Identity and Access Management Strategy for Clean Energy Generator

Developed a comprehensive identity and access management strategy for a Queensland clean energy generator, establishing a unified approach to identity governance across corporate IT and operational technology environments. The engagement delivered an IAM relationship model, persona-based access controls, and a roadmap aligned to AESCSF and IEC 62443 requirements.

The Challenge

Understanding the Problem

A government-owned clean energy generator operating renewable and low-emission generation assets across Queensland faced significant challenges with fragmented identity management. Manual onboarding and offboarding processes created administrative overhead and security risks, while disparate identity repositories made it difficult to maintain consistent access controls across corporate IT and operational technology environments. Global access policies had resulted in excessive permissions, particularly concerning for high-security OT zones controlling generation and distribution assets. Limited multi-factor authentication coverage, especially for administrative and privileged access, elevated risk exposure. The organisation needed a unified IAM strategy that could mature their identity landscape while addressing the distinct requirements of OT environments - where safety, protection, and availability must be balanced against security controls.

Our Approach

How We Helped

We conducted a comprehensive assessment of IAM practices across both ICT and OT environments, mapping existing identity repositories, authentication mechanisms, and access control patterns. The assessment identified gaps against AESCSF, ISM, and IEC 62443 frameworks, with particular focus on identity governance maturity and threat exposure.

We developed an IAM relationship model using enterprise architecture notation to establish clear traceability between user personas, roles, security groups, and system permissions across both IT and OT domains. This model defined how identities flow between corporate Active Directory, Entra ID, and OT-specific directory services while maintaining appropriate segmentation.

The strategy established role-based and attribute-based access control patterns tailored to different user personas - employees, contractors, OT operators, and third-party vendors - with specific consideration for OT environments where offline authentication capabilities and safety-critical access controls are essential. We designed identity lifecycle management processes covering joiner-mover-leaver scenarios, including patterns for mergers and acquisitions that the organisation anticipated as part of its growth strategy.
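As an added illustration, not the client's model or any deliverable from this engagement, the Python sketch below encodes the persona to role to security group to permission traceability described above and evaluates access with RBAC plus ABAC conditions: MFA for privileged OT actions and time-bound access for third-party vendors. Every persona, group and zone name is constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Traceability chain of the relationship model: persona -> roles -> groups -> permissions.
# All names are constructed for illustration; they are not the client's directory objects.
PERSONA_ROLES = {
    "employee": {"corp-user"},
    "contractor": {"corp-user"},
    "ot-operator": {"corp-user", "ot-hmi-operator"},
    "vendor": {"ot-remote-support"},
}
ROLE_GROUPS = {
    "corp-user": {"G-Corp-Users"},
    "ot-hmi-operator": {"G-OT-L2-Operators"},
    "ot-remote-support": {"G-OT-Vendor-Remote"},
    "ot-admin": {"G-OT-L2-Admins"},
}
GROUP_PERMISSIONS = {
    "G-Corp-Users": {("corp", "read")},
    "G-OT-L2-Operators": {("ot-l2", "operate")},
    "G-OT-Vendor-Remote": {("ot-l2", "read")},
    "G-OT-L2-Admins": {("ot-l2", "operate"), ("ot-l2", "admin")},
}

@dataclass
class Identity:
    persona: str
    extra_roles: set = field(default_factory=set)   # mover scenario: roles added beyond the persona default
    mfa: bool = False                                # whether this session satisfied MFA
    access_expires: Optional[str] = None             # ISO date; used for contractor/vendor time-bound access

def effective_permissions(identity: Identity) -> set:
    """Resolve the full chain so every permission is traceable back to a role and persona."""
    roles = PERSONA_ROLES.get(identity.persona, set()) | identity.extra_roles
    groups = set().union(*(ROLE_GROUPS.get(r, set()) for r in roles))
    return set().union(*(GROUP_PERMISSIONS.get(g, set()) for g in groups))

def authorise(identity: Identity, zone: str, action: str, today: str = "2025-01-15"):
    """RBAC decides what is grantable; ABAC conditions then gate the high-security OT zone."""
    if (zone, action) not in effective_permissions(identity):
        return False, "no role grants this permission"
    if identity.access_expires and date.fromisoformat(today) > date.fromisoformat(identity.access_expires):
        return False, "time-bound access has lapsed (leaver/expiry control)"
    if zone.startswith("ot") and action in {"operate", "admin"} and not identity.mfa:
        return False, "MFA required for privileged OT access"
    return True, "allowed"
```

Deny reasons are returned as strings so the same evaluator can feed an audit log or a gap analysis of who holds which OT permission and why.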

Results

Key Outcomes

01. IAM relationship model establishing identity architecture across IT and OT environments
02. Persona and role mapping with RBAC and ABAC patterns for diverse user types
03. Gap analysis against AESCSF, ISM, and IEC 62443 with prioritised remediation roadmap
04. Authentication and authorisation model addressing OT-specific requirements including offline MFA
05. Identity lifecycle management processes for onboarding, role changes, and offboarding
06. Hybrid directory integration design for on-premises AD and Entra ID
07. IAM governance framework with RACI matrix and policy standards
08. Implementation roadmap with quick wins, tactical fixes, and strategic investments

Facing similar challenges?

Get in touch to discuss how we can help your organisation.

We take our confidentiality obligations seriously. The project descriptions on this page have been generalised to protect client identities. We are happy to discuss our experience and approach where appropriate during a confidential conversation.