How the physical security of infrastructures is tested.
March 20, 2025
Water utilities, energy suppliers, telecommunications services, and other key sectors are considered critical infrastructures (KRITIS). But how well are they protected against physical attacks in Germany, and how and within what framework are they tested? We spoke about this with Lars Wilke, an expert in the physical security of infrastructures at TÜV NORD.
Mr. Wilke, how well are critical infrastructures in Germany protected against attacks, acts of sabotage, or natural disasters?
Lars Wilke: We simply don’t know. Unlike cybersecurity, there are no comprehensive, cross-sector requirements for the physical security of critical infrastructures. Physical protection is indeed mentioned in the current KRITIS legislation, but it is limited to IT systems. This gap is meant to be closed by the EU’s so-called CER Directive, which had to be transposed into national law by the member states by October 17, 2024. However, this has not yet happened in Germany. The federal government did present a draft law, the KRITIS Umbrella Act, but it was not passed due to the breakdown of the coalition. We now hope that the future government will quickly take up the implementation of the CER Directive. Given the current global situation, we cannot afford to neglect the protection of critical infrastructures.
So time is running out?
Yes, all the more because the previous draft law included transitional periods until 2027, which would likely be pushed back even further if adoption is delayed. Of course, operators must be given sufficient lead time to adapt to the new requirements. At the same time, we urgently need to get an initial overview of the current state of critical infrastructures. If it turns out that there are major gaps, this will require construction work and retrofitting, which cannot be approved and completed overnight.
Why is it so essential to protect critical infrastructures?
Even many small-scale attacks could cause large-scale damage to our infrastructure. We therefore need to ensure that our critical infrastructures are as well protected as possible against such attacks or natural disasters, and that their consequences remain manageable in the event of an incident, in order to guarantee the supply of the population. To highlight the importance of this issue, TÜV NORD has joined the Federal Association for the Protection of Critical Infrastructures (BSKI). There, we contribute our expertise, particularly in the area of physical security.
This is an article from #explore. #explore is a digital journey of discovery into a world that is rapidly changing. Increasing connectivity, innovative technologies, and all-encompassing digitalization are creating new things and turning the familiar upside down. However, this also brings dangers and risks: #explore shows a safe path through the connected world.
You and your team already test the physical protection of data centers, some of which are considered critical infrastructures. How do you approach this?
In most cases, these are voluntary assessments, some of which result in certifications. These may be requested by the data centers’ customers or required by a supervisory authority, which is often the case for data centers in the banking sector. The principle of assessment can basically be applied to any infrastructure and sector: first, we look at the environmental risks at the given location—flooding, earthquakes, but also the nearby gas station or the chemical plant ten kilometers away. Based on these findings, we then assess the structural protection of the facility: how secure are the windows, doors, and fences against break-ins? Is technical fire protection fully ensured by appropriate fire alarm systems and extinguishing equipment?
The next step is the security systems: video surveillance, intrusion detection systems, and access control systems—from card readers to biometric systems. We examine, for example, how fingerprint or iris scanners are configured and whether they have sabotage protection. We also look at which encryption methods the card reader systems use and how and where access authorizations are stored.
Does the power supply also play a role in the assessments?
Of course. Physical security does not only mean that no one can break into the facility, but also that it remains resilient against failures. Power supply is therefore a central focus of our assessments: we examine whether redundancies exist through different power sources and emergency power systems, and how these are designed. We also look at organizational aspects. The resilience and reliability of a facility ultimately depend on whether the staff knows what to do in every situation. While these issues are generally relevant across all industries, in data centers an additional factor comes into play: the entire cooling system. Servers must be cooled around the clock. If cooling fails, the servers fail too. To prevent this, appropriate redundancies must also be implemented here.
A complex and broad field that requires expertise from a wide range of disciplines.
Exactly! That’s why our interdisciplinary team consists of specialists from all relevant fields: mechanical engineering, physics, architecture, civil engineering, computer science, electrical engineering, and refrigeration technology. After we have thoroughly examined the individual facilities from different perspectives, we then evaluate how they interact within the overall system. Because the physical protection of infrastructure can only succeed if all the cogs mesh together.
Lars Wilke is Lead Expert for Physical Security of Infrastructures and Lead Auditor for Data Centers at TÜV NORD. A graduate in Energy and Environmental Engineering, he and his team assess data centers to determine how well they are prepared against natural disasters, acts of sabotage, and failures of individual supply systems.