Device protection by sector: are your secrets controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8403
Topic starter  

TL;DR: IoT and operational technology security must shift from bolted-on controls to baked-in identity, secrets protection, certificate rotation, tamper-resistant supply chains, and auditable recovery, according to DigiCert, because sector risks now differ by device class and operational context. For IAM, NHI, and lifecycle teams, the message is that device identity governance is a programmatic control plane, not a point fix.

NHIMG editorial — based on content published by DigiCert: The Elixir of Things: Strategies for Device Protection by Sector

By the numbers:

Questions worth separating out

Q: How should security teams protect device identities in connected environments?

A: They should treat each device credential as a governed identity with an owner, a purpose, and a lifecycle.

Q: Why do digital secrets create such large risk in IoT and OT?

A: Digital secrets create large risk because they are the proof mechanism for device trust.

Q: What breaks when device security is added after deployment?

A: Retrofit security usually breaks alignment between identity, maintenance, and operational reality.

Practitioner guidance

  • Inventory device trust anchors by sector: Catalogue which devices rely on passwords, keys, certificates, or hardware roots of trust, then assign an owner and lifecycle policy to each trust anchor.
  • Make certificate rotation operational, not occasional: Set renewal triggers for X.509 certificates and other device secrets based on risk, maintenance windows, and device criticality.
  • Require tamper-resistant update delivery: Validate that firmware, configuration, and software updates are signed, traceable, and verifiable before they reach field devices.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Sector-by-sector device protection strategies for process control, transportation, aviation, healthcare, media, defense, printing, telecommunications, and energy.
  • Specific examples of how X.509 certificates, remote recovery, and tamper-resistant delivery are applied across different device classes.
  • The vendor's own framing of what manufacturers, operators, and service providers should do across the IoT supply chain.
  • Additional context on how the same trust model changes across brownfield and greenfield deployments.

👉 Read DigiCert's sector analysis of device protection strategies →
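As an added example (not DigiCert's or NHIMG's code) of the first two guidance items above, the following Python policy check treats each device trust anchor as an owned, lifecycle-governed record and decides when rotation is due from a criticality-based lead time and the device's maintenance windows. The device names, lead-time values and maintenance windows are constructed for illustration and are not taken from the article.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Days before expiry at which rotation must be scheduled, by device
# criticality. Assumed policy values for this example, not DigiCert's.
LEAD_TIME_DAYS = {"high": 90, "medium": 45, "low": 14}

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass
class TrustAnchor:
    device_id: str
    anchor_type: str            # "x509", "key", "password", "hw_root"
    owner: str                  # empty string = no accountable owner
    criticality: str            # "high" | "medium" | "low"
    not_after: datetime         # credential expiry (UTC)
    maintenance_windows: list = field(default_factory=list)

def rotation_decision(anchor, now):
    """Return (action, when) for one trust anchor.
    assign_owner: governance gap, nothing can be scheduled safely
    rotate_now:   expired, or no maintenance window before expiry
    schedule:     rotate in the first window inside the lead-time period
    ok:           not yet due; 'when' is the date it enters the lead-time period
    """
    if not anchor.owner:
        return "assign_owner", now
    if now >= anchor.not_after:
        return "rotate_now", now
    deadline = anchor.not_after - timedelta(days=LEAD_TIME_DAYS[anchor.criticality])
    if now < deadline:
        return "ok", deadline
    windows = sorted(w for w in anchor.maintenance_windows if now <= w < anchor.not_after)
    return ("schedule", windows[0]) if windows else ("rotate_now", now)

def plan_rotations(inventory, now):
    """Map device_id -> (action, when) for a whole inventory."""
    return {a.device_id: rotation_decision(a, now) for a in inventory}

# Constructed sample inventory (not real devices).
NOW = utc(2025, 1, 1)
INVENTORY = [
    TrustAnchor("plc-01", "x509", "ot-team", "high", utc(2025, 3, 15), [utc(2025, 1, 20), utc(2025, 4, 1)]),
    TrustAnchor("pump-07", "key", "ot-team", "low", utc(2025, 6, 1)),
    TrustAnchor("cam-22", "x509", "facilities", "medium", utc(2025, 1, 30), [utc(2025, 2, 10)]),
    TrustAnchor("gw-03", "password", "", "high", utc(2024, 12, 1)),
]
```

Calling `plan_rotations(INVENTORY, NOW)` schedules plc-01 for its 20 January window, leaves pump-07 alone until mid-May, forces cam-22 to rotate out of band because its only window falls after expiry, and flags gw-03 as ungoverned before any rotation is attempted.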


(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7695

Security for connected devices fails when organisations treat trust as a perimeter property. DigiCert’s sector framing reinforces a core identity lesson: the device, the key, the certificate, and the maintenance channel are one governance chain. If any one link is bolted on after deployment, the whole chain inherits uncertainty. Practitioners should read this as a lifecycle problem, not a network problem.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

A question worth separating out:

Q: Which frameworks should guide device identity and trust governance?

A: NIST Cybersecurity Framework 2.0 and Zero Trust Architecture are useful starting points because they emphasise continuous protection, identity-aware control, and resilience. For device-heavy programmes, NHI lifecycle thinking also helps teams manage secrets, certificates, and revocation as governed assets rather than one-off technical tasks.

👉 Read our full editorial: Device protection by sector: why identity and secrets must be baked in
