
What should manufacturers do when SCADA modernization cannot disrupt production?

Manufacturers should modernize SCADA governance in stages, starting with identity controls, network segmentation, and monitored remote access. The goal is to reduce exposure without forcing a production shutdown. Where replacement is not feasible, control the blast radius, narrow the access window, and test recovery paths before an incident makes those decisions for you.

Why This Matters for Security Teams

When SCADA modernization cannot stop the line, the real risk is not the upgrade itself but the unmanaged identity sprawl that keeps old access paths alive. Manufacturers often keep vendor accounts, shared service credentials, and remote support paths in place because downtime is unacceptable. That can leave the plant exposed long after the modernization project is “complete.” NHI governance is the safer bridge: reduce privilege first, then replace fragile access patterns over time. NHI Mgmt Group research shows that 97% of NHIs carry excessive privileges, which is exactly the kind of problem that turns a necessary production exception into an incident window. The same pattern appears in cases like the Schneider Electric credentials breach, where credential exposure became an operational security issue.

Current guidance from the NIST Cybersecurity Framework 2.0 still applies: identify assets, protect access, detect abnormal use, and recover quickly. In practice, many security teams encounter credential misuse only after a remote access path has already been abused, rather than through intentional governance.

How It Works in Practice

The safest modernization pattern is staged control replacement. Start by inventorying every non-human identity tied to SCADA, historians, engineering workstations, PLC tooling, and remote maintenance. Then separate identity from connectivity: require unique accounts, remove shared logins, and place vendor and integrator access behind monitored jump hosts. Where possible, use the Ultimate Guide to NHIs — The NHI Market as the baseline for lifecycle and rotation expectations, because long-lived secrets are the easiest way to preserve legacy access without visibility.

For production environments, the practical controls are usually:

  • Network segmentation between SCADA, IT, and vendor support paths.
  • Role-based access mapped to named functions, not to broad “maintenance” groups.
  • Monitored remote access with session recording and time-bound approvals.
  • Just-enough access for specific tasks, with fast revocation after work is done.
  • Credential rotation for service accounts before and after planned maintenance windows.

NIST Cybersecurity Framework 2.0 supports this approach by making protection and recovery measurable, not aspirational. The operational aim is to shrink blast radius without interrupting process control, especially where vendor software cannot be replaced quickly. These controls tend to break down when legacy HMIs and controllers depend on shared accounts or hard-coded secrets because the plant cannot easily prove who used the access and when.
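As an added example (not from the journal or from any vendor product), the following Python script performs the inventory step described above over a constructed sample of SCADA-related non-human identities. It flags the four gaps the control list targets: shared logins, privileges beyond the account's named function, secrets that have outlived the rotation expectation, and vendor accounts that are not behind a monitored jump host. The role map, the 90-day rotation limit, the `jump-host`/`direct` labels, and every identity name are assumptions.

```python
"""Audit a SCADA-related NHI inventory for the governance gaps discussed above.
Constructed sample data throughout: roles, privileges, thresholds and identity
names are assumptions for illustration, not taken from any real plant."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed role-to-privilege map: each named function gets only what it needs;
# there is deliberately no broad "maintenance" role.
ROLE_PRIVILEGES = {
    "historian-collector": {"historian:read"},
    "plc-engineering": {"plc:read", "plc:write-config"},
    "vendor-support": {"hmi:read", "hmi:diagnostics"},
}
JUMP_HOST_REQUIRED = {"vendor-support"}  # assumed: vendor access only via a monitored jump host
MAX_SECRET_AGE = timedelta(days=90)       # assumed rotation expectation


@dataclass
class NHI:
    name: str
    role: str
    privileges: set
    secret_last_rotated: date
    used_by: set       # people or systems known to present this credential
    access_path: str   # "jump-host" or "direct" (assumed labels)


def audit(inventory, today):
    """Return (identity, finding) tuples; an empty list means no gaps were found."""
    findings = []
    for nhi in inventory:
        allowed = ROLE_PRIVILEGES.get(nhi.role)
        if allowed is None:
            findings.append((nhi.name, f"role '{nhi.role}' is not mapped to a named function"))
        elif nhi.privileges - allowed:
            extra = ", ".join(sorted(nhi.privileges - allowed))
            findings.append((nhi.name, f"privileges beyond role: {extra}"))
        if len(nhi.used_by) > 1:
            findings.append((nhi.name, "shared login used by " + ", ".join(sorted(nhi.used_by))))
        age = today - nhi.secret_last_rotated
        if age > MAX_SECRET_AGE:
            findings.append((nhi.name, f"secret not rotated for {age.days} days (limit {MAX_SECRET_AGE.days})"))
        if nhi.role in JUMP_HOST_REQUIRED and nhi.access_path != "jump-host":
            findings.append((nhi.name, "vendor access is not behind a monitored jump host"))
    return findings


# Constructed sample inventory: one clean identity, one shared over-privileged
# engineering login with a stale secret, and one vendor account connecting directly.
SAMPLE_INVENTORY = [
    NHI("svc-historian", "historian-collector", {"historian:read"},
        date(2024, 5, 1), {"historian-server"}, "jump-host"),
    NHI("maint-shared", "plc-engineering", {"plc:read", "plc:write-config", "hmi:admin"},
        date(2023, 11, 15), {"alice", "bob", "integrator-x"}, "direct"),
    NHI("vendor-acme", "vendor-support", {"hmi:read", "hmi:diagnostics"},
        date(2024, 3, 20), {"acme-support"}, "direct"),
]


def run_sample_audit():
    """Audit the constructed inventory as of a fixed date so results are reproducible."""
    return audit(SAMPLE_INVENTORY, date(2024, 6, 1))


if __name__ == "__main__":
    for name, finding in run_sample_audit():
        print(f"{name}: {finding}")
```

Run against a real inventory export, the same four checks give a prioritised worklist: fix the shared login and the jump-host bypass before the next maintenance window, and schedule rotation for anything past the age limit.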

Common Variations and Edge Cases

Tighter access control often increases maintenance overhead, requiring organisations to balance production continuity against security discipline. That tradeoff becomes sharper in 24/7 plants, brownfield sites, and regulated environments where patch windows are short and equipment vendors insist on persistent access. Best practice is evolving, but there is no universal standard for this yet: some sites can move to per-session approvals and full recording, while others must keep a minimal emergency path alive until replacement hardware is scheduled.

Where risk is highest, the priority is not perfect modernization but controlled exposure. Use an emergency break-glass account only if it is isolated, heavily monitored, and reviewed after every use. Keep the access window narrow, and make the revocation process automatic so the account does not become a permanent workaround. The broader lesson from the Ultimate Guide to NHIs — The NHI Market is that unmanaged credentials persist far longer than teams expect, which is why governance has to move ahead of replacement, not after it. For plants with distributed vendors or remote integrators, this guidance often weakens when contractual access obligations override local control, because security teams cannot enforce the same revocation pace across every third party.
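To make the narrow-window, automatic-revocation and break-glass rules above concrete, here is an added Python example (not from the journal or from any product) of an access broker. It issues time-bound vendor grants with a named approver, refuses windows beyond a maximum, revokes grants automatically once they expire, logs every session decision, and confines the emergency path to an isolated account that cannot be used again until its previous use has been reviewed. The `bg-` naming convention, the four-hour and one-hour windows, and every account, asset and approver name are assumptions.

```python
"""Broker for time-bound, monitored access to production SCADA assets.
Grants expire on their own, every access decision is logged, and the
break-glass path is isolated, short-lived and blocked until the previous
use has been reviewed. All names and windows are constructed sample values."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

BREAK_GLASS_PREFIX = "bg-"              # assumed naming convention for isolated emergency accounts
BREAK_GLASS_WINDOW = timedelta(hours=1)  # assumed fixed emergency window


@dataclass
class Grant:
    identity: str
    target: str
    approved_by: str
    expires_at: datetime
    break_glass: bool = False
    revoked_at: Optional[datetime] = None
    used: bool = False
    reviewed_by: Optional[str] = None


class AccessBroker:
    def __init__(self, max_window=timedelta(hours=4)):  # assumed maximum routine window
        self.max_window = max_window
        self.grants = {}
        self.log = []  # (timestamp, event) pairs; feeds the session-recording pipeline

    def _record(self, when, event):
        self.log.append((when, event))

    def request(self, identity, target, approver, duration, now):
        """Routine grant: named approver, bounded window, never for emergency accounts."""
        if duration > self.max_window:
            raise ValueError(f"window {duration} exceeds maximum {self.max_window}")
        if identity.startswith(BREAK_GLASS_PREFIX):
            raise ValueError("break-glass accounts are not issued routine grants")
        gid = len(self.grants) + 1
        self.grants[gid] = Grant(identity, target, approver, now + duration)
        self._record(now, f"grant {gid}: {identity} -> {target} until {now + duration} by {approver}")
        return gid

    def break_glass(self, identity, target, now, reason):
        """Emergency path: isolated account, fixed short window, one unreviewed use at a time."""
        if not identity.startswith(BREAK_GLASS_PREFIX):
            raise ValueError("break-glass requires an isolated emergency account")
        if any(g.identity == identity for g in self.pending_reviews()):
            raise PermissionError(f"{identity} has an unreviewed break-glass use")
        gid = len(self.grants) + 1
        self.grants[gid] = Grant(identity, target, "break-glass", now + BREAK_GLASS_WINDOW, True)
        self._record(now, f"BREAK-GLASS {gid}: {identity} -> {target}, reason: {reason}")
        return gid

    def check_access(self, gid, now):
        """Called at every session start; an expired grant is revoked on the spot."""
        g = self.grants[gid]
        if g.revoked_at is None and now >= g.expires_at:
            self.revoke(gid, now, "expired")
        if g.revoked_at is not None:
            self._record(now, f"denied {gid}: {g.identity} -> {g.target}")
            return False
        g.used = True
        self._record(now, f"session {gid}: {g.identity} -> {g.target}")
        return True

    def revoke(self, gid, now, reason="work complete"):
        g = self.grants[gid]
        if g.revoked_at is None:
            g.revoked_at = now
            self._record(now, f"revoked {gid}: {reason}")

    def sweep(self, now):
        """Periodic job: revoke everything past its window; returns the revoked ids."""
        expired = [gid for gid, g in self.grants.items() if g.revoked_at is None and now >= g.expires_at]
        for gid in expired:
            self.revoke(gid, now, "expired by sweep")
        return expired

    def review(self, gid, reviewer):
        self.grants[gid].reviewed_by = reviewer

    def pending_reviews(self):
        return [g for g in self.grants.values() if g.break_glass and g.used and g.reviewed_by is None]


def demo():
    """Walk through one vendor session and one emergency use; returns checkable results."""
    b, t0, out = AccessBroker(), datetime(2024, 6, 1, 8, 0), {}
    gid = b.request("vendor-acme", "hmi-01", "shift-lead", timedelta(hours=2), t0)
    out["in_window"] = b.check_access(gid, t0 + timedelta(hours=1))
    out["after_window"] = b.check_access(gid, t0 + timedelta(hours=3))
    out["auto_revoked"] = b.grants[gid].revoked_at is not None
    try:
        b.request("vendor-acme", "hmi-01", "shift-lead", timedelta(hours=8), t0)
        out["long_window_rejected"] = False
    except ValueError:
        out["long_window_rejected"] = True
    bg = b.break_glass("bg-plant-emergency", "plc-03", t0, "line stop")
    b.check_access(bg, t0 + timedelta(minutes=10))
    out["pending_before_review"] = len(b.pending_reviews())
    try:
        b.break_glass("bg-plant-emergency", "plc-04", t0 + timedelta(minutes=20), "second use")
        out["reuse_blocked"] = False
    except PermissionError:
        out["reuse_blocked"] = True
    b.review(bg, "ot-security")
    out["pending_after_review"] = len(b.pending_reviews())
    out["swept"] = b.sweep(t0 + timedelta(hours=2))
    return out, b.log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    for when, event in log:
        print(when.isoformat(), event)
```

The two design choices that matter are that expiry is enforced at the access check rather than by trusting a cleanup job to run, and that the emergency account is unusable until someone has signed off on its last use, so the break-glass path cannot quietly become a standing workaround.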

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                          Control / Reference   Relevance
OWASP Non-Human Identity Top 10    NHI-03                Credential rotation is central when SCADA cannot be taken offline.
NIST CSF 2.0                       PR.AC-4               Least-privilege access fits staged SCADA modernization without shutdown.
NIST Zero Trust (SP 800-207)       SP 800-207            Zero Trust supports segmented, monitored access for legacy industrial systems.

Rotate service and vendor credentials on a schedule and revoke them after each maintenance window.