Why does just-in-time access matter for industrial control systems?

JIT access matters because industrial systems are often accessed by operators, engineers, and third parties who do not need permanent credentials. Issuing access only for the approved maintenance window reduces standing privilege and narrows the blast radius if credentials are abused. In OT, that also improves auditability because every privileged session has a clear operational reason.

Why This Matters for Security Teams

Industrial control systems are rarely serviced by a single trusted operator. They are touched by OEM support staff, contractors, integrators, and internal engineers, often across sites and shifts. That makes standing privilege especially risky: credentials that exist all the time become an always-open path into OT environments. Current guidance on Zero Trust and digital identity, including NIST SP 800-63 Digital Identity Guidelines, supports short-lived, purpose-bound access where identity assurance and session governance matter as much as the login itself.

This is why JIT is not just an IT convenience in industrial settings. It is a control that limits exposure during the exact window when privileged access is needed, then removes that privilege before it can be reused for lateral movement, unsafe commands, or post-maintenance abuse. The risk is not theoretical: NHI Mgmt Group research shows that 97% of NHIs carry excessive privileges, and that problem compounds in OT where remote access and service accounts are common. See the Ultimate Guide to NHIs and the Ultimate Guide to NHIs — Key Challenges and Risks for the broader NHI context.

In practice, many security teams discover standing access paths only after a maintenance credential has already been reused outside the original work order.

How It Works in Practice

In OT, JIT access usually sits between a request workflow and a privileged session broker. An engineer requests access for a named asset, a specific time window, and a defined task. Policy then evaluates whether the requester is authorised, whether the change window is approved, and whether a higher-assurance check is needed for that equipment class. If approved, the system issues a short-lived credential, a session token, or brokered jump-host access that expires automatically when the task ends.

For industrial environments, the useful pattern is not just “short TTL,” but “short TTL plus narrow scope.” That means binding the session to a device, PLC, historian, or engineering workstation, and pairing it with RBAC or PAM rules that only open the functions needed for that maintenance event. The OWASP Non-Human Identity Top 10 aligns with this approach by emphasising lifecycle control, secret hygiene, and least privilege for machine identities. It is also consistent with the 52 NHI Breaches Analysis, where weak identity governance repeatedly amplifies breach impact.

  • Use JIT for vendors and engineers who need occasional elevated access, not permanent VPN or shared admin credentials.
  • Log the business reason, approver, asset, and expiry time so the session is auditable end to end.
  • Revoke access automatically when the ticket closes, the shift ends, or the timeout is reached.
  • Pair JIT with MFA, session recording, and command-level controls where the control system supports them.

Where possible, issue access from workload or user identity rather than long-lived shared secrets, and rotate any residual secrets that still must exist for device compatibility. These controls tend to break down when legacy OT equipment cannot enforce per-session authorisation and still depends on shared local accounts or static vendor passwords because the identity layer is too shallow to bind access to a real task.
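As an added illustration (not code from the article or from NHI Mgmt Group), a minimal request-to-broker flow in Python: the request is evaluated against an approved change window, a role scope and the assurance requirement for the equipment class, a grant is then issued with a short TTL capped at the window end and bound to one asset and a fixed function list, and the grant is checked again at use time so that ticket closure, timeout or tampering ends the session. The asset names, tickets, roles and policy tables are constructed sample data.

```python
import hmac, hashlib, json
from datetime import datetime, timedelta, timezone
# Constructed sample policy (not from the article): approved change windows and role scopes.
APPROVED_WINDOWS = {  # asset -> (change ticket, window start, window end), UTC
    "PLC-LINE3": ("CHG-1042", datetime(2024, 5, 6, 22, 0, tzinfo=timezone.utc),
                  datetime(2024, 5, 7, 2, 0, tzinfo=timezone.utc)),
}
ROLE_FUNCTIONS = {  # (role, equipment class) -> functions that may be opened
    ("oem_engineer", "plc"): {"read_logic", "upload_logic"},
    ("contractor", "plc"): {"read_logic"},
}
HIGH_ASSURANCE_CLASSES = {"plc", "safety_controller"}  # MFA required here
MAX_TTL = timedelta(hours=2)
SIGNING_KEY = b"constructed-demo-key"  # real brokers keep this in an HSM/KMS
def evaluate(req):
    """Policy check: approved window, authorised role, assurance level met."""
    window = APPROVED_WINDOWS.get(req["asset"])
    if window is None or window[0] != req["ticket"]:
        return False, "no approved change window for this asset and ticket"
    if not (window[1] <= datetime.fromisoformat(req["requested_at"]) < window[2]):
        return False, "request is outside the approved window"
    if (req["role"], req["asset_class"]) not in ROLE_FUNCTIONS:
        return False, "role not authorised for this equipment class"
    if req["asset_class"] in HIGH_ASSURANCE_CLASSES and not req["mfa_verified"]:
        return False, "higher-assurance check required for this equipment class"
    return True, "approved"
def sign(grant):
    body = json.dumps({k: v for k, v in grant.items() if k != "sig"}, sort_keys=True)
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_grant(req):
    """Short TTL plus narrow scope: one asset, role-limited functions, window-capped expiry."""
    ok, _ = evaluate(req)
    if not ok:
        return None
    requested = datetime.fromisoformat(req["requested_at"])
    expires = min(requested + MAX_TTL, APPROVED_WINDOWS[req["asset"]][2])
    grant = {"sub": req["requester"], "asset": req["asset"], "ticket": req["ticket"],
             "functions": sorted(ROLE_FUNCTIONS[(req["role"], req["asset_class"])]),
             "exp": expires.isoformat()}
    grant["sig"] = sign(grant)
    return grant

def check_grant(grant, asset, function, now, ticket_closed):
    """Use-time check: untampered, in scope, not expired, ticket still open."""
    if not hmac.compare_digest(grant["sig"], sign(grant)):
        return False
    if ticket_closed or datetime.fromisoformat(now) >= datetime.fromisoformat(grant["exp"]):
        return False  # revoked when the ticket closes or the timeout is reached
    return grant["asset"] == asset and function in grant["functions"]
```

The audit record the article asks for (business reason, approver, asset, expiry) maps onto the ticket, the evaluate() result and the grant fields, so logging the request and the returned grant together gives an end-to-end trail.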

Common Variations and Edge Cases

Tighter JIT controls often increase operational overhead, so organisations have to balance faster maintenance against stronger containment. That tradeoff is real in plants that run 24/7, where a delayed approval can affect safety or uptime. Best practice is evolving here, and there is no universal standard for every ICS stack. Some environments use break-glass access for emergency restoration, but that should be the exception, not the operating model.

Another edge case is offline or intermittently connected sites. If the access broker cannot reach the controller, JIT may need a local cache of approvals or a pre-authorised maintenance window with very tight expiry. Even then, the goal remains the same: remove standing privilege and prove who accessed what, when, and why. The NHI Mgmt Group Guide to NHI Rotation Challenges is useful here because JIT and rotation solve different parts of the same exposure problem. For high-risk vendor access, the Schneider Electric credentials breach is a reminder that long-lived access paths can become a serious operational liability.

For programmes mapping this to governance, Ultimate Guide to NHIs — Standards is the best starting point. In control rooms and field service scenarios, the weak point is usually not the policy definition but the exception process, which is where standing access quietly returns.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-03 | JIT depends on short-lived secrets and clean rotation boundaries. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero Trust requires dynamic, context-based access decisions for OT sessions. |
| NIST CSF 2.0 | PR.AC-1 | Access control governance is the core control objective behind JIT for ICS. |

Issue time-bound credentials, then revoke or rotate them immediately after the approved session ends.