Blog - swIDch

How Identity Becomes the Missing Layer in OT Security

Written by Admin | Nov 25 2025

Even after a year filled with operational technology (OT) security investments, audits, and framework updates, one pattern kept resurfacing in 2025. Every major incident began long before malware was deployed or networks were disrupted. The breach always started at the same point — identity.

From misused remote credentials to compromised operator accounts, attackers did not need to “break in.” They simply walked in through identity gaps that were never treated as part of the OT security perimeter.

And as reviews from organisations such as the European Union Agency for Cybersecurity (ENISA) and the Cybersecurity and Infrastructure Security Agency (CISA) consistently showed, identity and access remain the most common initial access vectors in critical infrastructure attacks.

This is why 2026 is shaping up to be the year OT security shifts its centre of gravity from networks to identities — because the missing layer was never hidden. It was simply ignored.

Where every story begins with identity misuse

The pattern across 2025 became clearer when looking at real incidents:

  • In Norway, the Bremanger dam incident in April 2025 involved attackers accessing exposed operational interfaces.
    Investigators noted weak access controls, including long-unused credentials and an externally reachable management pathway — conditions that allowed misuse of legitimate access rather than a sophisticated intrusion.
  • In Canada, attacks on water, oil and gas, and agricultural ICS equipment in October 2025 were enabled through exposed systems and insufficiently restricted remote access.
    These systems were reachable without strong identity validation, allowing unauthorised commands to be issued even while the infrastructure appeared operational.
  • In the UK, the Jaguar Land Rover supply chain disruption in mid-2025 highlighted improper credential reuse and poor third-party account hygiene.
    A single compromised partner account affected production across multiple manufacturing sites.

None of these incidents began with a classic network breach. They began with access pathways that were trusted when they should not have been, or credentials that remained active long after they should have been rotated or restricted.

The conclusion is unavoidable: When identity and access controls are weak, every other layer becomes optional for attackers.

Why networks can no longer carry OT security alone

For years, OT security strategies were built around the network — segmentation, firewalls, monitoring, anomaly detection. These remain essential, but no longer sufficient.

In practice:

  • Segmentation fails when an attacker uses valid credentials
  • Multi-factor authentication (MFA) fails when the authentication server is unreachable
  • Monitoring fails when early access logs are missing
  • Air gaps fail when contractors or remote operators require periodic access

These failures do not come from flawed design. They come from a misplaced assumption — that identity is a secondary control rather than the first target attackers pursue. The more distributed, remote-enabled, and automated OT becomes, the more identity moves from important to foundational.

The blind spot in authentication that depends on the network

Most OT environments rely on authentication methods originally designed for stable IT networks:

  • Server-dependent MFA
  • Credential storage on central servers
  • Username and password dependencies
  • Remote access tokens that expire unpredictably
  • Privileged accounts that remain active offline

But OT is not a stable network environment. It is a world of:

  • intermittent connectivity
  • isolated or air-gapped facilities
  • vendor-managed remote access
  • ageing industrial control systems (ICS)
  • operators who often work in offline or semi-offline conditions

Identity frameworks that assume “always-on connectivity” simply do not reflect how OT systems operate. This is why identity keeps breaking in OT — even when everything else appears compliant.

The missing layer made for disconnected environments

If OT networks cannot guarantee stable connectivity, identity must be designed to operate even without it. This is where 2026 marks a turning point.

Identity-first OT security means:

  • authentication that can function during partial outages or limited connectivity
  • credentials that minimise the risk of reuse or theft through dynamic generation
  • verification methods that do not rely on constant central-server availability
  • access control tied to individuals instead of devices or network zones
  • identity events that can be logged locally and synchronised once connections return

This shift is already emerging across critical sectors in the adoption of dynamic, one-time authentication models. Each credential is generated independently, so trust can be maintained even when network paths are unavailable.

This mirrors the principle behind one-way, dynamic identity systems such as OTAC, where no static passwords are stored and no reusable secrets exist. In architectures where verification libraries are available locally — such as standalone deployments — identity checks can even be performed offline while maintaining trusted control.

Not as a replacement for traditional OT security. But as the layer that completes it.
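As an added illustration (not swIDch's code, and not the OTAC algorithm itself, which the post does not specify), the following Python sketch shows the properties listed above for identity-first OT access: a per-user secret provisioned in advance, dynamic codes derived by HMAC over a counter so no reusable password is stored, local verification with no central-server round trip, replay rejection, and identity events buffered locally for synchronisation once the link returns. The user names and secrets are constructed, and the enrolment step that provisions the secret to both the operator's token and the verifier is assumed to happen out of band.

```python
import hmac
import hashlib
import struct

# Constructed per-user secrets, provisioned to both the operator's token
# and this local verifier ahead of time (assumption: out-of-band enrolment).
SECRETS = {
    "operator-a": b"constructed-secret-for-operator-a",
    "vendor-tech": b"constructed-secret-for-vendor-tech",
}

def one_time_code(secret: bytes, user: str, counter: int) -> str:
    """Derive a short dynamic code from (user, counter); no static password exists."""
    msg = user.encode() + struct.pack(">Q", counter)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]

class LocalVerifier:
    """Verifies codes with no central-server round trip and logs locally."""
    def __init__(self, secrets: dict, look_ahead: int = 5):
        self.secrets = dict(secrets)
        self.last_counter = {u: 0 for u in secrets}  # highest counter consumed
        self.look_ahead = look_ahead
        self.events = []  # identity events buffered for later sync

    def verify(self, user: str, submitted: str) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return self._log(user, False, "unknown user")
        last = self.last_counter[user]
        # Search forward only: any counter <= last has already been consumed,
        # so a replayed or stolen code is rejected even while offline.
        for counter in range(last + 1, last + 1 + self.look_ahead):
            expected = one_time_code(secret, user, counter)
            if hmac.compare_digest(expected, submitted):
                self.last_counter[user] = counter
                return self._log(user, True, f"counter {counter}")
        return self._log(user, False, "no match in window or replayed")

    def _log(self, user: str, ok: bool, reason: str) -> bool:
        self.events.append({"user": user, "accepted": ok, "reason": reason})
        return ok

    def drain_events(self) -> list:
        """Hand buffered events to the central log once connectivity returns."""
        events, self.events = self.events, []
        return events
```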

Why this matters for OT endpoints

OT endpoint security — PLCs, HMIs, RTUs, and other ICS devices — has always been vulnerable because these systems were never designed with strong identity validation in mind.

They were not built to:

  • enforce modern authentication
  • reject stolen or reused credentials
  • validate dynamic identity codes
  • operate securely with intermittent connectivity

By centring identity, 2026 becomes the first time OT endpoints can be protected before the attacker reaches them — not after the breach has already begun.

This is also why identity-centric approaches align with swIDch’s mission. Dynamic, non-reusable authentication methods reduce reliance on passwords and support more resilient OT endpoint protection regardless of network stability.

The shift ahead as identity becomes the new OT perimeter

2025 made one reality impossible to ignore:

Networks can be segmented.
Firewalls can be tuned.
Monitoring can be improved.

But if identity remains static, shared, or dependent on central servers, attackers will always find a way in.

2026 will not be defined by bigger network perimeters. It will be defined by identity that travels with the user and remains verifiable even in disconnected environments — the one perimeter attackers cannot bypass simply by stealing or guessing a password.

And as operators plan next year’s investments, the smartest ones are recognising a simple truth:

Strengthen the identity layer,
and everything else becomes stronger with it.
