Legacy SCADA systems increase risk because many were built for isolated operation, not modern authentication, segmentation, or vendor connectivity. Once connected to enterprise systems and remote maintenance tools, older devices can inherit exposure they were never designed to handle. The issue is not age alone, but age plus connectivity and weak identity governance.
Why This Matters for Security Teams
Legacy SCADA is not just a reliability concern. When older control systems are connected to enterprise networks, remote access brokers, vendor laptops, historians, and cloud dashboards, they become identity targets as much as OT targets. That matters because many SCADA estates still rely on shared accounts, static secrets, flat trust zones, and maintenance paths that were never designed for NIST Cybersecurity Framework 2.0 style access governance or NHI lifecycle control. The risk is not only intrusion, but command integrity, safety impact, and production stoppage.
In NHI terms, these environments often have hidden machine identities that are overprivileged, poorly inventoried, and difficult to revoke. NHIMG research shows that 97% of NHIs carry excessive privileges and only 5.7% of organisations have full visibility into their service accounts, which is exactly the kind of blind spot that legacy OT connectivity creates. In practice, many security teams encounter SCADA exposure only after a vendor path or maintenance credential has already been abused, rather than through intentional design review.
How It Works in Practice
Legacy SCADA systems increase cyber risk when identity controls are bolted on after the fact instead of built into the access path. A typical failure chain starts with remote maintenance, moves through a VPN or jump host, and ends with broad, persistent access to engineering workstations, PLC programming interfaces, or operator consoles. That is why current guidance from CISA cyber threat advisories and NIST Cybersecurity Framework 2.0 continues to emphasise segmentation, asset visibility, and least privilege.
For SCADA environments, the practical controls are straightforward but often incomplete:
- Replace shared vendor and operator accounts with named accounts and strong accountability.
- Use PAM and JIT access for maintenance tasks so elevated rights expire when the task ends.
- Store secrets in managed vaults, not in scripts, HMI exports, or engineer laptops.
- Separate IT and OT trust zones so enterprise compromise does not become plant-floor compromise.
- Log and review every remote session that can reach control assets, including vendor service paths.
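As an added example (not code from the article or from NHIMG), the Python review below applies the last four controls to constructed jump-host session records: it flags shared accounts, sessions from stations outside the allowlist, maintenance access that outlived its JIT window, and sessions with no change ticket. The allowlist, JIT window, log format, review time and the first.last naming convention are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed policy values (assumptions, not from the article).
ALLOWED_STATIONS = {"10.10.5.21", "10.10.5.22"}  # allowlisted engineering stations
JIT_WINDOW = timedelta(hours=4)                   # longest approved maintenance grant
REVIEW_TIME = datetime(2026, 6, 3)                # when the constructed log was reviewed

# Constructed jump-host records, one session per line as key=value pairs.
# end=- means the session was still open when the log was exported.
SESSION_LOG = """\
user=j.smith src=10.10.5.21 target=plc-prog-01 start=2026-06-01T08:00:00 end=2026-06-01T09:30:00 ticket=CHG-1042
user=vendor-acme src=203.0.113.7 target=hmi-line2 start=2026-05-28T22:00:00 end=- ticket=-
user=a.jones src=10.10.7.9 target=eng-ws-03 start=2026-06-02T10:00:00 end=2026-06-02T18:30:00 ticket=CHG-1050
"""

def parse_sessions(text: str) -> list[dict]:
    """Parse the key=value records into dicts with datetime fields."""
    sessions = []
    for line in text.strip().splitlines():
        rec = dict(kv.split("=", 1) for kv in line.split())
        rec["start"] = datetime.fromisoformat(rec["start"])
        rec["end"] = None if rec["end"] == "-" else datetime.fromisoformat(rec["end"])
        rec["ticket"] = None if rec["ticket"] == "-" else rec["ticket"]
        sessions.append(rec)
    return sessions

def review_session(rec: dict, now: datetime) -> list[str]:
    """Return the control violations found in one remote session."""
    findings = []
    # Named accounts follow first.last (assumed convention); anything else
    # is treated as a shared vendor or operator account.
    if "." not in rec["user"]:
        findings.append("shared-account")
    if rec["src"] not in ALLOWED_STATIONS:
        findings.append("unapproved-station")
    # A still-open session is measured up to the review time.
    if (rec["end"] or now) - rec["start"] > JIT_WINDOW:
        findings.append("jit-window-exceeded")
    if rec["ticket"] is None:
        findings.append("no-maintenance-ticket")
    return findings

def review_log(text: str, now: datetime = REVIEW_TIME) -> list[tuple[str, list[str]]]:
    """Return (user@target, violations) for every session that failed a control."""
    return [(f"{rec['user']}@{rec['target']}", found)
            for rec in parse_sessions(text) if (found := review_session(rec, now))]

if __name__ == "__main__":
    for session, issues in review_log(SESSION_LOG):
        print(session, "->", ", ".join(issues))
```

The open vendor session trips every check, which is the pattern the article warns about: a shared credential, an unmanaged source, and access that never expired.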
NHIMG data in the Ultimate Guide to NHIs — Why NHI Security Matters Now shows that 91.6% of secrets remain valid five days after notification, which is a reminder that revocation lag is a real operational problem. The issue in SCADA is even sharper because availability constraints often delay patching, credential rotation, and architecture changes. These controls tend to break down when legacy controllers must stay online continuously and vendor support still depends on long-lived remote access credentials.
Common Variations and Edge Cases
Tighter access control often increases operational overhead, requiring organisations to balance plant uptime against stronger identity governance. That tradeoff is especially visible in brownfield facilities, multi-vendor environments, and 24/7 plants where maintenance windows are rare. There is no universal standard for SCADA identity modernisation yet, so best practice is evolving around compensating controls rather than immediate replacement.
Two edge cases come up often. First, some organisations assume air-gapping makes legacy SCADA low risk, but temporary connections for updates, diagnostics, or production reporting usually erode that assumption. Second, some systems cannot support modern authentication at all, which means compensating controls such as strict network segmentation, one-way transfer patterns, allowlisted engineering stations, and monitored break-glass access become the realistic option. The Top 10 NHI Issues and The 52 NHI breaches Report both reinforce the same operational lesson: when machine identities are unmanaged, compromise scales faster than manual response.
For governance, align SCADA identity decisions with MITRE ATLAS adversarial AI threat matrix only where automation or autonomous tooling is already touching OT workflows, and use OWASP NHI Top 10 as a reference when machine access can move laterally across systems. The practical reality is that legacy SCADA becomes dangerous fastest when long-lived credentials and weak segmentation survive while the network around it becomes more connected.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers credential rotation gaps that make SCADA maintenance access durable. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access control are central to reducing SCADA blast radius. |
| NIST Zero Trust (SP 800-207) | | Zero Trust reduces reliance on implicit trust in legacy OT networks. |
Inventory SCADA-related machine credentials and rotate or revoke anything with long-lived access.
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org