Convergence of Physical and Cybersecurity in the Philippines: Practices, Challenges, and Frameworks (2018–2025). A Comprehensive Literature Review.

Abstract

This literature review examines the evolving convergence of physical and cybersecurity in the Philippine context from 2018 to 2025. Through a thematic synthesis of academic research, government policy documents, industry reports, and credible media sources, the study analyzes the drivers, practices, challenges, and institutional frameworks shaping integrated security strategies across critical infrastructure, government, smart cities, and the private sector. Findings reveal a growing recognition of hybrid cyber-physical threats and a shift toward unified defense models, exemplified by initiatives such as the National Cybersecurity Plan 2023–2028, Executive Order No. 58, and the National Telecommunications Security Council. Despite progress, persistent challenges remain—including fragmented organizational structures, regulatory gaps, workforce shortages, and underinvestment in converged technologies. The review concludes that while the Philippines is on a trajectory toward security convergence, full institutionalization requires a dedicated Critical Infrastructure Protection law, multi-sector collaboration, and sustained investment in training and integrated systems. This article contributes to the global discourse on cyber-physical security by offering a detailed case study of convergence in a rapidly digitizing developing nation.

Keywords: cybersecurity, physical security, security convergence, critical infrastructure protection, Philippines, cyber-physical systems, National Cybersecurity Plan

Introduction: The Imperative of Security Convergence

In an era defined by digital transformation, the boundaries between the physical and cyber domains are increasingly dissolving. Modern threats no longer operate in isolation; instead, they exploit the interdependencies between digital systems and physical infrastructure. This has given rise to the concept of security convergence, the strategic integration of physical security and cybersecurity functions into a unified, holistic defense framework. As one industry guide defines it, “convergence melds physical security, cybersecurity, and business continuity planning together” (ASIS Foundation, 2022). The rationale is clear: a cyberattack can disrupt physical operations, and a physical breach can enable digital intrusion. In the Philippine context, where critical infrastructure, government systems, and private enterprises are rapidly digitizing, this convergence is not merely a best practice but an operational necessity.

The Philippines, like many developing nations, faces a complex and evolving threat landscape. Cyberattacks on government agencies, ransomware incidents affecting public services, and physical sabotage of critical infrastructure are no longer hypothetical, they are documented realities. As such, the integration of cyber and physical security has emerged as a central theme in national security planning, corporate risk management, and urban development. This literature review synthesizes research, policy developments, and practical initiatives from 2018 to 2025 to provide a comprehensive analysis of the state of security convergence in the Philippines, examining its practices, challenges, and frameworks across government, critical infrastructure, smart cities, and the private sector.

Methodology

This review employs a thematic literature synthesis approach, analyzing peer-reviewed studies, government policy documents, industry reports, and reputable news sources published between 2018 and 2025. Sources were identified through keyword searches (e.g., “security convergence,” “cyber-physical systems,” “critical infrastructure protection,” “Philippines”) in academic databases (Google Scholar, ResearchGate) and institutional websites (e.g., DICT, The Asia Foundation, ERIA). The analysis is organized thematically around four domains: government frameworks, critical infrastructure, smart cities, and private sector practices. The goal is to identify patterns, assess progress, and highlight persistent challenges in the institutionalization of security convergence in the Philippine context.

Theoretical and Conceptual Foundations of Security Convergence

Security convergence is more than a technical integration; it is a cultural, organizational, and strategic shift. Traditionally, physical security (managed by facilities, guards, and law enforcement) and cybersecurity (handled by IT departments) operated in silos, with separate budgets, reporting lines, and response protocols. This fragmentation creates exploitable gaps. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that when cyber and physical security teams operate in isolation, they “lack a holistic view of security threats,” thereby increasing the likelihood that an attack will go undetected until it causes damage (CISA, 2021).

CISA emphasizes that organizations with converged security programs are more resilient and better prepared to identify, prevent, and respond to complex threats (CISA, 2021). By sharing information and aligning policies, converged teams gain a comprehensive risk picture that siloed departments cannot achieve. This integrated approach is anchored in shared goals: protecting people, assets, and data across both digital and physical environments.

