By NHI Mgmt Group Editorial Team
Published 2026-03-31
Domain: Governance & Risk
Source: SSH Communications Security

TL;DR: OT environments are increasingly connected to corporate networks and remote providers, but VPN sprawl, persistent credentials, weak visibility, and incomplete audit trails still make compliance with IEC 62443 and NIS2 difficult, according to SSH Communications Security. Granular, task-based access with JIT and session logging shifts OT identity governance from broad trust to verifiable, least-privilege control.


At a glance

What this is: An analysis of how OT access management is shifting from VPN-based trust to granular, task-based zero trust controls, with compliance and auditability as the core finding.

Why it matters: OT teams now have to govern remote vendor, engineer, and maintenance access with the same identity discipline used in cloud and enterprise IAM, without breaking operational continuity.

👉 Read SSH Communications Security's article on zero trust access control for OT environments


Context

Operational technology access is no longer isolated from enterprise identity policy. As industrial control systems, plants, and critical infrastructure connect to corporate networks, cloud platforms, and remote service providers, the old model of broad network trust creates avoidable identity and audit risk.

The core governance problem is familiar to IAM teams: access is still often granted too widely, stays active too long, and is too hard to prove after the fact. In OT, that becomes a compliance issue as well as an operational one, because frameworks such as IEC 62443 and NIS2 expect controlled access and traceable activity across critical systems.


Key questions

Q: How should security teams reduce OT remote access risk without blocking maintenance work?

A: Use task-based access that grants the smallest practical privilege for the shortest useful duration, then records the session centrally. That lets engineers and vendors complete work without persistent credentials or broad network trust. The control goal is not just blocking access, but ensuring every remote session is attributable, time-bound, and auditable.

Q: Why do persistent credentials create so much OT compliance risk?

A: Persistent credentials blur the boundary between approved maintenance and residual access, which makes it hard to prove when authority started and ended. In OT, that weakens both security and auditability because the same credential can outlive the task it was issued for. Standing privilege is often the hidden failure mode behind failed access governance.

Q: How can organisations tell whether OT access controls are actually working?

A: Look for evidence that access is issued only on demand, expires automatically, and can be tied to a named user, task, and session record. If audits still require manual reconstruction, the control is not working at the governance level. Strong OT access management produces verifiable traces, not just fewer help desk tickets.

Q: Who is accountable when OT remote access cannot be traced after the fact?

A: Accountability sits with the operating organisation, because auditors and regulators expect it to prove who accessed critical systems and under what authority. In practice, that means security, OT operations, and compliance must share one access record and one revocation process. If no one can reconstruct the session, the governance model has already failed.


Technical breakdown

Why VPN-based OT access creates identity sprawl

VPN access was built to extend network reach, not to express identity intent. In OT environments, that means a user may appear broadly trusted once connected, even when they only need a narrow maintenance task. Shared credentials, persistent tunnels, and weak session attribution make it difficult to bind a specific person or vendor to a specific action on a specific industrial asset. The result is identity sprawl inside the access layer, where the network perimeter becomes the control point instead of the identity policy.

Practical implication: replace broad remote access paths with task-scoped identity controls that preserve per-user attribution.

How JIT access changes OT credential exposure windows

Just-in-Time access issues short-lived credentials only when work is needed, then expires them when the task ends. That changes the security model in OT because standing credentials no longer persist across maintenance windows, troubleshooting sessions, or vendor support periods. The key mechanism is not convenience, but time-bound privilege: the identity exists only long enough for the approved operational need. This also improves evidence quality because the access event, duration, and session activity are tied together for later review.

Practical implication: enforce short-lived access for remote maintenance and log expiry as part of the compliance record.

Central session logging and traceability for IEC 62443 and NIS2

Compliance in OT depends on being able to prove who accessed what, when, and for what purpose. Centralized access management platforms support that by recording sessions, commands, and access history across both IT and OT systems. This matters because industrial environments often contain legacy protocols and mixed trust boundaries that make point-in-time audit evidence hard to reconstruct manually. When access, recording, and control are unified, audit trails become operational artifacts rather than after-the-fact guesses.

Practical implication: centralize session recording and audit export so compliance evidence is available without manual reconstruction.
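The three mechanisms above (task-scoped grants, Just-in-Time expiry, and central session records that can be checked without manual reconstruction) are easier to reason about with a concrete model. The following Python is an added illustration written for this page; it is not code from SSH Communications Security or from NHI Mgmt Group, and the record shapes, the four-hour policy maximum (MAX_GRANT_TTL), and the sample users, assets, and work-order numbers are all assumptions. It issues a time-bound grant at request time and then runs the audit checks described in the Q&A section over constructed grant and session records: is every session tied to a named user, a task, and a grant; did every grant expire; and did any session outlive its grant.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Longest lifetime a task-scoped grant may have before it counts as
# standing privilege. Assumed policy value for this example, not from the article.
MAX_GRANT_TTL = timedelta(hours=4)


@dataclass(frozen=True)
class AccessGrant:
    """A task-scoped, time-bound authorisation for one named identity on one asset."""
    grant_id: str
    user: str                       # a named individual, never a shared account
    task_id: str                    # the work order / maintenance ticket being served
    asset: str                      # the OT asset the grant is scoped to
    approved_by: str
    issued_at: datetime
    expires_at: Optional[datetime]  # None models a standing credential with no expiry


@dataclass
class SessionRecord:
    """One remote session as a central session log would store it."""
    session_id: str
    grant_id: Optional[str]         # None models a session with no JIT grant behind it
    user: str
    asset: str
    started_at: datetime
    ended_at: Optional[datetime]    # None means the session was never closed
    commands: list = field(default_factory=list)


def issue_jit_grant(grant_id, user, task_id, asset, approved_by, now, ttl=timedelta(hours=1)):
    """Issue a short-lived grant. Expiry is fixed at issue time, so it cannot drift silently."""
    if ttl > MAX_GRANT_TTL:
        raise ValueError(f"requested TTL {ttl} exceeds policy maximum {MAX_GRANT_TTL}")
    return AccessGrant(grant_id, user, task_id, asset, approved_by, now, now + ttl)


def grant_is_valid(grant, now):
    """A grant is usable only inside its window; a grant without expiry is never valid."""
    return grant.expires_at is not None and grant.issued_at <= now < grant.expires_at


def audit_findings(grants, sessions):
    """Return (record_id, problem) pairs an auditor would raise against these records.

    An empty list means every grant is time-bound and every session is attributable
    to a named user, a task, and a grant, and ended inside that grant's window.
    """
    by_id = {g.grant_id: g for g in grants}
    findings = []
    for g in grants:
        if g.expires_at is None:
            findings.append((g.grant_id, "standing credential: no expiry"))
        elif g.expires_at - g.issued_at > MAX_GRANT_TTL:
            findings.append((g.grant_id, "grant lifetime exceeds policy maximum"))
    for s in sessions:
        g = by_id.get(s.grant_id) if s.grant_id else None
        if g is None:
            findings.append((s.session_id, "session has no JIT grant: not attributable to a task"))
            continue
        if g.user != s.user or g.asset != s.asset:
            findings.append((s.session_id, "session user/asset does not match its grant"))
        if s.ended_at is None:
            findings.append((s.session_id, "session never closed: exposure window unknown"))
        elif g.expires_at is not None and s.ended_at > g.expires_at:
            findings.append((s.session_id, "session outlived its grant expiry"))
    return findings


def demo():
    """Constructed sample records (not real data) that exercise each check."""
    t0 = datetime(2026, 3, 31, 8, 0, tzinfo=timezone.utc)
    good = issue_jit_grant("g-1", "alice@vendor.example", "WO-1042", "plc-line3", "ot-lead", t0)
    # A long-lived shared vendor account with no expiry: the standing-privilege failure mode.
    standing = AccessGrant("g-2", "vendor-shared", "n/a", "hmi-line3", "unknown",
                           t0 - timedelta(days=400), None)
    sessions = [
        # Compliant: named user, inside the grant window, closed, commands recorded.
        SessionRecord("s-1", "g-1", "alice@vendor.example", "plc-line3",
                      t0 + timedelta(minutes=5), t0 + timedelta(minutes=40),
                      ["read tags", "update setpoint"]),
        # Shared credential with no grant behind it: cannot be tied to a person or task.
        SessionRecord("s-2", None, "vendor-shared", "hmi-line3", t0, t0 + timedelta(hours=3)),
        # Correct user and asset, but the session ran past the one-hour grant expiry.
        SessionRecord("s-3", "g-1", "alice@vendor.example", "plc-line3",
                      t0 + timedelta(minutes=50), t0 + timedelta(minutes=90)),
    ]
    return audit_findings([good, standing], sessions)


if __name__ == "__main__":
    for record_id, problem in demo():
        print(f"{record_id}: {problem}")
```

Run as a script it prints one line per finding: the shared account g-2 is flagged as standing privilege, session s-2 is flagged because no grant ties it to a person or task, and s-3 is flagged because it ended after its grant expired; the compliant session s-1 produces nothing. The point of the design is that the evidence an auditor needs (user, task, approval, issue and expiry time, session start and end) is captured as structured fields at issue and record time, so the check is a query over records rather than a manual reconstruction.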




NHI Mgmt Group analysis

OT identity governance has moved from perimeter control to session control. The old assumption was that a VPN session could stand in for trust across industrial environments. That assumption no longer holds when vendors, engineers, and integrators all need narrow, time-bound access to critical systems. The implication is that OT programmes must treat access scope and session visibility as first-class governance objects, not network by-products.

Persistent access is the real compliance failure mode in OT. The article describes a familiar breakdown pattern: credentials remain active after the task is complete, leaving no clean boundary between approved work and residual exposure. This is not just a technical weakness, it is a governance gap because accountability depends on knowing when access should end. Practitioners should recognize standing privilege as the control problem, not remote connectivity itself.

Traceability is the named concept that separates compliant OT from merely connected OT. In this context, traceability means being able to prove identity, duration, action, and system touched across industrial sessions. Without it, auditors see a control environment that can connect but cannot explain itself. That weakens both IEC 62443 alignment and NIS2 readiness, because evidence of control matters as much as control design.

Granular access control is now the practical bridge between safety and security. OT teams often assume tighter controls will slow operations, but the article points to the opposite pattern when access is task-based and centrally managed. When engineers and vendors get only the systems they need for only the time they need them, security and maintenance stop competing. Practitioners should frame modernization as operationally enabling, not just restrictive.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to Astrix Security & CSA.
  • For adjacent AI governance context, The 2026 Infrastructure Identity Survey shows 70% of organisations grant AI systems more access than human employees.

What this signals

Traceability is becoming the minimum viable control for connected OT. With industrial environments now spanning vendors, cloud services, and legacy assets, teams need evidence that access can be tied back to a named user and a time-bounded session. The practical shift is from perimeter trust to provable identity events, which is where zero trust and OT governance finally meet.

The programme implication is straightforward. If an organisation cannot produce session history, expiry evidence, and approval lineage without manual effort, its OT access model is too brittle for modern compliance expectations. That gap will surface first in audit, then in incident response.


For practitioners

  • Replace shared OT credentials with named, task-scoped identities: Map every engineer, vendor, and maintenance workflow to an individual identity so access can be attributed, reviewed, and revoked without ambiguity.
  • Enforce Just-in-Time access for maintenance windows: Issue short-lived credentials only for approved work and expire them automatically when the maintenance task ends, including vendor support sessions.
  • Centralize session logging across IT and OT assets: Record who accessed which system, what was done, and when the session started and ended so audit evidence is available in one place.
  • Align remote access policy to IEC 62443 and NIS2 evidence needs: Build access workflows that can produce traceable logs, approval history, and session records without manual reconstruction during audits.

Key takeaways

  • OT connectivity expands the identity problem, because broad remote access creates standing trust where industrial environments need narrow, provable authority.
  • The strongest evidence of control is not connectivity itself, but whether access expires automatically, is attributable to a named identity, and leaves a usable audit trail.
  • Teams that want both security and operational continuity should redesign OT remote access around task scope, session visibility, and compliance-ready logging.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-03              | OT access in the article relies on short-lived credentials instead of standing secrets.
NIST Zero Trust (SP 800-207)     | PR.AC-1             | The article's zero trust model depends on verifying each remote OT session.
NIST CSF 2.0                     | PR.AC-4             | Controlled, traceable access maps directly to least-privilege identity governance.

Map OT access paths to least-privilege controls and prove them with session records.


Key terms

  • Operational Technology: Operational technology refers to the systems that monitor or control physical processes, such as industrial controllers, plant networks, and critical infrastructure equipment. In identity terms, OT is challenging because access must preserve safety, uptime, and traceability while still enforcing strong control over engineers, vendors, and maintenance workflows.
  • Just-in-Time Access: Just-in-Time access is a model where credentials or permissions are issued only when needed and automatically removed after the task is complete. For OT, the value is reducing standing exposure while preserving operational continuity through short-lived, attributable sessions.
  • Traceability: Traceability is the ability to reconstruct who accessed a system, when they did it, and what authority they used. In OT governance, it is the difference between being connected and being able to prove control, which is central to audit readiness and incident investigation.

Deepen your knowledge

OT identity governance, remote access control, and session traceability are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance programme for industrial environments, it is worth exploring.

This post draws on content published by SSH Communications Security: zero trust access control for OT environments. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-31.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org