Pakistan’s critical installations face an increased risk of cyberattacks, the National Computer Emergency Response Team (CERT) has warned in a fresh cybersecurity advisory issued on Tuesday, urging institutions to adopt stringent preventive measures to safeguard sensitive systems.
According to the advisory, all public and private sector organisations have been directed to implement a zero trust security model, under which no device or system is considered secure unless fully verified before being connected to networks. Authorities emphasised that strict authentication protocols must be followed to minimise vulnerabilities.
The alert warned that hostile states could exploit supply chain weaknesses to target key sectors, including power, banking and defence systems. It noted that even minor negligence during the delivery of hardware and software could result in major system failures with far-reaching consequences.
Officials highlighted that state-sponsored cyber espionage has advanced significantly, extending into logistics and manufacturing stages. As a result, institutions have been instructed to treat all hardware deliveries as potential security risks and to carry out thorough inspections before deployment.
The advisory also cautioned against the use of unverified software updates, stating that such updates could introduce hidden backdoors into the national digital infrastructure, compromising sensitive data and operational integrity.
Furthermore, vendors with unknown ownership were described as a serious threat to national security, prompting calls for stricter scrutiny of suppliers involved in critical infrastructure projects. Authorities recommended the mandatory use of tamper-proof and trackable systems for the transportation of sensitive equipment.
The warning added that reliance on a single supplier could expose entire systems to disruption, noting that a compromised vendor might potentially impact the entire power grid or banking network.
The National CERT stressed that ignoring supply chain security could leave vital installations completely paralysed. Institutions have also been advised to immediately report suspicious network activity and any unusual software behaviour to relevant authorities.
