The convergence of IT and OT in industrial and critical infrastructure is rapidly multiplying the number of IoT devices, and with them the potential entry points for attackers, which makes privileged access management (PAM) more necessary than ever.
IDC expects the IoT to reach 55.7 billion devices this year, yet many of these devices lack strong security controls, and some have none at all. Unmanaged or outdated systems and limited visibility across sprawling networks create an environment in which organisations lose track of the security status of individual devices over time.
Research by network security firm Byos found that 73% of OT devices remain completely unmanaged, creating a critical weakness in industrial settings. Threat actors like Water Barghest look for exactly this kind of weakness. In one campaign the group used an automated pipeline to compromise more than 20,000 devices, taking only minutes from initial exploit to enrolling each one, infected with Ngioweb malware, in a botnet of residential proxies. The article's sources report that this malware can shut devices down, interrupt entire processes, or provide a backdoor for further attacks.
Last year’s CyberArk Identity Security Threat Landscape Report found that half of those surveyed believe their organisation’s human and machine identities will triple within 12 months. For many, the biggest risk lies in machine identities tied to OT accounts or IoT devices, which let attackers slip under the radar. The 2024 Waterfall ICS STRIVE report also showed a 19% year-on-year rise in OT security incidents with physical consequences, demonstrating that these threats are not hypothetical but very real.
One of the most effective ways to address these weaknesses and manage the expanding IoT landscape is privileged access management (PAM). While PAM has long been used to control user credentials and permissions in IT environments, its core principles also close the growing security gaps in IoT/OT devices. By ensuring that only properly authorised individuals and systems can perform critical functions, PAM helps organisations take back control of their sprawling IoT estates, reducing the opportunities for attackers to exploit any weakness.
PAM gives organisations more than a fighting chance
PAM has become central to the fight against these emerging threats at a time when almost every successful industrial, manufacturing or infrastructure organisation is expanding its IoT estate.
Organisations need to extend the principles of privileged access management used in IT systems into their IoT environments, creating a unified approach. In simple terms, this means ensuring that only identities holding the appropriate credentials can perform critical functions within the infrastructure. That is what happens when PAM is implemented in IT systems and organisations manage and secure their privileged accounts; these organisations must now extend the same approach to IoT networks.
Automation is a big advantage in credential management
While PAM provides a structured approach to securing privileged accounts in IoT ecosystems, many devices offer no practical way to rotate credentials by hand, which creates specific challenges. Automation is therefore critical, ensuring that credentials are rotated on schedule and promptly revoked when no longer needed.
A key security priority is automated identity authentication for every device. Platforms now allow IoT device certificates to be securely generated, signed, and managed using policy-driven automation. A PAM solution should continuously authenticate devices and onboard new accounts as devices are added.
If organisations integrate PAM across IT and OT environments alike, they streamline device and credential management while significantly enhancing oversight and control. Combined with identity threat detection and behavioural analytics, this approach is more likely to pick up activity by malicious insiders who already hold credentials and privileges. They are a serious threat, and often difficult to detect because attention is legitimately focused on ransomware and nation-state threats.
A unified security framework incorporating behavioural analytics can help detect and mitigate unauthorised activity from insiders or contractors with a grudge, or who are operating in collusion with criminals.
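To make the behavioural analytics described above concrete, the following is an added example (not code from the article or from any PAM product) that learns a per-account baseline from earlier privileged sessions and scores later ones against it. The log format, the account and device names, the engineering subnet, the working-hours window and the action risk tier are all assumptions for the illustration, and the log lines are constructed rather than real captures.

```python
"""Flag anomalous privileged sessions against a per-account baseline."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of a PAM session log (not a real capture):
# timestamp account source-ip target-device action
SESSION_LOG = """\
2024-03-04T09:12:00 ot-admin 10.20.1.15 plc-line3 read-config
2024-03-04T10:40:00 ot-admin 10.20.1.15 plc-line3 write-config
2024-03-05T08:55:00 ot-admin 10.20.1.22 hmi-line3 read-config
2024-03-06T11:05:00 ot-admin 10.20.1.15 plc-line3 read-config
2024-03-07T14:30:00 ot-admin 10.20.1.22 plc-line3 read-config
2024-03-08T02:17:00 ot-admin 10.20.1.15 plc-line3 firmware-upload
2024-03-08T09:03:00 ot-admin 203.0.113.7 plc-line3 read-config
"""

ENGINEERING_NET = ip_network("10.20.0.0/16")  # assumed engineering subnet
WORKING_HOURS = range(6, 20)                   # assumed baseline: 06:00-19:59
HIGH_RISK_ACTIONS = {"firmware-upload"}        # assumed risk tier


def parse_log(text):
    """Parse the space-separated log into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, target, action = line.split()
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "src": ip_address(src), "target": target, "action": action})
    return events


def build_baseline(events):
    """Per account: the source addresses and target devices seen so far."""
    base = defaultdict(lambda: {"srcs": set(), "targets": set()})
    for e in events:
        base[e["account"]]["srcs"].add(e["src"])
        base[e["account"]]["targets"].add(e["target"])
    return base


def detect_anomalies(log_text, baseline_until_iso):
    """Learn from sessions before the cutoff, score the rest.

    Returns (timestamp, account, reasons) for every later session that
    deviates from the account's baseline or from static policy.
    """
    cutoff = datetime.fromisoformat(baseline_until_iso)
    events = parse_log(log_text)
    baseline = build_baseline(e for e in events if e["time"] < cutoff)
    findings = []
    for e in events:
        if e["time"] < cutoff:
            continue
        reasons = []
        known = baseline.get(e["account"])
        if known is None:
            reasons.append("account has no baseline")
        else:
            if e["src"] not in known["srcs"]:
                reasons.append("new source address")
            if e["target"] not in known["targets"]:
                reasons.append("new target device")
        if e["src"] not in ENGINEERING_NET:
            reasons.append("source outside engineering network")
        if e["time"].hour not in WORKING_HOURS:
            reasons.append("outside working hours")
        if e["action"] in HIGH_RISK_ACTIONS:
            reasons.append("high-risk action")
        if reasons:
            findings.append((e["time"].isoformat(), e["account"], reasons))
    return findings


if __name__ == "__main__":
    for when, who, why in detect_anomalies(SESSION_LOG, "2024-03-08"):
        print(when, who, ", ".join(why))
```

Run stand-alone, the script flags the 02:17 firmware upload and the session from an address outside the engineering network; the four baseline sessions and their usual patterns are left alone. In production the baseline would be learned from the PAM platform's session store over weeks rather than days, and findings would feed the SOC's alerting pipeline rather than stdout.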
PAM and best practice
PAM implementation in IoT should align with best-practice protocols, starting with a comprehensive audit of all privileged accounts and access credentials. The number of privileged accounts often exceeds the number of employees by a factor of three or four, adding significant complexity to security management.
Automating password generation and rotation is vital, ensuring organisations strengthen security without overburdening IT teams. Passwords must be updated frequently and stored securely. Firmware updates and patches should be accepted only from sources that the organisation’s PAM controls have approved.
Organisations must also gain complete visibility into all devices to prevent shadow IoT. Performing an accurate inventory is often the most urgent step in extending PAM to OT networks. Real-time tracking and auditing of user activity are also crucial for rapid incident response and forensic investigations. Without them, organisations leave themselves open to serious damage if individuals, partners or suppliers with access privileges operate in the shadows, free of real-time oversight.
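The three steps above (audit the privileged accounts, automate credential rotation, and reconcile the network against the inventory to catch shadow IoT) are shown together in the following added example, which is not code from the article or from any PAM product. The discovery scan result, the inventory, the vault contents, the device names and the 30-day rotation policy are all constructed assumptions; a real deployment would pull these from the PAM platform's API rather than from dictionaries.

```python
"""Reconcile discovered devices against the inventory, then plan and apply
credential rotation and revocation for managed devices."""
import secrets
from datetime import datetime, timedelta

ROTATION_MAX_AGE = timedelta(days=30)  # assumed policy: rotate at least monthly

# Constructed output of a passive network discovery: MAC -> last-seen IP.
DISCOVERED = {
    "00:1a:2b:00:00:01": "10.20.5.11",
    "00:1a:2b:00:00:02": "10.20.5.12",
    "00:1a:2b:00:00:03": "10.20.5.13",
    "f8:22:11:00:00:09": "10.20.5.77",  # no inventory record: shadow device
}

# Constructed managed inventory: MAC -> device record.
INVENTORY = {
    "00:1a:2b:00:00:01": {"name": "plc-line1", "status": "active"},
    "00:1a:2b:00:00:02": {"name": "plc-line2", "status": "active"},
    "00:1a:2b:00:00:03": {"name": "hmi-line1", "status": "active"},
    "00:1a:2b:00:00:04": {"name": "old-gateway", "status": "decommissioned"},
}

# Constructed credential vault: device name -> {secret, rotated_at}.
VAULT = {
    "plc-line1": {"secret": "S3cretA", "rotated_at": datetime(2024, 1, 10)},
    "plc-line2": {"secret": "S3cretB", "rotated_at": datetime(2024, 2, 20)},
    "hmi-line1": {"secret": "S3cretC", "rotated_at": datetime(2024, 2, 28)},
    "old-gateway": {"secret": "S3cretD", "rotated_at": datetime(2023, 11, 1)},
}


def find_shadow_devices(discovered, inventory):
    """MACs seen on the network with no active inventory record."""
    return sorted(mac for mac in discovered
                  if mac not in inventory or inventory[mac]["status"] != "active")


def generate_secret(nbytes=24):
    """Cryptographically random, URL-safe credential (32 chars for 24 bytes)."""
    return secrets.token_urlsafe(nbytes)


def rotation_plan(vault, inventory, now_iso, max_age=ROTATION_MAX_AGE):
    """Sort vault entries into rotate (too old), delete (device retired), ok."""
    now = datetime.fromisoformat(now_iso)
    active = {rec["name"] for rec in inventory.values() if rec["status"] == "active"}
    plan = {"rotate": [], "delete": [], "ok": []}
    for name, entry in sorted(vault.items()):
        if name not in active:
            plan["delete"].append(name)      # no device should still use it
        elif now - entry["rotated_at"] > max_age:
            plan["rotate"].append(name)
        else:
            plan["ok"].append(name)
    return plan


def apply_plan(vault, plan, now_iso):
    """Execute the plan in place; returns the names that received new secrets."""
    now = datetime.fromisoformat(now_iso)
    for name in plan["rotate"]:
        vault[name] = {"secret": generate_secret(), "rotated_at": now}
    for name in plan["delete"]:
        del vault[name]
    return list(plan["rotate"])


if __name__ == "__main__":
    print("shadow devices:", find_shadow_devices(DISCOVERED, INVENTORY))
    plan = rotation_plan(VAULT, INVENTORY, "2024-03-04")
    print("plan:", plan)
    print("rotated:", apply_plan(VAULT, plan, "2024-03-04"))
```

The point of separating `rotation_plan` from `apply_plan` is that the plan can be reviewed or logged before any device is touched, which matters in OT where a rotation pushed to a controller at the wrong moment can interrupt a process. Pushing the new secret to the device itself is vendor-specific and is deliberately left out.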
Such monitoring and detailed logging of sessions have real compliance benefits in relation to regulations and frameworks such as GDPR, HIPAA and the NIST cybersecurity standards. Automated compliance management simplifies adherence to evolving standards, helping organisations avoid penalties in highly regulated industries like healthcare.
In the event of a breach, regulators want evidence of what happened and how the organisation defended itself and its supply chain partners. Providing the necessary information is faster if a solution has already logged activity.
Consistency in enforcement is another important step. The principle of least privilege must be rigorously applied, with organisations implementing role-based access control (RBAC) to assign permissions based on specific job functions. Temporary access should only be granted when necessary and revoked as soon as individuals complete their tasks.
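The least-privilege model just described (roles mapped to specific functions, temporary access that expires on its own, and every decision recorded for audit) is shown in the following added example, which is not code from the article or from any PAM product. The role names, the permission tuples, the device classes and the change-ticket reference are assumptions chosen for the illustration.

```python
"""Role-based access with time-boxed grants for OT privileged operations."""
from datetime import datetime, timedelta

# Assumed roles: (device class, action) pairs each role may perform.
ROLES = {
    "operator": {("plc", "read-config"), ("hmi", "read-config")},
    "plc-engineer": {("plc", "read-config"), ("plc", "write-config")},
    "firmware-admin": {("plc", "firmware-upload")},
}

# Assumed inventory: device name -> device class.
DEVICE_CLASS = {"plc-line3": "plc", "hmi-line3": "hmi"}


class AccessPolicy:
    def __init__(self):
        self.standing = {}    # user -> set of roles held permanently
        self.temporary = []   # (user, role, expires_at, reason)
        self.audit = []       # append-only record of grants and decisions

    def assign_role(self, user, role):
        self.standing.setdefault(user, set()).add(role)

    def grant_temporary(self, user, role, now_iso, ttl_minutes, reason):
        """Just-in-time elevation tied to a reason (e.g. a change ticket)."""
        expires = datetime.fromisoformat(now_iso) + timedelta(minutes=ttl_minutes)
        self.temporary.append((user, role, expires, reason))
        self.audit.append(("grant", user, role, expires.isoformat(), reason))
        return expires.isoformat()

    def revoke_temporary(self, user, role):
        """Early revocation once the task is done; returns grants removed."""
        before = len(self.temporary)
        self.temporary = [g for g in self.temporary
                          if not (g[0] == user and g[1] == role)]
        self.audit.append(("revoke", user, role))
        return before - len(self.temporary)

    def roles_for(self, user, now):
        roles = set(self.standing.get(user, ()))
        # Expired grants simply stop matching: no clean-up job is needed.
        roles.update(r for u, r, exp, _ in self.temporary if u == user and now < exp)
        return roles

    def is_authorised(self, user, action, device, now_iso):
        """Deny by default: unknown device, unknown role or expired grant."""
        now = datetime.fromisoformat(now_iso)
        cls = DEVICE_CLASS.get(device)
        allowed = cls is not None and any(
            (cls, action) in ROLES.get(r, ()) for r in self.roles_for(user, now))
        self.audit.append(("decision", user, action, device, now_iso, allowed))
        return allowed


def demo():
    """Operator needs a one-hour firmware window under an assumed ticket CHG-1234."""
    p = AccessPolicy()
    p.assign_role("alice", "operator")
    t0, t1, t2 = "2024-03-08T09:00:00", "2024-03-08T09:30:00", "2024-03-08T10:30:00"
    results = [p.is_authorised("alice", "firmware-upload", "plc-line3", t0)]
    p.grant_temporary("alice", "firmware-admin", t0, 60, "CHG-1234")
    results.append(p.is_authorised("alice", "firmware-upload", "plc-line3", t1))
    results.append(p.is_authorised("alice", "firmware-upload", "plc-line3", t2))
    results.append(p.is_authorised("alice", "write-config", "plc-line3", t1))
    return results


if __name__ == "__main__":
    print(demo())  # denied, allowed, denied after expiry, denied (wrong role)
```

Two design choices carry the security value: access is denied unless a current role explicitly covers the (device class, action) pair, and a temporary grant needs no revocation job to stop working because the check compares the current time against the expiry on every decision.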
Among the most effective best practices when extending PAM is multi-factor authentication (MFA), which adds an extra layer of security by requiring more than one verification step for all privileged accounts. This is part of the widespread adoption of zero trust as a security principle. Biometric authentication and OTP tokens, which can replace traditional passwords, are also likely to become integral to access management. The entire PAM approach will be shaped by advances in AI and machine learning.
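The OTP tokens mentioned above are, in practice, usually time-based one-time passwords (RFC 6238 TOTP). The following added example, which is not code from the article or from any vendor's token implementation, shows the standard algorithm plus the two checks a privileged-login verifier needs: a small clock-skew window and a guard against replaying a code that was already accepted. The secret is the RFC 6238 test-vector secret, not a production key, and the window size is an assumption.

```python
"""RFC 6238 TOTP generation and a verifier with skew window and replay guard."""
import base64
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), base32-encoded
# the way authenticator apps receive it. Not a production secret.
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
STEP = 30      # seconds per code
DIGITS = 8     # RFC test vectors use 8 digits; authenticator apps usually use 6
SKEW = 1       # assumed: accept one step either side to tolerate clock drift


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """TOTP is HOTP with the counter derived from the current time step."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Accepts a code within +/- skew steps, never the same step twice."""

    def __init__(self, secret_b32, step=STEP, digits=DIGITS, skew=SKEW):
        self.secret, self.step, self.digits, self.skew = secret_b32, step, digits, skew
        self.last_counter = -1  # highest counter already accepted (persist this)

    def verify(self, code, unix_time):
        counter = unix_time // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue  # already used or older than a used step: replay
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(TEST_SECRET_B32)
    print(totp(TEST_SECRET_B32, 59), v.verify(totp(TEST_SECRET_B32, 59), 59),
          v.verify(totp(TEST_SECRET_B32, 59), 59))  # RFC vector, accepted, replayed
```

The comparison uses `hmac.compare_digest` so that timing does not leak how many leading digits matched, and `last_counter` must be stored per account on the server side; a verifier that forgets it between requests lets a captured code be reused for the rest of its validity window.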
A unified PAM strategy brings IT and OT under a common zero-trust security umbrella
Right now, however, PAM must play a more central role – minimising the risk of credential theft, reducing unauthorised access, and preventing cybercriminals from creating botnets or infiltrating sensitive IT systems via compromised IoT devices.
A unified PAM strategy, featuring automated credential management and session monitoring, significantly reduces manual security administration, easing the workload for IT and security teams while minimising human errors.
With machine identities now outnumbering human identities by a ratio of 45:1, IoT security must be fully integrated into IT frameworks using zero-trust principles and least-privileged access. A seamless approach combining continuous assurance, threat validation, lifecycle management, policy-driven encryption, and automated monitoring ensures that IoT ecosystems remain secure.
This comprehensive security strategy is essential for safeguarding the rapidly expanding IoT networks that are essential to the future of our critical industries, utilities, and public services.
IoT News is powered by TechForge Media.