This document provides an overview of an OT solution from CyberArk. It begins by defining operational technology (OT) and explaining that OT systems such as PLCs, HMIs and SCADA software are increasingly connected and targeted by attackers because their security is weak. It then outlines CyberArk's approach to securing OT environments: Privileged Access Manager to discover, manage and rotate privileged accounts (with the CyberArk Mobile app for offline credential retrieval), Remote Access and Vendor PAM for VPN-less, just-in-time access by remote users and external vendors, and Endpoint Privilege Manager for least privilege and application control on endpoints such as HMIs. The document concludes with discovery questions about the customer's current OT security practices and credential management.
3. • Operational Technology, or OT, is the set of systems that manage, monitor and control industrial operations
• Gartner definition: “Hardware and software that detects or causes a change through the direct monitoring
and/or control of physical devices, processes and events in the enterprise”
• Examples include: Supervisory Control and Data Acquisition (SCADA) software, Programmable
Logic Controllers (PLCs), physical plant equipment, machinery, Remote Terminal Units (RTUs),
remote industrial software and hardware, Human Machine Interfaces (HMIs)
• These are present in all types of organizations, but are especially common in Manufacturing, Energy, Utilities,
Healthcare and Financial Services
• OT devices are frequently targeted by attackers, not only because of the control over physical processes they grant
(and the disruption or ransom that control can yield) but also because they are easy targets
• Weak password security, and connections to other devices that enable lateral movement
WHAT IS OT? WHY DOES THIS MATTER?
4. • OT devices are increasingly connected to the outside world; they are no longer confined to air-gapped environments
• SANS indicates that 64% of OT devices are connected
• These devices all have administrative accounts that need to be managed, with the strict caveat that management
cannot come at the expense of operations
• Most OT software applications rely on shared accounts used by many people, which makes it impossible to attribute
actions to an individual
• Remote users, and external vendors in particular, manage devices in OT environments in a variety of ways; provisioning
their access is difficult, and providing secure access when those devices are offline is harder still
THE CHALLENGES
5. Privileged Access Manager
• Use Privileged Access Manager to discover the privileged accounts that exist in OT systems and onboard them so they are managed
and rotated
• In OT environments where end users have no connectivity to the vault, leverage the offline access capability within the CyberArk Mobile app
• Privileged Session Management capabilities are recommended to isolate sessions so credentials never reach the
workstation, and to monitor and record sessions for audit
Remote Access
• Leverage Remote Access to provide biometric authentication and Zero Trust access to critical resources without the need
for VPNs, passwords or agents
• For external vendors, leverage Vendor PAM to provision access just-in-time; this will be very common within OT
environments, where many vendors require access to various devices
Endpoint Privilege Manager
• Implementing application whitelisting on top-of-hierarchy control computers such as Human Machine Interfaces (HMIs) is
one of the most critical steps in securing an OT environment.
• Remove local administrator rights from the HMI, and seamlessly elevate privileges, based on the organization’s policy, only
for trusted (whitelisted) applications that require them.
THE CYBERARK SOLUTION
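The two Endpoint Privilege Manager bullets above describe the end state for an HMI: no standing local administrator rights, and an enforced application allowlist. The following PowerShell is an added example, not CyberArk's or any vendor's code, that audits a Windows HMI for that end state before a deployment. It assumes a Windows 10 / Server 2016 or later HMI with the built-in AppLocker module and the Application Identity service present, and it is run from an elevated session; the `$report` structure and the verdict strings are this example's own choices.

```powershell
# Added example (not CyberArk code): audit an HMI's local-admin exposure and
# application-control state. Assumes Windows 10/Server 2016+ and an elevated
# session; older HMI images without Get-LocalGroupMember need `net localgroup`.

$report = [ordered]@{}

# 1. Who holds local administrator rights on this HMI?
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
$report['LocalAdmins'] = $admins | Select-Object Name, ObjectClass, PrincipalSource

# Interactive user accounts other than the built-in Administrator are the
# standing rights that least-privilege tooling would remove.
$report['ExtraAdmins'] = @($admins | Where-Object {
    $_.ObjectClass -eq 'User' -and $_.Name -notmatch '\\Administrator$'
})

# 2. Is application control enforcing, audit-only, or absent?
# Get-AppLockerPolicy -Effective -Xml returns the merged local + GPO policy.
$policy = [xml](Get-AppLockerPolicy -Effective -Xml)
$report['AppLockerRules'] = @(foreach ($coll in $policy.AppLockerPolicy.RuleCollection) {
    [pscustomobject]@{
        Type            = $coll.Type              # Exe, Msi, Script, Dll, Appx
        EnforcementMode = $coll.EnforcementMode   # Enabled, AuditOnly or NotConfigured
        RuleCount       = @($coll.ChildNodes).Count
    }
})

# AppLocker rules are inert unless the Application Identity service is running.
$report['AppIDSvc'] = (Get-Service -Name AppIDSvc).Status

# 3. A verdict a practitioner can act on.
$exeEnforced = $report['AppLockerRules'] |
    Where-Object { $_.Type -eq 'Exe' -and $_.EnforcementMode -eq 'Enabled' }

$findings = @(
    if ($report['ExtraAdmins'].Count -gt 0) {
        "Remove local admin from: $($report['ExtraAdmins'].Name -join ', ')"
    }
    if (-not $exeEnforced) {
        'Exe allowlisting not enforced (policy absent or AuditOnly)'
    }
    if ($report['AppIDSvc'] -ne 'Running') {
        'AppIDSvc not running; AppLocker rules are not applied'
    }
)
$report['Verdict'] = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'HMI meets baseline' }

$report
```

Run it on each HMI before onboarding: an `ExtraAdmins` list that is not empty and an `Exe` collection that is `AuditOnly` or missing are exactly the gaps the Endpoint Privilege Manager bullets describe. Note that a policy applied in audit-only mode logs would-be blocks but stops nothing, which is why the verdict checks `EnforcementMode` rather than merely the presence of rules.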
6. • What is the current workflow for the privileged users who work in your OT environments?
• How do they log in to systems?
• Do they have regular, intermittent or no internet connectivity?
• How are you managing passwords for their privileged accounts?
• Are there external vendors who require access to these devices? Device manufacturers, managed service
providers, IT contractors, etc.?
• How do you ensure that users are who they say they are?
• Is there an audit trail?
• Is there accountability and session recording?
• What security controls are in place on Tier 0 endpoints like HMIs?
DISCOVERY QUESTIONS
7. • Discuss other technology partners they may have in their stack
• Gateway connections: Eaton, GE, Schweitzer
• These make it easier for organizations to permit secure connections to OT devices from the leading manufacturers, with
secure session management and credential protection
• Relevant CyberArk offerings:
• Privileged Access Manager
• Centralized repository to manage credentials for ALL devices on the network (servers, databases, IoT, OT, etc.)
• Within CyberArk Mobile, offline access is permitted: the user can retrieve credentials within the app without connectivity to the vault
• Vendor PAM
• Many organizations with OT rely on vendors and device manufacturers to maintain and operate these devices
• Endpoint Privilege Manager
• Least privilege and application control on the endpoint, in particular on high-value ones like HMIs
ADDITIONAL CONSIDERATIONS