How should manufacturing teams secure access across IT and OT environments?

Manufacturing teams should standardise authentication where they can, then apply compensating controls around legacy OT systems that cannot support modern identity patterns. The priority is to reduce shared access, limit standing privilege, and align access decisions with shift-based operations so security does not interrupt production.

Why This Matters for Security Teams

Manufacturing access is harder than standard enterprise access because IT and OT have different uptime, safety, and vendor-support constraints. A strong control in the office can become a production outage on the plant floor if it ignores shared accounts, unmanaged workstations, or legacy controllers. The real risk is not just unauthorised access. It is uncontrolled access that cannot be changed quickly when a contractor leaves, a shift rotates, or a device is replaced.

NHI Mgmt Group has found that 97% of NHIs carry excessive privileges, which is especially dangerous in manufacturing where service accounts often bridge MES, ERP, historians, and OT gateways. That makes the Ultimate Guide to NHIs directly relevant to plant environments. The control problem matches what the OWASP Non-Human Identity Top 10 guidance describes: identity sprawl, over-privilege, and weak lifecycle controls turn routine access into a persistent exposure.

In practice, many security teams discover the access gap only after a maintenance account, shared vendor login, or forgotten API key has already been used outside its intended shift window, rather than through intentional review.

How It Works in Practice

The most workable pattern is to separate identity policy from production dependency. Standard IT systems should use central identity, MFA, and privileged access workflows. OT systems that cannot support modern authentication should be wrapped with compensating controls such as jump hosts, session recording, network segmentation, and tightly governed service accounts. That approach lets teams improve access without forcing unsupported changes onto PLCs, HMIs, or vendor-managed platforms.

For accounts that do integrate cleanly, use least privilege and short-lived access by default. This is where Ultimate Guide to NHIs — Key Challenges and Risks aligns with current best practice: reduce standing privilege, rotate secrets, and make revocation immediate when a role, shift, or supplier relationship changes. In parallel, the OWASP Non-Human Identity Top 10 reinforces that secret sprawl and excessive trust are the usual failure points, not merely weak passwords.

  • Use a single source of truth for human access where feasible, then federate into plant systems through controlled gateways.
  • Replace shared credentials with named accounts, break-glass access, or task-bound service identities.
  • Bind privileges to shifts, work orders, or maintenance windows instead of leaving access always on.
  • Log and review access at the boundary between IT and OT, not just within each domain.

For policy framing, CISA guidance on cyber-physical systems and NIST cyber-physical systems guidance both support layered controls when direct identity modernisation is not practical. These controls tend to break down when plant owners allow vendor remote access to bypass the normal access path, because the exception quickly becomes the default.

Common Variations and Edge Cases

Tighter access control often increases operational overhead, requiring organisations to balance production continuity against stronger identity governance.

Legacy OT is the hardest case. Some systems only support local accounts, hardcoded credentials, or maintenance access that cannot be federated. Best practice is evolving here, and there is no universal standard for every plant architecture. In those environments, compensating controls matter more than elegant identity design: isolate the asset, restrict who can reach it, and force every privileged session through a monitored control point.

Mixed IT/OT environments also need different treatment for humans and non-human identities. A maintenance engineer, a supplier, and a SCADA integration job should not share the same access model, even if they touch the same system. For that reason, current guidance suggests separate lifecycle rules for contractors, machine accounts, and vendor support channels, with explicit offboarding when a project ends. The NHIMG guide on 52 NHI Breaches Analysis shows how often weak lifecycle control becomes the root cause in real incidents.

Where safety and uptime dominate, access can be approved more broadly but only for a shorter time, with stronger logging and supervisory approval. The goal is not to eliminate exceptions. It is to make exceptions visible, time-limited, and reversible before they become standing privilege.
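The time-bound grants, boundary logging, and immediate revocation listed under "How It Works in Practice", together with the visible, time-limited, reversible exceptions described just above, can be expressed as one small policy model. The following is an added example, not code from the original article or from NHI Mgmt Group: a grant is tied to a named principal, a target asset, and a shift or maintenance window; break-glass access is recorded, needs a supervisory approver, and expires on its own; and an audit pass over constructed jump-host log lines at the IT/OT boundary flags any use outside an active grant. Every account name, asset name, work-order id, log format, and the four-hour exception ceiling are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Grant:
    principal: str            # named human or machine account, never a shared login
    target: str               # OT asset reached through the monitored control point
    start: datetime
    end: datetime
    reason: str               # shift, work order, maintenance window or "break-glass"
    approver: Optional[str] = None   # supervisory approver, required for exceptions
    revoked: bool = False

    def active(self, at: datetime) -> bool:
        return not self.revoked and self.start <= at < self.end


class AccessPolicy:
    # Assumption for this example: no exception may outlive one short window.
    MAX_EXCEPTION = timedelta(hours=4)

    def __init__(self) -> None:
        self.grants: List[Grant] = []

    def grant_for_window(self, principal: str, target: str,
                         start: datetime, end: datetime, reason: str) -> Grant:
        """Time-bound privilege tied to a shift, work order or maintenance window."""
        g = Grant(principal, target, start, end, reason)
        self.grants.append(g)
        return g

    def break_glass(self, principal: str, target: str, now: datetime,
                    approver: Optional[str], hours: int = 2) -> Grant:
        """Exception access: recorded, approved, time-limited, and reversible."""
        if not approver:
            raise ValueError("break-glass access requires a supervisory approver")
        span = timedelta(hours=hours)
        if span > self.MAX_EXCEPTION:
            raise ValueError("exception window exceeds policy maximum")
        g = Grant(principal, target, now, now + span, "break-glass", approver=approver)
        self.grants.append(g)
        return g

    def revoke_principal(self, principal: str) -> int:
        """Immediate revocation when a role, shift or supplier relationship changes."""
        hits = [g for g in self.grants if g.principal == principal and not g.revoked]
        for g in hits:
            g.revoked = True
        return len(hits)

    def allowed(self, principal: str, target: str, at: datetime) -> bool:
        return any(g.principal == principal and g.target == target and g.active(at)
                   for g in self.grants)

    def audit(self, log_lines: List[str]) -> List[Tuple[str, str, str]]:
        """Review boundary (jump-host) log lines; return every use outside a grant."""
        findings = []
        for line in log_lines:
            ts, principal, target = parse_boundary_line(line)
            if not self.allowed(principal, target, ts):
                findings.append((principal, target, ts.isoformat()))
        return findings


def parse_boundary_line(line: str) -> Tuple[datetime, str, str]:
    # Constructed log format for this example: "<ISO timestamp> user=<account> target=<asset>"
    ts, user_kv, target_kv = line.split()
    return (datetime.fromisoformat(ts),
            user_kv.split("=", 1)[1], target_kv.split("=", 1)[1])


def run_demo() -> dict:
    """Constructed scenario: one shift grant, one revoked contractor grant,
    one break-glass exception, and six boundary log lines to review."""
    t = datetime.fromisoformat
    policy = AccessPolicy()
    policy.grant_for_window("eng.alice", "plc-line3",
                            t("2024-03-04T06:00:00"), t("2024-03-04T14:00:00"), "WO-1042")
    policy.grant_for_window("ctr.dave", "historian-1",
                            t("2024-03-04T06:00:00"), t("2024-03-04T18:00:00"), "WO-1043")
    revoked = policy.revoke_principal("ctr.dave")   # contract ended before the shift
    policy.break_glass("vendor.bob", "hmi-line3", t("2024-03-04T20:00:00"),
                       approver="sup.carol", hours=2)
    try:
        policy.break_glass("vendor.bob", "hmi-line3", t("2024-03-04T20:00:00"), approver=None)
        rejected_unapproved = False
    except ValueError:
        rejected_unapproved = True

    log = [  # constructed jump-host records at the IT/OT boundary
        "2024-03-04T07:15:00 user=eng.alice target=plc-line3",    # inside shift
        "2024-03-04T15:30:00 user=eng.alice target=plc-line3",    # after shift ended
        "2024-03-04T21:00:00 user=vendor.bob target=hmi-line3",   # inside exception
        "2024-03-04T23:00:00 user=vendor.bob target=hmi-line3",   # exception expired
        "2024-03-04T10:00:00 user=ctr.dave target=historian-1",   # grant revoked
        "2024-03-04T09:00:00 user=ops-shared target=plc-line3",   # shared login, no grant
    ]
    return {
        "findings": policy.audit(log),
        "revoked": revoked,
        "rejected_unapproved": rejected_unapproved,
        "in_shift_allowed": policy.allowed("eng.alice", "plc-line3", t("2024-03-04T07:15:00")),
    }


if __name__ == "__main__":
    for f in run_demo()["findings"]:
        print("out-of-window access:", f)
```

Run as a script, the demo reports four out-of-window uses: the engineer after her shift ended, the vendor after the exception expired, the revoked contractor, and the shared login that never had a grant. The design point is that every decision, including the exception, is evaluated against the same window-bound grant list, so revocation and expiry take effect at the boundary without touching the PLC or HMI itself.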

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses excessive privileges and weak lifecycle control for service accounts. |
| NIST CSF 2.0 | PR.AA-01 | Supports identity proofing and access enforcement across mixed environments. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access is central to reducing shared and overbroad manufacturing access. |

Inventory OT and IT service accounts, remove standing privilege, and rotate or revoke credentials on a fixed schedule.