LAS VEGAS – Security doors and cameras, alarms and biometrics, smart locks and drones, were some of the security device types on display at ISCWest (International Security Consortium West) 2025 at the Venetian Hotel in April. Many of these devices are used for public safety in airports, stadiums, courts, etc., while also monitoring for physical threats across the critical infrastructure (aka ports, water and power plants, etc.)
Attendees hailed from critical infrastructure, law enforcement and public safety agencies, along with integrators and installers (residential and commercial). The question is, do these exhibitors understand the risks of the tools they’re selling, installing, and connecting to one another and to the cloud? Do their buyers?
As with all IOT, these high-tech safety and monitoring products contain software components, meaning they, too, can present vulnerabilities to the enterprises they connect to.
For that reason, a large portion of ISCWest’s agenda focused on the convergence of cyber and physical security, so this awareness is dawning. In fact, I was invited to moderate a panel of experts on cyber-physical attacks and the need for both sides to work together.
Examples of Cyber-Physical Attacks
All of us on the panel had experiences we shared to highlight what cyber-physical attacks look like. For example:
- Years ago, I covered a story for Computerworld in which a disgruntled employee had opened a valve and dumped oil into a busy Houston chipping channel. In an earlier case, when I was at Software Magazine, an investigator met with me “off the record” while on his way to New York to find out who had changed a computer record just before a nurse administered a lethal dose of medication to a patient. At the time, he theorized that it was a mob hit, although he never got back to me after his investigation.
- Using an informational graphic, Jasvir Gill, CEO of AlertEnterprise (physical and cyber access controls) helped the audience visualize what a cyber-physical attack looks like using an electric substation graphic. In it, a gunshot at the site, followed by fence intrusion alarm, a change in system configuration, begged the question: Is this a cyber or physical attack? It was both of these, as part of the attack involved changing access and erasing digital evidence from site cameras.
- Cyberattacks and technical glitches can also take down production in remote facilities, added Renee Guttman, former CISO (Chief Information Security Officer) of Coca Cola, Campbell’s Soup, Caribbean Cruise lines, and other Fortune 50 companies. In another example, she cited the security measures she put in place to protect cruise ship networks from teens trying to hack into ship systems through the public Wi-Fi. And, to hit home, she described instances where she had to replace security cameras because they were unsupported by their manufacturers or otherwise too risky.
- Marc Sachs, former CSO at NERC, who’s now SVP and chief engineer at the Center for Internet Security (CIS), then talked about solutions, starting with Cyber Informed Engineering.
Stepping Out
A large number of vendors integrating cameras and other tech (much of it made in China, which the U.S. deems an “Adversarial Country”). Yet, those I talked to at the vendor booths had little awareness of the cyber security implications associated with their products when I asked them. For example, they couldn’t answer any specific software security questions about their cloud, AI, and API integrations they’re building on top of these third-party hardware products.
So, I tracked down Kasia Hanson, founder and CEO of KFactor, which focuses on guiding enterprises on their physical-IT security infrastructure leveraging AI, OT, and computer vision (analytics/intelligence). This was her seventh ISCWest, often as a speaker, and this year she presented on IOT’s journey to the cloud.
“Securing the software is so important now because world is quickly evolving and connecting when it comes to OT,” she said during our interview. “Now you look at these hybrid environments with edge safety and security devices, on-prem storage and cloud, which are adaptable to your environment. But it all comes with risk.”
For those that are building products, she recommends following best practices in product safety, visibility, and security, starting at the design phase. She talked about the need for transparency of all elements of software across the OT supply chain, including product origins (hardware, firmware, software), including how all the product was developed, by whom and from where.
“When you buy OT software, you need to confirm that it is truly the software that you bought. We know software can be poisoned,” Hanson explained.
To chief product officers and developers of OT systems, she cautions against moving too fast into AI and cloud connectivity. “As you start looking at how to replace and use AI in things like physical security cameras and other OT devices, you must think like the hackers do. Examine how installing these products could possibly lead to a cyber incident. Because a lot of times physical events lead to cyber events and vice versa.”
Or, as – Brian Harrell, CSO, Avangrid, said in the 2025 Security MegaTrends Report by Security Industry Association, “Rarely do we see a cyber-only or physical-only attack. The threat landscape is very blended.”
Resources:
Digital Security Journal Articles on the importance of advancing the cyber security of physical security devices.
Using Advanced Binary Code Analysis (BCA) to generate Software Bills of Materials (SBOMs) on third-party code and gain visibility into the OT software supply chain.
Integrating Deep SAST into your OT system development process.
