TL;DR: OT environments are increasingly connected to corporate networks and remote providers, but VPN sprawl, persistent credentials, weak visibility, and incomplete audit trails still make compliance with IEC 62443 and NIS2 difficult, according to SSH Communications Security. Granular, task-based access with JIT and session logging shifts OT identity governance from broad trust to verifiable, least-privilege control.
NHIMG editorial — based on content published by SSH Communications Security: zero trust access control for OT environments
Questions worth separating out
Q: How should security teams reduce OT remote access risk without blocking maintenance work?
A: Use task-based access that grants the smallest practical privilege for the shortest useful duration, then records the session centrally.
Q: Why do persistent credentials create so much OT compliance risk?
A: Persistent credentials blur the boundary between approved maintenance and residual access, which makes it hard to prove when authority started and ended.
Q: How can organisations tell whether OT access controls are actually working?
A: Look for evidence that access is issued only on demand, expires automatically, and can be tied to a named user, task, and session record.
Practitioner guidance
- Replace shared OT credentials with named, task-scoped identities. Map every engineer, vendor, and maintenance workflow to an individual identity so access can be attributed, reviewed, and revoked without ambiguity.
- Enforce Just-in-Time access for maintenance windows. Issue short-lived credentials only for approved work and expire them automatically when the maintenance task ends, including vendor support sessions.
- Centralize session logging across IT and OT assets. Record who accessed which system, what was done, and when the session started and ended so audit evidence is available in one place.
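The three guidance points above only hold up if someone can reconcile the session record against the access grant after the fact. The script below is an added example written for this editorial; it is not code from SSH Communications Security or PrivX, and the JSON-lines export layout (grant_id, task, targets, expires_at, recording) and the shared-account prefixes are assumptions made for illustration. It checks each constructed session for a named user, a matching JIT grant, a bounded grant lifetime, activity inside the grant window, target scope, and a recording, which is the evidence list from the Q&A above.

```python
"""Reconcile OT session records against Just-in-Time access grants.

Added example for this editorial, not code from SSH Communications Security
or PrivX. The record layout and the SHARED_ACCOUNT_PREFIXES list are
hypothetical; a real PAM export will differ.
"""
import json
from datetime import datetime, timedelta

# Constructed sample data: two JIT grants and four session records as JSON lines.
# G-2 has no expiry, i.e. it is a standing credential rather than a JIT grant.
GRANT_LINES = """
{"grant_id": "G-1", "user": "j.doe@vendor.example", "task": "WO-4411", "targets": ["plc-line3"], "issued_at": "2024-05-02T08:00:00+00:00", "expires_at": "2024-05-02T12:00:00+00:00"}
{"grant_id": "G-2", "user": "eng.smith", "task": "WO-4420", "targets": ["hmi-2"], "issued_at": "2024-05-02T13:00:00+00:00", "expires_at": null}
""".strip()

SESSION_LINES = """
{"session_id": "S-1", "user": "j.doe@vendor.example", "grant_id": "G-1", "task": "WO-4411", "target": "plc-line3", "start": "2024-05-02T08:15:00+00:00", "end": "2024-05-02T09:40:00+00:00", "recording": "rec-0001"}
{"session_id": "S-2", "user": "j.doe@vendor.example", "grant_id": "G-1", "task": "WO-4411", "target": "plc-line3", "start": "2024-05-02T12:30:00+00:00", "end": "2024-05-02T13:10:00+00:00", "recording": "rec-0002"}
{"session_id": "S-3", "user": "shared-ot-admin", "grant_id": null, "task": null, "target": "scada-hist", "start": "2024-05-02T14:00:00+00:00", "end": "2024-05-02T14:20:00+00:00", "recording": null}
{"session_id": "S-4", "user": "eng.smith", "grant_id": "G-2", "task": "WO-4420", "target": "hmi-2", "start": "2024-05-02T13:05:00+00:00", "end": "2024-05-02T13:30:00+00:00", "recording": "rec-0003"}
""".strip()

# Assumed naming convention for shared/service accounts that cannot be attributed to a person.
SHARED_ACCOUNT_PREFIXES = ("shared-", "svc-")


def parse_ts(value):
    """Parse an ISO-8601 timestamp with offset; None stays None (no expiry)."""
    return None if value is None else datetime.fromisoformat(value)


def load_lines(text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_sessions(grants, sessions, max_grant=timedelta(hours=8)):
    """Return {session_id: [issue codes]}.

    An empty list means the session is attributable to a named user, tied to a
    task-scoped JIT grant, inside that grant's window and scope, and recorded.
    """
    grant_by_id = {g["grant_id"]: g for g in grants}
    findings = {}
    for s in sessions:
        issues = []
        user = s.get("user") or ""
        if not user or user.startswith(SHARED_ACCOUNT_PREFIXES):
            issues.append("no_named_user")
        grant = grant_by_id.get(s.get("grant_id"))
        if grant is None:
            issues.append("no_jit_grant")
        else:
            issued, expires = parse_ts(grant["issued_at"]), parse_ts(grant["expires_at"])
            start, end = parse_ts(s["start"]), parse_ts(s["end"])
            if expires is None:
                # A grant with no expiry is a persistent credential, not JIT access.
                issues.append("persistent_credential")
            else:
                if expires - issued > max_grant:
                    issues.append("grant_exceeds_max_duration")
                if start < issued or end > expires:
                    issues.append("session_outside_grant_window")
            if grant["user"] != user:
                issues.append("user_mismatch")
            if grant["task"] != s.get("task"):
                issues.append("task_mismatch")
            if s.get("target") not in grant["targets"]:
                issues.append("target_out_of_scope")
        if not s.get("recording"):
            issues.append("no_session_recording")
        findings[s["session_id"]] = issues
    return findings


def summarize(findings):
    """Count clean versus flagged sessions for a compliance summary."""
    flagged = sum(1 for issues in findings.values() if issues)
    return {"sessions": len(findings), "flagged": flagged, "clean": len(findings) - flagged}


if __name__ == "__main__":
    results = audit_sessions(load_lines(GRANT_LINES), load_lines(SESSION_LINES))
    for sid, issues in results.items():
        print(sid, "OK" if not issues else ", ".join(issues))
    print(summarize(results))
```

Run as-is, S-1 passes, S-2 is flagged for running past its grant's expiry, S-3 is flagged three times (shared account, no grant, no recording), and S-4 is flagged because its grant never expires. The point is that each finding maps to one of the guidance items above, so the same reconciliation can be handed to an auditor as evidence rather than as a policy statement.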
What's in the full article
SSH Communications Security's full article covers the operational detail this post intentionally leaves for the source:
- How PrivX OT is positioned to control, monitor, log, and record access across mixed IT and OT environments
- The article's practical framing for supporting industrial protocols and legacy environments during remote maintenance
- The specific way the source ties JIT access to compliance reporting for IEC 62443 and NIS2
- The vendor's explanation of how centralized access management reduces operational friction in critical sectors
👉 Read SSH Communications Security's article on zero trust access control for OT environments →
OT zero trust access control: what IAM teams need to know
Explore further
OT identity governance has moved from perimeter control to session control. The old assumption was that a VPN session could stand in for trust across industrial environments. That assumption no longer holds when vendors, engineers, and integrators all need narrow, time-bound access to critical systems. The implication is that OT programmes must treat access scope and session visibility as first-class governance objects, not network by-products.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to Astrix Security & CSA.
A question worth separating out:
Q: Who is accountable when OT remote access cannot be traced after the fact?
A: Accountability sits with the operating organisation, because auditors and regulators expect it to prove who accessed critical systems and under what authority. In practice, that means security, OT operations, and compliance must share one access record and one revocation process. If no one can reconstruct the session, the governance model has already failed.
👉 Read our full editorial: Zero trust access control for OT environments is closing compliance gaps