TL;DR: Critical infrastructure resilience is increasingly tied to how organisations govern OT access, vendor sessions, and incident response under NIS2, according to SSH Communications Security. The practical issue is not eliminating risk but proving that privileged access, auditability, and continuity controls still hold when essential services are under stress.
At a glance
What this is: This article argues that resilience now depends on stronger OT access governance, with NIS2, Zero Trust, and just-in-time access as the main control themes.
Why it matters: It matters because IAM teams now have to extend identity controls into OT, third-party access, and operational continuity, not just enterprise IT.
👉 Read SSH Communications Security's analysis of NIS2 resilience and OT access control
Context
Resilience in critical infrastructure depends on more than perimeter defence. In practice, the weak point is often privileged access in operational environments, where vendor sessions, maintenance workflows, and emergency changes create high-impact identity paths that traditional IT controls do not model well.
The article frames NIS2, Zero Trust, and just-in-time access as part of the same governance problem: keeping essential services available while reducing the blast radius of privileged access. For IAM and PAM teams, the question is how to make OT access reviewable, auditable, and time-bound without breaking operations.
Key questions
Q: How should security teams govern privileged access in OT environments?
A: They should treat OT privileged access as a continuity control, not only a security control. Use task-scoped approval, short-lived credentials, and full session recording for vendors and operators. The goal is to reduce standing privilege, preserve attribution, and keep essential services running when incidents or maintenance work occur.
Q: Why do OT environments need different access controls from IT systems?
A: OT environments tie identity decisions directly to availability and safety, so broad or persistent access can have physical consequences. Many OT systems also rely on legacy protocols and vendor maintenance flows that make standard IT assumptions unreliable. Access must therefore be bounded, auditable, and aligned to operational continuity.
Q: What breaks when vendor access is not tightly controlled in critical infrastructure?
A: The main failure is loss of accountability and excessive blast radius. If vendor sessions are not time-limited and recorded, an incident may be impossible to reconstruct, and a compromised account can reach more systems than intended. That turns routine maintenance access into a resilience and recovery problem.
Q: How do Zero Trust and NIS2 fit together for OT resilience?
A: Zero Trust reduces implicit trust in access decisions, while NIS2 makes resilience and reporting obligations explicit for essential sectors. Together they push teams to prove who accessed what, for how long, and under which approval. The practical answer is to connect identity, audit, and continuity controls.
Technical breakdown
Just-in-time access for OT sessions
Just-in-time access gives users or vendors elevated privileges only for the duration of a specific task. In OT, that matters because standing access is hard to justify when the same account can reach production equipment, maintenance interfaces, and sensitive operational data. JIT is not just a convenience layer. It changes the trust model from persistent entitlement to bounded session authority, which is better aligned to high-risk industrial work. The challenge is that OT environments often include legacy systems, vendor dependencies, and shared workflows that make rigid access patterns difficult to adopt.
Practical implication: define task-scoped access paths for OT work and remove standing administrative access where operations allow it.
Protocol-agnostic connections and audit trails
Protocol-agnostic access means the control plane can broker connections across different industrial protocols without exposing credentials directly to the user or vendor. That matters in OT because visibility often breaks at the protocol boundary, leaving teams unable to prove who accessed what, when, and for how long. A strong audit trail is not just logging. It is the evidence layer that supports accountability, incident review, and regulatory reporting. Without that, resilience claims are difficult to defend after an outage or intrusion.
Practical implication: centralise session brokering and ensure every privileged OT session is recorded with attributable metadata.
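The two mechanisms above, task-scoped just-in-time grants and an attributable session audit trail, fit together in one control plane. The following is an added example written for this post; it is not code from SSH Communications Security or from the original article. It models a minimal JIT broker in which every grant is bound to an approver, a work order and one asset, expires on a clock, becomes single-use once the task closes, and leaves an audit record that states who did what, under whose approval, for how long. The class names, field names, identities and the fixed clock `T0` are assumptions made for illustration.

```python
"""Added example (not code from the original article or from SSH Communications
Security): a minimal just-in-time access broker for OT sessions. Every grant
is task-scoped, approver-bound and time-bound; every session runs through the
broker and leaves an attributable audit record. Class names, field names and
the sample identities are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

T0 = datetime(2025, 1, 1, 8, 0, tzinfo=timezone.utc)  # constructed clock for the demo
MINUTE = timedelta(minutes=1)


@dataclass
class Grant:
    grant_id: str
    identity: str          # operator or vendor account requesting access
    approver: str          # independent approver (e.g. the operations lead)
    task: str              # work order the access is scoped to
    asset: str             # single OT asset the session may reach
    not_before: datetime
    not_after: datetime
    revoked: bool = False


@dataclass
class SessionRecord:
    session_id: str
    grant: Grant
    started: datetime
    ended: Optional[datetime] = None
    commands: list = field(default_factory=list)


class JitBroker:
    def __init__(self):
        self.grants: dict[str, Grant] = {}
        self.sessions: dict[str, SessionRecord] = {}

    def request_access(self, identity, approver, task, asset, now, ttl_minutes=60):
        # Approval is bound at issue time; self-approval or no approver is refused.
        if not approver or approver == identity:
            raise PermissionError("grant requires an independent approver")
        grant = Grant(secrets.token_hex(8), identity, approver, task, asset,
                      not_before=now, not_after=now + timedelta(minutes=ttl_minutes))
        self.grants[grant.grant_id] = grant
        return grant

    def open_session(self, grant_id, now):
        grant = self.grants.get(grant_id)
        if grant is None or grant.revoked:
            raise PermissionError("no valid grant")
        if not (grant.not_before <= now < grant.not_after):
            raise PermissionError("grant presented outside its time window")
        record = SessionRecord(secrets.token_hex(8), grant, started=now)
        self.sessions[record.session_id] = record
        return record

    def record_command(self, session_id, command, now):
        rec = self.sessions[session_id]
        if rec.ended is not None or rec.grant.revoked or now >= rec.grant.not_after:
            raise PermissionError("session closed or grant expired")
        rec.commands.append((now, command))

    def close_session(self, session_id, now):
        rec = self.sessions[session_id]
        rec.ended = now
        rec.grant.revoked = True  # single-use grant: privilege ends with the task
        return rec

    def audit_trail(self):
        # The evidence layer: who, under whose approval, for which task and asset, when.
        return [{"session": r.session_id, "identity": r.grant.identity,
                 "approver": r.grant.approver, "task": r.grant.task, "asset": r.grant.asset,
                 "started": r.started.isoformat(),
                 "ended": r.ended.isoformat() if r.ended else None,
                 "commands": len(r.commands)} for r in self.sessions.values()]


def demo():
    """Walk one vendor maintenance task through the broker; return the outcomes."""
    broker = JitBroker()
    g = broker.request_access("vendor-acme-tech", "ops-lead-jane", "WO-1042",
                              "PLC-Line3", now=T0, ttl_minutes=30)
    s = broker.open_session(g.grant_id, now=T0 + 2 * MINUTE)
    broker.record_command(s.session_id, "read firmware version", now=T0 + 3 * MINUTE)
    broker.record_command(s.session_id, "apply vendor patch", now=T0 + 10 * MINUTE)
    broker.close_session(s.session_id, now=T0 + 12 * MINUTE)
    outcomes = {"trail": broker.audit_trail()}
    # Reusing the grant after the task ends must fail: privilege does not persist.
    try:
        broker.open_session(g.grant_id, now=T0 + 13 * MINUTE)
        outcomes["reuse_blocked"] = False
    except PermissionError:
        outcomes["reuse_blocked"] = True
    # A grant presented after its window has elapsed must fail even if unused.
    late = broker.request_access("vendor-acme-tech", "ops-lead-jane", "WO-1043",
                                 "PLC-Line3", now=T0, ttl_minutes=30)
    try:
        broker.open_session(late.grant_id, now=T0 + 45 * MINUTE)
        outcomes["expired_blocked"] = False
    except PermissionError:
        outcomes["expired_blocked"] = True
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two design points carry the weight here: the approver and work order are captured when the grant is issued, not reconstructed afterwards, so the audit record is evidence rather than a best-effort log; and closing the session revokes the grant, so a credential that leaks after the task has nothing left to reach. A real broker would also store the command history and recording reference, which this model only counts.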
NIS2 and resilience as an operating requirement
NIS2 treats resilience as an operational obligation, not a theoretical policy goal. For essential sectors, that means incident reporting, risk management, and continuity planning have to be built into day-to-day access governance. Identity controls become part of service continuity because privileged access decisions can affect safety, availability, and recovery. In OT, the governance problem is broader than MFA or password policy. It is the ability to control third-party access, prove oversight, and maintain service under disruption.
Practical implication: map OT privileged access controls to NIS2-aligned resilience and reporting obligations, especially for third-party sessions.
Threat narrative
Attacker objective: The objective is to disrupt or influence critical operations by turning privileged OT access into a path to service impact.
- Entry occurs through privileged OT access, especially where vendor or maintenance accounts retain broad reach across operational systems.
- Escalation follows when session activity is not tightly bounded, allowing an attacker or careless operator to move from routine access into control-plane actions.
- Impact is operational disruption, unsafe changes, or loss of availability in systems that support critical infrastructure and essential services.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Resilience is now an identity governance problem, not just a network design problem. The article shows that essential services fail when privileged access paths are too broad, too persistent, or too hard to audit. That is an identity issue because the blast radius is created by who can reach operational systems and how long that access remains valid. The practitioner conclusion is that OT resilience depends on access governance that is both time-bound and attributable.
Just-in-time access in OT exposes the standing-privilege assumption that many programmes still depend on. Standing privilege was designed for stable administrative roles and predictable maintenance windows. That assumption fails when the operating environment is under stress, vendors need temporary reach, and the same account can be used across multiple critical systems. The implication is that resilience planning has to rethink persistent entitlement as a default state.
Identity blast radius: the practical risk is not only unauthorized entry, but the scope of damage a legitimate privileged session can create. In OT, that blast radius can include safety systems, availability, and recovery timelines. A control set that does not narrow session scope, verify attribution, and preserve evidence cannot support credible resilience claims. The practitioner conclusion is to treat access scope as an operational continuity control.
NIS2 turns resilience into a governance test that spans IT, OT, and third parties. The article correctly places responsibility beyond the security team, because continuity failures often involve vendors, operations staff, and incident leaders at the same time. That makes access oversight a cross-functional control, not a niche PAM exercise. The practitioner conclusion is to align OT identity governance with reporting, accountability, and recovery obligations before an incident forces the issue.
Quantum-safe and Zero Trust language in the article points to a broader lesson: resilience must be engineered as layered control, not assumed from one mechanism. Zero Trust reduces implicit access, but it does not replace access governance, audit, or continuity planning. The practitioner conclusion is to connect identity, cryptography, and operational recovery as one resilience programme rather than separate workstreams.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For a broader breach lens, see The 52 NHI breaches Report for case patterns that map directly to privileged access exposure and recovery failures.
What this signals
Identity blast radius: OT resilience programmes will increasingly be judged by whether they can prove session scope, attribution, and revocation across vendors and operators. If access still persists beyond the task, resilience claims remain brittle even when the network is segmented.
NIS2 pressure will keep pushing identity governance out of the IAM silo and into operational continuity planning. Teams that separate audit trails, incident reporting, and access review will struggle to show readiness when the next service disruption lands.
The next maturity jump is not another access policy. It is connecting JIT approval, session evidence, and recovery ownership into one operational model that can survive both cyber intrusion and routine maintenance stress.
For practitioners
- Map OT privileged access paths: Inventory every vendor, maintenance, and emergency account that can reach operational systems. Classify them by asset criticality, session method, and whether access is standing or time-bound.
- Move to time-bounded session control: Use just-in-time approval for high-risk OT access and revoke privileges immediately after the task completes. Keep the approval chain and session metadata attached to the record for audit and incident review.
- Centralise session evidence: Broker OT sessions through a control point that captures identity, command history, and file-transfer activity. Preserve a complete audit trail so operations, security, and compliance can reconstruct events without relying on manual notes.
- Align third-party access with NIS2 obligations: Tie vendor access review, incident reporting, and continuity planning to the same governance workflow. Make sure the business owner, not just the security team, signs off on ongoing access to critical systems.
- Separate resilience controls from cryptography planning: Treat Zero Trust, post-quantum readiness, and OT identity governance as complementary tracks. Build a roadmap that covers access scope, auditability, and recovery together instead of assuming one control family will cover the whole problem.
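The first three steps above (map the access paths, move them to time-bound control, centralise the evidence) can be turned into a repeatable review. The following is an added example written for this post, not code from the original article or from SSH Communications Security. It runs over a constructed inventory of accounts that can reach OT systems and a constructed set of session records, and flags standing access to critical assets, vendor access that bypasses the session broker, and session records that lack the fields attribution needs. Every record, field name and threshold is an assumption made for illustration.

```python
"""Added example (constructed, not from the original article): a review that
applies the first three practitioner steps to an inventory of OT privileged
accounts and the session evidence collected for them. All records and field
names are constructed assumptions."""

ACCOUNTS = [  # constructed inventory of accounts that can reach OT systems
    {"account": "vendor-acme-tech", "type": "vendor", "asset": "PLC-Line3",
     "criticality": "high", "access": "time-bound", "brokered": True},
    {"account": "maint-svc-hmi", "type": "maintenance", "asset": "HMI-Cluster",
     "criticality": "high", "access": "standing", "brokered": True},
    {"account": "vendor-gridco", "type": "vendor", "asset": "SCADA-Gateway",
     "criticality": "high", "access": "standing", "brokered": False},
    {"account": "ops-reporting", "type": "operator", "asset": "Historian",
     "criticality": "low", "access": "standing", "brokered": True},
]

SESSIONS = [  # constructed session records as a broker would emit them
    {"session": "s-01", "account": "vendor-acme-tech", "approver": "ops-lead-jane",
     "task": "WO-1042", "started": "2025-01-01T08:02Z", "ended": "2025-01-01T08:12Z",
     "recording": "rec-01"},
    {"session": "s-02", "account": "maint-svc-hmi", "approver": "", "task": "",
     "started": "2025-01-01T09:00Z", "ended": "", "recording": "rec-02"},
]

# Fields every privileged session record must carry to be reconstructable later.
REQUIRED_EVIDENCE = ("account", "approver", "task", "started", "ended", "recording")


def review_accounts(accounts):
    """Steps 1 and 2: find access paths that are standing on critical assets
    or that vendors use outside the broker."""
    findings = []
    for a in accounts:
        if a["access"] == "standing" and a["criticality"] == "high":
            findings.append((a["account"], f"standing access to critical asset {a['asset']}"))
        if a["type"] == "vendor" and not a["brokered"]:
            findings.append((a["account"], "vendor access not brokered: no central session evidence"))
    return findings


def review_sessions(sessions):
    """Step 3: a session record is only evidence if every attribution field is present."""
    findings = []
    for s in sessions:
        missing = [k for k in REQUIRED_EVIDENCE if not s.get(k)]
        if missing:
            findings.append((s["session"], "incomplete attribution: missing " + ", ".join(missing)))
    return findings


def readiness_report(accounts, sessions):
    """Summarise the review as numbers a business owner can sign off against."""
    account_findings = review_accounts(accounts)
    session_findings = review_sessions(sessions)
    critical = [a for a in accounts if a["criticality"] == "high"]
    return {
        "critical_accounts": len(critical),
        "critical_time_bound": sum(1 for a in critical if a["access"] == "time-bound"),
        "unbrokered_vendors": sum(1 for a in accounts if a["type"] == "vendor" and not a["brokered"]),
        "sessions_with_full_evidence": len(sessions) - len(session_findings),
        "findings": account_findings + session_findings,
    }


if __name__ == "__main__":
    for who, what in readiness_report(ACCOUNTS, SESSIONS)["findings"]:
        print(f"{who}: {what}")
```

In the constructed data the unbrokered vendor account is flagged twice (standing reach to a critical asset and no central evidence), and the maintenance session with no approver, task or end time is flagged as unreconstructable even though a recording exists. Run against a real inventory export, the ratio of critical accounts that are time-bound and the share of sessions with complete evidence are the two figures to track over time.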
Key takeaways
- Resilience in OT depends on controlling privileged identity paths, not just hardening infrastructure.
- The article’s evidence points to a control gap around standing access, limited attribution, and weak session governance.
- Teams should align OT access governance with NIS2, Zero Trust, and continuity planning as one programme.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the technical controls, while NIS2 defines the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access is central to OT session governance and resilience. |
| NIST Zero Trust (SP 800-207) | | Zero Trust directly aligns with continuous verification for high-risk OT access. |
| NIS2 | | The article explicitly ties resilience and reporting obligations to essential-sector operations. |
Map OT identity governance to NIS2 resilience, reporting, and continuity obligations before the next incident.
Key terms
- Just-in-time access: Just-in-time access grants elevated permissions only for a specific task and removes them when the task ends. In OT and other high-risk environments, it reduces standing privilege and narrows the window in which a credential can be abused, but only if approvals and revocation are enforced consistently.
- Identity blast radius: Identity blast radius is the amount of damage an account or session can cause once it is compromised or misused. It is shaped by privilege scope, session duration, and where the identity can reach, making it a practical measure of governance strength in both IT and OT.
- Session attribution: Session attribution means being able to tie every privileged action back to a specific identity, approval, and time window. It is the evidence layer that supports audit, incident reconstruction, and accountability when multiple operators, vendors, or automated processes touch the same environment.
- Operational continuity control: An operational continuity control is any governance or technical measure that helps essential services keep running during disruption. In identity terms, that includes limiting access scope, preserving auditability, and preventing privileged sessions from becoming a single point of failure.
Deepen your knowledge
OT privileged access, session attribution, and continuity planning are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for critical infrastructure or vendor-heavy operations, it is worth exploring.
This post draws on content published by SSH Communications Security: NIS2 resilience, Zero Trust, and OT access governance. Read the original.
Published by the NHIMG editorial team on 2025-10-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org