Critical infrastructure breaches don’t start in the control room. They start with credentials.

Colonial Pipeline. The Ukraine power grid. The Oldsmar water plant. Every major critical infrastructure incident in the last decade began the same way — with a credential in human hands that the operator could not control, monitor, or revoke. MyCena closes that entry point before the attacker reaches the operational technology layer.
Key figures
82% of cyber-physical attacks use remote access as the entry vector · OT Ecosystem 2025
$4.4M Colonial Pipeline ransom — paid for one inactive VPN credential never revoked
Increase in state-aligned attacks on energy, transport and manufacturing in 2024
Annual cost of unplanned industrial downtime globally · Siemens 2024
The pattern

Three incidents. Same entry point.

Every major critical infrastructure breach in the last decade followed the same architectural failure. A credential existed in human hands. The operator had no structural mechanism to control it.

Colonial Pipeline — 2021
$4.4M
Fuel supply to 17 US states halted for six days.
Attackers purchased a single VPN credential for a former employee on the dark web. The account had never been deactivated. Nobody knew it was still active.
Entry point — inactive VPN credential, former employee
Ukraine Power Grid — 2015 & 2016
230,000
Customers lost power following coordinated cyberattacks on grid operators.
Attackers used spear-phishing to steal operator credentials, then used those credentials to remotely access SCADA systems and open circuit breakers. The credential was the entry to the OT layer.
Entry point — phished operator credentials
Oldsmar Water Plant — 2021
111x
An attacker remotely accessed the SCADA system and attempted to increase sodium hydroxide to 111 times the safe level.
Entry via remote desktop software with credentials that were shared across multiple users.
Entry point — shared remote desktop credentials

In every case the OT network itself was not the initial attack surface. The attacker authenticated using valid credentials at the IT/OT boundary — the remote access layer, the engineering workstation, the vendor VPN. Every security system in place saw a legitimate user logging in, because the credential was legitimate. The failure occurred before the attacker reached the control room.

Risk landscape

Six credential risks specific to critical infrastructure

Critical infrastructure environments carry the standard enterprise credential gap — plus operational risks that exist nowhere else.

01 — Operational
Vendor and contractor remote access
Third-party engineers connect to OT networks via VPN or remote desktop using credentials the operator organisation did not generate and cannot instantly revoke. 82% of cyber-physical attacks use this remote access layer as the entry vector. The vendor’s employee turnover is the operator’s uncontrolled exposure.
When the relationship ends, how fast can you revoke access to your SCADA environment? If the answer involves a ticket, you have a gap.
02 — Operational
Shared operator credentials
Many OT environments use shared login accounts for control systems — a legacy architecture inherited from before multi-user authentication existed on these platforms. Shared credentials mean no individual attribution, no audit trail, and no ability to revoke one person’s access without affecting the whole team.
A forensic investigation into an incident at Oldsmar was complicated by shared credentials. There was no way to know who had been logged in.
03 — Safety
Credential compromise reaching physical processes
Unlike an IT breach, a credential compromise that reaches the OT layer can trigger physical consequences — valves open, circuit breakers trip, process parameters change. The dwell time between credential theft and operational impact in OT environments is measured in hours. Detection happens after physical damage.
The credential is the access to the process. Controlling the credential is the first line of physical safety defence.
Where MyCena operates

The IT/OT convergence credential gap

MyCena does not replace OT-specific security tooling — Dragos, Claroty, and Nozomi govern the OT network layer. MyCena governs the credential layer above it: the remote access layer, the engineering workstations, and the vendor connections that every major OT breach has used as its entry point.

Where credential control applies in an OT environment
MyCena governs
Vendor remote access
Engineer credentials to your OT environment
Third-party maintenance engineers connect via VPN or RDP. MyCena generates those credentials centrally — the engineer never holds them — and revokes all vendor access in seconds when the maintenance window closes or the relationship ends.
✓ Colonial Pipeline entry point — closed structurally
MyCena governs
Engineering workstations
Operator and engineer authentication at the HMI layer
Operators and engineers authenticate to HMI workstations and SCADA interfaces via MyCena. No shared credentials. Every access event individually attributed, timestamped, and logged. Oldsmar-style shared credential risk eliminated.
✓ Oldsmar entry point — closed structurally
MyCena governs
IT/OT boundary systems
Jump servers, historian systems, data diodes, DMZ applications
The IT/OT boundary — the systems that bridge enterprise IT and the OT network — is where credential compromise becomes operational risk. MyCena governs authentication at every boundary system via standard protocols.
✓ Ukraine grid entry point pattern — closed structurally
MyCena governs
AI and automation agents
Industrial AI agents accessing process data and control interfaces
AI agents deployed for predictive maintenance, anomaly detection, and process optimisation authenticate through MyCena. Their credentials are centrally generated, individually attributed, and instantly revocable — on the same platform as human operator credentials.
✓ AI agent governance — same architecture, non-human identities
Outside scope
PLC firmware & device credentials
Hardcoded device credentials, PLC proprietary protocols
Hardcoded credentials embedded in PLC firmware and legacy device protocols operate below the standard authentication layer. These are governed by OT-specific platforms such as Dragos and Claroty. MyCena operates above this layer.
The OT stack — credential governance by layer
MyCena governs · Level 5
Enterprise IT — user workstations, SaaS, email
Full credential governance for all enterprise users, vendors, and AI agents. Central generation, invisible injection, instant revocation.
MyCena governs · Level 4
IT/OT boundary — jump servers, historians, DMZ
The critical convergence layer. Remote access, VPN endpoints, boundary applications. The entry point in every major OT breach.
MyCena governs · Level 3
Operations network — HMI workstations, SCADA interfaces
Engineering and operator authentication to control system interfaces. Individual attribution, shared credential elimination, full audit trail.
OT platform scope · Level 2
Control network — PLCs, DCS, RTUs
Process control systems. Governed by Dragos, Claroty, Nozomi for network monitoring and anomaly detection. Below the standard authentication layer.
OT platform scope · Level 1
Field devices — sensors, actuators, instrumentation
Physical process layer. Hardware-specific governance. Outside the authentication credential model.
What MyCena delivers

Structural credential control at the IT/OT boundary

The entry points that caused every major OT breach in the last decade are at the remote access layer — not inside the control network. MyCena closes those entry points structurally.

Vendor remote access — generated and revoked by you
Third-party maintenance engineers authenticate through MyCena. You generate their credentials, they never see them, and you revoke all access in seconds when the maintenance window closes — or immediately in a suspected incident.
Shared credentials — eliminated
Every operator and engineer has individually attributed, centrally generated credentials. No more shared team logins. Every access event is traceable to a named individual with a precise timestamp — forensic evidence ready on demand.
Phishing — no target
Operators never see or type their credentials. A spear-phishing campaign targeting an operator or engineer finds no credential to capture. The Ukraine power grid attack vector — phished operator credentials — is closed structurally.
CAF B2 — structurally satisfied
NCSC CAF Principle B2 requires continuous identity and access control evidence. MyCena generates a timestamped log of every credential event automatically — who accessed what, when, from where. Auditors receive the log. Not a policy document.
“In the physical world, a power operator cannot hand the keys to their substation to a maintenance contractor and hope they give them back. In the digital world, that is exactly what happens every day — and the attacker who buys those keys on the dark web walks straight in.”
The Colonial Pipeline question

Colonial Pipeline paid $4.4 million because an inactive VPN credential for a former employee was never revoked. The attacker purchased it on the dark web. If Colonial had deployed MyCena, the credential would not have existed in human hands — there would have been nothing to purchase. The 3.2-day average offboarding lag across the industry represents thousands of live credential exposure windows right now.

How it works at the IT/OT boundary

Credential control without touching OT systems

MyCena deploys as a software overlay at the IT/OT boundary layer. No OT system is modified. No control network is changed. No production process is touched.

Step 01
Central credential generation at the boundary
Every operator, engineer, and vendor credential for boundary systems — jump servers, VPN endpoints, HMI workstations, historian access — is generated by MyCena centrally. No individual creates their own access. No vendor brings their own credentials to your environment.
Step 02
Invisible injection — nothing to phish or share
Operators and engineers click to connect to boundary systems. MyCena injects the credential at the point of authentication — they never see it, type it, or hold it. No spear-phishing campaign can steal a credential the operator doesn’t know. No maintenance engineer can share what they’ve never seen.
Step 03
Complete access map — automatically maintained
Every credential event is logged individually — which operator, which boundary system, when, from where. The access map is complete and current at all times. When an incident investigation begins, the forensic trail is already there. No reconstruction. No uncertainty about who was logged in.
Step 04
Instant revocation — vendor or operator, any system
A maintenance window closes: one command, vendor access revoked across every boundary system simultaneously in seconds. A suspected insider incident: same command, same speed. A regulatory audit: timestamped revocation evidence produced on demand. The Colonial Pipeline gap, closed.
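As an added example (not MyCena's code, and not its log or record format), the checks below run the access-map logic these four steps describe over constructed sample records: they report enabled credentials still live past an offboarding date or a closed maintenance window, logins that happened after that point, and shared accounts whose events cannot be attributed to a named individual. The record layout, account names and addresses are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class Account:
    name: str              # credential identity presented to the boundary system
    owner: str             # named individual or vendor firm; "shared" = no single owner
    system: str            # jump server, VPN gateway, HMI workstation, historian
    enabled: bool
    access_ends: datetime  # offboarding date or close of the maintenance window

@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    account: str
    system: str
    source: str            # source address recorded for the authentication

def stale_accounts(accounts, now):
    """Enabled credentials past access_ends: each is a live exposure window.
    Returns {account name: lag in whole days}."""
    return {a.name: (now - a.access_ends).days
            for a in accounts if a.enabled and a.access_ends <= now}

def post_end_logins(accounts, events):
    """Authentications made with a credential after its access_ends."""
    ends = {a.name: a.access_ends for a in accounts}
    return [e for e in events if e.account in ends and e.when > ends[e.account]]

def unattributable(accounts):
    """Shared accounts: their events cannot be tied to a named individual."""
    return [a.name for a in accounts if a.owner == "shared"]

# Constructed sample data: fictitious accounts, RFC 5737 documentation addresses.
NOW = datetime(2025, 3, 10, tzinfo=UTC)
SAMPLE_ACCOUNTS = [
    Account("vpn-jsmith", "J. Smith (former employee)", "vpn-gw-01", True, datetime(2025, 3, 6, tzinfo=UTC)),
    Account("vendor-acme-rdp", "Acme Maintenance Ltd", "jump-01", True, datetime(2025, 3, 9, 18, tzinfo=UTC)),
    Account("hmi-operators", "shared", "hmi-ws-03", True, datetime(2099, 1, 1, tzinfo=UTC)),
    Account("eng-lee", "A. Lee", "historian-01", True, datetime(2099, 1, 1, tzinfo=UTC)),
]
SAMPLE_EVENTS = [
    AccessEvent(datetime(2025, 3, 8, 2, 14, tzinfo=UTC), "vpn-jsmith", "vpn-gw-01", "203.0.113.7"),
    AccessEvent(datetime(2025, 3, 9, 20, 5, tzinfo=UTC), "vendor-acme-rdp", "jump-01", "198.51.100.4"),
    AccessEvent(datetime(2025, 3, 9, 8, 0, tzinfo=UTC), "eng-lee", "historian-01", "10.10.4.21"),
]
```

Against the sample data, the former employee's VPN account shows a four-day lag and a login two days after offboarding, the vendor account was used after its maintenance window closed, and the shared HMI account is flagged as unattributable.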
Regulatory framework

NIS2, CAF, NERC CIP, and IEC 62443 — all require what MyCena delivers

Every framework governing critical infrastructure access control requires demonstrable evidence of who accessed what, when — and that access was revoked immediately when the relationship changed. MyCena generates that evidence automatically.

NIS2 — Articles 20 & 21
Essential service operators must demonstrate access control governance. Article 20 creates personal liability for named management. Article 21 requires supply chain security including third-party access governance. Policy documents do not satisfy this — continuous evidence does.
✓ Personal liability risk structurally mitigated
NCSC CAF — Principle B2
Identity and Access Control — organisations must closely manage and maintain access for all users, devices, and systems including automated functions. The B2 principle explicitly requires this to be architecturally enforced, not procedurally claimed. MyCena satisfies B2 structurally.
✓ B2 satisfied architecturally, not procedurally
NERC CIP — CIP-004 & CIP-011
Critical Infrastructure Protection standards for electric utilities require personnel access management, access control to critical cyber assets, and electronic security perimeter controls. Individual user attribution and instant revocation are explicit requirements.
✓ CIP access management requirements satisfied
IEC 62443 — IAM requirements
The ISA/IEC 62443 framework recognises that without proper identity and access management, other technical controls can be bypassed by attackers with valid credentials. Zone-based access control requires individual user authentication — no shared accounts.
✓ IEC 62443 IAM controls satisfied at boundary layers
NIST SP 800-82
US guidance for securing OT systems requires access control, audit and accountability, and identification and authentication controls. Vendor and remote access governance are explicitly identified as critical control points for ICS security.
✓ Remote access and vendor governance controls satisfied
Cyber insurance
Critical infrastructure operators face increasing scrutiny on vendor remote access governance at insurance renewal. Structural credential control — with timestamped revocation evidence — provides the underwriting evidence that policy documents cannot. Premium reduction argument directly applicable.
✓ Level 4–5 maturity — premium reduction warranted
Critical infrastructure briefing
A 45-minute technical briefing on credential governance at the IT/OT boundary — specific to your sector and regulatory obligations.