The Last Login on the Rig: Professor Kai London on Identity Security in Operational Technology
By the Alaska News Technology Desk
In the energy sector's operational systems, the decisive security failure is rarely dramatic. “It is an identity — a human account, a shared login, a service credential, increasingly an AI agent — that authenticated when it should have been challenged, and could then reach far more than it should,” says Professor Kai London, a senior CISO. In control environments, he warns, identity has been an afterthought for too long.
“Every breach begins with a login that should have been stopped. In OT, those logins reach machinery — which makes getting identity right a matter of safety, not just security.”
The shared-credential problem
Industrial environments are notorious for shared accounts, default passwords and credentials that never change because changing them risks disrupting a process. “A shared operator login that a dozen people know and that has not changed in years is an open door,” London says. “It also destroys accountability — when something goes wrong, you cannot even say who did it.”
Verify, limit, detect, prove
London applies the same doctrine he uses across sectors, adapted for OT. Verify: strong authentication for access to control systems, especially remote access. Limit: least privilege, so a compromised identity reaches as little as possible. Detect: monitor for anomalous behaviour after login — access to systems never touched, actions at odd hours. Prove: maintain the evidence that access is controlled, which regulators increasingly demand.
Machines and AI agents
The fastest-growing identities in OT are non-human, London notes: the service accounts, automation and now AI agents that connect and control remote assets. “Each is a powerful identity with real reach into physical systems,” he says. “They need the same rigour as privileged human users — authentication, least privilege, monitoring and a way to shut them down.”
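As an added illustration of the limit and detect steps of the doctrine above, applied to the shared, human and non-human identities the article discusses (example code added here, not from the article or Professor London): a small review over a constructed OT access log that flags shared-account use, out-of-scope service or agent access, off-shift human logins and first-time access to an asset. Identity names, asset names, scopes and the shift window are assumed values.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log for a control environment (not real data).
# Fields: timestamp, identity, identity type, asset reached.
ACCESS_LOG = [
    ("2024-03-04T08:05:00", "jsmith",     "human",   "HMI-PUMP-01"),
    ("2024-03-04T09:10:00", "jsmith",     "human",   "HMI-PUMP-01"),
    ("2024-03-05T02:40:00", "jsmith",     "human",   "PLC-SAFETY-07"),  # off-shift, never touched before
    ("2024-03-05T10:00:00", "operator",   "shared",  "HMI-PUMP-02"),    # shared login, no accountability
    ("2024-03-05T10:30:00", "hist-svc",   "service", "HISTORIAN-01"),
    ("2024-03-05T11:00:00", "hist-svc",   "service", "PLC-SAFETY-07"),  # service account beyond its scope
    ("2024-03-05T11:15:00", "ai-agent-1", "agent",   "PLC-SAFETY-07"),  # AI agent beyond its scope
]

# Assumed least-privilege scopes for non-human identities (hypothetical values).
ALLOWED_ASSETS = {
    "hist-svc": {"HISTORIAN-01"},
    "ai-agent-1": {"HISTORIAN-01", "HMI-PUMP-02"},
}
SHIFT_HOURS = range(6, 22)  # assumed normal operating window, 06:00 to 21:59


def review_access(log, allowed=ALLOWED_ASSETS, shift=SHIFT_HOURS):
    """Return a list of (timestamp, identity, reason) findings.

    The per-identity baseline of assets is built from earlier entries in
    the same log, so a human identity's first sighting on a new asset
    (after a baseline exists) is reported as access to a system never
    touched before."""
    seen = defaultdict(set)
    findings = []
    for ts, ident, kind, asset in sorted(log):
        hour = datetime.fromisoformat(ts).hour
        if kind == "shared":
            findings.append((ts, ident, "shared account: no individual accountability"))
        if kind in ("service", "agent") and asset not in allowed.get(ident, set()):
            findings.append((ts, ident, f"non-human identity outside allowed scope: {asset}"))
        if kind == "human" and hour not in shift:
            findings.append((ts, ident, f"login outside shift hours ({hour:02d}:00)"))
        if kind == "human" and seen[ident] and asset not in seen[ident]:
            findings.append((ts, ident, f"first access to {asset}"))
        seen[ident].add(asset)
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCESS_LOG):
        print(*finding)
```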
Getting started without breaking the plant
London counsels a careful path: inventory the identities that can touch control systems, eliminate shared and default credentials where safe to do so, secure and monitor remote access first, and introduce stronger authentication in a way that respects operational constraints. “You harden identity without ever risking the safe operation of the process,” he says. “That balance is the craft of OT security.”
For energy operations where a single unchallenged login can reach machinery, London's message is that identity is the new front line — and controlling it is now inseparable from controlling risk to people and supply.
About Professor Kai London. Professor Kai London is a senior technology, security and transformation executive with 25+ years of board- and C-suite leadership across banking, aviation, defence, government and critical national infrastructure. He is Founder & CEO of Quantum AI Systems Security, an Honorary Professor in Cybersecurity, AI & Quantum Computing and a UCL researcher, holding CISSP, CISM, CCISO, ISO 27001 Lead Auditor, ISO 42001, DORA and NIS2 credentials. He is available for board advisory, NED and interim/fractional CISO/CIO/CTO mandates across the UK and internationally. Learn more at professorkailondon.com.
