Identity and Access Management (IAM) is becoming an increasingly vital component of cyber defense in operational technology (OT) and critical infrastructure facilities. But its path forward is anything but simple, complicated by legacy infrastructure, cultural reluctance to change, and a never-ending tussle between operational continuity and the imposition of tighter security controls. As cyber threats grow more sophisticated and connectivity increases, IAM is evolving from a peripheral consideration into a litmus test for industrial resilience.
As promising as identity-centric OT may be, the approach is beset by challenges from legacy systems and the decades-old practices of the industrial sector. Moving from perimeters to identity means much more than a technical shift. It turns the past on its head and runs against decades of physical barriers, asset-based controls, and trust models that have been the hallmark of plant-floor security.
Bridging the industrial IAM divide entails reconciling conflicting needs. Zero trust and least privilege require fine-grained access control, while production environments cannot afford operational disruptions or downtime. Balancing operational continuity with cybersecurity has kept adoption rates low, and organizations are increasingly looking for a reasonable middle ground.
Standards provide a framework, yet their real-world applicability remains in question. From IEC 62443 to NIST guidance, how far IAM standards go in OT is debatable. They outline principles but often lack the specificity needed for scalable enforcement across complex, distributed infrastructures.
Looking ahead, industrial IAM faces an AI-driven future. Artificial intelligence could help automate identity verification and detect anomalous behavior in real time, but it also introduces new risks of overreliance and opaque decision-making in mission-critical systems.
Identity-centric OT holds promise but faces pitfalls
Industrial Cyber reached out to experts to assess the key architectural and cultural challenges to adopting identity-centric models, such as zero trust or least privilege, in OT environments, and how organizations can address them without compromising uptime or safety.
Matthew Rogers, ICS cybersecurity expert in CISA’s office of the technical director and lead for secure by design for OT, identified that the technology to do IAM exists in OT and has existed for over a decade. “The architectural challenge is getting a critical mass of components (or intermediary gateways) that support IAM. Otherwise, secure communication cannot reasonably occur. Where the technology exists but is disabled, there are concerns over operational complexity, interoperability, sustained costs, and availability being impacted by poor key management or encryption, preventing troubleshooting.”
“Operators can address the availability concerns by using a phased deployment approach. Starting with a smaller network segment, begin by signing only and not dropping communication from expired certificates,” according to Rogers. “This adds minimal overhead risks. As confidence in key management increases, begin to drop unsigned communication and encrypt any network management (e.g., password changes, key exchanges). Eventually, encryption of operational data may be valuable for preventing an advanced threat actor from understanding the operational network, but this is a lower priority than the integrity and authentication benefits that come from signing.”
He added that, as for costs and complexity, operators should select vendors that embody Secure by Design principles. “This includes Secure by Default principles to simplify the initial deployment and guide the operator or system integrator into correctly deploying the supporting infrastructure, as well as removing fees to use the secure version of a protocol.”
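The phased deployment Rogers describes (sign outbound traffic and only log problems, then drop unsigned or badly signed traffic, then require encryption for network-management actions) can be modelled as a gateway policy. The block below is an added illustration, not code from CISA, Rogers or any product. The message layout, the key identifiers, the three phase names and the `encrypted` attribute are assumptions made for the example; HMAC-SHA256 stands in for the per-device certificates a real deployment would use, and a rotated-out key plays the role of an expired certificate, so the whole thing runs with the standard library only.

```python
"""Phased rollout of signed OT communications at a segment gateway (added example)."""
import hashlib
import hmac
import json
from enum import Enum


class Phase(Enum):
    SIGN_ONLY = "sign-only"        # sign outbound, log inbound problems, never drop
    ENFORCE = "enforce"            # drop unsigned, tampered or expired-key traffic
    ENCRYPT_MGMT = "encrypt-mgmt"  # ENFORCE, plus management traffic must be encrypted


# Constructed key store for one segment: key_id -> (secret, not_after as epoch seconds).
# The second key has been rotated out and behaves like an expired certificate.
KEYS = {
    "plc-07/2025": (b"k" * 32, 1_800_000_000),
    "plc-07/2023": (b"j" * 32, 1_700_000_000),
}

# Network-management actions that the final phase requires to be encrypted on the wire.
MGMT_ACTIONS = {"password_change", "key_exchange"}


def canonical(body: dict) -> bytes:
    """Stable byte encoding so sender and gateway sign exactly the same thing."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict, key_id: str) -> dict:
    secret, _ = KEYS[key_id]
    tag = hmac.new(secret, key_id.encode() + b"\n" + canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "key_id": key_id, "sig": tag}


def verify(msg: dict, now: int) -> str:
    """Return 'ok' or the reason the signature is not acceptable."""
    if "sig" not in msg or "key_id" not in msg:
        return "unsigned"
    entry = KEYS.get(msg["key_id"])
    if entry is None:
        return "unknown-key"
    secret, not_after = entry
    expected = hmac.new(secret, msg["key_id"].encode() + b"\n" + canonical(msg["body"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["sig"]):
        return "bad-sig"
    if now > not_after:
        return "expired-key"
    return "ok"


def gateway_decision(msg: dict, phase: Phase, now: int, log: list) -> str:
    """Apply the phase policy to one inbound message: 'forward' or 'drop'."""
    result = verify(msg, now)
    if result != "ok":
        log.append(f"{phase.value}: {result} key_id={msg.get('key_id')}")
        # Sign-only observes and forwards, so poor key management cannot hurt availability.
        return "forward" if phase is Phase.SIGN_ONLY else "drop"
    if (phase is Phase.ENCRYPT_MGMT and msg["body"].get("action") in MGMT_ACTIONS
            and not msg.get("encrypted", False)):
        log.append(f"{phase.value}: plaintext management action {msg['body']['action']}")
        return "drop"
    return "forward"


def rollout_demo() -> tuple:
    """Run the same constructed traffic through every phase; returns (decisions, log)."""
    now = 1_750_000_000
    read = {"action": "read_coils", "unit": 7}
    traffic = {
        "good": sign(read, "plc-07/2025"),
        "unsigned": {"body": read},
        "stale_key": sign(read, "plc-07/2023"),
        "tampered": dict(sign(read, "plc-07/2025"), body={"action": "write_coils", "unit": 7}),
        "mgmt_plain": sign({"action": "password_change", "unit": 7}, "plc-07/2025"),
        "mgmt_encrypted": dict(sign({"action": "key_exchange", "unit": 7}, "plc-07/2025"), encrypted=True),
    }
    log, decisions = [], {}
    for phase in Phase:
        for name, msg in traffic.items():
            decisions[(phase.value, name)] = gateway_decision(msg, phase, now, log)
    return decisions, log


if __name__ == "__main__":
    decisions, log = rollout_demo()
    for key, verdict in decisions.items():
        print(key, verdict)
    print("\n".join(log))
```

The audit log produced in the sign-only phase is the point of that phase: it shows which devices are still sending unsigned traffic or using rotated-out keys before anything is dropped, which is how an operator builds the confidence Rogers mentions before switching the same gateway to enforce mode.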

Adopting zero trust or least privilege in OT often meets cultural resistance, as many see it as conflicting with defense-in-depth, Roman Arutyunov, co-founder and senior vice president of products at Xage Security, told Industrial Cyber. “In reality, the two can work together—Zero Trust can strengthen, not replace, existing layers of protection.”
He added that architecturally, organizations fear legacy systems require a costly ‘rip and replace.’ “However, they may not know that it is possible to implement an overlay approach that enables identity-based controls on top of existing assets without downtime. This approach preserves uptime and safety, while eliminating shared credentials, enabling MFA, improving user experience, and giving organizations granular control over access.”

Simon Moffatt, founder and research analyst at Cyber Hut, told Industrial Cyber that the biggest cultural challenge between OT and, say, enterprise IAM deployments is the use of the CIA triad of confidentiality, integrity, and availability for security and risk management. “Within OT, either availability becomes the primary concern, or indeed the triad is augmented alongside safety, with safety, then availability, being a priority above confidentiality and integrity. This can entirely alter how identity conflicts like security and usability are handled and how IAM is deployed.”
That aside, Moffatt noted that many OT technologies are designed or implemented with IAM ‘hooks’ within them – resulting in static and isolated authentication and access control features. “To that end, performing discovery and visibility of the identity infrastructure becomes difficult – and from there, controls for the protection and detection of issues instantly become more complex and difficult.”

“The key architectural and cultural challenges to adopting identity-centric models in OT environments are rooted in human behavior and financial impact. First, any change costs money,” Morey Haber, chief security advisor at BeyondTrust, told Industrial Cyber. “Whether it is the licensing of new technology or man-hours to make changes, there is always a financial impact. If an OT environment cannot afford downtime, operates on fixed margins, or the organization does not have the financial means to make the necessary security changes, they will probably not happen.”
He added that if an organization can overcome this hurdle, then the human factor needs to be considered. “People do not inherently like change. If something is working, why change it and introduce risk? The problem with an identity-centric model is perception. Why change something if it is working and the organization has not had a problem?”
Unfortunately, Haber pointed out that this attitude is wrong, and improvements need to be made before an incident to avoid one in the first place. The cost of not doing anything, incurring a breach, and fixing it later will ultimately cost more than making the changes in the first place.
Haber added that these two issues assume that, architecturally, changes can be made. “In some cases, the technology used in OT environments is just not compatible with an identity-centric model. In these rare cases, adopting a zero trust enclave model is a must to isolate any identity-based attack vectors from being exploited. And even when this is the case, the cost and human factor may trump any decision process to do the right thing. No pun intended.”
From perimeters to identity in industrial cybersecurity
As OT systems grow increasingly connected, the executives consider whether identity should replace assets or perimeters as the foundation of industrial cybersecurity. If that shift is made, they examine what organizational changes in governance and technical implementation would be required.
“The asset and perimeter segmentation will always be important in OT as long as the lifespan of components is in the decades and patching is limited by operational impacts,” Rogers observed. “Identity needs to be an additional aspect, and that requires better collaboration between the IT and OT teams to help sustain an IAM solution without directly connecting those solutions.”
Arutyunov noted that identity should be the foundation of industrial cybersecurity, and it can complement, not replace, asset-centric protection. “By assigning identities and roles to both users and assets, access can be controlled based on actions rather than MAC or IP addresses. Another benefit of the aforementioned overlay approach is that this shift requires no network rearchitecture, new assets, or hard-to-manage agents. The biggest cultural change is educating teams accustomed to IP-based access to embrace identity-driven controls.”
“Indeed. Perimeters are porous, assets are dynamic, and identities are often the consistent glue and pinch point that provides a fabric of security across locations and resources,” Moffatt said. “IAM needs to be treated as a first-class citizen – and not just an IT function with a limited and often decreasing budget. IAM can be an enabler for change that improves both security and productivity.”
He added that understanding the existing landscape is critical, which includes identities, permissions, and relying systems. “Only at this stage can identity risk management functions start to be applied that should focus on both identity data – the hygiene of accounts and permissions – alongside behaviour monitoring and detective controls.”
As OT systems become more connected, both identity and assets must be considered within the perimeter, Haber said, adding that “they are mutually inclusive.”
Haber added that in order to make this change, organizations should embrace the Purdue Model for OT security, separating assets and communications at each layer and modeling identities and accounts through each layer using strict policy controls and network access. “For example, identity and access management should be for the entire environment, separate from IT, and authentication and communications should be controlled at each layer of assets to avoid lateral movement within a layer and, more importantly, between layers.”
Closing the IAM gap in industrial environments
Given the fragmented and legacy nature of many OT systems, the executives examine how organizations can bridge the gap with modern IAM platforms. They also consider whether retrofitting existing systems is practical or if OT environments demand an entirely new industrial IAM approach.
Rogers mentioned that modern IAM platforms or OT secure protocol-specific platforms can retrofit into existing OT environments. “More testing may be required to ensure the overhead of IAM is acceptable and that vendor solutions work with each other, but the approach is not fundamentally different. OT simply puts more priority on the integrity and authentication than confidentiality, and that makes encryption a consideration rather than an automatic must-have.”
“Organisations don’t need to change assets or networks to integrate modern IAM with OT,” Arutyunov said. “Technology exists to extend existing AD and asset inventories to cover field devices, even those without native IdP or LDAP support. With a multihop, overlay approach, identity systems for IT, OT, or different sites can remain separate yet work together in a unified access flow, extending asset lifespan without costly rearchitecture.”
Moffatt detailed that OT environments are likely to contain a myriad of protocols, and even as interoperability increases, siloes and isolation will exist. “It will be impossible to rip and replace existing systems, and the use of proxies, overlay technologies, and segmentation will be essential. This will support a strategic journey to a standards-based IAM fabric that over time covers more systems and delivers an end-to-end range of capabilities.”
He added that the same concepts from the enterprise world can be leveraged, but of course, the deployment factor will often be different. “It is important to always find quick wins and leverage existing tools and capabilities where possible. An overarching IAM policy can help connect the dots, though.”
“Given the fragmentation and legacy nature of many OT environments, it simply may not be possible to implement identity best practices with existing environments,” Haber said. “In order to achieve similar goals, organizations should look at the NIST standards for Zero Trust and embrace an enclave architecture for the environment. This approach creates an air-gapped bubble around the existing OT technology with strict access using proxy or bastion host technology for access and communications.”
He added that all access is monitored, ephemeral, and implements best practices like MFA to ensure an identity-centric approach. “While it may be cost-ineffective and have a distinct technology barrier to implementing modern IAM, other technologies do exist, like privileged remote access solutions that can achieve comparable results.”
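Three of the answers above describe the same control from different angles: Arutyunov's overlay that grants access by identity and action rather than IP or MAC address, Haber's per-layer Purdue controls against lateral movement, and Haber's enclave with ephemeral, MFA-backed access through a bastion. The block below is an added illustration of how such a decision point can be expressed, written for this page and not taken from Xage, BeyondTrust, NIST or IEC. The principals, assets, roles, Purdue levels, the `Grant` structure and the ordering of the rules are constructed assumptions; a real overlay would pull identities from AD or an IdP and enforce the verdict at a proxy or bastion in front of the asset.

```python
"""Identity-centric access decisions for OT assets behind an overlay or enclave (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str              # "human" or "machine"; both get identities, as Arutyunov suggests
    roles: frozenset
    mfa_passed: bool = False


@dataclass(frozen=True)
class Asset:
    name: str
    level: int             # Purdue level the asset lives on (assumed 0-3)


@dataclass(frozen=True)
class Grant:
    """Ephemeral, approved (just-in-time) permission for one principal, asset and action."""
    principal: str
    asset: str
    action: str
    not_after: int         # epoch seconds; the grant is useless after this
    approved_by: str


# Standing role permissions are (asset, action) pairs, never addresses.
ROLE_PERMS = {
    "operator": {("hmi-1", "read"), ("hmi-1", "ack_alarm")},
    "plc-engineer": {("plc-07", "read"), ("plc-07", "write_config")},
    "historian": {("plc-07", "read")},
}

# Actions that always need an unexpired grant on top of the role, and MFA for humans.
SENSITIVE = {"write_config", "firmware_update"}


def evaluate(p: Principal, a: Asset, action: str, origin_level: int,
             via_bastion: bool, now: int, grants: list) -> tuple:
    """Return (allowed, reason). Every check is on identity and action, not on addresses."""
    # 1. Traffic crossing a Purdue layer must pass the layer boundary (bastion/proxy).
    if origin_level != a.level and not via_bastion:
        return False, "cross-layer access must go through the bastion"
    # 2. Machine identities keep a narrow, fixed role and never perform sensitive actions.
    if p.kind == "machine" and action in SENSITIVE:
        return False, "machine identity may not perform sensitive action"
    # 3. Humans need MFA on the session for sensitive actions.
    if p.kind == "human" and action in SENSITIVE and not p.mfa_passed:
        return False, "MFA required"
    # 4. Least privilege: a standing role permission, plus an unexpired grant when sensitive.
    role_ok = any((a.name, action) in ROLE_PERMS.get(r, set()) for r in p.roles)
    grant = next((g for g in grants if g.principal == p.name and g.asset == a.name
                  and g.action == action and g.not_after >= now), None)
    if not role_ok:
        return False, "no role permits this action on this asset"
    if action in SENSITIVE and grant is None:
        return False, "sensitive action needs an approved, unexpired grant"
    return True, f"grant approved by {grant.approved_by}" if grant else "role permission"


def demo() -> dict:
    """Constructed requests covering the main allow and deny paths."""
    now = 1_750_000_000
    plc = Asset("plc-07", level=1)
    hmi = Asset("hmi-1", level=2)
    alice = Principal("alice", "human", frozenset({"plc-engineer"}), mfa_passed=True)
    bob = Principal("bob", "human", frozenset({"operator"}))
    collector = Principal("svc-historian", "machine", frozenset({"historian"}))
    grants = [
        Grant("alice", "plc-07", "write_config", now + 3600, "shift-lead"),
        Grant("bob", "plc-07", "write_config", now - 60, "shift-lead"),   # already expired
    ]
    return {
        "alice_write_via_bastion": evaluate(alice, plc, "write_config", 3, True, now, grants),
        "alice_write_direct": evaluate(alice, plc, "write_config", 3, False, now, grants),
        "alice_write_expired": evaluate(alice, plc, "write_config", 3, True, now + 7200, grants),
        "bob_ack_alarm": evaluate(bob, hmi, "ack_alarm", 2, False, now, grants),
        "bob_write_plc": evaluate(bob, plc, "write_config", 2, True, now, grants),
        "collector_read": evaluate(collector, plc, "read", 3, True, now, grants),
        "collector_write": evaluate(collector, plc, "write_config", 3, True, now, grants),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:26} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The order of the checks is deliberate: the layer-boundary rule runs first so that a compromised workstation on level 3 cannot reach a level 1 controller directly no matter whose credentials it holds, and the grant expiry is evaluated against the request time, which is what makes the access ephemeral rather than a standing privilege.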
From IEC to NIST, how far IAM standards go in OT
The executives assess how far standards and frameworks such as IEC 62443, NIST SP 800-82, SP 800-63, and SP 800-53 provide actionable guidance for implementing IAM in real-world OT environments. They also consider whether these standards are practical enough to apply at scale or if they remain too abstract for effective operational use.
“IEC 62443 provides IAM guidance for OT components; however, these capabilities mostly exist at Security Level 3 or 4,” Rogers identified. “Secure communication requires all of the components to do key exchange and communicate on a secure protocol. Certified SL3 products exist, but this is too high a bar for such a fundamental technology in modern security.”
Arutyunov said that IEC 62443 and NIST 800-82 offer the most relevant IAM guidance for OT, but they fall short by not addressing compensating controls for assets incompatible with identity services or zero trust. “Organizations can still achieve this via overlays and network-based enforcement, yet many assume it’s impossible with existing assets. NIST and IEC are working on Zero Trust guidance, but it rarely extends beyond Layer 3-4. True resilience requires reaching Layer 1-2, where the most critical assets reside—and where guidance is currently most lacking.”
“Firstly, all implementations are different. Standards can be used to work towards a continuous compliance model – whereas guidelines are just that – they are not standards to be implemented step by step,” Moffatt pointed out.
He added, however, that the NIST guidelines do provide good examples of the core functions against which IAM should be measured, including least privilege access, strong authentication, good identity data hygiene, and assurance models. “IAM often falls short, though, when it comes to metrics and how it is measured – and it is important to tailor IAM success to the OT world. This may see concepts like safety and availability rise above usability, for example, when it comes to key priorities during implementation.”
Haber said that existing standards and frameworks from IEC and NIST provide a launching point for architectures and vendors to implement zero trust and identity-centric approaches for OT. “They, however, do not contain real-world examples of how to accomplish these goals, except for individual vendor architectures.”
“Identity-centric models are not about products and vendors. They are about workflows and use cases,” according to Haber. “Therefore, security professionals should consider these documents for concepts and best practices, but document their individual use cases and workflows within an OT environment in order to overlay existing solutions and policies.”
Industrial IAM faces an AI-driven future
The executives explore the technological, operational, and philosophical shifts likely to shape the future of IAM in industrial cybersecurity over the next five years. They also examine the potential role AI could play in this evolution.
Rogers said that AI could be used to simplify deployment, either by helping operators or by integrating with automated provisioning and key deployment technologies. “In the next 5 years, I expect the conversation to shift on secure communications in OT. As more products support it and more organizations adopt it without issue, it will become more normalized and result in more movement of legacy protocols.”
“As the industrial workforce modernizes, employees will demand identity-first access models, moving away from outdated perimeter-based controls,” Arutyunov assessed. “With AI agents becoming more common, IAM must extend beyond humans—enforcing just-in-time and just-enough privilege to prevent rogue actions.”
He added that the recent Replit incident, in which an AI assistant deleted a production database, is a cautionary tale. “Without strict identity controls, approval workflows, and real-time auditing, AI can cause catastrophic damage—whether intentional or not.”
Arutyunov added that in OT, the answer lies in identity-driven policies to both humans and machines, even on legacy assets. “Zero trust principles, enforced for all identities, will be critical for safety, uptime, and resilience over the next five years.”
Moffatt said that there are numerous changes happening in the IAM world right now. “My latest book IAM at 2035: A Future Guide to Identity Security takes a look at how new technologies focused on identity security posture management, identity threat detection and response, contextual authorization, passwordless authentication, and non-human identity (NHI) management will be mainstream within 5 years.”
He added that as IT and OT start to converge, “we will start to see the use of identity data fabrics across the OT landscape as well as concepts being taken from the NHI world, such as dynamic credential management and behaviour monitoring too. It is important to figure out both the attribution and intention of every interaction on any network – irrespective of whether that is people, software, or hardware related.”
Moffatt further noted that AI already has a huge impact on identifying access control issues, detecting malicious behaviour patterns, and increasing productivity when it comes to identity security, and that this will continue with improved chatops integrations, recommendations, and nudging technologies.
“The biggest changes in technology, operations, and policies for IAM will come from the realization that identity-based flaws are just as exploitable as a missing security patch or zero-day,” Haber recognized. “After all, it is easier and more cost-effective for a threat actor to log in versus hack in.”
He concluded that IAM is changing every aspect of connected devices, and the community needs to be aware that while we have matured vulnerability assessment and patching over the last two decades, managing identity hygiene is becoming just as important.