In critical infrastructure, sabotage is still too often framed as a cyber problem. Malware, phishing, ransomware, compromised OT environments and hostile state actors dominate the security conversation. That focus is logical, but it is not sufficient.
A determined attacker does not always need to break through the firewall. Sometimes the shortest route to disruption starts outside the perimeter. A rented house near a power plant. Weeks of observation. A fake identity. A contractor’s jacket. Knowledge of routines. And eventually, a lost key that should already have been revoked.
That is not a hypothetical weakness in physical security. It is a governance failure.
Hybrid threats are no longer abstract
Recent threat assessments on hybrid and military threats make one thing clear: vital infrastructure is a relevant target in the grey zone between peace and open conflict. Hybrid conflict does not always look like a conventional military attack. It can involve espionage, reconnaissance, covert influence, cyber operations, physical sabotage and the use of proxies to conceal attribution.
That matters for energy operators. The threat is not limited to network intrusion. It includes the preparation phase before an attack. Mapping infrastructure. Studying supply chains. Observing facilities. Testing response times. Identifying weak access procedures. Exploiting the gap between digital security and physical access control.
In other words, the attacker may not start with a phishing email. He may start by watching the car park.
The anatomy of a physical identity attack
Imagine an energy company operating a regional power plant. The facility is part of critical infrastructure. It has fences, gates, access policies, visitor procedures, contractors, maintenance teams, operational technology and cyber security controls.
On paper, the organisation looks mature. But the attacker does not start with a network scan. He rents a house close to the facility. Over several weeks, he studies the rhythm of the plant. Shift changes. Contractor arrivals. Smoking areas. Parking habits. Badge behaviour. Which employees are in a hurry. Which doors are used most often. Which external workers seem familiar to security staff. Which service providers come and go without much questioning.
The attacker is not looking for a software vulnerability. He is looking for operational predictability. Eventually, an opportunity appears. A key is lost.
Not a Hollywood-style master key. Just a legitimate operational key that opens specific technical areas. That key should trigger an immediate security process. Who owned it? Which sites, rooms or cabinets could it access? Was it reported immediately? Were the access rights revoked? Were the affected cylinders updated? Was the risk escalated to security, operations and compliance?
Instead, the lost key is treated as a local facilities issue. That is the mistake. In critical infrastructure, a lost key is not an administrative inconvenience. It is a live credential outside control.
The fake identity is the real weapon
The attacker’s real advantage is not only the key. It is the ability to appear legitimate.
Critical infrastructure depends on a complex ecosystem of employees, contractors, subcontractors, maintenance engineers, emergency teams, vendors and temporary workers. In that environment, legitimacy is often assumed from context. A high-visibility jacket, a toolbox, confident behaviour and basic knowledge of site routines can be enough to avoid challenge. The fake identity does not need to be perfect. It only needs to survive long enough.
This is exactly where many organisations are exposed. Digital identities are increasingly managed through Identity and Access Management (IAM) and Identity Governance and Administration (IGA) platforms. Joiner, mover and leaver processes are formalised. Privileged access is monitored. Access reviews are documented.
Physical access, however, often sits in a different world. Mechanical keys. Local spreadsheets. Manual key cabinets. Disconnected electronic locking systems. Site-specific exceptions. Informal contractor access. Delayed revocation. Limited audit trails. That creates a governance gap.
A contractor may be removed from the IAM system but still hold a working physical key. An employee may change role but retain access to old locations. A lost key may be reported to facilities but not escalated to enterprise risk management. A site manager may know there is exposure, while the CISO, compliance officer and operational leadership remain blind.
For a saboteur, that gap is the attack path.
Physical sabotage starts with reconnaissance
Modern sabotage is rarely spontaneous. It is prepared. Before disruption comes observation. Before damage comes mapping. Before entry comes identity abuse. Hybrid actors understand that physical and digital attack paths reinforce each other. Physical access can enable cyber compromise. Cyber compromise can support physical intrusion. Identity fraud can bridge both domains.
The threat scenarios published by the Dutch Ministry of Infrastructure and Water Management highlight that vital infrastructure can be an attractive target for sabotage and that actors may conduct reconnaissance and preparatory activities against infrastructure such as energy, gas pipelines, drinking water and communications systems. That should change the way energy companies think about keys and access rights.
A key is not just metal or plastic. It is a credential.
A cylinder is not just a lock. It is an enforcement point.
A key plan is not just a facilities document. It is part of the security architecture.
Why lost keys are high-impact incidents
In a normal office, a lost key is annoying. In an energy plant, substation, switching facility or control location, it can be material. A lost key can provide persistent access to technical spaces, operational cabinets, backup systems, substations, fuel infrastructure, control rooms, maintenance areas or other sensitive locations. If the organisation cannot immediately determine the blast radius of that key, it is not in control.
The basic questions are brutal:
- Who had the key?
- Which identity was linked to it?
- Which role justified the access?
- Which doors, cylinders or cabinets could it open?
- When was it last activated?
- Was access time-bound?
- Has it been revoked?
- Have affected locks or cylinders been updated?
- Can we prove this in an audit?
If those questions cannot be answered quickly, the organisation has a resilience problem.
Cyber resilience and physical resilience are now one governance issue
The traditional separation between cyber security and physical security is outdated. Energy infrastructure is a hybrid environment. OT, IT, field operations, contractors, remote assets and physical access all interact.
A saboteur does not care whether the weakness is in IAM, a badge process, a key cabinet, a contractor onboarding workflow or a disconnected locking system. The attacker will use the route that works.
That is why physical access must become part of enterprise identity governance. Access to critical assets should be governed by the same principles used for digital access:
- Least privilege.
- Role-based access.
- Segregation of duties.
- Time-bound access.
- Approval workflows.
- Immediate revocation.
- Auditability.
- Exception reporting.
- Continuous compliance.
This is not bureaucracy. It is operational control.
The board-level issue
For energy operators, this is no longer a facilities management topic. It is a board-level resilience topic.
If a fake identity can move through the organisation because contractor governance is weak, the problem is not the attacker’s creativity. The problem is the control framework.
If a lost key remains useful after it has been reported, the issue is not the key. The issue is failed revocation.
If security cannot correlate physical access with HR, IAM, IGA, SOC and operational data, the organisation has fragmented governance.
That fragmentation is exactly what hybrid threat actors exploit.
What good looks like
A resilient energy operator connects physical access to digital identity governance. Every key, credential and access right must be traceable to a verified identity, an approved role and a legitimate operational need. That means:
- Every key is linked to a verified digital identity.
- Every access right is linked to a role, work order, project or approved exception.
- Every activation is time-bound and policy-driven.
- Lost keys trigger automatic impact analysis.
- Revocation happens immediately, not after a manual process.
- Physical access events are auditable.
- Contractors are governed with the same discipline as employees.
- Exceptions are visible to security, operations and compliance.
- Physical access data can be correlated with cyber and operational risk.
The target state is clear: physical access should no longer operate as a disconnected local process. It must become part of the enterprise security model.
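The lost-key questions above and the target state just described can be expressed as checks over data the organisation already holds: a key plan (which cylinder protects which location), a key register (which key was issued to whom, until when, in what status) and the IAM view of whether that identity is still active. The script below is an added illustration, not code from the article or from any vendor's product. Its data model, field names and the sample identities, keys and cylinders are all constructed for the example; a real key management or IGA platform would hold the same information in its own schema. It answers the "blast radius" question for a lost key and surfaces the governance gaps the text describes: a contractor closed in IAM who still holds a live key, time-bound access that expired without revocation, and a key reported lost but never revoked.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# --- constructed sample key plan and register (illustrative, not a real site) ---

# Cylinder id -> the location that cylinder protects. The key plan is what lets
# a key be mapped to doors and cabinets without relying on memory.
CYLINDERS = {
    "CYL-01": "Substation A switchgear room",
    "CYL-02": "Substation A switchgear room",   # two cylinders on one room
    "CYL-07": "Backup generator enclosure",
    "CYL-12": "Control room equipment cabinet",
    "CYL-20": "Visitor car park barrier",
}

# Reference date for the checks, so the example is deterministic.
AS_OF = date(2025, 1, 15)


@dataclass(frozen=True)
class Identity:
    ident: str
    kind: str          # "employee" or "contractor"
    iam_active: bool   # False once the IAM leaver process has run


@dataclass
class Key:
    key_id: str
    holder: str                  # Identity.ident the key was issued to
    cylinders: frozenset         # cylinder ids this key operates
    valid_until: Optional[date]  # None = access is not time-bound
    status: str = "issued"       # "issued", "lost" or "revoked"


IDENTITIES = {
    "emp-0412": Identity("emp-0412", "employee", True),
    "ctr-0099": Identity("ctr-0099", "contractor", False),  # left; IAM account closed
    "ctr-0105": Identity("ctr-0105", "contractor", True),
}

KEYS = [
    Key("K-1001", "emp-0412", frozenset({"CYL-01", "CYL-02", "CYL-12"}), None, "lost"),
    Key("K-1002", "ctr-0099", frozenset({"CYL-07"}), date(2024, 6, 30)),
    Key("K-1003", "ctr-0105", frozenset({"CYL-20"}), date(2026, 12, 31)),
    Key("K-1004", "ctr-0105", frozenset({"CYL-07"}), date(2026, 12, 31), "revoked"),
]


def blast_radius(key: Key, cylinders: dict = CYLINDERS) -> list:
    """Distinct locations a key can open, derived from the key plan.

    Answers "which doors, cylinders or cabinets could it open?" for one key.
    """
    return sorted({cylinders[c] for c in key.cylinders if c in cylinders})


def lost_key_findings(key: Key, identities: dict, today: date) -> list:
    """Run the incident questions from the text against a single lost key."""
    findings = []
    holder = identities.get(key.holder)
    if holder is None:
        findings.append("holder not traceable to a verified identity")
    else:
        findings.append(f"holder {holder.ident} ({holder.kind}) traced")
    if key.valid_until is None:
        findings.append("access was not time-bound")
    elif key.valid_until < today:
        findings.append("access had already expired but key was still issued")
    if key.status != "revoked":
        findings.append("key not revoked: treat as live credential outside control")
    locations = blast_radius(key)
    findings.append(f"{len(locations)} location(s) reachable: " + "; ".join(locations))
    return findings


def revocation_gaps(keys: list, identities: dict, today: date) -> list:
    """Keys that IAM or policy says should be dead but the register says are live.

    Returns (key_id, holder, reason) for each gap between digital and physical access.
    """
    gaps = []
    for key in keys:
        if key.status == "revoked":
            continue
        holder = identities.get(key.holder)
        if holder is None:
            gaps.append((key.key_id, key.holder, "holder unknown to IAM"))
        elif not holder.iam_active:
            gaps.append((key.key_id, key.holder, "IAM leaver processed, physical key still live"))
        if key.valid_until is not None and key.valid_until < today:
            gaps.append((key.key_id, key.holder, "time-bound access expired, not revoked"))
        if key.status == "lost":
            gaps.append((key.key_id, key.holder, "reported lost, not revoked"))
    return gaps


if __name__ == "__main__":
    for k in KEYS:
        if k.status == "lost":
            print(k.key_id, lost_key_findings(k, IDENTITIES, AS_OF))
    for gap in revocation_gaps(KEYS, IDENTITIES, AS_OF):
        print("GAP", gap)
```

Run as-is, the lost key K-1001 is reported with its holder, the fact that its access was never time-bound, its unrevoked status and the two distinct locations it still opens, while the gap report flags K-1001 as lost-but-live and K-1002 twice (the contractor is gone from IAM and the access window has expired). The point of the design is that every finding is derived from records rather than from a site manager's recollection, which is what makes it reportable to security, compliance and the board and provable in an audit.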
The compliance pressure is increasing
NIS2 (the revised Network and Information Security Directive) and CER (the Critical Entities Resilience Directive) push organisations toward a broader resilience model. The direction is obvious: cyber resilience, physical resilience and organisational resilience are converging.
For critical entities, that means it will no longer be enough to show cyber controls in isolation. Organisations must be able to demonstrate that access to critical assets is governed, controlled, monitored and auditable. A lost key at an energy site is not just a local incident. It can become a compliance issue, an operational risk and a national resilience concern.
The uncomfortable conclusion
The next serious incident in critical infrastructure may not start with malware.
It may start with a person renting a house near a power plant: watching, learning, waiting, assuming a false identity, using a lost key and walking through a door that should no longer have opened.
That is the point. The weakest access path is not always digital. Sometimes it hangs on a keyring. For energy operators and other critical infrastructure organisations, the mandate is clear: bring physical access into identity governance. Treat every key as a credential. Treat every lost key as a security event. Treat every unmanaged exception as an attack path.
Because in hybrid conflict, the attacker does not care which department owns the weakness. He only cares that it works.