Most of our IAS systems have a lot of vendor provided pieces of equipment (aka skids). Those skids usually have their own PLC and HMI. The HMI’s usually have some function to login and they apply security based on the users group or security level. Most of them have common or shared accounts that everybody knows the password for (even the disgruntled guy you just fired).
The other way that shows up a lot is having individual user account & privileges being role based. If you have 15 users and 30 skids, that becomes a management nightmare trying to disable users, remember passwords, etc. You could draw the same corollary to a bunch of Windows PCs’. Security would be much easier to manage from a single location. Our IAS system are always built on top of a Windows ActiveDirectory (AD) Domain. This at least simplifies all of the SCADA security to be managed in one place: the domain controller (DC). Wouldn’t it be nice to use that to manage the skids too?