Start with the highest-risk assets and replace shared access with individual authentication that still works on the shop floor. Use phased rollout, exception handling, and operational fallback procedures so uptime is protected while accountability improves. The goal is not perfect coverage on day one, but a credible path away from untraceable access.
Why This Matters for Security Teams
Shared logins in OT are usually defended as a practical necessity, but they create an accountability gap that becomes a security and safety problem the moment an incident occurs. If operators, contractors, and maintenance teams all use the same account, it is difficult to prove who changed a setpoint, disabled an alarm, or approved a remote action. That makes detection, response, and root-cause analysis much slower.
The operational risk is not theoretical. In the Ultimate Guide to NHIs, NHI Mgmt Group notes that the Schneider Electric credentials breach shows how identity weaknesses can cascade into broader exposure when access is not tightly governed. For manufacturers, the goal is not to impose office-style IAM onto a production line, but to replace anonymous access with traceable, resilient authentication that still fits shift work, contractors, and constrained HMIs. Current guidance suggests treating identity as an operations control, not just an IT control.
In practice, many security teams discover the scale of shared access only after a plant event, audit finding, or vendor dispute has already exposed the lack of traceability.
How It Works in Practice
The most reliable path is phased replacement, starting with the highest-risk assets: engineering workstations, PLC programming interfaces, remote access paths, and privileged operator functions. Each shared login should be mapped to a named person, role, or service function, then replaced with individual authentication that works in the plant environment. That usually means badge-based login, smart cards, local tokens, shared kiosk sessions with unique operator attribution, or privileged access workflows that issue individual approval and audit trails.
For OT, the implementation pattern matters more than the technology label. Strong identity controls should preserve uptime, so teams commonly combine local authentication, break-glass access, and time-bound elevation. The NIST Cybersecurity Framework 2.0 supports this kind of risk-based transition by emphasizing governance, access control, and recovery planning rather than one-size-fits-all enforcement. In parallel, manufacturers should align identities to assets and functions, then apply continuous review to remove stale access.
- Start with assets where shared credentials create the highest blast radius.
- Assign unique identities to operators, engineers, and vendors before tightening privileges.
- Use exception handling for legacy equipment that cannot support modern auth.
- Keep a documented fallback procedure for outages, shift changes, and emergency interventions.
Visibility also matters. Without logs that connect a person to a session, a badge, or a privileged action, the migration only changes the label on the account. Best practice is to preserve operational continuity while building traceability into every access path. These controls tend to break down in brownfield plants with legacy HMIs, unsupported PLCs, or vendor-maintained systems that cannot distinguish one user from another.
Common Variations and Edge Cases
Tighter identity control often increases friction on the shop floor, requiring organisations to balance traceability against shift speed, safety response time, and maintenance overhead. That tradeoff is real, especially in plants that depend on night-shift coverage, outside contractors, or equipment that was never designed for per-user authentication.
There is no universal standard for this yet, so current guidance suggests using compensating controls where direct replacement is not immediately possible. For example, a shared terminal may be acceptable temporarily if the session is re-attributed through badge tap-in, supervisor approval, or time-stamped work orders. Likewise, emergency access should exist, but it must be rare, logged, and reviewed after use.
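The two controls that make a shared terminal tolerable, re-attributing each session to a badge holder and forcing every break-glass use into a review queue, are easy to state and easy to get wrong in the log pipeline. The script below is an added example, not code from this page or from NHI Mgmt Group. It assumes two constructed feeds: a badge-reader log of tap-in and tap-out events at a terminal, and an HMI audit log in which every action is recorded under the shared account. The account names, terminal name, action names and log layout are all hypothetical. A tap-in opens a window that attributes later actions on that terminal to the badge holder until tap-out or a timeout; a privileged action with no open window, and any action under the break-glass account, lands in the review queue.

```python
from datetime import datetime, timedelta

SHARED_ACCOUNTS = {"operator", "maint"}          # hypothetical shared OT logins
BREAK_GLASS_ACCOUNTS = {"emergency"}              # hypothetical break-glass login
PRIVILEGED_ACTIONS = {"setpoint_change", "alarm_disable", "remote_approve", "plc_download"}
SESSION_TIMEOUT = timedelta(hours=12)             # cap for a tap-in that never got a tap-out

# Constructed badge-reader feed: <timestamp> <terminal> TAP_IN|TAP_OUT <badge_id> <person>
BADGE_LOG = """\
2024-03-04T06:58:12 HMI-07 TAP_IN 4411 j.doe
2024-03-04T14:55:03 HMI-07 TAP_OUT 4411 j.doe
2024-03-04T14:57:40 HMI-07 TAP_IN 5120 r.khan
2024-03-04T23:01:15 HMI-07 TAP_OUT 5120 r.khan
2024-03-05T06:59:30 HMI-07 TAP_IN 4411 j.doe
"""

# Constructed HMI audit feed: <timestamp> <terminal> <account> <action> <target> <detail>
HMI_LOG = """\
2024-03-04T07:03:40 HMI-07 operator setpoint_change line2.temp 180->195
2024-03-04T10:12:05 HMI-07 operator ack_alarm line2.temp_hi -
2024-03-04T15:20:11 HMI-07 operator alarm_disable line2.temp_hi -
2024-03-04T23:40:02 HMI-07 operator setpoint_change line2.temp 195->210
2024-03-05T02:15:00 HMI-07 emergency plc_download line2.plc fw-2.3.1
2024-03-05T07:30:00 HMI-07 operator remote_approve vendor-session-18 -
"""


def _ts(s):
    return datetime.fromisoformat(s)


def badge_sessions(badge_log):
    """Turn TAP_IN/TAP_OUT events into per-terminal (terminal, start, end, person) windows."""
    open_taps = {}                      # (terminal, badge_id) -> (start, person)
    sessions = []
    for line in badge_log.strip().splitlines():
        ts, terminal, event, badge_id, person = line.split()
        key = (terminal, badge_id)
        if event == "TAP_IN":
            open_taps[key] = (_ts(ts), person)
        elif event == "TAP_OUT" and key in open_taps:
            start, person = open_taps.pop(key)
            sessions.append((terminal, start, _ts(ts), person))
    # A tap-in with no tap-out (shift overrun, forgot to badge out) is capped, never open-ended.
    for (terminal, _badge), (start, person) in open_taps.items():
        sessions.append((terminal, start, start + SESSION_TIMEOUT, person))
    return sessions


def who_was_logged_in(sessions, terminal, at):
    """Return the badge holder whose window covers this terminal at this instant, else None."""
    for term, start, end, person in sessions:
        if term == terminal and start <= at <= end:
            return person
    return None


def attribute(badge_log, hmi_log):
    """Attach a named person to every action recorded under a shared account."""
    sessions = badge_sessions(badge_log)
    records = []
    for line in hmi_log.strip().splitlines():
        ts, terminal, account, action, target, detail = line.split(maxsplit=5)
        person = who_was_logged_in(sessions, terminal, _ts(ts))
        if account in BREAK_GLASS_ACCOUNTS:
            status = "break_glass"      # reviewed every time, badge present or not
        elif account in SHARED_ACCOUNTS:
            status = "attributed" if person else "unattributed"
        else:
            person, status = account, "attributed"   # already an individual login
        records.append({"ts": ts, "terminal": terminal, "account": account, "action": action,
                        "target": target, "privileged": action in PRIVILEGED_ACTIONS,
                        "person": person, "status": status})
    return records


def review_queue(records):
    """What a supervisor must sign off: unattributable privileged actions and all break-glass use."""
    return [r for r in records
            if r["status"] == "break_glass"
            or (r["privileged"] and r["status"] == "unattributed")]


if __name__ == "__main__":
    recs = attribute(BADGE_LOG, HMI_LOG)
    for r in recs:
        print(f'{r["ts"]} {r["terminal"]} {r["account"]:>9} {r["action"]:<16} '
              f'-> {(r["person"] or "NOBODY"):<8} [{r["status"]}]')
    print("needs review:", [(r["ts"], r["action"]) for r in review_queue(recs)])
```

Two details carry the security value. The setpoint change at 23:40 is unattributed because the previous operator badged out at 23:01 and nobody badged in, so it goes to review rather than being silently credited to the last known person. The break-glass firmware download is queued regardless of badge state, which is what "rare, logged, and reviewed after use" means once it is enforced in a pipeline rather than in a policy document.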
Manufacturers should also distinguish between operator access and vendor access. The latter often presents the highest risk because remote troubleshooting, firmware updates, and maintenance windows can bypass normal controls. The same identity model should not be forced onto every environment; clean-room production, safety-critical lines, and highly automated cells may need different rollout speeds. NHI Mgmt Group’s broader guidance in the Ultimate Guide to NHIs is useful here because it frames identity as lifecycle governance, not just login replacement. The practical test is whether every privileged action can be traced back to a person or approved workflow without interrupting production unnecessarily.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Identities and credentials for users, services, and hardware are managed by the organisation; shared logins undermine accountable access control in OT. (PR.AC-1 was the CSF 1.1 label for this subcategory.) |
| NIST CSF 2.0 | PR.AA-05 | Access permissions are defined, enforced, and reviewed under least privilege; this supports phased removal of broad shared access. (PR.AC-4 was the CSF 1.1 label.) |
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity sprawl and weak accountability are core non-human identity risks. |
Replace shared OT accounts with named access and auditable authentication paths.
Related resources from NHI Mgmt Group
- How should security teams apply zero trust to OT without disrupting operations?
- How should organisations govern identity in OT environments without disrupting operations?
- How should healthcare teams govern shared mobile device access without slowing clinicians down?
- How should NHS security teams reduce privileged access risk without disrupting clinical operations?