
Three critical pillars of enterprise security
19 March 2026
Industrial security in a world that has changed
For decades, Privileged Access Management (PAM) solutions have been the standard in corporate security. Servers, critical applications, and complex IT environments have relied on these tools as an effective defense against privilege abuse, credential leakage, and lack of traceability in sensitive access. Companies worldwide trust PAM solutions from major vendors to protect their digital infrastructure.
However, transferring this same model to industrial environments (OT) has proven problematic, if not directly counterproductive. The reason is simple: OT is not IT. The rules that work in a datacenter do not apply in a production plant, a SCADA system, a PLC, or a legacy machine that has been operating unchanged for decades.
In OT, a human error or a poorly executed change can have immediate physical and economic consequences. And this is where traditional PAM shows its limitations.
The root of the problem: IT assumptions that do not exist in OT
Traditional PAM is built on several assumptions that are valid in IT but break down in industrial environments:
- Agent installation on systems. Traditional PAM solutions rely on software installed on each endpoint or server to manage access, control sessions, and audit activity. In OT, many devices do not allow agent installation. Legacy PLCs, embedded systems, or machines with proprietary firmware simply cannot be modified without risking operational disruption.
- Ability to modify configurations and apply patches. Most PAM solutions assume systems can be continuously configured and updated. In OT, any change can halt critical processes, impact safety certifications, or violate operational regulations.
- Availability of maintenance windows. Industrial machines operate 24/7, and stopping a production line to install software or perform integrations is not feasible. Traditional PAM solutions do not account for the need to operate in real time without interruptions.
- Stable and homogeneous networks. IT solutions assume reliable, fast, and controllable networks. OT environments feature heterogeneous topologies, temporary remote access from vendors, external integrators, and legacy systems that do not always behave predictably.
These assumptions invalidate much of the traditional PAM architecture when applied to OT. Attempting to adapt it often results in unnecessary complexity, operational risks, and a false sense of control.
The illusion of credential-based security
One of the pillars of traditional PAM is credential management. The approach is solid in IT: protecting passwords, rotating them periodically, and auditing access reduces the attack surface and ensures compliance.
But in OT, this approach is insufficient. The greatest risk is not “who gets in,” but “what they can do once inside.” An external technician with valid credentials can alter critical parameters, stop production lines, or introduce errors that generate immediate losses.
Traditional PAM records sessions, raises alerts, and allows access revocation, but it does not eliminate direct system exposure. This creates a paradox: even with control, the real risk remains. And in OT, active prevention is far more valuable than reactive traceability.
The trap of session monitoring
Some advanced PAM solutions include session monitoring, activity recording, and real-time alerts. This adds value in IT environments, where errors can be corrected without physical consequences.
In OT, however, monitoring is not enough. Knowing what happened after an incident does not prevent damage. An accidental change in a PLC or an incorrect action in a SCADA system can cause irreversible failures.
Here, traditional PAM fails because control remains reactive and user-centric, rather than proactive and asset-centric. As long as direct system access exists, risk persists.
Direct connection and operational risk
A critical point often overlooked: traditional PAM maintains a direct connection between user and asset. Even with proxies, jump servers, or additional controls, the user still interacts directly with the system.
This opens the door to operational and security risks that do not exist in IT in the same way:
- Lateral movement: a compromised account or session can be used to explore the OT network from the inside.
- Exposure of critical systems: industrial protocols with no authentication or encryption remain reachable from the user's side of the connection.
- Endpoint dependency: if the user's device is compromised, everything it can reach is compromised with it.
In IT, these risks can be managed with network segmentation or endpoint policies. In OT, where operations are continuous and critical systems cannot be modified, these risks are structural.
Paradigm shift: from managing access to eliminating exposure
In OT, the conceptual error of traditional PAM is that it tries to manage access, when what is needed is to eliminate asset exposure.
This is not an incremental improvement; it is a paradigm shift that redefines industrial cybersecurity. Instead of granting direct access and trusting that it will be used safely, a controlled intermediate environment is introduced, in which the user operates without ever touching the system directly.
Shielded Workspace: the industrial solution
The Shielded Workspace is the industrial alternative to PAM that addresses the fundamental limitations of traditional PAM in OT.
In this model, the user interacts with the system through a fully controlled remote environment. Only events are transmitted: keyboard, mouse, video, and audio. There is never direct access to the network or critical systems.
The industrial asset is intrinsically protected: no agents are required, system configuration remains untouched, and the session can be controlled, audited, or interrupted in real time.
This approach delivers critical advantages that traditional PAM cannot provide:
- Full compatibility with legacy systems, without installing additional software or modifying firmware.
- Active risk prevention, eliminating asset exposure and preventing incidents before they occur.
- Protection against lateral movement, as sessions are encapsulated with no direct OT network connection.
- Endpoint-independent security, removing reliance on the integrity of the user’s device.
- Advanced regulatory compliance, enabling traceability, auditing, and control without compromising critical operations.
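The property the model above depends on is topological: the user's network may reach only the shielded workspace, and only the shielded workspace may reach the OT asset. The following is an added illustration, not code from this page or from any product it mentions, of how that property can be expressed as a default-deny flow policy and checked against candidate flows. All addresses, zones and ports are assumptions chosen for the example (Modbus/TCP 502, S7comm 102, EtherNet/IP 44818 on the OT side; 443 and 3389 as the display protocol on the broker side); the nftables rendering is a sketch of the same policy, not a tested production ruleset.

```python
"""
Flow-policy check for a shielded-workspace topology (illustrative).

Three zones are modelled: the user endpoint network, the shielded
workspace (broker) hosts, and the OT asset network. The only paths
allowed for new connections are endpoint -> broker (display protocol)
and broker -> OT asset (industrial protocol). Everything else, in
particular any endpoint -> OT flow, falls through to the default drop.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, FrozenSet, Iterable, List, Optional

# Hypothetical addressing, constructed for this example only.
ENDPOINT_NET = ip_network("10.10.0.0/16")       # user workstations
BROKER_NET = ip_network("10.20.5.0/24")         # shielded workspace hosts
OT_NET = ip_network("192.168.100.0/24")         # PLCs / SCADA servers

DISPLAY_PORTS = frozenset({443, 3389})          # endpoint -> broker session
INDUSTRIAL_PORTS = frozenset({502, 102, 44818})  # Modbus/TCP, S7comm, EtherNet/IP


@dataclass(frozen=True)
class Flow:
    """A new TCP connection attempt, as seen by the forwarding firewall."""
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    ports: FrozenSet[int]
    action: str  # "accept" or "drop"


def policy() -> List[Rule]:
    """Ordered allow-list; first match wins, implicit final drop."""
    return [
        Rule(ENDPOINT_NET, BROKER_NET, DISPLAY_PORTS, "accept"),
        Rule(BROKER_NET, OT_NET, INDUSTRIAL_PORTS, "accept"),
    ]


def evaluate(flow: Flow, rules: Optional[List[Rule]] = None) -> str:
    """Return the action for a new flow under the policy (default drop).

    Return traffic of accepted connections is handled by connection
    tracking in the rendered ruleset, so only connection initiators
    need to be evaluated here.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for rule in rules if rules is not None else policy():
        if src in rule.src and dst in rule.dst and flow.dport in rule.ports:
            return rule.action
    return "drop"


def audit(flows: Iterable[Flow]) -> Dict[Flow, str]:
    """Evaluate a batch of candidate flows, e.g. from a design review."""
    return {flow: evaluate(flow) for flow in flows}


def to_nft(rules: Optional[List[Rule]] = None) -> str:
    """Render the policy as an nftables forward chain with policy drop.

    This is a sketch of the equivalent ruleset, assumed to run on the
    router between the three zones; it is not taken from any product.
    """
    lines = [
        "table inet shielded {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for rule in rules if rules is not None else policy():
        ports = ", ".join(str(p) for p in sorted(rule.ports))
        lines.append(
            f"    ip saddr {rule.src} ip daddr {rule.dst} "
            f"tcp dport {{ {ports} }} {rule.action}"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows: one legitimate hop per direction, plus
    # the two paths the model must forbid (endpoint -> PLC, PLC -> endpoint).
    sample = [
        Flow("10.10.3.7", "10.20.5.10", 443),        # user -> workspace
        Flow("10.20.5.10", "192.168.100.20", 502),   # workspace -> PLC
        Flow("10.10.3.7", "192.168.100.20", 502),    # user -> PLC directly
        Flow("192.168.100.20", "10.10.3.7", 443),    # PLC -> user
    ]
    for flow, action in audit(sample).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {action}")
    print(to_nft())
```

The check is deliberately asset-centric: it does not ask who the user is, only whether a path from the endpoint zone to the OT zone exists at all. A pentest of the deployment should confirm the same thing empirically, by attempting those forbidden flows from a workstation in the endpoint zone.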
Conceptual comparison: traditional PAM vs Shielded Workspace
The contrast is clear. While traditional PAM focuses on credential management and access monitoring, the Shielded Workspace focuses on isolation, active prevention, and session control. This transforms operational risk into a design problem, not a user problem.
In environments where every action can have physical impact, the difference is not theoretical; it is operational and economic.
Examples of prevented risk
Consider a common scenario: an external vendor needs access to a PLC for maintenance. With traditional PAM, the vendor connects from their own device using privileged credentials. Even if the session is monitored and audited, the vendor's device and network path reach the PLC directly, and any human error or misuse lands on the production line before anyone can react.
With a Shielded Workspace, the vendor works inside an isolated environment that sits between them and the PLC. Their device never reaches the OT network; only keyboard, mouse, video, and audio events cross the boundary, every action is auditable, and the session can be constrained or interrupted in real time.
This example shows that controlling direct access is not enough; the key is removing the possibility of the user's device, or the user's network, reaching the asset at all.
Industry needs less exposure, not more PAM
Industry has spent decades adding layers of control: monitoring, auditing, credential rotation, proxies, jump servers. In IT, this works because direct system risk is limited. In OT, each additional layer applied to a flawed model increases complexity, friction, and false security.
The real evolution is not more PAM; it is less exposure. It means designing secure environments where the user session becomes the perimeter, where critical assets cannot be reached directly, and where prevention outweighs auditing.
Conclusion
Traditional PAM, even with the most advanced capabilities from leading vendors, has structural limitations in OT environments. These tools rely on IT assumptions that do not hold in OT: the ability to install agents, modify systems, apply patches, or trust the endpoint.
The alternative is not a heavier PAM or an improved IT-centric model. It is a strategic shift. A Shielded Workspace eliminates direct asset exposure, encapsulates sessions, protects critical systems, and enables real-time operations without risk.
For industrial companies, adopting this approach is not just about security. It is an operational, economic, and strategic decision that ensures continuity, integrity, and resilience against modern threats.
In a world where digital risks directly impact physical production, the future of industrial cybersecurity is not more PAM, but less exposure.
Endurance, defining RSW
To close this analysis, it is important to highlight Cosmikal’s Endurance, which defines the concept of Remote Shielded Workspace (RSW). It is not merely an iteration of the traditional privileged access management paradigm, but a new architectural concept redefining the exposure surface between user and asset. Endurance natively integrates PAM, VDI, IAM, and DLP capabilities into a single solution, where each workspace session is created and isolated within a shielded environment acting as a secure intermediary layer between the endpoint and critical IT/OT assets, eliminating any direct connection to the target system and drastically reducing the attack surface by design.
Technically, this means that Endurance combines a secure connection broker with user-specific remote desktops, an encrypted vault for credential management, identity control mechanisms, Zero Trust policies, and data loss prevention, alongside real-time session monitoring. All of this operates within an environment where only keyboard, mouse, video, and audio events are transmitted, with no transfer of sensitive data outside the enclave, which is intended to prevent lateral movement, exfiltration, or endpoint exploitation even if the source device is compromised.
Additionally, Endurance has been formally recognized within the national security products catalog with LINCE certification from the Spanish National Cryptologic Center, validating its architecture in the privileged access control category and confirming its suitability for protecting critical infrastructures under regulatory frameworks such as NIS2 and the National Security Framework (ENS).
This unified approach, going beyond simply adding layers of control to traditional PAM, represents a true alternative: a solution that redefines the security boundary in complex IT/OT environments, where eliminating direct asset exposure is as critical as identity management and data protection at rest, in transit, and in use.
