A cyber-physical attack meets a well-prepared CER strategy
At exactly 3:17 AM on a Tuesday morning, the Security Operations Center (SOC) of a regional power plant detects a sequence of anomalous log-ins across internal systems. Simultaneously, the physical access control system reports multiple unauthorized door openings in the facility’s high-voltage control area, despite no scheduled maintenance or personnel on site.
Within minutes, it becomes clear: this is a coordinated attack, targeting both IT infrastructure and physical security layers. The attackers are attempting to force a controlled blackout by manipulating power distribution systems while bypassing on-site access control.
The Chief Information Security Officer (CISO) is alerted through the SIEM system. At the same time, the Chief Resilience Officer (CRO) receives an alert via the critical asset protection system, which monitors physical perimeter and access events. Thanks to procedures established under the Critical Entities Resilience (CER) directive, both officers know exactly how to respond: swiftly, decisively, and in coordination.
Within 10 minutes, the CISO initiates the cyber incident response plan, isolating network segments to prevent lateral movement by the attackers. In parallel, the CRO activates physical lockdown procedures: mechanical locks are engaged in critical areas, and on-site security teams are deployed in accordance with emergency protocols.
Investigation reveals that the attackers used cloned access badges and tampered with surveillance cameras. On the cyber side, they leveraged stolen credentials combined with a zero-day exploit. However, alerts from the access control system’s audit logs and from anomaly detection within the Identity & Access Management (IAM) layer fire in time, allowing the response team to isolate the breach and cut off access before any damage can be done.
Within 45 minutes, the threat is contained. No systems are compromised, power distribution remains stable, and the public is unaware of how close they came to a blackout.
The attackers, who used cloned access cards and advanced intrusion techniques, are blocked within 45 minutes. No actual damage is done: no blackout, no safety risks, no public fallout.
However, under CER and NIS2 regulations, the story doesn’t end there.
Both directives impose strict incident notification rules:
Under CER, incidents that significantly disrupt operations or pose a threat to public safety or security must be reported to the national competent authority without undue delay.
Under NIS2, incidents affecting network and information systems, even if no damage occurred, must be reported within 24 hours to the CSIRT (Computer Security Incident Response Team) and the supervisory authority.
In this case, although the impact was mitigated, the attempt itself meets the threshold of both directives: it targeted essential services and exploited system vulnerabilities.
Non-compliance with CER or NIS2 can result in:
Regulatory fines or sanctions
Increased scrutiny from national authorities
Damage to the company’s license to operate
Potential criminal liability if negligence is involved
Thanks to their proactive coordination and clear documentation trail, the CRO and CISO are able to submit a complete post-incident report within hours — meeting compliance standards and avoiding further consequences.
This attempted breach highlights the growing reality of hybrid threats — where physical and digital vectors are used together. It also demonstrates the value of joint governance: without clear responsibility, aligned crisis playbooks, and real-time coordination between the CISO and CRO, this incident could have led to significant infrastructure failure, public disruption, and reputational harm.
This case highlights three critical lessons:
Hybrid threats are the new normal — requiring integrated digital + physical response.
CER and NIS2 are not just red tape — they create real incentives to be ready.
Preparedness pays off — not just in security, but in compliance and continuity.
“Security is no longer just an IT issue or a facilities matter. With CER and NIS2 in effect, it’s a board-level responsibility.”
— CRO, Regional Power Plant
Key2XS connects physical key systems (like ASSA ABLOY CLIQ and iLOQ) to digital IAM platforms (Microsoft Entra ID, Okta, SailPoint, One Identity), automating access, enhancing auditing, and enabling instant response.
By helping organizations align with CER and NIS2 from day one, Key2XS empowers both CROs and CISOs to protect, respond, and report, all from a single pane of glass.