The theoretical underpinning of convergence lies in the recognition that modern infrastructure is inherently cyber-physical, a term referring to systems where computation, networking, and physical processes are tightly interwoven. Examples include smart grids, automated transportation systems, and industrial control systems (ICS). In such environments, a breach in one domain can cascade into the other. For instance, a hacker disabling a power grid’s SCADA system can cause blackouts, while a physical intruder cutting fiber optic cables can cripple government communications. Thus, security must be equally integrated.

Converging Threats: The Hybrid Reality in the Philippine Context

The Philippines is increasingly vulnerable to hybrid attacks—threats that simultaneously target cyber and physical assets. The proliferation of Internet of Things (IoT) devices and Industrial IoT (IIoT) in critical systems has expanded the attack surface and blurred the line between digital and physical security (CISA, 2021). A 2022 study by The Asia Foundation warned that while cyber threats originate online, their impacts often “manifest beyond the digital space into our physical lives.” For example, a successful cyberattack on critical infrastructure could disrupt essential services or even endanger public safety (The Asia Foundation, 2022).

Public awareness reflects these converging concerns. A 2019 Unisys survey found that at significant events, Filipinos are almost as worried about data theft over Wi-Fi as they are about physical terrorist attacks, indicating a growing recognition that virtual and physical threats are equally critical (Unisys, 2019). This dual concern underscores the need for a unified security posture.

Recent incidents illustrate this hybrid reality. The 2023 ransomware attack on PhilHealth, the national health insurance agency, crippled its operations and exposed the personal data of millions of Filipinos. The breach had cascading physical consequences: hospitals and clinics nationwide experienced service disruptions, affecting patient care (Presto, 2025). Similarly, organized criminal groups have evolved from traditional heists to cyber-facilitated crimes, such as disabling CCTV systems or hacking building access controls to carry out robberies (Presto, 2025). These tactics demonstrate that modern threats are not purely digital or physical—they are converged.

Government Strategies and Policy Frameworks for Integrated Security

The Philippine government has taken significant steps toward institutionalizing security convergence, particularly through its National Cybersecurity Plans.

National Cybersecurity Plan 2017–2022 (NCSP 2022)

The NCSP 2022 was the country’s first comprehensive cybersecurity roadmap. It explicitly prioritized the protection of Critical Infrastructure (CI) alongside improving cyber resiliency (DICT, 2017). The plan identified four focus areas: government networks, businesses, the public, and CI systems so vital that their disruption would undermine national security or the economy (GovInsider, 2017). This marked a policy recognition that securing power grids, transportation, and finance from cyber threats is as crucial as traditional physical security.

National Cybersecurity Plan 2023–2028

Building on this foundation, the Department of Information and Communications Technology (DICT) released the updated NCSP 2023–2028, which further emphasizes converged security. One of its key pillars is “Secure and Protect Critical Information Infrastructure (CII),” which aims to safeguard essential services from cyberattacks (Lumify Work PH, 2024). The plan calls for:

• Regular vulnerability assessments of CII facilities

• Incident response plans involving both cyber and physical contingencies

• Cybersecurity certification requirements for operators

• A whole-of-nation approach involving government, industry, and international partners (Lumify Work PH, 2024)

The plan also proposes establishing a National Security Operations Center (NSOC) and strengthening the National Computer Emergency Response Team (CERT) to coordinate responses to attacks on critical systems (Lumify Work PH, 2024).

Executive Order No. 58 (2023)

In April 2024, President Ferdinand Marcos Jr. issued Executive Order No. 58, adopting the NCSP 2023–2028 as a “whole-of-nation cybersecurity roadmap” (US–ASEAN Business Council, 2024). The EO directs agencies to follow the NCSP, sets minimum cybersecurity standards, and calls for accreditation of cybersecurity service providers (US–ASEAN Business Council, 2024). However, it also acknowledges that dedicated guidelines for critical infrastructure are still forthcoming, pending the proposed CII Protection Act (US–ASEAN Business Council, 2024).

