Why Managing OT Access Like IT Always Breaks

Feb 03 2026


At a large industrial site, a contractor needed temporary access to a controller to complete routine maintenance. The process was familiar. A VPN account was issued, an existing credential was reused for speed, and the task finished without incident. Weeks later, the same access path was still active. No one could say with confidence who had used it since, which systems had been touched, or whether any changes exceeded the original scope. Nothing malicious was proven, but operationally, control had already been lost.

This pattern appears repeatedly across factories, utilities, and transport networks. OT access does not fail because organisations ignore security. It fails because access is still governed using IT models that were never designed for operational environments.

 

Why IT access models do not translate to OT


Enterprise access control assumes stable connectivity, centralised identity services, and systems that can be updated and governed continuously. OT environments operate under very different conditions. Systems are long-lived, changes are constrained by safety, networks are segmented or deliberately isolated, and uptime is non-negotiable. External access is necessary, frequent, and difficult to attribute.

When access control is designed around IT assumptions, risk accumulates quietly. Password reuse becomes normal, VPN accounts persist beyond their purpose, and privileges expand over time because removing them is operationally harder than granting them. Logs may record connections, but they rarely explain what action was taken or why.

 

The issue is structural, not behavioural

When weaknesses surface, the instinctive response is to tighten rules. Stronger passwords, additional approvals, narrower access windows, and more monitoring are introduced. These measures address symptoms rather than cause.

The underlying structure remains unchanged. Access is still built on static credentials and long-lived trust. Once issued, access continues to exist independently of the task that justified it. In OT, where a single action can interrupt production or affect safety, this model is fundamentally misaligned with operational risk.

At its core, the problem is not how access is enforced, but what access is anchored to.

 

How access diverges from real operational work


OT work is task-driven. An engineer adjusts a single parameter, a vendor diagnoses a fault remotely, or a technician performs a brief intervention. These activities are bounded by purpose, scope, and time. Yet many organisations manage them using access mechanisms that remain valid indefinitely.

A more realistic model begins by reframing the questions being asked. Instead of focusing on who has access in general, effective OT access asks:

  • what action is being performed
  • on which asset
  • for how long
  • under what operational conditions

When access is treated as a bounded event rather than an ongoing entitlement, control improves without adding friction. Access ends when the task ends, not when someone remembers to revoke it.

 

Why sessions and roles fail to deliver accountability

IT systems often treat the session as the unit of trust. Authenticate once and rely on the session until it expires. OT work rarely aligns with session boundaries. Responsibility is also operational rather than organisational. The person requesting access may not be the one executing the action, and approved access does not guarantee correct execution.

After an incident, many organisations can identify who connected. Far fewer can determine what was done, on which endpoint, and whether it matched the approved intent. Visibility exists, but accountability remains incomplete.

 

Designing for environments that may not be connected


Another defining characteristic of OT environments is that connectivity cannot be assumed. Maintenance may occur in remote locations, segmented networks, or during outages. Access control that depends on constant communication with central servers often fails at the moment it is needed most.

Effective OT access control must therefore function under disruption. Approvals need to be verifiable locally, access should expire automatically when conditions change, and evidence must be created at the moment of access rather than reconstructed later. This requirement explains the growing interest in dynamic, task-bound authorisation models that reduce reliance on reusable credentials.
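
The following Python example is added here and is not taken from the article or from any vendor product. It shows an approval bound to the four questions listed earlier (action, asset, duration, operational condition), verified on a local gateway without a network call, with hash-chained evidence written at the moment of the decision. The pre-provisioned `SITE_KEY`, the field names and the `plant_state` values are assumptions for illustration.

```python
import hashlib, hmac, json

# Assumption: a per-site key provisioned to the local gateway in advance.
SITE_KEY = b"constructed-demo-key-not-for-production"

def _mac(fields: dict) -> str:
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SITE_KEY, body, hashlib.sha256).hexdigest()

def issue_approval(actor, action, asset, not_before, not_after, condition):
    """Central side: bind the approval to one task, asset, window and condition."""
    fields = {"actor": actor, "action": action, "asset": asset,
              "not_before": not_before, "not_after": not_after,
              "condition": condition}
    return {**fields, "mac": _mac(fields)}

def verify_locally(approval, action, asset, now, plant_state):
    """Gateway side: no network call; returns (allowed, reason)."""
    fields = {k: v for k, v in approval.items() if k != "mac"}
    if not hmac.compare_digest(_mac(fields), approval.get("mac", "")):
        return False, "bad_mac"
    if (action, asset) != (fields["action"], fields["asset"]):
        return False, "out_of_scope"
    if not fields["not_before"] <= now <= fields["not_after"]:
        return False, "outside_window"
    if plant_state != fields["condition"]:
        return False, "condition_changed"
    return True, "ok"

def record_evidence(log, approval, action, asset, now, plant_state):
    """Append a hash-chained entry at the moment of the access decision."""
    allowed, reason = verify_locally(approval, action, asset, now, plant_state)
    entry = {"prev": log[-1]["hash"] if log else "0" * 64,
             "actor": approval.get("actor"), "action": action, "asset": asset,
             "time": now, "allowed": allowed, "reason": reason}
    entry["hash"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return allowed

def chain_intact(log):
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev"] != prev or e["hash"] != digest:
            return False
        prev = e["hash"]
    return True
```

A shared HMAC key means the gateway itself could mint approvals, so a deployment that needs issuer separation would use an asymmetric signature in place of `_mac`. The hash chain makes edits detectable only if the latest hash is also exported or countersigned somewhere the gateway operator cannot rewrite.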

 

A more grounded way forward

Improving OT access control does not require radical change. It requires shifting what access is designed around. Organisations can begin by focusing on a small number of practical steps:

  • reduce shared and long-lived credentials where risk is highest
  • replace standing privileges with task-bound approvals
  • ensure access can be verified locally
  • capture clear evidence for every critical action

These measures strengthen security while supporting uptime, safety, and regulatory expectations.

Managing OT access like IT may feel efficient, but it continues to break because it was never designed for operational reality. Access control that understands tasks, endpoints, and conditions is not an enhancement. It is the foundation of reliable OT security.

 
