Cyber-Physical Security Risk Assessment Using a Secure Asset Framework

This spring I was fortunate to be accepted as a speaker for API 2025. Held in Austin, Texas, the API Pipeline Conference and Expo is one of the most well-attended conferences in the energy industry, with over 1,000 attendees this year—a new record. I presented on behalf of the Cybernetics business unit at Applied4Sight, speaking on security programs and the U.S.-specific approach to integrating security risk assessments. My talk, "Cyber-Physical Security Risk Assessment Using a Secure Asset Framework," was accepted after a multi-month review process and slotted into the Cybernetics | SCADA/Cybersecurity track.
The energy sector provides critical infrastructure that supports communities, public services, and private enterprise. As early adopters of connected devices, the industry has used technology to improve operational efficiency and cut costs, while gaining invaluable data for monitoring and improving systems over time. But those same connected devices introduce new vulnerabilities. Traditionally, physical security relied on fences, gates, and locks; as devices joined the network, cybersecurity became essential to business continuity. With Industry 4.0 and our growing dependence on connected devices, the separation between physical and cyber security teams is dissolving—almost every physical control now involves some level of connectivity, from video surveillance to wireless keycards and remote-activated gates. Today's cyber breach becomes tomorrow's cyber-physical incident.
My talk made the case that security programs need the flexibility to manage evolving physical and cyber risks together while meeting regulatory requirements. Security risks are unique to each asset based on its specific threats and vulnerabilities, so a structured security risk assessment—one that integrates asset, threat, and vulnerability inputs to identify high, medium, and low risks—is essential. Correctly identifying those risks is what tells you where resources are actually needed, enables integrated planning, and aligns security with the company's management system. Assessments that draw on both cyber and physical input produce better cyber-physical protection at the asset level, letting organizations proactively manage their highest risks through a single lens.
Later that same week, I had the chance to bring the U.S. and Canadian perspectives together at BSides Calgary, where Terry Freestone and I co-presented on CSA Z246.1 and its applications.

Understanding Security Program Risk Assessments Through a Secure Asset Framework
A peer-reviewed conference paper presenting a secure asset framework for understanding and structuring security program risk assessments—accepted to the world's premier pipeline conference after a multi-month review.
