
What Drones Over Denmark Teach Us About Cybersecurity Gaps

Across Denmark, Norway, Sweden, the Netherlands and Belgium there has been a steady drumbeat of incidents that blur the line between physical and digital risk. Drones over airports. GPS interference in the Baltic. Intelligence warnings about hybrid activity against ports, grids and public services. European leaders are saying the quiet part out loud. The era of constant hybrid pressure has arrived.

Denmark offers the clearest recent example. After multiple airport closures and sightings near military sites, Prime Minister Mette Frederiksen called it “the most serious attack on Danish critical infrastructure to date” and warned that hybrid tactics are “only the beginning.” She also said Denmark will move fast on anti-drone capabilities in cooperation with NATO.

Source: Financial Times

The Netherlands has issued hard warnings about hybrid threats against critical services. Dutch military intelligence reported Russian attempts at cyber sabotage against Dutch infrastructure and described a grey zone between peace and war. The domestic security service AIVD has kept the national threat picture high.

Source: Dutch News

Hybrid warfare is far more than drones. Operators of critical infrastructure are increasingly targeted by sophisticated cyber campaigns designed to gain a foothold through identities, everyday tools and seemingly minor access points. This is where the physical and the digital converge. The same probing logic that tests runways and restricted airspace also tests your people and their access.

For leaders in energy, transport and essential supply, the parallel in cyber is unmistakable. A single overlooked login. A forgotten shared account. A SaaS tool added by one team outside IT. Each is a drone at the edge of your perimeter. It does not look dangerous. It does not make noise. It only needs one gap.

Your smallest login is now a strategic asset

Most successful intrusions begin with people and credentials. Verizon’s latest Data Breach Investigations Report finds that the human element, along with credential theft and misuse, remains among the most common initial actions.

Source: Verizon Business

ENISA’s threat landscape confirms the pattern for Europe. Social engineering and phishing continue to feature across sectors, with availability attacks, ransomware and data breaches closely linked to weak identity controls.

Here is what that means in practice.

A contractor’s login for a non-SSO marketing tool can be the step that gives an attacker internal email visibility.

An old shared password for a logistics portal can become the foothold for lateral movement into back office systems.

A reused credential on a supplier extranet can be a route to OT-adjacent scheduling data.

None of these accounts looks critical. All of them are perfect social engineering targets.

Attackers know staff are more likely to click a believable message about invoices, shipment ETAs, or meeting invites than a clumsy request for admin rights. They aim low. They start with what seems harmless. Then they pivot.

Modern operations rely on a range of cloud services that extends well beyond the core OT environment. The average mid-sized company now uses well over a hundred apps. Shadow IT is common. Password sprawl is the default. In this environment, SSO improves user experience, yet it does not cover every service and can become a single point of failure when used alone.

The SSO blind spot that looks like a drone gap

SSO is valuable. It streamlines onboarding and centralises controls. It does not protect the growing list of services that do not support SSO or only offer it on premium plans. That is the blind spot attackers look for. A marketing tool here. A contractor portal there. One credential reused across systems. One password export saved to a desktop. This is where an intrusion becomes lateral movement. This is where a business interruption becomes a regulatory incident.

The practical fix

Pair SSO with enterprise password and access management. Enforce unique, high-strength credentials everywhere SSO is not in use. Automate two-factor codes for all logins. Give administrators a single view of who has access to what. Remove the need for staff to make security decisions in the moment.

Current best practices for European operators

Leaders in these sectors already plan for physical redundancy, grid stability, maritime, and rail continuity. Apply the same discipline to identity.

  1. Map every account, not only every system. Catalogue user identities, shared accounts, and access spanning IT and business SaaS. Treat shared credentials as temporary and auditable.
  2. Close the SSO coverage gap. Where SSO is not available, enforce password generation, storage, and automatic fill with encrypted, device-anchored vaults. Add automatic TOTP so multi-factor is the default without friction.
  3. Strengthen least privilege and revocation. Make joiner, mover, and leaver workflows a controlled process with immediate de-provisioning. Tie it to a live access inventory and an audit log that stands up to regulatory review, and integrate it with your current Microsoft infrastructure.
  4. Prove compliance continuously. Align controls to NIS2 expectations for access policies, cryptography, multi-factor use, and incident reporting. Use dashboards that translate security posture into operational language for the board.
  5. Design for recovery. Assume compromise and plan for identity restoration. Store secrets with a zero-knowledge architecture so a breach of infrastructure does not expose credentials. Test emergency procedures for identity at the same cadence as OT incident drills.
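
Steps 1 to 3 can be run as a recurring check. The following is an added example, not code from the original article or from Uniqkey: it audits an access inventory for accounts outside SSO without MFA, shared credentials that are ownerless or stale, and active accounts whose owner has left. The CSV columns, service names, HR roster and 90-day rotation limit are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; column names are assumptions for this example.
INVENTORY_CSV = """service,account,owner,sso,mfa,shared,last_rotated
mail,anna@example.org,anna,yes,yes,no,2025-09-01
marketing-tool,contractor1@example.org,contractor1,no,no,no,2025-08-15
logistics-portal,dispatch@example.org,,no,no,yes,2023-02-10
supplier-extranet,bo@example.org,bo,no,yes,no,2025-07-20
scheduling,carl@example.org,carl,yes,yes,no,2025-06-30
"""

# Constructed HR roster of people who currently hold a role (joiners and movers).
ACTIVE_STAFF = {"anna", "bo", "contractor1"}
MAX_SHARED_AGE_DAYS = 90  # assumed rotation policy for shared credentials


def audit(inventory_csv, active_staff, today):
    """Return a sorted list of (service, account, finding) tuples."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key = (row["service"], row["account"])
        # Step 2: every login outside SSO still needs a second factor.
        if row["sso"] != "yes" and row["mfa"] != "yes":
            findings.append(key + ("outside SSO without MFA",))
        if row["shared"] == "yes":
            # Step 1: shared credentials must be temporary and auditable.
            age = (today - date.fromisoformat(row["last_rotated"])).days
            if not row["owner"]:
                findings.append(key + ("shared credential with no accountable owner",))
            if age > MAX_SHARED_AGE_DAYS:
                findings.append(key + (f"shared credential not rotated for {age} days",))
        elif row["owner"] not in active_staff:
            # Step 3: a personal account must map to someone on the roster.
            findings.append(key + ("owner is not active staff (leaver not de-provisioned)",))
    return sorted(findings)


if __name__ == "__main__":
    for service, account, finding in audit(INVENTORY_CSV, ACTIVE_STAFF, date(2025, 10, 1)):
        print(f"{service:18} {account:26} {finding}")
```
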

Why it matters

Critical infrastructure cannot afford extended manual workarounds. A targeted account takeover at a supplier. A ransomware attack triggered by a reused password. A coordinated information operation while drones fly over an airfield. Hybrid campaigns combine these elements. The best defence is to remove the easy wins an attacker expects and to raise the cost of every step.

A successful cyberattack on electricity networks can lead to power outages and pose a threat to national security. That is the true scale of the access problem.

Identity and access are becoming the heart of European cyber resilience

That is why the NIS2 directive puts stronger requirements on access management, multi-factor authentication, cryptography, asset and access inventories, incident reporting, and business continuity.

It is about safeguarding essential services across critical infrastructure, so that societies can absorb shocks and continue to operate. The directive holds management directly responsible for cyber risk and imposes meaningful sanctions, signaling the critical importance of identity and access to European resilience.

Put simply, Europe is strengthening cyber resilience by hardening the front door. Identity and access are now the decisive controls that keep essential services running when pressure rises.

Implement password and access management as a core control

A modern password and access management programme should combine three elements.

First, intuitive credential handling for users.

Second, strong multi-factor authentication applied wherever people log in.

Third, a central view for administrators that displays who has access to what, along with an auditable trail.

When this sits alongside your existing Single Sign On, it closes the coverage gaps where SSO is not available and avoids a single point of failure.

For organisations in the energy, transport, and supply sectors, the impact is immediate.

  • Measurable risk reduction: Replace weak and reused passwords with unique, high-strength credentials and extend multi-factor authentication to all logins, including services outside SSO. This directly addresses the most common breach paths and reduces overall incident probability.
  • Operational simplicity: Staff sign in faster with secure autofill of credentials and one-time codes, which reduces the helpdesk load. Meanwhile, administrators gain a live inventory of accounts and permissions, allowing them to add, adjust, or revoke access in minutes.
  • Regulatory confidence: Day-to-day controls align with NIS2 expectations for access policies, cryptography, use of multi-factor authentication, and incident evidence. Management can demonstrate oversight and accountability with reports drawn from the access audit log.

How to put this into practice

Start by mapping all accounts, including shared and third-party access. Enforce password generation and storage in encrypted vaults anchored to user devices. Enable automatic entry of both passwords and time-based one-time codes to remove the moment of human error that social engineering seeks to exploit. Integrate with SSO where available and utilize the access dashboard and audit log to enhance the security of joiner, mover, and leaver processes.

Leadership takeaway

Drones over Denmark are a real-world reminder. Threats now arrive quietly, testing your readiness and exploiting even the most minor gaps. In cybersecurity, those gaps are usually related to credentials and access. You do not need to rethink your whole architecture to close them. You need to see every login, protect every login and prove it.

Simon Cederstråhle Hellstrøm-Melander

Simon Cederstråhle Hellstrøm Melander is Chief Marketing Officer at Uniqkey and part of the original team. He specialises in password and access management with a focus on government, defence, and compliance, bringing hands-on experience from work with large organisations and public sector environments. On the blog he translates complex topics like EU directives such as NIS2 and the practical reality of SSO gaps into clear, actionable guidance for European leaders.