Physical breaches are one of the most underestimated — yet potentially devastating — threats to modern organizations. It’s hard to predict, often strikes without warning, and can leave lasting damage. While cyberattacks like ransomware or phishing dominate the headlines, physical disruptions often go unnoticed. Yet the real danger lies in their combination: digital and physical attacks are increasingly intertwined.

In this expert interview, Björn Hawlitschka from MACONIA GmbH shares what businesses need to know now — and how to build real resilience against hybrid threats.

Mr. Hawlitschka, what types of digital or physical interference are most common today?

Björn Hawlitschka: According to the German digital industry association Bitkom, digital attacks have significantly increased in recent years. Ransomware, phishing, targeted malware infections, and other forms of cybercrime are often much easier for attackers to carry out than physical attacks. They don’t require physical presence, can be controlled remotely and anonymously, and usually involve lower risk. The rise of remote work and the growing connectivity of critical systems have accelerated this trend.
But that doesn’t mean physical disruption is losing relevance – quite the opposite. Although less frequent, physical attacks often have more far-reaching consequences, especially when critical infrastructure is involved. A recent example is the suspected left-wing extremist arson attack on the Tesla factory in Grünheide, which severely impacted the regional power supply.

Why is the combination of digital and physical threats particularly dangerous?

Björn Hawlitschka: Combined digital and physical attack strategies represent a particularly complex and challenging risk scenario. The digital component can be used for reconnaissance – reading building plans, disabling alarm systems, or manipulating access control. These vulnerabilities pave the way for targeted physical attacks that cause real damage. A cyberattack becomes the entry ticket for a physical assault. Attackers use this synergy to maximize impact and bypass defenses that are often only prepared for one type of threat.

Which internal weaknesses make companies vulnerable to targeted disruptions?

Björn Hawlitschka: One of the biggest weak points is one-sided focus – either on IT security or on physical protection. A company that installs firewalls and antivirus tools but has no access control system is just as vulnerable as one that does the opposite.
Often, basic organizational structures are missing – like a functioning crisis response team or clearly defined emergency processes. These gaps make it easy for attackers to create chaos through targeted actions. A lack of clearly communicated reporting channels and responsibilities also hinders effective responses to suspicious incidents. In the end, it’s the fragmentation of security structures that leaves many organizations exposed.

How can the human factor be strengthened to prevent targeted interference?

Björn Hawlitschka: Despite all the technology, people remain one of the biggest vulnerabilities – but also one of the strongest lines of defense when empowered correctly. What’s crucial is a lived security culture: Employees need to know how to act, what the risks are, and who to report to in case of suspicion. Real protection emerges only when basic awareness is integrated into everyday behavior – when it becomes second nature to challenge strangers in the hallway or to lock screens when leaving desks unattended. It’s also essential that awareness programs don’t just focus on IT. Physical aspects – like visitor protocols, USB port controls, or screen filters in sensitive areas – need to be trained and communicated just as regularly. Technical tools like video surveillance or access control systems are important – but without employee vigilance, they’re not enough.

How does today’s geopolitical climate influence the risk of targeted disruption?

Björn Hawlitschka: The current global political climate is significantly increasing the risk of targeted interference. The Russian invasion of Ukraine marked a new level of hybrid conflict, in which Western infrastructure has become a clear target – whether via state-sponsored hacking groups like APT28 or covert operatives on the ground. What’s striking is the rise of “low-level agents”: not trained spies, but individuals acting on orders to carry out simple but effective attacks.
Tensions with China could also drive an increase in industrial espionage and targeted disruptions, especially if economic isolation or tech sanctions take effect.
We also need to consider domestic threats – environmental activists or radicalized groups can become actors themselves, especially when political frustration grows.

How important is the integration of IT and physical security for comprehensive protection?

Björn Hawlitschka: Effective protection requires integrated strategies combining both digital and physical security. These two areas must be aligned not just technically but also organizationally. Modern security systems should enable centralized and modular management of intrusion detection, access control, video surveillance, and backup power. In hybrid attack scenarios, digital alerts must trigger physical responses – for example, when a perimeter breach is detected, a response team must be dispatched automatically. Without this integration, companies risk falling into dangerous response gaps.

What are best practices for handling suspected security incidents or disruptions within an organization?

Björn Hawlitschka: Companies must establish clear and well-communicated reporting procedures. Employees should know exactly who to contact in case of a suspicious incident – and feel confident that their report will be taken seriously. It’s also smart to build relationships with security authorities, such as national security agencies or cybercrime units, well before an emergency occurs. If targeted disruption is suspected, external specialists like IT forensic experts or corporate security consultants should be brought in early. And when in doubt – for instance, if someone is acting suspiciously or photographing sensitive areas – it’s better to overreact than underreact. A professional and level-headed approach builds trust. Organizations that conduct regular crisis drills, assign dedicated emergency teams, and work with external partners are far better prepared. And let’s be clear: Preparedness costs money – but nowhere near as much as a successful security breach.

