The threat landscape for companies and institutions has grown significantly in recent years. Sabotage, industrial espionage and ransomware attacks are now among the most common risks. Companies that are part of critical infrastructure (CI) are required by law to take special precautions to protect themselves from a wide range of attacks and disruptions. In this interview, Torsten Hiermann of CriseConsult provides key insights into the challenges companies face in terms of both physical and cyber security.
Why is a 360-degree approach to security so important for critical infrastructure? Where in practice do you see security measures being treated in isolation rather than as part of a bigger picture?
Torsten Hiermann: A 360-degree approach is always essential – especially when it comes to protecting corporate assets or even human lives. That doesn’t mean that every area requires the same level of security. Protection goals and measures can vary, even within the same company or facility. The key is to view security as an integrated, holistic concept. As a practical example, companies may invest heavily in drone detection and defence, but allow contractor vehicles onto the premises with little or no control. It’s a clear mismatch and illustrates why looking at security in isolation is ineffective.
What are the most common physical security vulnerabilities you’ve seen? And how often are they the result of a lack of integration with other areas of security?
Torsten Hiermann: From a technical point of view, there are many effective physical security measures available. However, vulnerabilities often arise from two main factors: a lack of security awareness and a reluctance to invest. Awareness is particularly critical – it determines whether and how consistently an organisation protects its assets in a professional and up-to-date manner. It’s also important to remain realistic: not every theoretically possible measure is economically viable. A 360-degree approach means making targeted risk assessments.
A typical example from the field: companies train their employees extensively on social engineering threats. Meanwhile, the staff car park is open to the public, or employee parking permits clearly indicate that a vehicle belongs to someone from company XY. Associating a private car with a specific employee makes that car a potential target: access cards, transponders, laptops… Corporate security doesn’t start at the perimeter – it starts in the parking lot of a hardware store. In the worst-case scenario, a casual encounter becomes a “target” because the black Audi A6 with its company-branded parking sticker or licence plate frame signals: this car belongs to someone in the top management of company XY. From the attacker’s point of view, the person who gets in or out of that car is my person of interest.
How does the separation of IT and physical security create problems? Would you say this is a structural problem?
Torsten Hiermann: IT and physical security are two separate domains with different approaches and requirements. Each requires specific risk assessments, protective measures and response strategies. However, these two areas must ultimately work together. A holistic view doesn’t mean you need an all-powerful corporate security department or a super-CISO. But one thing is clear: complex threats are best addressed with integrated security approaches. The overall security of an organisation depends on a holistic strategy. Security is a shared responsibility – and it starts with something as basic as preventing tailgating.
What are your best practices for implementing a holistic approach to critical infrastructure security? Are there proven measures or checklists that have worked well?
Torsten Hiermann: I’d suggest taking a look at the security measures at the German Chancellery. But seriously, depending on the threat scenario and protection objectives, security concepts can be so complex that simple checklists are no longer sufficient. The more demanding the requirements, the more it makes sense to involve professional security consultants or planners. It’s a bit like medicine: there’s a big difference between hospitals that occasionally perform a certain procedure and those that specialise in it.
What’s the most common misconception you see when it comes to critical infrastructure security?
Torsten Hiermann: The most fundamental misconception is the failure to recognise the need for integrated security measures due to a lack of visible incidents – the idea that “nothing has happened so far, so we must be OK”. While this attitude may be tolerable in less critical areas, critical infrastructure operators must apply much stricter standards. Security cannot be reactive – it must be preventative and strategically planned.
What technologies or new security concepts do you see as being particularly forward-looking?
Torsten Hiermann: The key is system integration and connectivity. Detection and response are increasingly linked, often through the use of artificial intelligence. However, experience shows that professional attackers are always finding new ways to bypass defences. If technical security is strong, the organisation’s internal security culture may be the weak link – and vice versa. Again, a 360-degree approach is the only viable solution.
What are your top three recommendations for critical infrastructure operators to make their security strategy more sustainable and effective?
Torsten Hiermann: Sustainable means long-term effectiveness. Effective means it actually works. Opportunistic attackers can be deterred. Professional attackers adapt. The takeaway: security measures must be aligned with protection objectives, represent state-of-the-art solutions, and be continuously updated based on current risk analyses and threat scenarios. Security is a process – not a stand-alone technology or a static concept.
NOX SYSTEMS is dedicated to helping critical infrastructure owners, designers and integrators achieve smart, future-proof security by providing scalable, integrated security solutions.