TL;DR: As OT environments connect to IT networks and IoT fleets grow, legacy systems with weak authentication and minimal encryption become easier to exploit, according to Keyfactor. The core issue is not just exposure, but whether identity controls can still verify devices and contain movement when the old air gap is gone.
NHIMG editorial — based on content published by Keyfactor: PKI OT Security Via PKI and Network Segmentation
Questions worth separating out
Q: How should security teams secure connected OT devices without relying on the old air gap?
A: Security teams should combine device-level identity with segmentation.
Q: Why do certificates matter so much in OT security?
A: Certificates matter because they give industrial devices a verifiable identity that survives across network zones and long asset lifecycles.
Q: What breaks when OT networks are segmented without strong identity controls?
A: Segmentation without identity still leaves the organisation guessing which device is allowed to connect.
Practitioner guidance
- Build a complete cryptographic inventory: Map every certificate, key, and device identity across OT and IT segments, including legacy systems and temporary maintenance assets.
- Replace shared access with certificate-backed device trust: Use X.509 certificates for device authentication instead of shared passwords or default credentials, especially for IIoT endpoints that must cross zone boundaries.
- Break flat OT networks into identity-aware segments: Use firewalls, VLANs, and microsegmentation to limit east-west movement between critical systems, then tie allowed flows to specific device roles and approved tasks.
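The second and third points above, shown together as an added example (not Keyfactor's or NHIMG's code): a constructed plant CA issues X.509 device certificates, and an authorization check only admits a device into a zone when its certificate chains to that CA and the role carried in the certificate's OU is on the allow-list for the zone. The CA, device names, the "OU carries the role" convention and the allowedFlows table are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var allowedFlows = map[string]map[string]bool{ // constructed policy: role (cert OU) -> OT zones it may enter
	"sensor":      {"historian": true},
	"maintenance": {"historian": true, "plc": true},
}

// issue mints a short-lived Ed25519 certificate: a self-signed plant CA when parent is nil, else a device leaf.
func issue(cn, role string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn, OrganizationalUnit: []string{role}},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA that is allowed to sign device certificates
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err) // issuance failure is not recoverable in this demo
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// authorize is the identity-aware segmentation check: chain to the plant CA (no shared password), then role vs. zone.
func authorize(dev, ca *x509.Certificate, zone string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := dev.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("untrusted device identity %q: %w", dev.Subject.CommonName, err)
	}
	if ou := dev.Subject.OrganizationalUnit; len(ou) != 1 || !allowedFlows[ou[0]][zone] {
		return fmt.Errorf("device %q with role %v may not enter zone %q", dev.Subject.CommonName, ou, zone)
	}
	return nil
}
```

A device minted by any other CA fails the chain check before its role is even consulted, which is the property that makes the zone policy enforceable rather than advisory.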
What's in the full article
Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance on using PKI to authenticate IIoT and OT devices across manufacturing and operations
- Practical segmentation patterns for isolating critical industrial systems from connected maintenance and sensor traffic
- Certificate lifecycle management considerations for renewal, revocation, and visibility at OT scale
- Crypto-agility guidance for long-lived industrial environments where cryptographic standards will keep changing
👉 Read Keyfactor's guidance on PKI and network segmentation for OT security →
OT identity gaps: what PKI and segmentation actually change?
Explore further
OT security now depends on certificate governance, not just network design. The article shows that once OT systems connect to broader IT and IoT environments, identity becomes the control plane for trust. That shifts the discipline from perimeter protection to governed certificate lifecycles, device validation, and revocation discipline. Practitioners should treat certificate inventory as a core security asset, not an administrative afterthought.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Who should own certificate lifecycle management in OT environments?
A: Certificate lifecycle management should be shared across security, OT operations, and infrastructure teams, with clear ownership for issuance, renewal, inventory, and revocation. OT environments are too operationally sensitive for manual tracking, so governance needs defined handoffs and automation.
👉 Read our full editorial: PKI and network segmentation are closing OT identity gaps