By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: SecurityScorecardPublished December 5, 2025

TL;DR: Canada’s warning that malicious cyber activity against power, water, health, finance, and transportation systems is rising reflects a broader North American exposure problem, with SecurityScorecard highlighting third-party and ICS/OT visibility gaps as key blind spots. Interconnected infrastructure now turns one weak vendor, remote-access path, or legacy control into cross-border operational risk.


At a glance

What this is: Canada’s cyber warning frames critical infrastructure as an interconnected North American risk, with third-party exposure and ICS/OT visibility gaps emerging as the central weakness.

Why it matters: For IAM, PAM, and broader security teams, the issue is that remote access, vendor pathways, and legacy OT controls often bypass the identity and governance assumptions used in modern enterprise environments.

👉 Read SecurityScorecard’s analysis of North American critical infrastructure cyber risk


Context

Critical infrastructure risk is no longer confined to one operator, one province, or one sector. In environments such as power, water, healthcare, finance, and transport, operational continuity depends on systems that were not designed for today’s remote access, vendor dependency, and cross-network exposure patterns.

The identity angle is especially important where OT and ICS environments rely on shared service accounts, remote administration paths, and third-party access that is difficult to inventory cleanly. That creates a governance gap between who can reach a system and who is actually accountable for the access. The starting position described here is increasingly typical rather than exceptional.


Key questions

Q: How should security teams govern third-party access in identity programs?

A: Treat third-party access as a managed identity relationship with an owner, scope, expiry, and revocation process. Review not only what the supplier account can do directly, but also what it can reach through connected applications and delegated trust. That approach reduces hidden blast radius and makes supplier access auditable.

Q: Why do legacy OT systems create more identity risk than standard IT environments?

A: Legacy OT environments often rely on local admin accounts, vendor-owned software, and disconnected networks, which makes normal IAM visibility incomplete. That increases the odds of dormant accounts, excessive privileges, and unreviewed exceptions surviving for long periods. The risk is not just harder administration, but ungoverned access paths that can affect operations.

Q: What breaks when healthcare remote access is not tied to certificate and identity lifecycle controls?

A: When remote access is not tied to lifecycle controls, access persists after the business need ends, and attackers can reuse trusted paths that were meant to be temporary. In healthcare, that can expose patient data, disrupt clinical services, and make vendor support channels a liability instead of a control. Certificate renewal and revocation discipline is the difference between governed trust and stale trust.

Q: Who is accountable when a vendor compromise creates internal access risk?

A: Accountability sits with both the business owner of the integration and the identity team that approved the trust path. Procurement may own the contract, but IAM owns the access relationship. If the downstream system still trusts the supplier after compromise, the governance gap is in access design as much as in vendor oversight.


Technical breakdown

ICS and OT attack surfaces expand when legacy controls meet remote access

Industrial control systems and operational technology were built for reliability and safety, not for internet-era threat models. When organisations add remote administration, IoT connectivity, and third-party support channels, they extend the attack surface beyond the original design assumptions. Default credentials, weak remote access controls, and delayed patching become structural weaknesses rather than isolated misconfigurations. In practice, the problem is not only exposure, but exposure without modern identity governance around who can access what, from where, and under what conditions.

Practical implication: Treat OT remote access as a governed identity path, not a convenience layer.

Third-party visibility is now part of resilience engineering

The article’s core point is that operators often cannot see the true security posture of the vendors and service providers embedded in their operational ecosystem. That matters because a compromise frequently enters through the least visible dependency rather than the operator’s main perimeter. In OT environments, where patch cadence and segmentation are already constrained, third-party access becomes an amplified risk vector. Visibility has to include externally observable vulnerability posture, access pathways, and the dependency chain behind critical services.

Practical implication: Map vendor access paths and external exposure together instead of reviewing them separately.

Why identity governance matters in cross-border infrastructure risk

Critical infrastructure security is often discussed as a network or resilience problem, but the access layer decides how far an incident can travel. Shared accounts, standing privileged access, and weak offboarding for vendors create a persistent control gap in both IT and OT-connected environments. This is where IAM and PAM intersect with resilience: if access is not time-bound, attributable, and tightly scoped, containment becomes much harder after compromise. The identity problem is not secondary to OT risk, it is one of the ways OT risk becomes actionable.

Practical implication: Require attributable, time-bound access for every human and third-party path into operational environments.


Threat narrative

Attacker objective: The attacker seeks operational disruption, leverage for extortion, or a broader compromise that can spread across interdependent critical infrastructure environments.

  1. Entry often begins through remote-access exploitation, a third-party service weakness, or a credential path that should not have remained exposed in an OT-connected environment.
  2. Escalation follows when the attacker reaches systems with overly permissive access, weak segmentation, or shared operational credentials that allow movement beyond the initial foothold.
  3. Impact can include ransomware, disruption of physical processes, service interruption, or the creation of cross-ecosystem risk when interconnected infrastructure dependencies are affected.

