TL;DR: Operational technology environments are shifting from isolated systems to connected IT, IoT, and cloud architectures, which expands attack surface and raises the need for continuous verification, just-in-time privilege, and monitored remote access, according to SSH Communications Security. The governance problem is no longer network location, but whether every machine, vendor, and session can be trusted only for the exact task and duration required.
At a glance
What this is: OT security is moving from perimeter assumptions to zero trust identity controls for ICS, SCADA, and remote access.
Why it matters: OT access now depends on the same governance disciplines used for NHI, autonomous systems, and human access, namely privilege scope, session assurance, and offboarding.
👉 Read SSH Communications Security's analysis of zero trust access for OT environments
Context
Operational technology environments now behave less like isolated control networks and more like identity-dependent access planes. Once IT, IoT, and cloud connectivity enter the picture, the old assumption that network location equals safety stops holding for ICS, SCADA, and other critical systems.
That shift turns OT security into an identity governance problem as much as an engineering problem. Remote maintenance, third-party access, and privileged command paths all need tighter control because compromise now arrives through credentials, sessions, and integrations rather than only through the perimeter.
Key questions
Q: How should security teams implement just-in-time access for OT environments?
A: Start by mapping privileged tasks, maintenance windows, and approvers for every OT system. Then remove permanent elevation, issue access only for the specific session, and force automatic expiry after the work is complete. JIT works in OT only when identity, ticketing, and session monitoring are tied together.
Q: Why does remote vendor access increase risk in industrial environments?
A: Remote vendor access increases risk because it extends trust beyond the plant boundary and often relies on credentials that outlive the session. If those credentials are static or broadly reusable, they become a durable entry point into ICS and SCADA systems. The risk is not the vendor relationship itself, but uncontrolled privilege scope.
Q: What breaks when OT teams keep using permanent privileged accounts?
A: Permanent privileged accounts break the zero trust assumption that access should be granted only when needed and only for a known purpose. They create standing pathways for misuse, make revocation slower, and leave too much authority attached to too few identities. In OT, that also increases safety and compliance exposure.
Q: Who is accountable when a third-party OT session is abused?
A: Accountability sits with the organisation that allowed the access path to exist and the governance process that failed to constrain it. In practice, that means IAM, PAM, OT operations, and vendor management must share responsibility for approval, monitoring, and revocation. NIS2 and IEC 62443 both expect traceable control ownership.
Technical breakdown
Just-in-time privileged access for OT sessions
Just-in-time privileged access grants elevated permissions only for the task at hand and expires them automatically after use. In OT, that matters because privileged commands often have immediate operational impact and standing access creates a durable target for attackers. JIT changes the access model from persistent entitlement to session-scoped privilege, which is closer to how zero trust expects access to behave. It also supports auditability because the access window is explicit and bounded rather than hidden inside a permanent role assignment.
Practical implication: replace standing OT admin access with task-scoped JIT approval and session expiry controls.
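The session-scoped grant model described above, as an added example that is not part of the article or of SSH Communications Security's products: a small Python broker that binds every elevation to one subject, one OT asset, one task, one ticket and one approver, caps the window by policy, refuses self-approval, and records every decision as audit evidence. The asset and ticket names, the approver set, the four-hour ceiling and the clock are assumptions made for the demo.

```python
"""Added example (not from the article or from SSH Communications Security):
a minimal just-in-time privilege broker for OT sessions. Every grant is bound
to one subject, one target asset, one task, one ticket and one approver, and
stops authorising anything at expiry or revocation. Asset, ticket and approver
names and the clock are constructed for the demo."""
from __future__ import annotations

import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

T0 = datetime(2025, 9, 16, 8, 0, tzinfo=timezone.utc)  # constructed clock for the demo


@dataclass
class JitGrant:
    grant_id: str
    subject: str         # operator or vendor identity being elevated
    target: str          # the single OT asset the elevation applies to
    task: str            # the task the elevation was approved for
    ticket: str          # maintenance or change ticket backing the request
    approver: str
    issued_at: datetime
    expires_at: datetime
    revoked_at: datetime | None = None

    def is_active(self, now: datetime) -> bool:
        return self.revoked_at is None and self.issued_at <= now < self.expires_at


class JitBroker:
    MAX_WINDOW = timedelta(hours=4)  # constructed policy ceiling for a single grant

    def __init__(self, approvers_by_target: dict[str, set[str]]):
        self._approvers = approvers_by_target
        self._grants: dict[str, JitGrant] = {}
        self.audit: list[dict] = []  # every decision is recorded here as evidence

    def _log(self, event: str, now: datetime, **fields) -> None:
        self.audit.append({"ts": now.isoformat(), "event": event, **fields})

    def request(self, subject: str, target: str, task: str, ticket: str,
                approver: str, minutes: int, now: datetime) -> JitGrant:
        # Issue a session-scoped grant, or refuse if any binding is missing.
        if approver == subject:
            self._log("deny", now, subject=subject, target=target, reason="self-approval")
            raise PermissionError("self-approval is not allowed")
        if approver not in self._approvers.get(target, set()):
            self._log("deny", now, subject=subject, target=target, reason="approver not authorised")
            raise PermissionError(f"{approver} cannot approve access to {target}")
        window = timedelta(minutes=minutes)
        if not timedelta(0) < window <= self.MAX_WINDOW:
            self._log("deny", now, subject=subject, target=target, reason="window outside policy")
            raise ValueError("requested window outside policy")
        grant = JitGrant(uuid.uuid4().hex, subject, target, task, ticket, approver, now, now + window)
        self._grants[grant.grant_id] = grant
        self._log("grant", now, grant_id=grant.grant_id, subject=subject, target=target,
                  task=task, ticket=ticket, approver=approver, expires_at=grant.expires_at.isoformat())
        return grant

    def authorize(self, grant_id: str, subject: str, target: str, now: datetime) -> bool:
        # Per-session check: grant exists, matches subject and target, and is inside its window.
        g = self._grants.get(grant_id)
        ok = g is not None and g.subject == subject and g.target == target and g.is_active(now)
        self._log("allow" if ok else "deny", now, grant_id=grant_id, subject=subject, target=target)
        return ok

    def revoke(self, grant_id: str, now: datetime, reason: str) -> None:
        g = self._grants[grant_id]
        if g.revoked_at is None:
            g.revoked_at = now
            self._log("revoke", now, grant_id=grant_id, reason=reason)

    def active_grants(self, now: datetime) -> list[JitGrant]:
        # Standing privilege at this instant; under JIT this list should be short and dated.
        return [g for g in self._grants.values() if g.is_active(now)]


def run_demo() -> dict:
    """Walk one vendor session through grant, use, revocation and expiry."""
    broker = JitBroker({"plc-line3": {"ot-supervisor"}})
    g = broker.request("vendor-eng", "plc-line3", "firmware-patch", "CHG-1001", "ot-supervisor", 30, T0)
    m = lambda k: T0 + timedelta(minutes=k)
    out = {
        "inside_window": broker.authorize(g.grant_id, "vendor-eng", "plc-line3", m(10)),
        "at_expiry": broker.authorize(g.grant_id, "vendor-eng", "plc-line3", m(30)),
        "wrong_target": broker.authorize(g.grant_id, "vendor-eng", "hmi-line3", m(10)),
        "wrong_subject": broker.authorize(g.grant_id, "contractor", "plc-line3", m(10)),
    }
    try:
        broker.request("vendor-eng", "plc-line3", "firmware-patch", "CHG-1002", "vendor-eng", 30, T0)
        out["self_approval_refused"] = False
    except PermissionError:
        out["self_approval_refused"] = True
    broker.revoke(g.grant_id, m(12), reason="session monitor flagged an unsafe command")
    out["after_revoke"] = broker.authorize(g.grant_id, "vendor-eng", "plc-line3", m(13))
    out["standing_after_window"] = len(broker.active_grants(m(31)))
    out["audit_events"] = [e["event"] for e in broker.audit]
    return out
```

The point of `active_grants` is the review question the paragraph raises: under a JIT model the answer at any instant is a short list of dated, ticket-backed grants rather than a role membership that nobody remembers approving. Calling `run_demo()` shows the grant admitting a session inside its window, refusing it at expiry, on the wrong asset, for the wrong subject and after revocation, with the audit list holding one entry per decision.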
Ephemeral certificates and passwordless remote access
Ephemeral authentication replaces long-lived passwords and SSH keys with short-lived certificates issued in real time by a trusted authority. In distributed OT environments, this reduces the chance that stolen credentials can be replayed across plants, vendors, or maintenance windows. The model also fits better with X.509 and OpenSSH-style workflows because the identity proof is temporary and tied to the current session. This is especially relevant where remote access must remain usable without leaving durable secrets behind.
Practical implication: issue short-lived certificates for remote OT access instead of relying on static passwords or reusable SSH keys.
Continuous monitoring and governance for critical systems
Continuous monitoring in OT combines session recording, behavioural analytics, and policy enforcement to detect unsafe activity while it is still in progress. This is important because OT access often involves third parties, high privilege, and safety-sensitive commands that cannot wait for post-incident review. When access is logged in real time, teams can correlate identity, device, and session context with the specific action taken. That creates an evidentiary trail for compliance frameworks such as IEC 62443 and NIS2, but the technical value is faster containment.
Practical implication: monitor OT privileged sessions in real time and retain audit-ready evidence for every remote connection.
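An added example, not from the article or from SSH Communications Security, of the correlation the paragraph describes: a Python monitor replays recorded session events, checks each one against the approval context that opened the session (identity, asset, time window) and a constructed list of safety-sensitive command patterns, and terminates on the first violation so that later events for that session are dropped. The log lines, session ids, identities, asset names, ticket numbers and command names are all constructed for the demo.

```python
"""Added example, not from the article or from SSH Communications Security:
an in-flight monitor over recorded OT session events. Every event is checked
against the approval that opened the session (identity, target asset, time
window) and against a constructed list of safety-sensitive command patterns;
the first violation terminates the session and later events for it are
dropped. Session ids, identities, asset names, commands and the log itself
are constructed for the demo."""
import json
import re

# Approval context per session: who was approved, for which asset, for which window (epoch seconds)
APPROVALS = {
    "S-7f3a": {"identity": "vendor-eng", "target": "plc-line3", "window": (1758000000, 1758001800), "ticket": "CHG-1001"},
    "S-2c44": {"identity": "ops-eng", "target": "hmi-line3", "window": (1758000000, 1758000600), "ticket": "CHG-1004"},
}

# Constructed command patterns whose effect on the process is immediate
SAFETY_SENSITIVE = [re.compile(p) for p in (
    r"^write_setpoint\b", r"^force_output\b", r"^stop_controller\b", r"^download_logic\b")]

# Constructed session recorder output: one JSON object per line, already ordered by time
SESSION_LOG = """\
{"ts":1758000120,"session":"S-7f3a","identity":"vendor-eng","target":"plc-line3","cmd":"read_status --unit 3"}
{"ts":1758000300,"session":"S-7f3a","identity":"vendor-eng","target":"plc-line3","cmd":"read_diag --unit 3"}
{"ts":1758000400,"session":"S-2c44","identity":"ops-eng","target":"hmi-line3","cmd":"read_status"}
{"ts":1758000500,"session":"S-7f3a","identity":"vendor-eng","target":"plc-line3","cmd":"force_output --coil 12 --value 1"}
{"ts":1758000600,"session":"S-7f3a","identity":"vendor-eng","target":"plc-line3","cmd":"read_status"}
{"ts":1758000700,"session":"S-9b10","identity":"contractor","target":"plc-line3","cmd":"read_status"}
{"ts":1758000900,"session":"S-2c44","identity":"ops-eng","target":"hmi-line3","cmd":"write_setpoint --tag T1 --value 90"}
"""


def evaluate(event: dict, approvals: dict, terminated: set) -> tuple:
    """Return (decision, reason) for one event; decision is allow, terminate or dropped."""
    sid = event["session"]
    if sid in terminated:
        return "dropped", "session already terminated"
    appr = approvals.get(sid)
    if appr is None:
        return "terminate", "no approval record for session"
    if event["identity"] != appr["identity"]:
        return "terminate", "identity does not match approval"
    if event["target"] != appr["target"]:
        return "terminate", "target outside approved scope"
    start, end = appr["window"]
    if not start <= event["ts"] < end:
        return "terminate", "command outside approved window"
    for pat in SAFETY_SENSITIVE:
        if pat.search(event["cmd"]):
            return "terminate", f"safety-sensitive command matched {pat.pattern}"
    return "allow", "within approved scope"


def monitor(log_text: str, approvals: dict = APPROVALS) -> list:
    """Stream the log, keep terminated sessions closed, and return one verdict per event."""
    terminated, verdicts = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        decision, reason = evaluate(ev, approvals, terminated)
        if decision == "terminate":
            terminated.add(ev["session"])
        verdicts.append({"ts": ev["ts"], "session": ev["session"], "identity": ev["identity"],
                         "ticket": approvals.get(ev["session"], {}).get("ticket"),
                         "cmd": ev["cmd"], "decision": decision, "reason": reason})
    return verdicts


def summarize(verdicts: list) -> dict:
    """Counts per decision, the shape a dashboard or audit export would want."""
    counts = {}
    for v in verdicts:
        counts[v["decision"]] = counts.get(v["decision"], 0) + 1
    return counts


if __name__ == "__main__":
    for v in monitor(SESSION_LOG):
        print(f'{v["ts"]} {v["session"]} {v["identity"]:<11} {v["decision"]:<9} {v["reason"]}: {v["cmd"]}')
    print(summarize(monitor(SESSION_LOG)))
```

Each verdict carries the identity, ticket and command together, which is the evidence shape the paragraph asks for: a reviewer can see not only that a session was cut, but which approval it was operating under and which command crossed the line. Run over the constructed log, the vendor session is allowed two read-only commands and terminated on the forced output, the unapproved contractor session is terminated at its first command, and the second session is terminated because its command arrived after its approved window closed.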
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Codefinger AWS S3 ransomware attack — Codefinger used compromised AWS credentials to encrypt S3 buckets via SSE-C.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
OT zero trust is no longer just a network design choice; it is identity governance for machine-to-machine access. As OT environments connect to IT, cloud, and vendor ecosystems, the trust boundary shifts from the perimeter to the session. That makes access scope, credential lifetime, and session monitoring the core governance variables. Practitioners should treat OT as a controlled identity plane, not a protected subnet.
Standing credential exposure window: This article exposes the assumption that privileged OT access can remain present until someone notices misuse. That assumption was designed for slower, more isolated operational environments. It fails when remote access, third-party support, and cloud-linked integrations make credentials continuously reachable. The implication is that access review alone cannot describe the risk surface if privilege exists by default.
Zero Trust for OT validates least privilege, but it also raises the bar for operational discipline. JIT access, ephemeral certificates, and continuous verification reduce blast radius only when entitlement governance, session policy, and device trust are aligned. A partial implementation can still leave vendor tunnels, shared admin paths, or unmanaged service identities outside the control model. Practitioners should re-evaluate whether their OT programme governs identity, not just connectivity.
Managed remote access becomes a compliance and safety control, not just an admin convenience. In critical infrastructure, session recording and real-time termination are part of the governance evidence chain, especially where auditors expect traceability under IEC 62443 and NIS2. Teams that rely on informal vendor access or permanent maintenance accounts are carrying hidden operational debt. The practical conclusion is that access pathways must be engineered as controlled, reviewable workflows.
The OT identity model now overlaps with NHI governance because many of the same failure modes apply. Service-like credentials, short-lived authentication, third-party connectivity, and machine access all behave like non-human identities even when the asset is operational equipment. That means OT teams should borrow NHI governance language for credential scope, lifecycle, and revocation. Practitioners should stop treating OT access as a special case and start managing it as machine identity at criticality scale.
From our research:
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, according to The 2026 Infrastructure Identity Survey.
- The same survey found that only 44% of organisations have implemented any policies to manage their AI agents, even though 92% agree governance is critical to enterprise security.
- For adjacent guidance, the Ultimate Guide to NHIs, Key Challenges and Risks shows why unmanaged credentials, sprawl, and over-privilege keep recurring across machine identity programmes.
What this signals
Standing access is the wrong default for connected OT. As remote maintenance becomes routine, identity governance has to move closer to the session and away from the perimeter. Teams that still treat vendor connectivity as exceptional are likely to miss the point where privilege should expire.
Privilege scope is now the control variable that matters most. With 70% of organisations granting AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey, the same over-entitlement pattern is likely to surface wherever machine access is left to convenience.
Managed remote access is becoming part of operational resilience. OT programmes that can record, verify, and terminate sessions on demand will be better positioned for audit, incident containment, and vendor oversight. The governance pattern is converging with NHI lifecycle control, not diverging from it.
For practitioners
- Replace standing OT admin access with JIT workflows: Map every privileged OT path to a task, approver, and expiration condition. Remove permanent elevation where operators or vendors do not need continuous access, and require re-authorization for each new session.
- Issue ephemeral certificates for remote maintenance: Phase out reusable SSH keys and static passwords for vendor and engineer access. Use short-lived certificates issued by a trusted authority so that a stolen credential cannot persist across multiple maintenance windows.
- Enforce session monitoring on all third-party connections: Record privileged sessions, correlate commands with identity context, and enable immediate termination for risky behaviour. This is especially important where external support teams can reach ICS or SCADA systems through remote tunnels.
- Align OT access governance with compliance evidence: Retain access logs, approval records, and session artefacts in a form that supports audit requirements under IEC 62443 and NIS2. Treat evidence capture as part of the access design, not as a separate reporting task.
Key takeaways
- OT environments now face identity-driven exposure because IT, IoT, cloud, and third-party access have replaced the old isolated model.
- Standing credentials and permanent privileged accounts are the main structural weakness because they outlast the task and widen the blast radius.
- JIT access, ephemeral certificates, and monitored sessions are the controls that convert OT access from persistent trust into bounded governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the technical controls, while NIS2 defines the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | Zero Trust Architecture | Zero trust and continuous verification are the article's core access model. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access management directly match OT JIT control design. |
| NIS2 | | The article ties OT access governance to critical-infrastructure compliance. |
Map OT privileged access to least-privilege controls and review entitlement scope regularly.
Key terms
- Just-in-time privileged access: A model that grants elevated permissions only when a specific task requires them and removes them automatically after use. In OT, it limits the lifespan of high-risk access and reduces the number of sessions an attacker can hijack or reuse.
- Ephemeral certificate: A short-lived digital credential issued for a current session rather than stored for long-term reuse. In connected OT environments, ephemeral certificates reduce the value of stolen credentials and provide a cleaner control point for remote authentication and revocation.
- Managed remote access: A governed method for third-party or internal users to reach critical systems through approved authentication, monitoring, and policy controls. In OT, it turns vendor connectivity into a traceable identity workflow instead of an informal exception path.
- Standing privilege: Persistent elevated access that remains available outside a specific task or session. In OT this is particularly risky because long-lived admin rights create a durable path into sensitive control systems and make revocation slower when risk changes.
Deepen your knowledge
OT identity governance and zero trust access are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending machine identity controls into industrial environments, it is a strong place to build that foundation.
This post draws on content published by SSH Communications Security: Operational Technology environments and zero trust security. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org