• Operational Technology, or OT, refers to the systems that manage, monitor and control industrial operations
• Gartner definition: “Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise”
• Examples include: Supervisory Control and Data Acquisition (SCADA) software, Programmable
Logic Controllers (PLCs), physical plant equipment, machinery, Remote Terminal Units (RTUs),
remote industrial software and hardware, Human Machine Interfaces (HMIs)
• These are present in all types of organizations, but particularly present in Manufacturing, Energy, Utilities,
Healthcare and Financial Services
• OT devices are frequently sought after by attackers not only because of the power they grant (and the rewards they can bring) but also because they are easy targets
  • Weak password security, and connectivity to other devices that enables lateral movement
WHAT IS OT? WHY DOES THIS MATTER?
• OT devices are increasingly connected to the outside world; they no longer live only in air-gapped environments
• SANS indicates that 64% of OT devices are connected
• These devices all have administrative accounts that need to be managed, but with a very strict caveat: it cannot come at the expense of operations
• Most OT software applications have shared accounts used by many people, which creates accountability issues
• Remote users, and in particular external vendors, manage devices in OT environments in a variety of ways; it is difficult both to provision their access and to provide secure access when they are offline
THE CHALLENGES
Privileged Access Manager
• Use Privileged Access Manager to discover privileged accounts that exist in OT systems and onboard them to be managed and rotated
• In OT environments where end-users are never online, leverage the offline access capability within the CyberArk Mobile app
• Privileged Session Management capabilities are recommended to isolate sessions, so that credentials never reach the workstation, and to monitor and audit those sessions
Remote Access
• Leverage Remote Access to ensure biometric authentication and Zero Trust access to critical resources without the need for VPNs, passwords or agents
• For external vendors, leverage Vendor PAM to provision access just-in-time; this will be very common within OT environments, with many vendors who require access to various devices
Endpoint Privilege Manager
• Implementing application whitelisting on top-hierarchy control computers such as Human Machine Interfaces (HMIs) is one of the most critical steps in securing an OT environment.
• Remove local administrator rights from the HMI, and seamlessly elevate privileges, based on the organization’s policy, only as required by trusted (whitelisted) applications.
THE CYBERARK SOLUTION
• What is the current workflow for the privileged users who work in your OT environments?
• How do they log in to systems?
• Do they have regular, intermittent or no internet connectivity?
• How are you managing passwords for their privileged accounts?
• Are there external vendors who require access to these devices? Device manufacturers, managed service providers, IT contractors, etc.?
• How do you ensure that users are who they say they are?
• Is there an audit trail?
• Is there accountability and session recording?
• What security controls are in place on Tier 0 endpoints like HMIs?
DISCOVERY QUESTIONS
• Discuss other technology partners they may have in their stack
  • Gateway connections: Eaton, GE, Schweitzer
  • These make it easier for organizations to permit secure connections to OT devices from the leading manufacturers, with secure session management and credential protection
• Relevant CyberArk offerings:
  • Privileged Access Manager
    • Centralized repository to manage credentials for ALL devices in the IT network (servers, databases, IoT, OT, etc.)
    • Within CyberArk Mobile, offline access is permitted, so the user can retrieve credentials within the app
  • Vendor PAM
    • A lot of organizations with OT rely on vendors/device manufacturers to maintain and operationalize these devices
  • Endpoint Privilege Manager
    • Least privilege and application control on the endpoint, in particular high-value ones like HMIs
ADDITIONAL CONSIDERATIONS