
Physical-Cyber Convergence is the Future of Utility Security
As threats to critical infrastructure continue to grow in complexity, the divide between physical and cyber security is dissolving, and a unified approach is becoming essential for a robust, proactive security risk management program.
Within the utility industry, attacks targeting water supplies, power grids and other vital systems are becoming more sophisticated, underscoring the need for more comprehensive and proactive security measures. At the same time, the sector is under regulatory pressure from frameworks like the North American Electric Reliability Corp.’s Critical Infrastructure Protection standards, a mandatory set of security rules designed to protect the reliability of the North American bulk electric system.
Across industries, many organizations’ physical and cyber security operations are siloed and highly fragmented, with vulnerable assets and disparate or duplicative technologies throughout. But hackers don’t distinguish between digital and physical systems, and neither should utilities, as an entry badge or a compromised camera can be as dangerous as malware. In fact, according to Allied Universal’s World Security Report, about 90% of organizations say cyber threats to their physical security are a challenge to their business operations.
To close this gap, industry leaders must work together to counter advanced threats while ensuring operational resilience and regulatory compliance. Physical-cyber “convergence” – i.e., integrating various cyber and physical security technologies and capabilities – is one solution.
What Does Physical-Cyber Convergence Look Like?
At its core, this type of convergence is about creating a security posture that spans both physical and digital domains. What does that mean? Systems like access control, intrusion detection, video surveillance and operational technology network monitoring are no longer isolated. Instead, they sit within an architecture that lets them aggregate data and communicate across multiple systems to deliver true situational awareness.
For example, while security cameras were once used solely to record images and videos, today’s cameras are smart devices that can integrate with the broader physical-cyber ecosystem. When integrated into cyber monitoring systems, video feeds can serve as both a physical deterrent and a digital signal. If a camera goes offline unexpectedly at a substation, it may indicate tampering, a network intrusion or both, and the proper teams can communicate and respond accordingly. The result is a stronger, more resilient security posture – one that reflects how attackers operate in the real world.
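The camera-offline scenario above can be expressed as a simple correlation rule. The following is an added example, not code from the author or any vendor; the event sources ("vms" for the video management system, "ot_ids" for OT network monitoring), site names, the 10-minute window and the maintenance schedule are all assumptions, and the events are constructed sample data.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample events (not real telemetry): (time, site, source, event)
EVENTS = [
    ("2024-05-01T02:14:00", "substation-7", "vms", "camera_offline"),
    ("2024-05-01T02:19:30", "substation-7", "ot_ids", "new_remote_session"),
    ("2024-05-01T03:40:00", "substation-2", "vms", "camera_offline"),
    ("2024-05-01T09:05:00", "substation-7", "ot_ids", "new_remote_session"),
    ("2024-05-01T11:00:00", "control-room", "vms", "camera_offline"),
]
# Constructed maintenance schedule: site -> (start, end)
MAINTENANCE = {"control-room": ("2024-05-01T10:30:00", "2024-05-01T12:00:00")}


def parse(ts):
    return datetime.fromisoformat(ts)


def in_maintenance(site, when, schedule):
    """True if the outage falls inside a planned maintenance window."""
    if site not in schedule:
        return False
    start, end = map(parse, schedule[site])
    return start <= when <= end


def correlate(events, schedule, window=WINDOW):
    """Return one (site, action, related_network_events) per camera outage."""
    parsed = sorted((parse(t), site, src, ev) for t, site, src, ev in events)
    network = [e for e in parsed if e[2] == "ot_ids"]
    findings = []
    for when, site, src, ev in parsed:
        if src != "vms" or ev != "camera_offline":
            continue
        if in_maintenance(site, when, schedule):
            findings.append((site, "suppressed_maintenance", []))
            continue
        # Network alerts at the same site, shortly before or after the outage
        related = [n[3] for n in network
                   if n[1] == site and abs(n[0] - when) <= window]
        action = "escalate_joint_response" if related else "dispatch_physical_check"
        findings.append((site, action, related))
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS, MAINTENANCE):
        print(finding)
```

An outage with a nearby network alert goes to both teams, an isolated outage gets a physical check, and an outage inside planned maintenance is suppressed.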
Getting Started
Adopting physical-cyber security convergence doesn’t require an overhaul of an organization’s systems or processes. Instead, organizations can take a phased, risk-based approach that includes these steps:
- Start with a security assessment. Determine where physical and cyber systems already interact. Identify the most vulnerable assets (e.g., substations, control rooms, generation sites) and their protective measures.
- Prioritize high-risk environments. Identify where physical-cyber convergence will deliver the greatest impact to show value quickly and increase momentum. One example is integrating video analytics or artificial intelligence with network monitoring to spot unusual substation activity.
- Invest in new technology. Choose platforms that allow physical and cyber tools to share data and alerts, allowing for easier enterprise scaling across the organization.
- Leverage outside expertise and partnerships. Partner with integrators and providers who have sector-specific experience across both physical and cyber domains.
Moving toward physical-cyber convergence still has its obstacles. Addressing these challenges requires putting a strategy in place and having the support of external experts who understand how to bridge these gaps.
The good news is that the utility industry has already started to successfully adopt physical-cyber convergence. In 2021, a Florida water treatment plant was hacked when attackers attempted to manipulate a city’s water supply via remote-access software. The attack was successfully stopped because physical security personnel detected unusual on-site activity and immediately collaborated with cyber teams and law enforcement. This example demonstrates how coordinated monitoring and communication across both domains can prevent potentially catastrophic outcomes.
Building a Resilient Future
Physical and cyber security are becoming increasingly linked. Companies that do not acknowledge this convergence will be more likely to be vulnerable. Convergence is now essential to ensuring reliability, safety, compliance and operational resilience in the face of evolving threats. With the right strategy and partners, utilities can build a future-ready security posture that addresses both physical and cyber threats.
About the Author: Steve Sinclair is director of utilities vertical market for Convergint (www.convergint.com).