As outlined in To Boldly Secure OT Clouds: The Prime Directive this series begins with Identity and Access Management (IAM)—specifically, how established OT security standards define IAM requirements and how those requirements can be practically applied when enabling OT workloads in the cloud.
The upcoming posts will explore IAM in the context of cloud-enabled OT environments, mapping standards-based OT security requirements to real-world Azure implementations. The objective is to bridge the gap between traditional OT security principles and modern cloud identity capabilities, while maintaining strong security, operational resilience, and regulatory compliance.
This post focuses on the IAM requirements and controls that form the foundation of a secure, standards-aligned identity model for OT workloads. Unlike traditional IT environments, OT systems operate under a distinct set of safety, reliability, and security constraints. These constraints must be clearly understood and respected before introducing cloud capabilities, ensuring that identity solutions enhance—not compromise—the integrity and availability of OT operations.
Requirements and Controls
As discussed in To Boldly Secure OT Clouds: The Prime Directive the following industry standards as primary reference points to provide a overview of how these standards influence Identity and Access Management (IAM) design:
Both ISA/IEC 62443 and NIST SP 800-82 share two common themes when it comes to IAM:
- Authentication and authorisation technologies
- Identification and authentication controls
While the structure, terminology, and level of detail differ between the two standards, their underlying intent is closely aligned: to ensure that identities interacting with OT systems are strongly authenticated, appropriately authorised, and governed by clearly defined security controls.
The next section provides a side-by-side comparison of how these themes are addressed across both standards.
Authentication and Authorisation Technologies
ISA/IEC 62443
- Authentication:
- Password Challenge/response
- Physical/token Smart card
- Biometric Location-based
- Password distribution and management technologies
- Device-to-device
- Role-based authorisation tools
NIST SP 800-82
- User, Device and Asset Authentication:
- Physical Token
- Biometric Smart Card
- Multi-Factor Password
- Logical Access Controls:
- Role-Based Access Control
- Attribute-Based Access Control
Identification and Authentication Controls
ISA/IEC 62443
- Human user identification and authentication
- Software process and device identification and authentication
- Account management
- Identifier management
- Authenticator management
- Wireless access management
- Strength of password-based authentication
- PKI Certificates Strength of public key authentication
- Authenticator feedback
- Unsuccessful login attempt
- System use notification
- Access via untrusted network
NIST SP 800-82
- Policy and procedures Account management
- Access enforcement Information flow enforcement
- Separation of duties
- Least privilege
- Unsuccessful logon attempts
- System use notifications
- Concurrent session control
- Device lock
- Session termination
- Permitted actions without identification or authentication
- Remote access
- Wireless access
- Access control for mobile devices
- Use of external systems
- Information sharing
- Publicly accessible content
When reviewing the technologies and controls defined across both standards, it becomes clear that there is a high degree of alignment between them.
In the next article, we will explore how Microsoft Entra ID (formerly Azure Active Directory) can be used to address these requirements, and how its identity, authentication, and authorisation capabilities can be applied to support secure, cloud-enabled OT environments.
Johan’s Tech Bites 
Leave a comment