Identity Security in Critical Infrastructure: Why OT Security is the New Battleground

Securing Critical Infrastructure Through Identity-First OT Security
Federal and state leaders have maintained consistent focus on critical infrastructure protection through their cybersecurity evolution. Their priority remains preventing the disruption of essential services, including power, water, emergency response, transportation, communications, and healthcare. The reality driving this urgency is clear: adversaries and nation-state actors don’t need “Hollywood-style hacking” to cause real-world impact. Increasingly, they win by abusing access through compromised identities, overprivileged accounts, weak remote access paths, and other OT security gaps.
This is why the intersection of identity security and operational technology (OT) security has become the defining battleground for critical infrastructure resilience. It’s also why agencies like CISA have prioritized identity controls and remote access governance as core elements of protecting the nation’s critical infrastructure sectors. Now that operational technology is no longer truly air-gapped and remote operations and vendor support is a necessity, one question remains:
Can you prove who accessed what, when, from where—and what they did—without opening the network to do it?
This blog summarizes CISA’s 16 critical infrastructure sectors, explains why hacktivists, cybercriminals, and nation-states are increasingly targeting these environments, and dives into the practical “do-this-now” use cases for reducing risk using BeyondTrust Privileged Remote Access (PRA) and Identity Security Insights.
Strengthening Critical Infrastructure Security Across the 16 CISA Sectors
Strengthening critical infrastructure security involves protecting the 16 CISA sectors whose assets, systems, and networks are vital to national security. Each sector depends on a mix of IT and OT, and nearly every operational workflow depends on identity (human, service, vendor, and machine identities) and privilege (admin rights, access to consoles, remote control tools, and “break glass” accounts). [1]
Critical Infrastructure Sectors – Disruption Risk Overview
Here’s a practical summary of all 16 sectors through the lens of disruption risk:
Sector | Primary Disruption Risk | Why It Matters (Operational Lens |
|---|---|---|
Chemical | Safety systems, process controls, and supply chains | Availability and integrity matter as much as confidentiality |
Commercial Facilities | Large venues and public spaces | Safety, access control, and building systems rely on connected operations |
Communications | Public safety and continuity | Telecommunications, internet and network access are high-value targets for espionage and disruption |
Critical Manufacturing | Production uptime, safety, and quality systems | Often OT-heavy environments that are third-party vendor-supported |
Dams | Flood control and hydro operations | Industrial control components and specialized remote workflows control water flow and safety mechanisms |
Defense Industrial Base | Highly targeted for espionage and supply chain compromise | Privileged access pathways are a primary objective for supply chain compromise and nation-state intrusion |
Emergency Services | 911, fire, police, and EMS systems | An outage equals immediate safety risk |
Energy | Electric utilities and generation | A top disruption target with extensive vendor remote access |
Financial Services | Transaction integrity | High-confidence identity controls matter; cascading impacts can follow even limited outages |
Food & Agriculture | Processing and cold-chain operations | Increasingly OT-enabled and time-sensitive |
Government Facilities and Education | Direct disruption of normal day to day lives of citizens | Facilities and campuses anchor emergency response, public services, and community continuity operations |
Healthcare & Public Health | Care delivery, patient safety, and public trust | Ransomware and outage pressure remains persistent |
Information Technology | Cloud, hosting, managed services, and software dependencies | Identity is the control plane |
Nuclear Reactors, Materials & Waste | High assurance and strict oversight | Remote access must be governed and auditable |
Transportation Systems | Public transit, DOT operations, ports, and aviation support | Availability and safety drive security decisions |
Water & Wastewater Systems | Community-scale essential services | Often feature aging OT, lean teams, and frequent vendor access requirements |
NA
For state or local leaders, the takeaway is clear: even when you don’t “own” every asset, you often authorize access, operate identity systems, manage vendor relationships, coordinate incident response, and set minimum baselines. Resilience is still part of your job, and critical to your mission of serving and protecting your citizens and their families.
Why Adversaries Are Targeting Critical Infrastructure Now
1) Hacktivists are chasing disruption and psychological impact
In December 2025, U.S. and international partners warned that pro-Russia hacktivists were conducting opportunistic attacks against critical infrastructure and using minimally secured, internet-facing VNC connections to access OT control devices—explicitly impacting sectors like water and energy. These actors are often less sophisticated than top-tier APTs, but their opportunistic targeting raises the odds of “wrong place, wrong time” disruption. [2]
2) Cybercriminals are monetizing downtime—and critical infrastructure has the most leverage
Ransomware remains a pervasive driver of risk. FBI data highlights that ransomware is a prevalent threat to manufacturing, healthcare, government, finance, and IT. Criminal groups are looking for the easiest access pathways, like stolen credentials, exposed services, unmanaged vendor access, and overprivileged identities. [3][4]
3) Nation states are pre-positioning for crisis leverage
Strategic actors want access that looks legitimate, lasts a long time, and can be activated when it matters. In 2026 U.S. government reporting and advisories have confirmed this pattern: adversaries aim to blend into normal administrative activity, making remote access paths and identity systems prime territory for their operations. Iranian and Chinese nation-state groups are directly targeting critical infrastructure. [5][6]
For more information, see the BeyondTrust Threat Advisory about critical risk related to Iranian groups.
