Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.


The Challenges of MFA Adoption in a Legacy OT Environment

Legacy operational technology (OT) environments face rising identity-based threats as remote access expands across control networks and vendor connections. Multi-factor authentication (MFA) strengthens access control and limits the impact of stolen credentials. However, it introduces operational and architectural challenges that differ sharply from information technology (IT) environments.

Strict uptime requirements and tightly coupled workflows make MFA adoption a design exercise rather than a simple security upgrade. These environments often rely on shared accounts and implicit trust models that resist modern identity controls. Without careful design, MFA deployments can disrupt operations or create new failure points.

Identity Exposure Across IT-OT Convergence

Legacy OT environments increasingly rely on shared identities with IT systems, which creates pathways that attackers actively target. Legacy systems can serve as initial entry points and allow intruders to move laterally and place the entire network at risk. Email, remote access tools and administrative accounts often bridge IT and OT workflows.

Once credentials are compromised, attackers can access sensitive operational data and extend control beyond the plant floor. This convergence blurs traditional security boundaries and complicates incident containment. A single exposed account can escalate quickly into a site-wide or enterprise-level breach.

Core Challenges of MFA Adoption in Legacy OT Environments

Despite security benefits, MFA adoption remains difficult to execute. Deeply embedded systems and fragmented ownership models introduce challenges that slow or block implementation.

Compatibility Constraints with Legacy Systems

Many OT assets lack support for modern authentication protocols (such as RADIUS, LDAP, SAML or OpenID Connect), which rules out direct MFA integration. Proprietary operating systems and hard-coded credentials further limit the available deployment paths. In many cases, upgrades or system changes introduce unacceptable downtime risk or conflict with vendor support and warranty agreements.

These constraints often force teams to rely on compensating controls rather than native MFA enforcement. As a result, security improvements progress slowly and remain uneven across the environment.

Performance and Availability Concerns

Authentication latency can disrupt the time-sensitive control processes that depend on predictable response times. Always-on availability requirements leave little tolerance for authentication failures or service interruptions. Centralized MFA services can also introduce new single points of failure, increasing operational risk if dependencies are not carefully designed.

Even brief authentication delays can affect operator response during abnormal conditions. Redundancy and local failover capabilities become critical to maintaining system availability. Without these safeguards, MFA may be viewed as a reliability risk rather than a security improvement.

Operational Complexity and Skill Gaps

OT teams typically prioritize safety and uptime, which makes identity modernization a lower operational priority. That focus, combined with limited security team familiarity with OT protocols and workflows, creates friction during MFA design and rollout.

In practice, MFA adoption remains low unless organizations or service providers mandate its use through policy or contractual controls, since voluntary adoption rarely aligns with production pressures. Effective implementation depends on sustained coordination across IT, OT and vendors, supported by clear governance that turns MFA from an optional safeguard into an operational requirement.

Practical Strategies to Enable MFA in Legacy OT

Overcoming MFA adoption challenges in legacy OT environments requires a shift from one-size-fits-all security controls to operationally informed design. Practical strategies must balance identity protection with the reliability and safety demands of industrial systems.

Start With Careful Access Mapping and Risk Segmentation

MFA planning should begin with identifying high-risk access paths, particularly remote vendor connections and internet-facing entry points. Enforcing MFA at these locations means a stolen password alone no longer grants access, whether the credential was taken from a phished email account or from another IT account that intersects with OT workflows.

Network segmentation can then limit the scope of MFA enforcement and reduce operational impact. Focusing first on human-to-machine access rather than machine-to-machine flows can strengthen identity controls without disrupting automated processes.

Use a Phased Implementation Approach

Phased MFA deployment often begins with monitoring and alert-only modes to establish baselines without disrupting operations. Initial enforcement should focus on jump hosts and remote access gateways, where a stolen password alone is no longer enough for an attacker to reach an account or device.

This early control sharply reduces the value of stolen credentials. Coverage can then expand gradually as reliability improves and performance impacts stabilize across the environment. Each phase should include validation under real operating conditions. Lessons learned from early stages help refine policies before broader rollout.
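The access-mapping and phased-rollout steps above can be rehearsed before anything is enforced. The following is an added example (not code from the original post or from any ISA product): it runs an alert-only baseline over a constructed set of remote-access session records, ranks each distinct access path by source zone and whether it is human-interactive, assigns it a rollout phase (remote and vendor gateways first, internal human access second, machine-to-machine flows deferred to compensating controls), and reports how many sessions each phase would have blocked. The log layout, zone names, protocol list and account-naming convention are assumptions made for the example.

```python
"""Alert-only MFA baseline over remote-access session records.

Added example, not from the original post. Log format, zone names,
risk weights and the svc_/plc_ naming convention are assumptions.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample: one row per session on a jump host or remote gateway.
SAMPLE_LOG = """\
src_zone,account,target,protocol,mfa
vendor_vpn,acme_support,jump01,rdp,no
vendor_vpn,acme_support,jump01,rdp,yes
corp_it,jsmith,jump01,ssh,no
corp_it,svc_historian,hist01,opcua,no
ot_dmz,operator3,hmi02,rdp,no
internet,backup_admin,gw01,ssh,no
control,plc_poll,plc17,modbus,no
"""

# Assumed zone risk weights: higher means enforce MFA earlier.
ZONE_RISK = {"internet": 4, "vendor_vpn": 3, "corp_it": 2, "ot_dmz": 1, "control": 0}
# Protocols that carry interactive human sessions. OPC UA, Modbus and other
# machine-to-machine flows are deferred so automation is not disrupted.
HUMAN_PROTOCOLS = {"rdp", "ssh", "vnc"}


@dataclass(frozen=True)
class AccessPath:
    src_zone: str
    account: str
    target: str
    protocol: str

    @property
    def human_interactive(self) -> bool:
        # Service and PLC polling accounts are machine identities by convention.
        return self.protocol in HUMAN_PROTOCOLS and not self.account.startswith(("svc_", "plc_"))

    @property
    def risk(self) -> int:
        return ZONE_RISK.get(self.src_zone, 2) + (1 if self.human_interactive else 0)

    @property
    def phase(self) -> int:
        """1 = remote/vendor gateways, 2 = internal human access,
        3 = machine-to-machine (compensating controls, not native MFA)."""
        if not self.human_interactive:
            return 3
        return 1 if self.src_zone in ("internet", "vendor_vpn") else 2


def parse_sessions(text: str) -> list[tuple[AccessPath, bool]]:
    rows = csv.DictReader(io.StringIO(text))
    return [(AccessPath(r["src_zone"], r["account"], r["target"], r["protocol"]),
             r["mfa"] == "yes") for r in rows]


def inventory(text: str) -> dict[AccessPath, dict[str, int]]:
    """Collapse sessions into distinct access paths with MFA coverage counts."""
    inv: dict[AccessPath, dict[str, int]] = {}
    for path, mfa in parse_sessions(text):
        stats = inv.setdefault(path, {"sessions": 0, "without_mfa": 0})
        stats["sessions"] += 1
        if not mfa:
            stats["without_mfa"] += 1
    return inv


def rollout_plan(text: str) -> list[tuple[int, int, AccessPath, int]]:
    """(phase, risk, path, sessions_without_mfa), ordered by phase then risk."""
    return sorted(((p.phase, p.risk, p, s["without_mfa"]) for p, s in inventory(text).items()),
                  key=lambda t: (t[0], -t[1], t[2].account))


def would_block(text: str, enforce_through_phase: int) -> int:
    """Alert-only mode: sessions that enforcement up to this phase would have refused."""
    return sum(s["without_mfa"] for p, s in inventory(text).items()
               if p.phase <= enforce_through_phase)


if __name__ == "__main__":
    for phase, risk, path, missing in rollout_plan(SAMPLE_LOG):
        print(f"phase {phase} risk {risk} {path.src_zone:>10} {path.account:<14} "
              f"{path.target:<7} {path.protocol:<6} sessions_without_mfa={missing}")
    for ph in (1, 2, 3):
        print(f"enforcing through phase {ph} would have blocked {would_block(SAMPLE_LOG, ph)} sessions")
```

Running the baseline against real gateway logs for a few weeks before enforcement surfaces the accounts and vendors that will break, and the phase-3 rows show where native MFA is not the right tool and a compensating control is needed instead.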

Select MFA Solutions Built for OT Constraints

Selecting MFA for legacy OT environments requires balancing identity assurance with operational resilience. Solutions that support offline operation and local validation reduce dependence on centralized services and help maintain availability during network disruptions.

When paired with compatibility with legacy protocols and directory bridges, MFA can be introduced without intrusive system changes. Vendor experience in industrial environments further reduces risk by ensuring the solution aligns with OT safety and long-term support expectations.

Aligning Security Goals With OT Reality

MFA success depends on respecting operational priorities and the realities of industrial environments. One cybersecurity challenge chief information security officers face is protecting outdated legacy systems that continue to run critical operations.

Security controls must adapt to OT workflows rather than disrupt them, especially where uptime and safety remain non-negotiable. Cross-discipline collaboration across IT, OT and leadership turns MFA from a perceived blocker into a practical security enabler. Shared risk ownership helps align security objectives with production goals. This alignment builds trust and accelerates adoption.

Making MFA Work in Legacy OT Environments

MFA adoption in legacy OT environments remains challenging but achievable with the right approach. Compatibility limitations and expertise gaps drive most resistance. But careful planning and OT-aware tools allow MFA to strengthen OT security without compromising uptime.

Devin Partida
Devin Partida is the editor-in-chief of ReHack Magazine.

Published by Devin Partida, Feb 16, 2026 1:00:00 PM