The stakes have changed for critical infrastructure

Power and utilities. Finance. Drinking water. Transport. Healthcare. Telecommunications. These aren’t just services—they’re lifelines. And today, they’re a top target for threat actors.  

Critical infrastructure around the world has been the target of an ongoing wave of cyberattacks. High-profile incidents such as Colonial Pipeline and JBS Foods, along with attacks on energy, water and waste management systems, have prompted governments globally to respond with new legislation and strengthened cybersecurity guidelines aimed at protecting these vital sectors.

The threat to critical infrastructure has never been more urgent. Cyberattacks that once targeted data are now aggressively pivoting to disrupt critical infrastructure (CI) operations as attackers seek to take advantage of digital transformation and the modernisation of CI assets. Likewise, genuine accidents and tech outages—such as when tens of millions of people across Spain and Portugal lost power in 2025, or when tech outages cost UK banks the equivalent of 33 operating days and millions in potential compensation payments—underscore the need for resilient infrastructure. The stakes have changed. And so has the standard for defence.

Why IAM protects critical infrastructure

Protecting critical infrastructure rests on one simple question: Who has access—and why? 

That’s where Identity and Access Management (IAM) comes in. Modern IAM isn’t just about passwords and logins. It’s about visibility, control, and accountability. It’s about making sure only the right people, with the right roles, can access the right systems—at the right time. 

In today’s regulatory environment, CI organizations and essential services are required to have robust IAM defences in place. Increasingly, new legislation requires CI organizations to demonstrate proactive risk management, including how access to systems is governed, how identities are verified, and how incidents are detected and contained.

Why CI is increasingly at risk

The biggest change for CI is the convergence of Information Technology (IT) and Operational Technology (OT) systems. Traditionally, these systems had an intentional and distinct separation of environments – meaning that whatever happened in the IT environment could not affect the OT environment and vice versa.

Keeping these systems separate is a key defence strategy for protecting CI assets. However, with the modernisation of CI and new advancements in technology, like AI, at some point IT and OT converge, and this is where the greatest risk is.

An example of this convergence is highlighted in the energy sector. Prior to smart grids, energy operators used simple predicted patterns (e.g. summer needs vs. winter needs) to determine load forecasting. With the transformation to smart grids, energy operators use smart sensors coupled with AI to compute the load forecast.  

To add to the challenge, electricity grids that were originally designed to distribute electricity outward from the grid to a home are now having to receive energy from household solar panels. These solar energy resources often capture the energy and feed it back into the grid. Operators today must take this data from sensors which sit on IT networks and at some point converge this data in the command and control OT environment. 

To protect these environments, IAM is the frontline of defence. It enforces least privilege, reducing the risk of an identity breach. It enables continuous monitoring, so anomalies can be detected before they become major incidents. Robust and modern IAM solutions also support rapid response, giving operators the ability to lock down systems or revoke access instantly. 

Key IAM questions and best practices for CI operators

For decades, RSA has secured the most secure. We’ve listened to and provided CI with the multi-factor authentication (MFA), identity governance and administration (IGA), single sign-on (SSO), and other identity security capabilities they need to minimize risks, identify threats, and maintain compliance with cybersecurity mandates.

In that time, we’ve identified key questions and best practices for CI operators, including:   

  • Do we know exactly who has access to our critical systems—and why? You can’t protect what you can’t see. For CI cybersecurity, visibility into all user identities, their roles, and their access levels is essential and often a regulatory requirement.  
  • Are we enforcing least privilege across all users and environments? Over-provisioned accounts are a leading cause of breaches.  
  • Can we detect and respond to suspicious identity behaviour in real time? Static controls or delayed reporting isn’t enough. CI needs continuous monitoring and behaviour analytics that identify anomalies to reduce risk. 
  • How do we manage joiner-mover-leaver processes and how quickly can we revoke access? Delays in de-provisioning access are a major threat vector. Speed and automation matter. 

For CI, IAM isn’t optional—it’s operationally essential. When CI organisations integrate IAM as a strategic part of their defence, they harden their cybersecurity postures and can determine whether each identity is a potential risk—or a secured asset.

The legacy protections of OT environments are gone. Identity and access is the new perimeter. Join our webinar on 18 June with RSA Senior Solutions Architect Vinod Nair to learn about the IAM capabilities and best practices CI needs to stay safe from modern attacks.