How to Strengthen OT Cyber Defenses Before It’s Too Late
The Skinny
- Legacy OT systems and shared credentials remain major security gaps not fully addressed by federal guidance, making them prime targets for cyber attackers.
- Modern authentication methods — such as Passkeys, smart cards and phishing-resistant MFA — can significantly reduce intrusion risks by enforcing individual accountability and preventing credential theft.
- Critical infrastructure operators should begin with an authentication risk assessment, enforce MFA across all access points, and eliminate shared credentials to strengthen their overall cyber defense posture.
As threat actors grow more brazen and critical infrastructure becomes increasingly digital, securing operational technology (OT) environments has taken on new urgency. In response, federal agencies including CISA, FBI, EPA and DOE recently issued joint guidance aimed at helping critical infrastructure operators safeguard their industrial control systems from cyber intrusions. While the recommendations mark a significant step forward, some cybersecurity experts believe key gaps remain — especially when it comes to authentication practices at the OT endpoint level.
SecurityInfoWatch consulted with Raul Cepeda Jr., vice president at rf IDEAS, a logical access solutions provider, for a deeper look into how organizations can move beyond traditional password-based access and embrace more modern, resilient authentication strategies. From eliminating shared credentials to deploying phishing-resistant multi-factor authentication and Passkeys, in the following interview, Cepeda outlines practical mitigations that align with — and extend — the protections laid out in the federal guidance.
Where Federal Guidance Falls Short
Why do you believe the recent CISA and FBI guidance on OT cybersecurity, while important, still leaves critical gaps that need addressing?
The recent joint guidance from CISA, FBI, EPA and DOE on operational technology (OT) cybersecurity is a significant step forward in addressing the growing threat landscape for critical infrastructure. However, despite its strengths, several critical gaps remain that need further attention:
First, there is currently an insufficient focus on the dangers of legacy systems. Many OT environments largely rely on legacy systems that cannot be easily patched or segmented. The guidance does not provide practical strategies for securing or isolating these legacy assets, which are often the most vulnerable. Additionally, remote access options have not been fully explored. While the guidance advises securing remote access, it doesn’t delve deeply into how to balance operational efficiency with security, especially for smaller frontline operators who rely on remote access for maintenance and monitoring.
Finally, there is minimal guidance on incident response and recovery. The focus right now is on prevention, which is important, but detection, response and recovery — especially in OT environments where downtime can be catastrophic — are not sufficiently addressed. Among the four pillars of IAM is auditing, which includes having a mechanism to detect, respond to, and recover from cyberattacks.
How does implementing secure authentication at each OT endpoint strengthen an organization’s overall cyber defense posture?
OT endpoints — often shared workstations or legacy systems — are typically not designed with modern security in mind. In fact, passwords and PINs are frequently reused or shared among frontline workers, making them easy targets for attackers. Implementing secure authentication methods such as smart card readers and biometric readers ensures that only authorized personnel can access critical systems.
These methods provide non-repudiation, ensuring accountability for actions taken on OT systems; resistance to credential theft, as smart cards or biometrics cannot be easily duplicated or phished; and compliance with zero trust principles, which require strong identity verification before granting access.
What are the operational or security risks of continuing to rely on traditional passwords in OT environments?
Traditional passwords are one of the most exploited attack vectors in OT breaches, and even strong passwords can be phished, guessed, or stolen. Additionally, PINs are just as insecure as passwords as they can also be easily compromised or guessed. CISA advises changing default credentials and using strong passwords by removing the password attack surface entirely.
The Case for Modern Authentication
Can you explain how passwordless authentication methods, such as Passkeys, work and why they may be a better fit for OT systems?
Passkeys — cryptographic credentials tied to a user’s device and biometric identity — offer a phishing-resistant alternative to passwords. Passwords remain one of the most exploited attack vectors in OT breaches and even strong passwords can be phished, guessed, or stolen. Passkeys prevent credential reuse across systems, eliminate the risk of password theft via keyloggers or phishing and simplify user experience while enhancing security.
Additionally, passkeys can enable unique individual credentials within shared workstations and accounts, thus boosting accountability. Overall, passkeys are a better, more secure fit for OT systems than traditional passwords.
Multi-factor authentication (MFA) is often discussed in IT circles. How should it be adapted or implemented for OT systems with unique constraints?
Multi-factor authentication should be implemented across all critical systems and access points, including local OT workstations, engineering workstations, SCADA, PLC and HMI interfaces and business applications that interface with OT systems. In doing so, systems ensure that even if one factor — such as a password or proximity card — is compromised, unauthorized access is still blocked. Using phishing-resistant MFA, like FIDO2 tokens or biometric-based MFA, is especially critical in high-risk environments.
What practical challenges do OT teams face when trying to implement modern authentication methods, and how can they overcome them?
OT teams face several practical challenges when trying to implement modern authentication methods like MFA, single sign-on (SSO), or certificate-based authentication. These challenges stem from the unique nature of OT environments, which differ significantly from traditional IT systems.
Many OT systems were designed decades ago and lack support for modern authentication protocols (like SAML, OAuth, or even LDAP). There are two main ways this can be solved. First, OT teams can use protocol translation gateways or identity-aware proxies to bridge modern IAM systems with legacy OT devices. Alternatively, OT teams can implement network segmentation to isolate legacy systems and apply compensating controls like jump servers with MFA.
Another significant challenge is the need for remote access. Remote maintenance and monitoring are common in OT, but they introduce authentication risks. OT teams should enforce MFA for all remote access or use zero trust network access (ZTNA) or VPNs with strong identity verification.
OT systems can also come with high uptime requirements. OT systems often run 24/7 and cannot afford downtime for authentication system upgrades or failures. A way to solve this is to use offline-capable MFA solutions (like smart cards) that don’t rely on internet connectivity. Additionally, OT environments often have fragmented identity systems or shared accounts. OT teams need to implement either centralized identity stores (like Active Directory) with role-based access control (RBAC) or unique credentials within shared workstations and accounts to enforce individual accountability.
First Steps Toward Stronger OT Access Control
For critical infrastructure operators looking to strengthen authentication protocols, what are the first two or three steps you’d recommend they take today?
For critical infrastructure operators aiming to strengthen their authentication protocols, the first step is to conduct an authentication risk assessment or audit. Organizations need to understand where their current authentication practices are weakest, especially in OT environments where legacy systems and shared accounts/workstations are common. It’s also important to enforce MFA for all access.
MFA is one of the most effective defenses against credential-based attacks, especially for remote access and administrative accounts. Finally, I’d recommend implementing unique credentials within shared accounts and workstations to make it possible to trace actions to individuals.
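The interview describes passkeys as device-bound cryptographic credentials that cannot be phished or reused across systems, and recommends unique per-operator credentials on shared workstations. The following Go program is an added example written for this page; it is not code from the interview, from rf IDEAS, or from any federal guidance. It models a simplified WebAuthn-style login with ed25519 from the Go standard library: the authenticator keeps one key pair per site ID, the server issues a one-time challenge, and the signature covers both the challenge and a hash of the site ID. The site IDs (hmi.plant.example, hmi-plant.example) and the user name operator-7 are constructed, and real WebAuthn signs authenticatorData together with a hash of clientDataJSON rather than the shorter message used here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models a user's device-bound passkey store (simplified): one key pair per site ID, never exported.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // rpID -> private key
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }
// Register creates a fresh key pair scoped to rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// Assertion is the authenticator's answer to a login challenge. Real WebAuthn signs
// authenticatorData || SHA-256(clientDataJSON); here the signed bytes are RPIDHash || Challenge.
type Assertion struct {
	RPIDHash  [32]byte // binds the signature to the site the key was registered for
	Challenge []byte   // the server's one-time nonce, echoed back
	Signature []byte
}

// Sign answers a challenge for the site identified by rpID. Like a browser, it selects the
// credential by site ID, so a look-alike phishing domain has no credential to sign with.
func (a *Authenticator) Sign(rpID string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	h := sha256.Sum256([]byte(rpID))
	return &Assertion{h, challenge, ed25519.Sign(priv, append(h[:], challenge...))}, nil
}

// RelyingParty models the server side, e.g. a login service in front of an HMI (hypothetical).
type RelyingParty struct {
	ID      string
	creds   map[string]ed25519.PublicKey // user -> enrolled public key
	pending map[string][]byte            // user -> outstanding challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}
// Enroll stores one public key per operator, even when several operators share a workstation.
func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.creds[user] = pub }
// NewChallenge issues a random one-time nonce for a login attempt.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify accepts an assertion only if it answers this user's outstanding challenge,
// is bound to this site's ID, and carries a valid signature from the enrolled key.
func (rp *RelyingParty) Verify(user string, as *Assertion) error {
	pub, known := rp.creds[user]
	want, issued := rp.pending[user]
	delete(rp.pending, user) // one challenge, one attempt: a replayed assertion finds none
	switch {
	case !known:
		return errors.New("unknown user")
	case !issued:
		return errors.New("no outstanding challenge (replay?)")
	case !bytes.Equal(want, as.Challenge):
		return errors.New("challenge mismatch")
	case as.RPIDHash != sha256.Sum256([]byte(rp.ID)):
		return errors.New("assertion was made for a different site")
	case !ed25519.Verify(pub, append(as.RPIDHash[:], as.Challenge...), as.Signature):
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth, rp := NewAuthenticator(), NewRelyingParty("hmi.plant.example") // constructed site ID
	pub, _ := auth.Register(rp.ID)
	rp.Enroll("operator-7", pub)
	c, _ := rp.NewChallenge("operator-7")
	as, _ := auth.Sign(rp.ID, c)
	fmt.Println("genuine login:", rp.Verify("operator-7", as), "| replay:", rp.Verify("operator-7", as))
	_, err := auth.Sign("hmi-plant.example", c) // look-alike domain: no credential
	fmt.Println("phishing origin:", err)
}
```

The two properties the interview relies on fall out of the structure rather than of user vigilance: a phishing site at a look-alike domain never receives a signature because the credential is selected by site ID, and a signature it could obtain by enrolling the user itself still fails at the genuine site because the site ID hash is part of the signed bytes. Enrolling one key per operator also gives the audit trail the interview asks for on shared workstations, since every accepted assertion is tied to a named enrolled key.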
About the Author
Rodney Bosch
Editor-in-Chief/SecurityInfoWatch.com
Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for multiple major security publications. Reach him at [email protected].