Hard Truth: Most critical infrastructure providers don't know what digital vulnerabilities they have, where to find them, or how to fix them.
Each critical infrastructure provider must develop and implement cybersecurity countermeasures tailored to its specific physical and digital infrastructure. This is hugely unfamiliar territory for most providers, who have relied on their equipment vendors to handle both ICS/SCADA and IT security.
Unfortunately, neither traditional critical infrastructure vendors nor IT security vendors are fully equipped to counter the unique hybrid threat of cyber-enabled critical infrastructure attacks: The former aren't schooled in IT security, while the latter aren't used to protecting non-IT physical assets. Even worse, sometimes ICS/SCADA vendors don't reveal vulnerabilities or even purposely install capabilities – such as unremovable backdoors – that attackers could easily co-opt.