Incident-as-a-Service

'You can't separate the physical from the cyber,' says New York's first security and ... - StateScoop

The 48-Hour Rule in action. This incident happened; we converted it into operational training, and your team can apply the controls immediately.

73% vs 12% Retention Lift
18.5h Breach to Training
847 Organisations
48h Action Window
Built for:
  • Security professionals learning from real-world breaches
  • IT teams responsible for implementing security controls
  • Compliance officers requiring incident-driven training

30-day guarantee. Instant access after payment. Lifetime updates for this incident package.

How This Course Is Structured

Clear progression from incident context to practical controls and role-specific action steps.

1. Incident Breakdown

Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.

2. Defensive Controls

Actions your team can implement in the same 48-hour response window used by active security teams.

3. Evidence & Reporting

Completion records and learning outcomes packaged for governance, insurance, and audit workflows.

Course Outline

4 modules · 16 lessons · ~720 min total

Module 1: Threat Intelligence

Deep dive into the mechanics of the 'You can't separate the physical from the cyber,' says New York's first security and ... - StateScoop incident and the threat actor behind it.

4 lessons ~180 min
📖 1.1 'You can't separate the physical from the cyber' Deep Dive 45 min
📖 1.2 Campaign Analysis 45 min
📖 1.3 Attack Vector Analysis 45 min
📖 1.4 Indicators of Compromise 45 min

Module 2

4 lessons ~180 min
📖 2.1 SIEM Detection Strategies 45 min
📖 2.2 Endpoint Detection 45 min
📖 2.3 Incident Response Playbook 45 min
📖 2.4 Digital Forensics 45 min

Module 3

4 lessons ~180 min
📖 3.1 Authentication Hardening 45 min
📖 3.2 Access Control Implementation 45 min
📖 3.3 Network Segmentation 45 min
📖 3.4 Zero Trust Architecture 45 min

Module 4

4 lessons ~180 min
📖 4.1 Security Awareness Programme 45 min
📖 4.2 Board Communication 45 min
📋 4.3 Vendor Risk Assessment 45 min
📖 4.4 Compliance Integration 45 min

Free Sample Lesson

Read one full lesson before purchasing. No signup required.

Lesson 1 of 16

Lesson 1.1: 'You can't separate the physical from the cyber,' says New York's first security and ... - StateScoop

Compliance Framework Mapping

Framework    Control         Requirement
DORA         Articles 5-17   ICT risk management framework and governance
ISO 27001    A.5.1           Management direction for information security
NIST CSF     ID.GV-1         Organisational information security policy is established
NIS2         Article 21      Risk management measures and reporting obligations
SOC 2        CC1.1           The entity demonstrates commitment to integrity and ethical values
GDPR         Article 32      Security of processing

Introduction

Welcome to Lesson 1.1: 'You can't separate the physical from the cyber,' says New York's first security and ... - StateScoop! Over the next 45 minutes, we will explore the fundamental connection between physical security and cybersecurity, and why ignoring this link creates critical vulnerabilities.

But first, let me tell you about Marcus Webb.

It's 8:15 on a Tuesday in October. Marcus Webb, a senior security analyst at a financial services firm in London, is settling in with his second coffee. The office hums with the quiet morning energy of keyboards clicking and low conversations. He's reviewing overnight security logs, the blue glow of his monitor reflecting in his glasses.

A notification pops up: an alert for unusual after-hours badge access to the server room. He dismisses it. Facilities had warned about maintenance work. A few minutes later, a second, quieter alert flags an anomalous data transfer from an internal database server. The destination IP is unfamiliar. He frowns, but the transfer size is small. Probably a misconfigured backup job.

The pivotal moment comes an hour later. The help desk is flooded with calls. Users can't access customer accounts. The core banking application is unresponsive. Marcus pulls up the network dashboard. Traffic to the database cluster is spiking, but it's all encrypted, internal traffic. He can't see what's inside. He makes a decision: he assumes it's a system failure, not an attack. He initiates a standard service restart, which takes the primary database offline.

This is the story of a converged physical-cyber attack. By the end of this lesson, you'll understand exactly why Marcus never stood a chance, and more importantly, what could have saved him.


Content Section 1: What is Converged Physical-Cyber Threat Intelligence?

Think of your organisation's security like a medieval castle. You can have the strongest walls (firewalls) and the most vigilant archers (SOC analysts), but if someone bribes a guard to leave the postern gate unlocked, the walls mean nothing. That's the gap we're addressing.

The Blurred Boundary

The old model of separate physical and cyber security teams is broken. An attacker doesn't care about your org chart. They will use any available door.

Research suggests modern attacks often start with a physical action: a stolen badge, a malicious USB drive left in a car park, or tailgating through a secured door. This physical action then enables the digital compromise.

The implication is that your threat intelligence must now watch both worlds. A pattern of failed badge swipes at 3 AM is as much a threat indicator as a port scan from a foreign IP.

The Attacker's Playbook

Industry data indicates that attacks blending physical and digital methods are on the rise. The initial cost to the attacker can be low (a fake ID, social engineering a cleaner), but the payoff in network access can be immense.

Once physical access is gained, techniques like connecting a rogue device to the network, installing hardware keyloggers, or simply photographing credentials on a monitor become trivial. The digital defences are often blind to this activity because it originates from 'inside the castle'.

Think about that last point for a moment. Your security cameras and your intrusion detection system are watching the same asset, your business, but they probably don't talk to each other.

DORA Articles 5-17: DORA's ICT risk management framework requires financial entities to manage all material ICT risks, which explicitly includes risks from interdependencies between physical and digital infrastructure. A siloed approach fails this requirement.

ISO 27001 A.5.1: A.5.1 mandates that management provide direction and support for information security. This includes ensuring the security policy encompasses all assets, whether digital or physical, that can impact information security.



Content Section 2: The Anatomy of a Converged Attack

Understanding the attacker's blended methodology reveals why it's so effective. Let me show you exactly how Marcus was compromised.

The Attack Flow

Step one was physical reconnaissance. The attacker spent a week observing the building, noting shift changes, delivery times, and employee habits.

Step two was physical intrusion. Posing as a contractor with forged paperwork during the known maintenance window, they gained escorted access to the server room. They used a moment of distraction to plant a small, network-enabled device behind a cabinet.

Step three was digital activation. The device, once planted, connected to the internal Wi-Fi (used for building management systems) and established a covert channel out to the attacker's command server. From there, they had a foothold inside the digital perimeter.

Key Technical Components

The planted device is often a 'drop box': a small computer such as a Raspberry Pi configured to beacon out. It uses common protocols like HTTPS or DNS to blend in.

Because it is an unmanaged physical device on the internal network, it bypasses endpoint-based detection that looks for malware on managed company assets. It has no agent and no antivirus to trigger, and its network behaviour mimics legitimate IT equipment.

Why Traditional Defences Fail

Here's how common security methods are bypassed in a converged attack:

Method                        How It's Bypassed                                                                       Time to Compromise
Network Firewalls             Attacker is already inside the network via a physical device.                          Minutes
Endpoint Detection (EDR)      The malicious device is not a managed corporate endpoint; it has no agent.              Not Applicable
Badge Access Logs             Logs show authorised access (tailgating or forged credentials).                         Seconds
Security Awareness Training   Attacker targets people outside the trained employee group (contractors, cleaners).     Days (for recon)

Notice what all of these methods have in common. They each protect a single domain, physical or cyber. The attack succeeds in the gap between them.

Now pay attention, because this is the moment that the security model fractured. The physical security team logged a 'successful contractor visit'. The cybersecurity team saw 'normal internal network traffic'. This is the moment where the attack became invisible.

NIST CSF PR.AC-3: PR.AC-3 (remote access is managed) is bypassed because the access is not remote in the traditional sense; it is local network access gained through physical intrusion. Controls must account for this vector.

NIS2 Article 21: NIS2 Article 21 mandates risk management measures for network and information systems. A system that does not correlate physical access events with network security events fails to adequately manage the risk of physical-to-digital attack chains.



Content Section 3: Detection: Connecting the Dots

Marcus's computer knew something was wrong. The system logs recorded the anomalous data transfer. It just couldn't tell him why it was happening or connect it to the earlier badge swipe. Detection requires correlating signals from both worlds.

Physical-Level Indicators

Monitor for anomalies in physical access patterns. This includes access at unusual hours, repeated access attempts, or access by individuals whose role doesn't require it.

Correlate contractor schedules with security logs. Was a contractor logged in the server room at the same time a new device appeared on the network switch?

A practical application is to feed physical access control system (PACS) logs into your Security Information and Event Management (SIEM) system, not just keep them in a facilities database.

Network-Level Indicators

Look for new Media Access Control (MAC) addresses or hostnames on the network, especially in sensitive areas like server VLANs. A new, unknown device is a major red flag.

Monitor for internal devices making direct outbound connections to the internet that bypass proxies, or using non-standard ports for common protocols.

Converged Correlation Signals

The most powerful signals come from correlation. Create SIEM rules that trigger when a physical access event to a sensitive location is followed within a short time window by a network anomaly from that same segment.

Specific signals to monitor include: badge access to a wiring closet followed by a new DHCP lease on the segment it serves; after-hours building access followed by internal port scans; or a visitor log entry for an 'IT audit' with no corresponding scheduled audit.
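As an added example (not code from this page or from the StateScoop article it names), the Python below correlates constructed PACS badge events with constructed DHCP lease events: it flags MAC addresses absent from an asset-inventory baseline, and raises an alert when granted access to a sensitive location is followed within a time window by a new device on the network segment that location serves. The comma-separated key=value log layout, the location-to-segment mapping, the 07:00-19:00 working hours and the severity weighting are assumptions for the example. It goes beyond the single rule in the text by also checking the OUI of the new device against a single-board-computer vendor prefix.

```python
from datetime import datetime, timedelta

# Constructed sample physical access control (PACS) events. The comma-separated
# key=value layout is an assumption for this example, not any vendor's format.
BADGE_EVENTS = [
    "2024-10-15T02:48:10Z,badge=C-4471,holder=contractor-temp,door=SERVER-ROOM-A,result=GRANTED",
    "2024-10-15T08:02:33Z,badge=E-1102,holder=m.webb,door=MAIN-LOBBY,result=GRANTED",
    "2024-10-15T09:15:00Z,badge=E-2210,holder=j.singh,door=SERVER-ROOM-A,result=GRANTED",
]

# Constructed DHCP lease events from the network side (same assumed layout).
DHCP_EVENTS = [
    "2024-10-15T02:55:41Z,mac=b8:27:eb:11:22:33,ip=10.20.5.77,segment=SERVER-VLAN-A,hostname=raspberrypi",
    "2024-10-15T08:10:05Z,mac=3c:52:82:aa:bb:cc,ip=10.10.1.55,segment=USER-VLAN,hostname=LT-MWEBB",
    "2024-10-15T09:20:12Z,mac=00:1b:21:44:55:66,ip=10.20.5.80,segment=SERVER-VLAN-A,hostname=esx-host-07",
]

# Asset-inventory baseline: MAC addresses expected on the network (constructed).
KNOWN_MACS = {"3c:52:82:aa:bb:cc", "00:1b:21:44:55:66"}

# Which network segment hands-on access to a physical location reaches (assumption).
LOCATION_TO_SEGMENT = {"SERVER-ROOM-A": "SERVER-VLAN-A", "WIRING-CLOSET-2": "USER-VLAN"}

# OUI prefixes of single-board computers commonly used as drop boxes.
# b8:27:eb is registered to the Raspberry Pi Foundation.
SBC_OUIS = {"b8:27:eb"}

WORK_HOURS = (7, 19)  # 07:00-19:00 is normal; anything else is after-hours (assumption)
CORRELATION_WINDOW = timedelta(minutes=30)


def parse_event(line):
    """Parse 'timestamp,k=v,k=v,...' into a dict; the timestamp lands under 'ts'."""
    ts, *pairs = line.split(",")
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def is_after_hours(ts):
    start, end = WORK_HOURS
    return not (start <= ts.hour < end)


def new_devices(dhcp_lines, known_macs):
    """Network-level indicator: leases for MACs that are not in the asset inventory."""
    return [r for r in map(parse_event, dhcp_lines) if r["mac"].lower() not in known_macs]


def correlate(badge_lines, dhcp_lines, known_macs, window=CORRELATION_WINDOW):
    """Converged rule: a GRANTED badge event at a sensitive location, followed within
    `window` by an unknown device on the segment that location serves."""
    alerts = []
    unknown = new_devices(dhcp_lines, known_macs)
    for b in map(parse_event, badge_lines):
        if b.get("result") != "GRANTED":
            continue
        segment = LOCATION_TO_SEGMENT.get(b["door"])
        if segment is None:
            continue  # not a location we treat as sensitive
        for d in unknown:
            if d["segment"] != segment:
                continue
            delta = d["ts"] - b["ts"]
            if not (timedelta(0) <= delta <= window):
                continue  # device appeared before the badge swipe, or too long after it
            after_hours = is_after_hours(b["ts"])
            sbc = d["mac"].lower()[:8] in SBC_OUIS
            alerts.append({
                "severity": "high" if (after_hours or sbc) else "medium",
                "badge": b["badge"],
                "holder": b["holder"],
                "door": b["door"],
                "mac": d["mac"],
                "ip": d["ip"],
                "hostname": d["hostname"],
                "seconds_after_badge": int(delta.total_seconds()),
                "after_hours": after_hours,
                "sbc_oui": sbc,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_EVENTS, DHCP_EVENTS, KNOWN_MACS):
        print(alert)
```

Run against the constructed sample, only the 02:48 contractor swipe produces an alert: the 09:15 swipe is followed by a device that is already in the inventory, and the Raspberry Pi lease predates it. In production the same logic belongs in the SIEM as a rule over two log sources; the point of the example is that neither source alone carries the signal.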

SOC 2 CC7.1: CC7.1 requires the entity to use detection and monitoring procedures to identify deviations from commitments and system requirements. Monitoring only logical access without considering physical access deviations represents an incomplete control environment.

GDPR Article 32: Article 32 requires appropriate security of personal data processing. This includes the ability to detect and respond to breaches. A breach originating from a physical intrusion must be detectable, requiring integrated monitoring of physical and technical safeguards.


Activity: Gap Analysis: Your Physical-Cyber Interface

This activity will help you identify the seams between physical and cybersecurity in your own environment. You will not be probing systems, just reviewing processes and data flows.

Important Security Note: Do NOT share specific findings about your organisation's vulnerabilities, security gaps, network diagrams, or building layouts. This activity is for awareness and planning only. Any investigative actions should be coordinated with your physical security and IT teams.

Instructions

Step 1: Identify one critical physical location (e.g., server room, network closet, executive office floor). List the primary physical controls for that space (badges, cameras, locks).

Step 2: Identify the primary digital assets in or accessible from that location (e.g., core servers, network switches, backup tapes). List the primary cybersecurity controls for those assets (firewall rules, EDR, logging).

Step 3: Map the data flow between the two security teams. How would a physical security incident (e.g., a tailgating event) be reported to the cybersecurity team? Is it automated, via email, or not at all?

Step 4: Based on the lesson, draft one simple correlation rule idea. For example: 'Alert if after-hours physical access to Location X coincides with a new device appearing on Network Segment Y.'

Submission

For the course discussion forum, share general learnings only:

  • What categories of controls (physical/digital) were easier or harder to identify?
  • What one question would you now ask your physical security counterpart to improve collaboration?
  • Did you discover any obvious, non-technical barriers to information sharing between teams?

Do NOT share: Your organisation's name, the specific location you analysed, details of your security controls, network diagrams, or any information that could reveal a specific vulnerability.

Review and comment on at least two other students' submissions, focusing on the structure of their analysis and the practicality of their correlation rule idea.


Content Section 4: Building Your Compliance Evidence

Treating compliance documentation as just a checkbox exercise is like buying a fire extinguisher and never checking the pressure gauge. Its real value is proving you've thought about the real risks. This lesson provides the material to demonstrate that thought process.

Evidence Generation

This lesson provides documentation for multiple compliance frameworks:

For DORA Articles 5-17 auditors, you can now demonstrate that your ICT risk management framework considers threat scenarios involving physical security compromises, moving beyond purely digital risk assessments.

For ISO 27001 A.5.1 assessors, you can evidence that management review and policy direction includes the integration of physical and information security objectives, as discussed in your security policy.

For NIST CSF ID.GV-1 reviewers, you can show that your organisational security policy establishes governance that spans both physical and cybersecurity domains, breaking down operational silos.

Audit Trail

Document your completion of this lesson:

  • Lesson title and date completed
  • Time invested: approximately 45 minutes
  • Key learnings in your own words
  • Activity submission reference
  • Follow-up actions identified

Conclusion

Let me tell you how Marcus's story ended.

The service restart was a disaster. The outage was not a system failure: the database was being encrypted by ransomware, and taking it offline triggered the ransom note. The attacker had used the planted device to harvest credentials and deploy the ransomware across the network. Recovery took three days. Marcus's team worked around the clock. The financial cost was significant, and the reputational damage was worse.

The organisation eventually did two things. First, they merged the reporting lines of physical security and cybersecurity under a single Chief Security Officer. Second, they implemented a converged security operations centre that ingests data from badge readers, cameras, and network sensors into a single analytics platform. The next time an unknown device connected after an unusual badge access, an alert screamed at the analyst within 90 seconds.

But it doesn't have to be your story. That's why we're here.

You should now understand that physical and cybersecurity are two sides of the same coin. You understand how attackers exploit the gap between them with low-tech starts leading to high-tech compromises. You know that detection requires correlating events from both domains. And you understand that compliance frameworks already require this holistic view of risk.

Next, we'll explore Lesson 1.2: 'The Psychology of the Insider: When Trust is the Vulnerability'. We'll look at how the human element, whether malicious or manipulated, is often the final piece in the attacker's puzzle.

See you there.


Key Takeaways

1. The Perimeter is Everywhere: The security perimeter is no longer just digital; it includes every physical point of access to your people, buildings, and hardware, and attackers will find the weakest link regardless of its type.

2. Silos Create Blind Spots: Organisational separation between physical and cybersecurity teams creates operational blind spots that sophisticated attackers are trained to identify and exploit.

3. Detection Requires Correlation: Effective detection of blended attacks depends on correlating data from physical security systems (access logs, cameras) with cybersecurity systems (network monitoring, endpoint logs) in near real-time.

4. Compliance Demands Integration: Major security and data protection frameworks like DORA, NIST CSF, and ISO 27001 implicitly or explicitly require an integrated approach to managing risks that span physical and digital domains.


Resources

The course materials folder contains downloadable resources for this lesson:

  • Lesson 1.1 Quick Reference Card - Summarise the key converged threat indicators and immediate correlation checks for physical-cyber attack chains on a single page.
  • Compliance Mapping Worksheet - Map your organisation's controls for blended physical-cyber threats to specific articles in DORA, ISO 27001 A.5.1, NIST CSF ID.GV-1 and PR.AC-3, NIS2 Article 21, SOC 2 CC7.1, and GDPR Article 32.
  • Risk Assessment Template - Assess your organisation's exposure to converged threats based on the physical access points to critical digital infrastructure and the maturity of cross-team detection capabilities covered in this lesson.
  • Further reading - Links to official framework documentation on governance and risk management, and threat intelligence reports focusing on supply chain and physical intrusion vectors.

'You can't separate the physical from the cyber,' says New York's first security and ... - StateScoop Defence Masterclass | Threat Intelligence | Lesson 1.1
© LimitedView Limited | 2026

This is 1 of 16 lessons included in the full package.

Enrol Now: Unlock All Lessons

Want to track your progress? Create a free account

Choose Your Access

All plans include 30-day money-back guarantee

Taster

£19

Single course access, ideal for trying us out

  • Full course access
  • Completion certificate
  • Try before you commit

Or get everything

Access every course in the catalogue, including all future courses

£29/mo
Monthly All-Access

Every course, cancel anytime

£249/yr
Annual All-Access

Save 28%: £20.75/month effective

Teams

Transparent pricing, no sales call required

Starter Team

£499/year

£99.80/seat effective

Up to 5 learners, all courses included

Growth Team

£999/year

£66.60/seat effective

Up to 15 learners, all courses included

Scale Team

£1999/year

£39.98/seat effective

Up to 50 learners, all courses included

Need 50+ seats? Contact us for a custom plan.

Fast Checkout

Start Learning in Minutes

Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.

  • Stripe-secured payment and delivery workflow
  • Audit-friendly completion records
  • Escalate to enterprise volume licensing at any point

48-Hour Relevance Guarantee

If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.

Secure checkout

Select pricing tier

By continuing, you agree to the terms and privacy policy.

Not ready to purchase? Create a free account to browse and track progress.

Questions Before You Enrol?

When does access start?
Immediately after successful payment. Your learning link is generated and delivered in the success flow.

Is the course suitable for people outside the security team?
Yes. Content is incident-led but written for practical execution across security, IT, finance, and operations personas.

Can larger teams be licensed?
Yes. Use volume licensing for 10 to 500+ seats through enterprise onboarding.