You probably know that nuts can reduce the risk of cardiovascular disease. In a similar way—though admittedly this is not scientifically proven—the same could be said of mature security concepts in a business context. Because without successful cyberattacks on IT infrastructure and operational technology (OT), management is far less likely to suffer temporary heart palpitations. But before organizations can feel truly secure, they first have to crack a few nuts of varying hardness: Identity and Access Management, Privileged Access Management, and OT security.
Security is not optional—in any area
Security has never been a luxury. It has always been essential. Yet companies often fall into two traps when putting it into practice.
Mistake #1: Defining cybersecurity too narrowly.
You have firewalls and antivirus software and feel secure? We need to step in here. Poorly protected identities and privileged access are among the easiest and most effective attack vectors for cybercriminals, and, unfortunately, also among the most frequently overlooked. Without a well-thought-out Identity and Access Management (IAM) strategy, a single stolen password can be enough for an attacker to take over entire systems. It becomes even more dangerous when organizations neglect Privileged Access Management (PAM): a compromised privileged account gives an attacker maximum control while looking, in the logs, like a legitimate administrator going about their work.
Mistake #2: Overlooking physical risks.
Especially in industry, transportation, and utilities, another area is becoming increasingly critical as digitization advances and internet connectivity expands: the security of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems—commonly grouped together under the term Operational Technology (OT). Without reliable protection for these components, production outages, manipulation, and in the worst case even physical harm to people and machines become only a matter of time. And attacks are becoming more devastating, as seen in the outages affecting Ukraine’s power grid.
Our strongest recommendation for avoiding disaster is this: start your Zero Trust strategy with solid IAM and PAM concepts. At the same time, make sure that OT security aligns with your remote access and access protection requirements and works in lockstep with the IT components of those two concepts. That is the only way to ensure, for example, that only authorized people and machines can access OT systems—including from outside the organization. In industry and critical infrastructure in particular, a compromised privileged account is a direct threat to physical safety.
One question remains: how do you actually crack these nuts?
What is OT security?
OT security means far more than simply protecting physical devices and infrastructure. It is about securing people, systems, and processes alike, monitoring critical infrastructure, and detecting attacks early. To do that, organizations use technologies such as Next-Generation Firewalls (NGFWs) and Security Information and Event Management (SIEM) systems, always adapted to OT requirements. In practice that usually means passive network monitoring rather than the active scanning common in IT, because even a routine port scan can stall a fragile controller. The guiding principle is caution, since mistakes here can quickly lead to physical disruptions. One thing is already clear: IAM and PAM are essential in OT as well, but OT's special requirements must remain front and center.
IAM – the peanut of the bunch
Well-protected digital identities are the cornerstone of every security strategy. Without structured Identity and Access Management, there is no control over who can access which systems, applications, and data. Effective IAM is much more than simply issuing user accounts. It ensures that every user gets the right permissions at the right time—and no more than that. It governs which external partners or service providers may access sensitive systems and automates permission assignment to reduce human error. In short: IAM makes entitlements transparent, traceable, and secure.
This peanut can be cracked fairly easily with the right moves. Three must-haves:
- Regular entitlement reviews: Who really needs access? Which rights can be reduced to support the principle of least privilege?
- Automation: Role-based access assignment reduces the burden on IT teams and minimizes human error.
- Single Sign-On (SSO): Simplifies login without sacrificing security. One important condition: companies should combine SSO with multi-factor authentication (MFA), ideally phishing-resistant methods such as FIDO2 security keys or passkeys, because SSO also means that a single compromised identity unlocks every connected application at once.
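The first of the three must-haves, the entitlement review, is easy to describe and tedious to do by hand. The following added example (not code from the original post, built on constructed role, user and usage data) shows the core of such a review: it compares what each user is entitled to through their roles with what they actually exercised in the review window, and reports unused rights, roles that could be dropped entirely, and rights used outside the role model, which point at forgotten direct grants. The refinement over a naive "unused permission" diff is that a role only counts as droppable if every used right it grants is also covered by another role the user holds.

```python
"""Entitlement review for least privilege (added example, constructed data):
compare the permissions users hold through roles with the permissions they
actually used, and report what can safely be removed."""
from collections import defaultdict

# Constructed role model: role -> permissions it grants.
ROLES = {
    "engineer": {"git:read", "git:write", "ci:trigger"},
    "ops":      {"prod:ssh", "prod:deploy", "ci:trigger"},
    "finance":  {"erp:read", "erp:post-journal"},
    "admin":    {"iam:manage", "prod:ssh", "prod:deploy"},
}

# Constructed assignments: user -> roles. carol received "admin" for a
# one-off task and the role was never taken away again.
USERS = {
    "alice": {"engineer"},
    "bob":   {"engineer", "ops"},
    "carol": {"finance", "admin"},
}

# Constructed usage log for the review window: (user, permission) events,
# as an IAM system or SIEM would export them.
USAGE_LOG = [
    ("alice", "git:read"), ("alice", "git:write"), ("alice", "ci:trigger"),
    ("bob", "git:read"), ("bob", "prod:deploy"), ("bob", "ci:trigger"),
    ("carol", "erp:read"), ("carol", "erp:post-journal"),
    ("carol", "hr:export"),  # used, but no role grants it: a direct grant to investigate
]


def effective_permissions(user_roles, roles):
    """Union of everything the user's roles grant."""
    perms = set()
    for role in user_roles:
        perms |= roles[role]
    return perms


def droppable_roles(user_roles, roles, used):
    """Roles whose used permissions are all covered by the user's other roles."""
    droppable = set()
    for role in user_roles:
        covered_by_others = effective_permissions(user_roles - {role}, roles)
        if (roles[role] & used) <= covered_by_others:
            droppable.add(role)
    return droppable


def review(users=USERS, roles=ROLES, log=USAGE_LOG):
    """Per user: unused entitlements, droppable roles, and rights used
    outside the role model."""
    used = defaultdict(set)
    for user, perm in log:
        used[user].add(perm)

    report = {}
    for user, user_roles in users.items():
        entitled = effective_permissions(user_roles, roles)
        report[user] = {
            "unused": entitled - used[user],
            "droppable_roles": droppable_roles(user_roles, roles, used[user]),
            "outside_model": used[user] - entitled,
        }
    return report


if __name__ == "__main__":
    for user, result in review().items():
        print(user, result)
```

In the constructed data the review flags carol's forgotten admin role as droppable, bob's never-used git:write and prod:ssh as candidates for removal, and carol's hr:export as a right that no role explains. Real reviews feed the "unused" and "droppable_roles" sets back to the role owners as a recertification task rather than removing rights automatically.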
PAM – the walnut: tougher, but manageable
While IAM provides visibility across all identities, Privileged Access Management (PAM) focuses on critical access: administrator accounts, root users, service accounts, and all other highly privileged permissions that enable full control over systems, networks, and databases. These privileged accounts are a primary target for attackers. A regular user can certainly cause damage—but a compromised admin account can bring an entire IT infrastructure to a halt. That is why strict control is needed over who can access highly critical systems, when, and how.
PAM also has a few technical tricks of its own:
- Just-in-time access: Privileged rights are granted only for the exact window in which they are needed, after an approval, and expire automatically. The goal should always be zero standing privilege: outside an approved window, nobody holds admin rights at all.
- Session monitoring: All privileged sessions are monitored and logged, from simple keystroke logging to full screen recordings, so that a suspicious session can be reviewed afterwards or terminated while it is still running.
- MFA-based access control: An admin login without an additional security check? No way.
- Credential vaults: Passwords for privileged accounts are never handled directly by the user. They are checked out from a vault, injected into the session, and rotated after use, so a credential that leaks from a session is already worthless by the time anyone can replay it.
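How these four tricks fit together is easier to see in code than in prose. The following added example (not any product's implementation, written with constructed names such as `plc-gateway-01`) is a minimal just-in-time broker: a privileged request requires MFA, must be approved by someone other than the requester, produces a grant that expires after a capped TTL, hands out the vaulted credential only while the grant is live, records every command of the session, and rotates the credential when the session ends or the grant expires. Time is passed in explicitly so the expiry logic can be exercised without waiting.

```python
"""Just-in-time privileged access broker with zero standing privilege
(added example, constructed data). Admin rights exist only as a time-boxed,
approved grant; the target credential lives in a vault, is handed out only
while the grant is live, and is rotated when the session ends."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Grant:
    user: str
    target: str
    approver: str
    expires_at: float                       # epoch seconds
    session_log: list = field(default_factory=list)


class JitBroker:
    def __init__(self, max_ttl=3600):
        self.max_ttl = max_ttl
        self.vault = {}      # target -> current privileged credential
        self.pending = {}    # request id -> (user, target, ttl, justification)
        self.grants = {}     # (user, target) -> Grant
        self.audit = []      # append-only event trail

    def enroll_target(self, target):
        """Put the target's admin credential under vault control."""
        self.vault[target] = secrets.token_urlsafe(24)

    def request(self, user, target, ttl, justification, mfa_verified):
        if not mfa_verified:
            raise PermissionError("privileged request requires MFA")
        if target not in self.vault:
            raise KeyError(f"unknown target {target}")
        rid = secrets.token_hex(8)
        self.pending[rid] = (user, target, min(ttl, self.max_ttl), justification)
        self.audit.append(("request", rid, user, target, justification))
        return rid

    def approve(self, rid, approver, now):
        user, target, ttl, justification = self.pending[rid]
        if approver == user:
            raise PermissionError("four-eyes rule: requester cannot self-approve")
        del self.pending[rid]
        grant = Grant(user, target, approver, now + ttl)
        self.grants[(user, target)] = grant
        self.audit.append(("approve", rid, approver, grant.expires_at))
        return grant

    def checkout(self, user, target, now):
        """Hand out the vaulted credential only while the grant is live."""
        grant = self.grants.get((user, target))
        if grant is None:
            return None
        if now >= grant.expires_at:
            self._revoke(user, target, "expired")
            return None
        return self.vault[target]

    def run(self, user, target, command, now):
        """Run a privileged command under the grant; every command is recorded."""
        if self.checkout(user, target, now) is None:
            raise PermissionError("no live grant")
        self.grants[(user, target)].session_log.append((now, command))

    def end_session(self, user, target):
        grant = self.grants[(user, target)]
        self._revoke(user, target, "ended")
        return grant.session_log

    def _revoke(self, user, target, reason):
        grant = self.grants.pop((user, target))
        # Rotate: whatever was checked out during the session is now dead.
        self.vault[target] = secrets.token_urlsafe(24)
        self.audit.append(("revoke", user, target, reason, len(grant.session_log)))
```

The two checks a real deployment must not lose are visible in `approve` and `checkout`: the requester can never approve their own elevation, and a credential is only ever returned against a live grant, so there is no code path that yields standing access.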
OT security – the macadamia nut of cybersecurity
Your company does not operate any industrial control systems? You are not a utility provider? And you do not transport people—whether by train or elevator? Then IAM and PAM may already cover a great deal for you. Everyone else should definitely keep reading, especially if OT security has so far been treated as an afterthought.
This much is true: OT systems were never originally designed to be networked with IT, let alone exposed to the internet. Many plants, machine controllers, and industrial robots were developed decades ago and still operate with insecure protocols, unencrypted communication, and default credentials that reflected the state of the art back in the 1980s or 1990s. At the same time, the many "privileges" that exist in OT, from configuring safety sensors to adjusting drive systems and quality measurement technology, all the way to supervisory control systems in manufacturing and building automation, are often missing from any inventory of privileged access.
Times are changing quickly, and OT security is lagging behind in many places. Even today, many industrial systems are still protected by default passwords or have maintenance access paths that were never disabled. And while IT systems are patched regularly, OT systems often run for years with known vulnerabilities, simply because they cannot be updated without production downtime, or because they are only certified to operate in an approved baseline configuration that is, by now, outdated.
That means one thing: there is catching up to do. And while the checklist below may sound simple enough on paper, in reality this is an extremely tough nut to crack—more like a macadamia nut. That is why organizations need strong partners with real experience in IAM, PAM, and OT security to get to the core of the matter: a secure company. We would be happy to apply for the role.
Checklist for OT security
- Discover all privileged access paths in your OT environment—without exceptions.
- Document and secure all accounts with administrative privileges.
- Gain visibility into the activities of your privileged users.
- Eliminate hard-coded and plaintext credentials in applications.
- Where possible, implement OT-adapted multi-factor authentication for every administrative access path.
- Allow only the minimum necessary set of privileges for each individual job.
- Enable automated access provisioning and monitoring to reduce the burden on teams.
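The first, second and fourth items on the checklist can be turned into something that runs against device configurations. The following added example (not part of the original checklist; the config, the default-credential list and the `vault:` reference syntax are constructed assumptions, not any vendor's format) audits a fictional line gateway's configuration for plaintext and default credentials, credentials embedded in connection URLs, legacy administrative access paths that are still enabled, and a vendor support tunnel that is reachable without MFA. The same audit is then run against the remediated configuration to confirm it comes back clean.

```python
"""Configuration audit for the OT checklist (added example, constructed data):
find plaintext and default credentials, credentials in URLs, enabled legacy
access paths and remote maintenance access without MFA."""
import re

# Constructed config of a fictional gateway, as found before remediation.
SAMPLE_CONFIG = """\
[device]
name = line3-gateway
firmware = 2.1.4

[users]
# vendor default, never changed
admin = admin
maint = Maint2019!

[remote]
telnet = enabled
ssh = enabled
vnc = enabled
vendor_support_tunnel = enabled
mfa = disabled

[historian]
db_url = postgres://hist:hist@10.20.0.5/historian
"""

# The same device after remediation: secrets are vault references, legacy
# paths are off, the support tunnel sits behind MFA.
HARDENED_CONFIG = """\
[device]
name = line3-gateway
firmware = 2.1.4

[users]
admin = vault:line3-gateway/admin
maint = vault:line3-gateway/maint

[remote]
telnet = disabled
ssh = enabled
vnc = disabled
vendor_support_tunnel = enabled
mfa = enabled

[historian]
db_url = vault:line3-gateway/historian-dsn
"""

# Assumed list of credential pairs treated as defaults for this audit.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("maint", "maint")}
LEGACY_ACCESS_SERVICES = {"telnet", "vnc", "ftp", "http"}
URL_CREDENTIAL_RE = re.compile(r"://([^:/@\s]+):([^@\s]+)@")
VAULT_REF_PREFIX = "vault:"   # assumed convention for "secret lives in the vault"


def parse_ini(text):
    """Minimal INI parser: [section] headers, key = value lines, '#' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def audit(text):
    """Return (finding, location) pairs; an empty list means the checks pass."""
    cfg = parse_ini(text)
    findings = []
    for user, secret in cfg.get("users", {}).items():
        if secret.startswith(VAULT_REF_PREFIX):
            continue                     # vault reference, not a secret
        findings.append(("plaintext_credential", f"users.{user}"))
        if (user, secret) in DEFAULT_CREDENTIALS:
            findings.append(("default_credential", f"users.{user}"))
    remote = cfg.get("remote", {})
    for service, state in remote.items():
        if service in LEGACY_ACCESS_SERVICES and state == "enabled":
            findings.append(("legacy_access_path", f"remote.{service}"))
    if remote.get("vendor_support_tunnel") == "enabled" and remote.get("mfa") != "enabled":
        findings.append(("remote_access_without_mfa", "remote.vendor_support_tunnel"))
    for section, entries in cfg.items():
        for key, value in entries.items():
            if URL_CREDENTIAL_RE.search(value):
                findings.append(("credential_in_url", f"{section}.{key}"))
    return findings


if __name__ == "__main__":
    for label, config in (("before", SAMPLE_CONFIG), ("after", HARDENED_CONFIG)):
        print(label, audit(config))
```

Note that SSH is deliberately not flagged: the point of the checklist is not to remove every access path but to know each one, put it behind MFA and the PAM controls described above, and switch off the ones, such as Telnet and unauthenticated VNC, that cannot be brought up to that standard.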
Time to start cracking
Without IAM, there is no clear control over digital identities and access points. Without PAM, highly privileged accounts remain a major vulnerability. And without OT security, every connected production system becomes a potential target—with real, physical consequences.
But once these security measures start working together, they deliver far more than just protection. Companies can begin to unlock the full potential of digitization. Efficient data usage, smart production processes, optimized operations, and predictive maintenance are just a few examples of what an IT-OT partnership can achieve when it is built for the future.
