Why OT and IT credential convergence is the energy sector’s defining vulnerability


The February 2021 attack on Oldsmar's water treatment facility in Florida began with a single compromised credential. Within minutes, an attacker had gained remote access and attempted to poison the water supply for 15,000 residents by increasing sodium hydroxide levels to dangerous concentrations. Only quick intervention by an on-site operator prevented catastrophe.

This incident crystallises a fundamental shift in critical infrastructure security. As operational technology (OT) systems converge with IT networks, the traditional air-gap defence has dissolved. What remains is an authentication architecture designed for office environments, now protecting systems that control power grids, refineries, and water supplies.

The convergence problem

Energy sector organisations face an unprecedented authentication challenge. Legacy OT systems, designed for isolation and reliability, now require connectivity for efficiency and monitoring. Meanwhile, IT systems demand flexibility and user convenience. The result is a hybrid environment where industrial control systems share network infrastructure with corporate applications, each governed by incompatible security models.

The complexity multiplies across typical energy infrastructure. A single facility might host distributed control systems managing turbines, SCADA networks monitoring transmission lines, enterprise resource planning systems tracking maintenance, and cloud-based analytics platforms optimising performance. Each system requires authentication, yet none were designed to work together securely.

This convergence creates what security researchers term "credential sprawl" – the proliferation of usernames, passwords, certificates, and tokens across systems. Workers managing both IT and OT systems often reuse credentials or store them in accessible locations to maintain operational efficiency. The result is an expanded attack surface where compromise of any single credential can cascade across both domains.

The scale of exposure

Recent data reveals the magnitude of this vulnerability. The 2023 Verizon Data Breach Investigations Report found that 49% of breaches involved stolen credentials, with critical infrastructure sectors experiencing a 13% increase year-over-year. Within energy specifically, the Industrial Control Systems Cyber Emergency Response Team reported 70 incidents in 2022, with 43% attributed to credential-based attacks.

More alarming is the convergence trend itself. Dragos Inc.'s 2023 Industrial Cybersecurity Year in Review found that 74% of industrial organisations now have some level of IT-OT network convergence, compared to 52% in 2020. Yet only 31% have implemented unified authentication policies across both domains.

The financial implications are substantial. According to IBM's Cost of a Data Breach Report 2023, critical infrastructure breaches cost an average of $5.04 million – 4.5% above the global average. For energy companies specifically, operational disruption costs can exceed security remediation by a factor of ten, as extended outages trigger regulatory penalties and customer compensation requirements.

Perhaps most concerning is the persistence problem. Mandiant's M-Trends 2023 report found that attackers maintain access to critical infrastructure networks for an average of 146 days before detection. During this period, they often establish multiple credential-based footholds, making complete remediation extremely difficult.

Why current solutions fall short

Traditional identity and access management approaches prove inadequate for this converged environment. Single sign-on systems, designed for IT convenience, often cannot integrate with industrial protocols. Privileged access management tools may protect high-value accounts but leave standard OT credentials exposed. Multi-factor authentication, while valuable, can be bypassed through credential stuffing or social engineering.

The fundamental problem lies deeper than tool selection. Most authentication systems assume users should create, know, and control their own credentials. This user-centric model prioritises convenience over security, allowing password reuse, weak credential selection, and insecure storage practices.

Zero Trust architectures, increasingly popular in enterprise IT, face similar limitations in OT environments. While continuous verification improves security posture, these systems still rely on initial credential-based authentication. If those underlying credentials are compromised, Zero Trust verification becomes meaningless.

Rethinking credential control

A structural solution requires abandoning user-controlled credentials entirely. Instead of allowing workers to create and manage authentication tokens, organisations must generate, distribute, and revoke every credential through centralised systems. Users should never see, store, or control the credentials that grant them access.

This approach, exemplified by solutions like MyCena's patented credential control technology, inverts the traditional model. Rather than protecting user-held credentials, it eliminates user credential visibility entirely. Access becomes unphishable because workers cannot inadvertently share what they do not possess.

The technology encrypts and distributes credentials automatically based on role requirements and security policies. When access is needed, the system provides temporary, encrypted tokens that authenticate without user knowledge. Revocation becomes instantaneous since credentials exist only within the managed system.
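The broker model described above can be made concrete with a small simulation. The following is an added example written for this article, not MyCena's code or a description of its product: it assumes a hypothetical broker that holds the real OT and IT system secrets, evaluates role policy centrally, hands the worker only an opaque short-lived lease token, performs the actual login on the broker side, and revokes every outstanding lease for a user in one step. System names, roles, users and secrets are constructed sample data.

```python
"""Toy centralised credential broker (added example, not a real product).

Workers never receive the system credential itself; they receive an opaque
lease token that a broker-side connector redeems to log in on their behalf.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data. Real secrets live only inside the broker and are
# never returned to a caller; the names below are hypothetical.
SYSTEM_SECRETS = {
    "scada-hmi-01": ("ops_hmi", "S3cret-HMI-pass"),
    "erp-maintenance": ("svc_erp", "S3cret-ERP-pass"),
}
ROLE_SYSTEMS = {
    "turbine-operator": {"scada-hmi-01"},
    "maintenance-planner": {"erp-maintenance"},
}
USER_ROLES = {
    "alice": {"turbine-operator", "maintenance-planner"},
    "bob": {"maintenance-planner"},
}

LEASE_TTL = timedelta(minutes=10)  # assumed lease lifetime


@dataclass
class Lease:
    user: str
    system: str
    expires: datetime
    revoked: bool = False


class CredentialBroker:
    def __init__(self):
        self._leases = {}  # opaque token -> Lease

    def request_access(self, user, system, now):
        """Central policy check. Returns an opaque lease token, or None when
        the user's roles do not grant the system. No secret is exposed."""
        allowed = set().union(
            *(ROLE_SYSTEMS.get(r, set()) for r in USER_ROLES.get(user, set()))
        )
        if system not in allowed:
            return None
        token = secrets.token_urlsafe(32)
        self._leases[token] = Lease(user, system, now + LEASE_TTL)
        return token

    def connect(self, token, now):
        """Called by the broker-side connector, not by the worker. Validates
        the lease, then uses the stored credential to open the session.
        Returns a session label; the secret itself is never returned."""
        lease = self._leases.get(token)
        if lease is None or lease.revoked or now >= lease.expires:
            raise PermissionError("lease invalid, expired or revoked")
        username, _password = SYSTEM_SECRETS[lease.system]
        # A real deployment would perform the protocol login here (e.g. via
        # a gateway); this example only records that the login took place.
        return f"session:{lease.system}:{username}"

    def revoke_user(self, user):
        """Instant revocation: every outstanding lease for the user dies now.
        Returns the number of leases revoked."""
        count = 0
        for lease in self._leases.values():
            if lease.user == user and not lease.revoked:
                lease.revoked = True
                count += 1
        return count


def _rejected(broker, token, now):
    """True when the broker refuses the lease."""
    try:
        broker.connect(token, now)
        return False
    except PermissionError:
        return True


def run_scenario():
    """Issue, use, expiry and revocation in sequence; returns observations."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    broker = CredentialBroker()
    token = broker.request_access("alice", "scada-hmi-01", now)
    return {
        "token_issued": token is not None,
        "token_leaks_secret": any(pw in token for _, pw in SYSTEM_SECRETS.values()),
        "session": broker.connect(token, now),
        "bob_denied": broker.request_access("bob", "scada-hmi-01", now) is None,
        "expired_rejected": _rejected(broker, token, now + LEASE_TTL),
        "revoked_count": broker.revoke_user("alice"),
        "revoked_rejected": _rejected(broker, token, now),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The design point is the split the article draws between identity and credential: `request_access` verifies who the worker is and what their roles permit, `connect` is the only place the stored secret is touched, and `revoke_user` works immediately because every lease is a broker-side record rather than something the worker holds. Expiry and revocation are both enforced at redemption time, so a leaked token is useless after either event.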

For energy sector applications, this model addresses both IT and OT requirements. IT systems benefit from seamless authentication without password management overhead. OT systems gain modern authentication capabilities without compromising operational reliability. The unified approach eliminates credential sprawl by centralising all authentication tokens under organisational control.

The strategic imperative

Energy sector leaders face a clear choice. The convergence of IT and OT systems is irreversible, driven by efficiency demands and digital transformation initiatives. Traditional credential management approaches, designed for simpler environments, cannot secure this new reality.

Regulatory pressure intensifies this timeline. The EU's NIS2 Directive, effective October 2024, explicitly requires critical infrastructure operators to implement "state-of-the-art" cybersecurity measures. US pipeline operators face similar requirements under Transportation Security Administration directives following Colonial Pipeline's 2021 ransomware attack.

The solution requires recognising that identity and access are distinct concepts. Workers need verified identity to perform their roles, but they do not need to hold the credentials that grant system access. By separating these functions, organisations can maintain operational efficiency while achieving unprecedented security resilience.

The question is not whether credential-based attacks will target converged IT-OT infrastructure – they already have. The question is whether energy sector organisations will abandon vulnerable authentication models before the next Oldsmar incident succeeds.
