
Identity Security in Critical Infrastructure: Why OT Security is the New Battleground

Mar 9, 2026

Critical infrastructure operators face growing pressure from hacktivists, cybercriminals, and nation-state actors who increasingly exploit compromised identities, overprivileged accounts, and weak remote access paths. This blog explains why identity security has become central to OT security, summarizes disruption risks across the 16 CISA critical infrastructure sectors, and outlines practical steps to secure remote access, reduce privilege risk, and strengthen operational resilience using BeyondTrust Privileged Remote Access and Identity Security Insights.

Author:
Bill Venteicher
Director of Public Sector marketing, BeyondTrust

Securing Critical Infrastructure Through Identity-First OT Security


Federal and state leaders have maintained consistent focus on critical infrastructure protection through their cybersecurity evolution. Their priority remains preventing the disruption of essential services, including power, water, emergency response, transportation, communications, and healthcare. The reality driving this urgency is clear: adversaries and nation-state actors don’t need “Hollywood-style hacking” to cause real-world impact. Increasingly, they win by abusing access through compromised identities, overprivileged accounts, weak remote access paths, and other OT security gaps.

This is why the intersection of identity security and operational technology (OT) security has become the defining battleground for critical infrastructure resilience. It’s also why agencies like CISA have prioritized identity controls and remote access governance as core elements of protecting the nation’s critical infrastructure sectors. Now that operational technology is no longer truly air-gapped and remote operations and vendor support are a necessity, one question remains:

Can you prove who accessed what, when, from where—and what they did—without opening the network to do it?

This blog summarizes CISA’s 16 critical infrastructure sectors, explains why hacktivists, cybercriminals, and nation-states are increasingly targeting these environments, and dives into the practical “do-this-now” use cases for reducing risk using BeyondTrust Privileged Remote Access (PRA) and Identity Security Insights.

Strengthening Critical Infrastructure Security Across the 16 CISA Sectors


Strengthening critical infrastructure security involves protecting the 16 CISA sectors whose assets, systems, and networks are vital to national security. Each sector depends on a mix of IT and OT, and nearly every operational workflow depends on identity (human, service, vendor, and machine identities) and privilege (admin rights, access to consoles, remote control tools, and “break glass” accounts). [1]

Critical Infrastructure Sectors – Disruption Risk Overview

Here’s a practical summary of all 16 sectors through the lens of disruption risk:

| Sector | Primary Disruption Risk | Why It Matters (Operational Lens) |
| --- | --- | --- |
| Chemical | Safety systems, process controls, and supply chains | Availability and integrity matter as much as confidentiality |
| Commercial Facilities | Large venues and public spaces | Safety, access control, and building systems rely on connected operations |
| Communications | Public safety and continuity | Telecommunications, internet and network access are high-value targets for espionage and disruption |
| Critical Manufacturing | Production uptime, safety, and quality systems | Often OT-heavy environments that are third-party vendor-supported |
| Dams | Flood control and hydro operations | Industrial control components and specialized remote workflows control water flow and safety mechanisms |
| Defense Industrial Base | Highly targeted for espionage and supply chain compromise | Privileged access pathways are a primary objective for supply chain compromise and nation-state intrusion |
| Emergency Services | 911, fire, police, and EMS systems | An outage equals immediate safety risk |
| Energy | Electric utilities and generation | A top disruption target with extensive vendor remote access |
| Financial Services | Transaction integrity | High-confidence identity controls matter; cascading impacts can follow even limited outages |
| Food & Agriculture | Processing and cold-chain operations | Increasingly OT-enabled and time-sensitive |
| Government Facilities and Education | Direct disruption of normal day-to-day lives of citizens | Facilities and campuses anchor emergency response, public services, and community continuity operations |
| Healthcare & Public Health | Care delivery, patient safety, and public trust | Ransomware and outage pressure remains persistent |
| Information Technology | Cloud, hosting, managed services, and software dependencies | Identity is the control plane |
| Nuclear Reactors, Materials & Waste | High assurance and strict oversight | Remote access must be governed and auditable |
| Transportation Systems | Public transit, DOT operations, ports, and aviation support | Availability and safety drive security decisions |
| Water & Wastewater Systems | Community-scale essential services | Often feature aging OT, lean teams, and frequent vendor access requirements |


For state or local leaders, the takeaway is clear: even when you don’t “own” every asset, you often authorize access, operate identity systems, manage vendor relationships, coordinate incident response, and set minimum baselines. Resilience is still part of your job, and critical to your mission of serving and protecting your citizens and their families.

Why Adversaries Are Targeting Critical Infrastructure Now


1) Hacktivists are chasing disruption and psychological impact

In December 2025, U.S. and international partners warned that pro-Russia hacktivists were conducting opportunistic attacks against critical infrastructure and using minimally secured, internet-facing VNC connections to access OT control devices—explicitly impacting sectors like water and energy. These actors are often less sophisticated than top-tier APTs, but their opportunistic targeting raises the odds of “wrong place, wrong time” disruption. [2]

2) Cybercriminals are monetizing downtime—and critical infrastructure has the most leverage

Ransomware remains a pervasive driver of risk. FBI data highlights that ransomware is a prevalent threat to manufacturing, healthcare, government, finance, and IT. Criminal groups are looking for the easiest access pathways, like stolen credentials, exposed services, unmanaged vendor access, and overprivileged identities. [3][4]

3) Nation states are pre-positioning for crisis leverage

Strategic actors want access that looks legitimate, lasts a long time, and can be activated when it matters. In 2026 U.S. government reporting and advisories have confirmed this pattern: adversaries aim to blend into normal administrative activity, making remote access paths and identity systems prime territory for their operations. Iranian and Chinese nation-state groups are directly targeting critical infrastructure. [5][6]

For more information, see the BeyondTrust Threat Advisory about critical risk related to Iranian groups.

Bridging the Gap: Integrating Identity Security with OT Security


OT security conversations often get stuck on tools and architecture diagrams. But current guidance is straightforward and clear: reduce exposed attack surface, enforce strong authentication, eliminate standing privilege, and ensure accountability for remote activity. [7]

The real-world pattern is equally blunt: attackers repeatedly exploit remote services and valid accounts to gain access, move laterally, and persist—especially where OT and IT converge. [8] So the practical question for state and local critical infrastructure leaders becomes:

How do we enable remote operations and vendor support without turning VPNs, jump servers, and shared accounts into “permanent breach infrastructure”?

The Secure Remote Access Problem is the Control-Plane Problem


In OT environments, remote work is not optional. Specialized engineers, integrators, OEMs, and field technicians need access to:

  • Engineering workstations
  • SCADA/HMI consoles
  • Historians
  • Dispatch/CAD and supporting systems
  • PLC programming tools and vendor software
  • Segmented networks aligned to the Purdue Model

As you modernize your OT, your attack surface expands. Traditional VPNs force broad network access, create long-lived pathways, and make it harder to prove accountability. Meanwhile, many zero trust network access (ZTNA) approaches struggle with custom PLC controllers and bespoke manufacturer software that don’t behave like more common web apps.

This is where Privileged Remote Access (PRA) helps, by providing point-to-point access to isolated and non-routable OT networks, outbound-only connectivity, and full recording for auditability without a traditional VPN.

Solving OT Security Challenges with BeyondTrust Privileged Remote Access and Identity Security Insights


Operational technology environments depend on trusted operators, vendors, and administrators who must access critical systems to maintain uptime and safety. The challenge is that attackers increasingly exploit the same pathways that legitimate users depend on. When credentials, vendor accounts, or remote access tools are compromised, attackers aim to operate like legitimate users to move laterally and persist.

BeyondTrust's privilege-centric identity security approach addresses this challenge by combining Privileged Remote Access (PRA) with Identity Security Insights, creating a practical model for securing OT environments built around three outcomes: visibility, intelligence, and protection.

  • Visibility - Organizations must be able to see who has privileged access, what they can reach, and what activity occurs during each session. PRA provides complete session visibility across internal users and third-party vendors through session governance, recording, and detailed metadata.
  • Intelligence - Identity Security Insights continuously analyzes identity relationships across endpoints, servers, identity providers, and cloud services to reveal hidden Paths to Privilege™. This includes identifying excessive permissions, risky credential relationships, and identity exposure that attackers often exploit to reach critical systems.
  • Protection - Once risky privilege paths are identified, organizations can reduce exposure by enforcing least privilege, time-bound access, and session-level governance. BeyondTrust offers a modern privilege access management (PAM) approach, where PRA ensures access occurs only when needed and under controlled conditions, and Insights prioritizes the most impactful remediation opportunities to reduce the blast radius of compromise.

Together, these capabilities allow organizations to control the privileged access pathways attackers rely on while preserving operational workflows required to maintain industrial and mission-critical systems.

Use case 1: Replace VPN-based third-party access with outbound-only, session-governed access

Problem: Vendors and contractors often connect through VPNs or jump servers that provide more network visibility than needed. This is hard to monitor consistently.


The Privileged Remote Access (PRA) approach: Provide controlled access that does not require inbound exposure and supports stronger identity controls per session. PRA is explicitly positioned to enable outbound-only connections and fully recorded sessions for auditing.

How Identity Security Insights strengthens this use case: Insights identifies vendor accounts, shared credentials, and hidden privilege relationships that may allow attackers to escalate access after a connection is established. This helps security teams prioritize and reduce risky identity pathways before they can be abused.

What “good” looks like (success criteria):

  • Replaced VPNs with outbound-only access that minimizes exposure
  • Enforced MFA and just-in-time (JIT) access for internal and third-party users
  • Achieved full session recording and audit evidence (video + logs)
  • Identified and reduced risky vendor privilege relationships


Use case 2: Secure access into segmented, non-routable, and “effectively air-gapped” OT networks

Problem: OT environments often include segmented zones that are non-routable, with restricted connectivity aligned to Purdue levels. Secure access is needed without flattening segmentation.


The Privileged Remote Access (PRA) approach: Supports workflows where teams must traverse segmented architectures without turning segmentation into a myth. In customer examples, PRA supports operations that traverse Purdue Model zones while enforcing stronger access controls.

How Identity Security Insights strengthens this use case: Insights maps identity relationships across IT and OT-adjacent systems to reveal potential privilege escalation paths that could bypass segmentation through identity compromise.

What “good” looks like (success criteria):

  • Enabled remote access across segmented zones without compromising firewall intent
  • Preserved existing workflows while improving control and auditability
  • Reduced the number of exposed services and “always-on” pathways
  • Identified privilege escalation paths that could bypass segmentation controls


Use case 3: Support custom industrial tools and protocols while standardizing security controls

Problem: OT often depends on custom protocols and vendor tooling (Siemens, Rockwell, etc.) that break many “app-layer only” access approaches.


The Privileged Remote Access (PRA) approach: Supports specialized tools, including capabilities like Protocol Tunnel Jump and network tunneling services.

How Identity Security Insights strengthens this use case: Insights analyzes identities interacting with these specialized environments, identifying risky privilege combinations, unused privileges, and machine identities that could allow attackers to move between systems.

What “good” looks like (success criteria):

  • Seamlessly supported specialized tooling workflows without exceptions that bypass security
  • Standardized access controls even when the tools are not standardized
  • Centralized governance over who can use which tool, to reach which asset, under what conditions
  • Identified excessive privileges tied to specialized operational accounts


Use case 4: Centralize control and auditing for internal admins and third parties

Problem: Scattered access tools (VPNs, jump boxes, shared accounts, and ad hoc tooling) make it hard to prove accountability quickly—especially under audit pressure or during incident response.


The Privileged Remote Access (PRA) approach: Centralized controls, complete visibility across roles and sessions (including vendors), and “hands-free” auditing with recorded sessions and detailed metadata.

How Identity Security Insights strengthens this use case: Insights provides continuous identity risk visibility across the environment, identifying hidden privilege relationships and risky identity configurations that could enable unauthorized access.

What “good” looks like (success criteria):

  • Full session auditability with evidence for oversight and compliance
  • Faster investigation and containment via session replay and centralized records
  • Reduced operational friction for approvals and time-bound access
  • Continuous visibility into identity risk and privilege escalation paths across systems aligned to known attacker techniques and tactics

Outcomes That Matter: Mapping OT Security to Sector Realities


For water and wastewater; electric utilities, hydroelectric dams, and nuclear-adjacent operations; transportation; communications; and emergency services, the security conversation cannot end at “reducing risk.” These sectors live and die by continuity and trust. The outcomes below matter because they reduce the most common pathways to disruption while preserving the operational reality that remote work, remote maintenance, and third-party support are unavoidable.


Replace VPNs with secure, outbound-only access to reduce remote access risk

VPNs and traditional jump servers expand network reach far beyond what a technician needs for a specific task, and they create durable pathways that are difficult to govern consistently, especially across vendors and distributed sites.

For critical infrastructure, the goal is remote access that doesn’t become the breach path. Eliminating or sharply reducing VPN reliance helps shrink the exposed surface area and prevents a single compromised credential from turning into broad network access.

What this looks like in practice:

  • Energy and dams: Vendor access must be time-bound and scoped to assets and zones rather than an open tunnel.
  • Water and wastewater: Enable remote troubleshooting without leaving internet-facing services exposed.
  • Emergency services: Grant access quickly during incidents without falling back to shared accounts or “always-on” admin connectivity.


Enable secure access to segmented, non-routable OT networks

Segmentation is a core safety feature in OT security, but it makes support inefficient, especially with legacy remote access approaches.

The goal is to traverse segmented architectures intentionally—without flattening zones, weakening firewall intent, or creating permanent routes that attackers can later abuse. This is especially relevant when:

  • OT networks are segmented along the Purdue Model (or similar), and the operator needs controlled access across zones.
  • Systems are non-routable by design (or effectively isolated) and cannot be reached by standard IT remote access tools.
  • Access must work for both internal teams and critical third parties during outages or safety events.


Centralize control and auditing

When access is scattered across multiple tools, governance becomes inconsistent. Centralization provides a single control plane to manage who can access which assets, under what conditions, for how long, with what authentication, and with what evidence of their actions. This matters for public sector entities because accountability expectations are higher, reporting requirements are real, and investigations often require rapid, defensible proof.


Support compliance and custom industrial tools

OT relies on specialized engineering workflows and vendor toolchains that don’t behave like standard enterprise applications. If security forces OT teams into fragile workarounds or forbids the tools that actually run the environment, security loses—because operations will route around it.

The outcome is a security model that supports specialized workflows, while still enforcing consistent controls: authentication, least privilege, time-bounded access, and session evidence. This is where many “generic remote access” solutions fail in OT. Critical infrastructure teams need remote access that respects OT reality.

Success Criteria: Your Operational Scorecard


Most critical infrastructure organizations struggle with modernizing OT remote access because the operational constraints are real, the toolchain is specialized, and the legacy approach has become embedded in how work gets done. These challenges must be addressed.

The following criteria turn the operational outcomes outlined above into measurable “done/not done” milestones, for state and local leaders who need to address challenges and show progress to executives, boards, regulators, auditors, or oversight bodies:

| Operational Outcome | Success Criteria | Success Measures | Challenges to Overcome |
| --- | --- | --- | --- |
| Replace VPNs with secure, outbound-only access | VPNs are no longer the default remote access path for OT work, particularly for third parties. | The number of remote access workflows moved off VPN and the reduction in inbound connectivity exposure. Does the new method support time-bounded access and granular scoping? | Transitioning away from risky, long-lived, over-permissioned third-party vendor accounts that create permanent exposure. |
| Enable secure access to segmented, non-routable OT networks | Security shouldn’t be a friction layer and must align with Purdue zoning and remain functional during outages and emergencies. | MFA is required at the point of privileged access, permissions should be granted only for the smallest practical window, and third-party access is governed with the same rigor as internal admin access. | Solve for segmented or non-routable systems that legacy IT tools cannot reach. |
| Centralize control and auditing | Full session auditing with video, metadata, and logging | Security teams must be able to answer who, when, what, and how a system was accessed, backed by video and metadata evidence. | Eliminate error-prone manual logs in favor of automated, audit-ready evidence. |
| Support compliance and custom industrial tools | The solution supports end-to-end specialized OT workflows without requiring unsafe workarounds. Proprietary protocols are supported. | No shadow access methods; no operational bypasses; security integrated into vendor workflows. | OT workflows are full of exceptions: proprietary protocols, specialized engineering software, and vendor-specific requirements. If remote access solutions only support generic application patterns, they’ll force either unsafe workarounds or operational compromises. |
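
The scorecard's "done/not done" milestones can be computed from remote access session records instead of being asserted. The Python below is an added example, not BeyondTrust code and not a PRA export format: the record fields, the 8-hour grant limit, the tool labels, the outcome keys, and the four sample sessions are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values for this example (not taken from the article).
MAX_GRANT = timedelta(hours=8)                      # longest acceptable access window
APPROVED_TOOLS = {"rdp", "ssh", "protocol_tunnel"}  # hypothetical labels for governed tools
OUTCOMES = ("replace_vpn", "segmented_access", "central_audit", "custom_tools")


@dataclass
class Session:
    """One remote access session; a hypothetical record layout."""
    user: str
    third_party: bool
    shared_account: bool
    path: str                        # "brokered" (outbound-only), "vpn" or "jump_server"
    tool: str
    target: str
    target_zone: int                 # Purdue level of the asset reached
    granted_zones: frozenset         # Purdue levels the approval covers
    mfa: bool
    grant_start: Optional[datetime]  # None means standing (always-on) access
    grant_end: Optional[datetime]
    start: datetime
    end: datetime
    recording_id: Optional[str]


def findings(s: Session) -> dict:
    """Return {outcome: [reasons]} for every scorecard outcome this session fails."""
    out = {}

    def fail(outcome, reason):
        out.setdefault(outcome, []).append(reason)

    if s.path != "brokered":
        fail("replace_vpn", f"remote path is {s.path}")
    if s.grant_start is None or s.grant_end is None:
        fail("replace_vpn", "standing access, no time bound")
    else:
        if s.grant_end - s.grant_start > MAX_GRANT:
            fail("segmented_access", "grant window longer than policy")
        if s.start < s.grant_start or s.end > s.grant_end:
            fail("segmented_access", "activity outside the approved window")
    if not s.mfa:
        fail("segmented_access", "no MFA at the point of privileged access")
    if s.target_zone not in s.granted_zones:
        fail("segmented_access", f"zone {s.target_zone} not covered by approval")
    if s.recording_id is None:
        fail("central_audit", "no session recording")
    if s.shared_account:
        fail("central_audit", "shared account, user not attributable")
    if s.tool not in APPROVED_TOOLS:
        fail("custom_tools", f"tool {s.tool} bypasses the governed path")
    return out


def scorecard(sessions):
    """Per outcome: share of passing sessions, a done/not-done flag, and who failed."""
    result = {}
    for outcome in OUTCOMES:
        failing = [s for s in sessions if outcome in findings(s)]
        passed = len(sessions) - len(failing)
        result[outcome] = {
            "pass_pct": round(100 * passed / len(sessions)) if sessions else 0,
            "done": bool(sessions) and not failing,
            "failing": [(s.user, s.target) for s in failing],
        }
    return result


def _t(hour, minute=0):
    return datetime(2026, 3, 2, hour, minute)


# Constructed sample data: two clean sessions, one overrun, one legacy vendor VPN session.
SAMPLE = [
    Session("j.ortiz", False, False, "brokered", "rdp", "hmi-01", 2, frozenset({2}),
            True, _t(8), _t(12), _t(8, 15), _t(9, 40), "rec-0001"),
    Session("vendor-acme", True, True, "vpn", "vnc", "plc-eng-ws", 2, frozenset({3}),
            False, None, None, _t(1, 5), _t(3, 30), None),
    Session("m.chen", False, False, "brokered", "protocol_tunnel", "historian-01", 3,
            frozenset({3}), True, _t(13), _t(15), _t(13, 10), _t(15, 20), "rec-0002"),
    Session("integrator-k", True, False, "brokered", "ssh", "scada-gw", 3,
            frozenset({3}), True, _t(9), _t(11), _t(9, 5), _t(10, 0), "rec-0003"),
]

if __name__ == "__main__":
    for name, row in scorecard(SAMPLE).items():
        print(f"{name:17} {row['pass_pct']:3}%  done={row['done']}  failing={row['failing']}")
```

The `failing` list is the part that answers "who accessed what" for each missed milestone, which is what an auditor or oversight body will ask for first.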

How BeyondTrust Privileged Remote Access (PRA) Enables OT Security Outcomes


Here’s how the outcomes listed above can be achieved in practice using BeyondTrust Privileged Remote Access:

| Operational Outcome | PRA Capability That Enables It | Why It Matters in OT Environments |
| --- | --- | --- |
| Replace VPNs with secure, outbound-only access | Outbound-only access | Avoids inbound exposure and reduces VPN reliance, upholding the “don’t expose it” resilience rule. |
| Enable secure access to segmented, non-routable OT networks | Support for segmented access patterns and zone traversal workflows | PRA supports access architectures that can traverse segmented networks intentionally, enabling authorized users to reach the right systems while preserving the security intent of the segmented design. |
| Centralize control and auditing | Audit-ready evidence | Provides full session monitoring and recording for faster investigations, compliance readiness, operational accountability, and third-party governance improvements. |
| Support compliance and custom industrial tools | Protocol tunneling for proprietary and engineering protocols | Enables secure remote access for specialized engineering tools and proprietary industrial protocols. |

Why Now: The 2026 Compliance and Threat Reality


State and local critical infrastructure operators are facing a three-part pressure system: opportunistic OT intrusions that exploit exposed remote access and weakly secured services, ransomware disruption pressure that monetizes downtime, and nation-state prepositioning that aims for persistence and crisis leverage [2][3][5].

All three share a common truth: attackers repeatedly benefit from legitimate access pathways. That makes identity controls and remote access governance disproportionately valuable.


Baseline expectations

CISA’s push toward measurable cross-sector resilience expectations reflects what operators already know: foundational controls matter most when resources are limited, and the consequences are high. Expectations are increasingly framed around demonstrable outcomes, not just “we bought a tool.” [9]


The 2026 reality for regulated energy environments

For private and public energy organizations that fall under NERC CIP applicability, timelines are concrete. With an effective date of April 1, 2026 for CIP-003-9 and remote access expectations shaping program requirements, remote access governance is not just “a best practice.” It becomes a readiness milestone. [10]

And even outside strict U.S. applicability, global frameworks and supplier requirements are tightening. IEC 62443 and NIS2 are signals of a broader shift: if you operate, support, or supply critical services, you will increasingly be expected to prove controlled access, governance, and accountability—not merely assert it. [11][12]

The Cost of Delay: What You Pay for Unmanaged Access


Financial costs

| Impact of Inaction | Reasoning |
| --- | --- |
| Higher breach risks | OT recovery involves specialized expertise, physical coordination, and longer restoration than IT events. |
| Longer downtime | In public services, downtime has compounding effects: safety impacts, service backlogs, and public scrutiny. |
| Higher audit costs | Manual log collection, evidence building, and one-off audit preparation become an invisible tax that never goes away. |
| Lost technician productivity | If engineers and technicians waste time “getting in” rather than fixing problems, the organization pays in response time, overtime, and missed preventative maintenance work. |
| Expensive incident response and remediation | Investigations and remediation take longer, because you don’t have clean proof of what happened. |

Strategic costs

| Impact of Inaction | Reasoning |
| --- | --- |
| Falling behind in OT maturity | Organizations that don’t modernize access accumulate hidden risk, exceptions, and vendor sprawl. |
| Delayed modernization and cloud initiatives | Remote access risk becomes the blocker. If leadership doesn’t trust access paths, modernization slows down. |
| Increased non-compliance risk | Whether it’s NERC CIP applicability, supplier requirements, or broader governance expectations, the trendline is tightening. |
| Limited visibility and control | When incidents happen, leadership will ask: Who had access? What changed? Where’s the evidence? |
| Weakened credibility | Critical infrastructure exists to serve the public. When services fail due to preventable access gaps, this damages governance, credibility, and national resilience. |

Strengthening Critical Infrastructure Protection Through Identity Security


Critical infrastructure protection comes down to a simple operational truth: if you can’t govern access or see privilege, you can’t reliably prevent disruption. Detection matters, but it’s not a substitute for proactively eliminating risky pathways and shrinking standing privilege.

In the face of rising pressure from hacktivists, cybercriminals, and nation states, state and local leaders must prioritize the most common chokepoint: the identity and remote access pathways that lead into operational environments.

Because OT is where legitimate access becomes operational control, the most impactful step you can take today is redesigning that access to be outbound-only, point-to-point, time-bound, and fully auditable. That shift protects the workflows that keep communities running, ensuring that trusted access never becomes a breach path. BeyondTrust Privileged Remote Access is designed for the practical realities of OT, offering support for specialized tools, segmented networks, non-routable environments, and third-party dependencies.

If identity is the new battleground, then OT remote access is one of the most important front lines, and it is one you can materially improve by redesigning how access is granted, monitored, and proven.

Learn more about securing critical infrastructure for state and local governments, or get started today with a critical infrastructure OT assessment.

References


[1] Critical Infrastructure Sectors. Cybersecurity and Infrastructure Security Agency (CISA). https://www.cisa.gov/topics/cr...

[2] Advisory AA25-343A: Pro-Russia Hacktivists Targeting OT Control Devices via Internet-Facing VNC. Cybersecurity and Infrastructure Security Agency (CISA). Dec 9, 2025. https://www.cisa.gov/news-even...

[3] FBI Reporting on Ransomware Complaints Tied to U.S. Critical Infrastructure. Reuters. Apr 23, 2025. https://www.reuters.com/world/...

[4] StopRansomware Advisory AA25-071A: Medusa Ransomware Impacting Critical Infrastructure Sectors. Cybersecurity and Infrastructure Security Agency (CISA). Mar 12, 2025. https://www.cisa.gov/news-even...

[5] Disruption of PRC-Linked Volt Typhoon Activity Targeting Critical Infrastructure. U.S. Department of Justice. Mar 6, 2024. https://www.cisa.gov/news-even...

[6] Sanctions Related to PRC-Linked Salt Typhoon Telecom Intrusions. U.S. Department of the Treasury. Jan 17, 2025. https://www.cisa.gov/news-even...

[7] Primary Mitigations to Reduce Cyber Threats to Operational Technology. Cybersecurity and Infrastructure Security Agency (CISA). May 6, 2025. https://www.ic3.gov/CSA/2024/2...

[8] MITRE ATT&CK for ICS: Remote Services Exploitation and ICS Techniques. MITRE ATT&CK. https://attack.mitre.org/techn...

[9] Cybersecurity Performance Goals 2.0. Cybersecurity and Infrastructure Security Agency (CISA). Dec 2025. https://www.cisa.gov/sites/def...

[10] CIP-003-9 Security Management Controls (Effective April 1, 2026). North American Electric Reliability Corporation (NERC). https://www.nerc.com/standards...

[11] ISA/IEC 62443 Standards Overview. International Society of Automation (ISA). https://www.isa.org/standards-...

[12] NIS2 Directive Overview. European Commission Digital Strategy. https://digital-strategy.ec.eu...

About the Author

Bill Venteicher
Director of Public Sector marketing, BeyondTrust

Bill Venteicher is the Director of Public Sector marketing at BeyondTrust, where he helps federal, state and local, and education organizations strengthen identity security that is critical to securely completing their mission. As a 19-year product marketing leader and evangelist, Bill builds stories, marketing, and positioning that connect mission outcomes and needs to practical controls and measurable risk reduction. Before BeyondTrust, he has been a trusted source and public speaker. He led vertical product marketing in HR tech, CrowdStrike, and IBM Security, with specialization in SaaS, Security Services, and offensive and defensive cybersecurity. Bill lives in Austin and is a proud dad of three, bringing an educator’s clarity and a coaching mindset to every project.
