Let's Get Physical
Not all risks are created equal
October has seen two events on different sides of the world that bring home how important physical security is to overall operational resilience: the alleged Louvre heist (19 October) and alleged acts of sabotage against Sydney hospitals (28 October).
The sheer brazenness of those allegedly engaging in these acts struck me and prompted me to better understand what happened and what it all means from a risk management standpoint. Indeed, I am writing this piece to try and correct my own occasional bias towards treating cyber as the most important risk type for organisations, especially CNI asset operators.
After all, why try to hack something remotely to achieve a given objective when you can exploit fundamentally weak physical controls on the part of the operator?
Let’s dive in.
The Louvre Heist
Let’s start with this bit from an ABC News piece on the aftermath of the breach:
[The French Culture Minister] refused the resignation of the museum director and cited four failings: underestimated risk, under-equipped security, ill-suited governance and ‘obsolete’ protocols.
Holy moly, what’s not in the list of security shortcomings, as identified by the Minister and the inquiry by the Cour des Comptes (France’s highest auditor) on security at the Louvre from 2018-24?
It all flows from ‘chronic, structural underestimation’ of risk. Substandard governance is far from uncommon, so I’m not surprised. The failure to even identify, however, how large one’s risks are, that is in-ex-cus-able!
You are a museum with shiny objects that baddies want to steal and you don’t give the security of said objects the same thought as their procurement? Why bother procuring them (a focus for which you were criticised, at the expense of security) if you then, as the Cour des Comptes’s report arguably implies, allow such catastrophic physical security failures to happen?
To think the only CCTV camera monitoring the targeted area at the time of the heist was facing away from the balcony which the thieves climbed over to infiltrate the museum. And to think the museum is only installing anti-ramming (despite the string of ISIS-inspired vehicular lone wolf attacks in Europe in the 2010s) and anti-intrusion devices in the next two months. Ye gods above, what on earth?!
Had the alleged thieves not been rank amateurs, leaving behind some of the loot, tools, clothing, protective gear and, in the process, their DNA, who knows whether they would have been caught as quickly as they were? After all, the authorities otherwise wouldn’t have had anything to check against their database of the DNA of people with criminal histories.
Given the longstanding awareness on the part of Louvre management of the need for security uplift, and indeed their degree of planning for it, I’m reminded of how Maersk coasted into being NotPetya’d in 2017. I remember being struck by the latter firm green-lighting, indeed funding, basic control uplift, but never really getting around to it until its entire IT network (bar the Ghana office with that domain controller) was blown to kingdom come, even if accidentally, by Russian military intelligence.
The main reason? The security execs’ KPIs weren’t set appropriately.
(More on this in Andy Greenberg’s book and my discussion with two legal experts on the old podcast.)
If we fast-forward to the Louvre, management had apparently been looking at security modernisation since 2018, but kept delaying implementation, to the extent that control uplift was only supposed to start next year, while a measly 3 million euros had been spent on said modernisation over 2018-24.
Well, if only the baddies had done the French the courtesy of scheduling their criminality around when the exhibition spaces were getting secured properly. I’m reminded of this exchange between Bernard and the PM about NATO’s posture in Yes, Prime Minister:
Bernard: The Dutch, Danish and Belgian armies go home for the weekend.
Jim: So if the Russians are to invade, we’d prefer them to do it between Mondays and Fridays?
Funnily enough, the alleged thieves became known ‘as criminals with a “better work-life balance” than the rest of society’, given their choosing to rob the place in broad daylight.
By the way, what does this mean for security governance in France? The Culture Minister refused the resignation of the museum director, Laurence des Cars, after all. The director presides over one of the biggest physical security stuff-ups in recorded history. Her boss makes clear the elementary causation of the stuff-up. And yet she gets to keep her job?
But then again, how many CEOs of major companies have resigned after serious breaches of cyber resilience that were caused by a dearth of basic controls?
Having discussed security governance at the Louvre, let’s shift to the other side of the world.
Sabotage at Sydney Hospitals
I’ll again start with bits from a news article, this one being from the Sydney Morning Herald:
All NSW public hospitals will urgently audit the security of medical gases as authorities investigate the death of a 72-year-old man at a Sydney hospital about an hour after a woman allegedly switched off the facility’s supplies in an act of sabotage.
… allegedly destroying electrical wiring and scaling a wall to access a restricted area at The Sutherland Hospital in Caringbah in Sydney’s south. Police allege she also tampered with water and gas mains and activated fire hoses at the nearby Kareena Private Hospital before her arrest.
My condolences to the family of the elderly gentleman. Om Shanti.
These are highly significant physical security failures and thank goodness hospital staff rehearse contingency plans. (I ask out of ignorance: is two hours the usual time taken by a hospital to restore medical gases after acts of sabotage?)
On the specific incidents here, is it a contributing factor that Australia’s is a high-trust society where folks don’t go around randomly/negligently/maliciously attacking vital physical infrastructure like substations, gas/water mains, fire control panels/security cameras? (Side note: here’s my thread on incidents of American electricity substations being (allegedly) targeted by saboteurs of varying motivations.)
Certainly, it appears from reading the article that the alleged saboteur in this case seemed like she needed a lot of help, so to speak. After being charged over the above incidents, she refused an offer of LegalAid and indeed told the court that ‘I didn’t do it’. Sheesh.
I know nothing about how to safely store medical gases, but I visited a hospital recently and I dunno if it’s a good idea for tall tanks of the stuff to be sitting outside behind merely a tall-ish fence and a chain-link door. That too, located not that far from actual hospital buildings. What if someone simply chucked a Molotov over said fence or popped off a few rounds with an illegally-acquired handgun at the tanks?
