Operational Technology (OT) environments — from industrial control systems to critical infrastructure networks — have traditionally prioritized safety and availability. The newly published Secure Connectivity Principles for Operational Technology (OT) guidance, produced by the UK National Cyber Security Centre (NCSC) in partnership with agencies from Australia, Canada, the US, Germany, the Netherlands, and New Zealand, underscores how evolving connectivity demands require a modern security posture: one that does not compromise operational integrity while facing an expanding threat landscape.

At the FIDO Alliance, our mission has always been to champion open, scalable, and trusted identity and authentication standards that are simple to use. Today those same principles, originally forged to eliminate the weak link of shared secrets on the web, are directly applicable to securing OT connectivity and distributed device environments.

Below I’ll outline how FIDO phishing-resistant authentication (passkeys), FIDO Device Onboard (FDO) and emerging work in Bare Metal Onboarding (BMO) support these secure connectivity principles, enabling organizations to achieve strong authentication, trusted connectivity, secure supply chains and secure update of software at scale.

Phishing-Resistant Authentication Is Now Table Stakes for OT

The OT guidance emphasizes strong authentication at network boundaries, remote access points, and management planes. This is exactly the problem FIDO set out to solve with passkeys. Passkeys replace passwords and shared secrets with device-bound cryptographic credentials that are phishing-resistant, replay-resistant, and built on open standards.

For OT operators, engineers, and vendors accessing jump hosts, DMZ gateways, or privileged access workstations, this removes the most common root cause of breaches: stolen credentials. That simple shift from shared secrets to cryptography dramatically reduces risk at OT boundaries.

Practically speaking, this enables organizations to:

  • Enforce phishing-resistant MFA for all remote/vendor access
  • Secure privileged admin workflows
  • Reduce helpdesk overhead from tokens/password resets
  • Strengthen auditability and attribution of actions

This aligns directly with the guidance’s goals of minimizing exposure and hardening connectivity with modern, standardized controls.
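To make "phishing-resistant" and "replay-resistant" concrete, here is an added example in Go. It is not FIDO Alliance code and not a WebAuthn library: it is a reduced model of a passkey signing an assertion and of the checks a jump host or gateway performs as the relying party. The host names (jump.plant.example and the lookalike jump-plant.example) and the trimmed field layout are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Added example, not FIDO Alliance code: a reduced model of a WebAuthn assertion
// and the relying-party checks behind "phishing-resistant" and "replay-resistant".

type clientData struct { // the CollectedClientData fields used here
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct { // what the gateway receives from the browser
	ClientDataJSON []byte
	AuthData       []byte // rpIdHash (32 bytes) || flags (1 byte)
	Signature      []byte // ECDSA over SHA-256(AuthData || SHA-256(ClientDataJSON))
}

type authenticator struct { // a passkey: one private key bound to one RP ID
	priv *ecdsa.PrivateKey
	rpID string
}

// sign answers a get() request. The browser, not the user, fills in origin from
// the page actually visited, so a lookalike site's origin ends up in the signed data.
func (a *authenticator) sign(challenge, origin string) assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x01) // flags: user present
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}
}

type relyingParty struct { // the jump host or gateway verifying the login
	origin, rpID string
	pub          *ecdsa.PublicKey // registered at enrolment
	issued       map[string]bool  // outstanding single-use challenges
}

func (rp *relyingParty) newChallenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	c := fmt.Sprintf("%x", b)
	rp.issued[c] = true
	return c
}

func (rp *relyingParty) verify(as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return errors.New("malformed client data or wrong ceremony type")
	}
	if !rp.issued[cd.Challenge] { // not ours, or already consumed: replay
		return errors.New("unknown or already-used challenge")
	}
	if cd.Origin != rp.origin { // signed while on another site: phishing
		return fmt.Errorf("origin mismatch: %s", cd.Origin)
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(as.AuthData) < 33 || !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("authenticator data is not for this RP")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], as.Signature) {
		return errors.New("bad signature")
	}
	delete(rp.issued, cd.Challenge) // each challenge is accepted exactly once
	return nil
}

// scenarios runs three logins against one gateway and reports which were accepted.
func scenarios() map[string]bool {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	auth := &authenticator{priv: priv, rpID: "jump.plant.example"} // constructed names
	rp := &relyingParty{origin: "https://jump.plant.example", rpID: "jump.plant.example", pub: &priv.PublicKey, issued: map[string]bool{}}
	out := map[string]bool{}
	good := auth.sign(rp.newChallenge(), "https://jump.plant.example")
	out["legitimate"] = rp.verify(good) == nil
	out["replayed"] = rp.verify(good) == nil // the same assertion presented again
	out["phished"] = rp.verify(auth.sign(rp.newChallenge(), "https://jump-plant.example")) == nil
	return out
}

func main() { fmt.Println(scenarios()) }
```

Two things carry the security argument. The origin is written into the signed client data by the browser from the page the user is actually on, so an assertion captured on a lookalike site fails the server's origin check (in a real browser the request would already be refused, because the lookalike domain does not match the credential's RP ID; the server-side check is the backstop). And each challenge is accepted once, so a recorded assertion cannot be submitted a second time. Neither property depends on the user noticing anything.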

Securing Vendor and Remote Access Without Increasing Complexity

OT environments frequently require third-party maintenance and specialized engineering support. Historically, that has meant VPN accounts, shared credentials, or brittle remote access solutions. The guidance recommends organizations move to centralized, controlled connectivity and brokered access patterns. FIDO authentication fits naturally into the recommended control framework:

  • Jump hosts, remote workstations, and similar access points secured with FIDO authentication
  • Privileged access gateways
  • Just-in-time access provisioning
  • Device-verified operator identity

This approach delivers both least privilege and strong non-repudiation — two capabilities that are increasingly important for regulated industries. Most importantly, it does so without adding friction for operators, which is critical in environments where uptime and usability are non-negotiable.

Establishing Trust in Devices with FIDO Device Onboard (FDO)

Users aren’t the only identities that matter in OT. Devices — gateways, sensors, controllers, and edge systems — must also prove they are trusted before joining operational networks. This is where FIDO Device Onboard (FDO) comes in. FDO provides:

  • Zero-touch onboarding
  • Cryptographic device attestation
  • Secure ownership transfer
  • Encrypted provisioning channels
  • “Late binding” to the correct management platform at deployment time

Rather than shipping devices with default passwords or manual configuration steps, FDO allows them to securely authenticate and receive credentials automatically. For OT environments, this:

  • Eliminates weak factory credentials
  • Reduces field provisioning errors
  • Supports standardized onboarding across diverse hardware
  • Strengthens supply-chain assurance

In other words, devices join the network only after cryptographically proving who they are. This satisfies a foundational requirement for segmentation and isolation strategies described in the guidance, delivering value today for industrial IoT, gateways, and modern edge infrastructure.
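To show how secure ownership transfer and late binding fit together, here is an added example in Go. It is a reduced model written for this page, not FDO specification or reference code: the voucher layout, the way entries are chained, and the nonce exchange are simplified, and the GUID and the parties (factory, distributor, plant operator, a rogue claimant) are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Added example, not FDO specification or reference code: a reduced model of an
// ownership voucher, the signed chain a device checks at first boot before it
// accepts whoever contacts it on the network as its owner.

type entry struct {
	PrevHash  [32]byte // hash of the header, or of the previous entry's signature
	NextOwner []byte   // DER public key of the party receiving ownership
	Sig       []byte   // by the current holder, over PrevHash || NextOwner
}

type voucher struct {
	GUID    string
	MfgKey  []byte // DER public key of the manufacturer, the root of the chain
	Entries []entry
}

func der(pub *ecdsa.PublicKey) []byte {
	b, _ := x509.MarshalPKIXPublicKey(pub)
	return b
}

func (v *voucher) headerHash() [32]byte {
	return sha256.Sum256(append([]byte(v.GUID), v.MfgKey...))
}

// transfer: the current holder signs the next owner's key into the chain.
func (v *voucher) transfer(holder *ecdsa.PrivateKey, next *ecdsa.PublicKey) {
	e := entry{PrevHash: v.headerHash(), NextOwner: der(next)}
	if n := len(v.Entries); n > 0 {
		e.PrevHash = sha256.Sum256(v.Entries[n-1].Sig)
	}
	d := sha256.Sum256(append(e.PrevHash[:], e.NextOwner...))
	e.Sig, _ = ecdsa.SignASN1(rand.Reader, holder, d[:])
	v.Entries = append(v.Entries, e)
}

type device struct { // what the factory burned in
	GUID       string
	MfgKeyHash [32]byte // the only key the device trusts as a voucher root
}

// onboard walks the voucher to the final owner's key, then makes the claimant
// prove it holds that key before any credentials are accepted from it.
func (dv *device) onboard(v *voucher, claimant *ecdsa.PrivateKey) error {
	if v.GUID != dv.GUID || sha256.Sum256(v.MfgKey) != dv.MfgKeyHash {
		return errors.New("voucher was not issued for this device")
	}
	holder, prev := v.MfgKey, v.headerHash()
	for i, e := range v.Entries {
		k, err := x509.ParsePKIXPublicKey(holder)
		d := sha256.Sum256(append(e.PrevHash[:], e.NextOwner...))
		if err != nil || e.PrevHash != prev || !ecdsa.VerifyASN1(k.(*ecdsa.PublicKey), d[:], e.Sig) {
			return fmt.Errorf("entry %d: broken chain or not signed by the current holder", i)
		}
		holder, prev = e.NextOwner, sha256.Sum256(e.Sig)
	}
	owner, err := x509.ParsePKIXPublicKey(holder)
	if err != nil {
		return err
	}
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh per attempt, so a recorded proof cannot be replayed
	sig, _ := ecdsa.SignASN1(rand.Reader, claimant, nonce) // the claimant's side of the exchange
	if !ecdsa.VerifyASN1(owner.(*ecdsa.PublicKey), nonce, sig) {
		return errors.New("claimant does not hold the final owner key")
	}
	return nil
}

// scenarios builds a genuine chain factory -> distributor -> plant and two impostors.
func scenarios() map[string]bool {
	gen := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	mfg, dist, plant, rogue := gen(), gen(), gen(), gen()
	dev := device{GUID: "constructed-guid-0001", MfgKeyHash: sha256.Sum256(der(&mfg.PublicKey))}
	v := &voucher{GUID: dev.GUID, MfgKey: der(&mfg.PublicKey)}
	v.transfer(mfg, &dist.PublicKey)
	v.transfer(dist, &plant.PublicKey)
	forged := &voucher{GUID: v.GUID, MfgKey: v.MfgKey, Entries: append([]entry{}, v.Entries...)}
	forged.transfer(rogue, &rogue.PublicKey) // appended without the plant's signature
	return map[string]bool{
		"legitimate owner":   dev.onboard(v, plant) == nil,
		"copied voucher":     dev.onboard(v, rogue) == nil,
		"forged final entry": dev.onboard(forged, rogue) == nil,
	}
}

func main() { fmt.Println(scenarios()) }
```

The device ships knowing only its GUID and the manufacturer's key hash, and nothing about who will eventually operate it; that is the late binding. Ownership moves by each holder signing the next holder's key into the chain, so a voucher that is merely copied does not help a party that lacks the final private key, and a party that appends itself without the plant's signature breaks the chain at that entry.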

But secure onboarding is only the first step.

Bare Metal Onboarding and Lifecycle Resilience

One of the most important, and often overlooked, requirements in the OT guidance is the need to keep systems securely updated and maintain a known-good state over time. This has historically been difficult in OT. Devices may be deployed in remote locations, managed by non-IT personnel, or running outdated software because rebuilding them is complex and risky.

This is exactly the challenge that FIDO Bare Metal Onboarding (BMO) addresses. Building on FDO’s trusted foundation, BMO extends late binding beyond ownership to the entire software stack:

  • Operating system
  • Applications
  • Configuration
  • Credentials

With BMO, a device can be powered on with no preinstalled OS and securely receive:

  • Authorized OS images
  • Approved software packages
  • Policy-defined configurations
  • Verified updates

All of this is cryptographically validated and delivered through the same attested, encrypted control plane established by FDO.

In doing so, BMO unlocks several capabilities that are particularly powerful for OT operators:

  1. Zero-touch secure deployment: Devices can be installed by non-technical personnel and automatically provision themselves safely.
  2. Secure rebuilds and recovery: If compromise or corruption is suspected, systems can be wiped and reinstalled to a known-good state.
  3. Reliable patching and upgrades: Organizations can keep software current (a key expectation in the UK guidance) without manual intervention.
  4. Standardization across vendors: A consistent, open, interoperable approach replaces fragmented proprietary tooling.

In short, BMO transforms onboarding into lifecycle assurance. Where FDO answers “Can I trust this device?”, BMO answers “Can I trust exactly what is running on it, not just today but after every update?”
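An added example in Go of the check a device performs before writing an image it has been sent. This is not BMO specification code or FIDO Alliance code; the manifest format, the version field, the image names and the image bytes are constructed for the example, and the device is assumed to have already learned its owner's public key through onboarding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Added example, not BMO specification code: a device with no preinstalled OS
// accepts an image only when a manifest signed by its verified owner names that
// exact image, and refuses version rollback so a "rebuild" cannot reinstall a
// release already known to be vulnerable.

type manifest struct {
	Version   uint64 `json:"version"` // must increase with every install
	ImageName string `json:"image"`
	ImageHash string `json:"sha256"` // hex digest of the image bytes
}

type signedManifest struct {
	Body []byte // JSON-encoded manifest
	Sig  []byte // owner's ECDSA signature over SHA-256(Body)
}

func hexHash(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

func signManifest(owner *ecdsa.PrivateKey, m manifest) signedManifest {
	body, _ := json.Marshal(m)
	d := sha256.Sum256(body)
	sig, _ := ecdsa.SignASN1(rand.Reader, owner, d[:])
	return signedManifest{Body: body, Sig: sig}
}

// device is the post-onboarding state: the owner key it trusts and what it last installed.
type device struct {
	owner     *ecdsa.PublicKey
	installed uint64
	running   string
}

// install checks signature, then version, then image hash; the image is written only if all pass.
func (dv *device) install(sm signedManifest, image []byte) error {
	d := sha256.Sum256(sm.Body)
	if !ecdsa.VerifyASN1(dv.owner, d[:], sm.Sig) {
		return errors.New("manifest not signed by the device owner")
	}
	var m manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return err
	}
	if m.Version <= dv.installed {
		return fmt.Errorf("rollback refused: v%d is not newer than installed v%d", m.Version, dv.installed)
	}
	if hexHash(image) != m.ImageHash {
		return errors.New("image bytes do not match the manifest")
	}
	dv.installed, dv.running = m.Version, m.ImageName
	return nil
}

// scenarios exercises a first boot, a tampered download, an upgrade, a rollback and an unauthorized signer.
func scenarios() map[string]bool {
	owner, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dv := &device{owner: &owner.PublicKey}
	img1, img2 := []byte("constructed OS image 1.0"), []byte("constructed OS image 1.1")
	m1 := signManifest(owner, manifest{Version: 1, ImageName: "gw-os-1.0", ImageHash: hexHash(img1)})
	m2 := signManifest(owner, manifest{Version: 2, ImageName: "gw-os-1.1", ImageHash: hexHash(img2)})
	tampered := append([]byte{}, img2...)
	tampered[0] ^= 1 // one flipped bit in transit
	unauth := signManifest(other, manifest{Version: 3, ImageName: "gw-os-9.9", ImageHash: hexHash(img1)})
	out := map[string]bool{}
	out["first boot v1"] = dv.install(m1, img1) == nil
	out["tampered image"] = dv.install(m2, tampered) == nil
	out["upgrade to v2"] = dv.install(m2, img2) == nil
	out["rollback to v1"] = dv.install(m1, img1) == nil
	out["unauthorized signer"] = dv.install(unauth, img1) == nil
	return out
}

func main() { fmt.Println(scenarios()) }
```

The order of the checks matters: the signature is verified first, so an unsigned or foreign manifest never influences state; the version is compared next, so a validly signed but older manifest cannot roll the device back to a release the owner has already moved past; the hash is compared last, so only the bytes the owner actually approved are written. The same routine serves both the first boot and every later rebuild or update, which is what turns onboarding into lifecycle assurance.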

That’s a critical step forward for OT resilience.

[For more information on BMO, check out this webinar]

A Clear Roadmap to Go from Principles to Practice

Organizations aligning with the OT secure connectivity principles can take concrete action today, while preparing for what’s next:

Now

  • Require phishing-resistant FIDO passkeys for all OT remote and privileged access
  • Standardize FIDO authentication at gateways and management interfaces
  • Adopt FDO for zero-touch, secure onboarding of new edge and industrial devices

2026 and beyond

  • Incorporate FIDO Bare Metal Onboarding into procurement requirements
  • Enable secure OS/app provisioning and automated rebuilds
  • Maintain known-good state and rapid recovery across distributed OT estates

Identity as the Foundation of OT Security

The OT threat landscape has changed permanently. Connectivity is no longer optional, and security can’t rely on isolation alone. The future is identity-first: verifiable users, verifiable devices, and verifiable software state. FIDO standards provide open, scalable building blocks for all three, turning the guidance principles into something actionable:

  • Passkeys secure the people.
  • FDO secures the devices.
  • BMO secures the software lifecycle.

FIDO technologies already deliver meaningful protection today. And with Bare Metal Onboarding, they will enable an even more resilient, zero-touch, secure-by-design OT ecosystem in the years ahead.
