IP telephony has been rapidly introduced to replace the traditional circuit-switched infrastructure for telephony services. This change has had an enormous impact on critical-infrastructure (CI) sectors, which are expected to become increasingly dependent on IP telephony services. Reliable and secure telephony service is a key concern confronting most organizations in the critical-infrastructure sector today. With the proliferation of voice over IP (VoIP) services in these organizations, it is important for them to understand the security vulnerabilities and develop a set of best practices as their IP telephony services evolve. This article outlines the potential security issues faced by CI sectors as they transform their traditional phone systems into VoIP systems. Vulnerability analyses are conducted to understand the impact of VoIP security challenges in the new convergent network paradigm. The most common security measures are analyzed to identify their strengths and limitations in combating these new security challenges. A set of recommendations and best practices is offered to address the key issues of VoIP security as IP telephony is being introduced into critical infrastructure.