Dormant Admin Account: Prevent a City Water Crisis
A single dormant account should not have the keys to a city’s infrastructure – and yet, as a recent municipal breach shows, it can. The consequence wasn’t an embarrassing press release alone; it could have been life‑threatening when attackers shifted from conference-room projectors to industrial control systems. That gap between nuisance and catastrophe is where architecture and governance must meet.
Context
A third‑party investigation found attackers moving laterally through a city network via an account belonging to a long‑departed auditor. The account retained broad privileges – domain admin, SCADA operator access and help‑desk rights – and was likely compromised through reused credentials from an external data leak. Basic lifecycle and access hygiene had failed.
Analysis – why this should keep every CTO awake at night
This incident is not primarily an “IT problem” – it is an architectural and organisational failure. Three deep lessons stand out.
1) Identity lifecycle is an architectural surface area. Every account is an interface into your estate. When HR offboards an employee, identity should be deprovisioned automatically and irrevocably. Manual, ticket‑based processes are brittle; automation is not optional if you care about scale or public safety.
2) Privilege and operational technology (OT) must be strictly bounded. The convergence of IT and OT increases efficiency but multiplies risk. Giving domain admin rights that can affect SCADA from general user accounts breaks the most fundamental rule of least privilege. Segmentation, separate AA/AD for OT, and strict change controls are nondiscretionary.
3) Humans will reuse passwords and fall prey to breaches. Assume credentials are leaked. Build controls that don’t rely on perfect human behaviour: enforce MFA, deploy credential exposure monitoring, and require just‑in‑time (JIT) privileged elevation rather than standing privileges.
Strategic trade‑offs and pragmatic choices
Organisations often trade security for convenience: a single admin account shared across teams is “easier,” and legacy systems resist change. But that convenience is technical debt that compounds risk exponentially. For resource‑constrained entities (municipalities, smaller enterprises), “perfect” solutions may be unaffordable; the right approach is prioritised, layered defense:
– Start with low‑cost, high‑impact controls: multi‑factor authentication, removal of local admin from daily accounts, and basic network segmentation between administrative and OT networks.
– Move to identity governance: periodic access attestation (quarterly at minimum), automated deprovisioning tied to HR systems, and discovery of stale/dormant accounts.
– Invest in Privileged Access Management (PAM) and JIT access for accounts that truly need high privilege. Prefer ephemeral credentials and session logging over permanent higher rights.
– Harden monitoring and detection: alert on anomalous account activity, credential use from unexpected geographies or times, and changes to OT control configurations.
– Run tabletop exercises and incident playbooks that include OT scenarios – test not just IT restoration but safe rollback of physical processes (pumps, valves, power systems).
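To make the monitoring item concrete, here is an added example (not code from the original article) that runs the three detection rules it describes over a few constructed log events: privileged use from an unexpected geography, privileged use outside business hours, and an OT configuration change by an identity that is not an approved OT operator. The log format, user names, group sets and the "ZZ" country placeholder are all assumptions.

```python
import json

# Constructed sample events in JSON-lines form. The field names are hypothetical,
# not a real SIEM schema; "ZZ" is a placeholder for a country outside the baseline.
SAMPLE_LOG = """
{"ts": "2024-06-03T10:15:00", "user": "ops-lead", "src_country": "IN", "event": "logon", "target": "scada-hmi-01"}
{"ts": "2024-06-03T02:40:00", "user": "ext.auditor", "src_country": "ZZ", "event": "logon", "target": "dc-01"}
{"ts": "2024-06-03T02:44:00", "user": "ext.auditor", "src_country": "ZZ", "event": "config_change", "target": "plc-pump-3"}
{"ts": "2024-06-03T14:05:00", "user": "helpdesk1", "src_country": "IN", "event": "config_change", "target": "plc-valve-7"}
"""

# Baselines an estate would maintain (constructed here): who holds privilege, which
# identities may change OT configuration, where admins normally connect from, and when.
PRIVILEGED = {"ext.auditor", "ops-lead", "helpdesk1"}
OT_OPERATORS = {"ops-lead"}
EXPECTED_COUNTRIES = {"IN"}
BUSINESS_HOURS = range(8, 20)  # 08:00 to 19:59 local time

def detect(log_text):
    """Return (timestamp, user, reason) alerts for the events that violate a baseline."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        user = ev["user"]
        hour = int(ev["ts"][11:13])  # hour field of an ISO-8601 timestamp
        if user in PRIVILEGED and ev["src_country"] not in EXPECTED_COUNTRIES:
            alerts.append((ev["ts"], user, "privileged use from unexpected geography"))
        if user in PRIVILEGED and hour not in BUSINESS_HOURS:
            alerts.append((ev["ts"], user, "privileged use outside business hours"))
        if ev["event"] == "config_change" and user not in OT_OPERATORS:
            alerts.append((ev["ts"], user, "OT configuration change by non-OT identity"))
    return alerts

if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG):
        print(f"{ts} {user}: {reason}")
```

The ops-lead event raises nothing because it matches every baseline; a dormant account used at night from an unexpected country to touch a PLC trips all three rules at once, which is the kind of stacked signal worth paging on.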
Actionable checklist for CTOs and city CISOs (first 90 days)
– Execute a full audit of privileged accounts and service accounts; disable or rotate all dormant credentials.
– Link HR offboarding to automated deprovisioning. No manual step should be the gatekeeper for account removal.
– Mandate MFA for all administrative and remote access; block legacy protocols that bypass MFA.
– Segment OT from IT with access gateways and restrict SCADA access to a minimal set of managed identities.
– Enable centralized logging and alerting for privileged operations; retain logs to support forensic timelines.
A local note (why this matters for India and similar digital public utilities)
In India’s expanding e‑governance landscape, municipal IT and utility systems are modernising rapidly. That makes them attractive targets. The same principles – automated identity lifecycle, least privilege, OT segmentation – apply equally to urban local bodies and state utilities. Frugal architecture choices that prioritise these controls can prevent small lapses from becoming public emergencies.
Closing thought
Security is not a checklist; it’s an architectural discipline. Treat identities as gateway resources, automate their life cycles, and design systems so that no single forgotten account can take a city’s lifelines offline. The cost of prevention is almost always less than the price of being on the 5 o’clock news.
About the Author
Sanjeev Sarma is the Founder Director of Webx Technologies Private Limited, a leading Technology Consulting firm with over two decades of experience. A seasoned technology strategist and Chief Software Architect, he specializes in Enterprise Software Architecture, Cloud-Native Applications, AI-Driven Platforms, and Mobile-First Solutions. Recognized as a “Technology Hero” by Microsoft for his pioneering work in e-Governance, Sanjeev actively advises state and central technology committees, including the Advisory Board for Software Technology Parks of India (STPI) across multiple Northeast Indian states. He is also the Managing Editor for Mahabahu.com, an international journal. Passionate about fostering innovation, he actively mentors aspiring entrepreneurs and leads transformative digital solutions for enterprises and government sectors from his base in Northeast India.