The Real Security Risks - The Divide between Cyber & Physical

[ST # 67] Guest Post by Jamie Williams on Modern Cyber-Physical Threats and What Does Good Security Look Like Today? plus my views on the same ✍️ [Securing Things by M. Yousuf Faisal]


Disclaimer: All views presented here, in this newsletter, are my own.

Neither the author nor the newsletter is liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and/or situation.

M. Yousuf Faisal

Hey there,

Hope you are doing well.

This is a special edition, as we have an expert guest author today, for the first time on this newsletter.

Welcome Jamie Williams to Securing Things community.

I wanted to bring in a different perspective from the physical security viewpoint, so I reached out to Jamie, who has been putting out some great stuff on LinkedIn (you should definitely check it out).

So Jamie kindly agreed to share ✍️ his expert insights, drawing from years of hands-on experience, to discuss the real risks and the gap between today's cyber and physical threats. He also explored what effective security looks like in the modern world.

I was excited to jump in on his idea and share ✍️ my thoughts (coming from a cyber background). I explore the topic from the perspective of industrial critical infrastructure environments.

So in this newsletter, cyber meets physical ;-)

Well, not literally, but 📘 at least from the points of view 📜

Plus some references, updates and the upcoming newsletter.

So let’s dig in.

Yours truly.

— Yousuf.


The Real Security Risk? The Divide Between Cyber and Physical📜 

By Jamie Williams (Helping NZ Leaders Make Smarter Security Decisions | Director – Security Risk Management & Strategic Advisory | Physical Security | PSR | Risk, Culture & Controls)

Most organisations today are investing heavily in security. But the biggest threat might not be what’s outside the perimeter — it’s what’s happening inside.

The continued divide between cyber and physical security is creating blind spots that adversaries are quick to exploit.

It’s time we face a hard truth: security is broken in two — and that fragmentation is weakening our defences.

On one side, we have cybersecurity teams focused on digital infrastructure, data protection, and system integrity.

On the other side, physical security teams handle access control, buildings, and human threats.

Despite having the same ultimate goal—protection—these functions are often siloed, with separate tools, policies, and reporting lines.

This division is not just inefficient—it’s dangerous.

Modern threats don’t respect boundaries. Neither should our defences.

A phishing email can open a door to a physical breach.

A hacked access system can disable alarms and unlock secure areas. IoT devices, smart buildings, and AI-powered platforms intersect digital and physical — yet most organisations still treat them as two separate risk categories.

This mindset must change.

Too often, organisations approach security as a technical problem, throwing more tools at the issue.

But security isn’t just about firewalls and cameras — it’s about people, behaviour, and systems interacting.

Real protection comes from integration, not accumulation.

My view? Security must stop chasing tools and start serving a purpose.

Ask not “Who owns this platform?” but “What risk does this protect against, and how does it keep the business running?”

The threats of tomorrow are already here:

AI-generated scams, insider risks, cloud exposure, supply chain vulnerabilities, and the convergence of cyber and physical systems.

None of these sit neatly in one box. So why are we still trying to manage them in separate ones?

The future of security isn’t more layers — it’s fewer walls.

Let’s stop treating cyber and physical like separate problems. It’s time to protect what matters most with one integrated solution.

So what does good security look like today?

It’s unified. Not identical — but integrated. It means:

  • A shared understanding of risk across cyber and physical teams

  • A common language and aligned objectives

  • Joint monitoring, planning, and response

  • Security strategies designed around people, not just infrastructure

This kind of integration isn’t just nice to have — it’s essential for resilience.

I believe every security function should serve three strategic purposes:

  1. Enable safe, uninterrupted operations

  2. Maintain situational awareness

  3. Advise leaders in times of change or uncertainty

But that’s only possible if all teams know where their responsibilities begin — and end. In too many organisations, those lines are blurry.

And where scope is unclear, gaps grow.

Let’s also not ignore the human factor.

If your security strategies don’t account for how people behave — especially under pressure — they’ll be ignored, bypassed, or misused.

That goes for both cyber and physical controls.


The Real Security Risk? The Divide Between Cyber and Physical in Industrial Critical Infrastructure

By M. Yousuf Faisal (Advice | Consult Cyber & business leaders in their journey on Securing Things (IT, OT/ICS, IIOT, digital transformation, Industry 4.0, & AI) & share everything I learn on this Newsletter | and upcoming Academy).

Adding on to Jamie’s idea on the topic. Here’s my take from an industrial Critical Infrastructure perspective.

Within critical infrastructure sectors such as energy, water, transportation, and manufacturing, the traditional divide between physical security and cybersecurity is increasingly a liability.

Almost all cyber or data security standards and regulations devote an entire section, domain, or area to physical security.

Both domains are essential to safeguarding operations, but their separation often leaves critical gaps that sophisticated modern threats exploit, putting industrial environments at risk of severe disruption.

Physical Security in Industrial Critical Infrastructure

Physical security in critical infrastructure protects personnel, hardware, and facilities from threats like intrusions, vandalism, and natural disasters.

Challenges include budget constraints, monitoring difficulties, and the need for ongoing risk assessments.

Key measures include HAZOP, Safety Instrumented Systems (SIS), surveillance cameras, intrusion detection, access control, barriers, and security personnel.

These controls prevent unauthorized access to sensitive sites such as power substations and water treatment plants, often in remote areas.

Without strong security, malicious actors could access critical equipment, causing damage or enabling cyber intrusions.

Cybersecurity in Industrial Critical Infrastructure

Industrial environments increasingly depend on interconnected digital systems like IT, ICS, SCADA, and OT to automate and monitor processes.

While these technologies enhance efficiency and safety, they also expose critical infrastructure to cyber threats such as ransomware, phishing, supply chain attacks, and ICS sabotage.

Cyberattacks can lead to data loss, physical damage, environmental hazards, and threats to human safety.

For instance, malware like Triton targeted safety systems in a chemical plant to cause physical harm.

These cyber-physical attacks show that both cybersecurity and physical security are essential to protect critical infrastructure.

The Modern Cyber-Physical Threat Landscape

The threats today blur the lines between physical and cyber domains.

Attackers may combine physical breaches with cyber intrusions to maximize impact.

For instance, unauthorized physical access to a server room can enable malware installation and/or a data breach, while cyberattacks can disable surveillance systems or access controls, rendering physical security ineffective.

Legacy systems with outdated security features and the growing attack surface due to IoT integration further exacerbate these risks.

The 2021 Colonial Pipeline ransomware attack disrupted fuel supply across the US East Coast, illustrating the real-world impact of cyber vulnerabilities exploited in the IT network: they affected industrial operations and halted real-world physical processes.

The Divide’s Impact on Addressing Real Risks

The traditional siloed approach, where IT handles cybersecurity and facilities manage physical security, creates blind spots and hampers coordinated threat detection, allowing attackers to exploit weaknesses.

Without integrated strategies, organizations may fail to recognize how physical vulnerabilities can lead to cyber breaches and vice versa.

Security standards and risk assessments often overlook the critical interplay between physical and cyber risks in industrial environments, where safety, availability, and environmental protection are crucial.

What Does Good Security Look Like Today?

Good security in modern industrial critical infrastructure is holistic and integrated, combining physical and cyber defenses into a unified strategy:

  • Comprehensive Business Discovery for Inventory: Ensure that a thorough business inventory is built across the entire business lifecycle and across the industrial automation stack.

  • Risk Assessments: Regularly evaluate both physical and cyber vulnerabilities, including insider threats and environmental factors, to prioritize mitigation efforts.

  • Integrated Access Controls: Use electronic access systems that tie physical entry permissions to cyber identity management, ensuring only authorized personnel can access sensitive areas and systems.

  • Advanced Surveillance and Monitoring: Deploy video surveillance and environmental sensors with remote cloud-based management, coupled with cybersecurity measures to protect these systems from tampering.

  • Segmentation and Isolation: Isolate critical ICS/OT networks from corporate IT and external internet access to reduce attack surfaces, while maintaining secure communication channels.

  • Adherence to International Standards: Implement standards like IEC 62443 and IEC 62351 that focus on securing OT and cyber-physical systems by design, emphasizing safety and operational continuity.

  • Cross-Disciplinary Collaboration: Foster collaboration between physical security teams, IT, OT, and cybersecurity professionals to ensure coordinated defense and incident response.

  • Continuous Monitoring and Incident Response: Employ real-time monitoring tools that integrate physical and cyber alerts, enabling rapid detection and mitigation of combined threats.
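
One way the integrated access control and joint monitoring points above can become a working detection, as an added example that is not part of the original newsletter: it correlates badge records with local console logins on OT workstations and flags logins that have no matching physical presence. The log fields, users, site names and the 12-hour presence window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: field names, sites and users are hypothetical.
BADGE_EVENTS = [  # (time, user, site, direction) from the physical access control system
    ("2025-06-02T07:58:00", "asmith", "substation-7", "in"),
    ("2025-06-02T12:05:00", "asmith", "substation-7", "out"),
    ("2025-06-02T08:10:00", "bjones", "hq", "in"),
]
CONSOLE_LOGINS = [  # (time, user, host, site) local interactive logons on OT workstations
    ("2025-06-02T09:15:00", "asmith", "hmi-01", "substation-7"),     # badged in: expected
    ("2025-06-02T13:30:00", "asmith", "hmi-01", "substation-7"),     # after badge-out
    ("2025-06-02T10:00:00", "bjones", "eng-ws-02", "substation-7"),  # badged in elsewhere
]
MAX_PRESENCE = timedelta(hours=12)  # assumed shift length; an older badge-in is stale


def parse(ts):
    return datetime.fromisoformat(ts)


def presence_at(user, site, when, badge_events):
    """True if the user's latest badge event at `site` before `when`
    is an 'in' that is no older than MAX_PRESENCE."""
    latest = None
    for ts, u, s, direction in badge_events:
        t = parse(ts)
        if u == user and s == site and t <= when:
            if latest is None or t > latest[0]:
                latest = (t, direction)
    return (latest is not None and latest[1] == "in"
            and when - latest[0] <= MAX_PRESENCE)


def unbadged_console_logins(logins, badge_events):
    """Flag local console logins with no matching physical presence record."""
    alerts = []
    for ts, user, host, site in logins:
        if not presence_at(user, site, parse(ts), badge_events):
            alerts.append({"time": ts, "user": user, "host": host, "site": site,
                           "reason": "console login without badge-in at site"})
    return alerts


if __name__ == "__main__":
    for alert in unbadged_console_logins(CONSOLE_LOGINS, BADGE_EVENTS):
        print(alert)
```

An alert here does not say which side failed: it may be tailgating, a shared or stolen credential, or a reader that missed a swipe, which is why triage needs both the physical and the cyber team.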

In essence, the real security risk lies in maintaining a divide between cyber and physical security.

Bridging this gap with integrated, layered defenses tailored to the unique demands of industrial critical infrastructure is essential to protect vital services and ensure resilience against today’s complex cyber-physical threats.


Related Resources

  • Jamie has an interesting short dummies guide on security → here.

  • Another good resource from Jamie → here.

  • I also wrote one as part of my Chronicles of Cybersecurity Consulting - 3rd in series - Assessment Slips to Discovery, where I stumble upon a couple of physical security gaps.

Updates

It was great to participate and present “Securing the Digital Factory: Lessons from the Field on Security Challenges from Industry 3.0 to 4.0 and Beyond” at the Industrial Cyber Days for Manufacturing virtual conference series for the US (13th May), EMEA (21st May) and APAC (3rd June).

It was a mini-course introduction to the Securing Things IT-OT CySEAT (Cyber Security Education and Transformation) program, providing insights into securing digital factories.

If you missed it and are interested, let me know by replying to this and I’ll see to it.

There were many other interesting presentations and panel discussions.

Announcements

Are you ready to master "OT Cybersecurity Procurement Process & Practices" and safeguard your critical infrastructure in the era of Industry 3.0 and Industry 4.0?

🚨Attention: IT-OT Tech, Cybersecurity, & Industrial Procurement Professionals! 🚨

🔐 Introducing an exclusive Multi-Part Series, "OT Cybersecurity Procurement Process & Practices (OTCS PPP) - ultimate guide", for procuring / buying industrial solutions / services that protect industrial operations across water/wastewater utilities, manufacturing plants, and beyond.

🔥 I am extremely excited and glad to be partnering on this series with an expert from the field, Ms. Alana Murray, an OT expert, alongside my learnings and experience from manufacturing and other critical infrastructure sectors.

ONLY on Securing Things newsletter - coming this June-July 2025.

Call out for expert insights:

Also, if you are an expert in Power, Transportation (Airport and Railway) and Oil & Gas sectors and want to contribute to this series ✍ me a DM 📥 / drop a comment 👇 for guest posts and attribution and a shout out! 📢 

♻️ if you know someone in your professional circle who will benefit from this guidance and/or is interested in learning.

Thanks 🌟


Ways in which I can help?

Whenever you are ready - I can help you with:

A - IT & OT Cybersecurity Advisory / Consulting services - for securing your business and or its digital transformation journey.

B - Security Awareness Training & Phishing Awareness Portal - Train your staff and build a Security awareness program through our subscription based service.

C - Securing Things Academy (STA) - Security trainings for IT & OT practitioners.

Visit the newsletter website for Links to above services and or reach out at info[at]securingthings[dot]com or DM me via LinkedIn.

D - Securing Things Newsletter - Sponsor this newsletter to showcase your brand globally, or subscribe to simply Get Smarter at Securing Things.

Reach out at newsletter[at]securingthings[dot]com or DM me via LinkedIn.

Feedback

I invite #SecuringThings community to share their feedback.

Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your trust and continued support.


Thanks for reading - until the next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

Follow Securing Things on LinkedIn | X/Twitter & YouTube.
