Password management is often viewed as one of the most fundamental cybersecurity controls. Strong passwords, rotation policies, and account management practices are among the initial security measures taught in most IT security frameworks.
Why, after decades of guidance, audits, and security incidents, does password management remain one of the weakest points in Operational Technology (OT) and Industrial Control Systems (ICS)? If you spend time in actual plants, substations, pipeline control stations, or manufacturing facilities, the answer quickly becomes obvious: password management was never designed around how industrial systems work. This is not due to a lack of awareness or concern for security, and it is certainly not because OT engineers are careless. Instead, the challenge comes from a fundamental mismatch between:
- How industrial systems are engineered
- How they are operated and supported
- How cybersecurity controls are typically designed
Recognizing this gap is the first step toward improving security in OT environments. This post is the first of a two-part series on password management in OT and ICS settings. Here we discuss why deploying traditional password controls in industrial systems is so challenging, looking at the technical limitations of legacy devices, the operational realities of continuous processes, and the organizational issues that often weaken well-meaning security policies. In the next post, we will explore practical strategies organizations can use to improve password and credential management in OT environments without disrupting operations or introducing new risks.
The IT Assumption That Breaks in OT
Much of modern password management guidance originates from enterprise IT environments. These environments operate under several assumptions that generally hold true for office networks and business systems.
Common IT assumptions include:
- Systems can tolerate brief authentication failures
- Accounts can be locked without affecting safety or operations
- Password rotation is routine and automated
- Centralized identity systems are always available
- Users are individual employees working from dedicated workstations
These assumptions work well in corporate IT environments. However, in OT environments, they start to break down. Industrial systems do more than just host applications or process data; they control physical processes involving machinery, energy systems, chemical reactions, and manufacturing equipment.
In these environments:
- Downtime can have immediate operational consequences
- Operators must respond quickly to process disturbances
- Systems may run continuously for years without rebooting
- Access is often shared across shifts and operational roles
- Vendor maintenance and troubleshooting frequently rely on known credentials
Applying IT-style password policies directly to OT systems may seem to work fine at first. The real issues surface when access is most critical: a password change breaks a service account, an operator is locked out during an emergency, or a centralized authentication service goes down. At that point the problem is no longer an authentication issue but an operational one. In OT environments, security controls don’t fail quietly; they fail when operators cannot reach the system at the moment they need it most.
A Reality Check from the Field
Discussions about password management often take place in conference rooms, policy documents, and cybersecurity frameworks. However, the reality is quite different when you enter a plant or control room.
In real OT environments, password practices are driven more by operational needs than by policy. Systems need to stay accessible during incidents. Engineers require consistent methods to troubleshoot equipment. Vendors depend on reliable access to diagnose failures and quickly restore operations. Over time, these operational demands influence how authentication is practically implemented in the field.
As a result, in nearly every OT security assessment, you will encounter situations like:
- A single HMI login shared across the control room
- PLCs still using vendor default credentials because changing them breaks uploads
- Engineering workstations configured with automatic login
- Passwords written inside control cabinets for emergency access
- Vendor accounts that were intended to be temporary but were never removed
Each of these practices introduces cybersecurity risk. However, they are rarely signs of negligence or indifference to security. More often, they reflect environments where availability, safety, and maintainability were prioritized well before cybersecurity requirements were introduced. To understand why these practices persist, it is necessary to examine several underlying factors: limitations of legacy technology, ongoing operational demands, vendor support models, and organizational policy conflicts.
Legacy OT Devices Were Not Built for Modern Password Management
Many OT devices still in use today were designed long before cybersecurity was a part of the design process. When security features were later added, they were often basic or limited.
Common limitations in legacy OT devices include:
- Support for only one or two local accounts
- No role-based access control
- No centralized authentication integration
- No logging of login attempts
- Passwords embedded directly in firmware
- Hard-coded credentials required by vendor tools
- Shared passwords across entire product lines
Even something as simple as changing a password can lead to unexpected consequences.
For example, changing a credential may:
- Break firmware update tools
- Prevent remote diagnostics
- Void vendor support agreements
- Require physical access and system downtime
From an engineering standpoint, leaving the credentials unchanged might seem like the safest choice.
Due to these technical constraints, many password management practices common in IT environments cannot be directly implemented in OT systems. Even when stronger authentication controls are technically feasible, they still need to be balanced against the operational realities of industrial processes.
Availability and Safety Always Win
Even when systems technically support stronger password controls, operational priorities can make implementing them difficult.
Consider the situation shown in Image 1 – Shared Access Is Common in 24/7 Operations. In many industrial control rooms, multiple operators work across rotating shifts using the same Human Machine Interface (HMI) workstations. In these environments, system access must remain predictable and immediate regardless of which operator is currently on duty. In IT environments, a locked account is an inconvenience. In OT environments, it can become a safety issue.

Image 1 – Shared Access Is Common in 24/7 Operations
Imagine a process emergency unfolding in real time. Alarms sound, parameters exceed their limits, and the operator reacts quickly. They sit down at the HMI, enter their credentials, and the account locks because of earlier failed login attempts. Instead of stabilizing the process, the operator now has to troubleshoot an authentication problem. Minutes pass, and the corrective action is delayed.
In an office environment, that delay might mean a postponed meeting or a missed email. In a control room, it can escalate into something far more serious. A delayed response may:
- Trip critical equipment
- Trigger an unplanned shutdown
- Cause a spill
- Damage product
- Put personnel at risk
Viewed through this perspective, the choice to avoid aggressive lockout policies or frequent password changes does not seem reckless. Instead, it appears to be a thoughtful risk trade-off prioritizing operational safety and uptime.
This is why many OT environments depend on:
- Shared credentials
- Non-expiring passwords
- Emergency access accounts known to operators across shifts
These decisions are not made out of negligence. They reflect a judgment that losing access during an incident can be riskier than the weakness the control was meant to remove.
Password Rotation Collides with Continuous Operations
Password rotation policies sound straightforward in theory. They assume that systems can be updated during maintenance windows and that changes can be tested and rolled back if necessary. These assumptions rarely reflect OT reality.
Most industrial systems run nonstop, 24 hours a day, 365 days a year. Tight production schedules make downtime costly, and maintenance windows are often brief. When maintenance occurs, it usually focuses on hardware repairs, system upgrades, or process changes that directly affect production. Password changes rarely take priority. Even when organizations attempt to rotate passwords, unexpected dependencies can cause issues.
Changing a password can break old scripts that no one documented. A service account might silently fail authentication and stop sending data to a historian. A vendor needing emergency access could suddenly be locked out during a critical failure. The real challenge is uncertainty. In many OT environments, the full dependency chain for a credential is not documented, so the scope and impact of a password change are hard to predict. Consequently, password rotation is frequently delayed: “We’ll do it later, when things are less busy.” In busy industrial settings, “later” rarely happens.
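As an added example (not code from the original post), here are the two checks a practitioner would want around such a rotation: a scan of scripts and configuration files for every reference to the account before the password changes, so the dependency chain is at least enumerated, and a stall check on the historian feed afterward, because a collector whose credential was rotated underneath it usually keeps running and simply stops delivering data. The file tree, the account name opcuser, the historian sample times and every file's contents are constructed for illustration and stand in for whatever a real site has on its engineering workstations.

```python
"""
Two checks around a service-account password rotation in an OT network.
Added example; not code from the original post. The file tree, the account
name "opcuser" and the historian sample times are constructed for illustration.
"""
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# A "Password=" / "pwd:" style field means the secret itself lives in the file,
# so rotating the account on the server alone will break that consumer.
SECRET_FIELD = re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]")


def build_sample_tree(root):
    """Write a small, constructed OT file tree under `root` (config, script, notes)."""
    root = Path(root)
    files = {
        "historian/collector.ini": (
            "[Source]\n"
            "Server=opc01.plant.local\n"
            "User=OPCUSER\n"
            "Password=CHANGEME\n"
        ),
        "scripts/nightly_export.bat": (
            "@echo off\n"
            "rem credential is cached by Windows, not stored in this file\n"
            "net use H: \\\\hmi01\\reports /user:opcuser /savecred\n"
            "copy H:\\*.csv D:\\reports\\\n"
        ),
        "hmi/accounts.txt": (
            "Control room HMI logins\n"
            "Shared login: opcuser (all shifts)\n"
            "Backup login: opcuser_backup (vendor only)\n"
        ),
        "hmi/startup_notes.txt": "Start the HMI runtime before the alarm server.\n",
    }
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return root


def find_credential_references(root, account):
    """Return every line under `root` that names `account` as a whole word.

    Each hit is (relative_path, line_number, file_holds_secret, line_text),
    sorted by path and line. file_holds_secret is True when the same file also
    carries a password field, i.e. the file must be edited as part of the rotation.
    Word boundaries keep "opcuser_backup" from matching a search for "opcuser".
    """
    root = Path(root)
    name = re.compile(r"(?<!\w)" + re.escape(account) + r"(?!\w)", re.IGNORECASE)
    hits = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: nothing we can act on here
        holds_secret = bool(SECRET_FIELD.search(text))
        for number, line in enumerate(text.splitlines(), 1):
            if name.search(line):
                hits.append((path.relative_to(root).as_posix(), number,
                             holds_secret, line.strip()))
    return sorted(hits)


def scan_sample_tree(account="opcuser"):
    """Build the constructed tree in a temporary directory, scan it, return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_credential_references(build_sample_tree(tmp), account)


def feed_stalled(sample_times, now, expected_interval, tolerance=3):
    """True when the newest historian sample is older than tolerance * expected_interval.

    Works with datetimes/timedeltas or with plain seconds. A collector that lost
    its credential usually keeps running and just stops writing, so a widening
    gap in sample times is often the only symptom of the failed rotation.
    """
    if not sample_times:
        return True
    return (now - max(sample_times)) > tolerance * expected_interval


if __name__ == "__main__":
    print("References to opcuser to review before rotation:")
    for rel, number, holds_secret, line in scan_sample_tree("opcuser"):
        flag = "EDIT FILE" if holds_secret else "check    "
        print(f"  [{flag}] {rel}:{number}: {line}")

    # Post-rotation: a 10-second feed whose last sample is 45 s old has stalled.
    now = datetime(2024, 1, 1, 12, 0, 0)
    samples = [now - timedelta(seconds=s) for s in (45, 55, 65)]
    print("historian feed stalled:", feed_stalled(samples, now, timedelta(seconds=10)))
```

The scan deliberately reports files whose password is held elsewhere (the `/savecred` line) alongside files that embed it, because both break on rotation; only the second kind shows up in a grep for the secret value itself. Run the stall check against the historian's own sample timestamps rather than the collector's process state, since the process is usually still alive.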
Shared Accounts Become an Operational Shortcut
Because industrial systems must always stay accessible, many organizations adopt practices that prioritize operational continuity over strict identity management. Shared accounts are among the most common examples. They persist because they solve real operational problems such as:
- Faster shift handovers
- Minimal training requirements
- Guaranteed access during emergencies
- Reduced administrative overhead
In a control room, the primary focus is straightforward:
“Can someone operate the system right now?”
Not:
“Can we prove exactly who logged in at 03:17?”
From a cybersecurity standpoint, shared accounts pose several risks. They remove individual accountability, break audit trails, complicate incident response, and violate most security standards. Yet, without practical alternatives that align with operational workflows, shared accounts remain prevalent in OT environments.
Vendor Access Turns Passwords into Trust Tokens
Vendor access presents another key challenge for OT password management. Industrial systems often depend on vendors for maintenance, diagnostics, and specialized support.
To perform these tasks, vendors often require:
- Persistent credentials
- Administrative privileges
- Emergency access capability
- Compatibility with proprietary tools
In practice, this often results in vendor credentials that are widely shared among teams and reused across systems. Access may stay active indefinitely, and authentication controls like multi-factor authentication are frequently unsupported or bypassed.
When something breaks in a plant, the focus is clear:
“Get the vendor connected and get us running.” Security controls that slow this down are often bypassed, and once bypassed, they tend to stay that way.
Centralized Identity Isn’t Always Safe in OT
Given these challenges, many organizations turn to centralized identity systems such as Active Directory or enterprise Identity and Access Management (IAM) platforms as solutions. Centralized identity can offer improved visibility and control, but it also brings new risks in OT environments.
Potential concerns include:
- Dependency on IT infrastructure
- Authentication failures affecting operational systems
- Increased attack surface between IT and OT networks
- Loss of deterministic system behavior
To reduce these risks, many industrial organizations purposely isolate control networks. While isolation safeguards operational reliability, it also creates fragmented authentication environments with:
- Local accounts
- Inconsistent password policies
- Limited visibility into credential use
Centralized identity management isn’t inherently wrong in OT environments, but it must be implemented carefully and isn’t suitable in all cases.
Security Policies Often Ignore OT Constraints
Many of the challenges discussed above become even more complex when enterprise security policies are implemented. Corporate security teams often create standardized password policies tailored for enterprise IT environments. These policies generally require:
- Frequent password rotation
- Strict complexity requirements
- Account lockout thresholds
- Centralized enforcement mechanisms
On paper, these policies are technically sound and often align with regulatory requirements. However, once these policies reach the control room, issues start to emerge. OT teams attempt to comply. Some systems accept the changes, while others react unpredictably. A password change can disrupt legacy integrations. An account lockout affects a production workstation. A service account tied to a historian fails silently. To keep systems operational, exceptions are requested. These exceptions are initially temporary, but over time, they tend to accumulate.
Eventually, the policy stays the same while the environment shifts around it. This creates a subtle but serious issue: security theater. Audits show compliance because the policy exists. Operations teams follow a different set of informal practices because production demands it. Security assumes controls are enforced. Operations assumes security understands the constraints. Neither assumption is entirely accurate.
When security governance ignores operational realities, it does not improve protection. Instead, it promotes workarounds and makes risk harder to identify and resolve.
Understanding the Challenge
Managing passwords in OT environments is challenging, not because organizations lack security awareness, but because the systems were never built with modern identity management in mind.
Legacy technology, ongoing operations, safety concerns, vendor dependencies, and enterprise policy conflicts all add to the problem. Understanding these constraints is crucial before trying to address them.
At Enaxy, we help organizations design practical credential and access management strategies for OT environments. By working closely with engineering, operations, and security teams, we develop solutions that strengthen authentication and accountability while respecting the realities of industrial systems and maintaining uptime. If you need help improving password and credential management in your OT environment, contact Enaxy at info@enaxy.com.
In part two, we will examine how organizations can implement effective password and credential management strategies in OT environments without interrupting operations or endangering safety.