Updated: 13 May 2026
A composite case study drawn from Proactive Data Systems deployments in Indian automotive manufacturing. Company details have been anonymised at the client's request.
An automotive Tier-1 supplier running five plants across Pune and Chennai had 38 third-party vendor accounts with standing remote access to its SCADA systems. Nobody on the IT team could say with certainty how many of those accounts were still being used, or by whom. A CERT-In audit was 90 days out. Two OEM customers had written to ask for documented MFA deployment by year-end. The IT head had one hard constraint from plant operations: nothing touches the line. Cisco Duo was fully deployed across vendor access, 1,800 corporate users, and 3,200 plant floor operators in 45 days. This is what that actually looked like.
Before the engagement began, the IT head did something that turned out to matter more than any technology decision: he sat down and tried to produce a list of every active remote access credential in the system.
He couldn't.
"I knew we had vendors. I knew they needed access. What I didn't know was which engagements were still live, which accounts had been sitting unused for a year, and whether the credentials from a SCADA project we finished eighteen months ago had ever been turned off. The honest answer was: probably not, because we had no process for that."
The Proactive team's first week on site was not configuration. It was forensics. Working through the VPN logs, Active Directory, and a spreadsheet the IT head had started and abandoned twice before, they built the first complete picture of the organisation's remote access posture.
Thirty-eight vendor accounts existed in the system. Of those, eleven had no recorded session in the previous six months. Nine had no session log at all; either the logging hadn't been active when the account was created, or the logs had been overwritten. Seven belonged to vendors whose project engagements the IT head was fairly sure had ended, but he had no documentation to confirm it.
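The reconciliation described above, as an added example that is not part of the original case study or any Proactive or Cisco tooling: an inventory of vendor accounts is cross-referenced against VPN session logs and sorted into the same buckets the audit produced (active, no session in six months, no session record at all, engagement documented as ended). It also flags logins for accounts missing from the inventory, a check the case study does not mention but which is worth having. The inventory, the log lines, the date format and the audit date are all constructed for the example.

```python
"""Vendor remote-access inventory audit (added example, constructed data)."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed inventory: account name, vendor, engagement end date if documented.
INVENTORY = """
svc-scadaint-pune,SCADA Integrator,
svc-scadaint-chn,SCADA Integrator,
vnd-presscal,Press Calibration Co,2024-11-30
vnd-mes-support,MES Vendor,
vnd-weld-robot,Welding Robotics Ltd,
vnd-oldproject,Historian Project,2024-09-15
"""

# Constructed VPN session log: date, username, event. Only SESSION_START is counted.
VPN_LOG = """
2025-11-02 svc-scadaint-pune SESSION_START
2026-04-20 svc-scadaint-pune SESSION_START
2026-05-01 vnd-mes-support SESSION_START
2025-08-10 vnd-presscal SESSION_START
2026-03-14 vnd-unknown-acct SESSION_START
"""

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\S+)\s+SESSION_START$")


@dataclass
class Account:
    name: str
    vendor: str
    engagement_end: Optional[date]


def parse_inventory(text: str) -> Dict[str, Account]:
    accounts = {}
    for line in text.strip().splitlines():
        name, vendor, end = [f.strip() for f in line.split(",")]
        accounts[name] = Account(name, vendor, date.fromisoformat(end) if end else None)
    return accounts


def last_session_by_user(text: str) -> Dict[str, date]:
    """Most recent session start per username; non-matching lines are ignored."""
    last: Dict[str, date] = {}
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        when, user = date.fromisoformat(m.group(1)), m.group(2)
        if user not in last or when > last[user]:
            last[user] = when
    return last


def audit(inventory: str, log: str, as_of: date,
          stale_after: timedelta = timedelta(days=182)) -> Dict[str, List[str]]:
    """Sort inventory accounts into the buckets the case study describes.

    An account can be in 'engagement_ended' as well as one of the other three,
    because the engagement record and the session record are independent evidence.
    """
    accounts = parse_inventory(inventory)
    last = last_session_by_user(log)
    report: Dict[str, List[str]] = {
        "active": [], "stale": [], "unlogged": [], "engagement_ended": [], "orphan": []}
    for name, acct in accounts.items():
        seen = last.get(name)
        if seen is None:
            report["unlogged"].append(name)          # no session record at all
        elif as_of - seen > stale_after:
            report["stale"].append(name)             # no session in ~six months
        else:
            report["active"].append(name)
        if acct.engagement_end is not None and acct.engagement_end < as_of:
            report["engagement_ended"].append(name)
    # Logins for accounts nobody has in the inventory: added check, not from the page.
    report["orphan"] = sorted(u for u in last if u not in accounts)
    return report


def deactivation_candidates(report: Dict[str, List[str]]) -> List[str]:
    """Anything not provably in use goes to the owner-confirmation list."""
    return sorted(set(report["stale"]) | set(report["unlogged"]) | set(report["engagement_ended"]))


if __name__ == "__main__":
    r = audit(INVENTORY, VPN_LOG, date(2026, 5, 13))
    for bucket, names in r.items():
        print(f"{bucket:17s} {names}")
    print("deactivate?       ", deactivation_candidates(r))
```

The six-month threshold is a policy choice, not a security constant; what matters is that "no record" and "no recent record" are kept apart, because the first means the logging itself cannot be trusted and the second means the account probably can be closed.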
"When we finally put the list in front of the plant operations head, his reaction was not anger. It was something quieter than that. He said: 'So anyone with one of these passwords could be in our SCADA system right now and we wouldn't know.' I said yes. That was the conversation that got us full cooperation from operations for the rest of the project."
Fourteen accounts were deactivated before Duo was configured anywhere.
The decision to start with vendor access rather than the plant floor was not universally popular internally.
The CISO's instinct — and the IT head shared it initially — was to lead with the corporate IT rollout. Eighteen hundred users, familiar technology, straightforward Active Directory integration. Get a win on the board, build momentum, then approach the politically sensitive OT environment from a position of demonstrated success.
Proactive's recommendation was the opposite. Start with vendor access. It was the highest-probability initial access vector, it required no plant floor changes, and it was the specific control that CERT-In auditors and OEM security questionnaires were asking about. The IT head deferred to that judgment, with some reluctance.
"I'll be honest: I thought we were going to spend two weeks doing vendor account admin while the real deployment waited. I was wrong about that."
Cisco Duo was deployed for VPN authentication first. The shared credential pool was decommissioned. Every inbound remote session now required a named individual — not a company, a person — plus a second factor. Vendors were notified that their access was being restructured. They were asked to nominate a named individual to hold the credential for their account.
That last step took eleven days. Not because of technical complexity but because four vendors had never received a named-user access request before. One vendor — a SCADA integrator that had done work at two of the five plants — replied initially that they used a shared team account "for operational efficiency" and asked whether an exception could be made. It could not. The integrator nominated named individuals within 48 hours.
By Day 18, the vendor access picture looked like this: 24 active accounts, each tied to a named individual at the vendor company, each with a 30-day expiry requiring formal renewal, each with session recording active. The Proactive deployment lead printed the session log from the first two weeks and showed it to the IT head.
"He looked at it for a long time. Then he said: 'This is the first time I've ever seen who was actually in our systems.' That's what MFA documentation looks like when it's working."
The corporate IT rollout was, in principle, the simple phase. Active Directory integration, push notification on Duo Mobile, 1,800 users, eight days. In practice, Day 1 of enrolment produced 187 helpdesk tickets.
Most were straightforward: users who hadn't read the enrolment email, users who had installed the app on an old phone they no longer used, users whose IT-issued laptop was at home when the deadline was set. One category was not straightforward: employees who did not have a smartphone, or who had a smartphone but were reluctant to install an authenticator app on a personal device.
"We hadn't modelled that properly. We knew our workforce was mixed, but we assumed smartphone penetration would be high enough that it wouldn't be a material problem. It was more of a problem than we expected."
The Proactive team handled it with hardware TOTP tokens for the subset of corporate users who couldn't or wouldn't use Duo Mobile, the same token model that had already been selected for plant floor operators. Eleven corporate users received hardware tokens. Because tokens had already been procured for the plant floor deployment, the solution was available immediately rather than waiting on a two-week procurement cycle.
By Day 8, daily helpdesk volume had dropped below ten. By Day 12, the corporate IT environment was fully enrolled. The adaptive policies applied to plant historian access (step-up authentication for any device failing a health check, and for any session originating outside the corporate network) put an enforced authentication control on the IT/OT boundary without touching a single OT system.
The plant operations head, watching the corporate rollout from a distance, made one observation that the IT head passed on to the Proactive team: "He said that if this is what it looks like for the office, he wanted to know what it was going to look like on the floor before he agreed to it. That was the meeting that set the ground rules for Phase 3."
The meeting with plant operations happened on Day 19. Three plant managers were in the room, along with the operations head, the IT head, and the Proactive deployment lead.
The operations head's position was direct: "No authentication system goes live on a production line unless we have tested it on a non-production shift first. If an operator gets locked out during a shift, that is a production event. I will not authorise this for a production shift without a pilot."
The Proactive deployment lead agreed immediately. The pilot structure was proposed on the spot: start with the night shift at the smallest Pune plant, 40 operators, the lowest-throughput shift, the most time to troubleshoot. If the night shift ran for two weeks without an incident, the rollout would proceed to the day shift.
The operations head accepted that. The meeting that the IT head had been dreading for three weeks lasted 40 minutes.
The hardware token decision had been made in the first site visit, before any configuration discussion. Proactive's deployment lead had asked to walk the Pune press shop floor before the project kick-off meeting. Operators worked in gloves; that alone answered the smartphone question. The Chennai assembly lines had a FOD (foreign object debris) protocol that prohibited personal mobile devices on the floor entirely. Hardware TOTP tokens, which display a six-digit code every 30 seconds with no connectivity and no app, were the only viable factor for both environments.
Three thousand, two hundred tokens were procured over ten days. Each was individually serialised and assigned to a named operator account before distribution. Each came with a laminated card: three steps, illustrated, in English and the regional language of the plant — Marathi at Pune, Tamil at Chennai. The IT head had pushed back initially on the regional language cards.
"I said, our operators all read English. The Proactive team said: Maybe. But we know they won't need to read the card after the first week, and we want adoption in the first week. That argument won."
The night shift pilot at Pune began on Day 28. The first shift ran cleanly. The second shift produced one issue: the authentication proxy session timeout had been configured at eight hours to match the standard shift length, but the night shift at that plant ran 8.5 hours, including handover. Three operators triggered a re-authentication prompt 30 minutes before the end of their shift, during the busiest part of the handover window.
This was not a security failure. It was a configuration error — the session length had been set to the wrong shift duration. It was identified within the shift, corrected by the next morning, and did not affect any production metrics. The operations head was informed. His response: "That's the kind of thing we needed to find on night shift. Good."
Day shift followed. Then the larger plants. The Chennai facility — 850 operators across three production lines — was the final migration, completed on Day 43. Two days of acceptance testing. Sign-off on Day 45.
Zero production stoppages across the full deployment. One configuration issue, caught and corrected on the pilot shift before it reached scale.
Vendor access: 38 standing accounts, at least 7 of which had no confirmed active engagement, reduced to 24 named, time-limited, session-recorded credentials. Complete audit trail from Day 1.
Corporate IT: 1,800 users enrolled. 11 on hardware tokens. Adaptive policies governing historian and IT/OT boundary access. No user locked out of a system they legitimately needed.
Plant floor: 3,200 operators, five plants, two cities, hardware TOTP tokens. Shared SCADA accounts eliminated. Every HMI session logged to a named individual. Shift-based session model running without incident.
CERT-In audit, 45 days later: zero access control findings. The auditor asked specifically about vendor session recording and operator-level individual accountability. Both were demonstrated from the session logs produced during the audit.
OEM supplier qualification: the Japanese customer received a documented MFA deployment report covering architecture, user population, factor types, break-glass procedures, and audit results before their year-end deadline. Supplier status confirmed for the following year.
Six months after deployment, the IT head was asked what he would do differently.
"The vendor audit. I would have done it before I called anyone. Not as part of the project — before. Because when you sit down to clean your credential inventory, you find out things about your own organisation that change how you think about the problem. We found accounts we didn't know existed. We found vendors who had more access than they needed. We found that our process for decommissioning access didn't exist. None of that required Duo to discover. I just hadn't made myself do it."
He was also asked what had surprised him most about the deployment.
"The plant floor operators. I expected resistance. I expected the union rep to be in my office the week we distributed tokens. None of that happened. The operators treated the token like a site ID card — something you carry, something you use, something you don't think about much. What I underestimated was how much the individual accountability actually meant to them. When we explained that the old shared login meant that if something went wrong on a machine, there was no way to know who had been logged in, some of them didn't like that. They wanted their own account. The security argument and the fairness argument were the same argument."
Proactive Data Systems is a 35-year-old IT infrastructure company and Cisco Preferred Partner across Security, Networking, Collaboration, Cloud & AI, and Services. Our manufacturing security practice deploys Cisco Duo across hybrid IT/OT environments in automotive, pharmaceutical, and process manufacturing across India.
If you are facing a CERT-In audit window, an OEM supplier qualification requirement, or a DPDP Act readiness project, Proactive can provide a no-obligation deployment assessment scoped to your plant infrastructure and timeline. Write to [email protected] for a consultation.