New security threats combine physical and cyber attacks
New security threats combine physical and cyber attacks, according to Raúl Porras Martín, Chief Information Security Officer at Desico (Grupo Casnova), during the presentation he gave at SICUR 2026, which focused on security systems in a connected operational environment.
In Raúl Porras’s view, the adoption and integration of Internet of Things (IoT) devices, Industrial Internet of Things (IIoT), IT/OT systems, Building Management Systems (BMS), and physical security systems has led to an increasingly interconnected mesh of cyber-physical systems. “We are no longer talking about isolated infrastructures, but about fully connected ecosystems,” he stated.
During his participation at SICUR 2026, Porras highlighted the growing importance of hybrid threats in physical security systems and warned of new challenges posed by cyberattacks. According to his explanation, current threats result from attacks jointly targeting physical and cyber assets.
The expert indicated that security systems combine traditional IT technologies, OT systems and IoT devices. Regarding information technology (IT), he emphasised the importance of TCP/IP protocols, application servers and databases, software, and virtualised environments. In relation to operational technology (OT), he referred to SCADA platforms, PSIM, VMS, PLCs and protocols such as OSDP or Wiegand, as well as identification technologies such as MIFARE or DESFire. Added to this are IoT devices such as CCTV cameras, biometric and card readers, IP intercoms, and connected video door entry systems.
Adapting to cross-cutting challenges
Porras stated that the challenges are cross-cutting, but questioned whether they are also being managed that way. His answer was no. “The functions and responsibilities of physical security and cybersecurity are disconnected and, in many cases, still operate completely independently.”
The strategy for physical security is limited to the following functions: protection of facilities, people, assets and physical access against deliberate threats; definition of security policies and procedures; management of physical security assets (cameras, readers, etc.); and management of security personnel. Meanwhile, the cybersecurity strategy focuses on protection against digital threats; the definition of information security policies and procedures; the management of information security assets; and the management of IT assets.
In this expert’s view, the traditional model is no longer sufficient, and it is now necessary to define responsibilities in a unified manner, carry out comprehensive risk analyses, and ensure cooperation and coordination between physical security and cybersecurity.
Cybersecurity by design
The paradigm shift is not due solely to technological evolution, but also to the regulatory context. Porras recalled that frameworks such as the National Security Framework (ENS), the NIS2 Directive and the Cyber Resilience Act (CRA) require a higher level of access and privilege control, secure communications, traceability and auditing, as well as cybersecurity integrated into products and infrastructure from the design stage and throughout their entire lifecycle. “It is no longer enough to declare that a system is secure; security must be assessable and verifiable,” he stated.
In this regard, he highlighted the importance of manufacturers incorporating robust technical controls that enable secure deployment in real-world environments. He also emphasised that Desico's Vigiplus PSIM platform is currently undergoing LINCE certification, a scheme promoted by the National Cryptologic Centre (CCN) that technically evaluates the cybersecurity controls integrated into the product.
Manufacturer, the first link in security
In this new scenario, he concluded, the selection of manufacturers becomes a security requirement. “The manufacturer is the first link in the chain of sovereignty and cybersecurity. The quality, continuous improvement, resilience and the system’s ability to adapt to new threats and regulatory requirements depend on them,” he stated.
The convergence of physical security and cybersecurity, together with regulatory pressure and the need for independent technical evaluation, points toward a model in which security can no longer be understood as an accessory element, but as a structural requirement of technological solutions.