Accountability usually spans operations, security, engineering, and suppliers, because OT connectivity decisions are shared decisions. Boards and regulators will expect named ownership for access paths, segmentation, monitoring, and incident isolation, especially where critical services are affected. Clear accountability is the only way to prevent breach readiness from becoming a documentation exercise.
Why This Matters for Security Teams
OT connectivity changes the accountability model because a network path into production is not just a technical link, it is an operational dependency with safety, availability, and recovery consequences. When disruption occurs, the question is rarely whether a firewall failed in isolation. It is usually whether ownership for remote access, segmentation, monitoring, change approval, and supplier access was defined before the outage. Current guidance from NIST SP 800-53 Rev 5 Security and Privacy Controls supports the idea that accountable control ownership matters as much as the control itself.
Security teams often over-focus on tool deployment and under-focus on decision rights. In OT environments, that gap becomes visible when engineers, plant operators, MSSPs, and vendors each assume someone else approved the change, monitored the link, or had authority to isolate it. The result is delayed containment, unclear escalation, and disagreements over whether the disruption was caused by a cyber event, a maintenance action, or a supplier mistake.
For NHIMG, the practical lesson is that accountability must be explicit before connectivity is expanded. If it is not assigned, it becomes contested during the incident, which slows response and increases business impact. In practice, many security teams encounter ownership gaps only after production has already been disrupted, rather than through intentional readiness planning.
How It Works in Practice
Accountability in OT connectivity should be assigned across the full lifecycle, not only at design time. That means someone owns the approval of connectivity, someone owns the security architecture, someone owns operational continuity, and someone owns third-party assurance. The clearest model is a documented control owner for each critical pathway, with escalation authority for emergency isolation and restoration.
In operational terms, the accountable parties usually include plant operations for runtime impact, OT engineering for system integrity, security for monitoring and detection, and procurement or supplier management for contracted access. Where third parties provide remote support, the contract should define who can connect, when, under what authentication, and how access is revoked. This aligns with broader identity and access governance principles in NIST SP 800-207 Zero Trust Architecture, even though OT implementation often requires compensating controls because legacy systems cannot enforce modern trust checks natively.
- Define named ownership for each OT access path, including jump hosts, VPNs, vendor tunnels, and remote admin accounts.
- Map who approves changes, who monitors activity, and who can isolate a segment during an incident.
- Maintain logs that connect access decisions to specific business and safety owners.
- Test incident playbooks so accountability is exercised under pressure, not only recorded in policy.
Good practice also includes recovery accountability. If connectivity is needed for patching, telemetry, or support, the organisation should define who authorises temporary exposure and who verifies rollback. This is where MITRE ATT&CK helps teams think in attacker behaviours and response paths, especially around remote services, lateral movement, and valid accounts. These controls tend to break down when ownership is split across plants, corporate IT, and suppliers because no single team has authority to stop unsafe connectivity fast enough.
Common Variations and Edge Cases
Tighter OT accountability often increases coordination overhead, requiring organisations to balance production uptime against control rigor. That tradeoff is real: highly segmented environments with many vendors need more approvals and more change control, while highly integrated environments may move faster but leave fewer options for containment.
There is no universal standard for who must be the final accountable owner in every OT model. In some organisations, the plant manager owns operational risk, while the CISO owns the security control framework and the engineering lead owns technical implementation. In others, especially where safety systems are involved, accountability may sit with a formal operational risk committee. The important point is that the line of accountability must be visible, auditable, and tested.
Edge cases often appear in shared infrastructures, managed services, or multi-site manufacturing. If a supplier maintains always-on access, accountability must include both the customer organisation and the supplier, with clear rules for monitoring, approval, and emergency suspension. Where regulation or critical infrastructure obligations apply, teams should also consider CISA industrial control system guidance and sector-specific resilience expectations. The answer becomes more complex when OT connectivity supports safety-critical or 24/7 processes, because isolation decisions may carry operational and physical consequences.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the technical controls, and NIS2 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | OT disruption accountability depends on clear organisational roles and ownership. |
| NIST Zero Trust (SP 800-207) | SC-7 | Segmentation and isolation are central when connectivity failure affects production. |
| NIS2 | Critical service disruption raises governance and incident accountability expectations. | |
| OWASP Non-Human Identity Top 10 | OT supplier access often relies on non-human identities and secrets that need ownership. |
Assign explicit operational and security ownership for every production-facing connectivity path.
Related resources from NHI Mgmt Group
- Who is accountable when a contained vulnerability still leads to operational disruption?
- Who is accountable when OT living off the land abuse reaches production systems?
- Who is accountable when anonymous credentials are used in production?
- Who is accountable when vendor credentials touch production data?