Legacy OT systems often lack modern logging, central authentication, and fine-grained access controls. That forces security teams to compensate with external governance layers, because the equipment itself cannot reliably enforce least privilege or produce clean identity evidence for reviews and investigations.
Why Legacy OT Raises Access Risk in Factories
Legacy OT systems increase access risk because many were built for availability and long service life, not identity-aware control. They often cannot enforce modern least privilege, log every action, or distinguish one operator, engineer, or vendor session from another. That leaves factories depending on external controls such as jump hosts, segmentation, and manual approvals to compensate for gaps in the equipment itself. Current guidance from the NIST Cybersecurity Framework 2.0 treats identity and access as core risk management functions, but legacy OT makes that harder to implement consistently.
The practical problem is not only authentication. In many plants, shared accounts, static credentials, and unsupported controllers create access paths that are difficult to attribute and even harder to revoke cleanly. NHIMG research shows that secrets and NHI weaknesses remain pervasive across enterprise environments, with the Ultimate Guide to NHIs noting that 97% of NHIs carry excessive privileges and 96% of organisations store secrets outside secrets managers. In factories, those patterns are amplified by uptime constraints and vendor dependencies. In practice, many security teams discover access sprawl only after a maintenance session or remote support path has already been abused.
How It Works in Practice
Factories typically inherit a mix of PLCs, HMIs, engineering workstations, historians, and remote support channels that were never designed for modern identity governance. Because the devices themselves may not support strong authentication, teams build compensating controls around them: network segmentation, dedicated jump servers, VPN restrictions, and supervisor approval for high-risk actions. That reduces exposure, but it does not create true visibility into who used what, when, or why.
A stronger approach is to treat access to OT as a governed workflow, not a permanent entitlement. Security teams usually map users, service accounts, and vendor access into separate trust zones, then issue short-lived credentials only for an approved task. This is consistent with the identity-first principles in the OWASP Non-Human Identity Top 10 and with NHI lifecycle guidance in Ultimate Guide to NHIs — Why NHI Security Matters Now.
- Use unique accounts for operators, engineers, integrators, and vendors instead of shared logins.
- Apply just-in-time access for maintenance windows, then revoke it automatically after the task ends.
- Store secrets in a managed vault and rotate them when staff, vendors, or equipment changes.
- Route privileged activity through monitored access paths so sessions can be reviewed and attributed.
- Prioritise systems that can emit identity evidence, even if newer controls must be layered around older assets.
For mixed estates, the most effective pattern is to pair policy-based approvals with strong segmentation and compensating detection. That keeps legacy OT usable while reducing the blast radius if a credential is copied, reused, or exposed. These controls tend to break down when vendors require persistent remote access to unsupported controllers because revocation, logging, and session attribution remain incomplete.
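The governed-workflow pattern above (unique identities, task-scoped approval, short TTL, automatic revocation, an audit trail) as an added illustration; this is example code, not NHIMG tooling, and the trust-zone policy, role names and TTLs are constructed assumptions:

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed trust-zone policy: which role may reach which asset class at all.
ZONE_POLICY = {
    "operator": {"hmi"},
    "engineer": {"hmi", "workstation", "plc"},
    "vendor": {"plc"},  # only via an approved, time-bound task
}

@dataclass
class Grant:
    grant_id: str
    identity: str        # unique per person or service, never a shared login
    asset: str
    task: str
    approver: str
    credential: str      # short-lived secret the jump host consumes
    expires_at: datetime
    revoked: bool = False

@dataclass
class AccessBroker:
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # identity evidence for review

    def request(self, identity, role, asset, asset_class, task, approver, ttl_min, now):
        """Issue a task-scoped grant, or refuse if policy does not allow it."""
        if identity.startswith("shared-"):
            raise PermissionError("shared logins are not eligible for JIT access")
        if asset_class not in ZONE_POLICY.get(role, set()):
            raise PermissionError(f"role {role} may not reach the {asset_class} zone")
        g = Grant(secrets.token_hex(4), identity, asset, task, approver,
                  secrets.token_urlsafe(24), now + timedelta(minutes=ttl_min))
        self.grants[g.grant_id] = g
        self.audit.append(("grant", g.grant_id, identity, asset, task, approver, now))
        return g

    def is_valid(self, grant_id, now):
        g = self.grants.get(grant_id)
        return g is not None and not g.revoked and now < g.expires_at

    def sweep(self, now):
        """Auto-revoke every grant past its window; returns the revoked ids."""
        done = [g for g in self.grants.values() if not g.revoked and now >= g.expires_at]
        for g in done:
            g.revoked = True
            self.audit.append(("revoke", g.grant_id, g.identity, g.asset, "ttl_expired", "", now))
        return [g.grant_id for g in done]
```

Run `sweep()` from a scheduler so expiry does not depend on anyone remembering to revoke; the audit list is what a reviewer reads to answer who touched which asset, for which task, on whose approval.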
Common Variations and Edge Cases
Tighter OT access control often increases operational overhead, so factories must balance uptime against control depth. That tradeoff is especially sharp in safety-critical lines, 24/7 plants, and multi-vendor environments where maintenance cannot wait for a full IAM redesign.
Best practice is evolving, but there is no universal standard for retrofitting identity controls onto every legacy platform. Some plants can enforce individual operator accounts on workstations while leaving PLCs behind a segmented control layer. Others must rely on compensating measures such as read-only diagnostics, time-bound vendor access, and manual approval for write operations. In those cases, the goal is not perfect modernization overnight. It is to reduce standing privilege and make access decisions auditable.
The edge case most teams underestimate is remote service access. A third-party technician using a shared VPN profile can bypass local accountability even when the plant floor is segmented. NHIMG’s 52 NHI Breaches Analysis and the Top 10 NHI Issues both reinforce the same lesson: access risk rises fastest where identities are persistent, shared, and hard to revoke.
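A compensating review pass for the remote-service edge case above, as an added example (not NHIMG's code): it walks constructed jump-host session records and flags sessions that use a shared profile, have no approved grant, fall outside the approved window, or perform an action the grant never covered. The record format, approval register and identities are assumptions for the illustration.

```python
from datetime import datetime

# Constructed approval register: grant id -> (identity, asset, expiry, allowed actions).
APPROVED = {
    "g-101": ("vendor-jane", "plc-line3", datetime(2026, 1, 1, 12, 0), {"read", "write"}),
    "g-102": ("eng-raj", "hist-01", datetime(2026, 1, 1, 10, 0), {"read"}),
}

# Constructed session records in key=value form, one event per line.
SESSIONS = """\
ts=2026-01-01T08:05:00 session=s1 user=vendor-jane profile=vendor-jane asset=plc-line3 grant=g-101 action=write
ts=2026-01-01T09:30:00 session=s2 user=eng-raj profile=eng-raj asset=hist-01 grant=g-102 action=write
ts=2026-01-01T11:00:00 session=s3 user=eng-raj profile=eng-raj asset=hist-01 grant=g-102 action=read
ts=2026-01-01T13:00:00 session=s4 user=vendor-jane profile=vendor-jane asset=plc-line3 grant=g-101 action=read
ts=2026-01-01T14:00:00 session=s5 user=unknown profile=shared-vendor-vpn asset=plc-line2 grant=- action=write
"""

def parse(line):
    """Split one 'key=value key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def review(records=SESSIONS, approved=APPROVED):
    """Return {session: [finding, ...]} for events that lack clean attribution."""
    findings = {}
    for line in records.splitlines():
        r = parse(line)
        ts = datetime.fromisoformat(r["ts"])
        problems = []
        # A shared VPN profile, or a profile that is not the named user, breaks attribution.
        if r["profile"].startswith("shared-") or r["profile"] != r["user"]:
            problems.append("shared or mismatched access profile")
        g = approved.get(r["grant"])
        if g is None:
            problems.append("no approved grant for session")
        else:
            identity, asset, expires, actions = g
            if identity != r["user"] or asset != r["asset"]:
                problems.append("grant does not cover this identity/asset")
            if ts >= expires:
                problems.append("session outside approved window")
            if r["action"] not in actions:
                problems.append(f"{r['action']} not permitted by grant")
        if problems:
            findings[r["session"]] = problems
    return findings
```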
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC | Legacy OT weakens access control, attribution, and revocation across factory systems. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Shared accounts and static secrets are classic NHI exposure points in OT environments. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Legacy OT often cannot prove timely revocation or rotation of access credentials. |
Use NHI-03 to drive JIT access, short TTLs, and enforced rotation for vendor and maintenance credentials.
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org