The security audit in NSW could not be timelier. We have to have a serious conversation about physical security in Australia, especially about that of our CNI. Yes, CNI cyber resilience is vital, but it’s far easier for bad actors to potentially trigger the same/worse outcomes if they simply shoot at, block access to or physically tamper with relevant assets.
Think of the angle grinders and disc cutters used by the alleged Louvre thieves: what’s stopping someone going to Bunnings/on Alibaba/Temu to buy one of these power tools and then having at an exposed, vital component of an asset, like gas mains?
Given our deteriorating physical security risk landscape, we can’t expect our CNI assets to be left alone. There are, of course, the threats from hostile foreign intelligence services, something our European cousins have had to deal with vis-à-vis Russia since February 2022. Recall the Director-General of Security’s recent remarks in the 2025 Lowy Lecture (emphasis added):
Russia’s brazen acts of sabotage in Europe demonstrated its willingness to use a wider range of tools and tactics to coerce, intimidate and damage perceived adversaries, and we should not assume Australia is immune.
Indeed, look at Mike Burgess’s warning about ‘a more aggressive and reckless Russian intelligence apparatus’.
Separate to intelligence services and their agents/useful idiots, you have terrorist groups and activists. Again, let’s throw to DG ASIO (emphasis added):
Since October 2023, we’ve seen more provocative protests and a notable uptick in intentionally disruptive and damaging tactics by anti-Israel activists, including multiple acts of arson, vandalism and violent protest against defence companies accused of supplying weapon components.
… they contain individuals who are increasingly willing to embrace or threaten violence to achieve their goals.
He’s referring to, among other incidents, attacks on our DIB, which is part of our CNI (see the Security of Critical Infrastructure Act 2018 (Cth) s 8D(k)). For instance, from July this year alone:
July 2025: The alleged arson attack against and subsequent threats to employees of Lovitt Technologies in Melbourne from an anti-Israel group; and
July 2025: The alleged scaling of the roofs of two DIB firms in Canberra, including Electro Optic Systems.
There have also been alleged attacks on police by Pro-Palestine activists protesting the presence of Israeli defence companies at the recent Indo Pacific International Maritime Exposition conference in Sydney.
In addition to the DIB: there have also been repeated attempts since October 7 by Pro-Palestine activists to disrupt the functioning of our ports because they berth merchant vessels with Israeli links.
Shifting from Pro-Palestine stuff to climate activism, there’s the Rising Tide group hellbent on disrupting the functioning of the Port of Newcastle if coal-carrying ships are in the area, including by sailing into the shipping channel (breaching prior assurances given to the Port) and vandalising a coal vessel.
I find it hard to classify such incidents as anything bar political violence targeting (the functioning of) our CNI and thus our national security. The normalisation of this violence as a form of ‘protest’ is despicable. Recall what DG ASIO warned when delivering this year’s threat assessment:
The normalisation of violent protest and intimidating behaviour lowered the threshold for provocative and potentially violent acts.
(Though the target was not CNI, I’d like to mention the heinous attack on diners at the Miznon restaurant in Melbourne by Pro-Palestine activists, allegedly because the owner was a spokesman for the Gaza Humanitarian Foundation.)
And we haven’t even started talking about the threat from neonazi groups like the National Socialist Network yet.
Are the physical security controls for our multitude of CNI assets—especially our systems of national significance (the super-duper CNI assets, as per SOCI Act s 52B)—up to scratch to deal with an ever-worsening risk landscape?
Gee, as if ASIO’s protective security brief wasn’t packed enough as it is. One also hopes that Australia’s Cyber and Infrastructure Security Centre, which administers the SOCI Act, pays due attention to how the responsible entities for covered CNI assets are complying with their physical security hazard management obligations under Part 2A of the Act and the associated rules.
P.S. Recently, NSW Police got word of sabotage at a telecom tower in the NSW Hunter region. That sabotage is potentially linked with a telecoms outage (including for 000 services) in the Port Stephens and Maitland areas, which impacted around 34,000 people.
Reflections
All risks are not created equal. Yes, the cyber risk landscape is deteriorating, but so is the physical security risk landscape, especially when we look at our CNI.
The Louvre heist was not pulled off by professionals, but rank amateurs. One could argue that the museum was asking for it because of the sheer scale of its under-investment in physical security modernisation as well as its severe under-estimation of security risks more generally. It knew the risks it was taking on (given the years of security reviews and budgeting for control uplift) so a heist’s occurrence could have been considered a matter of when, not if.
When we look at the alleged acts of sabotage against Sydney hospitals—one being followed by an elderly patient’s demise—I reckon it is insufficient to merely check if our hospitals are compliant with existing standards. Rather, we must look at whether our approach to physical security—especially with respect to exposed yet crucial assets like fire control panels/gas/water mains—is fit for purpose in a worsening risk landscape.
After all, what if the alleged Sydney assailant was not someone wandering around in breach of bail, but a local criminal paid off through cut-outs by a hostile intelligence service to do far more damage than occurred above (as was the case with Iran’s sponsorship of certain antisemitic arson attacks in Sydney and Melbourne)?
What do you think?
P.S. Just a few days back, part of a Polish railway track which is used for carrying stuff to Ukraine was blown up, allegedly ‘on behalf of a foreign intelligence service’, as per the Polish National Prosecutor’s office. Go figure.