Bridging the Gap: Integrating Identity Security with OT Security
OT security conversations often get stuck on tools and architecture diagrams. But current guidance is straightforward and clear: reduce exposed attack surface, enforce strong authentication, eliminate standing privilege, and ensure accountability for remote activity. [7]
The real-world pattern is equally blunt: attackers repeatedly exploit remote services and valid accounts to gain access, move laterally, and persist—especially where OT and IT converge. [8] So the practical question for state and local critical infrastructure leaders becomes:
How do we enable remote operations and vendor support without turning VPNs, jump servers, and shared accounts into “permanent breach infrastructure”?
The Secure Remote Access Problem is the Control-Plane Problem
In OT environments, remote work is not optional. Specialized engineers, integrators, OEMs, and field technicians need access to:
Engineering workstations
SCADA/HMI consoles
Historians
Dispatch/CAD and supporting systems
PLC programming tools and vendor software
Segmented networks aligned to the Purdue Model
As you modernize your OT, your attack surface expands. Traditional VPNs force broad network access, create long-lived pathways, and make it harder to prove accountability. Meanwhile, many zero trust network access (ZTNA) approaches struggle with custom PLC controllers and bespoke manufacturer software that don’t behave like more common web apps.
This is where Privileged Remote Access (PRA) helps, by providing point-to-point access to isolated and non-routable OT networks, outbound-only connectivity, and full recording for auditability without a traditional VPN.
Solving OT Security Challenges with BeyondTrust Privileged Remote Access and Identity Security Insights
Operational technology environments depend on trusted operators, vendors, and administrators who must access critical systems to maintain uptime and safety. The challenge is that attackers increasingly exploit the same pathways that legitimate users depend on. When credentials, vendor accounts, or remote access tools are compromised, attackers aim to operate like legitimate users to move laterally and persist.
BeyondTrust's privilege-centric identity security approach addresses this challenge by combining Privileged Remote Access (PRA) with Identity Security Insights, creating a practical model for securing OT environments built around three outcomes: visibility, intelligence, and protection.
Visibility - Organizations must be able to see who has privileged access, what they can reach, and what activity occurs during each session. PRA provides complete session visibility across internal users and third-party vendors through session governance, recording, and detailed metadata.
Intelligence - Identity Security Insights continuously analyzes identity relationships across endpoints, servers, identity providers, and cloud services to reveal hidden Paths to Privilege™. This includes identifying excessive permissions, risky credential relationships, and identity exposure that attackers often exploit to reach critical systems.
Protection - Once risky privilege paths are identified, organizations can reduce exposure by enforcing least privilege, time-bound access, and session-level governance. BeyondTrust offers a modern privilege access management (PAM) approach, where PRA ensures access occurs only when needed and under controlled conditions, and Insights prioritizes the most impactful remediation opportunities to reduce the blast radius of compromise.
Together, these capabilities allow organizations to control the privileged access pathways attackers rely on while preserving operational workflows required to maintain industrial and mission-critical systems.
Use case 1: Replace VPN-based third-party access with outbound-only, session-governed access
Problem: Vendors and contractors often connect through VPNs or jump servers that provide more network visibility than needed. This is hard to monitor consistently.
The Privilege Remote Access (PRA) approach: Provide controlled access that does not require inbound exposure and supports stronger identity controls per session. PRA is explicitly positioned to enable outbound-only connections and fully recorded sessions for auditing.
How Identity Security Insights strengthens this use case: Insights identifies vendor accounts, shared credentials, and hidden privilege relationships that may allow attackers to escalate access after a connection is established. This helps security teams prioritize and reduce risky identity pathways before they can be abused.
What “good” looks like (success criteria):
Replaced VPNs with outbound-only access that minimizes exposure
Enforced MFA and just-in-time (JIT) access for internal and third-party users
Achieved full session recording and audit evidence (video + logs)
Identified and reduced risky vendor privilege relationships
Use case 2: Secure access into segmented, non-routable, and “effectively air-gapped” OT networks
Problem: OT environments often include segmented zones that are non-routable, with restricted connectivity aligned to Purdue levels. Secure access is needed without flattening segmentation.