Inter-Agency Collaboration

The government has also established structures to facilitate convergence:

• The National Cybersecurity Inter-Agency Committee (NCIAC) harmonizes policies across civilian, defense, and law enforcement sectors.

• The Armed Forces of the Philippines (AFP) launched a Cyber Command to bolster military cyber defense, recognizing that digital attacks can be as disruptive as kinetic ones (C8 Secure, 2024).

• The Department of Energy has created a Cybersecurity Management Office to coordinate with energy companies on cyber-physical incident drills.

Despite these advances, the absence of a binding Critical Infrastructure Protection (CIP) law remains a critical gap. As of 2024, the Philippines lacks dedicated laws, standards, or government training programs for OT/cyber-physical security (ERIA, 2023). This regulatory vacuum leaves many sectors reliant on voluntary compliance and best practices from around the world.

Critical Infrastructure: Cyber-Physical Risks and Resilience

Critical infrastructure—encompassing energy, water, transportation, finance, and telecommunications—is at the forefront of security convergence. These sectors have adopted digital control systems, such as SCADA and PLCs, which improve efficiency but also introduce new vulnerabilities.

Energy Sector

The Asia Foundation (2022) notes that the power/energy industry’s digital transformation has “created multiple layers of threats and risks that need to be mitigated.” A historical example is the Meralco SCADA scare in the 2000s, where unauthorized radio interference disrupted the wireless controls of substations, a weakness that could have caused blackouts (The Asia Foundation, 2022). The 2015 Ukraine power grid cyberattack serves as a cautionary tale for the Philippines, underscoring the critical importance of cybersecurity in maintaining the safe operation of power systems (The Asia Foundation, 2022).

Telecommunications Sector

In 2025, major telecom operators (PLDT/Smart, Globe, DITO, Converge) formed the National Telecommunications Security Council (NTSC), an industry-led alliance to secure infrastructure against both cable-cutting vandals and cyberattacks (Gadgets Magazine, 2025). The NTSC is developing:

• A coordination framework for joint threat response

• Cross-sector security drills

• Integrated protective measures combining physical hardening and cyber defenses

As Smart Communications’ COO stated, “no single entity, government or private, can address these threats alone. But together, through trust, coordination, and shared responsibility, we can build a more secure digital future” (Gadgets Magazine, 2025).

Challenges in Implementation

Despite progress, challenges persist:

• Legacy systems in critical infrastructure are often incompatible with modern security solutions.

• Cost constraints limit adoption, especially in government-run utilities.

• Skills shortage: There is a lack of ICS/SCADA security experts in the Philippines (Mobility Foresights, 2025).

• Uneven maturity: While banks and telcos may have advanced postures, regional utilities often lag (ERIA, 2023).

Smart Cities and Integrated Urban Security

The rise of smart cities in the Philippines, such as New Clark City and Davao City, further underscores the need for convergence. These cities integrate IoT sensors, automation, and data networks into urban services, blending cyberspace with the physical environment.

Cyfirma (2022) warned that if a determined attacker gained access, they could “change the chemical composition of water being supplied” or “bring down the electricity grid,” causing real-world harm. This highlights a cyber-physical threat: a remote intrusion leading to physical consequences.

In response, the Department of the Interior and Local Government (DILG) promotes best practices, including:

• Data privacy and protection standards

• Securing IoT deployments

• Establishing city-level CERTs

• Conducting privacy and security impact assessments

Some cities are treating smart infrastructure like critical infrastructure, applying risk assessments to both digital and physical assets. However, many are still in early stages, and cybersecurity is often an afterthought rather than a design principle.

Private Sector and Enterprise-Level Convergence

The private sector is also embracing convergence, particularly in sectors like banking, malls, and healthcare.

Banks and Financial Institutions

Historically focused on physical security (guards, armored transport) and IT security (firewalls, encryption), banks now recognize the inseparability of the two. A breach in a bank’s cyber infrastructure—such as malware in the ATM switch—can lead to nationwide ATM outages (Blancaflor et al., 2023). Many large corporations have created converged security departments or cross-functional teams under unified risk management frameworks.

