The SERC Reliability Corporation recently released its highly anticipated 2024-2026 Regional Risk Report, offering a stark assessment of the threats facing the bulk power system. Among the findings, one reality is undeniable: the modern grid is more interconnected than ever, and that connectivity is introducing unprecedented cybersecurity risks. While the report highlights several areas of concern, the exploitation of vulnerabilities through vendor remote access and legacy systems stands out as a critical, immediate threat to operational technology environments.
The evolving threat landscape for critical infrastructure
According to the SERC assessment, the rapid digitalization of our power grid and infrastructure brings profound benefits but equally profound vulnerabilities. The report identifies supply chain constraints and the exploitation of vulnerabilities as top-tier risks requiring active management. It is no longer sufficient to merely patch systems. The reliance on third-party service providers and cloud-based services for operational support has fundamentally altered the attack surface.
Threat actors are highly motivated and well-resourced. They understand that compromising a single third-party vendor can provide a backdoor into highly secure environments. The SERC assessment specifically calls out vendor remote access as a primary cybersecurity risk within the supply chain. When vendors require access to internal systems for maintenance, diagnostics, or operations, traditional security perimeters dissolve.
The problem with traditional remote access
Historically, organizations provided remote access via virtual private networks. A vendor was given credentials, logged in, and was granted broad access to the internal network. This architecture treats the network perimeter as a hard shell and assumes that everything inside it is trusted.
However, the SERC risk report underscores the danger of this approach. If a vendor’s credentials are compromised—whether through phishing, malware, or a breach of the vendor’s own systems—the attacker inherits that trusted status. Once inside, they can move laterally, mapping the network, identifying critical systems, and preparing for disruptive action. In industrial environments governed by strict compliance mandates like the North American Electric Reliability Corporation Critical Infrastructure Protection standards, this level of unchecked lateral movement is a catastrophic failure.
Legacy systems complicate the defense strategy
Another major theme in the SERC report is the challenge of legacy architecture compatibility. Critical infrastructure relies heavily on programmable logic controllers and human-machine interfaces that were designed decades ago. These systems prioritize availability and reliability over security. They often lack native authentication mechanisms, cannot support modern encryption, and cannot run endpoint detection software.
When you combine insecure legacy systems with broad vendor remote access, the risks compound. A compromised vendor account accessing a network filled with undefended legacy controllers is a worst-case scenario. Organizations cannot simply rip and replace these legacy systems—the capital expense and operational disruption would be immense. Instead, security must be overlaid, intercepting and inspecting every request before it ever reaches the vulnerable controller.
Shifting to an identity-centric model
To mitigate the risks outlined by the SERC report, organizations must abandon perimeter-based trust and adopt a zero trust architecture. This model assumes that no user, device, or application is inherently trusted, regardless of whether they are internal or external.
In a zero trust environment, access is determined by identity and context, not by network location. Every request must be authenticated and authorized. Securing critical infrastructure therefore calls for a different access model: instead of giving a vendor a virtual private network connection that grants network-level access, access is restricted to the specific application or system they need to perform their job, and nothing else.
Crucially, this access must be protected by strong, phishing-resistant multi-factor authentication and integrated with existing single sign-on providers. This ensures that the person accessing the system is exactly who they claim to be. If an anomaly is detected—such as a login from an unexpected geographical location or an unfamiliar device—access can be dynamically revoked.
Meeting compliance while improving security
For entities navigating the complexities of the North American Electric Reliability Corporation Critical Infrastructure Protection standards, modernizing remote access is not just a security imperative; it is a compliance requirement. The SERC findings make it clear that regulators and assessors are acutely aware of the risks posed by supply chains and vendor access.
By implementing strict identity and access management, organizations can provide a detailed, immutable audit trail of every action taken by every user. You know exactly who logged in, when they logged in, what system they accessed, and what actions they performed. This level of visibility is impossible to achieve with shared credentials and legacy remote access tools.
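To make the identity-centric model and the audit requirement concrete, here is an added example (mine, not code from the article or the SERC report) of a per-request access decision for a vendor session that checks entitlement to a specific target, phishing-resistant MFA, enrolled device and expected location, and writes a hash-chained audit line for each decision. The vendor identities, device IDs, target systems, countries and the policy table are constructed assumptions.

```python
"""Added example, not code from the article or the SERC report: a per-request
identity- and context-based access decision for vendor remote sessions, with
a hash-chained audit line per decision. All values below are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed policy: each vendor identity may reach only the named OT
# application it maintains, from enrolled devices and expected countries.
POLICY = {
    "alice@hmi-vendor.example": {"targets": {"hmi-substation-7"}, "devices": {"dev-a1"}, "countries": {"US"}},
    "bob@plc-vendor.example": {"targets": {"plc-eng-ws-3"}, "devices": {"dev-b1"}, "countries": {"US", "CA"}},
}
PHISHING_RESISTANT_MFA = {"fido2", "piv"}  # origin-bound methods only; no OTP

@dataclass(frozen=True)
class Context:
    identity: str
    target: str
    mfa_method: str
    device_id: str
    country: str

def decide(ctx):
    """Return ('allow' | 'deny', reasons). Run at login and again whenever a
    live session's context changes, so an anomaly revokes the session."""
    rules = POLICY.get(ctx.identity, {})
    checks = [
        (ctx.target in rules.get("targets", ()), "target outside entitlements"),
        (ctx.mfa_method in PHISHING_RESISTANT_MFA, "MFA not phishing-resistant"),
        (ctx.device_id in rules.get("devices", ()), "unfamiliar device"),
        (ctx.country in rules.get("countries", ()), "unexpected location"),
    ]
    reasons = [why for ok, why in checks if not ok]
    return ("allow" if not reasons else "deny"), reasons

def audit_record(ctx, verdict, reasons, prev_hash):
    """One JSON audit line chained to the previous line's SHA-256, so an
    altered or removed entry is detectable when the chain is verified."""
    body = {**asdict(ctx), "verdict": verdict, "reasons": reasons, "prev": prev_hash}
    line = json.dumps(body, sort_keys=True)
    return line, hashlib.sha256(line.encode()).hexdigest()

def verify_chain(lines):
    """Recompute the chain over stored audit lines; False if any link breaks."""
    prev = "0" * 64
    for line in lines:
        if json.loads(line)["prev"] != prev:
            return False
        prev = hashlib.sha256(line.encode()).hexdigest()
    return True
```

Because `decide` is stateless, the same call can be re-run against a live session when its device or location changes, and a `deny` result becomes the revocation trigger rather than waiting for the tunnel to close.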
The path forward for critical infrastructure
The SERC 2024-2026 Regional Risk Report is a vital reminder that the threats to our power grid and essential services are evolving rapidly. Supply chain attacks are no longer theoretical; they are a primary attack vector. Relying on outdated security models to protect decades-old infrastructure is a recipe for disaster.
We must embrace an architecture that acknowledges this reality. By removing network location as the basis for trust, enforcing strict identity verification, and adopting true micro-segmentation, organizations can provide vendors with the access they need without compromising the integrity of their operational technology environments.
It is time to stop building higher walls and start securing the assets themselves. If you are ready to eliminate the risks of vendor remote access and bring true zero trust to your legacy systems, contact us today.
