TL;DR: As OT environments connect to IT networks and IoT fleets grow, legacy systems with weak authentication and minimal encryption become easier to exploit, according to Keyfactor. The core issue is not just exposure, but whether identity controls can still verify devices and contain movement when the old air gap is gone.
At a glance
What this is: This is an analysis of how PKI and network segmentation reduce OT exposure as IT and OT converge, with device identity and boundary enforcement treated as the control foundation.
Why it matters: It matters because IAM, NHI, and lifecycle teams now have to govern device trust, certificate inventory, and lateral movement in environments where legacy access patterns no longer hold.
Context
Operational technology security is the discipline of protecting industrial systems, devices, and the communications that keep physical operations running. In this article, the primary problem is that OT environments are no longer isolated, so identity and network controls must work together to prevent compromise from spreading across factory, utility, or transport systems.
The security gap is straightforward: legacy OT devices often lack strong authentication, and flat networks make lateral movement easier once an attacker lands on an IoT sensor, maintenance laptop, or exposed service. In that setting, PKI becomes the device trust layer and segmentation becomes the containment layer, which is why OT governance now overlaps with NHI lifecycle and certificate management.
The article assumes a typical modern OT environment, not an edge case. That matters because most organisations are moving from implicit trust and static boundaries toward device identity, certificate validation, and finer-grained access controls.
Key questions
Q: How should security teams secure connected OT devices without relying on the old air gap?
A: Security teams should combine device-level identity with segmentation. PKI verifies the device before it connects, while segmentation limits where that device can go if it is compromised. That combination is more reliable than assuming an isolated network still exists, especially in environments where IT and OT traffic now overlap.
Q: Why do certificates matter so much in OT security?
A: Certificates matter because they give industrial devices a verifiable identity that survives across network zones and long asset lifecycles. Without them, teams often fall back to shared credentials, default access, or unencrypted protocols, all of which make spoofing and lateral movement much easier.
Q: What breaks when OT networks are segmented without strong identity controls?
A: Segmentation without identity still leaves the organisation guessing which device is allowed to connect. Attackers can exploit weak credentials or unmanaged endpoints inside a segment, and operators may compensate with overly broad exceptions. The result is containment that looks strong on paper but fails during an intrusion.
Q: Who should own certificate lifecycle management in OT environments?
A: Certificate lifecycle management should be shared across security, OT operations, and infrastructure teams, with clear ownership for issuance, renewal, inventory, and revocation. OT environments are too operationally sensitive for manual tracking, so governance needs defined handoffs and automation.
Technical breakdown
Device identity in OT networks
In OT, device identity is commonly established with X.509 certificates rather than user passwords or hostnames. A certificate binds a device to a trusted cryptographic identity that other systems can verify before allowing communication. This matters because industrial devices often run for years, use proprietary protocols, and cannot tolerate frequent manual access changes. PKI provides issuance, renewal, and revocation, which turns device trust into a governed lifecycle rather than a one-time setup. Without that, operators fall back to shared secrets, static allowlists, or weak defaults that attackers can reuse across segments.
Practical implication: inventory every certificate-backed device and tie certificate issuance to a managed lifecycle, not ad hoc deployment.
Network segmentation and microsegmentation in industrial environments
Network segmentation limits how far an attacker can move after compromising one OT-connected asset. Traditional segmentation splits broad zones, but microsegmentation narrows policy to the workload or device level, which is better suited to mixed legacy and modern environments. In practice, this means access is shaped by the device, its role, and the zone it needs to reach, rather than by flat network trust. Segmentation does not replace identity controls, but it makes identity meaningful by restricting where a valid identity can talk once verified.
Practical implication: define small, identity-aware zones around critical OT assets and remove broad east-west trust between them.
Why PKI and segmentation work together
PKI answers the question of who or what is connecting, while segmentation answers where that identity is allowed to go. That pairing matters in OT because authentication without containment still leaves a compromised device free to roam, and containment without strong identity can block legitimate operations or invite workarounds. The article’s core architectural point is that least privilege in OT is enforced at two layers at once: cryptographic trust at the connection point and traffic control at the network boundary. Together, they reduce spoofing, unauthorized access, and lateral movement.
Practical implication: treat certificate authentication and segment policy as one control plane and review them together during OT change management.
Threat narrative
Attacker objective: The attacker aims to expand from one compromised OT-connected asset into higher-value industrial systems and disrupt operations or safety.
- Entry occurs when an attacker reaches a connected OT asset such as an IoT device or third-party maintenance laptop.
- Escalation follows if the compromised asset can communicate across flat or weakly segmented networks using shared passwords, default credentials, or unencrypted protocols.
- Impact is broader network reach, including movement toward critical systems that could disrupt industrial operations, safety, or availability.
Breaches seen in the wild
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
OT security now depends on certificate governance, not just network design. The article shows that once OT systems connect to broader IT and IoT environments, identity becomes the control plane for trust. That shifts the discipline from perimeter protection to governed certificate lifecycles, device validation, and revocation discipline. Practitioners should treat certificate inventory as a core security asset, not an administrative afterthought.
Legacy OT creates an identity problem before it creates a segmentation problem. Many industrial systems were built without strong authentication or modern encryption, which means the first failure is often uncontrolled trust, not uncontrolled traffic. Segmentation helps, but only after the device identity layer is made trustworthy enough to support it. The implication is that identity blind spots in OT are now security blind spots.
PKI for OT is a form of non-human identity governance. Device certificates are issued, renewed, and revoked across a long lifecycle, which is exactly the kind of governance model NHI teams already manage in cloud and workload environments. The risk is device certificate lifecycle debt: when certificates are deployed faster than they are inventoried, renewed, and revoked, trust accumulates without oversight. Practitioners should rethink OT identity as a lifecycle control problem, not a point-in-time authentication project.
Zero Trust in OT only works when verification and containment are both enforced. The article’s architecture maps cleanly to a zero-trust pattern: verify each device, then restrict every connection to the minimum necessary segment. That matters because OT failures are often blast-radius failures. Practitioners should use segmentation to limit consequence, but only after PKI makes the connection itself trustworthy.
OT convergence is forcing IAM, network, and operations teams into the same governance conversation. The article makes clear that access, device trust, and network policy can no longer be owned in isolation. That is a programme design issue, not just a tooling issue. Practitioners should align OT certificate management, network engineering, and identity governance around a shared control model.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility, according to The State of Non-Human Identity Security.
- OT and NHI teams should treat certificate visibility as a governance control, not a back-office inventory task, and use it to drive containment decisions across identity and network boundaries.
What this signals
Device certificate lifecycle debt: OT teams that cannot inventory, renew, and revoke certificates at scale are carrying the same governance burden that NHI programmes face with service accounts and API keys. The operational difference is that an expired or rogue certificate can become a safety issue, not just an access issue. Mature programmes will bring certificate lifecycle ownership into the same control model as workload identity and privileged access.
The practical signal for readers is that OT security is moving from network-only thinking to identity-and-boundary governance. Teams that still treat segmentation as sufficient will miss the fact that trusted identities can still be over-broad, stale, or unmanaged. Aligning certificate telemetry with identity controls and NIST SP 800-207 Zero Trust Architecture is now a programme requirement, not an optimisation.
As more connected devices enter industrial environments, the question is no longer whether OT needs identity controls, but whether the organisation can sustain them across thousands of certificates and long-lived assets. That is where automation, lifecycle policy, and NIST Cybersecurity Framework 2.0 governance functions become the operational backbone for resilience.
For practitioners
- Build a complete cryptographic inventory: Map every certificate, key, and device identity across OT and IT segments, including legacy systems and temporary maintenance assets. Missing inventory is the fastest route to expired trust and unmanaged exposure.
- Replace shared access with certificate-backed device trust: Use X.509 certificates for device authentication instead of shared passwords or default credentials, especially for IIoT endpoints that must cross zone boundaries.
- Break flat OT networks into identity-aware segments: Use firewalls, VLANs, and microsegmentation to limit east-west movement between critical systems, then tie allowed flows to specific device roles and approved tasks.
- Automate certificate renewal and revocation: Set lifecycle rules for issuance, renewal, and revocation so compromised or expired certificates can be removed before they become an operational workaround.
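The verify-then-limit model from the technical breakdown (device identity via X.509, segment policy keyed to device role, PKI issuance and revocation as a lifecycle) and the four practitioner steps above can be shown end to end in one small program. The following is an added example written for this post; it is not Keyfactor's code, nor a product implementation, and it uses only the Go standard library. It assumes a private OT device CA, that the device role is carried in the certificate's OU, that revocation is published as a CA-signed CRL, and a constructed role-to-zone policy table whose zone and role names are illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Segment policy keyed by device role. Assumption for this example: the role
// is carried in the certificate OU. A verified identity may reach only the
// zones listed for its role; zone and role names are constructed.
var segmentPolicy = map[string][]string{
	"sensor":             {"zone-l2-cell"},
	"historian-gateway":  {"zone-l2-cell", "zone-l3-historian"},
	"maintenance-laptop": {"zone-engineering"},
}

// DeviceCA is a minimal in-memory issuing CA for OT device identities.
type DeviceCA struct {
	Cert    *x509.Certificate
	Key     *ecdsa.PrivateKey
	roots   *x509.CertPool
	revoked []pkix.RevokedCertificate
	lastSN  int64
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under parent; parent == tmpl yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))
	return must(x509.ParseCertificate(der))
}

// NewDeviceCA creates a self-signed root allowed to sign certificates and CRLs.
func NewDeviceCA(name string) *DeviceCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert := sign(tmpl, tmpl, &key.PublicKey, key)
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &DeviceCA{Cert: cert, Key: key, roots: roots, lastSN: 1}
}

// IssueDevice binds deviceID and role to a fresh key pair for ttl.
func (ca *DeviceCA) IssueDevice(deviceID, role string, ttl time.Duration) *x509.Certificate {
	ca.lastSN++
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.lastSN),
		Subject:      pkix.Name{CommonName: deviceID, OrganizationalUnit: []string{role}},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, ca.Cert, &devKey.PublicKey, ca.Key)
}

// Revoke records a serial; CRL publishes every revocation in a CA-signed CRL.
func (ca *DeviceCA) Revoke(c *x509.Certificate) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
}

func (ca *DeviceCA) CRL() *x509.RevocationList {
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(int64(len(ca.revoked) + 1)), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: ca.revoked,
	}, ca.Cert, ca.Key))
	return must(x509.ParseRevocationList(der))
}

// Authorize is the verify-then-limit check: chain to the OT root for client
// auth and absence from the CRL come first; only then is the segment policy
// consulted to decide whether this role may reach dstZone.
func Authorize(ca *DeviceCA, crl *x509.RevocationList, c *x509.Certificate, dstZone string) error {
	opts := x509.VerifyOptions{Roots: ca.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return fmt.Errorf("identity: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca.Cert); err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return fmt.Errorf("identity: serial %s is revoked", c.SerialNumber)
		}
	}
	if len(c.Subject.OrganizationalUnit) != 1 {
		return fmt.Errorf("policy: %s carries no single role in OU", c.Subject.CommonName)
	}
	role := c.Subject.OrganizationalUnit[0]
	for _, z := range segmentPolicy[role] {
		if z == dstZone {
			return nil
		}
	}
	return fmt.Errorf("segment: role %q may not reach %s", role, dstZone)
}

// NeedsRenewal is the inventory check: true when c expires inside window.
func NeedsRenewal(c *x509.Certificate, window time.Duration) bool {
	return time.Now().Add(window).After(c.NotAfter)
}
```

Typical use is to create the CA once, issue one certificate per device with a short validity, and call Authorize at the segment boundary (a firewall, gateway or broker that terminates mutual TLS) for every connection attempt. The ordering inside Authorize is the point of the article: a certificate from an unknown CA or one on the CRL never reaches the policy lookup, and a valid sensor certificate is still refused the historian zone because its role does not allow it. NeedsRenewal is the piece that turns inventory into action: run it over every issued certificate on a schedule and the renewal backlog (the lifecycle debt discussed above) becomes a list rather than a surprise.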
Key takeaways
- OT security fails when legacy device trust is left implicit and network zones are too broad to contain compromise.
- The article’s practical evidence is that PKI and segmentation solve different halves of the problem: identity verification and blast-radius control.
- The control that changes outcomes is certificate lifecycle governance, because unmanaged identity in OT becomes both an access risk and an operational risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate lifecycle gaps map to unmanaged non-human identity trust. |
| NIST Zero Trust (SP 800-207) | | The article’s verify-then-limit model mirrors zero-trust enforcement. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and boundary control are central to OT segmentation. |
Map OT certificate trust and segment policy to access control governance and review exceptions routinely.
Key terms
- Operational Certificate: A certificate used to authenticate a device or system during live operations. In OT, it extends trust from manufacturing into production communications, so access decisions can be enforced cryptographically instead of through shared passwords or static network assumptions.
- Device Identity Certificate: A certificate assigned to a connected device to prove its identity to other systems. In industrial environments, it helps bind hardware to a trustworthy identity across a long lifecycle, which is essential when devices operate for years and cross multiple network segments.
- Microsegmentation: A network control approach that restricts traffic at the workload or device level instead of relying only on broad zones. In OT, it reduces the blast radius of compromise by limiting which assets can communicate, but it only works well when paired with strong identity verification.
- Certificate Lifecycle Management: The process of issuing, tracking, renewing, and revoking digital certificates over time. For OT and machine identities, lifecycle management is what keeps cryptographic trust current, prevents stale access, and gives security teams the visibility needed to respond quickly when something changes.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Keyfactor: PKI OT Security Via PKI and Network Segmentation. Read the original.
Published by the NHIMG editorial team on 2025-08-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org