TL;DR: S4x26 sessions on OT threat pre-positioning, visibility quality, zero trust, and incident communication showed that the community has moved past awareness and is now confronting execution gaps, according to Elisity. The practical challenge is not proving OT matters, but building identity-aware segmentation, trained response, and defensible asset confidence before adversaries act.
At a glance
What this is: This recap argues that OT security has shifted from awareness to operational execution, with adversary pre-positioning, visibility quality, and readiness emerging as the central concerns.
Why it matters: It matters to identity and security practitioners because OT segmentation, access policy, and incident response now depend on trustworthy asset identity, not just network visibility.
👉 Read Elisity's OT security recap from S4x26
Context
OT security has moved into a phase where the core problem is no longer whether the risk exists, but whether organisations can act on it fast enough and with enough confidence. In industrial and healthcare environments, the gap is often not tooling coverage but the quality of the underlying asset and access data that drives policy decisions. That is where the identity dimension becomes real: segmentation, privileged access, and response all fail if the environment cannot be reliably identified.
The article uses S4x26 to show that practitioners are now grappling with adversary persistence, inventory confidence, and operational readiness rather than basic awareness. For NHIMG readers, the important intersection is that OT policy enforcement increasingly depends on identity-like control points for devices, workloads, and operator access. In other words, OT security is becoming a governance problem as much as a network problem.
Key questions
Q: What breaks when OT security teams treat visibility as a checkbox?
A: Teams lose the ability to enforce meaningful segmentation because the inventory is not accurate enough to support policy decisions. In OT, coverage without confidence creates false assurance. The result is that device identity, communication paths, and change impact remain too weak to prevent lateral movement or contain a live event.
Q: Why do dormant footholds matter so much in OT environments?
A: Dormant footholds matter because they preserve future access in systems where attackers may wait for the right operational moment. In OT, the danger is often persistence rather than immediate action. A quiet environment can still be compromised if an adversary can keep access available long enough to exploit it later.
Q: How do security teams know if OT segmentation is actually working?
A: Segmentation is working when policy decisions can be enforced using verified asset identity and validated communication relationships. If the team cannot explain why one device may talk to another, the control is weak. The clearest signal is whether the policy holds during maintenance, incident response, and normal operational change.
Q: Who is accountable when OT risk is communicated poorly to leadership?
A: Accountability sits with the security and operational leaders who own risk translation, because funding and response depend on how the threat is described. If executives only hear technical noise, they cannot prioritise correctly. OT governance needs a shared language for severity, reach, and duration that leadership can act on.
Technical breakdown
Why OT threat pre-positioning changes the security model
Pre-positioning means an adversary establishes access and keeps it available without immediately disrupting operations. In OT, that is especially dangerous because the attacker can wait for a high-value moment, such as a safety event, maintenance window, or geopolitical trigger. This is not the same as noisy ransomware tradecraft. It is a patient access strategy that turns dormant footholds into future options. Defensive planning therefore has to assume presence, not just intrusion. That changes how teams think about segmentation, detection, and escalation thresholds.
Practical implication: treat dormant access in OT as an active control failure, not a benign finding.
Visibility quality in OT asset identity and segmentation
Visibility is only useful if it is accurate enough to support policy enforcement. An OT inventory that lists devices but cannot reliably distinguish them, map their communications, or attribute their function creates false confidence. That is why visibility quality matters more than raw coverage. In practice, teams need enough confidence to know which devices can talk, which zones and conduits are legitimate, and which assets are too risky to leave unconstrained. Passive discovery helps, but active validation often improves the fidelity required for enforcement. Identity becomes the pivot point when segmentation rules depend on the correct asset classification.
Practical implication: validate OT inventory confidence before using it as the basis for segmentation or access policy.
Zero trust in OT depends on operational readiness, not slogans
Zero trust in OT is not a branding exercise. It requires repeatable controls, trained staff, and incident procedures that reflect how industrial systems behave under pressure. Unlike IT, OT response may affect safety, uptime, and physical processes, so the organisation cannot improvise during a live event. The article’s message is that tooling alone cannot bridge this gap. A working OT zero trust model needs clear ownership, tested playbooks, and enforcement logic that matches the environment’s operational constraints. That is why readiness is part of architecture, not a separate programme.
Practical implication: pair OT zero trust projects with rehearsed response workflows and role-specific training.
Threat narrative
Attacker objective: The objective is to preserve operationally useful access inside critical infrastructure so it can be activated at a strategically chosen moment.
- Entry occurs through patient pre-positioning inside critical infrastructure networks, where the attacker maintains access without immediate disruption.
- Escalation happens when dormant footholds remain available long enough to support future operational objectives and potential lateral movement.
- Impact is realised when the attacker chooses to activate access against industrial or energy systems, creating the option for disruption, surveillance, or coercion.
NHI Mgmt Group analysis
Awareness is no longer the problem in OT security. The field has moved into an execution gap where organisations understand the risk but still struggle to enforce policy against it. That is a governance failure as much as a technical one, because the real question is whether access, visibility, and response are accurate enough to support action. Practitioners should stop treating OT maturity as a communications exercise and start treating it as an enforcement discipline.
OT visibility has become a control quality issue, not a discovery issue. A device list that cannot support segmentation, access decisions, or accurate attribution creates false confidence. The named concept here is visibility quality: the degree to which inventory data is precise enough to drive real controls. If the data is weak, the policy layer becomes performative. Practitioners should measure whether asset intelligence is actionable, not whether it exists.
