Start with the systems whose access paths create the largest operational blast radius, then replace password-first access with stronger authentication that fits the environment. Keep legacy systems stable by sequencing change, not by preserving weak controls indefinitely. Modernization succeeds when security, operations, and governance share a migration plan.
Why This Matters for Security Teams
Critical infrastructure authentication cannot be modernized as a simple password replacement exercise. Plants, utilities, transport networks, and industrial control environments depend on long-lived sessions, brittle vendor workflows, and legacy integrations that can fail if identity changes are rolled out without sequencing. The real objective is to reduce blast radius while preserving uptime, which means treating authentication as an operational control, not just an IT control.
NHI Management Group research shows the scale of the problem: Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges and that only 20% of organisations have formal offboarding and revocation processes. That matters in critical infrastructure because weak authentication is rarely isolated. It becomes a pathway for service accounts, vendor remote access, and machine-to-machine trust to expand beyond intended scope. Guidance from CISA cyber threat advisories reinforces that attackers routinely target identity paths first, especially where operational technology and enterprise identity overlap.
In practice, many security teams discover authentication debt only after a maintenance window, vendor outage, or incident exposes how much production depends on credentials that were never designed for modern assurance.
How It Works in Practice
The safest modernization path is staged. Start by inventorying every authentication path that touches high-impact assets, including operator consoles, remote maintenance tools, APIs, service accounts, and machine users. Then rank those paths by operational blast radius and replace the highest-risk ones first. For many environments, the right first move is not full federation or passwordless rollout, but stronger authentication at the edge of the risky path: MFA for privileged human access, certificate-based authentication for devices, and tightly scoped tokens for service-to-service access.
For non-human access, current best practice is moving toward workload identity and short-lived credentials rather than static secrets. That means issuing credentials per task, binding them to the workload, and revoking them automatically when the task ends. This is consistent with NHI guidance and with the broader direction of modern identity controls described in Ultimate Guide to NHIs. In parallel, use policy as code so authorization can be evaluated at request time rather than assumed from a human-style role model. NIST’s Zero Trust model and the evolving agentic security work in Anthropic Project Glasswing both point in that direction: identity should prove what a workload is, not just what secret it knows.
- Keep legacy systems stable by fronting them with identity-aware gateways when direct replacement is too risky.
- Use privileged access management for break-glass paths, but reduce standing privilege wherever a task can be time-bound.
- Rotate secrets on a schedule that reflects operational risk, not convenience.
- Require change windows, rollback plans, and ownership for every authentication migration.
These controls tend to break down when flat networks and vendor-managed remote access still allow broad lateral movement, because one compromised credential can then reach too many systems.
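A minimal model of the per-task, workload-bound credential flow described above, as an added example (not code from the page or from NHI Management Group): a broker issues a short-lived credential per task, binds it to a workload identity, evaluates a policy-as-code table at request time, and revokes the credential when the task ends. The scope names, resources and the HMAC construction are constructed for illustration.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

# Policy as code (constructed sample): the (action, resource) pairs each task scope may use.
POLICY = {
    "historian-export": {("read", "historian-db")},
    "hmi-patch": {("read", "hmi-01"), ("write", "hmi-01")},
}

@dataclass(frozen=True)
class TaskCredential:
    task_id: str
    workload_id: str  # the workload this credential is bound to
    scope: str        # task scope, evaluated against POLICY at request time
    expires_at: float
    mac: str          # broker HMAC over the fields above, so they cannot be altered

class WorkloadCredentialBroker:
    def __init__(self, clock=time.time):
        self._key = secrets.token_bytes(32)  # broker-held signing key, generated per run
        self._clock = clock                  # injectable so expiry can be exercised in tests
        self._active: dict[str, TaskCredential] = {}
        self.log: list[str] = []             # one line per authorization decision

    def _mac(self, task_id, workload_id, scope, expires_at):
        msg = f"{task_id}|{workload_id}|{scope}|{expires_at:.0f}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, workload_id, scope, ttl_s=300):
        task_id, exp = secrets.token_hex(8), self._clock() + ttl_s
        cred = TaskCredential(task_id, workload_id, scope, exp, self._mac(task_id, workload_id, scope, exp))
        self._active[task_id] = cred
        return cred

    def end_task(self, task_id):
        self._active.pop(task_id, None)  # automatic revocation when the task ends

    def authorize(self, cred, presenting_workload, action, resource):
        expected = self._mac(cred.task_id, cred.workload_id, cred.scope, cred.expires_at)
        # Ordered checks; the first failing one becomes the logged reason for denial.
        checks = [
            (cred.task_id in self._active, "revoked-or-unknown"),
            (cred.workload_id == presenting_workload, "workload-binding-mismatch"),
            (hmac.compare_digest(cred.mac, expected), "tampered"),
            (self._clock() <= cred.expires_at, "expired"),
            ((action, resource) in POLICY.get(cred.scope, set()), "policy-denied"),
        ]
        reason = next((why for ok, why in checks if not ok), "ok")
        self.log.append(f"{cred.task_id} {presenting_workload} {action} {resource} -> {reason}")
        return reason == "ok"
```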
Common Variations and Edge Cases
Tighter authentication often increases operational overhead, requiring organisations to balance assurance against maintenance burden and recovery speed. That tradeoff is real in critical infrastructure, where some systems cannot tolerate frequent reauthentication, certificate churn, or dependencies on external identity services. Current guidance suggests separating safety-critical and business-critical authentication flows so modernization does not create a single point of failure.
One common edge case is legacy SCADA or industrial control equipment that cannot support modern protocols. In those environments, the practical answer is usually compensating controls: segment the asset, constrain administrative paths, and broker access through a hardened jump environment rather than forcing unsupported native changes. Another edge case is vendor access. Many outages happen when third-party support still relies on shared passwords or persistent VPN access. Here, the goal should be just-in-time access, per-session approvals, and full logging, even if the underlying system itself remains unchanged for a time.
There is no universal standard for this yet across all critical sectors, but the direction is clear. The EU NIS2 Directive reinforces governance and resilience expectations, while NHI research shows static credential reliance is still widespread. Organisations that modernize authentication without accounting for failover, offline operation, and vendor dependency usually end up reintroducing the same weak controls under a different name.
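An added example (not the page's own code) of the vendor-access pattern described above: a broker in a hardened jump environment fronts a legacy asset whose native authentication stays unchanged, grants exactly one time-bound session per approval, and logs every approval, session and command decision. Vendor, asset and approver names are constructed.

```python
import secrets, time
from dataclasses import dataclass

@dataclass
class Approval:
    vendor: str     # which third party the approval is for
    asset: str      # the one legacy asset it covers
    approver: str
    window_s: int   # session lifetime once opened

class VendorAccessBroker:
    """Jump-environment broker: the legacy asset keeps its own auth unchanged; the broker
    enforces per-session approval, time-bound sessions and full logging in front of it."""

    def __init__(self, clock=time.time):
        self._clock = clock                    # injectable so expiry can be exercised in tests
        self._approvals: dict[str, Approval] = {}
        self._sessions: dict[str, tuple] = {}  # session_id -> (vendor, asset, expires_at)
        self.audit: list[dict] = []            # every approval, session and command decision

    def _log(self, event, **fields):
        self.audit.append({"ts": self._clock(), "event": event, **fields})

    def approve(self, vendor, asset, approver, window_s=1800):
        approval_id = secrets.token_hex(6)
        self._approvals[approval_id] = Approval(vendor, asset, approver, window_s)
        self._log("approved", approval_id=approval_id, vendor=vendor, asset=asset, approver=approver)
        return approval_id

    def open_session(self, approval_id, vendor):
        appr = self._approvals.get(approval_id)
        if appr is None or appr.vendor != vendor:
            self._log("session_denied", approval_id=approval_id, vendor=vendor)
            return None
        del self._approvals[approval_id]       # one approval opens exactly one session
        sid = secrets.token_hex(8)
        self._sessions[sid] = (vendor, appr.asset, self._clock() + appr.window_s)
        self._log("session_opened", session_id=sid, vendor=vendor, asset=appr.asset)
        return sid

    def forward(self, session_id, asset, command):
        sess = self._sessions.get(session_id)
        if sess is None or sess[1] != asset or self._clock() > sess[2]:
            self._log("command_denied", session_id=session_id, asset=asset, command=command)
            return False
        self._log("command_forwarded", session_id=session_id, asset=asset, command=command)
        return True   # a real broker would relay the command to the asset here
```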
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while the NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses rotation and lifecycle control for non-human credentials in modernization. |
| NIST AI RMF | | Supports governance for identity modernization where autonomous systems affect infrastructure. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero trust requires verified identity before access, which fits staged authentication modernization. |
Treat every authentication request as untrusted until identity, context, and privilege are verified at runtime.
Related resources from NHI Mgmt Group
- How do organisations know if certificate-based authentication is actually reducing risk?
- How do teams harden authentication recovery without making access unusable?
- How should organisations decide between federated authentication and SSO?
- What breaks when passwordless authentication is deployed without lifecycle controls?