USE CASE: Sabotage via Compromised Contractor Access at NorthGrid Power Station (Part 5 of our CER Series)

A detailed use case of a fictional security incident in the energy sector, designed to illustrate how the Critical Entities Resilience (CER) Directive applies in practice:


Context

NorthGrid Power Station, a large EU-based operator of gas-fired power plants, is classified as a critical entity under the CER Directive. It supplies electricity to over 2 million residents and several hospitals, data centers, and municipal services in its region.

As required by the CER Directive, NorthGrid maintains a Business Continuity Plan (BCP), performs regular risk assessments, and has upgraded its physical and logical access controls. However, third-party contractors are still granted access to certain plant areas using RFID-based key cards administered through a legacy system.


The Incident

Threat

A technician employed by NorthGrid's HVAC subcontractor has his keycard cloned after leaving it unattended in a public co-working space. The attacker, an eco-extremist posing as a technician, uses the cloned card and a contractor uniform to gain unauthorized physical access to a critical control room. The legacy readers cannot tell the copy from the original: the card was never bound to a named person, a validity window or a specific set of doors, so the clone is accepted everywhere the genuine card was.

Breach

The attacker manually overrides the cooling systems, which trips a turbine. The plant is forced offline for six hours, causing regional brownouts and forcing two hospitals onto emergency generators.


Response & Legal Impact under the CER Directive


1. Immediate Obligations

  • Incident Notification: NorthGrid must notify the competent authority designated under the Directive (the national CER regulator) without undue delay and, under Article 15, no later than 24 hours after becoming aware of the incident, stating the nature, cause and likely consequences as known at that point, including the number of users and the area affected.

  • Internal Investigation: NorthGrid must perform a root cause analysis and, under Article 15, follow the initial notification with a detailed report to the authority no later than one month later. (A 72-hour reporting deadline belongs to the NIS2 Directive, not to the CER Directive.)

  • Public Transparency: Because of the impact on healthcare facilities, NorthGrid is expected to communicate clearly with the public and the authorities; the competent authority may itself inform the public where that is in the public interest.


2. Compliance Failures Identified

  • Inadequate Supplier Vetting: NorthGrid had not reassessed the resilience of its HVAC subcontractor in the past 18 months, although its own risk assessment is expected to cover the contractors it depends on.

  • Legacy Key System: The contractor access system fell short of the technical and organisational measures Article 13 calls for on physical protection and employee security management, which explicitly cover access rights to premises: cards could be copied, could not be traced to a named individual, and could not be revoked promptly when lost.

  • No Role-Based Access: The HVAC technician's card opened areas well beyond his task, including the control room, a violation of the principle of least privilege.


3. Consequences

  • Regulatory Fine: The regulator imposes a €400,000 fine for failure to mitigate foreseeable access risks.

  • Civil Lawsuits: Families of patients affected during the hospital outages file civil claims for damages.

  • Board Scrutiny: Senior management is summoned before a national inquiry to explain the governance failure under its CER obligations.


Mitigation Measures Taken

  • Upgraded Access Controls: NorthGrid replaces the legacy RFID cards with time-limited, encrypted digital keys issued per person and scoped to the areas a task requires, with issuance and revocation tied to identities in Microsoft Entra ID so that disabling a contractor's account also ends plant access.

  • Supplier Re-qualification: A full resilience audit of all subcontractors is conducted; those failing to meet CER standards are terminated or placed under probation.

  • Executive-Level Oversight: A Chief Resilience Officer (CRO) is appointed, reporting directly to the board.
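The access-control gap in the compliance findings above (a static card identifier that can be copied, opens more than the job needs, and cannot be revoked) and the replacement described under Upgraded Access Controls (time-limited, scoped, revocable keys with a trace of who opened what) can be put side by side in code. The block below is an added illustration written for this editing pass; it is not Key2XS code and not an ASSA ABLOY CLIQ or Microsoft Entra ID integration. The HMAC-signed token format, the issuer key, the zone names, the card UID, the key ids and the timestamps are all assumed or constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Assumed issuer secret for this demo only; a real deployment keeps it in an HSM
# or the identity provider, never in source.
ISSUER_KEY = b"demo-issuer-key-not-for-production"

# --- Legacy model: a static card UID mapped to a broad, permanent zone list -----
# Constructed record: the HVAC contractor's card opens far more than the plant room.
LEGACY_CARDS = {
    "04A2B3C4": {"holder": "hvac-contractor",
                 "zones": {"plant-room", "roof", "control-room"}},
}


def legacy_check(card_uid, zone):
    """Legacy reader logic: a cloned UID is indistinguishable from the original.
    There is no expiry, no revocation and no record of who presented it."""
    card = LEGACY_CARDS.get(card_uid)
    return card is not None and zone in card["zones"]


# --- Replacement model: signed, time-limited, zone-scoped, revocable keys -------
def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_key(key_id, holder, zones, not_before, lifetime_s, signing_key=ISSUER_KEY):
    """Issue one credential bound to a person, a zone set and a validity window.
    The claims are authenticated with an HMAC so they cannot be edited."""
    claims = {"kid": key_id, "sub": holder, "zones": sorted(zones),
              "nbf": not_before, "exp": not_before + lifetime_s}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def check_key(token, zone, now, revoked, audit):
    """Decide one door request and log it. Returns (allowed, reason)."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        audit.append({"kid": None, "zone": zone, "ok": False, "why": "malformed"})
        return False, "malformed"
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        audit.append({"kid": None, "zone": zone, "ok": False, "why": "bad-signature"})
        return False, "bad-signature"
    claims = json.loads(body)
    if claims["kid"] in revoked:
        why = "revoked"
    elif not claims["nbf"] <= now < claims["exp"]:
        why = "expired"
    elif zone not in claims["zones"]:
        why = "out-of-scope"          # least privilege: only the zones the task needs
    else:
        why = "ok"
    # Traceability: every decision names the key and its holder.
    audit.append({"kid": claims["kid"], "sub": claims["sub"], "zone": zone,
                  "ok": why == "ok", "why": why})
    return why == "ok", why


def demo():
    """Replay the scenario: a copied credential presented at the control room."""
    now = 1_700_000_000            # constructed epoch time for the shift start
    revoked, audit = set(), []
    # Least privilege: the contractor gets the plant room for one 8-hour shift.
    tok = issue_key("k-0042", "hvac-contractor", {"plant-room"}, now, 8 * 3600)
    results = {
        "legacy_clone_control_room": legacy_check("04A2B3C4", "control-room"),
        "new_plant_room": check_key(tok, "plant-room", now + 60, revoked, audit)[1],
        "new_clone_control_room": check_key(tok, "control-room", now + 60, revoked, audit)[1],
        "new_after_shift": check_key(tok, "plant-room", now + 9 * 3600, revoked, audit)[1],
    }
    revoked.add("k-0042")          # key reported lost: revoke centrally, no door visits
    results["new_after_revocation"] = check_key(tok, "plant-room", now + 60, revoked, audit)[1]
    # An attacker who copied a token cannot mint a wider one without the issuer key.
    forged = issue_key("k-9999", "hvac-contractor", {"control-room"}, now, 8 * 3600,
                       signing_key=b"attacker-guess")
    results["forged_control_room"] = check_key(forged, "control-room", now + 60, revoked, audit)[1]
    return results, audit


if __name__ == "__main__":
    decisions, log = demo()
    for name, outcome in decisions.items():
        print(f"{name:28} -> {outcome}")
```

The contrast is the point of the use case: the cloned RFID card passes the legacy check at the control room, while the same copied digital key is refused there (out of scope), refused once the shift is over (expired), refused as soon as it is reported lost (revoked), and a token forged for the control room fails the signature check. The directory integration mentioned above would sit at the issuer: disabling a contractor's identity should stop new keys being issued and add the outstanding key ids to the revocation set, and the audit list is what lets an investigator answer who opened which door when.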


Lessons Learned

This incident demonstrates how even a single weak link — such as a contractor’s outdated access method — can create systemic risk in a critical entity. Under the CER Directive, organizations must treat third-party risk, physical security, and accountability as interconnected priorities. Failure to do so has legal, financial, and human consequences.


🇳🇱 Privacy Statement – Key2XS (Dutch version, translated)

Last updated: 4 April 2025

At Key2XS we attach great value to your privacy and the protection of personal data. In this privacy statement we explain which data we collect, why we do so and how we secure this data.

1. Who are we?

Key2XS B.V.
Kraanspoor 50, 1033 SE Amsterdam
Chamber of Commerce (KvK) number: 96651504
E-mail: info@key2xs.com
Website: www.key2xs.com

2. Which data do we collect?

  • First and last name
  • E-mail address
  • Telephone number
  • Job title and company name
  • IP address
  • Login credentials
  • Usage data from our software

3. What do we use this data for?

  • Delivering our services
  • Account management and access control
  • Customer communication
  • Legal obligations
  • Improvement and security of our services

4. Legal basis for processing

  • Performance of a contract
  • Legal obligation
  • Legitimate interest
  • Consent

5. Data storage and hosting

All data is stored within the European Union. We use ISO-certified hosting partners that comply with the GDPR (AVG).

6. Sharing data with third parties

We do not share your data with third parties unless this is legally required or necessary for our service delivery. We conclude data processing agreements with third parties.

7. Data security

We take measures such as:

  • Encryption
  • Two-factor authentication
  • Access management
  • Regular audits

8. Retention periods

Data is not kept longer than necessary or legally required.

9. Your rights

  • Access, correction, deletion
  • Restriction or objection
  • Data portability

Contact us via info@key2xs.com.

10. Complaints

You can file a complaint with us or with the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority, www.autoriteitpersoonsgegevens.nl).

11. Changes

We reserve the right to amend this statement. Check our website regularly for updates.

🇬🇧 Privacy Policy – Key2XS

Last updated: April 4, 2025

At Key2XS, we highly value your privacy and the protection of personal data. This privacy policy explains what data we collect, why we collect it, and how we secure it.

1. Who we are

Key2XS B.V.
Kraanspoor 50, 1033 SE Amsterdam
Chamber of Commerce (KvK) number: 96651504
Email: info@key2xs.com
Website: www.key2xs.com

2. What personal data do we collect?

  • Full name
  • Email address
  • Phone number
  • Job title and company
  • IP address
  • Login credentials
  • Usage data from our software

3. Why do we process your data?

  • To provide our services
  • Account and access management
  • Customer communication
  • Legal compliance
  • Service improvement and security

4. Legal grounds for processing

  • Performance of a contract
  • Legal obligation
  • Legitimate interest
  • Consent

5. Data storage and hosting

All data is hosted and stored within the European Union. We use ISO-certified hosting providers that comply with the GDPR.

6. Sharing data with third parties

We do not share your data with third parties, unless legally required or necessary for our services. Data processors are bound by processing agreements.

7. Data security

We implement measures such as:

  • Encryption
  • Two-factor authentication
  • Access control
  • Regular security audits

8. Data retention

We retain data only as long as necessary or legally required.

9. Your rights

  • Access, correction, deletion
  • Restriction or objection
  • Data portability

Contact us at info@key2xs.com to exercise your rights.

10. Complaints

You may file a complaint with us or with the Dutch Data Protection Authority: www.autoriteitpersoonsgegevens.nl.

11. Changes

We reserve the right to update this privacy policy. Please check our website regularly for updates.