Cybersecurity in critical infrastructure faces growing threats, with third-party access emerging as a major risk. Attacks on operational technology (OT) and industrial control systems (ICS) demonstrate how cyber threats disrupt essential services and endanger lives. Many organizations still rely on outdated security practices that grant excessive network access and expose critical systems to attacks. As OT environments grow more interconnected, robust security solutions are imperative. Addressing these vulnerabilities requires modernized access controls, proactive risk management strategies, and government-led initiatives to enforce stricter security measures.
Bill Cantrell, Chief Product and Operating Officer at Xona Systems, a company that specializes in securing remote access to critical infrastructure, highlights how cybersecurity has shifted with cloud-native deployments and continuous software updates. Cantrell explains that the COVID-19 pandemic accelerated the need for remote access to OT systems, expanding attack surfaces and increasing vulnerabilities. “This has greatly changed the landscape, introducing a lot of potential vulnerabilities to these systems,” Cantrell says.
Phishing remains the dominant attack vector, with around 90% of breaches originating from phishing and social engineering tactics. In OT environments, compromised credentials can grant attackers access to critical infrastructure, leading to service disruptions or physical damage—underscoring the need for stricter access control mechanisms.
Cantrell warns that third-party access is one of the biggest cybersecurity risks, citing breaches like the Target hack, where attackers exploited an external vendor’s access. He criticizes legacy VPN-based security models for granting excessive network exposure and increasing vulnerabilities. Xona Systems aims to provide a more secure alternative by enabling controlled remote access through a web interface. This alternative prevents unauthorized file transfers and limits user actions to pre-approved commands, significantly reducing security risks.
Discussing the broader state of OT cybersecurity, Cantrell believes that many organizations are underprepared because of outdated infrastructure and insufficient security investments. Recent telecom breaches have emphasized that advanced cyber threats often go undetected for extended periods. While government initiatives like CMMC aim to enforce stronger protections, Cantrell emphasizes that challenges remain in funding and implementation. Strengthening enforcement and increasing investment in proactive security measures are crucial in closing these gaps.
Despite these concerns, Cantrell points to industry-wide improvements in security policies. He highlights the EU’s Cyber Resilience Act (CRA) initiative, which holds software vendors accountable for secure development practices, and the US’s Cybersecurity Maturity Model Certification (CMMC) program, which enforces stricter security standards among defense suppliers. Cantrell explains that Xona Systems helps organizations secure OT and IT environments without expensive overhauls by offering integrated security solutions.
Cantrell stresses that security culture and ease of implementation are just as important as the technology itself. Many OT professionals lack extensive cybersecurity expertise, making it critical for security solutions to be simple and intuitive. Xona Systems prioritizes security solutions that maintain strict access controls while minimizing human error.
Cantrell also highlights financial constraints in cybersecurity. Many organizations, particularly in sectors like rural water management, struggle to afford security investments. In response, Xona Systems aims to be cost-effective by integrating with existing identity management systems and reducing the need for redundant security components. This approach enables organizations to enhance security without disrupting operations or exceeding budget limitations.
Guest: Bill Cantrell
Company: Xona Systems
Show: CISO Insights
This summary was written by Emily Nicholls.





