Elementary Threat · BSI IT-Grundschutz

G 0.41 — Sabotage

4 min read · Reviewed by: Cenedril Editorial

In a large data centre, the uninterruptible power supply (UPS) fails four times within a single year. Each time the operational disruption lasts between 40 and 130 minutes, and some hardware damage occurs. After a lengthy investigation, the cause is revealed: an employee with access to the technical room had repeatedly switched the UPS to bypass manually and then tampered with the main power supply.

Sabotage — the wilful damage or manipulation of property and processes — ranks among the threats that are hardest to contain organisationally. The BSI lists it as elementary threat G 0.41. The challenge: saboteurs often know the infrastructure from the inside.

What’s behind it?

Sabotage refers to the deliberate manipulation or destruction of systems, infrastructure or processes with the aim of harming an organisation. Unlike many other threats, sabotage often requires physical access — and that is precisely what makes insiders particularly dangerous.

Data centres and communication links are preferred targets. There, an enormous amount of damage can be done with relatively little effort. A severed fibre-optic cable, a manipulated cooling cabinet or a deliberate water ingress in the server room — a few actions are enough to bring critical business processes to a standstill.

Forms of sabotage

  • Manipulation of building infrastructure — UPS systems, HVAC systems, fire alarm systems and power distributors are often not adequately protected against unauthorised access. A person with basic knowledge can cause significant damage there.
  • Destruction of communication lines — fibre-optic and copper cables often run through unprotected cable ducts or across publicly accessible grounds.
  • Logical sabotage — an administrator with privileged rights can delete databases, alter configurations or install backdoors. The traces can be covered with the right know-how.
  • Supply chain sabotage — manipulated hardware or software can be introduced into an organisation in a targeted way, to be activated later.

Impact

The scale of the damage depends heavily on how central the sabotaged component is. A single manipulated switch can take down a network segment; a sabotaged UPS can in the worst case bring an entire data centre to a halt. On top come the costs of forensic investigation, repair and — if the sabotage becomes public — significant reputational damage.

Practical examples

Water ingress in the server room. In a building where sanitary facilities are located near the server room, someone deliberately blocks the drains and opens the water supply. The inrushing water damages central network components. The business disruption lasts several days because replacement parts have to be procured first.

Manipulation of a fire alarm system. A dismissed employee still has three weeks of building access. He repeatedly triggers the fire alarm by manipulating the smoke detector in the server room. The gas fire-suppression system activates and the data centre shuts down automatically each time. Only on the third incident is the connection to the departing employee recognised.

Sabotage of outdoor cables. A company’s fibre connection runs through a publicly accessible cable duct. An unknown person cuts the cable over a weekend. Because there is no redundant connection over a physically separate route, the company remains offline until Monday morning.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 20 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.41 with the following modules:

  • INF.5 (Room and cabinet for technical infrastructure) — physical protection of technical components against unauthorised access.
  • INF.13 (Technical building management) — safeguarding of building services equipment.
  • IND.1 (Process control and automation technology) — protection of industrial control systems against sabotage.
  • DER.2.3 (Remediation of major security incidents) — processes for the forensic handling of sabotage incidents.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.15 Access control
  • A.5.23 Information security for use of cloud services
  • A.5.29 Information security during disruption
  • A.6.1 Screening
  • A.7.11 Supporting utilities
  • A.7.12 Cabling security
  • A.7.13 Equipment maintenance
  • A.8.1 User endpoint devices
  • A.8.7 Protection against malware
  • A.8.14 Redundancy of information processing facilities
  • A.8.15 Logging
  • A.8.19 Installation of software on operational systems
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.23 Web filtering
  • A.8.26 Application security requirements
  • A.8.27 Secure system architecture and engineering principles
  • A.8.28 Secure coding
  • A.8.29 Security testing in development and acceptance
  • A.8.31 Separation of development, test and production environments

Frequently asked questions

Does sabotage always come from external attackers?

The greatest sabotage risk often comes from insiders: employees, maintenance staff or service providers with physical access to critical infrastructure. They know the weaknesses of the systems and can inflict maximum damage with minimal effort.

Which areas are particularly vulnerable to sabotage?

Data centres, server rooms, UPS systems, air-conditioning equipment and communications links are especially attractive targets. They are central hubs: if one of these components fails, numerous business processes are often affected simultaneously.

How do I distinguish sabotage from a technical defect?

Individual failures can have technical causes. Repeated failures of the same component, unusual patterns (always at night, always at weekends) or physical traces (broken locks, altered cabling) point to sabotage. A forensic investigation brings clarity.
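The three indicators named in this answer (repeated failures of one component, an off-hours pattern, and physical traces) can be checked mechanically against an incident log and a door-access log before a forensic investigation is commissioned. The following script is an added example, not part of the BSI catalogue or of the original page. It replays the UPS scenario from the introduction: the incident lines, the badge-access lines, their formats, the badge and door names, and the "business hours" of 06:00 to 22:00 are all constructed assumptions. The script flags a component when it failed at least three times and either most failures fall outside business hours or the same badge entered the technical room shortly before most of them.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the page): incident log lines in the
# assumed format "<ISO timestamp> <component> <free-text description>".
INCIDENTS = [
    "2024-02-03T02:14 UPS-A bypass switched on manually, mains lost",
    "2024-04-21T01:50 UPS-A bypass switched on manually, mains lost",
    "2024-07-13T03:05 UPS-A bypass switched on manually, mains lost",
    "2024-09-28T02:40 UPS-A bypass switched on manually, mains lost",
    "2024-05-10T14:22 CORE-SW-1 link flap on uplink 1",
]

# Constructed door-access log for the technical room, assumed format
# "<ISO timestamp> badge=<id> door=<name>". Badge ids are placeholders.
ACCESS = [
    "2024-02-03T01:58 badge=E4711 door=TECH-ROOM",
    "2024-04-21T01:35 badge=E4711 door=TECH-ROOM",
    "2024-07-13T02:49 badge=E4711 door=TECH-ROOM",
    "2024-09-28T02:22 badge=E4711 door=TECH-ROOM",
    "2024-05-10T09:00 badge=E0815 door=TECH-ROOM",
]


def parse_incident(line):
    """Split an incident line into (timestamp, component, description)."""
    ts, component, description = line.split(" ", 2)
    return datetime.fromisoformat(ts), component, description


def parse_access(line):
    """Split an access line into (timestamp, badge id, door name)."""
    ts, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(ts), kv["badge"], kv["door"]


def is_off_hours(ts, night_start=22, night_end=6):
    """True at weekends or outside the assumed 06:00-22:00 business hours."""
    return ts.weekday() >= 5 or ts.hour >= night_start or ts.hour < night_end


def analyse(incident_lines, access_lines, door="TECH-ROOM",
            min_repeats=3, window=timedelta(minutes=30)):
    """Score every component on the three FAQ indicators.

    Returns {component: {...}}. 'suspicious' is set when the component
    failed at least min_repeats times AND either at least 75 % of the
    failures fall off-hours or one badge entered `door` within `window`
    before at least half of them (and at least twice).
    """
    accesses = [a for a in map(parse_access, access_lines) if a[2] == door]
    failures = defaultdict(list)
    for ts, component, _ in map(parse_incident, incident_lines):
        failures[component].append(ts)

    report = {}
    for component, times in failures.items():
        off_hours = sum(is_off_hours(t) for t in times)
        preceding = Counter()  # badge -> number of failures it preceded
        for t in times:
            seen = set()       # count each badge once per failure
            for ats, badge, _ in accesses:
                if timedelta(0) <= t - ats <= window and badge not in seen:
                    preceding[badge] += 1
                    seen.add(badge)
        badge, hits = preceding.most_common(1)[0] if preceding else (None, 0)

        repeated = len(times) >= min_repeats
        pattern = off_hours / len(times) >= 0.75
        linked = hits >= 2 and hits / len(times) >= 0.5
        report[component] = {
            "failures": len(times),
            "off_hours": off_hours,
            "badge": badge,
            "badge_hits": hits,
            "indicators": [name for name, hit in (("repeated", repeated),
                                                  ("off_hours", pattern),
                                                  ("access_correlated", linked))
                           if hit],
            "suspicious": repeated and (pattern or linked),
        }
    return report


if __name__ == "__main__":
    for component, r in analyse(INCIDENTS, ACCESS).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{component:10} failures={r['failures']} off_hours={r['off_hours']} "
              f"badge={r['badge']} ({r['badge_hits']}x) -> {flag} {r['indicators']}")
```

On the constructed data, UPS-A is flagged on all three indicators (four failures, all at night or at the weekend, each within 30 minutes of the same badge entering the technical room), while the single daytime switch fault is not. The thresholds are deliberately conservative so that one bad weekend does not raise a flag on its own; the output is a prioritisation aid for the forensic investigation the answer calls for, not a verdict, and it depends on the access log itself being protected against the same insider (ISO 27001 A.8.15 Logging).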