The Privilege Remote Access (PRA) approach: Supports workflows where teams must traverse segmented architectures without turning segmentation into a myth. In customer examples, PRA supports operations that traverse Purdue Model zones while enforcing stronger access controls.
How Identity Security Insights strengthens this use case: Insights maps identity relationships across IT and OT-adjacent systems to reveal potential privilege escalation paths that could bypass segmentation through identity compromise.
What “good” looks like (success criteria):
Enabled remote access across segmented zones without compromising firewall intent
Preserved existing workflows while improving control and auditability
Reduced the number of exposed services and “always-on” pathways
Identified privilege escalation paths that could bypass segmentation controls
Use case 3: Support custom industrial tools and protocols while standardizing security controls
Problem: OT often depends on custom protocols and vendor tooling (Siemens, Rockwell, etc.) that break many “app-layer only” access.
The Privilege Remote Access (PRA) approach: Supports specialized tools, including capabilities like Protocol Tunnel Jump and network tunneling services.
How Identity Security Insights strengthens this use case: Insights analyzes identities interacting with these specialized environments, identifying risky privilege combinations, unused privileges, and machine identities that could allow attackers to move between systems
What “good” looks like (success criteria):
Seamlessly supported specialized tooling workflows without exceptions that bypass security
Standardized access controls even when the tools are not standardized
Centralized governance over who can use which tool, to reach which asset, under what conditions
Identified excessive privileges tied to specialized operational accounts
Use case 4: Centralize control and auditing for internal admins and third parties
Problem: Scattered access tools (VPNs, jump boxes, shared accounts, and ad hoc tooling) make it hard to prove accountability quickly—especially under audit pressure or during incident response.
The Privilege Remote Access (PRA) approach: Centralized controls, complete visibility across roles and sessions (including vendors), and “hands-free” auditing with recorded sessions and detailed metadata.
How Identity Security Insights strengthens this use case:
Insights provides continuous identity risk visibility across the environment, identifying hidden privilege relationships and risky identity configurations that could enable unauthorized access.
What “good” looks like (success criteria):
Full session auditability with evidence for oversight and compliance
Faster investigation and containment via session replay and centralized records
Reduced operational friction for approvals and time-bound access
Continuous visibility into identity risk and privilege escalation paths across systems aligned to known attacker techniques and tactics
Outcomes That Matter: Mapping OT Security to Sector Realities
For water and wastewater; electric utilities, hydroelectric dams, and nuclear-adjacent operations; transportation; communications; and emergency services, the security conversation cannot end at “reducing risk.” These sectors live and die by continuity and trust. The outcomes below matter because they reduce the most common pathways to disruption while preserving the operational reality that remote work, remote maintenance, and third-party support are unavoidable.
Replace VPNs with secure, outbound-only access to reduce remote access risk
VPNs and traditional jump servers expand network reach far beyond what a technician needs for a specific task, and they create durable pathways that are difficult to govern consistently, especially across vendors and distributed sites.
For critical infrastructure, the goal is remote access that doesn’t become the breach path. Eliminating or sharply reducing VPN reliance helps shrink the exposed surface area and prevents a single compromised credential from turning into broad network access.
What this looks like in practice:
Energy and dams: Vendor access must be time-bound and scoped to assets and zones rather than an open tunnel.
Water and wastewater: Enable remote troubleshooting without leaving internet-facing services exposed.
Emergency services: Grant access quickly during incidents without falling back to shared accounts or “always-on” admin connectivity.
Enable secure access to segmented, non-routable OT networks
Segmentation is a core safety feature in OT security, but it makes support inefficient, especially with legacy remote access approaches.
The goal is to traverse segmented architectures intentionally—without flattening zones, weakening firewall intent, or creating permanent routes that attackers can later abuse. This is especially relevant when:
OT networks are segmented along the Purdue Model (or similar), and the operator needs controlled access across zones.
Systems are non-routable by design (or effectively isolated) and cannot be reached by standard IT remote access tools.
Access must work for both internal teams and critical third parties during outages or safety events.
Centralize control and auditing
When access is scattered across multiple tools, governance becomes inconsistent. Centralization provides a single control plane to manage who can access which assets, under what conditions, for how long, with what authentication, and with what evidence of their actions. This matters for public sector entities because accountability expectations are higher, reporting requirements are real, and investigations often require rapid, defensible proof.