Shopping Malls and Commercial Hubs

Modern malls face blended threats. A weak Wi-Fi network or vulnerable CCTV system can be exploited to sabotage HVAC systems, lighting, or payment networks. A 2023 case study noted that such establishments pose both physical and cybersecurity risks, necessitating the integration of audits and training (Blancaflor et al., 2023).

Private Security Industry

With over 500,000 licensed guards, the private security sector is evolving. Some firms now offer integrated services, combining manned guarding with network vulnerability assessments. However, challenges remain, including underinvestment, lack of cyber awareness, and outdated training curricula (Presto, 2025).

Key Challenges and the Way Forward

Despite progress, several challenges hinder full convergence:

1. Siloed Organizational Structures: Separate reporting lines for physical and cyber security persist.

2. Policy and Regulatory Gaps: No dedicated CIP law or OT security standards.

3. Resource and Skills Constraints: Limited budgets and a shortage of converged security professionals.

4. Legacy Infrastructure: Outdated systems resist integration with modern security platforms.

5. Evolving Threat Landscape: Ransomware, AI-driven attacks, and IoT botnets require constant adaptation.

Strategic Recommendations

• Enact a CII Protection Law to establish mandatory standards.

• Create Multi-Sector Security Alliances (e.g., NTSC model for energy, finance).

• Invest in Training and Cross-Skilling through DICT’s Cybersecurity Academy and university programs.

• Adopt Integrated Technology Solutions like unified Security Operations Centers (SOCs).

• Promote Cybersecurity-by-Design in smart city and infrastructure projects.

Conclusion

From 2018 to 2025, the Philippines has made notable advancements in integrating physical and cybersecurity, reflecting a growing awareness of the complex and interconnected nature of modern threats. Government strategies, industry initiatives, and academic research all underscore a collective recognition that hybrid threats, those that combine physical and cyber elements, demand a coordinated and unified defense approach.

Over these years, the Philippine government has undertaken several key initiatives to strengthen its cybersecurity framework alongside traditional security measures. The establishment of the Department of Information and Communications Technology (DICT) has been pivotal in coordinating national efforts, enhancing cyber resilience, and developing strategic policies that address emerging cybersecurity challenges. Comprehensive policies, such as the National Cybersecurity Plan, have laid the groundwork for a more robust security posture by emphasizing collaboration between public and private sectors.

Industry partnerships have also been essential in this journey. Private enterprises are increasingly called upon to collaborate with governmental bodies to share threat intelligence, develop best practices, and foster innovation in cybersecurity solutions. This has led to a burgeoning cybersecurity industry in the Philippines, which not only helps protect critical infrastructure but also positions the country as a potential hub for cybersecurity services in Southeast Asia.

Academic institutions have played a significant role by conducting research that informs government policies and industry practices. Universities have begun to offer specialized programs designed to cultivate a skilled workforce capable of meeting the growing demands of both physical and cyber defense sectors. These educational endeavors are crucial in addressing the skills gap in cybersecurity, as the need for proficient professionals grows in tandem with the increasing digital transformation.

Despite the progress made, challenges remain that must be addressed to ensure effective security convergence. Key issues include the need for comprehensive policy reforms that further integrate cybersecurity considerations into national security strategies, as well as ensuring adequate capacity-building that equips local authorities with the necessary skills and resources. Resource allocation remains a critical area where improvements are necessary; enhanced funding for cybersecurity initiatives, training programs, and infrastructure investments is essential to fortify defenses against increasingly sophisticated threats.

Moreover, the importance of inter-agency collaboration cannot be overstated. By breaking down operational silos and encouraging information sharing between defense, law enforcement, and cybersecurity agencies, the Philippines can foster a more agile and responsive security framework capable of addressing evolving threats holistically.

