IT/OT convergence increases identity risk because it connects environments that were never built around the same authentication, authorization or audit model. Legacy OT systems, shared accounts and remote vendor access create inconsistent control points, so the weakest identity practice can extend from office IT into production operations.
Why This Matters for Security Teams
Manufacturing identity risk changes sharply when IT and OT are linked because the attack surface expands from office systems into production uptime, safety functions and vendor-maintained equipment. OT was often designed around trusted networks, shared logins and maintenance access, not strong identity assurance. That means one weak service account, remote support credential or token can cross a boundary that previously acted as a practical containment layer. The result is not just data exposure; it can become process disruption, unsafe state changes or prolonged downtime. Current guidance from the NIST Cybersecurity Framework 2.0 treats identity as a core control point, but in convergence environments implementation is harder because legacy controllers and modern cloud tooling rarely share the same authentication model.
NHI exposure is especially important here because machines and integrations multiply fast across plants, vendors and automation platforms. NHIs outnumber human identities by 25x to 50x in modern enterprises, and only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs. In practice, many security teams encounter identity abuse only after remote access, a shared account or a stale secret has already been used to move from IT into OT, rather than through intentional control design.
How It Works in Practice
In a converged plant, identity risk usually concentrates in a few places: vendor remote access, service accounts that bridge historians and MES platforms, API keys used by orchestration tools, and certificate-based trust between industrial assets. Those identities are often long-lived, over-privileged and difficult to rotate because downtime windows are limited. That is why least privilege, strong logging and separation of duties need to be applied to both human and non-human identities, not just employees.
A practical model starts by inventorying every identity that can reach a production environment, then classifying which ones are human, which are machine identities and which are external vendor accounts. From there, teams should align access to time-bound tasks with just-in-time (JIT) provisioning, privileged access management (PAM) for privileged sessions and zero standing privileges (ZSP) in place of standing access where possible. For machine-to-machine trust, workload identity is usually a better primitive than shared secrets because it ties access to cryptographic proof of what the workload is, not to a password that can be copied. Best practice is evolving toward runtime authorisation, where policy is evaluated at the moment of use instead of being granted broadly in advance.
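The classify-then-authorise model above as an added, runnable example (not from the article): a policy check evaluated at the moment of use that refuses unclassified identities, unattested machine identities, expired JIT grants, standing access to process-changing actions, and vendor grants not tied to a maintenance event. The identity names, action names and the `MNT-1042` event reference are constructed.

```python
# Added example (not from the article); identities, grants and actions are constructed.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PRIVILEGED_OT_ACTIONS = {"plc:write", "safety:override", "recipe:change"}  # change process state

@dataclass(frozen=True)
class Identity:
    name: str
    kind: str               # "human" | "machine" | "vendor"
    attested: bool = False  # machine proved what it is at runtime, not via a shared secret

@dataclass(frozen=True)
class Grant:
    identity: str
    action: str
    expires_at: datetime | None           # None means standing access
    maintenance_event: str | None = None  # vendor grants must name one

def authorize(identity, grants, action, now):
    """Evaluate policy at the moment of use; return (allowed, reason)."""
    if identity.kind not in ("human", "machine", "vendor"):
        return False, "unclassified identity"
    if identity.kind == "machine" and not identity.attested:
        return False, "machine identity not attested (shared secret in use)"
    for g in grants:
        if g.identity != identity.name or g.action != action:
            continue
        if g.expires_at is None and action in PRIVILEGED_OT_ACTIONS:
            return False, "standing access not allowed for privileged OT action"
        if g.expires_at is not None and g.expires_at <= now:
            return False, "JIT grant expired"
        if identity.kind == "vendor" and g.maintenance_event is None:
            return False, "vendor access not tied to a maintenance event"
        return True, "granted"
    return False, "no matching grant"

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
IDENTITIES = {
    "eng-jane": Identity("eng-jane", "human"),
    "svc-historian": Identity("svc-historian", "machine", attested=True),
    "svc-mes-legacy": Identity("svc-mes-legacy", "machine"),  # still on a password
    "vendor-acme": Identity("vendor-acme", "vendor"),
}
GRANTS = [
    Grant("eng-jane", "plc:write", NOW + timedelta(hours=2)),      # JIT, still valid
    Grant("svc-historian", "tags:read", None),                     # standing read access
    Grant("vendor-acme", "plc:write", NOW - timedelta(days=30)),   # forgotten vendor grant
    Grant("vendor-acme", "recipe:change", NOW + timedelta(hours=4), "MNT-1042"),
]
def decide(name, action, now=NOW):
    return authorize(IDENTITIES[name], GRANTS, action, now)
```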
That shift matters because secrets decay badly in operational environments. The Ultimate Guide to NHIs notes that 96% of organisations store secrets outside dedicated secrets managers, and 79% have experienced secrets leaks. For convergence programmes, that usually means remote support credentials, API tokens and certificates are spread across engineering laptops, CI/CD systems and plant integrations. Rotation and revocation controls tend to break down when uptime requirements prevent rapid rotation, because old secrets then remain valid longer than process owners expect.
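An added example (not from the article) of the decay described above: an audit over a constructed secret inventory that flags secrets held outside a secrets manager and computes how long each stays valid past its policy age when rotation can only happen in a scheduled downtime window. The secret names, dates and downtime schedule are constructed.

```python
# Added example (not from the article): audit a constructed secret inventory for
# sprawl and for rotation that slips past policy because it needs a downtime window.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MANAGED_LOCATIONS = {"secrets-manager"}  # anything else counts as sprawl

@dataclass(frozen=True)
class Secret:
    name: str
    kind: str           # "remote-support-credential" | "api-token" | "certificate"
    location: str       # where the secret actually lives
    issued_at: datetime
    max_age: timedelta  # policy rotation interval

def next_window(earliest, windows):
    """First maintenance window at or after `earliest`, or None if none is scheduled."""
    return next((w for w in sorted(windows) if w >= earliest), None)

def audit(secrets, windows, now):
    """One finding per secret: sprawl flag, overdue flag and validity beyond policy."""
    findings = []
    for s in secrets:
        due = s.issued_at + s.max_age                 # when policy says it should be gone
        window = next_window(max(due, now), windows)  # rotation waits for downtime
        findings.append({
            "name": s.name,
            "unmanaged": s.location not in MANAGED_LOCATIONS,
            "overdue": due <= now,
            "rotate_at": window,
            # Days the old secret stays valid past policy; None = no window scheduled.
            "overrun_days": None if window is None else (window - due).days,
        })
    return findings

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
WINDOWS = [datetime(2024, 7, 20, tzinfo=timezone.utc),   # constructed downtime schedule
           datetime(2024, 6, 15, tzinfo=timezone.utc)]
SECRETS = [  # constructed inventory
    Secret("vendor-remote-support", "remote-support-credential", "engineering-laptop",
           datetime(2024, 1, 1, tzinfo=timezone.utc), timedelta(days=90)),
    Secret("historian-mes-token", "api-token", "ci-cd",
           datetime(2024, 5, 1, tzinfo=timezone.utc), timedelta(days=60)),
    Secret("plc-gateway-cert", "certificate", "secrets-manager",
           datetime(2024, 4, 1, tzinfo=timezone.utc), timedelta(days=365)),
]

def run_audit():
    return {f["name"]: f for f in audit(SECRETS, WINDOWS, NOW)}
```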
Common Variations and Edge Cases
Tighter access control often increases operational overhead, requiring organisations to balance containment against maintenance speed and vendor support needs. That tradeoff is most visible in plants that depend on third-party integrators, legacy PLCs or applications that cannot support modern authentication. In those environments, current guidance suggests compensating with network segmentation, jump hosts, session recording and stricter credential lifecycle controls rather than pretending the asset can be made cloud-native overnight.
There is no universal standard for every OT protocol, so teams should be careful not to overstate maturity just because a system has a login prompt. Shared accounts may still be unavoidable in some brownfield systems, but they should be wrapped with monitoring, just-in-time elevation and strong change control. Vendor access is another edge case: it often looks temporary but becomes effectively permanent unless entitlements are reviewed after every maintenance event.
For governance, the most relevant framework lens is identity-centric and risk-based. The 52 NHI Breaches Analysis shows how often weak machine identity hygiene contributes to compromise patterns, while Top 10 NHI Issues helps teams prioritise the recurring failures that matter most in operational settings. For convergence programmes, the real test is whether identity controls still hold when the plant is under pressure, not just when the environment is calm.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Identity rotation and secret hygiene are central to OT and vendor access risk. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access is the main control gap in IT/OT convergence. |
| NIST Zero Trust (SP 800-207) | AC-3 | Zero trust limits lateral movement from IT into production systems. |
In practice, that means requiring explicit verification for each session and avoiding implicit trust across IT/OT boundaries.