In light of the current situation, what is the level of threat that operators of critical infrastructure face, and are other companies affected as well?

Torsten Hiermann: “The threat situation has changed in recent months and has increased significantly. At the end of september, chancellor Friedrich Merz summed it up: “We are not at war, but we are no longer at peace either.” Malicious manipulation is no longer a marginal phenomenon but rather a strategic method of disrupting economic, political, and social processes. The office for the protection of the constitution and the federal office for civil protection define this approach as deliberately impairing or destroying structures to weaken or influence them. This is not just about “classic” attacks on buildings, but also subtle attacks, such as disruptions to supply chains, targeted espionage, manipulation of public perception, and spreading uncertainty to influence political decision-making or encourage anti-state attitudes.

Therefore, the perpetrator landscape is broad. According to police statistics, left-wing extremist groups in particular tend to carry out attacks on infrastructure and provide instructions on how to build incendiary devices online. We also see state actors working through “proxies,” or recruited helpers who appear inconspicuous at first but are actually pursuing foreign interests. We must also not underestimate the danger from within. Employees who are frustrated or feel unfairly treated can become saboteurs.

Additionally, we are now dealing with hybrid threats. These attacks are not only physical, such as cutting a cable or attacking a transformer station, but also combine cyberattacks, social engineering, and classic physical attacks. Perpetrators intercept data, manipulate processes, or use social media to obtain information. That’s why I say the protection of objects doesn’t end at the fence.

You mentioned the importance of information. Could you elaborate on that?

Torsten Hiermann: Many people underestimate how valuable publicly available information is to a potential attacker. Social media profiles often reveal interesting information: For example, LinkedIn profiles often reveal not only where someone works, but also the projects and technologies they are involved in. This information is an excellent recruitment and evaluation tool for external services. The fact that Google Earth can be used to evaluate the initial vulnerabilities of a location is nothing new.

Added to this is careless handling of internal information. For example: In a critical infrastructure facility, tradespeople and service providers are given a detailed site plan with corresponding facility designations as part of their safety training. This provides potential perpetrators with precise information for planning an attack. This illustrates that protection against saboteurs also requires preventive information protection. What data should I publish? How restrictive should I be when naming contact persons? Is there a social media policy? How do I educate employees so they understand they are part of the security chain?

Drones have recently come into focus as a security risk. How do you see the role of airspace in the overall concept?

Torsten Hiermann: The threat posed by drones has reached a new dimension. They can film, collect reconnaissance data—for example, on processes or response times—record digital signatures, and transport objects and “weapons,” which they can drop. The war in Ukraine has shown how rapidly technology and its applications are advancing.

Nevertheless, I advocate a differentiated approach. Not every company needs to invest in expensive anti-drone systems right away. The key factor is risk analysis. A “normal” production facility without drones poses a lower risk than an energy supplier, chemical plant, airport, or military property, for example. In particular, KRITIS operators must now “take airspace into account” in their security concepts.

Remember that drones often complete their task before being detected. Therefore, the key questions are: How do we detect drones, and how do we respond to them? Rather, the security concept must be thought out from the perspective of the perpetrator. What information will a drone be able to see and access? How can that be prevented “on the ground”?

What specific countermeasures do you recommend in terms of organization and technology?

Torsten Hiermann: It’s about a holistic approach. First, the organizational side: prohibitions on filming and photography on company premises, employee training, and checking vehicles and people for items they are carrying. Access controls must also be reliable and effective. Depending on the level of protection, this may involve biometric procedures. In short, if I don’t check at the gate to see if a service provider is bringing in something undesirable, I don’t need to worry about drones above.

Technically, we have a wide range of options, including perimeter sensors, video surveillance, motion detectors, and tamper-proof devices. Drone detection systems can also be useful. In critical areas, active defense measures, such as jammers or interceptor drones, may be considered. At the same time, however, it’s important to consider resilience, such as redundant power supplies, emergency generators, and secure supply chains. Business continuity is always part of overall protection!

What role does integrated alarm and security management play in this context?

