The ability of cyber threats to compromise information systems is an ongoing danger to all organizations. However, an emerging threat presents a new challenge—cyberattacks that may cause physical harm to systems and persons. This threat has become acute for certain sectors such as critical infrastructure.

Historically, cyberattacks seek to harm a target by either causing disruption of a system or covertly entering to commit espionage or data theft. Recently, a new cyberattack has evolved to harm targets by causing physical damage or corruption of a system. For example, in 2016 one piece of malware targeted Ukraine’s power grid and cut power to 20 percent of the capital. The attack occurred toward the end of winter and left residents without electricity, lights, and, in some cases, heat. It involved malware that could activate or deactivate controls, and, as the attack was unfolding, it became clear that it was engineered for maximum effect because it also took backup power sources offline.