Default credentials are dangerous because they often survive device deployment, are reused across fleets, and create a predictable foothold for attackers. In OT, that foothold can persist far longer than in IT because devices are harder to reimage, patch, or replace.
Why This Matters for Security Teams
Default credentials are not just a configuration smell in operational technology. They are a durable attack primitive that can survive commissioning, vendor handoff, and years of low-touch operation. In OT, devices are often difficult to patch, replace, or even safely reboot, so a predictable login can remain useful to an attacker long after deployment. Current guidance from the OWASP Non-Human Identity Top 10 treats credential hygiene as a core control because predictable secrets undermine every downstream control.
The risk is amplified by fleet reuse. A single factory-set password copied across controllers, sensors, HMIs, or remote access appliances can turn one exposure into a site-wide compromise. NHIMG’s Guide to the Secret Sprawl Challenge shows how secret reuse and weak lifecycle discipline create an environment where one leaked secret can become many. In practice, many security teams discover the problem only after an outage, safety event, or third-party audit reveals that default access was still live months after commissioning.
How It Works in Practice
Default credentials remain dangerous in OT because they align with how these environments are built and maintained. Devices are commonly shipped with vendor defaults, installed by integrators under time pressure, and then left in place because field engineers need a stable login path for maintenance. That stability is exactly what attackers exploit. A default account is not merely a weak password; it is a known foothold that can be tested at scale, reused across similar assets, and combined with flat network trust to reach higher-value systems.
Security teams should treat default credentials as a lifecycle issue, not a one-time commissioning task. The control path usually includes:
- Inventorying every OT asset that accepts local, vendor, or remote administrative access.
- Replacing factory credentials during acceptance testing, before the device enters production use.
- Binding access to unique, per-device secrets rather than fleet-wide shared passwords.
- Using privileged access workflows so technicians receive time-bound access instead of permanent login rights.
- Validating that backups, templates, and golden images do not reintroduce the same defaults later.
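As an added illustration of the acceptance-test and golden-image checks in the list above (example code, not NHIMG's or any vendor's), the following audit runs over a constructed inventory; the vendor names, secrets and the default list are all placeholders:

```python
import hashlib
from collections import defaultdict

# Secrets are kept as SHA-256 digests so the inventory itself never holds plaintext.
def digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

# Hypothetical per-vendor default list, as an acceptance-test team would maintain it
# from vendor documentation (the values here are constructed placeholders).
VENDOR_DEFAULTS = {
    "PLCVendorA": [digest("admin"), digest("default")],
    "HMIVendorB": [digest("operator")],
}

# Constructed inventory rows: (asset, vendor, account, secret digest, source).
INVENTORY = [
    ("plc-01", "PLCVendorA", "admin", digest("x7!KqL92"), "device"),
    ("plc-02", "PLCVendorA", "admin", digest("x7!KqL92"), "device"),        # fleet-wide reuse
    ("plc-03", "PLCVendorA", "admin", digest("admin"), "device"),           # vendor default live
    ("hmi-01", "HMIVendorB", "operator", digest("r4#Bz0pQ"), "device"),
    ("hmi-gold", "HMIVendorB", "operator", digest("operator"), "golden-image"),  # default in image
]

def audit(inventory, defaults):
    """Return findings keyed by check name; each value lists the affected assets."""
    findings = {"vendor_default": [], "shared_secret": [], "template_default": []}
    by_digest = defaultdict(list)
    for asset, vendor, account, d, source in inventory:
        if d in defaults.get(vendor, []):
            # A default baked into a template or image reintroduces the problem on restore.
            key = "template_default" if source != "device" else "vendor_default"
            findings[key].append(asset)
        by_digest[d].append(asset)
    # The same digest on more than one asset means one exposure becomes many.
    for d, assets in by_digest.items():
        if len(assets) > 1:
            findings["shared_secret"].append(sorted(assets))
    return findings

if __name__ == "__main__":
    for check, assets in audit(INVENTORY, VENDOR_DEFAULTS).items():
        print(check, assets)
```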
This is where OT differs from IT identity programs. In OT, the issue is often not just whether the password exists, but whether operational constraints allow its safe removal. The 2024 Non-Human Identity Security Report notes that 59.8% of organisations see value in dynamic ephemeral credentials, which is relevant because short-lived access reduces the blast radius of inevitable maintenance workflows. That approach aligns with the NIST SP 800-63 Digital Identity Guidelines emphasis on stronger identity assurance, even though OT implementation must often be adapted for legacy protocols and vendor lock-in.
Where possible, organisations should move toward unique credentials, JIT access, and centralised secrets management, but there is no universal standard for this yet across every OT platform. These controls tend to break down when legacy controllers cannot support per-user authentication, or when vendors hardcode shared service accounts into maintenance tooling, because the organisation then has no clean way to revoke access without interrupting operations.
Common Variations and Edge Cases
Tighter credential control often increases operational overhead, so organisations must weigh safety and uptime against the faster response and lower access risk that tighter control brings. That tradeoff is especially visible in brownfield plants, remote substations, and mixed-vendor sites where changing a password can require a maintenance window, vendor approval, or site visit.
Some OT systems only support one local administrator account, while others rely on embedded service accounts that cannot be rotated without breaking support contracts. In those environments, best practice is evolving toward compensating controls such as network segmentation, jump hosts, PAM session brokering, and strict monitoring for login anomalies. The Ultimate Guide to NHIs is useful here because it frames why static secrets persist longer than they should, and why dynamic secrets are safer when the platform can support them.
Another edge case is vendor remote support. Some organisations leave defaults unchanged because they fear breaking remote diagnostics. That is a governance failure, not a technical necessity. Where authentication cannot be modernised immediately, current guidance suggests compensating with tightly scoped access, logging, and explicit expiration dates rather than accepting permanent default access. Teams that ignore this usually find the same pattern later in breach reports, such as exposed credentials in the Cisco Active Directory credentials breach, where operational convenience had silently outlived security discipline.
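As an added example of the compensating controls described above (logging, tightly scoped access and explicit expiration dates; this is illustrative code, not anything from NHIMG or a vendor), the check below reviews constructed login records against constructed time-bound support grants; the account names, asset names, log layout and timestamps are all made up:

```python
import re
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed approval records for vendor remote support, keyed by (account, asset).
# A None end time means the grant was issued without an expiry, which is itself a finding.
GRANTS = {
    ("vendor_svc", "plc-01"): (datetime(2025, 3, 4, 1, 0, tzinfo=UTC), datetime(2025, 3, 4, 3, 0, tzinfo=UTC)),
    ("vendor_svc", "hmi-01"): (datetime(2025, 3, 1, 0, 0, tzinfo=UTC), None),
}

# Constructed log lines in a simple syslog-like layout (not a real vendor format).
LOG = """\
2025-03-04T02:17:09Z plc-01 login user=vendor_svc src=10.0.5.7 result=success
2025-03-04T04:40:22Z plc-01 login user=vendor_svc src=10.0.5.7 result=success
2025-03-05T11:03:00Z hmi-01 login user=vendor_svc src=10.0.5.9 result=success
2025-03-05T11:05:41Z rtu-07 login user=vendor_svc src=10.0.5.9 result=success
2025-03-05T11:06:02Z rtu-07 login user=vendor_svc src=10.0.5.9 result=failure
"""

LINE = re.compile(r"^(\S+) (\S+) login user=(\S+) src=\S+ result=(\S+)$")

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)

def review_logins(log: str, grants: dict) -> list:
    """Return (reason, asset, timestamp) for each successful login not covered by a
    current, time-bound grant. Failed logins are skipped; they belong to a separate check."""
    findings = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m or m.group(4) != "success":
            continue
        ts, asset, user = parse_ts(m.group(1)), m.group(2), m.group(3)
        grant = grants.get((user, asset))
        if grant is None:
            findings.append(("no_grant", asset, ts))        # access nobody approved
        elif grant[1] is None:
            findings.append(("no_expiry", asset, ts))       # permanent access dressed up as a grant
        elif not (grant[0] <= ts <= grant[1]):
            findings.append(("outside_window", asset, ts))  # approved once, but used after expiry
    return findings

if __name__ == "__main__":
    for reason, asset, ts in review_logins(LOG, GRANTS):
        print(f"{ts.isoformat()} {asset}: {reason}")
```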
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Default creds are static secrets that should be rotated or eliminated. |
| NIST CSF 2.0 | PR.AC-1 | Identity and access control must prevent shared default access. |
| NIST AI RMF | | AI RMF governance is relevant when autonomous operations inherit OT credentials. Establish accountability for credential lifecycle decisions that affect operational safety and access. |
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org