The threat landscape for companies and institutions has grown significantly in recent years. Sabotage, industrial espionage and ransomware attacks are now among the most common risks. Companies that are part of critical infrastructure (CI) are required by law to take special precautions to protect themselves from a wide range of attacks and disruptions. In this interview, Torsten Hiermann of CriseConsult provides key insights into the challenges companies face in terms of both physical and cyber security.

Why is a 360-degree approach to security so important for critical infrastructure? Where in practice do you see security measures being treated in isolation rather than as part of a bigger picture?

Torsten Hiermann: A 360-degree approach is always essential – especially when it comes to protecting corporate assets or even human lives. That doesn’t mean that every area requires the same level of security. Protection goals and measures can vary, even within the same company or facility. The key is to view security as an integrated, holistic concept. As a practical example, companies may invest heavily in drone detection and defence, but allow contractor vehicles onto the premises with little or no control. It’s a clear mismatch and illustrates why looking at security in isolation is ineffective.

What are the most common physical security vulnerabilities you’ve seen? And how often are they the result of a lack of integration with other areas of security?

Torsten Hiermann: From a technical point of view, there are many effective physical security measures available. However, vulnerabilities often arise from two main factors: a lack of security awareness and a reluctance to invest. Awareness is particularly critical – it determines whether and how consistently an organisation protects its assets in a professional and up-to-date manner. It’s also important to remain realistic: not every theoretically possible measure is economically viable. A 360-degree approach means making targeted risk assessments.

A typical example from the field: companies train their employees extensively on social engineering threats. Meanwhile, the staff car park is open to the public, or employee parking permits clearly indicate that a vehicle belongs to someone from company XY. Associating a private car with a specific employee makes that car a potential target: access cards, transponders, laptops… Corporate security doesn’t start at the perimeter – it starts in the parking lot of a hardware store. In the worst-case scenario, a casual encounter becomes a “target” because the black Audi A6 with its company-branded parking sticker or licence plate frame signals: this car belongs to someone in the top management of company XY. From the attacker’s point of view, the person who gets in or out of that car is my person of interest.

How does the separation of IT and physical security create problems? Would you say this is a structural problem?

Torsten Hiermann: IT and physical security are two separate domains with different approaches and requirements. Each requires specific risk assessments, protective measures and response strategies. However, these two areas must ultimately work together. A holistic view doesn’t mean you need an all-powerful corporate security department or a super-CISO. But one thing is clear: complex threats are best addressed with integrated security approaches. The overall security of an organisation depends on a holistic strategy. Security is a shared responsibility – and it starts with something as basic as preventing tailgating.

What are your best practices for implementing a holistic approach to critical infrastructure security? Are there proven measures or checklists that have worked well?

Torsten Hiermann: I’d suggest taking a look at the security measures at the German Chancellery. But seriously, depending on the threat scenario and protection objectives, security concepts can be so complex that simple checklists are no longer sufficient. The more demanding the requirements, the more it makes sense to involve professional security consultants or planners. It’s a bit like medicine: there’s a big difference between hospitals that occasionally perform a certain procedure and those that specialise in it.

What’s the most common misconception you see when it comes to critical infrastructure security?

Torsten Hiermann: The most fundamental misconception is the failure to recognise the need for integrated security measures due to a lack of visible incidents – the idea that “nothing has happened so far, so we must be OK”. While this attitude may be tolerable in less critical areas, critical infrastructure operators must apply much stricter standards. Security cannot be reactive – it must be preventative and strategically planned.

What technologies or new security concepts do you see as being particularly forward-looking?

Torsten Hiermann: The key is system integration and connectivity. Detection and response are increasingly linked, often through the use of artificial intelligence. However, experience shows that professional attackers are always finding new ways to bypass defences. If technical security is strong, the organisation’s internal security culture may be the weak link – and vice versa. Again, a 360-degree approach is the only viable solution.

What are your top three recommendations for critical infrastructure operators to make their security strategy more sustainable and effective?

Torsten Hiermann: Sustainable means long-term effectiveness. Effective means it actually works. Opportunistic attackers can be deterred. Professional attackers adapt. The takeaway: security measures must be aligned with protection objectives, represent state-of-the-art solutions, and be continuously updated based on current risk analyses and threat scenarios. Security is a process – not a stand-alone technology or a static concept.

NOX SYSTEMS is dedicated to helping critical infrastructure owners, designers and integrators achieve smart, future-proof security by providing scalable, integrated security solutions. > Our Solutions