Accessibility
Language
Digital attacks on networked systems: How real are cyberattacks on critical infrastructure?
Cybersecurity to protect operational technology
18.03.2026
Traffic in a city follows fixed patterns: traffic lights regulate intersections, traffic flows interlock. Most people take this for granted.
But what happens when several systems fail at the same time? Within a few minutes, uncertainty arises and the usual rhythm comes to a standstill. What initially appears to be a technical malfunction can turn out to be a targeted digital intrusion into a networked system.
Cyberattacks no longer only affect data or email accounts. They affect machines, systems and transport infrastructures - in other words, the very systems that structure and stabilize our physical world.
How vulnerable are these structures really? Where are the typical weak points? And what does this mean for companies?
We discuss these questions in the following interview with Martin Aman, CTO of TG alpha GmbH. He has been working in the field of operational technology (OT) security for over ten years and supports industrial companies with cybersecurity issues, the protection of critical digital infrastructures and topics relating to digitalization and sustainability. Together, we will talk about real-life scenarios, regulatory developments and how digital security can be implemented in industrial practice.
Mr. Aman, to what extent does the above scenario correspond to actual threat situations?
Martin Aman: In principle, such a scenario would be possible. Specifically, we are talking about traffic light systems, i.e. traffic light systems whose components were originally developed without taking cybersecurity aspects into account. In combination with the respective network architecture, this could mean that an attack would be realistic in principle.
However, the fact that this has not usually happened so far is due to the fact that additional protective measures are in place. In addition to digital security mechanisms, physical security in particular plays a key role. Access restrictions through locks, fences or shielded areas make an attack considerably more difficult, as potential attackers would first have to gain physical access to the system and the network.
If, on the other hand, the systems were completely and unprotectedly connected to the Internet, such an attack scenario would be quite realistic.
You and your team support companies in the area of critical infrastructure, among other things. What types of incidents have you actually experienced in this context?
Martin Aman: The topic of critical infrastructures is now on everyone's lips, not least because of the volcano group in Berlin. This shows once again that even physical attacks, such as incendiary devices or sabotage, can cause considerable damage.
We observed a similar scenario to the one in the teaser back in 2019 in a larger city with around 150,000 inhabitants and 200 intersections with traffic lights. At the time, we were provided with a corresponding system for test purposes to check how easy it would be to hack such a system. And it was frighteningly easy.
After about 30 minutes with a bit of Internet research, I was able to understand how root rights, i.e. administrative access rights to the control of such a traffic light system, i.e. a traffic light, can be obtained. This made it possible to demonstrate that the system could even be deliberately disabled in the event of a successful compromise.
What exactly was the weak point?
Martin Aman: The vulnerability was simply that there was a debug mode for this access, which was openly accessible without any authentication such as username and password. Presumably, this access was originally intended for service or maintenance purposes.
From a security point of view, however, its existence was problematic, as it made an attack considerably easier. As soon as root rights are available on a system, there is complete control. In this case, all functions could be manipulated, including a targeted shutdown of the system.
What measures do you recommend if such an incident occurs or threatens to occur?
Martin Aman: Basically, it makes sense to first carry out an analysis of the current situation in the form of a risk analysis. Many of these networks are often not properly documented. Such an analysis is necessary in order to be able to assess which dangers actually exist and which risks need to be prioritized.
Suitable countermeasures can then be introduced on this basis. This can include, for example, commissioning a pen test, as was done in the case described. A penetration test means that the security of the systems in question is checked in a targeted and comprehensive manner.
In addition, enhanced physical protection measures or additional cybersecurity measures can be implemented. These include, for example, the introduction of authentication mechanisms or the technical hardening of devices so that they cannot be compromised so easily.
Is cybersecurity considered from the outset when building new facilities and infrastructures or is it still considered a nice-to-have?
Martin Aman: It is actually on the rise now. This is also linked to the European Union's cybersecurity strategy. In this context, various regulations and ordinances have been introduced, including the Cyber Resilience Act.
This is about bringing secure products onto the market, or, as the wording puts it, "placing them on the market". Originally, the mindset was primarily geared towards consumer devices. If you imagine, for example, buying a cell phone or a TV from a discount store and not receiving any updates from day one because the product has been around for a while and only remaining stocks are sold, this is problematic in terms of security.
This is precisely where the Cyber Resilience Act comes in. In future, there is to be a minimum term for such products. Manufacturers must provide security updates and patches for a certain period of time, usually at least five years, from the time the product is placed on the market.
