User Management in OT: MFA, Jump Hosts, and Least Privilege

Most industrial networks still share generic accounts like “Engineer” or “Vendor”. IEC 62443 calls for strict user management to minimize risk through authentication, authorization, and auditing. Here’s how to implement MFA and jump hosts in a way that works for factories.

The 62443 Requirements

  • Each user must have a unique ID and credential.
  • Access should follow the principle of least privilege.
  • All authentication attempts must be logged and reviewable.
  • Temporary access for vendors must expire automatically.

Implementing MFA in OT

Multi-factor authentication (MFA) can be deployed at the gateway level — not necessarily inside every PLC. For remote access and engineering workstations, combine a username and password with a hardware token or a one-time code.

Jump Hosts and Session Control

  • Centralize all remote logins through a jump server.
  • Record all keystrokes and screen activity for audit.
  • Disallow direct connections to PLCs or HMIs.
  • Integrate with directory services (Active Directory or LDAP).

Least Privilege in Practice

Define access roles: Operator, Engineer, Maintenance, Vendor. Each role should have only the permissions needed to perform its function — and nothing more.
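The 62443 requirements and the role model above can be checked against an account inventory. The following is an added example, not code from the article: the record schema, permission names, and sample accounts are assumptions made for illustration, and only the four role names come from the text.

```python
from datetime import datetime, timezone

# Role names are the article's; the permission sets are assumed for illustration.
ROLE_PERMISSIONS = {
    "Operator": {"hmi_view", "hmi_operate"},
    "Engineer": {"hmi_view", "plc_program", "plc_download"},
    "Maintenance": {"hmi_view", "diagnostics"},
    "Vendor": {"diagnostics"},
}
GENERIC_NAMES = {"engineer", "vendor", "operator", "maintenance", "admin"}

def audit_account(acct, now):
    """Return the findings for one account record (hypothetical schema)."""
    findings = []
    # Unique ID per user: flag generic names and accounts used by several people.
    if acct["username"].lower() in GENERIC_NAMES or len(acct["used_by"]) > 1:
        findings.append("shared-or-generic-account")
    # Least privilege: anything beyond the role's permission set is excess.
    allowed = ROLE_PERMISSIONS.get(acct["role"])
    if allowed is None:
        findings.append("unknown-role")
    elif extra := set(acct["permissions"]) - allowed:
        findings.append("excess-permissions:" + ",".join(sorted(extra)))
    if acct["remote_access"] and not acct["mfa_enrolled"]:
        findings.append("remote-access-without-mfa")
    # Vendor access must expire: an enabled vendor account needs a future expiry.
    if acct["role"] == "Vendor" and acct["enabled"]:
        expires = acct.get("expires")
        if expires is None:
            findings.append("vendor-no-expiry")
        elif expires <= now:
            findings.append("vendor-expired-still-enabled")
    return findings

def audit(accounts, now):
    """Map username -> findings, listing only accounts that have findings."""
    return {a["username"]: f for a in accounts if (f := audit_account(a, now))}

# Constructed sample inventory (not real accounts).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    {"username": "Engineer", "role": "Engineer", "used_by": ["a.silva", "j.kim"], "enabled": True,
     "permissions": ["plc_program"], "remote_access": True, "mfa_enrolled": False},
    {"username": "m.rossi", "role": "Operator", "used_by": ["m.rossi"], "enabled": True,
     "permissions": ["hmi_view", "plc_download"], "remote_access": False, "mfa_enrolled": False},
    {"username": "acme.tech1", "role": "Vendor", "used_by": ["acme.tech1"], "enabled": True,
     "permissions": ["diagnostics"], "remote_access": True, "mfa_enrolled": True,
     "expires": datetime(2025, 1, 10, tzinfo=timezone.utc)},
    {"username": "l.chen", "role": "Engineer", "used_by": ["l.chen"], "enabled": True,
     "permissions": ["plc_program"], "remote_access": True, "mfa_enrolled": True},
]
if __name__ == "__main__":
    print(audit(SAMPLE, NOW))
```

In practice the inventory would be exported from the directory service or jump host rather than typed in by hand.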

Case Example: Pharmaceutical Facility

After deploying jump hosts and MFA, a pharmaceutical site reduced shared account usage by 90%. Security incidents tied to remote access dropped to zero in 12 months.

Conclusion

User management is the human layer of IEC 62443. Unique accounts, MFA, and controlled jump hosts create accountability and traceability — essential for compliance and for real security in connected factories.

© Articles for AutomationInside.com / Automation Inside