Ultimately, the trajectory is clear: security convergence is no longer an option but a necessity. By continuing to invest in talent, enacting robust legal and operational frameworks, and nurturing a culture of collaboration across sectors, the Philippines can build a resilient, integrated security posture that effectively protects its people, infrastructure, and digital future. This proactive and collaborative approach will not only bolster national security but also enhance the confidence of citizens and businesses alike, ensuring a safer and more secure environment for all stakeholders.

References

Apillanes, A. T. (2024). Cybersecurity implementation in the Philippine Coast Guard: Challenges and policy recommendations [Master’s thesis].

ASIS Foundation. (2019). The state of security convergence in the corporate world. ASIS International.

ASIS Foundation. (2022). Security convergence: Aligning cyber and physical security functions. ASIS International.

Presto, MM, Bathala Solutions. (2025). Better pay and smarter tech: Safer private security. https://www.bathalasolutions.com/better-pay-and-smarter-tech-the-key-to-safer-private-security-in-the-philippines

Blancaflor, A. C., Morales, R. E., & Sy, J. F. (2023). Security assessment in a Philippine shopping mall: Addressing converging physical and cybersecurity risks. In Proceedings of the 13th International Conference on E-business, Management and Economics (ICEME 2023). ACM.

C8 Secure. (2024). Cybersecurity | Cyber attacks on Philippines government. https://www.c8secure.com/2024/04/30/cyber-warfare-escalates-in-philippines-the-armed-forces-of-the-philippines-forms-exclusive-cyber-command-to-combat-growing-menace/

Cyfirma. (2022, May). Philippine smart cities need cybersecurity-by-design. Philippine News Agency / Outsource Accelerator.

Cybersecurity and Infrastructure Security Agency (CISA). (2021). Cybersecurity and physical security convergence. https://www.cisa.gov/sites/default/files/publications/Cybersecurity%2520and%2520Physical%2520Security%2520Convergence_508_01.05.2021.pdf

Department of Information and Communications Technology (DICT). (2017). National Cybersecurity Plan 2017–2022.

Department of Information and Communications Technology (DICT). (2023). National Cybersecurity Plan 2023–2028. Republic of the Philippines.

Economic Research Institute for ASEAN and East Asia (ERIA). (2023). Operational technology security in ASEAN. https://www.eria.org/uploads/Operational-Technology-Security-in-ASEAN.pdf

Executive Order No. 58. (2023). Approving and adopting the National Cybersecurity Plan 2023–2028. Office of the President, Republic of the Philippines.

Gadgets Magazine. (2025). Telcos to form united front with government and military against cyber and physical threats. https://gadgetsmagazine.com.ph/technology/cybersecurity/telcos-united-front

GovInsider. (2017). The Philippines unveils cybersecurity plan. https://govinsider.asia/intl-en/article/philippines-unveils-cybersecurity-plan

GovInsider. (2021). Smart cities need smart cybersecurity: Lessons from Southeast Asia. GovInsider.

Kaseware. (2023). Unified security operations guide: Bridging physical and cyber domains. Kaseware Inc.

Kital PH. (2021). Best practices in physical security. https://www.kital.com.ph/physical-security-tips-and-best-practices/

Lumify Work PH. (2024). Achieving cyber resilience via the National Cyber Security Plan. https://www.lumifywork.com/en-ph/blog/the-philippines-national-cyber-security-plan-2023-2028-roadmap-to-cyberspace/

Mobility Foresights. (2025). Philippines critical infrastructure protection market – analysis and forecast 2025. Mobility Foresights Research.

The Asia Foundation. (2022). Cybersecurity in the Philippines: Global context and local challenges. https://asiafoundation.org/wp-content/uploads/2022/03/Cybersecurity-in-the-Philippines-Global-Context-and-Local-Challenges-.pdf

Unisys. (2019). The Philippines shows the highest level of concern over security issues; one in five Filipinos have stopped dealing with an organisation after a data breach. https://www.unisys.com/news-release/ph-the-philippines-shows-the-highest-level-of-concern/

US–ASEAN Business Council. (2024). Philippines president issues executive order to strengthen cybersecurity. https://www.usasean.org/article/philippines-president-issues-executive-order-strengthen-cybersecurity