Device authentication proves that a machine, sensor, or controller is genuine. Device authorisation determines what that device is allowed to do once trusted. Industrial environments need both, because a verified device may still need tightly scoped permissions to limit production risk.
Why This Matters for Security Teams
In IIoT, device authentication and device authorisation solve different problems, and mixing them up creates avoidable risk. Authentication answers whether a sensor, controller, gateway, or maintenance tool is genuine. Authorisation answers what that trusted device can do inside the plant network, including which PLCs it may reach, which topics it may publish to, and which commands it may issue. The distinction matters because industrial devices are often long-lived, remotely managed, and integrated across vendors.
Industry guidance increasingly treats this as a Zero Trust issue rather than a simple trust check, which is consistent with the NIST Cybersecurity Framework 2.0. NHI Management Group research also shows why scope control is urgent: NHI Mgmt Group reports that 97% of NHIs carry excessive privileges, which is exactly the kind of overreach that device authorisation is meant to prevent.
In practice, many security teams encounter device misuse only after a trusted endpoint has already been used to move laterally or alter production state.
How It Works in Practice
Device authentication typically happens first. The plant validates the device’s identity using certificates, hardware-backed keys, shared secrets, or attestations from a trusted platform. If the device cannot prove who it is, the session should fail before any operational action is permitted. This is especially important for IIoT fleets because devices are often cloned, replaced, or serviced in the field.
Device authorisation comes next and should be narrower than the authentication layer. A verified device may still be limited to a specific line, protocol, or command set. For example, a temperature sensor may be allowed to publish telemetry but never write configuration data, while a maintenance tablet may be allowed to request diagnostics but not trigger actuator changes. This is where policy matters: current guidance suggests expressing permissions as explicit machine rules rather than broad network trust. That aligns with the NIST CSF emphasis on controlled access and asset governance.
- Authentication verifies the device’s cryptographic identity or trusted hardware state.
- Authorisation scopes that identity to allowed assets, protocols, commands, and time windows.
- Segmentation limits damage if a verified device is compromised.
- Logging should capture both the identity proof and the action decision for incident review.
For governance, NHIs should be managed as first-class machine identities. The Schneider Electric credentials breach is a reminder that trusted machine access can still become a production risk when credentials, scope, or lifecycle controls fail. These controls tend to break down in brownfield environments with shared credentials, unsupported devices, or flat industrial networks because authentication is present but granular authorisation cannot be enforced consistently.
Common Variations and Edge Cases
Tighter device authorisation often increases operational overhead, requiring organisations to balance safety and availability against configuration complexity.
Some IIoT deployments use certificate-based authentication but rely on coarse allowlists for authorisation. That is acceptable as a transitional control, but best practice is evolving toward finer-grained, context-aware decisions. A line-side controller may need elevated permissions during commissioning and much tighter permissions during normal operation. Likewise, a contractor’s diagnostic tool may require temporary access that expires automatically after a maintenance window closes.
Edge cases appear when devices share gateways, when legacy protocols cannot carry strong identity claims, or when a single device performs multiple roles. In those situations, there is no universal standard for perfect device-level authorisation, so compensating controls become critical: network segmentation, protocol proxies, per-function accounts, and short-lived credentials for operator tools. Organisations should also treat vendor remote support channels carefully, because authenticated access does not automatically justify broad production permissions.
For teams building a program from scratch, the most practical rule is simple: authenticate the device once, authorise every action separately, and revoke access as soon as the task ends.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Device identities are NHIs and need strong verification and lifecycle control. |
| NIST CSF 2.0 | PR.AC-4 | Device authorisation is about limiting what an authenticated device may access. |
| NIST Zero Trust (SP 800-207) | Policy Enforcement Point | IIoT devices should be authenticated, then authorised at the point of action. |
Inventory every device identity, then enforce issuance, rotation, and revocation as a managed NHI lifecycle.
Related resources from NHI Mgmt Group
- What is the difference between agent authentication and agent authorisation?
- What is the difference between passwordless login and cross-device authentication?
- Why is it crucial to adopt new authentication methods in MCP usage?
- What is the difference between authentication and authorization in NHI systems?
