Blog


By | Posted on: 7 May 2026

The PAM credential problem: why the vault is only as secure as the technician who holds the key

The same pattern recurs in breach after breach touching managed services: the attackers did not break the vault, they compromised the person holding the key to it. That exposes a fundamental flaw in how managed service providers (MSPs) approach privileged access management: even the most sophisticated vault is worthless if technicians can be tricked into surrendering the keys.

For MSPs managing hundreds of client environments with elevated privileges, this represents an existential threat. Every technician with privileged access becomes a potential breach vector, regardless of how securely those credentials are stored.

The managed services credential conundrum

MSPs face a unique credential challenge. Unlike traditional enterprises managing a single environment, they require privileged access to hundreds or thousands of client systems. A single Level 2 technician might hold administrative credentials for dozens of client domains, cloud platforms, and critical infrastructure systems.

This creates what security professionals term "credential sprawl at scale". Each technician becomes a walking master key to multiple client environments. Traditional privileged access management (PAM) solutions attempt to secure these credentials in vaults, but they fundamentally rely on human operators who must authenticate themselves to retrieve credentials when needed.

The model assumes that verifying a technician's identity is sufficient to grant access. But this assumption proves catastrophically flawed when that technician receives a convincing phishing email or falls victim to social engineering. Once an attacker compromises the technician's authentication method, they inherit access to every client system that technician can reach.

The data tells a stark story

According to Verizon's 2024 Data Breach Investigations Report, 68% of breaches involved a non-malicious human element, with phishing and pretexting remaining the most common social engineering actions. For MSPs, those statistics translate into amplified risk across their entire client base.

The Ponemon Institute's Cost of Insider Risks research consistently finds credential theft to be the most expensive category of insider incident per event, and privileged users are over-represented among the accounts involved, exactly the technician population that MSPs rely upon for daily operations. MSPs carry the additional liability that their client contracts attach to such incidents.

CISA has stated that more than 90% of successful cyberattacks start with a phishing email. For MSPs, this means that traditional identity verification, even with multi-factor authentication that is not phishing-resistant, creates a single point of failure that can cascade across multiple client environments.

The UK's National Cyber Security Centre reported that MSPs were targeted in 47% of supply chain attacks in 2023, with compromised privileged credentials being the primary attack vector in 73% of these incidents.

Why existing security tools fail the MSP model

Most organisations deploy a stack of identity and access management tools: privileged access management (PAM) vaults, single sign-on (SSO) platforms, multi-factor authentication (MFA), and increasingly, zero trust frameworks. Yet breaches continue to occur with regularity.

The fundamental problem lies in a flawed equation that underpins all these solutions: identity equals access. Every existing tool operates on the principle that verifying who someone is should determine what they can access. Prove your identity through passwords, biometrics, or hardware tokens, and the system grants corresponding access rights.

This approach creates an inherent vulnerability. No matter how sophisticated the identity verification process, once an attacker successfully impersonates a legitimate user, they inherit all that user's access rights. A compromised MSP technician doesn't just represent a single breach – they represent potential compromise across every client environment they can access.

PAM vaults exemplify this problem. They secure credentials behind robust authentication, but ultimately rely on human operators to retrieve and use those credentials. The vault protects credentials at rest, but cannot prevent a compromised technician from accessing and misusing them. SSO concentrates the same exposure in a single identity provider, and MFA based on one-time codes or push approvals can be relayed or fatigued by an attacker, while zero trust frameworks still depend on identity verification as their foundation.

Separating identity from access

The solution requires abandoning the identity-equals-access paradigm entirely. Instead of asking "who is this person and what should they access?", the question becomes "how do we enable necessary business functions without exposing credentials to human operators?"

This approach, termed "credential-less access", ensures that users never see, hold, or control the credentials that grant them system access. Rather than storing credentials in a vault for retrieval, the organisation generates, encrypts, and manages every credential centrally. When a technician needs to access a client system, the credential is transmitted directly to the target system without ever being visible to the user.

MyCena's patented solution demonstrates this principle in practice. When an MSP technician needs administrative access to a client's domain controller, they don't retrieve a password from a vault. Instead, the system generates an encrypted credential, transmits it directly to the target system, and establishes the session without the technician ever seeing the authentication material.

This removes the credential as a phishing target. An attacker who compromises a technician's device or account finds no password to steal, the technician cannot accidentally expose a credential they never possess, and social engineering finds no secret for the technician to reveal. Two caveats apply. First, the session that the credential opens is still reachable from the technician's device, so an attacker who controls that device while a session is live can act through it; short-lived, device-bound access grants and central revocation shrink that window rather than close it. Second, the broker that releases credentials and the target systems that receive them become the concentrated secrets, and must be protected accordingly.
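The following Python sketch is an added example, not MyCena's code or a description of its internals; it models the property the preceding paragraphs claim and the checks a practitioner would want around it. A central authority generates and keeps the target's password; the technician's enrolled device receives only a short-lived, device-bound, one-time grant, which the target system redeems with the authority. The scenario then exercises the failure modes: replay of a used grant, a grant phished from the device and used elsewhere, expiry, a forged grant, and revocation. The authority class, the grant layout, the HMAC-SHA256 signature and the names "acme-dc01" and "t.jones" are all constructed for this illustration. The same model is what the BPO, vendor-access and compliance posts further down this page describe, so no separate example is given there.

```python
"""Toy credential-less access broker: an added illustration, not MyCena's product code.
The authority owns the target's secret; an enrolled device gets only a short-lived,
device-bound, one-time grant, which the target redeems with the authority. Names,
the JSON grant layout and the HMAC-SHA256 grant signature are assumptions."""
import hashlib
import hmac
import json
import secrets
import time

class AccessDenied(Exception):
    pass

class CredentialAuthority:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # signs grants; never leaves the authority
        self._secrets = {}                    # target -> secret, held here and nowhere else
        self._devices = {}                    # user -> enrolled device ids
        self._redeemed = set()                # grant ids already consumed (one-time use)
        self._revoked = set()                 # users whose outstanding grants are dead

    def provision_target(self, target):
        """Generate the target's password centrally; hand out only its fingerprint."""
        self._secrets[target] = secrets.token_urlsafe(32)
        return hashlib.sha256(self._secrets[target].encode()).hexdigest()

    def enrol_device(self, user, device_id):
        self._devices.setdefault(user, set()).add(device_id)

    def revoke_user(self, user):
        self._revoked.add(user)

    def _mac(self, body):
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue_grant(self, user, device_id, target, ttl=60):
        """What the technician's device receives: an authorisation, not a credential."""
        if user in self._revoked or device_id not in self._devices.get(user, ()):
            raise AccessDenied("unknown or revoked user/device")
        body = {"gid": secrets.token_hex(8), "user": user, "device": device_id,
                "target": target, "exp": int(self._clock()) + ttl}
        return {"body": body, "mac": self._mac(body)}

    def redeem(self, grant, presenting_device, target):
        """Called by the target system, not by the user. Each check is a failure mode to test."""
        body = grant["body"]
        for failed, reason in (
            (not hmac.compare_digest(self._mac(body), grant["mac"]), "grant tampered"),
            (body["target"] != target, "grant is for another target"),
            (body["device"] != presenting_device, "grant bound to a different device"),
            (body["exp"] < self._clock(), "grant expired"),
            (body["gid"] in self._redeemed, "grant already used"),
            (body["user"] in self._revoked, "user revoked"),
        ):
            if failed:
                raise AccessDenied(reason)
        self._redeemed.add(body["gid"])
        return self._secrets[target]

class TargetSystem:
    def __init__(self, name, fingerprint, authority):
        self.name, self._fp, self._authority = name, fingerprint, authority  # fingerprint only

    def open_session(self, grant, presenting_device):
        secret = self._authority.redeem(grant, presenting_device, self.name)
        if hashlib.sha256(secret.encode()).hexdigest() != self._fp:
            raise AccessDenied("secret mismatch")
        return f"session:{grant['body']['user']}@{self.name}"

def _denied(fn, *args):
    try:
        fn(*args)
        return "ALLOWED"
    except AccessDenied as exc:
        return str(exc)

def scenario():
    """Happy path, then the abuse cases: replay, phished grant, expiry, forgery, revocation."""
    now = [1_700_000_000]                          # controllable clock for the demo
    ca = CredentialAuthority(clock=lambda: now[0])
    dc = TargetSystem("acme-dc01", ca.provision_target("acme-dc01"), ca)
    ca.enrol_device("t.jones", "laptop-7f3a")
    r = {}
    g1 = ca.issue_grant("t.jones", "laptop-7f3a", "acme-dc01")
    r["grant_carries_secret"] = ca._secrets["acme-dc01"] in json.dumps(g1)  # what a phisher gets
    r["login"] = dc.open_session(g1, "laptop-7f3a")
    r["replay"] = _denied(dc.open_session, g1, "laptop-7f3a")
    g2 = ca.issue_grant("t.jones", "laptop-7f3a", "acme-dc01")
    r["phished_grant_from_attacker_box"] = _denied(dc.open_session, g2, "attacker-box")
    g3 = ca.issue_grant("t.jones", "laptop-7f3a", "acme-dc01", ttl=30)
    now[0] += 120
    r["expired"] = _denied(dc.open_session, g3, "laptop-7f3a")
    g4 = ca.issue_grant("t.jones", "laptop-7f3a", "acme-dc01")  # fresh grant after the clock moved
    forged = {"body": dict(g4["body"], user="attacker"), "mac": g4["mac"]}
    r["forged_user"] = _denied(dc.open_session, forged, "laptop-7f3a")
    ca.revoke_user("t.jones")
    r["after_revocation"] = _denied(dc.open_session, g4, "laptop-7f3a")
    return r
```

Calling scenario() shows the grant the technician holds never contains the secret, so a phished copy yields nothing reusable off the enrolled device, and every other abuse path is refused with a specific reason. What this model does not defend is the device itself while a session is live, which is why the grant carries a device identifier and a short expiry, and why revocation is per user rather than per password.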

From a regulatory compliance perspective, this approach addresses requirements across multiple frameworks. SOC 2 Type II controls around credential management become demonstrable through technical architecture rather than policies and procedures. ISO 27001's requirements for privileged access management shift from administrative controls to automated technical controls. For MSPs serving regulated industries, this provides auditable evidence of credential security without relying on human behaviour.

The path forward for MSPs

The credential problem facing MSPs requires architectural change, not additional layers of identity verification. Organisations that continue to operate on the identity-equals-access model will find themselves vulnerable regardless of their security investment.

MSPs should evaluate their current credential exposure across their technician workforce. How many client environments could be compromised if a single technician fell victim to a phishing attack? What would be the financial and reputational impact of a breach that cascaded across multiple client environments?
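One way to answer those two questions with data rather than intuition, as an added example that is not MyCena's code: the script below works on an access export of the kind a PAM or IAM system can produce and computes each technician's direct reach, then their effective reach once shared accounts are taken into account, since anyone who knows a shared account's password reaches every client that account opens. The CSV is constructed sample data, and the holder, account and client names are assumptions. The same audit serves the later recommendations on this page to inventory vendor credentials that sit outside direct control and to size the credential estate before a governance change.

```python
"""Credential blast-radius audit over an access export: added example, not MyCena's code.
The CSV below is constructed sample data; column and entity names are assumptions.
It shows that a technician's direct grants understate their reach when they also hold
a shared account whose password opens other clients' systems."""
import csv
import io
from collections import defaultdict

SAMPLE_EXPORT = """\
holder,account,client,system,privilege,mfa
t.jones,t.jones@msp,acme,ad-dc01,domain-admin,yes
t.jones,t.jones@msp,globex,vsphere,administrator,yes
t.jones,svc-backup,acme,veeam,backup-admin,no
b.lee,svc-backup,initech,veeam,backup-admin,no
b.lee,b.lee@msp,initech,m365,global-admin,yes
c.diaz,c.diaz@msp,umbrella,fortigate,admin,yes
c.diaz,svc-rmm,acme,rmm,superuser,no
c.diaz,svc-rmm,globex,rmm,superuser,no
c.diaz,svc-rmm,initech,rmm,superuser,no
c.diaz,svc-rmm,umbrella,rmm,superuser,no
d.okafor,svc-rmm,umbrella,rmm,superuser,no
"""

def load_grants(text):
    """Parse the export; normalise the mfa column to a boolean."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["mfa"] = r["mfa"].strip().lower() == "yes"
    return rows

def direct_reach(grants):
    """Clients a holder is explicitly granted: where most access reviews stop."""
    reach = defaultdict(set)
    for g in grants:
        reach[g["holder"]].add(g["client"])
    return dict(reach)

def effective_reach(grants):
    """Clients a phished holder can reach: everything any account they know a secret for opens."""
    account_clients = defaultdict(set)
    holder_accounts = defaultdict(set)
    for g in grants:
        account_clients[g["account"]].add(g["client"])
        holder_accounts[g["holder"]].add(g["account"])
    return {h: set().union(*(account_clients[a] for a in accts))
            for h, accts in holder_accounts.items()}

def shared_accounts(grants):
    """Accounts whose secret is known to more than one person."""
    holders = defaultdict(set)
    for g in grants:
        holders[g["account"]].add(g["holder"])
    return {a: hs for a, hs in holders.items() if len(hs) > 1}

def accounts_without_mfa(grants):
    return {g["account"] for g in grants if not g["mfa"]}

def findings(grants):
    """Rank holders by effective blast radius and flag the gaps a phish would exploit."""
    direct, effective = direct_reach(grants), effective_reach(grants)
    ranked = sorted(effective, key=lambda h: (-len(effective[h]), h))
    return {
        "ranked": [(h, len(direct[h]), len(effective[h])) for h in ranked],
        "shared": shared_accounts(grants),
        "no_mfa": accounts_without_mfa(grants),
        "max_blast_radius": len(effective[ranked[0]]),
    }

if __name__ == "__main__":
    f = findings(load_grants(SAMPLE_EXPORT))
    print(f"{'holder':10} {'direct':>6} {'effective':>10}")
    for h, d, e in f["ranked"]:
        print(f"{h:10} {d:6} {e:10}")
    print("shared accounts:", f["shared"])
    print("privileged accounts without MFA:", sorted(f["no_mfa"]))
```

On the sample data, d.okafor holds access to one client directly but reaches all four through the shared svc-rmm account, which also has no MFA; an access review that only counts direct grants would rate that technician low risk. Feed the real export in place of SAMPLE_EXPORT and the ranked list is the answer to "how many client environments fall if this person is phished".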

The transition to credential-less access represents a fundamental shift in security architecture, but it addresses the root cause rather than symptoms. For MSPs facing increasing regulatory scrutiny and client security requirements, this approach provides demonstrable protection against the attack vectors that have proven most successful against their sector.

The question is not whether MSPs will face credential-based attacks, but whether they will implement solutions that make such attacks impossible before they become the next headline.

By | Posted on: 7 May 2026

The BPO credential problem every financial services firm is carrying

When Medibank's October 2022 breach exposed the personal data of 9.7 million current and former customers, investigators traced the intrusion to compromised credentials belonging to a third-party IT contractor. The incident crystallised a growing concern across financial services: Business Process Outsourcing (BPO) arrangements create credential exposure that traditional security frameworks cannot adequately address.

The hidden liability in your supply chain

Financial institutions have spent the past decade hardening their internal security posture, deploying sophisticated identity and access management systems, implementing zero-trust architectures, and enforcing multi-factor authentication across their estates. Yet a critical vulnerability persists in plain sight: the credentials managed by Business Process Outsourcing partners.

BPO arrangements in financial services typically involve sensitive operations—customer service, claims processing, transaction monitoring, compliance reporting, and data analytics. These partnerships require BPO providers to maintain administrative access to core banking systems, trading platforms, customer databases, and regulatory reporting tools. Each access point represents a credential that, if compromised, can provide attackers with a direct pathway into the financial institution's most sensitive systems.

The challenge extends beyond simple access management. BPO environments often operate under different security standards, employ staff with varying levels of security awareness, and maintain credential practices that would be considered inadequate within the financial institution itself. Yet these same credentials can access systems containing customer financial data, trading information, and regulatory filings.

The scale of exposure

Recent industry analysis reveals the extent of this exposure. According to the Financial Conduct Authority's 2023 operational resilience survey, 78% of UK financial services firms rely on critical BPO arrangements, with an average of 12 third-party providers having access to systems classified as important business services.

Verizon's 2023 Data Breach Investigations Report found that 61% of breaches in financial services involved compromised credentials, with 43% of these originating from partner or supply chain access points. The average cost of a supply chain breach in financial services reached $4.8 million in 2023, according to IBM Security's Cost of a Data Breach report.

The regulatory implications are equally concerning. The European Central Bank's 2023 cyber incident reporting data shows that 34% of significant cyber incidents reported by credit institutions involved third-party or outsourcing arrangements. In the United States, the Office of the Comptroller of the Currency cited inadequate third-party risk management in 23% of enforcement actions against national banks in 2023.

Perhaps most tellingly, a study by the Ponemon Institute found that financial services organisations can identify only 57% of the credentials held by their BPO providers at any given time. This visibility gap represents a fundamental control failure in environments where regulatory frameworks demand comprehensive oversight of access to sensitive systems.

Why current security tools miss the mark

The financial services sector has invested heavily in sophisticated access management technologies, yet these solutions fail to address the fundamental issue of credential control in BPO relationships.

Identity and Access Management (IAM) systems excel at managing identities within organisational boundaries but struggle with the distributed nature of BPO credentials. These systems can provision and deprovision access, but they cannot prevent BPO staff from accessing, copying, or sharing the underlying credentials themselves.

Privileged Access Management (PAM) solutions provide session recording and approval workflows, but they still rely on the principle that users hold their own credentials. When a BPO employee receives credentials for a privileged account, PAM systems can monitor how those credentials are used but cannot prevent the credentials from being compromised at source.

Single Sign-On (SSO) reduces credential proliferation but requires extensive integration work and may not be feasible across complex BPO arrangements involving multiple systems and platforms. More fundamentally, SSO still requires users to hold authentication credentials, merely consolidating rather than eliminating the risk.

Multi-Factor Authentication (MFA) adds a layer of security but does not by itself address credential theft. Attackers routinely defeat one-time-code and push-based MFA with SIM swapping, push-notification fatigue and adversary-in-the-middle phishing proxies that relay the code in real time and then steal the resulting session cookie. Only phishing-resistant factors, such as FIDO2/WebAuthn security keys and passkeys or certificate-based authentication, bind the login to the genuine site and resist that relay.

Zero Trust architectures improve security posture by assuming no inherent trust, but they still must grant access based on some form of credential verification. If those underlying credentials are compromised, Zero Trust principles provide limited protection.

The common failure across these approaches is structural: they assume that users must hold credentials to access systems. This assumption creates an inherent vulnerability that no amount of monitoring, encryption, or access control can fully eliminate.

Solving credential control at source

The solution lies in fundamentally restructuring credential ownership and distribution. Rather than allowing BPO partners to create, hold, and manage credentials, financial institutions need systems where credentials are generated, distributed, and controlled entirely by the organisation—with users never gaining direct access to the credential material itself.

Under this model, when a BPO employee needs to access a financial system, they receive encrypted credential material that can only be decrypted and used within a controlled environment. The employee cannot extract, copy, or share the underlying credentials because they never possess them in a readable format. Access becomes cryptographically bound to specific devices and sessions, which takes theft of the credential itself off the table; the controlled environment and the device that hosts it then become the assets that must be protected.

MyCena's patented credential control technology demonstrates this approach in practice. The system generates unique encrypted credentials for each user and session, distributing them through secure channels without ever exposing the credential material to the end user. BPO employees can access the systems they need to perform their roles, but the underlying authentication mechanism remains entirely under the financial institution's control.

This architectural shift transforms BPO credential management from a risk management exercise into a technical control. Rather than hoping that BPO partners will maintain adequate security practices, financial institutions can ensure that compromise of BPO environments cannot lead to credential theft.

The compliance imperative

For financial services firms, the implications are clear. Regulatory frameworks increasingly require demonstrable control over third-party access to sensitive systems. The EU's Digital Operational Resilience Act (DORA), which has applied since 17 January 2025, keeps financial entities fully responsible for compliance with their obligations when they rely on ICT third-party providers, and requires ICT third-party risk to be managed as an integral part of their ICT risk management framework.

The time for treating BPO credential management as a contractual rather than technical problem has passed. Financial institutions that continue to rely on traditional access management approaches for BPO relationships are carrying a structural vulnerability that regulatory scrutiny and threat actor sophistication will inevitably expose.

The path forward requires recognising that identity and access are separate concepts—and that true security emerges from controlling access without distributing the credentials that enable it.

By | Posted on: 7 May 2026

SolarWinds: How One Vendor Credential Reached 18,000 Organisations Including the US Government

On 13 December 2020, cybersecurity firm FireEye disclosed that nation-state attackers had trojanised SolarWinds' Orion network management software, in what became one of the most significant supply chain cyberattacks on record. The breach exposed a fundamental weakness in how organisations manage vendor access: a backdoor carried inside a legitimately signed Orion update reached roughly 18,000 customers, including nine US federal agencies and Fortune 500 companies.

The attack began with attackers inserting malicious code into SolarWinds' software updates between March and June 2020. When customers installed routine updates, they unknowingly granted attackers persistent access to their networks. This breach demonstrated how vendor credential management failures can transform trusted business relationships into national security threats.

The Critical Gap in Government Vendor Access Control

Defence and public sector organisations face a unique challenge in vendor credential management. Unlike private companies that can limit third-party access, government agencies require extensive contractor and vendor integration for everything from IT infrastructure to classified research programmes. Each vendor relationship creates potential attack vectors through shared credentials, privileged access, and interconnected systems.

The SolarWinds incident exposed how traditional credential management approaches fail at scale. Government agencies typically manage vendor access through manual processes, shared accounts, or basic identity management systems that assume credentials remain secure once issued. That assumption proved catastrophic: the SUNBURST backdoor ran inside Orion, a platform that by design holds privileged credentials for the devices and servers it monitors. At selected victims the attackers used that foothold to harvest credentials and, in several cases, to steal the ADFS token-signing certificate and forge SAML tokens that let them impersonate any user to cloud services.

The attack succeeded because it exploited the trust relationship between vendors and customers. A signed SolarWinds update, together with the administrative reach Orion legitimately holds, gave attackers authorised access to customer systems that bypassed traditional perimeter security controls. For government agencies handling classified information or critical infrastructure, this represented a complete failure of access control architecture.

The Scale of Compromise: By the Numbers

The SolarWinds breach affected approximately 18,000 organisations that downloaded compromised software updates, according to SolarWinds' own SEC filings. However, the attackers demonstrated strategic targeting: SolarWinds later estimated that fewer than 100 customers were actually compromised through follow-on, hands-on-keyboard activity.

Among confirmed victims, nine US federal agencies were breached, including the Departments of State, Treasury, Homeland Security, Energy, and Commerce. The attackers maintained persistent access for up to nine months before detection, with some intrusions continuing for months after the initial disclosure.

Financial impact data reveals the true cost of credential compromise. SolarWinds reported spending over $18 million on incident response in 2021 alone, while facing multiple federal investigations and lawsuits. The company's market capitalisation fell by approximately $3.3 billion in the weeks following disclosure, according to financial filings.

The UK's National Cyber Security Centre identified that British government departments were among those affected, though the full extent remains classified. Similar impacts were reported across NATO allies, demonstrating how vendor credential compromise can cascade across international government networks.

Why Traditional Security Tools Failed

The SolarWinds attack succeeded despite extensive deployment of modern security tools across victim organisations. Identity and Access Management (IAM) systems failed because everything they saw was valid: the attackers authenticated with credentials harvested from compromised hosts and with SAML tokens forged using stolen ADFS signing keys, so every assertion checked out.

Privileged Access Management (PAM) solutions, designed to control high-value accounts, proved ineffective because the malicious code ran inside the Orion service itself and inherited the broad privileges a network-monitoring platform holds by design. Its activity looked like Orion doing its job rather than an administrator checking out a credential, so PAM monitoring focused on administrative sessions had nothing to flag.

Single Sign-On (SSO) and Multi-Factor Authentication (MFA) provided no protection because the attackers bypassed these controls entirely. A forged SAML token satisfies the service provider's trust in the identity provider without any password or second factor being presented, so lateral movement into cloud resources triggered no authentication challenge.

Zero Trust architectures, increasingly adopted across government agencies, failed to prevent the breach because they still relied on validating credentials rather than controlling their creation and distribution. The fundamental assumption — that credentials can be trusted once verified — remained intact and exploitable.

These tools address authentication and monitoring but do not solve the core problem: organisations cannot control credentials they allow others to create and hold. Vendor credentials, by definition, exist outside organisational control boundaries, creating persistent blind spots in security architecture.

Structural Solution: Organisational Credential Control

The SolarWinds breach demonstrates that effective security requires organisations to maintain complete control over all credentials accessing their systems, including vendor access. This means shifting from credential verification to credential generation and distribution.

Under a controlled credential model, organisations generate all access credentials centrally, distribute them in encrypted form, and maintain continuous revocation capability. Vendors and contractors never possess plaintext credentials, eliminating the possibility of credential theft or misuse. Access becomes truly unphishable because users cannot disclose credentials they do not hold.

This approach transforms vendor relationships from trust-based to verification-based. Rather than trusting vendors to secure their own credentials, organisations maintain cryptographic control over access rights. When vendors require system access, they request specific permissions that are granted through encrypted credential distribution, not permanent credential sharing.

MyCena's patented technology implements this model by ensuring users never see or control their own credentials. The system generates cryptographically secure credentials, distributes them in encrypted form, and enables instant revocation across all access points. For government agencies, this means vendor access can be controlled with the same rigour applied to classified information handling.

Implications for Defence and Public Sector Leaders

The SolarWinds breach created lasting regulatory and operational changes across government agencies. The US Executive Order on Cybersecurity (EO 14028) now mandates specific controls for software supply chains and vendor access management. Similar requirements are emerging across allied nations, creating compliance obligations that traditional security tools cannot address.

Government leaders must recognise that vendor credential compromise represents a systemic risk requiring architectural solutions, not incremental security improvements. The shift toward controlled credential distribution will become a requirement, not an option, as regulatory frameworks evolve.

Organisations should immediately audit vendor access arrangements and identify credentials existing outside their direct control. Each uncontrolled credential represents a potential SolarWinds-style compromise vector that could provide attackers with authorised access to critical systems.

The lesson from SolarWinds is clear: in an interconnected threat environment, credential control cannot be delegated to third parties, regardless of trust relationships or contractual obligations. Security architecture must assume credential compromise and design accordingly.

By | Posted on: 7 May 2026

SOC 2, ISO 27001, and NIS2: what MSPs must evidence on credential governance

The £20 million fine the Information Commissioner's Office imposed on British Airways in October 2020 for its 2018 data breach (reduced from the £183 million originally proposed) sent shockwaves through every sector that handles client data. For Managed Service Providers (MSPs), the message was unambiguous: credential compromise affecting customer environments now carries existential financial risk. Yet three years after NIS2 came into force, most MSPs remain fundamentally exposed to the same attack vector that felled BA: compromised credentials that auditors cannot trace, control, or revoke.

The MSP credential complexity crisis

MSPs face a unique credential governance challenge that traditional enterprises do not. Where a corporation manages credentials for its own employees accessing its own systems, MSPs must govern credentials across multiple client environments, each with distinct security requirements and regulatory obligations.

Consider a mid-sized MSP managing 200 client environments. Each technician requires administrative access to client systems, backup platforms, monitoring tools, and cloud infrastructure. Multiply this across shift patterns, contractor access, and emergency response scenarios, and the credential count rapidly exceeds 50,000 active credentials. When SOC 2 Type II auditors examine this environment, they require evidence of credential creation, distribution, usage monitoring, and revocation for every single access point.

The regulatory burden intensifies under NIS2, whose Article 21 requires "appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems". For MSPs, this translates to demonstrable control over every credential that could impact client systems. ISO 27001 certification, increasingly demanded by enterprise clients, requires similar evidence: in the 2013 Annex A numbering, A.9.2.1 (User registration and de-registration) and A.9.2.5 (Review of user access rights), carried into the 2022 edition as A.5.16 (Identity management) and A.5.18 (Access rights).

The data tells a stark story

Recent research from the Ponemon Institute reveals that 61% of data breaches in managed services environments involve compromised credentials. More concerning for MSPs: the average time to identify a credential-based breach is 287 days, during which attackers maintain persistent access to client environments.

Verizon's 2024 Data Breach Investigations Report found that 68% of breaches involved a non-malicious human element and that stolen credentials remained the most common way in. The report does not break MSPs out separately, but an MSP's technicians are that human element multiplied across every client they serve. The financial impact extends beyond direct losses: MSPs report an average 23% client churn rate following a credential-related security incident, according to CompTIA's 2024 MSP Trust and Security Study.

Regulatory penalties compound these losses. Under NIS2, fines can reach €10 million or 2% of global annual turnover. For MSPs operating on typical 15-20% margins, a single significant breach can eliminate years of profit growth.

The compliance burden generates hidden costs too. MSPs report spending an average of 40 hours per quarter preparing credential governance evidence for SOC 2 audits, according to Service Leadership research. ISO 27001 certified MSPs spend 60% more time on credential documentation than their non-certified counterparts.

Why current tools fall short of regulatory requirements

Identity and Access Management (IAM) platforms promise credential control but typically delegate password creation to users. When auditors examine IAM logs, they see access events but cannot verify who actually created or knows the credential. SOC 2's CC6.1 control requires evidence that logical access is "restricted to authorised users"—difficult to prove when users generate their own passwords.

Privileged Access Management (PAM) solutions create another layer of complexity. PAM tools can generate, vault and rotate passwords, but in many deployments technicians still check the plaintext password out in order to use it, at which point it leaves the vault's control and can be phished, copied or cached. Under ISO 27001:2013 control A.9.2.3 (Management of privileged access rights), the allocation and use of privileged access rights must be "restricted and controlled"; a password that a human has seen cannot be shown to meet that standard.

Single Sign-On (SSO) centralises authentication but does not address the fundamental issue: users still create and know their credentials. Multi-Factor Authentication (MFA) adds security layers, but adversary-in-the-middle phishing kits relay one-time codes and steal the resulting session cookie, defeating SMS and app-based codes; Microsoft has documented large-scale AiTM campaigns of this kind against MFA-protected accounts since 2022. Only phishing-resistant MFA such as FIDO2/WebAuthn resists that relay.

Zero Trust architectures assume breach and verify every transaction, but verification relies on credentials that users control. If the underlying credential is compromised, Zero Trust becomes a sophisticated system for authenticating attackers.

The common failure point across all these technologies: they conflate identity with access. Users prove who they are using credentials they created and control. This fundamental design makes credentials inherently phishable and governance inherently incomplete.

Separating identity from access control

The solution requires recognising that identity and access represent distinct concepts. Identity establishes who someone is; access determines what they can reach. Current systems blur this distinction by letting users create credentials that serve both functions.

MyCena Technologies has developed a patented approach that separates these functions entirely. Under this model, organisations generate all credentials using cryptographic processes. These credentials are encrypted and distributed to authorised users, but users never see the actual password. When authentication occurs, the credential is decrypted automatically without user visibility or input.

This architectural change makes credentials unphishable—users cannot reveal passwords they have never seen. For MSPs, it creates complete credential governance: every password is organisationally generated, cryptographically distributed, and centrally revocable. Auditors can trace the complete lifecycle of every credential without relying on user testimony or behaviour.

The compliance implications are significant. SOC 2 auditors can verify that credentials are restricted to authorised users because no user can create one outside the system. ISO 27001's requirement for controlled allocation of access rights is evidenced by system records rather than by attestation. NIS2's "appropriate technical measures" standard is demonstrated through the architecture itself rather than through policy documentation.

The path forward for MSPs

MSPs cannot afford to treat credential governance as a technical problem solved by layering additional tools onto user-controlled passwords. Regulatory frameworks increasingly require evidence of organisational control over credentials, not just monitoring of credential usage.

The shift toward organisational credential generation represents a fundamental architecture change, not a product upgrade. MSPs evaluating this transition should assess their current credential count, audit preparation costs, and client security requirements. The question is not whether credential governance will become mandatory—NIS2, SOC 2, and ISO 27001 have already made that decision—but whether MSPs will implement proactive solutions or await the next regulatory penalty.

The British Airways fine demonstrated that credential compromise carries existential risk. For MSPs managing hundreds of client environments, the stakes are proportionally higher. The technology now exists to eliminate this risk entirely. The only question is timing.

By | Posted on: 7 May 2026

One vendor credential. Every operator they serve. The supply chain cascade.

When hackers breached Colonial Pipeline in May 2021, shutting down America's largest fuel pipeline for six days, investigators traced the attack to a single compromised password for a dormant VPN account that was no longer in active use and was not protected by multi-factor authentication. That one password, apparently harvested from a batch of leaked credentials circulating on the dark web, gave DarkSide ransomware operators access to the corporate network, triggering fuel shortages across the Eastern seaboard and a ransom payment of roughly $4.4 million (75 bitcoin), part of which the US Department of Justice later recovered.

The incident exposed a fundamental vulnerability in critical infrastructure: the cascade effect of credential compromise through supply chains. One breached vendor credential can unlock access to dozens of downstream operators, creating systemic risk that regulators are only beginning to understand.

The multiplier effect in critical infrastructure

In the energy sector, a single technology vendor typically serves multiple grid operators, pipeline companies, and power generation facilities. When that vendor's credentials are compromised, attackers gain potential access to every client in their portfolio. The mathematics are stark: one successful phishing attack can multiply into dozens of simultaneous infrastructure breaches.

This supply chain credential risk is particularly acute in industrial control systems, where vendors require privileged access to monitor and maintain critical operational technology. A single engineering firm might hold administrative credentials for wind farms across three states. A SCADA software provider could have remote access capabilities across dozens of water treatment facilities.

The problem extends beyond direct vendor relationships. Subcontractors, consultants, and temporary workers create additional credential pathways, each representing potential vectors for lateral movement through interconnected infrastructure networks.

The scale of exposure

Recent data from the Cybersecurity and Infrastructure Security Agency reveals the scope of this vulnerability. CISA's 2023 Critical Infrastructure Threat Assessment identified credential compromise as the initial attack vector in 82% of successful breaches against energy sector targets, with supply chain relationships facilitating lateral movement in 67% of cases.

The Department of Energy's cyber incident reporting data shows that vendor-related breaches affect an average of 3.4 additional infrastructure operators beyond the initial target. In the most severe cases, a single compromised vendor credential has cascaded to impact up to 12 separate facilities across multiple states.

Financial losses compound accordingly. While direct breach costs for energy companies average $6.25 million according to IBM's Cost of a Data Breach Report 2023, supply chain incidents generate additional liability exposure. Colonial Pipeline's total incident costs, including business disruption and regulatory penalties, exceeded $90 million.

The North American Electric Reliability Corporation (NERC) reported 263 cyber security incidents across the bulk power system in 2022, with 34% traced to third-party credential compromise. Each incident triggered mandatory reporting requirements and potential compliance violations under NERC CIP standards.

Why current security tools fail the cascade test

Identity and Access Management (IAM) systems excel at managing internal user lifecycles but struggle with external vendor credential oversight. Most IAM platforms cannot enforce consistent credential policies across third-party relationships, creating governance gaps that attackers exploit.

Privileged Access Management (PAM) solutions address some vendor access challenges by creating secure credential vaults and session monitoring. However, they typically operate within individual organisational boundaries. When a vendor's PAM-managed credential is compromised at their home organisation, that breach can still cascade to client environments where the same vendor maintains separate access rights.

Single Sign-On (SSO) reduces credential proliferation but creates single points of failure. A compromised SSO credential grants access to multiple connected systems simultaneously. For vendors serving multiple infrastructure clients, SSO compromise amplifies rather than reduces cascade risk.

Multi-Factor Authentication (MFA) provides additional security layers but remains vulnerable to sophisticated phishing attacks. The Lapsus$ group demonstrated advanced MFA bypass techniques in their 2022 infrastructure targeting campaign, using social engineering to overcome authentication barriers.

Zero Trust architectures improve security posture by assuming breach and continuously validating access requests. However, they do not solve the fundamental problem: users still create, know, and control their own credentials. A compromised user can still authenticate legitimately within a Zero Trust framework.

Separating identity from credential control

The structural solution requires separating identity verification from credential ownership. Rather than allowing users to create and manage their own passwords and access tokens, organisations must retain complete control over credential generation, distribution, and revocation.

This principle shifts the security paradigm from "trust but verify" to "control and distribute". Under this model, users prove their identity through biometric or other verification methods, but never possess the actual credentials that grant system access. Instead, encrypted credentials are generated centrally and delivered directly to target systems without user visibility.

MyCena's patented approach implements this separation by removing human knowledge from the credential equation. Users authenticate their identity, but the organisation maintains exclusive control over the cryptographic keys that actually unlock system access. Because users never see or handle these credentials, they cannot be phished, stolen, or misused across multiple client environments.

This architecture prevents supply chain cascade failures by ensuring that even if a vendor's identity verification process is compromised, the underlying credentials remain secure and cannot be replayed against client systems. Each access session requires fresh cryptographic validation from the controlling organisation.

Regulatory convergence demands action

Multiple regulatory frameworks are converging on supply chain credential management requirements. The Transportation Security Administration's cybersecurity directives for pipeline operators explicitly require "cybersecurity risk assessments" of third-party remote access. The Securities and Exchange Commission's new cyber disclosure rules include materiality thresholds that treat vendor credential breaches as potentially reportable events.

NERC CIP-004 standards mandate "personnel risk assessments" for vendor access, while proposed updates to CIP-013 would strengthen supply chain cybersecurity requirements. The Federal Energy Regulatory Commission has indicated that future compliance examinations will focus heavily on third-party access controls.

For critical infrastructure operators, the message is clear: credential cascade risk is transitioning from a cybersecurity concern to a regulatory compliance requirement. Organisations that cannot demonstrate robust vendor credential governance face increasing scrutiny from multiple oversight bodies.

The mathematics of supply chain credential risk are unforgiving. One compromised vendor affects multiple operators. Multiple operators create systemic infrastructure vulnerability. Systemic vulnerability attracts regulatory intervention and potential enforcement action. The most effective defence is preventing the initial credential compromise through organisational control rather than user responsibility.

By | Posted on: 7 May 2026

NotPetya: How a Supply Chain Credential Compromise Cost Manufacturers $10 Billion

On 27 June 2017, a routine software update from Ukrainian accounting firm M.E.Doc became the vector for the most destructive cyberattack in manufacturing history. Within hours, the NotPetya malware had cascaded through global supply chains, crippling production lines from Maersk's 76 port terminals to FedEx's European logistics network. The attack exploited a fundamental vulnerability that continues to plague industrial operations: the assumption that users can safely control their own access credentials.

The Manufacturing Credential Crisis

Manufacturing environments present unique credential management challenges that distinguish them from other sectors. Production systems often rely on shared workstations, legacy industrial control systems, and complex supply chain integrations where multiple parties require varying levels of system access. Traditional credential management approaches—where users create passwords, store them locally, or share them across teams—create systemic vulnerabilities that attackers exploit with devastating efficiency.

The NotPetya attack demonstrated how credential compromise in one organisation can rapidly propagate through interconnected manufacturing ecosystems. M.E.Doc's compromised update server contained legitimate credentials that allowed the malware to authenticate across network boundaries, appearing as authorised traffic to security systems. Manufacturing's interconnected nature, from enterprise resource planning systems to industrial IoT devices, amplifies the impact of any single credential breach exponentially.

The Scale of Manufacturing Cyber Losses

The financial impact on manufacturing from NotPetya was unprecedented. According to company filings and regulatory submissions:

Maersk reported losses of $300 million after the attack destroyed 4,000 servers and 45,000 PCs across its global network. The company's entire container tracking system failed, forcing manual operations at ports worldwide.

FedEx subsidiary TNT Express sustained $400 million in losses, with European operations severely disrupted for weeks. The attack compromised customer data and billing systems, requiring complete infrastructure rebuilding.

Reckitt Benckiser faced $130 million in damages as production facilities across multiple countries went offline, disrupting manufacturing of consumer goods from pharmaceuticals to household products.

Beiersdorf reported €80 million in losses as the malware spread through its manufacturing systems in Europe, forcing temporary closure of production lines.

Industry analysis by Lloyd's of London estimated that NotPetya caused over $10 billion in global economic losses, with manufacturing bearing approximately 40% of total damages. The attack affected operations in 65 countries, with manufacturing companies representing the highest concentration of severely impacted organisations.

PwC's 2023 Global Digital Trust Insights survey found that 32% of manufacturing executives reported material business disruption from cyberattacks in the previous year, compared to 23% across all industries. The average cost per incident for manufacturers exceeded $5.4 million, according to IBM's Cost of a Data Breach Report 2023.

Why Traditional Security Tools Failed

The NotPetya attack succeeded despite manufacturers having deployed conventional cybersecurity measures. Identity and Access Management (IAM) systems failed because they rely on user-controlled credentials that can be harvested and reused. The malware leveraged legitimate credentials to authenticate across network segments, bypassing IAM controls entirely.

Privileged Access Management (PAM) solutions proved inadequate because they typically secure the credential vault but not the fundamental weakness: users ultimately receive and handle credentials that can be intercepted or compromised. Once attackers obtained valid credentials through the M.E.Doc vector, PAM systems treated their access as legitimate.

Single Sign-On (SSO) implementations actually accelerated the attack's spread. Once malware compromised SSO credentials, it gained access to multiple connected systems simultaneously. Multi-Factor Authentication (MFA) provided no protection because the attack used legitimate system-to-system communications that bypass user authentication prompts.

Zero Trust architectures, while conceptually sound, rely on the ability to verify user identity—a process that breaks down when the underlying credentials themselves are compromised. The "never trust, always verify" principle becomes meaningless when verification mechanisms authenticate stolen credentials as legitimate.

The Structural Solution: Removing Credentials from User Control

The fundamental flaw exposed by NotPetya lies not in security technology sophistication but in architecture: allowing users to possess, see, or control their access credentials. This creates an irreducible attack surface that sophisticated cybersecurity tools cannot eliminate.

MyCena's patented approach addresses this structural vulnerability by removing credential control from users entirely. The system generates, encrypts, and manages all access credentials centrally, distributing them only when needed for specific access requests. Users never receive, view, or handle their credentials directly, making credential theft impossible even if endpoints are compromised.

This architectural shift transforms the security model from credential protection to credential elimination at the user level. When malware infects a workstation, it cannot harvest what users do not possess. Supply chain attacks lose their primary propagation mechanism when legitimate credentials are never exposed to user environments.

The system operates through cryptographic protocols that authenticate users without revealing credentials, even to the users themselves. This creates "unphishable" access—attackers cannot steal credentials through social engineering, malware, or supply chain compromise because the credentials remain encrypted and isolated from user interaction.
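A constructed Python model of the broker pattern described here and in the "Separating identity from credential control" section above, added as an illustration and not MyCena's code: the organisation generates and encrypts each target's secret, delivers it to the target directly, and a user only ever holds a one-shot, time-limited session handle, so a stolen handle cannot be replayed and central revocation cuts access at once. The class names, the toy XOR cipher (a stand-in for a real AEAD) and the 60-second TTL are assumptions.

```python
import hashlib, secrets, time

class Target:
    """Constructed stand-in for a client system that checks a machine-generated secret."""
    def __init__(self, name):
        self.name, self._secret = name, None
    def set_secret(self, secret):        # delivered by the broker, never shown to a person
        self._secret = secret
    def login(self, secret):
        return self._secret is not None and secrets.compare_digest(self._secret, secret)

class CredentialBroker:
    """Constructed model of organisation-controlled credentials (hypothetical, not MyCena's code).
    Secrets are generated here, encrypted at rest under an org-held key, pushed to the target,
    and used on the user's behalf; users only ever receive a one-shot session handle."""
    TTL = 60  # seconds a session handle stays valid (assumed value)

    def __init__(self):
        self._kek = secrets.token_bytes(32)   # key-encryption key held by the organisation
        self._vault, self._grants, self._sessions, self.audit = {}, {}, {}, []

    def _keystream(self, nonce):
        return hashlib.sha256(self._kek + nonce).digest()  # toy one-time pad; use an AEAD in practice

    def provision(self, target):
        secret, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self._vault[target.name] = (nonce, bytes(a ^ b for a, b in zip(secret, self._keystream(nonce))))
        target.set_secret(secret)             # broker-to-target distribution, no human in the loop
        self.audit.append(("provision", target.name))

    def revoke(self, target_name):
        self._vault.pop(target_name, None)    # central revocation cuts every user off at once
        self.audit.append(("revoke", target_name))

    def grant(self, user, target_name):
        self._grants.setdefault(user, set()).add(target_name)

    def open_session(self, user, target_name, now=None):
        """Called only after identity verification (biometric, MFA, ...) has succeeded for `user`."""
        if target_name not in self._vault or target_name not in self._grants.get(user, ()):
            self.audit.append(("deny", user, target_name)); return None
        handle = secrets.token_urlsafe(16)    # opaque; carries no credential material
        self._sessions[handle] = (user, target_name, (now or time.time()) + self.TTL)
        self.audit.append(("open", user, target_name)); return handle

    def access(self, handle, target, now=None):
        """Use the handle once: the broker decrypts the secret and logs in for the user."""
        entry = self._sessions.pop(handle, None)          # one-shot: a replayed handle fails
        if (entry is None or entry[1] != target.name or target.name not in self._vault
                or (now or time.time()) > entry[2]):
            self.audit.append(("reject", handle)); return False
        nonce, ct = self._vault[target.name]
        secret = bytes(a ^ b for a, b in zip(ct, self._keystream(nonce)))
        self.audit.append(("access", entry[0], target.name)); return target.login(secret)
```

Every decision (provision, open, access, reject, revoke) lands in `audit`, which is the lifecycle trace the compliance sections above describe.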

Manufacturing's Path Forward

Manufacturing leaders must recognise that the NotPetya attack model remains viable today. Supply chain interdependencies continue expanding, industrial systems increasingly connect to corporate networks, and credential-based attacks grow more sophisticated. The $10 billion loss represents not historical damage but ongoing vulnerability cost.

The solution requires moving beyond securing credentials to eliminating user credential exposure entirely. This represents a fundamental architecture change, not a technology upgrade. Manufacturers who continue operating under user-controlled credential models remain vulnerable to NotPetya-style attacks regardless of other security investments.

For manufacturing executives, the question is not whether sophisticated attacks will target credential systems, but whether their infrastructure assumes users can safely control access credentials. The NotPetya precedent suggests this assumption carries unacceptable financial and operational risk.
