# Identity and Credentials: The New Air Gap

Industrial Cybersecurity Best Practices

- [Assessing Your Industrial Cyber Security Posture](/assessing-your-industrial-cyber-security-posture/)
- [Boundary Defence: The First Layer of Industrial Cyber Security](https://www.agilicus.com/boundary-defence-the-first-layer-of-industrial-cyber-security/)
- [Identity and Credentials: The New Air Gap](https://www.agilicus.com/identity-and-credentials-the-new-air-gap/)
- Halting Lateral Movement in Operational Technology
- System Hardening: Fortifying Industrial Infrastructure
- Visibility and Detection: Illuminating the Industrial Network
- A Pragmatic Blueprint for Industrial Cyber Security

[Download the Best Practices Guide](/white-papers/industrial-cyber-security-best-practices/)

[Take the Cybersecurity Assessment](/l/industrial-cyber-security-best-practices-scorecard/)

Welcome to the third post in our series on industrial cyber security best practices. After establishing robust [Boundary Defence](#) in our previous post, we now move to the second orthogonal dimension: Identity and Credentials.

In an environment where network boundaries are increasingly porous, identity is the new air gap. When physical separation is no longer possible due to the convergence of Information Technology and Operational Technology, robust authentication becomes your primary line of defence. This dimension mandates a shift to an architecture where identity is unified, heavily verified, and tied strictly to least privilege.

### Phishing-Resistant Multi-Factor Authentication

Relying on passwords alone is a proven failure. Legacy authentication methods, such as Short Message Service (SMS) codes, are easily intercepted by modern threat actors through techniques like SIM-jacking. When administrative access to a critically important role relies on weak authentication, the entire perimeter is compromised the moment a single credential is stolen.

We believe phishing-resistant multi-factor authentication, such as hardware security keys, is an absolute necessity. As we outlined in our article on [uncorrelated risks in multi-factor authentication](#), tying a digital identity to a physical token ensures that stolen passwords cannot be leveraged by a remote attacker. This adds a crucial layer of defence in depth. Mandate hardware security keys for highly privileged access and disable email-based authentication methods.

### Unified Identity and Single Sign-On

When operators manage hundreds of separate local accounts across disparate human-machine interfaces, password reuse and credential sprawl become inevitable. This operational friction results in dormant accounts remaining active long after an employee departs, providing a silent vector for exploitation.

Unifying identity through a single corporate directory eliminates this risk. Centralised authentication allows for immediate, global revocation of access when personnel change, ensuring that the operational technology environment remains strictly governed by a single source of truth. Disable local accounts on individual programmable logic controllers and centralise all human identities.

### Third-Party and Vendor Access

Creating static, local accounts for third-party vendors typically results in shared passwords and non-expiring access. This makes it impossible to confidently verify who is actually connecting to your systems. As supply chains become more integrated, managing the lifecycle of these external identities creates immense administrative overhead.

Permitting vendors to authenticate using their own native corporate identity provider shifts the burden of credential management back to them. You no longer store their passwords; you simply authorise their verified identity to access specific resources for a limited time. Eliminate shared generic accounts and implement time-bound access that automatically expires.

### Granular Role and Resource Authorisation

Granting broad administrative access simply because an engineer needs to monitor a single process violates the core tenet of least privilege. When users possess more access than required, any compromised account becomes a highly destructive tool in the hands of an attacker.

Granular authorisation ensures that roles are mapped tightly to specific tasks and individual devices. By decoupling network access from application access, you ensure that a contractor viewing read-only telemetry cannot inadvertently or maliciously issue a stop command to a programmable logic controller. Restrict access on a strict least-privilege basis.
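As an added illustration (not code from the original post or from Agilicus), the following Python sketch shows the two ideas above combined: roles mapped to explicit actions on specific devices, and every grant carrying an expiry, so a vendor contractor with read-only telemetry rights can neither issue a stop command nor keep access once the time-bound grant lapses. The role names, device names and identities are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed role catalogue: each role lists the actions it may perform on
# named devices only. There is deliberately no "admin on everything" role.
ROLE_PERMISSIONS = {
    "telemetry_viewer": {"plc-line1": {"read_telemetry"}},
    "line1_operator":   {"plc-line1": {"read_telemetry", "start", "stop"}},
}

@dataclass
class Grant:
    subject: str          # identity asserted by the corporate or vendor IdP
    role: str
    expires_at: datetime  # every grant is time-bound; no permanent access

def is_authorised(grants, subject, device, action, now):
    """True only if an unexpired grant for this subject carries a role that
    explicitly permits this action on this device; everything else is denied."""
    for g in grants:
        if g.subject != subject or now >= g.expires_at:
            continue  # wrong subject, or the grant has already lapsed
        if action in ROLE_PERMISSIONS.get(g.role, {}).get(device, set()):
            return True
    return False

def demo():
    """Constructed scenario: a vendor contractor with a 4-hour read-only grant
    and a plant operator with a 1-day operator grant on line 1."""
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    grants = [
        Grant("contractor@vendor.example", "telemetry_viewer", now + timedelta(hours=4)),
        Grant("operator@plant.example", "line1_operator", now + timedelta(days=1)),
    ]
    c, o, dev = "contractor@vendor.example", "operator@plant.example", "plc-line1"
    return {
        "contractor_reads_telemetry": is_authorised(grants, c, dev, "read_telemetry", now),
        "contractor_stops_plc": is_authorised(grants, c, dev, "stop", now),
        "contractor_after_expiry": is_authorised(grants, c, dev, "read_telemetry",
                                                 now + timedelta(hours=5)),
        "operator_stops_plc": is_authorised(grants, o, dev, "stop", now),
        "operator_on_other_device": is_authorised(grants, o, "plc-line2", "stop", now),
    }
```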

### Machine-to-Machine Authentication

Static application programming interface keys are often embedded directly into scripts and rarely rotated. They act as immortal passwords for automated systems. If an attacker extracts one of these keys from a compromised server, they gain unfettered, persistent access to internal interfaces.

The modern approach requires abandoning static secrets in favour of short-lived tokens and continuous authorisation. By cryptographically binding machine identities to specific hardware and requiring frequent token renewals, the window of opportunity for an attacker to misuse a stolen credential is fundamentally eliminated.
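To make the contrast with a static API key concrete, here is an added example (not from the original post or from Agilicus) of a short-lived, machine-bound token: the issuer signs claims that include an expiry and a fingerprint of the machine's hardware-held key, and the verifier rejects the token once it expires or when it is presented from a different machine. The issuer secret and hardware keys are constructed byte strings standing in for an HSM-held secret and TPM-resident keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed issuer secret for the example; in practice this lives in an HSM
# or secrets manager, never inside a script.
ISSUER_SECRET = b"constructed-issuer-secret-for-example-only"
TOKEN_TTL_SECONDS = 300  # five-minute lifetime forces frequent renewal

def machine_fingerprint(hardware_public_key: bytes) -> str:
    """Bind a token to one machine via a hash of its hardware-held public key
    (constructed bytes here; a TPM-resident key in a real deployment)."""
    return hashlib.sha256(hardware_public_key).hexdigest()

def issue_token(subject: str, hardware_public_key: bytes, now: int) -> str:
    """Issue a signed token carrying subject, machine binding and expiry."""
    claims = {"sub": subject, "cnf": machine_fingerprint(hardware_public_key),
              "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(ISSUER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_token(token: str, presenting_hardware_public_key: bytes, now: int):
    """Return the subject if the token is authentic, unexpired and presented by
    the machine it was bound to; otherwise return None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None  # malformed
    expected = hmac.new(ISSUER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return None  # a stolen token replayed later is already dead
    if claims["cnf"] != machine_fingerprint(presenting_hardware_public_key):
        return None  # token exfiltrated to a host it was not bound to
    return claims["sub"]
```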

Identity is not just about logging in; it is about verifying context continuously. To see how your identity controls measure up, take our Cyber Security Assessment and download the companion best practices guide. In our next instalment, we will tackle the third dimension: Lateral Movement.
