Treat device identities as managed credentials with clear ownership, issuance, renewal, and revocation rules. If those controls are missing, a single compromised device can become a trusted route into the network. Governance should cover certificates and keys with the same discipline used for privileged human access.
Why This Matters for Security Teams
Operational technology environments rarely fail because one identity was missing. They fail when device identities are created ad hoc, shared across teams, left undocumented, or allowed to live far beyond the asset they were meant to protect. That turns certificates, keys, and embedded secrets into durable trust paths that attackers can reuse long after the original deployment changed. For OT, the practical risk is not just unauthorized access, but unsafe access that can affect production, safety, and recovery procedures. Guidance from the NIST Cybersecurity Framework 2.0 is most effective here when identity is treated as a lifecycle problem, not a one-time setup task. NHI Management Group’s research shows how costly that mindset gap can be: in the State of Non-Human Identity Security, lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations. That matters in OT because long-lived device credentials often survive equipment replacement, vendor handoff, and maintenance windows. In practice, many security teams discover the problem only after a plant device or remote support channel has already been trusted far longer than intended.
How It Works in Practice
The right approach is to manage OT device identities as a governed identity lifecycle, not as hidden configuration detail. Every device certificate, private key, or machine credential should have a named owner, a source of issuance, an expiry date, and a revocation path. This is especially important where devices bridge flat operational networks and enterprise systems, because identity becomes the control plane for what a device may talk to, not just a way to authenticate it.
Teams should start by inventorying where device identities exist: PLCs, historians, sensors, engineering workstations, remote access gateways, and vendor-managed assets. Then classify each identity by criticality and replaceability. High-risk identities should move to centrally issued, short-lived credentials with renewal automation, rather than static keys buried in firmware or shared configuration. The NIST CSF 2.0 aligns well with this by pushing asset visibility, protective controls, and recovery planning together, while the Ultimate Guide to NHIs shows why unmanaged secrets and weak offboarding are common failure points.
- Map each device identity to an asset owner and business function.
- Issue credentials from a controlled authority with explicit renewal intervals.
- Separate operational access from vendor support access and review both.
- Revoke credentials on decommissioning, replacement, or vendor contract end.
- Log issuance, use, and revocation events so identity drift is visible.
For environments that can support it, certificate automation and workload-style identity prove more reliable than static passwords or shared tokens. Where OT constraints prevent full automation, current guidance suggests compensating with tighter documentation, shorter renewal cycles, and manual attestation of every privileged device credential. These controls tend to break down in brownfield plants with legacy controllers that cannot renew certificates, because identity changes must then be coordinated through maintenance outages and vendor-specific tooling.
Common Variations and Edge Cases
Tighter credential control often increases operational overhead, requiring organisations to balance resilience against maintenance constraints. That tradeoff is sharpest in OT, where uptime, vendor support, and safety certification can limit how quickly identities can be changed. Best practice is evolving, and there is no universal standard for every device class yet, so security teams need a tiered model rather than a single policy for all assets.
Legacy devices may only support shared accounts, fixed certificates, or hardcoded keys. In those cases, the goal is to reduce blast radius through network segmentation, compensating monitoring, and strict vendor access windows. Devices with embedded identities should be treated like privileged assets, not generic endpoints, especially if they can initiate outbound connections or reach business systems. The JetBrains GitHub plugin token exposure is a useful reminder that even trusted tooling can leak credentials when lifecycle controls are weak.
OT teams should also distinguish between device identity and operator identity. A technician may authenticate as a person, but the machine they touch still needs its own governed identity and revocation path. Where third-party maintenance is involved, current guidance suggests binding access to time-bound approvals and traceable ownership rather than standing exceptions. When device identities are spread across multiple plants, the control gap usually appears first at decommissioning, because old identities remain valid after the physical device has already changed hands.
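As an added illustration of the lifecycle controls listed under "How It Works in Practice" and the decommissioning gap described just above (example code written for this page, not NHI Mgmt Group's own tooling or anything from the cited frameworks): a small audit over a constructed device-identity inventory that flags missing ownership, uncontrolled issuance, missing expiry, overdue renewal, credentials that outlive a decommissioned asset, and credentials that outlive a vendor contract. Asset names, dates, issuers and policy intervals are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fixed "today" so the audit is deterministic; constructed, not a real plant date.
TODAY = date(2026, 6, 8)

@dataclass
class DeviceIdentity:
    cred_id: str
    asset: str
    owner: Optional[str]               # named asset owner, or None if undocumented
    issuer: str                        # "plant-ca", "vendor", or "local" (self-generated / hardcoded)
    issued: date
    expires: Optional[date]            # None means a static credential with no expiry
    renewal_days: int                  # policy renewal interval for this identity class
    asset_status: str                  # "active", "replaced", or "decommissioned"
    vendor_contract_end: Optional[date]
    revoked: bool = False

def lifecycle_findings(idn: DeviceIdentity, today: date = TODAY) -> list:
    """Return the lifecycle-control gaps for one identity; an empty list means it passes."""
    live = not idn.revoked             # a revoked credential is no longer a trust path
    checks = [
        (not idn.owner, "no named owner"),
        (idn.issuer == "local", "not issued by a controlled authority"),
        (idn.expires is None, "no expiry (static credential)"),
        (live and idn.expires is not None and idn.expires < today, "expired but not revoked"),
        (live and (today - idn.issued).days > idn.renewal_days, "past renewal interval"),
        (live and idn.asset_status != "active", f"asset {idn.asset_status} but credential still valid"),
        (live and idn.vendor_contract_end is not None and idn.vendor_contract_end < today,
         "vendor contract ended but credential still valid"),
    ]
    return [msg for hit, msg in checks if hit]

# Constructed inventory: one compliant PLC, a historian with a hardcoded key, a decommissioned
# PLC whose cert was never revoked, a vendor gateway past its contract, and a properly revoked cert.
INVENTORY = [
    DeviceIdentity("plc-07-cert", "PLC-07", "line2-automation", "plant-ca", date(2026, 3, 1), date(2026, 9, 1), 180, "active", None),
    DeviceIdentity("hist-01-key", "Historian-01", None, "local", date(2021, 5, 20), None, 365, "active", None),
    DeviceIdentity("plc-03-cert", "PLC-03", "line1-automation", "plant-ca", date(2026, 2, 1), date(2027, 2, 1), 365, "decommissioned", None),
    DeviceIdentity("vgw-02-token", "VendorGateway-02", "vendor-mgmt", "vendor", date(2025, 12, 1), date(2026, 12, 1), 90, "active", date(2026, 4, 30)),
    DeviceIdentity("plc-03-old-cert", "PLC-03", "line1-automation", "plant-ca", date(2024, 1, 10), date(2026, 1, 10), 365, "decommissioned", None, revoked=True),
]

def audit(inventory, today: date = TODAY) -> dict:
    """Map each non-compliant credential id to its findings; compliant identities are omitted."""
    return {i.cred_id: lifecycle_findings(i, today) for i in inventory if lifecycle_findings(i, today)}

if __name__ == "__main__":
    for cred, gaps in audit(INVENTORY).items():
        print(cred, "->", "; ".join(gaps))
```

Feeding the same checks from a real CMDB or PKI export is the natural next step; the point of the structure is that every finding maps back to one of the listed controls.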
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Device credentials need rotation and expiry, which this control directly addresses. |
| NIST CSF 2.0 | PR.AC-1 | OT device identities are access paths that must be managed and authorized. |
| NIST AI RMF | Risk governance applies to autonomous or adaptive OT-connected systems using machine identities. | Define accountability, monitoring, and incident response for machine identity risk. |
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org