Support compliance and custom industrial tools
OT relies on specialized engineering workflows and vendor toolchains that don’t behave like standard enterprise applications. If security forces OT teams into fragile workarounds or forbids the tools that actually run the environment, security loses—because operations will route around it.
The outcome is a security model that supports specialized workflows, while still enforcing consistent controls: authentication, least privilege, time-bounded access, and session evidence. This is where many “generic remote access” solutions fail in OT. Critical infrastructure teams need remote access that respects OT reality.
Success Criteria: Your Operational Scorecard
Most critical infrastructure organizations struggle with modernizing OT remote access because the operational constraints are real, the toolchain is specialized, and the legacy approach has become embedded in how work gets done. These challenges must be addressed.
The following criteria turn the operational outcomes outlined above into measurable “done/not done” milestones, for state and local leaders who need to address challenges and show progress to executives, boards, regulators, auditors, or oversight bodies:
Operational Outcome | Success Criteria | Success Measures | Challenges to Overcome |
|---|---|---|---|
Replace VPNs with secure, outbound-only access | VPNs are no longer the default remote access path for OT work, particularly for third parties. | The number of remote access workflows moved off VPN and the reduction in inbound connectivity exposure. Does the new method support time-bounded access and granular scoping? | Transitioning away from risky, long-lived, over-permissioned third-party vendor accounts that create permanent exposure. |
Enable secure access to segmented, non-routable OT networks | Security shouldn’t be a friction layer and must align with Purdue zoning and remain functional during outages and emergencies. | MFA is required at the point of privileged access, permissions should be granted only for the smallest practical window, and third-party access is governed with the same rigor as internal admin access. | Solve for segmented or non-routable systems that legacy IT tools cannot reach. |
Centralize control and auditing | Full session auditing with video, metadata, and logging | Security teams must be able to answer who, when, what, and how a system was accessed, backed by video and metadata evidence. | Eliminate error-prone manual logs in favor of automated, audit-ready evidence. |
Support compliance and custom industrial tools | The solution supports end-to-end specialized OT workflows without requiring unsafe workarounds. Proprietary protocols are supported. | No shadow access methods; no operational bypasses; security integrated into vendor workflows. | OT workflows are full of exceptions: proprietary protocols, specialized engineering software, and vendor-specific requirements. If remote access solutions only support generic application patterns, they’ll force either unsafe workarounds or operational compromises. |
How BeyondTrust Privilege Remote Access (PRA) Enables OT Security Outcomes
Here’s how the outcomes listed above can be achieved in practice using BeyondTrust Privilege Remote Access:
Operational Outcome | PRA Capability That Enables It | Why it Matters in OT Environments |
|---|---|---|
Replace VPNs with secure, outbound-only access | Outbound-only access | Avoids inbound exposure and reduces VPN reliance, upholding the “don’t expose it” resilience rule. |
Enable secure access to segmented, non-routable OT networks | Support for segmented access patterns and zone traversal workflows | PRA supports access architectures that can traverse segmented networks intentionally, enabling authorized users to reach the right systems while preserving the security intent of the segmented design |
Centralize control and auditing | Audit-ready evidence | Provides full session monitoring and recording for faster investigations, compliance readiness, operational accountability, and third-party governance improvements. |
Support compliance and custom industrial tools | Protocol tunneling for proprietary and engineering protocols | Enables secure remote access for specialized engineering tools and proprietary industrial protocols. |
Why Now: The 2026 Compliance and Threat Reality
State and local critical infrastructure operators are facing a three-part pressure system: opportunistic OT intrusions that exploit exposed remote access and weakly secured services, ransomware disruption pressure that monetizes downtime, and nation-state prepositioning that aims for persistence and crisis leverage [2][3][5].
All three share a common truth: attackers repeatedly benefit from legitimate access pathways. That makes identity controls and remote access governance disproportionately valuable.
