Elementary Threat · BSI IT-Grundschutz

G 0.34 — Attack

Reviewed by: Cenedril Editorial
A.7.1 · A.7.2 · A.7.3 · A.7.4 · A.7.6 · A.7.11 · A.8.14 · BSI IT-Grundschutz · ISO 27001 · ISO 27002

In the 1980s, a bomb attack hit the data centre of a large federal authority in Cologne. The blast destroyed windows, walls and numerous IT systems. Decades later, little has changed about the underlying threat: physical force can destroy IT infrastructure within seconds — and recovery takes weeks or months.

Attacks (G 0.34) are extreme events with potentially catastrophic impact. The likelihood of occurrence is low for most organisations, but depends strongly on location, industry and political environment.

What’s behind it?

The BSI defines an attack as deliberate physical action against buildings, infrastructure or persons. The means range from vandalism through arson to bomb attacks. Motivation can be political, ideological, personal or economic.

Risk factors

  • Location — Institutions near demonstration routes, government buildings or conflict areas are more exposed.
  • Industry and activity — Companies in politically controversial areas (defence, energy, animal testing) or authorities with enforcement tasks carry a higher risk.
  • Public visibility — Prominent buildings with clear signage and media attention are easier targets than inconspicuous sites.
  • Current threat landscape — The threat level can change rapidly through political events, social tensions or targeted threats.

Impact

An attack can simultaneously destroy buildings, IT infrastructure, documents and human lives. The consequential damage — business interruption, data loss, reconstruction costs, trauma to staff — often exceeds the immediate physical damage many times over. Without geo-redundant data storage and a documented recovery plan, an attack on a data centre can permanently end business activity.

Practical examples

Arson attack on an office building. At night, unknown perpetrators set fire to the facade of an office building that houses the headquarters of an IT service provider. The fire spreads to the ground floor, where the server room is located. Sprinklers prevent complete destruction, but damage from the extinguishing water takes all servers offline. Recovery takes two weeks.

Vandalism on a fibre route. During construction work near a company site, unknown persons deliberately sever multiple fibre cables. The company loses its entire internet connection and the connection to the geo-redundant backup site. Because only a single cable route exists, the repair takes several days.

Explosive attack on critical infrastructure. An energy supplier operates a substation at the edge of a city. An attack on the transformers cuts the power supply to an entire industrial area. Several companies whose emergency power is designed to last only a few hours have to stop operations.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 7 mapped controls below in the section ‘ISO 27001 Controls Covering This Threat’.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

G 0.34 is linked by the BSI IT-Grundschutz catalogue to the following modules:

  • INF.1 (General building) — Structural protective measures against physical action.
  • INF.2 (Data centre and server room) — Special protection requirements for data centres, including access control and perimeter protection.
  • DER.4 (Emergency management) — Recovery planning after a physical attack.
  • INF.1.A35 (Perimeter protection) — Specific requirements for outer protection.

ISO 27001 Controls Covering This Threat

  • A.7.1 Physical security perimeters
  • A.7.2 Physical entry
  • A.7.3 Securing offices, rooms and facilities
  • A.7.4 Physical security monitoring
  • A.7.6 Working in secure areas
  • A.7.11 Supporting utilities
  • A.8.14 Redundancy of information processing facilities

Frequently asked questions

How realistic is an attack on a normal company?

For most companies, the risk of a targeted attack is low. It rises markedly, however, for institutions working in politically controversial areas, located near demonstration routes, or with high public visibility. The threat assessment must be specific to the site and the industry.

Who advises on assessing the attack threat?

In Germany, the state criminal police offices (Landeskriminalämter) or the Federal Criminal Police Office (Bundeskriminalamt) can be consulted. For operators of critical infrastructure, the BSI and the constitutional protection agencies are additionally available as contacts.

How do you protect a data centre against physical attacks?

The most important measures: inconspicuous location without public signage, multi-stage access control, resilient building envelope (burglar- and blast-resistant windows and walls), video surveillance, perimeter protection and a geo-redundant backup site that can take over in case of total loss.