How should security teams govern access on shared devices in manufacturing environments?

Security teams should treat shared-device access as a workflow problem, not just an authentication problem. The controls need fast user switching, clean session reset, and auditable handoffs between workers. If a control slows production enough to trigger workarounds, it will be bypassed, so usability and accountability must be designed together.

Why This Matters for Security Teams

Shared devices in manufacturing sit at the intersection of speed, safety, and identity risk. Operators move between stations, shifts, and sometimes lines, so access has to be fast enough for production and strict enough to preserve accountability. The common mistake is to apply office-style session control to an environment that cannot tolerate delay. That usually leads to shared passwords, sticky logins, or informal bypasses that erase auditability. Guidance in the Top 10 NHI Issues shows how quickly unmanaged credentials create exposure, and the same pattern applies when a workstation is treated as a permanent trust zone instead of a controlled handoff point. The NIST Cybersecurity Framework 2.0 still maps well here because identity, access, and logging all need to work together.

For security teams, the real issue is not whether a badge, PIN, or tap-in method exists. It is whether the device reliably returns to a known state after every use and whether the next worker inherits only the access needed for the task. In practice, many security teams encounter unsafe workarounds only after line speed, shift pressure, or supervision gaps have already made them routine.

How It Works in Practice

Governance on shared devices works best when the device behaves like a temporary session host, not a personal endpoint. Each worker should authenticate quickly, receive only the permissions needed for that station, and trigger an automatic reset when the session ends. That reset should clear cached credentials, application context, and any local data that could let the next user inherit access. Where feasible, pair role-based access control with just-in-time elevation so a maintenance task, quality check, or supervisor action is granted only for the duration of the task.

The operational model should include:

  • Fast user switching with a clear log of who started and ended each session.
  • Short-lived access tied to shift, station, or work order rather than a broad device login.
  • Automatic timeout and screen lock thresholds that match production realities.
  • Central logging for authentication, privilege changes, and handoff events.
  • Recovery steps for shared terminals that fail mid-task without exposing the prior user’s context.
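An added example, not code from the original page or from any product it mentions: a small audit over constructed session events that checks the operational model above (logged start and end, a reset before the next worker, bounded session length, and elevation only inside an authenticated session). The log format, event names, station, user and work-order IDs, and the four-hour limit are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events for one shared terminal (not real plant data).
# Assumed line format: timestamp station event user work_order
SAMPLE_LOG = """\
2024-05-06T06:00:05 PACK-07 session_start op_ana WO-1001
2024-05-06T09:58:40 PACK-07 session_end op_ana WO-1001
2024-05-06T10:00:10 PACK-07 session_start op_ben WO-1002
2024-05-06T14:01:00 PACK-07 session_start op_cho WO-1003
2024-05-06T14:30:00 PACK-07 elevate op_cho WO-1003
2024-05-06T18:45:00 PACK-07 session_end op_cho WO-1003
2024-05-06T18:45:02 PACK-07 reset - -
2024-05-06T18:50:00 PACK-07 elevate op_dev WO-1004
"""

def audit_handoffs(log_text, max_session=timedelta(hours=4)):
    """Return (timestamp, station, finding, user) for each broken handoff."""
    findings = []
    stations = {}  # station -> open user, session start, reset-since-last-use flag
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, station, event, user, _work_order = line.split()
        when = datetime.fromisoformat(ts)
        # Assumption: a station is clean the first time it appears in the log.
        st = stations.setdefault(station, {"user": None, "start": None, "clean": True})
        if event == "session_start":
            if st["user"] is not None:
                # Previous worker never logged out: the new one inherits the session.
                findings.append((ts, station, "OVERLAP", user))
            elif not st["clean"]:
                # Logout happened, but cached state was never cleared.
                findings.append((ts, station, "NO_RESET", user))
            st.update(user=user, start=when, clean=False)
        elif event == "session_end":
            if st["user"] != user:
                findings.append((ts, station, "END_MISMATCH", user))
            else:
                if when - st["start"] > max_session:
                    findings.append((ts, station, "OVER_LIMIT", user))
                st["user"] = None
        elif event == "reset":
            st.update(user=None, start=None, clean=True)
        elif event == "elevate" and st["user"] != user:
            # Privilege change with no authenticated session behind it.
            findings.append((ts, station, "NO_SESSION_ELEVATION", user))
    return findings

if __name__ == "__main__":
    for finding in audit_handoffs(SAMPLE_LOG):
        print(*finding)
```

Run against centrally collected events, a check like this turns the shift-change audit trail into a pass/fail result per station rather than something reviewed only after an incident.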

NHIMG research shows why this discipline matters: the Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges, and 96% of organisations store secrets outside secrets managers in vulnerable locations. That finding is about machine identities, but the lesson transfers cleanly to shared devices: anything persistent on the endpoint tends to outlive the user’s need for it. The same guide’s section on Lifecycle Processes for Managing NHIs is useful because device handoff should follow a lifecycle mindset, not a one-time login mindset. Current guidance from the OWASP Non-Human Identity Top 10 also reinforces least privilege, credential hygiene, and visibility as baseline controls.

These controls tend to break down when applications cannot support rapid reauthentication, offline terminals must cache state, or legacy MES and HMI systems keep credentials in the client rather than the backend.

Common Variations and Edge Cases

Tighter session control often increases friction, requiring organisations to balance security assurance against line uptime and operator throughput. There is no universal standard for every plant layout, so current guidance suggests matching the control to the sensitivity of the function. A packaging station may only need quick re-login and audit logging, while a recipe-editing terminal or maintenance console may need stronger approval, step-up verification, and supervisor review.

One common exception is the device that must remain available during emergencies or safety events. In those cases, the workflow should preserve rapid access while still recording who performed the action and when. Another edge case is contract labour or rotating technicians: their access should be time-bound and scoped to a shift or work order, with automatic revocation at handoff. If the environment includes connected tools or shared kiosks that act like service endpoints, treat the device and any embedded secrets as separate control points, because a clean user session does not automatically mean a clean machine state.

The 52 NHI Breaches Analysis is a useful reminder that weak credential hygiene and poor visibility repeatedly turn routine access into incident material. For manufacturing teams, the practical test is simple: if a process cannot produce a trustworthy audit trail after shift change, it is not governed well enough yet. In those environments, the control is usually not the badge or the PIN, but the inability to prove what happened between one operator and the next.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Shared-device sessions fail when credentials persist or are reused across workers. |
| NIST CSF 2.0 | PR.AC-4 | Device access should be least-privilege and logged for every shift handoff. |
| NIST Zero Trust (SP 800-207) | | Shared devices need continuous verification, not trusted long-lived sessions. |

Treat every login as a new trust decision and revalidate at each task boundary.