In many of the writeups on predictions for cybersecurity in 2026, identity management featured quite prominently. This makes sense as growing AI-driven threats include the use of AI to overcome many of the current methods of verifying identity for both humans and non-humans. But where the action and energy needs to focus in 2026 is on the non-human side, otherwise thought of as OT, IoT, and other types of cyber-physical systems. The number of OT systems overwhelm humans in virtually all organizations with OT outnumbering humans by a factor of 10:1 or more, and increasingly are the targets of cybercriminals who are turning their focus to OT exactly because they lack effective identity and overall cybersecurity management. Every IP-connected sensor, printer, UPS, and lighting system on your network is a user that needs to be managed.
Here are some key methods and tactics to be aware of as you improve your OT identity management in 2026. The first two are ones your can deploy immediately and are foundational in OT security – you can’t do without these.
The first and most basic way to improve OT identity management is to ensure you have effective password management. No organization today would allow employees to use the same password for 10 years to log into company systems, yet many OT devices have had the same password since they were installed (and many still use the default password from the manufacturer). At a basic level your organization’s Information Security policy defines how passwords are managed internally; these policies are not just for humans to follow and need to be applied to OT systems. Compliance to these policies typically requires having a minimal password complexity and a schedule for how often the password should be changed. OT security platforms (like the Viakoo Action Platform) provide automation so being compliant to policies can be done with minimal human effort or expense.
The second foundation to managing OT identity is to be using certificates on all OT devices to establish their authenticity and ensure their traffic is encrypted. Without this your fleets of OT devices are essentially “unauthenticated users” roaming through your infrastructure. Unlike humans that can prove their identity and authorizations by usernames, passwords, MFA, or physical key (like YubiKey), OT devices must use certificates to prove their identity. As the OT device communicates across the network with other devices their certificates establish the “handshake” where they verify they are who they are before communicating. Managing certificates across fleets of devices at any scale should be done with an automated OT security platform in order to keep track of when certificates expire and to make sure they are renewed ahead of causing any disruption to their operations.
Having solutions in place as soon as possible is critical to building the “security muscle” that will be needed for emerging attack vectors. Because of more cybercriminals turning to OT devices for their attacks and because of the speed at AI offers in driving these attacks, expect that new methods will emerge that require efficient and fast management of passwords and certificates. As Viakoo highlighted in our 2026 predictions for OT security, the fast-approaching event of quantum computing breaking all current forms of encryption will likely be addressed by new forms of certificates that will have to be applied quickly across large estates of devices. Viakoo’s customers who use our Device Certificate Manager have reported they are planning to reduce the certificate expiration time as an improvement to their security; in theory you may be in a situation where you would want to update certificates daily or even hourly, as an automated certificate management solution allows.
Ready to take the next step? Start by scheduling a meeting with one of Viakoo’s OT security experts. We can show you how to implement a cost-effective and automated solution for password and certificate management, and give you control over the identity management of your OT, IoT, and ICS systems so you can confidently address the growing attacks vectors focused on your infrastructure and ensure you remain compliant.
