
Device identity lifecycle management in OT: what IAM teams miss


(@nhi-mgmt-group)
Member Moderator
Topic starter  

TL;DR: Industrial and IoT environments need lifecycle management for device identity, certificates, and protected keys because remote maintenance, long device lifetimes, and heterogeneous brownfield and greenfield estates make conventional IT assumptions brittle, according to DigiCert. The control problem is not just security by design; it is sustained trust across onboarding, operations, updates, and retirement.

NHIMG editorial — based on content published by DigiCert: How Technology is Transforming Industries in the Digital Era

By the numbers:

  • Deployment cycles in OT can stretch to 12 to 18 months, compared with monthly cycles in IT.
  • Device lifetimes can reach 15 to 30 years in OT, compared with three to five years for IT equipment.

Questions worth separating out

Q: How should security teams govern device identities across long OT lifecycles?

A: Security teams should manage device identities as lifecycle assets, not as one-time onboarding events.

Q: Why do OT devices complicate certificate governance more than standard IT assets?

A: OT devices often remain in service for years longer than IT endpoints, yet they still depend on trustworthy keys and certificates for access, updates, and telemetry.

Q: What breaks when device identity is treated like a deployment-only control?

A: When identity ends at deployment, teams lose visibility into renewal, update trust, and retirement.

Practitioner guidance

  • Map every device identity lifecycle stage: document how devices are identified at manufacture, onboarded, maintained, updated, and retired.
  • Standardise certificate handling for long-lived devices: define issuance, renewal, revocation, and storage rules that match OT uptime constraints and device longevity.
  • Require provenance for update workflows: verify that update paths preserve device provenance, integrity, and compatibility across OEMs and field device classes.

What's in the full article

DigiCert's full article covers the operational detail this post intentionally leaves for the source:

  • How OT and IT differ across patch cadence, device lifetime, and update workflows in heterogeneous fleets
  • Specific device identity and certificate handling patterns for headless equipment and remote maintenance
  • Why factory-default passwords, local key storage, and PUF-backed roots of trust matter for device assurance
  • The operational constraints that make interoperability and non-disruptive deployment difficult in brownfield environments

👉 Read DigiCert's analysis of device lifecycle management and digital trust in OT →

(@mr-nhi)
Member Moderator

Device identity lifecycle is the control plane for OT trust: In industrial environments, the question is not whether a device can authenticate once, but whether its identity remains authoritative through years of maintenance, updates, and ownership change. That makes lifecycle governance the primary control plane, not a side task attached to PKI. Practitioners should treat onboarding, renewal, update integrity, and retirement as one continuous trust process.

A few things that frame the scale:

  • The recurring cost of certificates can protect millions of devices over their estimated service lifetime of five to 30+ years, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: How do you know if industrial identity controls are actually working?

A: You know controls are working when each device can be traced from authoritative issuance through active use to retirement, and when certificate renewal, revocation, and update validation happen without improvised exceptions. If teams cannot prove that chain for a device class, governance is incomplete even if the devices are still online.

👉 Read our full editorial: Industrial device identity needs lifecycle governance, not point fixes

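The "traceable chain from issuance to retirement" test described in the reply above, and the issuance/renewal/revocation rules from the practitioner guidance, can be expressed as a fleet audit. This is an added example, not code from the thread or from DigiCert; the inventory fields, the 90-day renewal window and the sample device records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from math import ceil

@dataclass
class DeviceRecord:
    device_id: str
    stage: str                  # "onboarded", "active" or "retired"
    cert_issued: date           # issuance date of the current certificate
    cert_expires: date          # expiry date of the current certificate
    cert_revoked: bool          # whether that certificate has been revoked
    update_provenance_ok: bool  # last firmware update validated against signed provenance

def audit_lifecycle(devices, today, renewal_window_days=90):
    """Return (device_id, finding) pairs where the identity trust chain is broken."""
    findings = []
    for d in devices:
        if d.stage == "retired":
            # Retirement must end the identity: a live cert on a retired device is a gap.
            if not d.cert_revoked:
                findings.append((d.device_id, "retired but certificate not revoked"))
            continue
        if d.cert_revoked:
            findings.append((d.device_id, "in service with a revoked certificate"))
        if d.cert_expires <= today:
            findings.append((d.device_id, "certificate expired while in service"))
        elif (d.cert_expires - today).days <= renewal_window_days:
            findings.append((d.device_id, "certificate inside renewal window"))
        if not d.update_provenance_ok:
            findings.append((d.device_id, "last update lacks verified provenance"))
    return findings

def renewals_over_service_life(service_years, cert_validity_days):
    """Renewals (certificates beyond the initial one) needed across a device's service life."""
    return ceil(service_years * 365 / cert_validity_days) - 1

# Constructed sample inventory for the audit; these are not real devices.
TODAY = date(2025, 6, 1)
SAMPLE_FLEET = [
    DeviceRecord("plc-0001", "active", date(2024, 7, 1), date(2025, 7, 1), False, True),   # renewal due
    DeviceRecord("hmi-0002", "active", date(2023, 1, 1), date(2024, 1, 1), False, True),   # expired
    DeviceRecord("rtu-0003", "retired", date(2022, 1, 1), date(2032, 1, 1), False, True),  # not revoked
    DeviceRecord("gw-0004", "active", date(2025, 1, 1), date(2026, 1, 1), False, False),   # no provenance
    DeviceRecord("sens-0005", "active", date(2025, 1, 1), date(2026, 1, 1), False, True),  # clean
]

if __name__ == "__main__":
    for device_id, finding in audit_lifecycle(SAMPLE_FLEET, TODAY):
        print(device_id, finding)
    print("renewals for a 30-year device on 1-year certs:", renewals_over_service_life(30, 365))
```

The renewal count makes the longevity point concrete: a 30-year OT device on one-year certificates needs 29 renewals, every one of which must happen without an improvised exception.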