Beyond the Perimeter: Integrating Physical Topology into Strategic Threat Models

The Stuxnet playbook is twenty years old, but we’re still falling for the same fundamental flaw: treating physical and logical security as separate domains. While security teams obsess over zero-trust architectures and advanced persistent threats, adversaries are walking through the front door with USB drives and network taps, exploiting the one thing our threat models consistently ignore—the physical reality of how our networks actually work.

This isn’t about some hypothetical advanced attack. In 2021, the Triton/TRISIS malware campaign demonstrated sophisticated air-gap jumping through network topology weaknesses that should have been identified during threat modeling. The Xenotime group didn’t break cryptography or exploit zero-days—they leveraged engineering workstations connected to both corporate and safety networks, a physical topology decision that violated fundamental air-gap principles.

The problem isn’t that we don’t understand physical security. The problem is that our threat modeling frameworks treat physical topology as an afterthought, when it should be foundational to how we think about systemic risk.

The Fundamental Flaw in Modern Threat Modeling

Most threat modeling methodologies evolved from software security, where the threat surface is defined by code and configurations. STRIDE analyzes software components, PASTA focuses on application architecture, and even NIST’s guidance primarily addresses logical security boundaries. Physical topology—the actual copper, fiber, and radio waves that carry our data—gets relegated to a footnote about “physical security controls.”

This creates a dangerous blind spot. Modern networks are physical-cyber systems where the topology itself becomes the attack vector. When CrowdStrike’s 2025 threat intelligence shows that the average eCrime breakout time has decreased to 48 minutes, with the fastest observed lateral movement at 51 seconds, that’s not just about malware—it’s about adversaries understanding network topology better than the people who built it.

Consider this: 68.4% of physical security cameras run outdated firmware, creating IoT attack vectors that traditional threat models miss entirely. These devices are physically deployed throughout facilities, often with network access and default credentials, but they rarely appear in formal threat analyses because we think of them as “physical security,” not “cyber security.”

Adapting STRIDE for Physical Reality

STRIDE needs to evolve to address physical topology threats. Here’s how I’ve adapted the classic categories:

Spoofing Gets Physical

Traditional STRIDE focuses on identity spoofing in software contexts. Physical spoofing includes device impersonation through MAC address cloning, rogue access points mimicking legitimate infrastructure, and physical device substitution during maintenance windows. The threat model must account for how physical access enables these attacks.

Tampering Beyond Software

Physical tampering represents the highest-impact, lowest-detection threat vector. Hardware implants, cable interception devices, and infrastructure modification create persistent access that survives software updates and reboots. These attacks require physical proximity, but the payoff is complete system compromise.

Information Disclosure Through Physics

Data extraction through electromagnetic emanations, optical fiber tapping, and physical reconnaissance of network infrastructure reveals information that logical security controls can’t protect. Threat models must consider what adversaries can learn by walking around your facility.

Denial of Service at Layer 1

Physical link disruption, power attacks, and environmental threats can achieve denial of service more effectively than network-based attacks. A bolt cutter is often more reliable than a DDoS.

Elevation of Privilege Through Physical Access

Physical device access enables privilege escalation that bypasses authentication systems entirely. Console access, hardware debugging interfaces, and direct memory access can grant administrative privileges regardless of software protections.

Repudiation Through Physical Manipulation

Physical access enables evidence tampering and log manipulation that can eliminate attribution. If attackers can access logging infrastructure, they can cover their tracks at the hardware level.

PASTA Enhancement for Physical-Cyber Systems

The Process for Attack Simulation and Threat Analysis (PASTA) methodology provides a framework we can enhance for physical topology considerations:

Stage 1: Business Objectives with Physical Impact

Traditional PASTA considers business objectives primarily through software functionality. Enhanced PASTA includes physical security objectives: operational continuity, safety systems integrity, and physical asset protection. The threat model must understand how physical attacks affect business operations differently than logical attacks.

Stage 2: Technical Scope Including Physical Boundaries

Scoping must include physical topology mapping, infrastructure boundaries, and access points. This means documenting cable runs, equipment locations, environmental systems, and physical access controls as first-class architecture components.

Stage 3: Application Decomposition with Infrastructure Mapping

Traditional decomposition focuses on software components. Enhanced decomposition includes physical architecture: where data flows physically, which systems share infrastructure, and how physical access to one component affects others.

Stage 4: Threat Analysis for Physical Actors

Threat analysis must consider physical threat actors: insider threats with facility access, external actors with physical reconnaissance capabilities, and hybrid threats combining physical and cyber techniques. Nation-state actors, corporate espionage, and criminal organizations all have different physical capabilities and motivations.

Stage 5: Vulnerability Analysis Across Physical-Cyber Boundaries

Vulnerability analysis must assess physical infrastructure vulnerabilities: unsecured network equipment, accessible cable runs, and environmental threats. These vulnerabilities often enable logical attacks but require different remediation approaches.

Stage 6: Attack Modeling for Multi-Domain Scenarios

Attack modeling must consider multi-stage scenarios combining physical and cyber techniques. How does physical access enable logical attacks? How do logical compromises facilitate physical access? These hybrid scenarios represent the most sophisticated threats.

Stage 7: Risk Analysis with Physical Impact Assessment

Risk analysis must quantify physical impacts: safety implications, business disruption, and recovery complexity. Physical attacks often have longer recovery times and higher collateral damage than logical attacks.

The Air-Gap Fallacy

Air-gapped networks represent the ultimate failure of logical-only threat modeling. Security teams deploy air gaps thinking they’ve eliminated network-based attacks, then act surprised when attackers jump the gap through physical means.

The Stuxnet methodology remains the template: physical infiltration for malware delivery, “sneakernet” methods for data exfiltration, and exploitation of temporary connections during maintenance windows. Modern implementations include USB-based attacks against industrial systems, temporary network bridges created during software updates, and shared infrastructure between supposedly isolated networks.

Case Study: Industrial Network Convergence

I’ve assessed facilities where “air-gapped” operational networks shared power infrastructure, environmental controls, and even physical switch hardware with corporate networks. The air gap existed at Layer 3 but not at Layer 1. An attacker who compromised the corporate network could manipulate shared infrastructure to affect operational systems without crossing the logical boundary.

The threat model should have identified these shared dependencies, but traditional methodologies don’t consider physical infrastructure as part of the attack surface.
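Stage 3 decomposition and this case study both come down to one question: which physically shared components connect networks that look isolated at Layer 3? The Python below is an added example, not the article's own tooling or data from any assessed facility. It models a constructed topology as a graph whose edges are tagged logical (a routed or switched link) or physical (shared chassis, power, or environmental infrastructure), then asks whether the corporate LAN can reach the OT LAN under a logical-only view and under the full view. Every asset name, edge and edge type is an assumption made up for illustration.

```python
"""Shared-infrastructure path finding across a supposed air gap.

Added example, not from the original article. Edge kinds:
  LOGICAL  - a routed/switched network link
  PHYSICAL - shared chassis, power, or environmental dependency
All asset names and dependencies below are constructed for illustration.
"""

LOGICAL = "logical"
PHYSICAL = "physical"

# Constructed topology: corporate and OT networks share no logical link, but
# they share a switch chassis (separate VLANs on the same hardware), a UPS,
# and a server-room cooling unit that is controlled by a corporate-managed BMS.
EDGES = [
    ("corp-lan", "core-switch-chassis", PHYSICAL),      # corp VLAN on shared chassis
    ("ot-lan", "core-switch-chassis", PHYSICAL),        # OT VLAN on the same chassis
    ("corp-lan", "hvac-controller", LOGICAL),           # BMS managed from corp side
    ("hvac-controller", "server-room-cooling", PHYSICAL),
    ("server-room-cooling", "ot-lan", PHYSICAL),        # OT gear lives in that room
    ("ups-a", "ot-lan", PHYSICAL),                      # shared power feed
    ("ups-a", "corp-lan", PHYSICAL),
    ("corp-lan", "corp-dmz", LOGICAL),
]


def build_graph(edges):
    """Undirected adjacency list: node -> [(neighbour, edge_kind), ...]."""
    graph = {}
    for a, b, kind in edges:
        graph.setdefault(a, []).append((b, kind))
        graph.setdefault(b, []).append((a, kind))
    return graph


def find_paths(graph, src, dst, allowed_kinds):
    """All simple paths from src to dst that use only edges in allowed_kinds."""
    paths = []
    stack = [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt, kind in graph.get(node, []):
            if kind in allowed_kinds and nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths


def air_gap_report(edges, src, dst):
    """Compare what a logical-only model sees with what the physical model sees."""
    graph = build_graph(edges)
    logical_only = find_paths(graph, src, dst, {LOGICAL})
    any_domain = find_paths(graph, src, dst, {LOGICAL, PHYSICAL})
    return {
        "logically_isolated": not logical_only,
        "physically_isolated": not any_domain,
        # Every node on these paths is a shared dependency the threat model
        # should have listed as part of the attack surface.
        "shared_dependency_paths": sorted(tuple(p) for p in any_domain),
    }


if __name__ == "__main__":
    report = air_gap_report(EDGES, "corp-lan", "ot-lan")
    print("Logical view says isolated:", report["logically_isolated"])
    print("Physical view says isolated:", report["physically_isolated"])
    for path in report["shared_dependency_paths"]:
        print("  ", " -> ".join(path))
```

On the constructed topology the logical view reports the OT LAN as isolated while the full view finds three routes through shared hardware, cooling and power; each intermediate node on those routes is a candidate entry in the Stage 2 inventory of physical boundaries.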

Risk Scoring for Physical-Cyber Integration

Traditional risk scoring uses CVSS to assess software vulnerabilities, but physical vulnerabilities require different metrics. I’ve developed an enhanced framework that considers:

Physical Access Requirements

  • None Required: Remote attacks through logical means
  • Limited Physical: Proximity attacks (WiFi, electromagnetic)
  • Facility Access: Access to building but not secured areas
  • Infrastructure Access: Access to network equipment and cable runs
  • Device Access: Physical manipulation of target systems

Detection Probability

Physical attacks often have different detection signatures than logical attacks. Installing a network tap requires physical presence but may be undetectable through network monitoring. The risk score must account for detection likelihood across both physical and logical domains.

Recovery Complexity

Physical attacks often require physical remediation. Removing hardware implants, replacing tampered equipment, and verifying infrastructure integrity takes longer and costs more than restoring from backups. Risk scoring must reflect these operational realities.

Framework Integration: NIST CSF Enhancement

The NIST Cybersecurity Framework provides an excellent foundation for integrating physical topology considerations:

Identify Function

Asset management must include physical infrastructure inventory: network equipment locations, cable run documentation, and access point mapping. Traditional asset management focuses on logical devices and software; enhanced asset management treats physical topology as critical infrastructure requiring protection.

Protect Function

Access control includes physical access to network infrastructure, not just logical access to systems. Data security considers physical data paths and interception possibilities. Infrastructure protection requires environmental controls and physical tamper detection.

Detect Function

Anomaly detection must correlate physical and logical events. A network intrusion followed by unusual physical access patterns suggests hybrid attack scenarios. Traditional monitoring focuses on network traffic; enhanced monitoring includes physical access events and environmental anomalies.
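The correlation described here needs two things a logical-only SIEM usually lacks: a map from hosts to the rooms that house them, and badge-access events in the same timeline as network alerts. The Python below is an added example (not the article's or any vendor's detection content) that joins constructed IDS alerts with constructed badge logs through such a map and escalates an alert when a badge event for the host's room falls inside a time window, raising severity for after-hours or denied badge attempts. Log formats, hostnames, door names, the 30-minute window and the business-hours boundaries are all assumptions for illustration.

```python
"""Correlating physical access events with network alerts.

Added example, not from the article. Log lines, hostnames, door names and
timestamps are constructed; the rule and thresholds are assumptions.
"""
from datetime import datetime, timedelta

# Constructed asset inventory: the room that physically houses each host.
HOST_LOCATION = {
    "eng-ws-07": "server-room-b",
    "hmi-01": "control-room",
    "fileserver-2": "server-room-a",
}

# Constructed network-side alerts (timestamp, source, key=value fields).
NETWORK_LOG = """\
2025-03-14T02:13:05 IDS alert host=eng-ws-07 sig=smb-lateral-movement
2025-03-14T09:41:10 IDS alert host=fileserver-2 sig=port-scan
2025-03-14T23:02:55 IDS alert host=hmi-01 sig=new-usb-mass-storage
"""

# Constructed badge-reader events from the physical access control system.
BADGE_LOG = """\
2025-03-14T01:58:41 BADGE door=server-room-b user=contractor-112 result=granted
2025-03-14T09:20:03 BADGE door=server-room-a user=sysadmin-4 result=granted
2025-03-14T22:45:30 BADGE door=control-room user=op-shift-c result=denied
2025-03-14T22:47:12 BADGE door=control-room user=op-shift-c result=granted
"""

WINDOW = timedelta(minutes=30)   # assumed correlation window
BUSINESS_HOURS = (7, 19)         # assumed: badge events outside 07:00-19:00 are unusual


def parse(line):
    """Split 'TIMESTAMP SOURCE ... k=v k=v' into a dict; non k=v tokens are dropped."""
    ts, source, *rest = line.split()
    fields = dict(tok.split("=", 1) for tok in rest if "=" in tok)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["source"] = source
    return fields


def correlate(network_lines, badge_lines, window=WINDOW):
    """Return hybrid-scenario findings: alerts with badge activity on the host's room."""
    alerts = [parse(l) for l in network_lines.splitlines() if l.strip()]
    badges = [parse(l) for l in badge_lines.splitlines() if l.strip()]
    findings = []
    for alert in alerts:
        room = HOST_LOCATION.get(alert["host"])
        if room is None:
            continue  # no physical location on record: cannot correlate
        related = [b for b in badges
                   if b["door"] == room and abs(b["ts"] - alert["ts"]) <= window]
        if not related:
            continue
        after_hours = any(not (BUSINESS_HOURS[0] <= b["ts"].hour < BUSINESS_HOURS[1])
                          for b in related)
        denied = any(b["result"] == "denied" for b in related)
        findings.append({
            "host": alert["host"],
            "sig": alert["sig"],
            "room": room,
            "badge_users": sorted({b["user"] for b in related}),
            "severity": "high" if (after_hours or denied) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(NETWORK_LOG, BADGE_LOG):
        print(f"[{f['severity']}] {f['host']} ({f['room']}): {f['sig']} "
              f"with badge activity by {', '.join(f['badge_users'])}")
```

On the constructed input the daytime file-server scan with a routine badge entry is flagged medium, while the 02:13 lateral-movement alert preceded by a contractor badge-in and the 23:02 USB event preceded by a denied-then-granted control-room entry are flagged high; the port-scan alert would not be flagged at all without the badge event inside the window.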

Respond Function

Response planning must include physical isolation procedures and alternate site activation. Incident response teams need physical security expertise, not just cyber skills. Communication plans must account for physical infrastructure dependencies.

Recover Function

Recovery includes physical infrastructure verification and alternate site capabilities. You can’t restore from backups if the physical infrastructure is compromised. Recovery time objectives must reflect physical remediation requirements.

Strategic Design Principles for Future-Proof Threat Models

Based on analysis of successful attacks and framework limitations, here are strategic design principles for integrating physical topology into threat modeling:

Principle 1: Topology as Attack Surface

Treat physical network topology as a first-class component of your attack surface. Cable runs, equipment locations, and physical access points are not operational details—they’re security boundaries that require protection and monitoring.

Principle 2: Convergence Awareness

Modern networks converge physical and logical systems in ways that traditional security models don’t address. IoT devices, building automation systems, and operational technology create attack paths that span physical and cyber domains.

Principle 3: Hybrid Threat Scenarios

The most sophisticated attacks combine physical and cyber techniques. Threat models must consider multi-stage scenarios where physical access enables logical attacks and logical compromise facilitates physical access.

Principle 4: Defense in Depth Across Domains

Security controls must address both physical and logical threats. Network segmentation requires physical segmentation; access control requires physical access control; monitoring requires physical monitoring.

Principle 5: Continuous Physical Visibility

You can’t protect what you can’t see. Physical topology discovery and monitoring must be continuous processes, not one-time documentation exercises.

Implementation Strategy for Security Leaders

Phase 1: Assessment and Gap Analysis (30 Days)

Conduct comprehensive physical topology assessment using enhanced threat modeling frameworks. Identify gaps between current security models and physical reality. Quantify risks using integrated physical-cyber risk scoring.

Phase 2: Framework Integration (60 Days)

Adapt existing threat modeling processes to include physical topology considerations. Train security teams on hybrid threat scenarios. Develop integrated risk assessment methodologies.

Phase 3: Control Implementation (120 Days)

Deploy monitoring and protection capabilities across physical and logical domains. Implement integrated incident response procedures. Establish continuous physical topology discovery processes.

Phase 4: Maturity and Optimization (Ongoing)

Develop advanced threat modeling capabilities for complex hybrid scenarios. Integrate physical and cyber threat intelligence. Establish metrics and KPIs for physical-cyber security effectiveness.

The Strategic Imperative

Physical topology integration isn’t just about better threat models—it’s about strategic competitive advantage. Organizations that understand the physical-cyber convergence will build more resilient systems and respond more effectively to sophisticated threats.

The adversaries already understand this. Nation-state actors, criminal organizations, and corporate spies all employ hybrid techniques that exploit the seam between physical and cyber security. Our threat models need to catch up.

This requires cultural change as much as technical change. Security teams must work with facilities, operations, and business stakeholders who control physical infrastructure. Threat modeling becomes a cross-functional exercise that requires diverse expertise and perspectives.

The payoff is threat models that actually reflect how modern attacks work. When physical topology becomes part of your strategic security thinking, you’ll identify vulnerabilities that others miss, deploy controls that actually protect against real threats, and build resilience that survives both cyber attacks and physical compromise.

The network you can’t see is the network that will kill you. Time to start looking.