There is also a requirement to introduce a secure development process. This can be reviewed by market surveillance authorities. Companies must therefore be able to demonstrate that they take cybersecurity adequately into account in the development process.
Overall, the topic is very complex. You are involved in the cybersecurity network at Bayern Innovativ. How do you specifically support small and medium-sized enterprises?
Martin Aman: TG alpha provides support for all cybersecurity issues in the OT sector, i.e. wherever it's not about traditional office IT, but about building automation, critical infrastructures and machines and systems.
We also provide advice in connection with regulations and ordinances. We are not lawyers, but have a background in electrical engineering and related fields. However, our aim is to prepare the regulatory requirements in an understandable way. Since we know the companies and their role in industrial practice, we can classify what the requirements mean in concrete terms, what measures are required and where there is a need for action. This is one of the areas in which we are active in consulting.
In addition to consulting, we also offer pen testing and support with security architectures, system design and evaluation. The aim is to provide companies with a partner that combines industrial understanding with cybersecurity expertise.
Many SMEs face the challenge of finding cybersecurity specialists in the first place, which is often a major cost factor. At the same time, knowledge from the classic IT world cannot be transferred one-to-one to OT systems. Typical IT solutions, such as installing an antivirus program on a controller, do not work in practice, as the resources of the devices are planned exclusively for their specific use case and therefore cannot install anything extra.
Where do you see other gaps where you say it is essential to take a closer look?
Martin Aman: I see a key gap in our own mentality. Many companies still approach the topic of cybersecurity too naively. They often say: "We're not relevant, it won't affect us." This often overlooks the fact that many companies work as suppliers for larger corporations or provide services for them. Anyone who delivers directly to a large automotive group, for example, is part of the supply chain. In this case, a company can quickly become a gateway for attacks.
Although large corporations place corresponding requirements on their suppliers, there is still a certain residual risk. An attacker could specifically target the supposedly weaker supplier in order to gain access to a larger company.
It is therefore crucial not to become a bridgehead for further attacks. Many underestimate that smaller companies can also be attractive targets. They work with various customers, possess sensitive information and are subject to confidentiality agreements. If such data is leaked, the consequences can be considerable.
In your opinion, is there a kind of quick win, i.e. a specific measure that companies could implement tomorrow, for example, to become a little more secure in the area of cybersecurity?
Martin Aman: Basically, the first thing you would say is: take care of it. However, this is not a classic quick win, as it involves a lot of effort. A measure that can be implemented in the short term is more in the area of physical protection.
For attacks, it is always crucial how easily a system can be reached, even physically. This can already mean gaining access to a data center and inserting a USB stick, for example. Such scenarios seem contrived, but are possible in principle. The time factor also plays a role here.
A pragmatic approach can be to first become aware of which systems are insecure or communicate with each other without encryption. These can then, for example, be housed together in a locked control cabinet that is actually secure.
Another example is remote maintenance. Here it can be specified that a connection is only established if a specific maintenance window has been agreed. Once the maintenance has been completed, the connection is disconnected again. In this way, a potential avenue of attack is limited in time instead of being permanently available.
You have certainly experienced many spectacular OT incidents or at least witnessed them at close quarters. If you had to film your most impressive case, which genre would you choose?
Martin Aman: I would like to do it in the noir genre, similar to the classic detective films in black and white. This atmosphere fits well because it is strongly characterized by investigative work and works a lot with inner dialogues, monologues and intensive conversations with those involved.
Typical elements such as encounters with the people involved could also be incorporated. Interpersonal relationships, manipulation and psychological dynamics play a central role, especially in the field of social engineering. This offers a lot of narrative scope.
If this genre doesn't fit, I would look more in the direction of "Blade Runner". There is also a film noir aesthetic there, combined with cyberpunk elements. This mixture of technical dystopia and gloomy mood also reflects the subject matter well.
The interview was conducted by Dr. Tanja Jovanovic, Head of Marketing & Innovation and Member of the Management Board, Bayern Innovativ GmbH, Nuremberg.
Also, don't miss the previous episode "Cybercrime in SMEs - A real cybersecurity case from everyday IT life"
Cybercrime in SMEs - A real case from the everyday life of operational technology (25.02.2026)
When networked transport systems or industrial plants are attacked, the effects are immediately noticeable: digital attacks can bring entire processes to a standstill. Dr. Tanja Jovanović discusses a real cyber incident from everyday life in operational technology with Martin Aman from TG alpha GmbH.
Your contact