Dormant access is the OT equivalent of standing privilege in a high-consequence environment. The threat is not only what an attacker does today, but what they preserve for later. That matters because industrial environments often assume quiet means safe, when the opposite may be true. The governance lesson is that persistence windows in OT must be treated as risk-bearing assets. Practitioners should hunt for long-lived footholds before they become operational leverage.
Zero trust in OT fails when organisations separate architecture from readiness. The article shows that controls only matter when staff, playbooks, and enforcement logic match the reality of industrial operations. This is where identity and segmentation intersect: policy based on device identity only works if operators trust the identity data and know how to act on it. Practitioners should align technical design with exercised response, not documentation alone.
OT risk communication is part of security governance, not public relations. The proposed incident scoring discussion reflects a broader need to translate technical risk into language that executives, policymakers, and local responders can use. That translation layer matters because funding and response prioritisation follow the narrative as much as the telemetry. Practitioners should treat risk communication as a control enabler, not an afterthought.
What this signals
Visibility quality is becoming the control plane for OT governance. For most programmes, the next problem is not whether they can see more devices, but whether they can trust what the inventory says well enough to enforce policy. That shift will push teams toward tighter validation of asset identity, communication pathways, and change impact before segmentation is allowed to become a primary control.
Identity-aware enforcement will matter more than static network boundaries. As OT environments become more dynamic, policy will need to follow confirmed asset identity rather than physical location alone. This is where the identity-security intersection becomes practical: if teams cannot map devices and access to trustworthy identities, their ZTA ambitions will remain fragile.
From our research, 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to the 2024 ESG Report: Managing Non-Human Identities. That level of exposure is a warning for OT teams as well, because any environment that relies on machine-to-machine trust needs strong lifecycle controls, clear ownership, and measurable review cycles.
For practitioners
- Validate inventory fidelity before enforcing segmentation Test whether device identity, communication paths, and zone mapping are accurate enough to support enforcement, not just reporting. Use validation methods that compare passive collection with targeted active checks where safety and operations allow. If the inventory cannot support a policy decision, do not let it drive one.
- Hunt for dormant access and stale footholds Prioritise long-lived sessions, unmanaged remote access, and any OT account or pathway that can sit unused until a future trigger. Focus on access that remains available across maintenance cycles, vendor support windows, and incident-free periods. Dormant access is often the precondition for later operational abuse.
- Tie segmentation rules to verified asset identity Build policy enforcement around confirmed device identity and communication intent, not static network position. Where asset confidence is low, use compensating controls such as tighter allowlists, shorter review cycles, and manual approval for high-risk changes. The goal is to reduce policy drift when the environment changes.
- Rehearse OT incident response with operational constraints Run exercises that include safety, uptime, and cross-functional decision-making so response teams understand what they can isolate, shut down, or defer without causing collateral harm. Include engineering, operations, and security roles in the exercise design. OT response fails when people have never practised under realistic constraints.
- Make risk communication board-ready and responder-ready Translate OT events into concise impact language that separates severity, reach, and duration so executives can fund and prioritise correctly. Use a common scale internally so incident narratives are consistent across operations, security, and leadership. Clear communication reduces delay when decisions are time-sensitive.
Key takeaways
- OT security has moved from awareness to enforcement, and the real gap is now operational readiness.
- Visibility only becomes useful when asset identity is accurate enough to drive segmentation and response.
- Dormant access in OT should be treated as a standing risk asset that can be activated later.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | OT segmentation and access enforcement depend on managed permissions and identity-aware policy. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is central when OT access must be constrained by role and operational need. |
| CIS Controls v8 | CIS-5 , Account Management | Dormant access and stale footholds are account governance problems in OT environments. |
| MITRE ATT&CK | TA0003 , Persistence; TA0008 , Lateral Movement | The article centres on long-lived footholds and movement across industrial environments. |
| NIST Zero Trust (SP 800-207) | The article discusses zero trust in OT where continuous verification and segmentation are required. |
Review OT accounts under CIS-5 and remove any access that persists beyond its operational need.
Key terms
- Visibility Quality: The degree to which asset discovery data is accurate enough to support real security decisions. In OT, this means more than coverage. It includes fidelity, confidence, and the ability to map devices, communications, and functions tightly enough to enforce policy.
- Pre-Positioning: An adversary technique where access is established and maintained without immediate disruption. In critical infrastructure, pre-positioning matters because the attacker is preparing for a future event, not just collecting data today. That makes persistence itself a strategic threat.
- OT Segmentation: The practice of separating industrial systems into controlled zones so traffic and access can be restricted by operational need. In effective programmes, segmentation depends on trustworthy asset identity, accurate communication mapping, and enforced rules that reflect how the environment really behaves.
- Incident Impact Scoring: A method for translating technical OT incidents into a simple scale that reflects severity, reach, and duration. The purpose is to make risk easier to compare, communicate, and prioritise across technical teams, executives, and public stakeholders.
What's in the full article
Elisity's full analysis covers the operational detail this post intentionally leaves for the source:
- Field session observations on OT visibility quality and microsegmentation deployment across real environments.
- The incident-communication proposal for scoring OT events by severity, reach, and duration.
- How practitioners are thinking about identity-based policy enforcement across multi-site OT estates.
- The practical readiness questions teams are asking about zero trust, staffing, and exercised response.
👉 Elisity's full post expands on visibility quality, OT readiness, and incident communication.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, workload identity, and the control patterns that underpin machine-to-machine trust. It is designed for practitioners who need to connect identity governance to broader security operations and policy enforcement.
Published by the NHIMG editorial team on 2026-02-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org