70% of the perimeter fences we tested in recent months were incorrectly installed.
Not damaged, but incorrectly installed. The nuts used to secure the fence elements were facing outwards. A ring spanner set is all it takes, and the fence has the desired gap.
This is not an isolated case. It is the average result of 12 physical penetration tests recently conducted by RH Security on behalf of defense contractors, food manufacturers, and energy suppliers. Ten out of 12 sites failed the test.
Before I explain why: none of these sites was poorly positioned on paper.
All had fences, cameras, and an external security service. All would probably have been given the green light during an inspection.
What distinguishes a physical penetration test from an inspection?
An inspection checks whether protective measures are in place. A physical penetration test checks whether they are effective.
The difference sounds small, but it isn’t. We didn’t use any tools, drones, or additional electronic equipment in our tests. We played by the rules: no damage, no business interruption. And yet we got in 10 out of 12 cases.
This is not because the sites were negligently secured. Physical security simply fails differently under real conditions than under test conditions. That explains the number.
The three places where physical security regularly fails
1. The perimeter fence
The fence looks like a deterrent. 2.00 to 2.50 meters high, with barbed wire on top. Until you take a closer look.
In almost 70% of the standard fences we tested, the installation was faulty and the screws were accessible from the outside. In 70% of cases, there was visible damage, vegetation growing through the fence to aid climbing, and gaps at corners or gates. Not a single site had anti-climb protection. If you can’t climb over, you dig under. We have used this method several times.
And there is another problem that is underestimated: a fence through which you can see into the company premises gives the attacker all the time in the world. They can study routines, observe vehicle movements, locate security personnel, and plan their attack accordingly. A fence without privacy protection is not perimeter protection, but an observation post for the other side.
2. Camera surveillance
A lot of technology, little effect in daylight conditions. Most of the systems we have encountered only function fully when there is no regular traffic on the premises, i.e., at night or on weekends. Motion detectors, thermal cameras, all sensibly set up for quiet periods.
During the day, when vehicles come and go, suppliers are on the premises, and employees change shifts, the system is set to allow passage. That is precisely where the window lies. Anyone who blends in with the ongoing operations wearing a yellow safety vest does not attract attention. We have tested this at several locations. Success rate: 95%.
3. The external security service
This is the point where I want to be most careful with my wording, because it is often misunderstood.
Security services do their job. The problem is more structural: a security guard who is also responsible for access control, handling visitor registrations, making rounds, and serving as the first point of contact for all kinds of issues cannot detect covert attacks. His job description simply does not allow for it.
None of the 12 locations had a scout positioned in front of the actual security chain to observe the premises in advance. The two locations that passed the test had one thing in common: a security concept that did not treat the security service as the sole human authority.
Why is this issue so urgent right now?
On January 3, 2026, perpetrators set fire to a cable bridge in Berlin-Lichterfelde. No elaborate cyberattack, no sophisticated technology. An incendiary device at a junction where several lines were bundled together. The result: around 45,000 households with approximately 100,000 people without electricity and heating, several hospitals and nursing homes affected, emergency numbers temporarily restricted. The longest power outage in Berlin since 1945. Power was not fully restored until January 7.
The perpetrators knew where to strike. That is the point that is relevant for security managers. Not the political motivation, not the question of who was behind it. But the fact that someone specifically identified, prepared for, and exploited a physical weak point.
Drones flying over LNG terminals, arson attacks on power pylons in Berlin in September 2025, cable theft on railway lines. These are not isolated incidents, but a pattern.
Hybrid attacks combine physical access with digital or infrastructural impact. Anyone who enters a building does not need to pick a lock or hack a server. All they need is a USB stick and an unobserved moment at the right computer. Physical security is the easiest attack vector in many companies because it has received less attention than IT security for years.
This is currently changing, enforced by regulations.
What do NIS2 and the KRITIS umbrella act mean in concrete terms?
Around 23,000 companies in Germany will fall under the categories of the KRITIS umbrella act. For many of them, physical security has been a footnote in their resilience plan until now.
That is no longer enough. NIS2 requires companies to explicitly anchor physical security measures in their protection concepts and prove their effectiveness. A physical penetration test is the recognized tool for this; it provides proof under real conditions, not on the basis of a checklist.
The legal pressure is real. But I would prefer to cite another reason when talking to security managers: an actual attack on a KRITIS site costs more than any test. Not just financially.
Why RH Security offers physical penetration tests
RH Security is known as a personal security company. The question of why we conduct physical penetration tests is a valid one.
The answer lies in our training. Our founder, Ivo Schendel, has ten years of practical reconnaissance experience in a special police task force. There, the focus is constantly on entering buildings, gaining access to premises, circumventing security forces, and identifying vulnerabilities. These skills are applicable on both sides. Personal security and physical security checks stem from the same operational thinking: How does someone gain access to a protected object, and what prevents this?
For KRITIS companies and defense contractors, RH Security therefore offers both: penetration tests for locations and property protection, and, on request, personal protection for executives and security escorts for sensitive transports.
Everything comes from the same skill set, just applied in different ways.
What does a physical penetration test not do?
A test is a snapshot. It shows where the gaps are on the day of the test. Routines change, personnel change, premises change. A one-off test without a follow-up concept therefore has limited value.
What makes the difference: a detailed report with prioritized vulnerabilities, concrete recommendations for action, and, if desired, continuous support as an independent second instance alongside the existing security service. This is exactly what worked at the two locations that passed our tests.
How well is your site really secured?
Whether your security service is doing its job is not the decisive question. What matters more is that most security concepts are designed for “normal operation,” not for someone who is specifically looking for gaps.
If you would like to check this in your company, I would be happy to speak with you personally. No standard offer, no checklist. We will look at your specific situation together.

Ivo Schendel
Owner and CEO
Former police chief inspector with 20 years of experience in the North Rhine-Westphalia police force, including 10 years with the special forces. Today, he advises companies and private individuals on all security matters.


