Minimum Architecture for Robot-Supported Security: What Operators Must Actually Build

The discussion around autonomous security robotics often drifts toward individual capabilities: battery life, sensor range, navigation accuracy. For operators of critical infrastructure in Europe, this framing is incomplete. As Dr. Raphael Nagel argues in KRITIS: Die verborgene Macht Europas, resilience is not a product feature but a system property. It emerges where infrastructure, redundancy, organisation and responsibility reinforce each other. Quarero Robotics approaches the question of minimum architecture robotic security from this angle: not which robot is deployed, but which architecture must exist before a robot can contribute meaningfully to a KRITIS operator's duty of care. The following essay translates Chapter 16.1 of the canon into a reference architecture that a Chief Security Officer can present to the board on a single page, aligned with BSI B3S environments, NIS2 expectations and the operational reality of the first 72 hours of a disruption.

From Point Solutions to a Reference Architecture

Most security estates in regulated European environments have grown historically. A perimeter fence was reinforced with cameras, cameras were connected to a control room, the control room was supplemented by guard patrols, and patrols were supported by access control. Each layer was added in response to a specific incident or audit finding. The result is a landscape that is functional under normal load and fragile under stress, which is precisely the condition KRITIS legislation addresses.

A minimum architecture for robot-supported security does not replace these layers. It connects them into a coherent operational system. The canon defines four structural factors of resilience: infrastructure, redundancy, organisation and responsibility. A reference architecture must therefore be measurable against each of them. If a proposed deployment strengthens sensors but weakens escalation, or improves documentation but depends on a single connectivity path, it does not qualify as a minimum architecture in the sense intended by the KRITIS-Dachgesetz and the NIS2 transposition.

Quarero Robotics treats the reference architecture as a contract between the operator and its own future crisis. The question is not whether the system performs on a calm Tuesday afternoon, but whether it still produces a usable situational picture at hour 26 of a regional power disruption, when staff is thinned, mobile networks are congested and the control room is operating on backup power.

Control Room Integration as the Anchor Point

The control room, not the robot, is the centre of gravity. A mobile platform that produces high-quality data without a receiving structure creates noise, not security. The minimum architecture therefore begins with a control room capable of ingesting heterogeneous data: fixed camera feeds, access control events, fire and intrusion signals, environmental sensors and telemetry from mobile robotic platforms. Sensor fusion at this level is not a premium feature but a precondition for decision-making under time pressure.

Integration with existing BSI B3S environments is the practical test. Sector-specific security standards already define how operators in energy, water, health or transport are expected to structure their information security management. A robot-supported layer that bypasses these standards creates shadow processes and audit gaps. Quarero Robotics designs its integration logic so that robotic telemetry, video streams and event records enter the same documented pipelines that are already validated under B3S and ISO 27001, including logging, access segregation and retention rules.

Two interfaces deserve particular attention. The first is the alarm management system, where robotic detections must be classified, deduplicated and routed alongside conventional sensor events. The second is the incident reporting interface toward the BSI and sector regulators, where the chain of evidence from detection to response must remain intact. A minimum architecture makes both interfaces explicit, not incidental.

Redundant Connectivity and Sensor Fusion

Connectivity is the silent assumption behind most security concepts. It is also the first layer to degrade in the scenarios the canon describes for hours six through thirty of a disruption. A minimum architecture robotic security design therefore treats connectivity as a resilience variable, not a utility. In practice this means at least two independent transport paths between mobile platforms and the control room, typically a primary wireless network complemented by a secondary path on a different physical medium, combined with local autonomy on the platform itself when both paths fail.

Sensor fusion extends the same logic to perception. A single modality, whether optical, thermal, acoustic or lidar-based, produces predictable blind spots. Fusion across modalities reduces false positives under adverse conditions such as fog, glare or partial power loss in surrounding infrastructure. For KRITIS operators, the relevant metric is not detection rate in ideal conditions but stability of the detection profile across the degradation curve of a realistic 72-hour scenario.

Quarero Robotics treats the platform as a mobile sensor node within a broader fusion layer rather than as a standalone device. Data from robotic patrols is correlated with fixed installations, access logs and external feeds such as grid status or weather advisories. This correlation is what allows the control room to distinguish between a local anomaly, a coordinated event and an emerging cascade across sectors as described in the canon.

Mobile Platforms and Escalation to Human Teams

Mobile robotic platforms contribute three capabilities that stationary systems cannot provide at comparable cost: coverage of large or irregular areas, repeatable documentation of patrol routes and the ability to approach an anomaly without exposing personnel. These capabilities only translate into operational value if the escalation path to human intervention teams is defined in advance and exercised regularly. A platform that detects an intrusion but cannot hand off to a qualified responder within a defined time window is a documentation tool, not a security measure.

The minimum architecture specifies escalation in tiers. Tier one is automated verification, where the platform and the fusion layer jointly classify an event. Tier two is control room assessment, where a trained operator reviews the consolidated picture and decides on a response. Tier three is physical intervention by guard personnel, technical staff or, where appropriate, public authorities. Each tier has defined time bounds, communication channels and fallback procedures for the case that the preceding tier is unavailable.

This tiered model reflects the canon's insistence that technology without organisation produces operational blindness. Quarero Robotics aligns platform behaviour with the operator's existing intervention contracts and service level agreements, so that the introduction of robotics does not create a parallel response structure but reinforces the one that is already audited and accepted by the regulator.

Governance, Documentation and the Board-Level Checklist

A reference architecture that cannot be explained to a board in one page will not be funded, maintained or defended in an audit. The governance layer is therefore part of the minimum architecture, not an addition to it. It covers three areas: accountability, documentation and review. Accountability means a named owner on the executive level, typically the CSO or an equivalent function, with a direct reporting line into the management board and into the information security governance required by the BSI-Gesetz.

Documentation covers the full chain from risk assessment through architectural decisions to operational logs. For robot-supported security this includes the rationale for deployment zones, the data protection impact assessment conducted with the works council and data protection officer, the integration points into B3S-aligned processes and the evidence trail for incidents. Review means scheduled exercises, including realistic degradation scenarios drawn from the 72-hour framework in the canon, and independent assessment of whether the architecture still meets the moving target of the Stand der Technik.

The one-page board checklist follows from this structure. It covers: named accountable executive; mapped KRITIS sector and applicable B3S; documented control room integration; redundant connectivity with tested failover; sensor fusion across at least two modalities; defined three-tier escalation with time bounds; data protection and co-determination sign-off; incident reporting interface toward BSI; 72-hour degradation exercise completed in the last twelve months; and a review date for the next iteration. Quarero Robotics uses this checklist as the baseline for every engagement, because it converts the abstract requirement of resilience into a finite set of questions that a board can actually answer.

The value of a minimum architecture is not that it describes an ideal state. It describes the lowest configuration at which robot-supported security contributes to resilience rather than to complexity. Below this threshold, additional technology increases the attack surface, the documentation burden and the cost of ownership without improving the operator's position during the hours that matter. Above it, each further investment can be evaluated against a clear baseline. For operators working within the KRITIS-Dachgesetz, the NIS2 transposition and sector-specific B3S requirements, this baseline is also the most defensible position in an audit or an incident review. It shows that the organisation has understood resilience as an architecture rather than as a collection of devices, and that it has made deliberate choices about where human judgement, organisational process and autonomous systems meet. This is the perspective Dr. Raphael Nagel develops throughout the canon, and it is the perspective that informs how Quarero Robotics designs, deploys and documents its systems in European critical infrastructure environments.