TL;DR: Industrial IoT growth expands the attack surface because connected machines, sensors, and proprietary controllers still depend on uneven authentication, legacy protocols, and fragile supply chain controls, according to DigiCert. The security problem is not connectivity itself but the identity and trust model built around it.
NHIMG editorial — based on content published by DigiCert: Three Challenges for the Industrial IoT
Questions worth separating out
Q: How should security teams govern identity for industrial IoT devices?
A: Security teams should govern industrial IoT identity by treating each device as a managed non-human identity with a defined certificate, ownership, and lifecycle.
Q: Why do legacy industrial controllers create security risk in connected factories?
A: Legacy industrial controllers create risk because many were designed for isolated networks and cannot participate cleanly in modern authentication, logging, or policy enforcement.
Q: How can organisations tell whether their IIoT trust model is working?
A: A workable IIoT trust model produces clear answers to three questions: which assets have verifiable identities, who can remotely control them, and how trust is revoked when a device changes state.
Practitioner guidance
- Map every industrial asset to an identity control model: classify each connected machine, sensor, and controller by whether it can support certificates, logging, and revocation.
- Tie certificate lifecycle to device lifecycle: connect issuance, renewal, and revocation to onboarding and decommissioning workflows so device trust does not persist after a unit is retired or replaced.
- Require provenance evidence before production deployment: ask suppliers for firmware, hardware, and software provenance details during procurement and acceptance testing.
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- How DigiCert frames PKI as a control for secure communication between IIoT devices, sensors, and machines.
- The article's discussion of implementation challenges for older devices that use proprietary protocols and cannot easily join a fully connected enterprise.
- The source's supply chain integrity discussion, including the need for transparency and standardisation in device development.
- The original examples and commentary cited from manufacturing and supply chain leaders.
👉 Read DigiCert's analysis of industrial IoT security challenges →
Industrial IoT trust gaps: what IAM and PKI teams need to know
Explore further
Industrial IoT exposes a device identity problem, not just a connectivity problem. When production assets move from isolated control networks into connected enterprise environments, the trust model changes faster than most governance programmes do. Authentication, certificate management, and remote access policy must now cover machines, sensors, and controllers that were never built for the same assurance expectations as human users. Practitioners should treat device identity as a first-class governance domain.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, showing how little inventory many programmes can actually trust.
A question worth separating out:
Q: What is the difference between device authentication and device authorisation in IIoT?
A: Device authentication proves that a machine, sensor, or controller is genuine. Device authorisation determines what that device is allowed to do once trusted. Industrial environments need both, because a verified device may still need tightly scoped permissions to limit production risk.
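The three practitioner guidance points above (classify each asset by the identity controls it can support, tie certificate lifecycle to device lifecycle, require provenance before production) and the authentication/authorisation split in this answer, as an added Python example. This is not DigiCert's or NHIMG's code: the registry, device kinds, permission scopes, provenance fields and every device record are assumptions constructed for illustration, and the certificate is simulated as a hashed fingerprint rather than an X.509 object so the block runs on the standard library alone.

```python
# Added example (not DigiCert's or NHIMG's code): a minimal device identity
# registry in which trust is granted only after provenance acceptance, issued
# only at onboarding, and withdrawn in the same step that decommissions the unit.
# All device records and provenance values below are constructed sample data.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed provenance evidence required at acceptance testing.
REQUIRED_PROVENANCE = ("firmware_sha256", "hardware_serial", "supplier_attestation")

# Assumed permission scopes per device kind; checked only after authentication.
PERMISSIONS = {
    "sensor": {"telemetry:publish"},
    "plc": {"telemetry:publish", "setpoint:write"},
    "gateway": {"telemetry:publish", "telemetry:relay"},
}


@dataclass
class DeviceCert:
    serial: str
    fingerprint: str          # SHA-256 hex over the simulated certificate body
    not_after: datetime


@dataclass
class Device:
    asset_id: str
    kind: str
    supports_certs: bool
    supports_logging: bool
    supports_revocation: bool
    provenance: dict
    state: str = "procured"   # procured -> accepted -> production -> decommissioned
    cert: DeviceCert | None = None


class Registry:
    def __init__(self) -> None:
        self.devices: dict[str, Device] = {}
        self.revoked_serials: set[str] = set()

    def register(self, dev: Device) -> str:
        """Classify the asset by which identity controls it can actually support."""
        self.devices[dev.asset_id] = dev
        if dev.supports_certs and dev.supports_revocation and dev.supports_logging:
            return "managed-pki"
        if dev.supports_logging:
            return "monitored-legacy"   # can be logged, but trust must come from segmentation
        return "isolate-legacy"         # cannot authenticate or log: compensating controls only

    def accept(self, dev: Device) -> bool:
        """No move toward production without complete provenance evidence."""
        if dev.state != "procured":
            return False
        if any(not dev.provenance.get(k) for k in REQUIRED_PROVENANCE):
            return False
        dev.state = "accepted"
        return True

    def onboard(self, dev: Device, now: datetime, lifetime_days: int = 365) -> DeviceCert | None:
        """Certificate issuance is part of onboarding, and only for accepted, capable devices."""
        if dev.state != "accepted" or not dev.supports_certs:
            return None
        serial = secrets.token_hex(8)
        body = f"{dev.asset_id}|{serial}|{dev.provenance['hardware_serial']}".encode()
        dev.cert = DeviceCert(serial, hashlib.sha256(body).hexdigest(),
                              now + timedelta(days=lifetime_days))
        dev.state = "production"
        return dev.cert

    def decommission(self, dev: Device) -> None:
        """Retiring the unit revokes its certificate in the same workflow step."""
        if dev.cert is not None:
            self.revoked_serials.add(dev.cert.serial)
        dev.state = "decommissioned"

    def authenticate(self, asset_id: str, presented_fingerprint: str, now: datetime) -> bool:
        """Is the device genuine? Lifecycle state, expiry and revocation all count."""
        dev = self.devices.get(asset_id)
        if dev is None or dev.cert is None or dev.state != "production":
            return False
        if dev.cert.serial in self.revoked_serials or now >= dev.cert.not_after:
            return False
        return hmac.compare_digest(dev.cert.fingerprint, presented_fingerprint)

    def authorize(self, asset_id: str, presented_fingerprint: str, action: str, now: datetime) -> bool:
        """What may the device do? Asked only after authentication succeeds."""
        if not self.authenticate(asset_id, presented_fingerprint, now):
            return False
        return action in PERMISSIONS.get(self.devices[asset_id].kind, set())

    def verifiable_assets(self) -> list[str]:
        """Which assets currently hold a verifiable, unrevoked identity."""
        return sorted(a for a, d in self.devices.items()
                      if d.state == "production" and d.cert is not None
                      and d.cert.serial not in self.revoked_serials)


def demo() -> dict:
    """Walk one capable PLC and one legacy controller through the lifecycle (constructed data)."""
    reg = Registry()
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    plc = Device("PLC-017", "plc", True, True, True,
                 {"firmware_sha256": "a" * 64, "hardware_serial": "HW-0001",
                  "supplier_attestation": "ATT-42"})
    legacy = Device("LEGACY-CTRL-3", "plc", False, False, False, {})
    out = {"plc_class": reg.register(plc), "legacy_class": reg.register(legacy)}
    out["legacy_accepted"] = reg.accept(legacy)     # provenance missing -> rejected
    out["plc_accepted"] = reg.accept(plc)
    cert = reg.onboard(plc, now)
    out["can_write_setpoint"] = reg.authorize("PLC-017", cert.fingerprint, "setpoint:write", now)
    out["can_relay"] = reg.authorize("PLC-017", cert.fingerprint, "telemetry:relay", now)
    out["after_expiry"] = reg.authenticate("PLC-017", cert.fingerprint, now + timedelta(days=400))
    reg.decommission(plc)
    out["after_decommission"] = reg.authenticate("PLC-017", cert.fingerprint, now)
    out["verifiable"] = reg.verifiable_assets()
    return out
```

The point of the walk-through is that the same PLC answers "yes" to a scoped setpoint write while in production, "no" to an action outside its kind's scope, and "no" to everything once its certificate expires or the decommission step revokes it; the legacy controller never reaches production because acceptance refuses it without provenance, and classification flags it for compensating controls rather than for certificates it cannot hold.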
👉 Read our full editorial: Industrial IoT security hinges on device identity and supply chain trust