Home Innovation Identity and Access Management Federal Agencies Urge Stronger...

Federal Agencies Urge Stronger Identity Controls to Protect U.S. Critical Infrastructure

Identity and Access Management

Business Honor
09 May, 2025

Simple cyber intrusions expose urgent need for robust identity and access safeguards.

In response to a growing number of cyber incidents targeting operational technology (OT) systems, U.S. federal agencies are urging infrastructure operators to adopt stronger identity and access management (IAM) measures.

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI, Department of Energy (DOE), and Environmental Protection Agency (EPA), issued a joint advisory on May 8 highlighting how even “unsophisticated” cyber actors have recently exploited weak identity controls to breach industrial systems across energy, water, and transportation sectors.

Many of these systems, often connected to the public internet for remote support, continue to rely on default credentials and lack fundamental access safeguards. Attackers have used these vulnerabilities to make unauthorized configuration changes, disrupt operations, and in some instances, cause physical damage.

“Cybersecurity starts with identity,” said Thomas Richards, infrastructure security practice director at Black Duck. “If critical infrastructure relies on default or shared credentials and lacks proper authentication layers, it’s a matter of when—not if—a compromise will occur.”

The advisory outlines immediate IAM-focused steps to help asset owners reduce cyber risk:

Replace default credentials with strong, unique passwords across all OT and IT systems
Implement phishing-resistant multi-factor authentication (MFA) for remote access
Restrict access by segmenting IT and OT networks
Use VPNs or private IP networks to secure remote connectivity
Establish clear identity governance policies for all users and service accounts

These actions align with cybersecurity best practices and NIST guidelines, reinforcing the role of IAM as a frontline defense against unauthorized access.

“Organizations must take identity management seriously,” Richards added. “Implementing industry-standard IAM frameworks and conducting regular access reviews are critical steps for securing infrastructure.”

The agencies emphasize that protecting access points is foundational to cyber resilience, especially as digital transformation extends deeper into industrial environments.

As attacks grow in frequency and impact, effective identity and access management can significantly reduce risk and ensure operational continuity.