Securing OT Access with Identity and Visibility: Kroll, Saviynt and Nozomi Networks

January 27, 2026
This article was authored by Sameer Koranne, Gaurav Sheth and Sorabh Chopra

Industrial organizations face a new era of risk. As operational technology (OT) environments become more connected, the challenge of securing access and maintaining visibility continues to grow. In response, Kroll, Saviynt, Nozomi Networks and CrowdStrike have joined forces to deliver a unified solution that empowers organizations to protect their critical infrastructure without disrupting operations. This article outlines key OT security threats and increasingly complex regulatory pressures and sets out how organizations can enhance their OT security and wider operational resilience in response.

OT Risks on the Rise

The critical role of OT networks in key industries makes them a prime target for threat actors. The scope for exploitable vulnerabilities is broadened still further by the increasingly interconnected nature of OT and IT infrastructure and the growing number of businesses relying on the cloud. Targeting critical infrastructure through OT cyberattacks is also now a key aspect of the global geopolitical landscape.

In its Q4 2024 Cyber Threat Landscape Report, Kroll observed that manufacturing was the second-most attacked industry in 2024. This threat now affects many sectors, with recent research suggesting that more than half of global organizations have been impacted by an OT incident over the past 12 months. Other research identified that 80% of manufacturing companies experienced a significant increase in overall security incidents or breaches in 2024. Yet traditional IT security tools lack the necessary context and capabilities to effectively monitor and control access in OT environments, presenting a further risk to organizations.

The Critical Role of IGA

Identity Governance and Administration (IGA) is a foundational control for securing OT environments. The ISA/IEC 62443 framework recognizes that, without proper identity and access management, other technical controls can be bypassed by attackers with valid credentials. The frequency of related security incidents shows that weak IGA can lead to security threats and related catastrophic events. Despite the challenges of legacy systems and cultural hurdles, the trend in critical infrastructure is toward adopting robust IGA practices—driven by both escalating threats and regulatory pressures. High-profile examples of attacks resulting from a lack of IGA include:

  • The 2015 Ukrainian Power Grid Cyberattack

    In this major security incident, attackers lurked on the IT network and harvested employee VPN credentials. They then used those stolen credentials to remotely access the Supervisory Control and Data Acquisition (SCADA) network and ultimately took control of operator stations to open circuit breakers. This sophisticated attack succeeded by exploiting insufficient identity governance: no multifactor authentication on remote access and failure to quickly detect unauthorized use of valid credentials.
  • The 2000 Maroochy Shire, Australia Attack

    Insider threat and privilege misuse are arguably an extremely important class of risk: insiders know the critical intricacies and how to fly under the radar. In what is often described as “the first OT hack”, an ex-employee attacked the SCADA radio-controlled sewage equipment to release 265,000 gallons of untreated sewage into local parks and rivers, causing serious damage to the local environment. Another example of this type of attack was the 2017 Triton attack, which is suspected to have involved an insider, on a petrochemical plant’s safety system.

Another common form of attack linked to a lack of IGA is lateral movement from trusted networks in highly converged cloud/IT/OT infrastructure. In these instances, attackers can pivot from trusted networks to the OT network and gain control of critical assets. Advanced threat groups can create new accounts or change device passwords, impacting the view and control of operations. The threat is significant because OT systems rely on specialized legacy devices such as SCADA systems, industrial control systems (ICS) and Industrial Internet of Things (IIoT) equipment. These must run continuously, making standard IT security tools ineffective.

Added to this, because many of these older systems lack multiuser capabilities, their limited access controls are difficult to manage without IGA. A lack of clear visibility into who is accessing what means that organizations face greater risk of unauthorized access and system disruptions. All security events outlined above—and many others—emphasize how IGA (combining credential management policies, unique accounts, audit trails, least privilege, monitoring of accounts and multifactor authentication) is critical to ensuring safe and reliable OT operations.

Regulatory Drivers Accelerating the Need for OT Security

Governments and industry bodies are enforcing stricter mandates to protect critical infrastructure, energy grids and manufacturing systems from cyberattacks. Key regulations and standards include:

  • ISA/IEC 62443 (International): Standards for cybersecurity in industrial automation and control systems. They define FR1 (identification and authentication control) and FR2 (use control) as essential security functions.
  • NIST SP 800-82 (USA): Guidance for securing OT systems, including ICS, building automation and more.
  • NERC CIP (North America): Critical Infrastructure Protection (CIP) standards for electric utilities. Mismanaged identities and accounts present a significant risk to the reliability of the grid. NERC CIP places explicit access and account governance obligations (via CIP-004, CIP-003 and CIP-011) which align directly with identity governance disciplines.
  • NIS2 Directive (EU): Expands cybersecurity obligations for operators of essential services and critical infrastructure. It is directly relevant to IGA because it requires organizations to demonstrate who can access sensitive systems, control access and manage user lifecycles.

These frameworks require organizations to adopt robust identity governance, risk management and monitoring for OT environments—making compliance and security inseparable. By setting out the need for strong IGA practices, these types of standards ensure that every account is identifiable and authenticated, role-based access control and least privilege are enforced, credentials are managed securely, and all aspects are fully audited and monitored.

The Solution: Unified OT Risk Mitigation and Governance Insight 5-Step Approach

With the threat landscape evolving fast, organizations must ensure that their OT security strategy keeps pace. Without proper identity and access management, other technical controls can be bypassed by attackers with valid credentials. Despite the challenges of legacy systems and internal obstacles, the trend in critical infrastructure is moving toward adopting robust IGA practices—driven by both escalating threats and regulatory pressure. To help businesses stay ahead, Kroll, Saviynt, Nozomi Networks and CrowdStrike have developed a combined solution to advance OT security and ensure readiness to respond to the security risks of today and tomorrow.

By combining data from Saviynt’s IGA platform and Nozomi Networks’ operational security with Kroll’s deep OT security expertise, organizations gain real-time visibility into OT access and activity. This merges identity intelligence with advanced threat detection, enabling teams to quickly spot risks and take action, strengthening governance and reducing operational threats. The solution achieves this through an integrated 5-step approach, as outlined below:

  • Establish Unified Visibility Across OT Environments

    Integrate Saviynt’s IGA platform and Nozomi Networks’ operational security with CrowdStrike’s Falcon for xIoT and Next-Gen SIEM, and Kroll’s OT expertise, to create a centralized inventory of users and devices—laying the foundation for identity-aware OT security.

  • Detect and Prioritize Risk Through Contextual Intelligence

    Enable real-time monitoring of user activity and device behavior. Alerts are enriched with identity context (e.g., role, department, location) and correlated centrally with threat intelligence to improve threat detection and risk prioritization.
  • Synchronize Alerts and Accelerate Response

    Leverage synchronized alerting across platforms with automation and workflows to ensure rapid detection and response to OT security events—minimizing dwell time and potential damage.

  • Drive Governance with Actionable Risk Reporting

    Generate comprehensive reports that combine identity and OT activity data. Empower security teams to assess, accept or remediate risks with automated workflows and ITSM integration.

  • Ensure Resilience and Regulatory Readiness

    Protect against insider and third-party threats, support structured recovery during disruptions and meet evolving regulatory requirements with automated controls and compliance reporting.
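Step 2 above describes enriching OT alerts with identity context and prioritizing them, and the IGA section stresses knowing who is accessing what. The following is an added illustration, not code from Kroll, Saviynt, Nozomi Networks or CrowdStrike: it joins constructed OT access events with constructed IGA records and scores the identity-related conditions the article highlights (use of an account that is disabled or not governed, remote access without MFA, and control actions outside an assigned role). The field names, role policy and weights are assumptions.

```python
# Constructed identity records, in the shape an IGA platform might export.
IDENTITIES = {
    "jdoe":    {"role": "ot_operator",   "dept": "Operations",  "mfa": True,  "status": "active"},
    "vendor7": {"role": "vendor_remote", "dept": "Third Party", "mfa": False, "status": "active"},
    "rsmith":  {"role": "it_helpdesk",   "dept": "IT",          "mfa": True,  "status": "disabled"},
}
UNKNOWN = {"role": "unknown", "dept": "unknown", "mfa": False, "status": "unknown"}

# Assumed policy: only these roles may write control commands to OT devices.
CONTROL_ROLES = {"ot_operator", "ot_engineer"}

# Assumed weights for the identity-related conditions the article calls out.
WEIGHTS = {
    "inactive_or_unknown_account": 40,  # access by an account IGA does not govern
    "remote_access_without_mfa": 30,    # the stolen-VPN-credential pattern
    "control_write_outside_role": 40,   # least privilege / use control (IEC 62443 FR2)
}

def enrich(event):
    """Attach identity context to a raw OT access event; unknown users get UNKNOWN."""
    identity = IDENTITIES.get(event["user"], UNKNOWN)
    return {**event, **{f"identity_{k}": v for k, v in identity.items()}}

def score(e):
    """Return (risk score, reasons) for an enriched event."""
    reasons = []
    if e["identity_status"] != "active":
        reasons.append("inactive_or_unknown_account")
    if e["remote"] and not e["identity_mfa"]:
        reasons.append("remote_access_without_mfa")
    if e["action"] == "control_write" and e["identity_role"] not in CONTROL_ROLES:
        reasons.append("control_write_outside_role")
    return sum(WEIGHTS[r] for r in reasons), reasons

def prioritize(events):
    """Enrich, score and sort events so the riskiest access surfaces first."""
    scored = []
    for e in map(enrich, events):
        risk, reasons = score(e)
        scored.append({**e, "risk": risk, "reasons": reasons})
    return sorted(scored, key=lambda x: x["risk"], reverse=True)  # stable sort keeps ties in order

# Constructed sample events, in the shape an OT monitoring platform might emit.
EVENTS = [
    {"ts": "2026-01-27T02:14Z", "user": "vendor7", "asset": "PLC-12",  "action": "control_write", "remote": True},
    {"ts": "2026-01-27T08:05Z", "user": "jdoe",    "asset": "PLC-12",  "action": "control_write", "remote": False},
    {"ts": "2026-01-27T09:30Z", "user": "rsmith",  "asset": "HIST-01", "action": "read",          "remote": True},
    {"ts": "2026-01-27T10:00Z", "user": "ghost",   "asset": "RTU-4",   "action": "read",          "remote": False},
]
```

Running `prioritize(EVENTS)` ranks the third-party remote control write first, followed by the disabled and unknown accounts, with the operator's in-role write scoring zero.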

With downtime a key concern for organizations, this combined solution removes the risk of disruption to critical systems by:

  • Protecting against insider and third-party risks
  • Enabling detection and containment during disruptive events
  • Supporting and improving structured recovery of access for privileged accounts and third-party vendors

Enhance Your Operational Resilience with Kroll

Kroll secures industrial systems with minimal disruption, leveraging decades of cyber risk and incident response experience to deliver deep OT expertise. Our holistic, risk-driven approach ensures that solutions go beyond technology, focusing on operational resilience and real-world threat intelligence. We have a proven track record in applying industry frameworks such as IEC 62443 and NIST SP 800-82.

Organizations can rely on our proven track record in Identity and Access Management (IAM) which enables the seamless modernization of access controls. With thousands of incident responses worldwide, Kroll brings unmatched insight to OT-IAM convergence, not only improving security but also delivering tangible financial benefits such as cost savings and a better return on investment. This includes support with Purdue Model adoption for OT-IT segmentation.

With Zero Trust a growing priority for many organizations, Kroll is uniquely positioned to help you define, validate and scale a Zero Trust strategy for your OT environment. Let’s build operational resilience together—where identity meets visibility, and security drives innovation.

Ready to Advance your OT Security?

Reach out to our global leaders below or reach us at [email protected]
