Across industrial sectors, most OT incidents do not begin with sophisticated exploits. They begin with access that already exists. Multiple industry studies show that the majority of serious OT incidents involve valid credentials, trusted connections, or previously approved access paths, rather than unauthorised intrusion. In other words, access did not need to be broken. It only needed to remain.
This pattern appears repeatedly in incident investigations. Access created for maintenance, vendor support, or commissioning persists long after the task has ended. Months later, sometimes years later, the same access becomes the entry point for disruption.
The risk is not that access was granted. The risk is that it was never withdrawn.
Persistent access feels normal because it was inherited from IT security models. In IT environments, users return regularly, roles are reused, and credentials are expected to remain valid. Efficiency improves when access does not need to be recreated for every interaction. Failures are often reversible, and systems can tolerate remediation after the fact.
OT environments operate under different realities. Assets remain in service for decades. Operational conditions change continuously. Vendors rotate, responsibilities shift, and systems age. What often does not change is the access created during earlier phases of the asset lifecycle.
Industry reporting consistently shows that only a small proportion of organisations actively review and expire OT access once the original task has been completed. Most access remains in place by default, not because it is still required, but because removing it is perceived as risky or inconvenient.
Over time, temporary access becomes standing authority.
Recent industry analysis reinforces this pattern from multiple angles.
Separately, government guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Centre (NCSC) repeatedly stresses that existing access paths represent one of the most significant risk multipliers in industrial environments. The concern is not limited to initial compromise. It is the accumulation of trusted access that remains available without continuous justification.
Across commercial incident reports and national guidance alike, the message is consistent: OT incidents disproportionately rely on access that was once legitimate. Persistent access is not an edge case. It is a primary enabler.
Approval and logging are often assumed to mitigate this risk. In practice, they do not.
Approval confirms that access was acceptable at a specific moment. Logging confirms that access was exercised at a later point. Neither mechanism enforces expiration. Once the original context has changed, approval history becomes irrelevant, and logs merely record the outcome.
This is why many post-incident reviews reach the same conclusion. Policies were followed. Access was approved. Activity was logged. Yet the incident still occurred because nothing required access to end when the task ended.
Persistent access exists outside both approval and visibility models.
Inherited access accumulates quietly. Each unresolved exception becomes part of the baseline. Each temporary workaround becomes permanent capability. Over time, OT environments contain layers of access that no longer map cleanly to current tasks, assets, or responsibilities.
This is not a failure of monitoring. It is not a failure of awareness. It is a failure of design. Access was treated as a state rather than an action.
In OT environments, where actions translate directly into physical outcomes, that distinction carries real operational risk.
In OT, access only has meaning in relation to a task. When the task ends, access should end with it. Binding access to execution rather than identity removes inheritance by default.
Task-bound access does not rely on periodic reviews or after-the-fact detection. It prevents reuse altogether. It ensures that yesterday’s maintenance pathway cannot quietly become tomorrow’s incident vector simply because it was left in place.
This approach aligns closely with the direction of current industry guidance. The focus is shifting away from who can connect and towards how long access remains valid, for what purpose, and under what conditions.
Approval does not enforce control. Visibility does not enforce control. Persistence makes both failures permanent.
As long as access is allowed to outlive its purpose, OT environments will continue to experience incidents that involve no breach, no exploit, and no technical failure. Access will simply be reused.
Reducing operational risk in OT does not start with seeing more or approving better. It starts with ensuring that access cannot survive beyond the task that justified it in the first place.
--------------------
swIDch will continue its quest to innovate and pioneer next-generation authentication solutions. To stay up-to-date with the latest trends sign up to our newsletter and check out our latest solutions.