Baseline expectations
CISA’s push toward measurable cross-sector resilience expectations reflects what operators already know: foundational controls matter most when resources are limited, and the consequences are high. Expectations are increasingly framed around demonstrable outcomes, not just “we bought a tool.” [9]
The 2026 reality for regulated energy environments
For private and public energy organizations that fall under NERC CIP applicability, timelines are concrete. With an effective date of April 1, 2026 for CIP-003-9 and remote access expectations shaping program requirements, remote access governance is not just “a best practice.” It becomes a readiness milestone. [10]
And even outside strict U.S. applicability, global frameworks and supplier requirements are tightening. IEC 62443 and NIS2 are signals of a broader shift: if you operate, support, or supply critical services, you will increasingly be expected to prove controlled access, governance, and accountability—not merely assert it. [11][12]
The Cost of Delay: What You Pay for Unmanaged Access
Financial costs
Impact of Inaction | Reasoning |
|---|---|
Higher breach risks | OT recovery involves specialized expertise, physical coordination, and longer restoration than IT events. |
Longer downtime | In public services, downtime has compounding effects: safety impacts, service backlogs, and public scrutiny. |
Higher audit costs | Manual log collection, evidence building, and one-off audit preparation becomes an invisible tax that never goes away. |
Lost technician productivity | If engineers and technicians waste time “getting in” rather than fixing problems, the organization pays in response time, overtime, and missed preventative maintenance work. |
Expensive incident response and remediation | Investigations and remediation take longer, because you don’t have clean proof of what happened. |
Strategic costs
Impact of Inaction | Reasoning |
|---|---|
Falling behind in OT maturity | Organizations that don’t modernize access accumulate hidden risk, exceptions, and vendor sprawl. |
Delayed modernization and cloud initiatives | Remote access risk becomes the blocker. If leadership doesn’t trust access paths, modernization slows down. |
Increased non-compliance risk | Whether it’s NERC CIP applicability, supplier requirements, or broader governance expectations, the trendline is tightening. |
Limited visibility and control | When incidents happen, leadership will ask: Who had access? What changed? Where’s the evidence? |
Weakened credibility | Critical infrastructure exists to serve the public. When services fail due to preventable access gaps, this damages governance, credibility, and national resilience. |
Strengthening Critical Infrastructure Protection Through Identity Security
Critical infrastructure protection comes down to a simple operational truth: if you can’t govern access or see privilege, you can’t reliably prevent disruption. Detection matters, but it’s not a substitute for proactively eliminating risky pathways and shrinking standing privilege.
In the face of rising pressure from hacktivists, cybercriminals, and nation states, state and local leaders must prioritize the most common chokepoint: the identity and remote access pathways that lead into operational environments.
Because OT is where legitimate access becomes operational control, the most impactful step you can take today is redesigning that access to be outbound-only, point-to-point, time-bound, and fully auditable. That shift protects the workflows that keep communities running, ensuring that trusted access never becomes a breach path. BeyondTrust Privileged Remote Access is designed for the practical realities of OT, offering support for specialized tools, segmented networks, non-routable environments, and third-party dependencies.
If identity is the new battleground, then OT remote access is one of the most important front lines, and it is one you can materially improve by redesigning how access is granted, monitored, and proven.
Learn more about securing critical infrastructure for state and local governments, or get started today with a critical infrastructure OT assessment.
References
[1] Critical Infrastructure Sectors. Cybersecurity and Infrastructure Security Agency (CISA). https://www.cisa.gov/topics/cr...
[2] Advisory AA25-343A: Pro-Russia Hacktivists Targeting OT Control Devices via Internet-Facing VNC. Cybersecurity and Infrastructure Security Agency (CISA). Dec 9, 2025. https://www.cisa.gov/news-even...
[3] FBI Reporting on Ransomware Complaints Tied to U.S. Critical Infrastructure. Reuters. Apr 23, 2025. https://www.reuters.com/world/...
[4] StopRansomware Advisory AA25-071A: Medusa Ransomware Impacting Critical Infrastructure Sectors. Cybersecurity and Infrastructure Security Agency (CISA). Mar 12, 2025. https://www.cisa.gov/news-even...
[5] Disruption of PRC-Linked Volt Typhoon Activity Targeting Critical Infrastructure. U.S. Department of Justice. Mar 6, 2024. https://www.cisa.gov/news-even...
[6] Sanctions Related to PRC-Linked Salt Typhoon Telecom Intrusions. U.S. Department of the Treasury. Jan 17, 2025. https://www.cisa.gov/news-even...
[7] Primary Mitigations to Reduce Cyber Threats to Operational Technology. Cybersecurity and Infrastructure Security Agency (CISA). May 6, 2025. https://www.ic3.gov/CSA/2024/2...
[8] MITRE ATT&CK for ICS: Remote Services Exploitation and ICS Techniques. MITRE ATT&CK. https://attack.mitre.org/techn...
[9] Cybersecurity Performance Goals 2.0. Cybersecurity and Infrastructure Security Agency (CISA). Dec 2025. https://www.cisa.gov/sites/def...
[10] CIP-003-9 Security Management Controls (Effective April 1, 2026). North American Electric Reliability Corporation (NERC). https://www.nerc.com/standards...
[11] ISA/IEC 62443 Standards Overview. International Society of Automation (ISA). https://www.isa.org/standards-...
[12] NIS2 Directive Overview. European Commission Digital Strategy. https://digital-strategy.ec.eu...
