Critical infrastructure security fails when organisations treat it as an IT project. It is not. It is a resilience, governance and operational-control problem. These are the ten mistakes to avoid.
Most critical infrastructure is not a neat data centre. It is pumps, cabinets, substations, rail switches, bridges, locks, treatment plants, traffic systems and field assets. Many have limited connectivity. Some have no connectivity at all.
If physical access is weak, cyber controls are incomplete. NIS2 and the Dutch Cyberbeveiligingswet explicitly put risk management and appropriate security measures at the centre of the duty of care. The NCSC also states that the physical environment of systems is part of the scope.
Insider risk, disgruntled staff, compromised contractors and stolen credentials are real scenarios. Trust is not a control. Access must be based on identity, role, purpose, approval and time window.
In practice: no permanent field access unless there is a business reason.
Mechanical keys cannot be revoked. They cannot produce audit trails. They cannot prove who entered where and when. For critical infrastructure, that is a governance gap.
A lost master key is not an incident. It is a structural control failure.
Identity and access management (IAM), identity governance and administration (IGA) and physical access control are often managed in separate silos. That creates orphaned access, manual workarounds and weak accountability.
The correct model is simple: one identity, one role model, one approval flow, one audit trail. Physical access should be governed through the same lifecycle as digital access.
Spreadsheets are not access control. They are evidence that the access-control process has already broken down.
For critical infrastructure, rights must be current, attributable, approved, reviewable and revocable. Manual lists do not scale across thousands of cabinets, sites, users, contractors and keys.
Many OT assets are spread across the field, and they are not always connected. That does not mean they can be excluded from governance.
The security model must support offline locks, delayed event retrieval, periodic key activation, mobile workflows and exception handling. Otherwise the highest-risk locations become the least governed locations.
NIS2, CER and national implementations are not about writing policies for auditors. They require operational proof. Who had access? Who approved it? Was access still justified? Was it revoked after role change, contract end or incident?
CISA’s critical infrastructure guidance also stresses both cybersecurity and physical security planning, not just paperwork.
Many incidents start in the supply chain. Contractors often need access to remote assets, but they should not receive open-ended permissions.
Use just-in-time access, approval workflows, expiry dates, MFA where possible and full logging. Supplier access should be more controlled than employee access, not less.
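The lifecycle described above (one identity, one role model, one approval flow, one audit trail; rights that are current, attributable, approved, reviewable and revocable; just-in-time supplier access with expiry, MFA and full logging) is shown below as an added Python example. It is illustrative code written for this article, not the article's own code or any product's API; the class names, the identities such as contractor-42 and ops-lead, the resource ids and the work-order number are all constructed.

```python
"""Added example: one access lifecycle for physical and digital access.
Every grant names an identity, a role, a resource, a purpose, an approver
and a time window, and can be revoked; every decision lands in one audit
trail.  All identifiers and timestamps below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Grant:
    """One access right, physical or digital, with everything an auditor asks for."""
    identity: str            # who: employee or contractor account
    role: str                # entry in the role model, e.g. "field-technician"
    resource: str            # a cabinet door, a substation gate or a SCADA account
    purpose: str             # work order or ticket justifying the access
    approver: str            # who approved it; never the requester
    start: datetime
    end: datetime            # expiry: no open-ended permissions
    revoked_at: Optional[datetime] = None


@dataclass
class AccessGovernance:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # one trail for doors and logins alike

    def _log(self, event: str, **detail) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **detail})

    def request(self, identity, role, resource, purpose, approver, now, hours):
        """Just-in-time grant: short window, named approver, fully logged."""
        if approver == identity:
            self._log("grant_rejected", identity=identity, resource=resource, reason="self-approval")
            raise PermissionError("requester cannot approve their own access")
        grant = Grant(identity, role, resource, purpose, approver, now, now + timedelta(hours=hours))
        self.grants.append(grant)
        self._log("grant_created", identity=identity, resource=resource, approver=approver,
                  purpose=purpose, end=grant.end.isoformat())
        return grant

    def is_authorised(self, identity, resource, now, mfa_verified=True) -> bool:
        """The same rule is evaluated at the field cabinet and at the remote login."""
        for g in self.grants:
            if (g.identity == identity and g.resource == resource
                    and g.revoked_at is None and g.start <= now < g.end and mfa_verified):
                self._log("access_granted", identity=identity, resource=resource, purpose=g.purpose)
                return True
        self._log("access_denied", identity=identity, resource=resource)
        return False

    def review(self, active_identities, now):
        """Periodic review: live grants whose identity left the HR or contract register are orphaned."""
        orphaned = [g for g in self.grants
                    if g.revoked_at is None and now < g.end and g.identity not in active_identities]
        for g in orphaned:
            self._log("review_finding", identity=g.identity, resource=g.resource, finding="orphaned")
        return orphaned

    def revoke_identity(self, identity, now, reason) -> int:
        """Role change, contract end or incident: everything for that identity goes at once."""
        count = 0
        for g in self.grants:
            if g.identity == identity and g.revoked_at is None:
                g.revoked_at = now
                count += 1
        self._log("identity_revoked", identity=identity, reason=reason, grants=count)
        return count


def demo() -> dict:
    """Constructed scenario: a contractor gets a four-hour grant, then the contract ends."""
    gov = AccessGovernance()
    t0 = datetime(2024, 5, 6, 8, 0, tzinfo=timezone.utc)
    try:   # self-approval is refused and logged
        gov.request("contractor-42", "field-technician", "cabinet-TR-017", "WO-8812", "contractor-42", t0, 4)
    except PermissionError:
        pass
    gov.request("contractor-42", "field-technician", "cabinet-TR-017", "WO-8812", "ops-lead", t0, 4)
    result = {
        "inside_window": gov.is_authorised("contractor-42", "cabinet-TR-017", t0 + timedelta(hours=1)),
        "wrong_door": gov.is_authorised("contractor-42", "cabinet-TR-018", t0 + timedelta(hours=1)),
        "after_expiry": gov.is_authorised("contractor-42", "cabinet-TR-017", t0 + timedelta(hours=5)),
    }
    # Contract ends at t0 + 2h: the register no longer lists contractor-42.
    t_end = t0 + timedelta(hours=2)
    result["orphaned"] = len(gov.review({"emp-7", "emp-9"}, t_end))
    result["revoked"] = gov.revoke_identity("contractor-42", t_end, "contract-end")
    result["after_revoke"] = gov.is_authorised("contractor-42", "cabinet-TR-017", t_end)
    result["audit_events"] = len(gov.audit)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the design is that a door controller and a login system call the same `is_authorised` rule and write to the same trail, so the questions "who had access, who approved it, was it still justified, was it revoked" are answered from one place rather than from a spreadsheet.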
Incident response plans often focus on malware, data loss and system outage. They miss scenarios like lost keys, unauthorised site entry, sabotage, stolen service vehicles or contractor misuse.
A proper playbook must include immediate revocation, revalidation of access rights, field notification, SIEM/SOC integration and evidence capture.
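The offline-lock requirements from earlier (delayed event retrieval, periodic key activation, exception handling) and the lost-key playbook just described are shown together in the added Python example below. It is illustrative code written for this article, not a vendor's lock protocol; the 24-hour activation window, the key id K-1031, the cabinet ids and the timestamps are constructed assumptions. The scenario deliberately includes the failure mode a practitioner should plan for: a cabinet that has not synced since the revocation still accepts the lost key until its activation expires.

```python
"""Added example: offline locks with local blocklists and local event logs,
keys that must be periodically re-activated, and a lost-key playbook that
revokes, assesses exposure, notifies sites, captures evidence and feeds the
SIEM.  All identifiers and times are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

ACTIVATION_WINDOW = timedelta(hours=24)   # assumption: a key not re-activated dies on its own


@dataclass
class KeyToken:
    key_id: str
    holder: str
    rights: set                      # lock ids this key may open
    activated_until: datetime        # set by periodic activation at a connected point


@dataclass
class OfflineLock:
    lock_id: str
    blocklist: set = field(default_factory=set)   # revoked key ids, as of the last sync
    events: list = field(default_factory=list)    # local log, retrieved only at sync
    last_sync: Optional[datetime] = None

    def try_open(self, key: KeyToken, now: datetime) -> bool:
        """Decision made only from what the lock and key hold; there is no network."""
        opened = (key.key_id not in self.blocklist
                  and self.lock_id in key.rights
                  and now < key.activated_until)
        self.events.append({"ts": now, "key_id": key.key_id, "holder": key.holder,
                            "result": "opened" if opened else "denied"})
        return opened


@dataclass
class Server:
    revoked: set = field(default_factory=set)
    events: list = field(default_factory=list)   # events retrieved from locks, with lag
    siem: list = field(default_factory=list)     # what is forwarded to the SOC

    def activate(self, key: KeyToken, now: datetime) -> bool:
        """Periodic key activation; refused once the key is revoked."""
        if key.key_id in self.revoked:
            return False
        key.activated_until = now + ACTIVATION_WINDOW
        return True

    def sync(self, lock: OfflineLock, now: datetime) -> int:
        """Push the blocklist, pull the local log (delayed event retrieval)."""
        lock.blocklist |= self.revoked
        retrieved = [{**e, "lock_id": lock.lock_id, "retrieved_at": now} for e in lock.events]
        self.events.extend(retrieved)
        lock.events.clear()
        lock.last_sync = now
        return len(retrieved)

    def lost_key_playbook(self, key: KeyToken, locks: list, now: datetime) -> dict:
        """Immediate revocation, exposure assessment, field notification, evidence, SIEM."""
        self.revoked.add(key.key_id)
        # Sites the key can still open: in its rights and not yet holding the revocation.
        unsynced = [lk.lock_id for lk in locks
                    if lk.lock_id in key.rights and key.key_id not in lk.blocklist]
        evidence = [e for e in self.events if e["key_id"] == key.key_id]
        self.siem.append({"ts": now, "event": "key_lost", "key_id": key.key_id, "holder": key.holder,
                          "exposed_until": key.activated_until, "notify_sites": unsynced})
        return {"notify_sites": unsynced, "exposed_until": key.activated_until, "evidence": evidence}


def demo() -> dict:
    """Constructed scenario: key K-1031 is activated, used once, then reported lost."""
    t0 = datetime(2024, 5, 6, 6, 0, tzinfo=timezone.utc)
    server = Server()
    lock_a, lock_b = OfflineLock("cabinet-TR-017"), OfflineLock("cabinet-TR-018")
    key = KeyToken("K-1031", "contractor-42", {"cabinet-TR-017", "cabinet-TR-018"}, t0)
    server.activate(key, t0)
    lock_a.try_open(key, t0 + timedelta(hours=1))           # legitimate use, logged locally only
    lost_at = t0 + timedelta(hours=6)
    report = server.lost_key_playbook(key, [lock_a, lock_b], lost_at)
    result = {"notify_sites": sorted(report["notify_sites"]),
              "evidence_at_report": len(report["evidence"]),   # nothing retrieved yet
              "reactivation_refused": not server.activate(key, lost_at + timedelta(hours=1))}
    server.sync(lock_a, lost_at + timedelta(minutes=30))    # technician syncs the first cabinet
    result["synced_lock"] = lock_a.try_open(key, lost_at + timedelta(hours=1))
    result["unsynced_lock"] = lock_b.try_open(key, lost_at + timedelta(hours=1))   # the gap
    result["after_activation_expiry"] = lock_b.try_open(key, t0 + timedelta(hours=25))
    server.sync(lock_b, t0 + timedelta(hours=26))           # late retrieval supplies the evidence
    result["retrieved_events"] = len(server.events)
    result["uses_after_loss"] = sum(1 for e in server.events
                                    if e["key_id"] == "K-1031" and e["result"] == "opened"
                                    and e["ts"] > lost_at)
    return result


if __name__ == "__main__":
    print(demo())
```

Two things the run makes visible: at the moment of the report there is no evidence yet, because offline locks only give up their logs when someone syncs them, and the unsynced cabinet still opens for the lost key. The exposure window is therefore bounded by the activation window, which is why periodic activation and a prioritised field-notification list are part of the control rather than optional extras.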
A smart lock, card reader or key system does not solve the problem by itself. Without identity integration, policy enforcement, lifecycle management and audit reporting, it becomes another silo.
The architecture should start with governance. Then select the lock, key, IAM, IGA and monitoring components that fit that model.
Critical infrastructure security is not about adding more controls. It is about closing the gap between identity, physical access and operational accountability.
The weak spot is usually not the firewall. It is the door, the key, the contractor, the field cabinet and the missing audit trail.