TL;DR: Canada’s warning that malicious cyber activity against power, water, health, finance, and transportation systems is rising reflects a broader North American exposure problem, with SecurityScorecard highlighting third-party and ICS/OT visibility gaps as key blind spots. Interconnected infrastructure now turns one weak vendor, remote-access path, or legacy control into cross-border operational risk.
NHIMG editorial — based on content published by SecurityScorecard: Canada’s warning on cyber threats to critical infrastructure and the visibility gaps it exposes
Questions worth separating out
Q: How should security teams govern third-party access in identity programs?
A: Treat third-party access as a managed identity relationship with an owner, scope, expiry, and revocation process.
Q: Why do legacy OT systems create more identity risk than standard IT environments?
A: Legacy OT environments often rely on local admin accounts, vendor-owned software, and disconnected networks, which makes normal IAM visibility incomplete.
A: When remote access is not tied to lifecycle controls, access persists after the business need ends, and attackers can reuse trusted paths that were meant to be temporary.
Practitioner guidance
- Inventory all third-party operational access Create a complete map of vendor, integrator, and managed-service access into OT and ICS environments, including jump hosts, remote support channels, and shared credentials.
- Segment identity paths from operational systems Separate administrative access, maintenance access, and production operator access so that one account or trust path cannot move freely across the environment.
- Harden remote access before patching backlog grows Assume some ICS assets will remain slow to patch and place stronger controls around the access layer: MFA where possible, time-bound authorisation, allowlisted endpoints, and monitored brokered access.
What's in the full article
SecurityScorecard's full article covers the operational detail this post intentionally leaves for the source:
- Specific examples of how third-party and ICS/OT exposure show up in externally observable risk posture.
- The report’s framing of vendor visibility as a practical signal for infrastructure resilience planning.
- The detailed explanation of why remote access, default credentials, and patch constraints remain persistent OT weaknesses.
- The article’s cross-border implications for operators that share infrastructure touchpoints across sectors.
👉 Read SecurityScorecard’s analysis of North American critical infrastructure cyber risk →
Critical infrastructure visibility gaps: what OT teams need to know?
Explore further
Third-party access is now a resilience control, not just a procurement issue. The article shows that operators rarely fail in isolation. They fail through vendors, maintenance channels, and supply-chain dependencies that were never governed with the same discipline as core enterprise access. In a North American infrastructure context, the practical conclusion is that third-party access review belongs in operational risk management, not in a separate vendor spreadsheet.
A question worth separating out:
Q: Who is accountable when a vendor compromise creates internal access risk?
A: Accountability sits with both the business owner of the integration and the identity team that approved the trust path. Procurement may own the contract, but IAM owns the access relationship. If the downstream system still trusts the supplier after compromise, the governance gap is in access design as much as in vendor oversight.
👉 Read our full editorial: North American critical infrastructure risk is widening across OT ecosystems