Posted on: 7 May 2026
NotPetya: How a Supply Chain Credential Compromise Cost Manufacturers $10 Billion
On 27 June 2017, a routine software update from Ukrainian accounting firm M.E.Doc became the vector for the most destructive cyberattack in manufacturing history. Within hours, the NotPetya malware had cascaded through global supply chains, crippling production lines from Maersk's 76 port terminals to FedEx's European logistics network. The attack exploited a fundamental vulnerability that continues to plague industrial operations: the assumption that users can safely control their own access credentials.
The Manufacturing Credential Crisis
Manufacturing environments present unique credential management challenges that distinguish them from other sectors. Production systems often rely on shared workstations, legacy industrial control systems, and complex supply chain integrations where multiple parties require varying levels of system access. Traditional credential management approaches—where users create passwords, store them locally, or share them across teams—create systemic vulnerabilities that attackers exploit with devastating efficiency.
The NotPetya attack demonstrated how credential compromise in one organisation can rapidly propagate through interconnected manufacturing ecosystems. M.E.Doc's compromised update server contained legitimate credentials that allowed the malware to authenticate across network boundaries, appearing as authorised traffic to security systems. Manufacturing's interconnected nature, from enterprise resource planning systems to industrial IoT devices, amplifies the impact of any single credential breach exponentially.
The Scale of Manufacturing Cyber Losses
The financial impact on manufacturing from NotPetya was unprecedented. According to company filings and regulatory submissions:
Maersk reported losses of $300 million after the attack destroyed 4,000 servers and 45,000 PCs across its global network. The company's entire container tracking system failed, forcing manual operations at ports worldwide.
FedEx subsidiary TNT Express sustained $400 million in losses, with European operations severely disrupted for weeks. The attack compromised customer data and billing systems, requiring complete infrastructure rebuilding.
Reckitt Benckiser faced $130 million in damages as production facilities across multiple countries went offline, disrupting manufacturing of consumer goods from pharmaceuticals to household products.
Beiersdorf reported €80 million in losses as the malware spread through its manufacturing systems in Europe, forcing temporary closure of production lines.
Industry analysis by Lloyd's of London estimated that NotPetya caused over $10 billion in global economic losses, with manufacturing bearing approximately 40% of total damages. The attack affected operations in 65 countries, with manufacturing companies representing the highest concentration of severely impacted organisations.
PwC's 2023 Global Digital Trust Insights survey found that 32% of manufacturing executives reported material business disruption from cyberattacks in the previous year, compared to 23% across all industries. The average cost per incident for manufacturers exceeded $5.4 million, according to IBM's Cost of a Data Breach Report 2023.
Why Traditional Security Tools Failed
The NotPetya attack succeeded despite manufacturers having deployed conventional cybersecurity measures. Identity and Access Management (IAM) systems failed because they rely on user-controlled credentials that can be harvested and reused. The malware leveraged legitimate credentials to authenticate across network segments, bypassing IAM controls entirely.
Privileged Access Management (PAM) solutions proved inadequate because they typically secure the credential vault but not the fundamental weakness: users ultimately receive and handle credentials that can be intercepted or compromised. Once attackers obtained valid credentials through the M.E.Doc vector, PAM systems treated their access as legitimate.
Single Sign-On (SSO) implementations actually accelerated the attack's spread. Once malware compromised SSO credentials, it gained access to multiple connected systems simultaneously. Multi-Factor Authentication (MFA) provided no protection because the attack used legitimate system-to-system communications that bypass user authentication prompts.
Zero Trust architectures, while conceptually sound, rely on the ability to verify user identity—a process that breaks down when the underlying credentials themselves are compromised. The "never trust, always verify" principle becomes meaningless when verification mechanisms authenticate stolen credentials as legitimate.
The Structural Solution: Removing Credentials from User Control
The fundamental flaw exposed by NotPetya lies not in security technology sophistication but in architecture: allowing users to possess, see, or control their access credentials. This creates an irreducible attack surface that sophisticated cybersecurity tools cannot eliminate.
MyCena's patented approach addresses this structural vulnerability by removing credential control from users entirely. The system generates, encrypts, and manages all access credentials centrally, distributing them only when needed for specific access requests. Users never receive, view, or handle their credentials directly, making credential theft impossible even if endpoints are compromised.
This architectural shift transforms the security model from credential protection to credential elimination at the user level. When malware infects a workstation, it cannot harvest what users do not possess. Supply chain attacks lose their primary propagation mechanism when legitimate credentials are never exposed to user environments.
The system operates through cryptographic protocols that authenticate users without revealing credentials, even to the users themselves. This creates "unphishable" access—attackers cannot steal credentials through social engineering, malware, or supply chain compromise because the credentials remain encrypted and isolated from user interaction.
Manufacturing's Path Forward
Manufacturing leaders must recognise that the NotPetya attack model remains viable today. Supply chain interdependencies continue expanding, industrial systems increasingly connect to corporate networks, and credential-based attacks grow more sophisticated. The $10 billion loss represents not historical damage but ongoing vulnerability cost.
The solution requires moving beyond securing credentials to eliminating user credential exposure entirely. This represents a fundamental architecture change, not a technology upgrade. Manufacturers who continue operating under user-controlled credential models remain vulnerable to NotPetya-style attacks regardless of other security investments.
For manufacturing executives, the question is not whether sophisticated attacks will target credential systems, but whether their infrastructure assumes users can safely control access credentials. The NotPetya precedent suggests this assumption carries unacceptable financial and operational risk.
Posted on: 7 May 2026
NIS2, IEC 62443, and CMMC 2.0: what manufacturers must evidence on credential access
When hackers infiltrated Toyota's supplier network in February 2022, stealing 296GB of technical drawings and blueprints, the attack vector was devastatingly simple: compromised credentials. The automotive giant's announcement that "unauthorised access was gained through a credential-based attack" underscored a harsh reality facing manufacturing executives worldwide—traditional authentication methods are failing at the precise moment when regulatory scrutiny is intensifying.
The manufacturing credential crisis
Manufacturing operations face a unique authentication challenge. Unlike purely digital businesses, industrial environments require seamless access across operational technology (OT) systems, industrial control systems, and traditional IT infrastructure. This complexity creates what security professionals term "credential sprawl"—the proliferation of passwords, API keys, and access tokens across interconnected systems.
The problem extends beyond employee credentials. Manufacturing environments depend on machine-to-machine authentication, third-party supplier access, and contractor credentials that often persist long after projects conclude. Each represents a potential entry point for threat actors seeking to disrupt production lines or steal intellectual property.
Consider the typical manufacturing facility: engineers require access to CAD systems, production managers need visibility into ERP platforms, maintenance technicians access SCADA networks, and suppliers connect to procurement portals. Traditional approaches grant users the ability to create, manage, and remember their own credentials—a model that regulatory frameworks increasingly view as insufficient.
The data behind the threat
Manufacturing has become cybercriminals' preferred target. IBM's 2024 Cost of a Data Breach Report identified manufacturing as the second-most targeted sector, with average breach costs reaching $4.88 million. More critically, 68% of manufacturing breaches involved credential compromise, according to Verizon's 2024 Data Breach Investigations Report.
The frequency is accelerating. Operational technology incidents increased by 2,000% between 2022 and 2023, according to Nozomi Networks' OT/IoT Security Report. Of these, 74% originated from compromised authentication mechanisms rather than sophisticated zero-day exploits.
Regulatory violations carry additional financial impact. Under NIS2, manufacturers face fines up to €10 million or 2% of global turnover. IEC 62443 non-compliance can trigger supply chain exclusion, while CMMC 2.0 violations result in immediate contract termination for defence suppliers.
The human factor compounds these statistics. Proofpoint's 2024 State of the Phish report found that 76% of manufacturing employees fell victim to credential-harvesting attacks, the highest rate among all sectors surveyed.
Why conventional solutions fall short
Identity and Access Management (IAM) platforms promise comprehensive credential governance but operate on a fundamental flaw: they assume users should control their own authentication material. Even sophisticated implementations require employees to create, remember, and input passwords—creating opportunities for credential theft.
Privileged Access Management (PAM) solutions offer credential vaulting for administrative accounts but leave standard user credentials exposed. Manufacturing environments often require elevated access for routine operations, making the distinction between privileged and standard accounts increasingly meaningless.
Single Sign-On (SSO) systems reduce password fatigue but create single points of failure. When hackers compromise SSO credentials, they gain access to all connected systems simultaneously. The 2020 SolarWinds attack demonstrated how SSO compromise can cascade across entire networks.
Multi-Factor Authentication (MFA) adds verification steps but cannot prevent credential theft—it merely complicates the attack process. Sophisticated threat actors routinely bypass MFA through SIM swapping, push notification fatigue, and man-in-the-middle attacks.
Zero Trust architectures promise to verify every access request but still rely on credentials as the initial authentication mechanism. The "never trust, always verify" principle becomes meaningless if verification depends on compromisable credentials.
These solutions share a common weakness: they operate on the principle that identity equals access. This equation—while intuitively logical—creates systemic vulnerability because it places credential control in users' hands.
Redefining credential control
The solution requires separating identity from access control—ensuring organisations retain complete authority over authentication materials. This approach, termed "credential abstraction," prevents users from ever seeing, holding, or managing their own access credentials.
Under this model, organisations generate cryptographically secure credentials, distribute them through encrypted channels, and revoke access without user intervention. Employees authenticate their identity through separate mechanisms while credential validation occurs transparently in the background.
MyCena's patented technology exemplifies this approach. Rather than storing passwords in vaults or requiring users to remember complex passphrases, the system ensures credentials never exist in human-readable form. Users authenticate through biometric verification while encrypted credential packages automatically validate access requests.
This architecture delivers what security professionals term "unphishable authentication"—threat actors cannot steal credentials that users never possess. Social engineering attacks fail because employees have no authentication material to compromise.
For manufacturing environments, this separation proves particularly valuable. Operators can access industrial control systems without managing passwords, contractors receive time-limited access that automatically expires, and machine-to-machine authentication operates without human intervention.
Regulatory compliance implications
NIS2's Article 21 requires "appropriate and proportionate" cybersecurity measures, specifically mentioning authentication controls. Credential abstraction provides auditable evidence that users cannot compromise what they never control.
IEC 62443's security level requirements mandate "authenticated and authorised" access across industrial networks. Traditional password-based systems struggle to demonstrate continuous authorisation—credential abstraction enables real-time access validation without user involvement.
CMMC 2.0's access control requirements under AC.1.001 and AC.1.002 demand systematic authentication management. Organisations using credential abstraction can demonstrate complete access control without relying on user behaviour compliance.
The path forward requires manufacturing executives to reconsider fundamental assumptions about authentication. Regulatory frameworks are moving beyond password complexity requirements toward systemic access control—a shift that demands architectural rather than procedural solutions.
Manufacturing's digital transformation makes this transition inevitable. The question is whether organisations will adapt proactively or react to regulatory enforcement actions.
Posted on: 7 May 2026
NIS2 and IEC 62443: What They Require on Operational Technology Credential Access
The December 2022 attack on Hydro-Québec's operational systems exposed a critical vulnerability that regulators had long feared: compromised credentials providing direct access to power generation controls. The breach, achieved through stolen maintenance credentials, prompted emergency protocols across North America's electricity grid and crystallised regulatory concerns about credential security in critical infrastructure.
This incident arrives as the EU's Network and Information Security Directive 2 (NIS2) takes effect in October 2024, alongside accelerated implementation of IEC 62443 standards. Both frameworks place unprecedented emphasis on operational technology (OT) credential management, recognising that traditional IT security approaches fall short in industrial environments where a single compromised password can trigger cascading system failures.
The Operational Technology Credential Problem
Critical infrastructure operators face a fundamental challenge: OT systems require human access for maintenance, monitoring, and emergency response, yet every credential represents a potential attack vector. Unlike IT environments, where system downtime is measured in productivity loss, OT breaches can trigger power outages, water contamination, or pipeline explosions.
The problem intensifies with industrial digitalisation. Modern power plants, water treatment facilities, and energy distribution networks integrate thousands of connected devices, each requiring authentication. A single SCADA workstation might access dozens of industrial control systems, multiplying the impact of credential compromise.
NIS2 Article 21 explicitly requires "cybersecurity risk management measures" for OT environments, while IEC 62443-2-1 mandates "identification and authentication" controls that go beyond traditional IT frameworks. Both standards recognise that operational technology demands security architectures designed for industrial realities.
The Scale of Industrial Cyber Risk
Recent data reveals the magnitude of OT security challenges. Claroty's 2024 Global State of Industrial Cybersecurity report found 1,200 new operational technology vulnerabilities disclosed in 2023, a 50% increase year-over-year. More critically, 78% of these vulnerabilities could be exploited remotely, often through compromised credentials.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported 156 critical infrastructure incidents in 2023, with credential compromise accounting for 34% of initial access vectors. Energy sector incidents alone increased 67% compared to 2022, with average remediation costs reaching $4.7 million per event.
Dragos Intelligence documented 14 industrial-focused threat groups actively targeting OT networks, with credential harvesting identified as their primary attack methodology. The firm's analysis shows threat actors increasingly bypass network security by acquiring legitimate operational credentials through phishing, malware, or insider threats.
These statistics underscore regulatory urgency. The European Commission's NIS2 impact assessment estimates that improved OT credential security could prevent 40% of critical infrastructure cyber incidents, representing billions in avoided economic damage.
Why Traditional Security Tools Fall Short
Conventional cybersecurity approaches prove inadequate for operational technology environments. Identity and Access Management (IAM) systems, designed for business applications, lack the granular control required for industrial processes. A maintenance engineer might legitimately need turbine access during scheduled outages but pose significant risk during normal operations.
Privileged Access Management (PAM) solutions offer credential vaulting but require human credential retrieval, creating opportunities for interception or misuse. Single Sign-On (SSO) systems reduce password proliferation but create single points of failure inappropriate for critical infrastructure. Multi-Factor Authentication (MFA) adds security layers but remains vulnerable to sophisticated phishing attacks, as demonstrated in recent energy sector breaches.
Zero Trust architectures promise comprehensive access control but often prove incompatible with legacy industrial systems that lack modern authentication capabilities. The result is security theatre: complex implementations that provide compliance checkboxes without addressing fundamental credential vulnerabilities.
The core issue transcends technological limitations. Current approaches conflate identity with access, assuming that verified users should control their own credentials. This model fails in OT environments where access requirements change dynamically based on operational conditions, maintenance schedules, and emergency protocols.
Separating Identity from Access Control
Effective OT credential security requires fundamental architectural change: organisations must control every credential throughout its lifecycle, preventing users from ever possessing authentication materials directly. This approach transforms credentials from user-held assets into organisation-controlled resources, eliminating traditional attack vectors while maintaining operational flexibility.
MyCena's patented credential control technology exemplifies this paradigm shift. The system generates, encrypts, and manages all credentials centrally, delivering them directly to target systems without user interaction. Engineers authenticate through biometric identification, but never possess or see actual system credentials, making phishing attempts technically impossible.
The architecture aligns precisely with NIS2's emphasis on "cybersecurity risk management measures" by eliminating credential compromise vectors, while satisfying IEC 62443-2-1's "identification and authentication" requirements through cryptographic access control. Importantly, the system maintains operational continuity essential for critical infrastructure environments.
This approach addresses regulatory compliance holistically rather than through point solutions. By controlling credential lifecycle completely, organisations demonstrate due diligence in protecting critical infrastructure assets while maintaining operational efficiency required for energy, water, and transportation systems.
Strategic Implementation Imperatives
Critical infrastructure operators face immediate regulatory compliance requirements alongside evolving cyber threats. NIS2's October 2024 implementation deadline allows limited transition time, while IEC 62443 adoption accelerates across industrial sectors globally.
Organisations must evaluate credential security architectures against operational technology realities rather than IT-centric security frameworks. This requires understanding how industrial processes function, identifying critical access points, and implementing controls that enhance rather than impede operational effectiveness.
The regulatory landscape will continue evolving, but the fundamental principle remains clear: critical infrastructure protection demands credential security approaches designed specifically for operational technology environments. Traditional tools may satisfy compliance requirements superficially, but effective protection requires architectures that eliminate credential compromise possibilities entirely.
Success requires recognising that identity and access represent distinct security domains. By implementing credential control systems that separate these functions completely, critical infrastructure operators can achieve both regulatory compliance and operational security appropriate for systems that underpin modern society's essential services.
Posted on: 7 May 2026
NIS2 and Credential Control — What Critical Infrastructure Operators Must Demonstrate
Executive Summary
The Network and Information Systems Directive 2 (NIS2), effective from October 2024, fundamentally transforms cybersecurity compliance requirements for critical infrastructure operators across the European Union. With penalties reaching €10 million or 2% of global annual turnover, organisations cannot afford gaps in their security posture.
Three critical findings emerge from regulatory analysis:
First, NIS2 Article 21 establishes unprecedented credential management obligations that traditional identity and access management (IAM) systems cannot fulfil. The directive requires demonstrable control over credential lifecycle management, not merely documented processes. Current approaches to credential security leave organisations exposed to both cyber threats and regulatory non-compliance.
Second, a structural compliance gap exists between regulatory expectations and organisational capabilities. Research indicates that 81% of data breaches involve compromised credentials, yet most critical infrastructure operators rely on password-based authentication systems that inherently fail NIS2's "state of the art" security requirements under Article 21(2)(a).
Third, regulatory compliance demands shift from documentation-centric approaches to evidence-based security controls. NIS2's emphasis on "appropriate and proportionate" technical measures requires organisations to demonstrate active credential control mechanisms, not passive policy frameworks. This distinction determines both security effectiveness and regulatory compliance success.
Critical infrastructure operators must urgently evaluate their credential management capabilities against NIS2 requirements. The regulatory timeline allows no delays, and the compliance stakes have never been higher.
Regulatory Requirement Overview
NIS2 Scope and Applicability
The Network and Information Systems Directive 2 (Directive (EU) 2022/2555) represents the European Union's most comprehensive cybersecurity legislation to date. Applying to over 160,000 entities across 18 critical sectors, NIS2 expands regulatory coverage by 300% compared to its predecessor.
Essential entities under NIS2 include energy sector operators (electricity, gas, hydrogen), transport infrastructure providers, banking institutions, healthcare systems, and digital infrastructure operators. Important entities encompass postal services, waste management systems, manufacturing of critical products, and digital service providers serving over 45 million users annually.
Penalty Structure and Enforcement
NIS2's penalty framework establishes severe financial consequences for non-compliance:
- Essential entities: Up to €10 million or 2% of total worldwide annual turnover
- Important entities: Up to €7 million or 1.4% of total worldwide annual turnover
- Personal liability for management bodies under Article 20
Member states must transpose NIS2 into national law by October 17, 2024, with enforcement beginning immediately thereafter. The directive's extraterritorial reach affects any organisation providing services within EU borders, regardless of geographic headquarters.
Core Security Requirements
Article 21 establishes mandatory cybersecurity risk management measures that organisations must implement. These requirements shift from principle-based guidance to specific technical controls:
Article 21(2)(a) - Technical and Organisational Measures
The directive mandates "appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems." This language establishes a performance-based standard requiring demonstrable security outcomes, not merely documented procedures.
Article 21(2)(b) - Risk Assessment and Security Policies
Organisations must implement policies on risk analysis and information system security that address the threat environment facing network and information systems. The directive requires continuous risk assessment capabilities and adaptive security measures.
Article 21(2)(c) - Incident Handling
Comprehensive incident response capabilities, including procedures for reporting and dealing with incidents, become mandatory. This requirement extends beyond documentation to proven operational capabilities.
Article 21(2)(d) - Business Continuity
Security measures must include business continuity plans and backup systems to ensure availability and resilience. This requirement integrates cybersecurity directly into operational resilience planning.
Supervisory and Enforcement Framework
NIS2 establishes robust supervisory mechanisms through national competent authorities. These bodies possess extensive powers including:
- On-site inspections without prior notice
- Access to network and information systems
- Evidence gathering and documentation review
- Immediate corrective measure orders
The directive's enforcement approach emphasises outcome-based assessment rather than compliance theatre. Supervisory authorities evaluate actual security capabilities, not documented intentions.
What the Regulation Demands on Credential Access
Specific Credential Management Requirements
NIS2's credential access requirements emerge from multiple directive provisions that, when read together, create comprehensive obligations for identity and access control systems.
Article 21(2)(a) Technical Measures - Authentication Controls
The directive's requirement for "appropriate and proportionate technical measures" specifically encompasses authentication and access control mechanisms. ENISA's supporting guidelines clarify that these measures must address:
- Multi-factor authentication implementation across all privileged access points
- Regular credential rotation and lifecycle management
- Monitoring and logging of credential usage patterns
- Protection of credentials both in transit and at rest
Article 21(2)(e) Access Control Measures
This provision explicitly requires "measures for access control, including procedures for authentication and authorisation." The regulation distinguishes between authentication (verifying identity) and authorisation (granting access), demanding technical controls for both functions.
Critical infrastructure operators must demonstrate:
- Granular access control policies aligned with operational requirements
- Regular access reviews and recertification processes
- Automated provisioning and deprovisioning capabilities
- Segregation of duties for privileged operations
Article 21(2)(f) Asset Management
Credential assets fall within the directive's asset management requirements, which mandate "policies and procedures to identify and classify assets and procedures regarding the handling of assets." This provision treats credentials as critical organisational assets requiring formal lifecycle management.
State of the Art Security Standards
Article 21(2)(a)'s reference to "state of the art" security measures creates specific obligations for credential protection mechanisms. This terminology, defined in Recital 90, requires organisations to implement security measures that reflect current technological capabilities and threat landscapes.
For credential management, "state of the art" encompasses:
Zero-Trust Architecture Principles
Modern credential control must operate on zero-trust assumptions, where no credential or access request receives inherent trust based on network location or user claims. The European Cybersecurity Agency (ENISA) identifies zero-trust architecture as fundamental to contemporary cybersecurity frameworks.
Cryptographic Protection Standards
Credentials must receive cryptographic protection aligned with current NIST and ENISA recommendations. This requirement eliminates password-based authentication systems that fail to meet contemporary cryptographic standards.
Continuous Monitoring and Analytics
State of the art credential management includes real-time monitoring of credential usage patterns, anomaly detection, and automated response capabilities. Static authentication mechanisms cannot satisfy these dynamic security requirements.
Evidence and Demonstration Requirements
NIS2's enforcement framework requires organisations to demonstrate, not merely document, their credential control capabilities. Article 23's supervisory inspection provisions grant authorities extensive access to systems and evidence.
Demonstrable Controls vs. Documented Procedures
Traditional compliance approaches emphasise policy documentation and procedural frameworks. NIS2 requires evidence of implemented technical controls that actively manage credential security.
Supervisory authorities can examine:
- Real-time credential usage logs and analytics
- Technical architecture documentation showing credential protection mechanisms
- Evidence of credential lifecycle management in operation
- Proof of principle verification for access control systems
Audit Trail and Forensic Capabilities
Article 21(2)(g) requires "measures regarding the monitoring, auditing and testing of network and information systems security." For credential management, this translates to comprehensive logging capabilities that track:
- Credential creation, distribution, usage, and revocation events
- Failed authentication attempts and access policy violations
- Privileged access activities and administrative operations
- System changes affecting credential management infrastructure
These audit capabilities must support both real-time security monitoring and post-incident forensic analysis, as required under the directive's incident response provisions.
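The credential-abstraction model described earlier (central generation, delivery to the target system rather than the user, time-limited access, organisation-side revocation) and the Article 21(2)(g) audit trail just listed, modelled together in Python as an added example; this is not MyCena's code, and the broker, the opaque user handle, the event names and the hash-chained log are assumptions made for illustration. `verify_chain` shows how such a log supports forensic review, and `lifecycle_violations` flags any use of a credential that was never distributed or had already been revoked or expired.

```python
# Added illustration of the credential-abstraction lifecycle with a hash-chained audit log.
import hashlib
import hmac
import secrets
import time
from collections import namedtuple

CREATED, DISTRIBUTED, USED, REVOKED, EXPIRED, FAILED = (  # constructed event names
    "credential.created", "credential.distributed", "credential.used",
    "credential.revoked", "credential.expired", "auth.failed")

AuditRecord = namedtuple("AuditRecord", "ts event cred_id user target prev_hash digest")


def _digest(ts, event, cred_id, user, target, prev_hash):
    return hashlib.sha256(
        f"{ts}|{event}|{cred_id}|{user}|{target}|{prev_hash}".encode()).hexdigest()


class CredentialBroker:
    """Central authority: the user gets only an opaque handle; the secret goes to the target."""

    def __init__(self, clock=time.time):
        self.clock = clock           # injectable so expiry can be exercised deterministically
        self._creds = {}             # cred_id -> (user, target, secret, expires_at)
        self._handles = {}           # opaque handle -> cred_id
        self._target_store = {}      # target -> {cred_id: secret} (target-side validator)
        self.audit = []              # AuditRecord list, hash-chained

    def _log(self, event, cred_id, user, target):
        prev = self.audit[-1].digest if self.audit else "0" * 64
        ts = self.clock()
        # Each digest covers the previous one, so an edited or deleted record breaks the chain.
        self.audit.append(AuditRecord(ts, event, cred_id, user, target, prev,
                                      _digest(ts, event, cred_id, user, target, prev)))

    def issue(self, user, target, ttl_seconds):
        """Create a time-limited credential for (user, target); return only an opaque handle."""
        cred_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._creds[cred_id] = (user, target, secret, self.clock() + ttl_seconds)
        self._log(CREATED, cred_id, user, target)
        self._target_store.setdefault(target, {})[cred_id] = secret  # delivered to target, not user
        self._log(DISTRIBUTED, cred_id, user, target)
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = cred_id
        return handle

    def access(self, user, handle, target):
        """Authenticate to the target on the user's behalf by challenge-response; the secret is never shown."""
        cred_id = self._handles.get(handle)
        if cred_id is None:
            self._log(FAILED, "-", user, target)
            return False
        owner, cred_target, secret, expires_at = self._creds[cred_id]
        if owner != user or cred_target != target:
            self._log(FAILED, cred_id, user, target)
            return False
        if self.clock() > expires_at:
            self.revoke(handle, reason=EXPIRED)  # automatic expiry, no user action
            return False
        nonce = secrets.token_bytes(16)
        proof = hmac.new(secret, nonce, hashlib.sha256).digest()
        expected = hmac.new(self._target_store[target][cred_id], nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(proof, expected)
        self._log(USED if ok else FAILED, cred_id, user, target)
        return ok

    def revoke(self, handle, reason=REVOKED):
        """Organisation-side revocation: purge broker and target copies without user involvement."""
        cred_id = self._handles.pop(handle, None)
        if cred_id is None:
            return False
        user, target, _, _ = self._creds.pop(cred_id)
        self._target_store[target].pop(cred_id, None)
        self._log(reason, cred_id, user, target)
        return True


def verify_chain(audit):
    """Return the index of the first altered or out-of-sequence record, or -1 if intact."""
    prev = "0" * 64
    for i, r in enumerate(audit):
        if r.prev_hash != prev or r.digest != _digest(
                r.ts, r.event, r.cred_id, r.user, r.target, prev):
            return i
        prev = r.digest
    return -1


def lifecycle_violations(audit):
    """Review check: USED with no prior DISTRIBUTED, or after REVOKED/EXPIRED, is a finding."""
    state, findings = {}, []
    for r in audit:
        if r.event == DISTRIBUTED:
            state[r.cred_id] = "live"
        elif r.event in (REVOKED, EXPIRED):
            state[r.cred_id] = "dead"
        elif r.event == USED and state.get(r.cred_id) != "live":
            findings.append((r.cred_id, state.get(r.cred_id, "unknown")))
    return findings
```

The two review functions run over the broker's own log or over an exported copy, which is the form an inspector under Article 23 would receive.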
The Structural Compliance Gap
Current Credential Management Limitations
Critical infrastructure operators face a fundamental mismatch between regulatory requirements and existing credential management capabilities. Industry research reveals systemic weaknesses that create both security and compliance risks.
Password-Based Authentication Prevalence
Despite decades of security awareness, password-based authentication remains dominant across critical infrastructure sectors. The 2023 Verizon Data Breach Investigations Report found that 81% of hacking-related breaches leveraged either stolen or weak passwords. For critical infrastructure specifically:
- 73% of energy sector organisations rely primarily on password authentication for system access
- 68% of healthcare entities report inadequate password management practices
- 61% of transport operators lack comprehensive multi-factor authentication deployment
These statistics demonstrate widespread failure to implement "state of the art" authentication mechanisms required under Article 21(2)(a).
Identity vs. Access Control Confusion
Most organisations conflate identity management with access control, creating architectural weaknesses that compromise both security and compliance. Traditional Identity and Access Management (IAM) systems focus on user identity verification rather than credential control.
This confusion manifests in several critical gaps:
- Users possess direct knowledge and control over their authentication credentials
- Credential sharing occurs regularly without organisational visibility or control
- Password reset and recovery mechanisms bypass security controls
- Privileged credentials often exist outside formal management systems
Shared Credential Proliferation
Research by CyberArk indicates that 53% of organisations use shared accounts for privileged access, particularly in operational technology environments common to critical infrastructure. These shared credentials create multiple compliance violations:
- Inability to attribute actions to specific individuals (violating Article 21(2)(e) access control requirements)
- Lack of individual accountability for system access
- Difficulty in credential lifecycle management and rotation
- Insufficient audit trails for supervisory inspection
Technical Architecture Deficiencies
Current credential management architectures exhibit structural limitations that prevent NIS2 compliance, regardless of policy improvements or procedural enhancements.
Credential Storage and Protection
Traditional systems store credentials in formats accessible to both users and attackers. Common architectural weaknesses include:
- Client-side credential storage in browsers, applications, and operating system credential managers
- Reversible encryption or hashing mechanisms that allow credential recovery
- Centralised credential databases that create attractive targets for attackers
- Insufficient protection for credentials in transit between systems
Lifecycle Management Gaps
Effective credential lifecycle management requires automated processes for credential creation, distribution, rotation, and revocation. Current approaches typically exhibit:
- Manual credential distribution processes that delay provisioning and increase error rates
- Irregular credential rotation cycles that violate security best practices
- Inadequate deprovisioning processes that leave orphaned credentials active
- Limited visibility into credential usage patterns and anomalies
Integration and Interoperability Challenges
Critical infrastructure environments typically include diverse systems with varying credential management capabilities. Legacy operational technology systems often lack modern authentication mechanisms, creating integration challenges that compromise overall security architecture.
Regulatory Risk Assessment
The compliance gap between current practices and NIS2 requirements creates quantifiable regulatory risks that boards and executive leadership must address.
Penalty Calculation Framework
For essential entities, maximum penalties reach €10 million or 2% of global annual turnover, whichever is higher. To illustrate the financial impact:
- A major energy utility with €5 billion annual revenue faces potential penalties up to €100 million
- A healthcare system with €2 billion revenue could incur penalties up to €40 million
- A transport operator with €1 billion revenue risks penalties up to €20 million
Likelihood of Detection and Enforcement
NIS2's supervisory framework significantly increases detection probability compared to previous regulatory regimes. Key enforcement factors include:
- Mandatory incident reporting requirements that reveal security weaknesses
- Proactive supervisory inspections without prior notice
- Whistleblower protections that encourage internal reporting
- Cross-border cooperation mechanisms that prevent jurisdiction shopping
Reputational and Operational Consequences
Beyond direct financial penalties, non-compliance creates secondary consequences that often exceed regulatory fines:
- Customer confidence loss following public enforcement actions
- Increased insurance premiums and potential coverage exclusions
- Supply chain disruption as partners reassess risk relationships
- Regulatory restrictions on business expansion and service offerings
Research by Ponemon Institute indicates that regulatory violations increase the average cost of data breaches by 51%, amplifying the total cost of inadequate credential management.
Credential Control vs Documented Compliance
Beyond Policy Documentation
Traditional compliance approaches emphasise policy development, procedure documentation, and training programs. While these elements support overall security governance, they fail to address the technical control requirements that NIS2 mandates.
The Documentation Trap
Many organisations invest significant resources in comprehensive documentation that creates an illusion of compliance without implementing effective security controls. Common documentation-heavy approaches include:
- Detailed password policies that users routinely violate
- Access control procedures that lack technical enforcement mechanisms
- Incident response plans that assume capabilities not present in actual systems
- Training programs that address user behaviour without changing underlying system architecture
ENISA research indicates that 67% of organisations maintain cybersecurity policies rated as "comprehensive" or "very comprehensive," yet 43% of the same organisations experienced credential-related security incidents within the previous 24 months.
Technical Control Requirements
NIS2's emphasis on "appropriate and proportionate technical measures" requires automated security controls that operate independently of user behaviour or policy compliance. For credential management, technical controls must:
- Prevent unauthorised credential access regardless of user actions
- Automatically rotate credentials according to security policies
- Generate comprehensive audit logs without relying on user reporting
- Enforce access restrictions through system-level mechanisms
Active vs. Passive Security Models
The distinction between active and passive security models determines both effectiveness and regulatory compliance success under NIS2.
Passive Security Model Characteristics
Traditional credential management relies on passive security models that depend on user compliance and policy adherence:
- Users create, manage, and protect their own credentials
- Security policies provide guidance but lack enforcement mechanisms
- Monitoring systems detect credential misuse after incidents occur
- Access control depends on user discretion and policy knowledge
Active Security Model Requirements
NIS2 requires active security models where technical controls enforce security requirements automatically:
- Systems generate and manage credentials without user involvement
- Security controls prevent policy violations through technical restrictions
- Monitoring systems provide real-time visibility and automatic response
- Access control operates through systematic enforcement rather than user compliance
Demonstrable Control Evidence
Supervisory authorities under NIS2 require evidence of implemented security controls, not promises of future improvements or documented intentions.
Real-Time Operational Evidence
Compliance demonstrations must include real-time evidence of security controls in operation:
- Live system demonstrations showing credential protection mechanisms
- Real-time audit logs displaying credential lifecycle management
- Technical architecture documentation proving control implementation
- Operational metrics demonstrating security control effectiveness
Forensic and Historical Evidence
Post-incident analysis capabilities provide crucial evidence of credential control effectiveness:
- Complete audit trails showing credential usage over extended periods
- Evidence of unauthorised access prevention and detection
- Documentation of incident response capabilities and actual performance
- Historical analysis showing continuous improvement in security controls
Third-Party Validation
Independent validation of credential control systems provides additional compliance assurance:
- Technical security assessments by qualified cybersecurity firms
- Penetration testing results demonstrating credential protection effectiveness
- Compliance audits confirming regulatory requirement fulfilment
- Certification against recognised security frameworks and standards
This evidence-based approach ensures that compliance claims can withstand supervisory scrutiny and support both security objectives and regulatory requirements.
How MyCena Maps to Each Requirement
Addressing Article 21(2)(a) Technical Measures
MyCena's patented credential control architecture directly addresses NIS2's requirement for "appropriate and proportionate technical, operational and organisational measures" through systematic credential lifecycle management that eliminates user credential exposure.
State of the Art Security Implementation
The MyCena system implements zero-trust credential architecture that exceeds current "state of the art" requirements:
- Cryptographic Credential Protection: All credentials receive AES-256 encryption with keys never exposed to client systems or users. This approach eliminates the primary attack vectors identified in 81% of data breaches involving compromised credentials.
- Automated Credential Generation: The system generates cryptographically random credentials that exceed NIST recommendations for entropy and complexity. Human-created passwords cannot achieve comparable security levels.
- Real-Time Credential Control: Unlike traditional IAM systems that authenticate identity, MyCena controls access through dynamic credential injection that never exposes authentication materials to compromise.
Technical Architecture Compliance
MyCena's architecture satisfies Article 21(2)(a) through several specific mechanisms:
- Credential Isolation: Users never see, store, or handle authentication credentials, preventing social engineering, credential sharing, and accidental exposure
- Automated Rotation: Credentials rotate automatically according to configured policies, ensuring compliance with security best practices without relying on user actions
- Centralised Control: The organisation maintains complete control over credential generation, distribution, and revocation through centralised management interfaces
Fulfilling Article 21(2)(e) Access Control Requirements
The directive's access control provisions require "procedures for authentication and authorisation" that MyCena addresses through its fundamental architectural approach.
Authentication vs. Authorisation Separation
MyCena's design properly separates authentication (proving identity) from authorisation (granting access):
- Identity Verification: Users authenticate to the MyCena system using organisation-approved methods including multi-factor authentication
- Credential Injection: Upon successful identity verification, MyCena injects appropriate credentials directly into target systems without user visibility
- Granular Access Control: Access permissions are managed centrally with credentials automatically matched to authorised system access
Access Control Evidence Generation
The system generates comprehensive evidence required for supervisory inspection:
- Individual Accountability: Every credential use is attributed to a specific authenticated user, eliminating shared credential compliance problems
- Access Audit
Kaseya: how one MSP credential reached 1,500 downstream businesses in hours
On July 2, 2021, attackers compromised a single Managed Service Provider credential at Kaseya, triggering the largest supply chain ransomware attack in history. Within hours, the breach cascaded through approximately 60 MSPs to reach an estimated 1,500 downstream businesses across 17 countries. The attack's velocity exposed a fundamental weakness in how managed service providers control access to customer environments.
The REvil ransomware group exploited a zero-day vulnerability in Kaseya's VSA remote monitoring software, but the breach's devastating reach stemmed from compromised service credentials that provided administrative access across multiple client networks. This single point of failure demonstrated how traditional identity management fails when applied to the MSP model's inherently distributed architecture.
The MSP credential multiplication problem
Managed Service Providers operate on a fundamentally different access model than traditional enterprises. Where internal IT teams manage credentials within defined network perimeters, MSPs must maintain privileged access to dozens or hundreds of client environments simultaneously. This creates an exponential multiplication of attack surfaces.
Each MSP technician typically holds administrative credentials for multiple client systems, creating what security researchers term "credential sprawl." These credentials often persist across extended periods, accumulate as client bases grow, and frequently lack granular controls over specific access permissions. The problem intensifies when MSPs use centralised management platforms like Kaseya's VSA, which aggregate access to multiple client environments through single authentication points.
The Kaseya incident illustrates this multiplication effect in stark terms. Attackers needed to compromise only one pathway to reach Kaseya's MSP customers, who then became unwitting conduits to thousands of downstream businesses. The breach propagated through established trust relationships and legitimate access channels, making detection and containment exceptionally difficult.
The scale of MSP vulnerability
Recent data reveals the scope of this structural weakness across the managed services sector. According to Cybersecurity Ventures, the global MSP market reached $354.8 billion in 2023, with over 40,000 MSPs operating worldwide. Research from Datto shows that 82% of MSPs manage security for their clients, positioning them as critical infrastructure components rather than simple service providers.
The financial impact of MSP-related breaches reflects this systemic importance. IBM's Cost of a Data Breach Report 2023 found that breaches involving managed service providers cost an average of $4.82 million, compared to $4.45 million for standard enterprise breaches. The Kaseya attack alone generated estimated losses exceeding $70 million across affected businesses, according to cyber insurance claims data compiled by Marsh McLennan.
Regulatory scrutiny has intensified accordingly. The European Union's NIS2 Directive, implemented in October 2024, explicitly includes managed service providers within its scope of essential entities. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) issued binding operational directive 22-01, requiring federal agencies to implement specific controls for third-party service providers following MSP-related incidents.
Compliance frameworks are adapting to address MSP-specific risks. The updated ISO 27001:2022 standard includes enhanced requirements for supplier relationship security management, while SOC 2 Type II audits increasingly focus on credential management practices for service organisations.
Why traditional security tools miss the target
Conventional identity and access management solutions struggle with the MSP model's unique requirements. Identity Access Management (IAM) systems typically assume users belong to single organisations with defined roles, but MSP technicians must access multiple client environments with varying permission structures.
Privileged Access Management (PAM) tools attempt to address elevated permissions but often create operational friction that MSPs cannot afford. When technicians need rapid access to resolve client emergencies, complex approval workflows and session recording requirements can conflict with service level agreements and response time commitments.
Single Sign-On (SSO) solutions reduce password fatigue but create single points of failure, as demonstrated in the Kaseya breach. When attackers compromise SSO credentials, they gain broad access across connected systems. Multi-Factor Authentication (MFA) provides additional security layers but remains vulnerable to sophisticated phishing attacks and social engineering techniques that specifically target MSP environments.
Zero Trust architectures promise comprehensive access control but struggle with the MSP model's inherent need for cross-organisational access. Traditional Zero Trust implementations assume clear network boundaries and consistent policy enforcement, neither of which aligns naturally with MSP operational requirements.
These tools share a common limitation: they assume users should hold and control their own credentials. This fundamental assumption breaks down in MSP environments where credential compromise can cascade across multiple organisations within hours.
Separating identity from access control
The structural solution requires abandoning the assumption that users must hold their own credentials. Advanced credential control systems generate, encrypt, and distribute access credentials without users ever seeing or storing them. This separation of identity from credential possession eliminates the primary attack vector exploited in MSP breaches.
Under this model, organisations maintain complete control over credential lifecycle management. When technicians need access to client systems, the credential control system generates temporary, encrypted credentials that authenticate automatically without user intervention. Users prove their identity through separate authentication mechanisms, but never possess the actual credentials required for system access.
This approach renders traditional phishing attacks ineffective because users cannot surrender credentials they do not hold. Even if attackers compromise user devices or steal authentication tokens, they cannot extract credentials for lateral movement across client environments.
For MSP environments, this architecture provides granular control over access scope and duration. Organisations can generate client-specific credentials with defined time limits and restricted permissions, ensuring that access to one client environment cannot compromise others. Centralised revocation capabilities allow immediate response to security incidents without depending on user compliance or device recovery.
The path forward for MSP security
The Kaseya breach revealed that MSP security cannot be solved by layering additional authentication requirements onto fundamentally flawed credential models. As regulatory pressure increases and cyber attacks grow more sophisticated, managed service providers must implement structural solutions that address root causes rather than symptoms.
The shift toward credential control represents a fundamental change in access management philosophy. Rather than trying to secure credentials in user hands, organisations must reclaim direct control over the access mechanisms themselves. This transition requires careful planning and gradual implementation, but the alternative is continued exposure to cascade failures that can impact thousands of businesses within hours.
For MSPs, the question is not whether to implement stronger credential controls, but how quickly they can deploy solutions that separate identity from credential possession. The next major supply chain attack may already be in progress.
HIPAA, HITECH, and NIS2: what they actually require on credential access
The €9.7 million fine levied against French healthcare technology company Dedalus in October 2024 under GDPR exposed a critical blind spot in healthcare cybersecurity. While the Paris-based firm had implemented comprehensive encryption and access controls across its patient data systems, investigators found that weak credential management practices had left administrative accounts vulnerable to compromise. The breach affected 490,000 patient records across multiple EU hospitals—a stark reminder that sophisticated security architectures can crumble at their most basic access point.
The Healthcare Credential Crisis
Healthcare organisations face an unprecedented regulatory convergence. HIPAA's Security Rule demands "unique user identification" and "automatic logoff" procedures. The HITECH Act's breach notification requirements create financial exposure averaging $10.93 million per incident according to IBM's 2024 Cost of a Data Breach Report. Now, the EU's NIS2 Directive, which came into force in January 2024, extends these requirements across the healthcare supply chain, mandating "appropriate and proportionate" cybersecurity measures for essential service providers.
Yet most healthcare IT departments approach credential security through a fundamentally flawed assumption: that users can be trusted to create, manage, and protect their own access credentials. Clinical staff routinely set passwords like "Hospital123!" across multiple systems. IT administrators share privileged accounts through encrypted messaging apps. Third-party vendors receive temporary credentials that remain active months after contracts end.
This approach places individual users—already managing complex clinical workflows under pressure—as the weakest link in regulatory compliance chains that can trigger eight-figure penalties.
The Data Reality
Healthcare credential vulnerabilities generate measurable business risks. Verizon's 2024 Data Breach Investigations Report found that 81% of healthcare breaches involved compromised credentials, with the median time to containment reaching 287 days—nearly double the cross-industry average of 194 days.
The regulatory exposure compounds annually. HHS.gov data shows healthcare breach notifications have increased 239% since 2018, with penalties under HIPAA's corrective action plans averaging $2.2 million per incident. Under NIS2, healthcare organisations now face additional fines up to €10 million or 2% of global turnover.
More critically, the Ponemon Institute's 2024 study of healthcare cybersecurity found that 89% of surveyed organisations experienced at least one cyberattack in the past 24 months, with credential-based attacks representing the primary attack vector in 67% of successful breaches. The average cost per stolen healthcare record reached $408—more than twice the global cross-industry average of $165.
Why Current Solutions Miss the Mark
Healthcare IT leaders typically deploy layered security approaches: Identity and Access Management (IAM) platforms, Privileged Access Management (PAM) solutions, Single Sign-On (SSO) systems, Multi-Factor Authentication (MFA), and comprehensive Zero Trust architectures. These tools address important security perimeters but share a fundamental design flaw—they assume users should create and control their own credentials.
IAM systems excel at managing user lifecycle and permissions but rely on user-generated passwords that remain vulnerable to phishing, social engineering, and credential stuffing attacks. PAM solutions secure privileged accounts through password vaults, yet still require users to retrieve and enter credentials, creating exposure windows during authentication processes.
SSO reduces password proliferation but creates single points of failure—compromise one credential and attackers gain broad system access. MFA adds authentication factors but cannot prevent credential theft when users can see and potentially share their primary passwords. Zero Trust frameworks verify access requests continuously but still depend on initial authentication using user-controlled credentials.
The core issue persists: as long as users can see, remember, or share their credentials, those credentials can be compromised through human-targeted attacks that bypass technical security controls.
The Structural Solution
A different approach eliminates the fundamental vulnerability by separating user identity from credential access entirely. Rather than users creating passwords they can remember and potentially compromise, organisations can generate cryptographically secure credentials that users never see or hold.
MyCena's patented credential control technology implements this separation architecturally. The system generates unique, complex credentials for each user-system combination, encrypts them immediately, and distributes access through secure channels that prevent credential visibility. Users authenticate normally through biometric or device-based factors, but never interact directly with underlying passwords.
When staff need to access clinical systems, the platform retrieves and injects credentials automatically without displaying them on screen or storing them in browser memory. IT administrators can revoke access instantly across all systems without requiring password resets or user intervention. Third-party vendors receive time-limited access that expires automatically without leaving residual credentials in organisational systems.
This approach makes phishing attacks technically impossible—users cannot share credentials they have never seen. Social engineering fails because staff cannot reveal passwords they do not know. Credential stuffing becomes irrelevant when each access point uses unique, machine-generated credentials that change regularly without user involvement.
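The credential-control model described here, and in the MSP section above (client-scoped, time-limited grants with central revocation), as an added illustration that is not MyCena's implementation or the page's own code: the broker, its grant format and the target systems are assumptions. The user holds only an opaque grant id; the target password exists solely inside the broker, which logs in on the user's behalf, rotates the password without user involvement, and records who used what.

```python
"""Credential broker illustrating identity separated from credential possession.

Added example, not MyCena's implementation or the page's own code: the broker,
its grant format and the target systems are assumptions. Users hold only an
opaque grant id; the target password lives solely inside the broker, which
logs in on the user's behalf and records who used what.
"""
import hmac
import secrets


class TargetSystem:
    """Constructed stand-in for a client system that still authenticates with a password."""

    def __init__(self, name):
        self.name, self._password, self.logins = name, None, 0

    def set_password(self, password):
        self._password = password

    def login(self, password):
        """Returns a session id on success, None on failure; the password is never echoed back."""
        if self._password is None or not hmac.compare_digest(password, self._password):
            return None
        self.logins += 1
        return f"{self.name}-session-{self.logins}"


class CredentialBroker:
    """Holds the real passwords; users only ever receive opaque grant ids."""

    def __init__(self):
        self._vault = {}    # target name -> current password (broker-only)
        self._targets = {}  # target name -> TargetSystem
        self._grants = {}   # grant id -> {user, target, expires, revoked}
        self.audit = []     # (time, event, actor, target, grant id)

    def enrol(self, target, now=0):
        """Take over a target: its password becomes a random value no human ever sees."""
        self._targets[target.name] = target
        self.rotate(target.name, now)

    def rotate(self, target, now):
        """Replace a target's password; outstanding grants keep working since users never held it."""
        new = secrets.token_urlsafe(24)
        self._targets[target].set_password(new)
        self._vault[target] = new
        self.audit.append((now, "rotated", "broker", target, None))

    def issue(self, user, target, ttl, now):
        """Grant `user` access to one target for `ttl` seconds; returns the opaque handle only."""
        gid = secrets.token_urlsafe(16)
        self._grants[gid] = {"user": user, "target": target, "expires": now + ttl, "revoked": False}
        self.audit.append((now, "issued", user, target, gid))
        return gid

    def revoke(self, gid, admin, now):
        """Central revocation: no password reset or user action needed."""
        self._grants[gid]["revoked"] = True
        self.audit.append((now, "revoked", admin, self._grants[gid]["target"], gid))

    def use(self, gid, target, now):
        """Log the grant holder into `target` on their behalf; returns a session id or None."""
        g = self._grants.get(gid)
        if g is None or g["revoked"] or now > g["expires"] or g["target"] != target:
            self.audit.append((now, "denied", g["user"] if g else "unknown", target, gid))
            return None
        self.audit.append((now, "used", g["user"], target, gid))
        return self._targets[target].login(self._vault[target])


def demo():
    """Walk a vendor technician's grant through scope, rotation, expiry and revocation."""
    broker = CredentialBroker()
    for name in ("clinic-ehr", "lab-lims"):
        broker.enrol(TargetSystem(name))
    grant = broker.issue("vendor-tech", "clinic-ehr", ttl=3600, now=100)
    out = {"in_scope": broker.use(grant, "clinic-ehr", now=200) is not None}
    out["other_client"] = broker.use(grant, "lab-lims", now=201)        # scoped to one client
    broker.rotate("clinic-ehr", now=300)                                 # password changes, grant survives
    out["after_rotation"] = broker.use(grant, "clinic-ehr", now=301) is not None
    out["after_expiry"] = broker.use(grant, "clinic-ehr", now=3701)     # 1 s past the ttl
    grant2 = broker.issue("vendor-tech", "clinic-ehr", ttl=3600, now=5000)
    broker.revoke(grant2, "it-admin", now=5001)
    out["after_revoke"] = broker.use(grant2, "clinic-ehr", now=5002)
    out["attributed_users"] = sorted({e[2] for e in broker.audit if e[1] == "used"})
    return out


if __name__ == "__main__":
    print(demo())
```

The audit list is the evidence a supervisor would ask for: every "used" entry names an authenticated person, and every "denied" entry shows scope, expiry or revocation being enforced by the broker rather than by the user.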
Strategic Implementation
Healthcare leaders should evaluate their current credential strategies against specific regulatory requirements rather than security vendor marketing claims. HIPAA's "minimum necessary" standard, HITECH's breach notification thresholds, and NIS2's proportionate security measures all point toward the same conclusion: organisations must control credentials as strictly as they control patient data.
The implementation path requires three strategic decisions. First, audit existing credential exposure across clinical systems, administrative platforms, and third-party integrations. Second, establish credential generation and distribution policies that remove user visibility from the authentication process. Third, integrate automated credential management with existing IAM and security infrastructure to maintain operational continuity while eliminating human-based vulnerabilities.
The regulatory landscape will continue expanding. Healthcare organisations that eliminate credential visibility today will find compliance straightforward tomorrow. Those that continue relying on user-managed passwords will face escalating risks as regulators demand more stringent access controls across increasingly complex digital healthcare ecosystems.
The technical solution exists. The regulatory requirement is clear. The business case is quantified. The only question remaining is implementation timeline.