NHI Mgmt Group analysis

Third-party access is now a resilience control, not just a procurement issue. The article shows that operators rarely fail in isolation. They fail through vendors, maintenance channels, and supply-chain dependencies that were never governed with the same discipline as core enterprise access. In a North American infrastructure context, the practical conclusion is that third-party access review belongs in operational risk management, not in a separate vendor spreadsheet.

ICS and OT visibility gaps create a standing exposure window. Legacy industrial environments often retain remote access paths, default credentials, and patch delays because operational uptime is treated as the dominant constraint. That creates a predictable opening for nation-state and criminal activity alike. The named concept here is OT visibility debt: the accumulated inability to see, classify, and govern exposed industrial assets before an incident forces the issue.

Identity governance becomes the control plane for cross-ecosystem containment. Where operators rely on shared accounts, persistent vendor entitlements, or weakly segmented administrative paths, the blast radius expands faster than incident responders can react. The best-performing programs will treat IAM, PAM, and access scoping as part of infrastructure resilience, not as separate enterprise disciplines. The practitioner conclusion is clear: governance must extend to every operational identity path.

Interconnected infrastructure means one weak link can become a regional event. The article correctly frames critical infrastructure as technically and commercially interdependent across borders. That raises the bar for security assurance, because a local compromise can create regional effects through shared providers, software dependencies, and operational ties. The field should expect more scrutiny of ecosystem-wide visibility and accountability, especially where access into critical environments is not tightly attributable.

What this signals

Critical infrastructure operators should expect more scrutiny of machine and third-party access as regulators and buyers focus on ecosystem resilience. The governance pattern is familiar to identity teams: if you cannot enumerate access, you cannot prove control, and you cannot limit blast radius when an incident starts.

Operational access debt: when remote support, vendor entitlements, and legacy administrative paths accumulate faster than they are reviewed, the organisation inherits a hidden control deficit. That debt shows up first as incomplete visibility and later as slow containment, especially in environments where NHI breach patterns already demonstrate repeated access-related failure.


For practitioners

  • Inventory all third-party operational access Create a complete map of vendor, integrator, and managed-service access into OT and ICS environments, including jump hosts, remote support channels, and shared credentials. Tie each pathway to an accountable owner and review it on a fixed cadence.
  • Segment identity paths from operational systems Separate administrative access, maintenance access, and production operator access so that one account or trust path cannot move freely across the environment. Apply the same restraint to remote sessions, service accounts, and privileged support workflows.
  • Harden remote access before patching backlog grows Assume some ICS assets will remain slow to patch and place stronger controls around the access layer: MFA where possible, time-bound authorisation, allowlisted endpoints, and monitored brokered access. Use the strongest available control at the entry point.
  • Test resilience against vendor-dependent failure modes Run incident exercises that start with a compromised third-party access path or exposed remote service, then validate whether containment, segmentation, and recovery still work when operational systems cannot be taken offline quickly.

Key takeaways

  • The article’s central warning is that critical infrastructure compromise increasingly travels through third parties, remote access paths, and legacy OT assumptions.
  • The practical evidence is not just theoretical exposure but a regional risk model where one weak dependency can affect multiple sectors and jurisdictions.
  • The control question is no longer whether to add more monitoring, but whether access into operational environments is attributable, bounded, and resilient under pressure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 and DORA define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Remote access and third-party exposure are core access-control concerns in this article.
NIST SP 800-53 Rev 5AC-6Least privilege is essential where shared or overbroad OT access expands blast radius.
CIS Controls v8CIS-5 , Account ManagementAccount governance matters because vendor and service accounts often create the exposed path.
ISO/IEC 27001:2022A.8.20Network security controls are relevant to segmentation and remote access hardening.
DORAOperational resilience and third-party dependency risk map directly to this article’s message.

Use DORA-style resilience testing to validate vendor-dependent operational pathways under stress.


Key terms

  • ICS/OT Visibility: The ability to see which industrial control and operational technology assets exist, how they are exposed, and who can reach them. It includes external attack surface awareness, vendor pathways, and the operational context needed to judge whether access is acceptable.
  • Third-Party Access: Third-party access is access granted to vendors, contractors, or support partners who are not direct employees of the organisation. It is higher risk than internal access because accountability, device assurance, and access duration are harder to control, so it usually requires tighter time limits and stronger auditability.
  • Operational Identity Governance: Operational identity governance is the practice of managing access in a way that supports live business or production decisions, not just audit requirements. It adds decision authority, escalation paths, and response readiness to standard IAM controls so teams can act safely under pressure.

What's in the full article

SecurityScorecard's full article covers the operational detail this post intentionally leaves for the source:

  • Specific examples of how third-party and ICS/OT exposure show up in externally observable risk posture.
  • The report’s framing of vendor visibility as a practical signal for infrastructure resilience planning.
  • The detailed explanation of why remote access, default credentials, and patch constraints remain persistent OT weaknesses.
  • The article’s cross-border implications for operators that share infrastructure touchpoints across sectors.

👉 SecurityScorecard’s full article covers the OT visibility gap, third-party exposure, and resilience implications in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect access governance to the broader security programme they already run.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org