Torsten Hiermann: A crucial one. We can introduce as many individual measures as we like, but if they are not integrated, we will end up with a patchwork again. To create an effective 360-degree security concept, all vectors must be taken into account.

Does that mean that, in the future, all companies—not just KRITIS operators—will have to address attacks more intensively?

Torsten Hiermann: It depends on the risk analysis and the level of protection. A medium-sized mechanical engineering company may not face the same threats as a network operator. However, they can still be crippled by physical or IT attacks. Just think of cyberattacks, disrupted supply chains, or power outages. Production at the Tesla Gigafactory was crippled not by a highly complex operation but by a simple arson attack on a supply line. So, the question is, “How vulnerable am I?” How resilient are my processes? Have I taken precautions to remain operational in the event of an attack or minimize damage?

This is precisely why business continuity is important. Comprehensive protection is about more than just defense; it’s also about preparation. It requires companies to consider not only the physical perimeter but also information protection, social engineering, IT security, and airspace.

Intrusion detection systems are often the first technical component of a security infrastructure, but without an effective alarm management process, they remain limited in their effectiveness. In a fully integrated, 360-degree security approach, it is essential to combine detection, evaluation and response to create a seamless process. This is the only way to avoid fragmented solutions and manage security efficiently.

Torsten Hiermann of CriseConsult explains how intrusion detection can be embedded into an effective alarm management strategy, and why regular alarm drills are a frequently overlooked success factor.

How should effective alarm management be incorporated into a 360-degree security framework, and how can it prevent the development of isolated solutions?

Torsten Hiermann: In military settings, we use the term ‘actionable intelligence’, which means: Information must be reliable and timely enough to be processed and acted upon. In this context: There is no such thing as a 360-degree security approach without functional alarm management. What use is precise detection if the downstream structures don’t work? The process begins with planning a system that aligns with the defined protection level. Only then can the technical components be considered. Most importantly, detection must be linked to predefined actions, whether technical, such as building automation, or organisational, such as deploying security personnel.

What are the most common weaknesses of intrusion detection systems, particularly in critical infrastructure environments?

Torsten Hiermann: The issue rarely lies with the technology itself. The challenge lies in ensuring that detection leads to action, ideally in the form of timely intervention. However, when personnel are required to respond on site, security teams quickly reach their limits. Response times and available manpower are key constraints. Intruders don’t wait. Therefore, their movement patterns must be tracked and relayed in real time to internal responders. Ideally, their movement should also be restricted, for example via lockdowns. This is technically feasible, but requires investment. This brings us back to the point that technical capabilities must be aligned with risk assessments. Let me add this: Alarm management deals with what happens after an incident is detected. However, the ultimate goal should always be to prevent – or at least delay – the incident from happening in the first place.

Can intrusion detection systems actually increase risk, for example by triggering false alarms?

Torsten Hiermann: Even the best systems can be rendered ineffective by poorly coordinated processes. Frequent false alarms can reduce situational awareness. Consider, for instance, a fire alarm that goes off every week – people will eventually stop reacting. Reliability is paramount: if your system triggers unnecessary alarms, the real ones may be overlooked. This undermines the entire subsequent response process.

So, how can modern technologies like AI-based detection improve alarm management?

Torsten Hiermann: We’re seeing rapid technological advances, especially in AI. This is already shaping security systems. Behaviour-based video analytics is one example. Predictive policing is another example. In short, the earlier a threat is detected, even in its early or potential phase, the sooner you can respond or take preventive action. That’s the good news. The bad news is that bad actors are evolving too. Modern technologies are powerful tools. However, they should never replace physical protection, but rather enhance it.

How important is regular testing of alarm procedures (e.g., alarm drills) for the real-world effectiveness of a security concept?

Torsten Hiermann: That’s easy to answer – with Benjamin Franklin: “If you are failing to prepare, you’re preparing to fail.” Special forces train. So do emergency physicians, pilots, security teams, and industrial site operators. Alarm drills are among the easiest exercises to conduct – and yet, if the alarm chain fails as a single point of failure, the entire response process collapses. In short: practice matters.