Understanding the OT Environment
Before deploying PAM controls, you must understand what makes OT systems fundamentally different from enterprise IT — and why the same attacks hit very differently.
What is Operational Technology?
Operational Technology refers to hardware and software that monitors or controls physical devices, processes, and infrastructure. Unlike IT systems where data confidentiality is the primary concern, OT systems directly interface with the physical world — disruptions can cause equipment damage, environmental harm, or even loss of human life.
The Purdue Reference Model
The Purdue Enterprise Reference Architecture defines logical security zones in industrial environments. Understanding these zones is essential for applying PAM controls at the right boundaries.
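As an added example (not from the original page and not Delinea code), the check below encodes the Purdue levels and one boundary rule a PAM team would enforce: a privileged session from the enterprise side (Level 4/5) may only reach the control side (Level 3 and below) through the Level 3.5 industrial DMZ, where the jump host and session proxy live. Run against an export of observed connections, it lists the hops that skip that boundary and the endpoints that are not even in the asset inventory. The hostnames, level assignments and sample hops are constructed for the example.

```python
"""Purdue-level boundary check for privileged connections (added example)."""
from dataclasses import dataclass

# Purdue levels, 0 = physical process up to 5 = enterprise network.
LEVELS = {
    0: "Physical process (sensors, actuators)",
    1: "Basic control (PLCs, RTUs)",
    2: "Supervisory control (HMIs, SCADA servers)",
    3: "Site operations (historians, engineering workstations)",
    3.5: "Industrial DMZ (jump hosts, relays, replicated historian)",
    4: "Business / site IT",
    5: "Enterprise network",
}
DMZ = 3.5

# Constructed asset inventory for the example: hostname -> Purdue level.
ASSETS = {
    "erp-app-01": 5,
    "it-admin-ws-07": 4,
    "ot-jump-01": DMZ,
    "historian-repl": DMZ,
    "ews-line3": 3,
    "historian-ot": 3,
    "hmi-boiler-2": 2,
    "plc-boiler-2": 1,
}


@dataclass(frozen=True)
class Hop:
    src: str
    dst: str
    protocol: str


def is_enterprise(level):
    return level >= 4


def is_control(level):
    return level <= 3


def classify_hop(hop, assets=ASSETS):
    """Verdict for one connection.

    'ok'            : stays on one side, or passes through the DMZ
    'bypasses-dmz'  : enterprise side talks straight to the control side
    'unknown-asset' : endpoint not inventoried (cannot be zoned or vaulted yet)
    """
    if hop.src not in assets or hop.dst not in assets:
        return "unknown-asset"
    src_level, dst_level = assets[hop.src], assets[hop.dst]
    if src_level == DMZ or dst_level == DMZ:
        return "ok"
    if (is_enterprise(src_level) and is_control(dst_level)) or (
        is_control(src_level) and is_enterprise(dst_level)
    ):
        return "bypasses-dmz"
    return "ok"


def find_pam_gaps(hops, assets=ASSETS):
    """Return (hop, verdict) for every hop that needs a PAM boundary control."""
    flagged = []
    for hop in hops:
        verdict = classify_hop(hop, assets)
        if verdict != "ok":
            flagged.append((hop, verdict))
    return flagged


# Constructed sample of observed privileged connections.
SAMPLE_HOPS = [
    Hop("it-admin-ws-07", "ot-jump-01", "rdp"),     # IT -> DMZ jump host: fine
    Hop("ot-jump-01", "ews-line3", "rdp"),          # DMZ -> OT: fine
    Hop("it-admin-ws-07", "hmi-boiler-2", "rdp"),   # IT straight into Level 2: gap
    Hop("ews-line3", "plc-boiler-2", "modbus"),     # within the control side: fine
    Hop("erp-app-01", "historian-ot", "sql"),       # enterprise app reading the OT historian: gap
    Hop("vendor-laptop", "plc-boiler-2", "modbus"), # uninventoried endpoint: gap
]

if __name__ == "__main__":
    for hop, verdict in find_pam_gaps(SAMPLE_HOPS):
        print(f"{verdict:14} {hop.src} -> {hop.dst} ({hop.protocol})")
```

The two "bypasses-dmz" hops are exactly the paths where the page's jump-server and zone-specific vault controls belong; the "unknown-asset" hop is a reminder that an inventory has to exist before any zone policy can be applied to it.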
Key OT Characteristics vs. IT
| Characteristic | IT Environment | OT Environment | PAM Impact |
|---|---|---|---|
| Availability Priority | High (99.9% SLA) | Extreme — downtime = physical impact | No reboot tolerances |
| Patch Cycle | Monthly / on-demand | Annual or longer; some never patched | Legacy auth protocols |
| System Lifespan | 3–7 years | 15–30+ years | Windows XP/2003 common |
| Authentication | MFA / SSO / PKI | Shared local accounts, no MFA | High priority vault |
| Network Protocols | TCP/IP standard | Modbus, DNP3, PROFINET, OPC | Protocol awareness req. |
| Change Management | Agile / frequent | Strict change windows only | Workflow integration needed |
Security Gaps in the OT Perimeter Model
OT security was historically built on physical isolation and implicit trust. Understanding why this model fails is the foundation for a modern PAM strategy.
The Air-Gap Myth
OT systems were designed in an era when "air gap = security." Operators assumed that if an attacker couldn't physically touch the network, they couldn't cause harm. Stuxnet (2010) permanently invalidated this assumption. Today, 89% of critical infrastructure organizations have experienced at least one OT security incident in the past two years.
The Five Critical Security Gaps
OT systems routinely use shared "admin" accounts known to dozens of engineers and vendors. Many PLCs and HMIs ship with hardcoded default passwords that are never changed, or cannot be changed due to vendor support requirements. These credentials are often documented in plaintext on sticky notes near equipment, in shared spreadsheets, or inside vendor documentation stored on uncontrolled file shares.
PAM Impact: Delinea Secret Server must vault all SCADA admin credentials, service accounts, and vendor-supplied credentials. Automated password rotation must be carefully planned to avoid breaking active sessions.
HMI workstations running Windows XP, Windows 2003, or embedded Windows CE are common in OT environments. These systems cannot run modern security agents, cannot support modern MFA solutions, and may not receive patches for known vulnerabilities. Vendors may void support warranties if security software is installed.
PAM Impact: Delinea Privileged Behavior Analytics and session proxies must operate at the network layer, not the endpoint, for these systems. Jump server architecture through Secret Server Web Launcher can enforce MFA without touching the legacy endpoint.
OT systems require regular maintenance by original equipment manufacturers (OEMs) and specialized vendors — Siemens, Rockwell Automation, Schneider Electric, Honeywell. These vendors typically demand always-on remote access via dedicated VPN tunnels or vendor-specific platforms that bypass corporate security controls entirely.
PAM Impact: Third-party vendor accounts must be created in Delinea as time-limited, session-specific credentials. Vendor access should be routed through Delinea's session recording capability so every action is logged and reviewable.
In IT, password rotation is standard practice. In OT, rotating a SCADA server password can break a running process if any of the dozens of dependent services haven't been updated simultaneously. As a result, passwords are often never rotated — some remain unchanged for 10+ years. Engineers who left the organization five years ago may still have valid credentials to critical control systems.
PAM Impact: Delinea's dependency mapping for OT accounts must be conducted before any rotation is enabled. Rotation should occur during planned maintenance windows and include automated verification of all dependent connections.
Unlike enterprise environments where Active Directory logs every logon event, OT systems often have minimal logging capabilities. PLCs may have no log storage at all. SCADA systems may overwrite logs after 72 hours. There is typically no centralized SIEM receiving OT logs, meaning forensic investigation after an incident relies on unreliable human memory.
PAM Impact: Delinea Session Recording provides the audit trail that OT systems themselves cannot. Recording engineering workstation sessions creates irrefutable evidence of what configuration changes were made, by whom, and when.
IT/OT Convergence Threats
The integration of enterprise IT with OT networks creates a new threat landscape where enterprise-targeted attacks now have a clear path to physical infrastructure.
Why Convergence is Happening
Business drivers pushing IT/OT convergence are powerful: real-time production data for ERP systems, remote monitoring for predictive maintenance, cloud-connected analytics, Industry 4.0 initiatives, and cost reduction through shared IT services. These are legitimate business objectives — the problem is that security architecture has not kept pace with connectivity demands.
Attack Vectors Created by IT/OT Convergence
| Attack Vector | How It Works | Real-World Example | Delinea Control |
|---|---|---|---|
| IT → OT Lateral Movement | Attacker compromises IT system, pivots through historian or DMZ to reach OT network | Colonial Pipeline 2021 — ransomware entered IT, forced OT shutdown out of caution | Zone-specific vaulted accounts |
| Credential Reuse | Same AD credentials used in both IT and OT zones; IT breach = OT breach | Ukraine Power Grid 2015 — Sandworm used IT credentials to reach SCADA HMIs | Separate OT credential vault |
| Vendor Remote Access | Compromised vendor supply chain → persistent access to multiple customer OT networks | SolarWinds 2020 — OT customers exposed via IT monitoring tool | Time-limited vendor sessions |
| Engineering Workstation Compromise | Dual-homed workstations bridging IT and OT are targeted to plant malware on PLCs | Stuxnet 2010 — targeted Siemens Step 7 engineering software | Session recording + app control |
| Ransomware Cascade | Ransomware encrypts historian/SCADA servers, blinding operators who shut down OT as precaution | Oldsmar Water Facility 2021 — operator noticed mouse cursor moving | Session anomaly detection |
Engineering workstations (EWS) are the most dangerous convergence point. They must connect to both corporate networks (for email, documentation, vendor software updates) and OT control networks (to program PLCs). Delinea's application control policy on EWS — allowing only whitelisted programs to run and recording all privileged sessions — is the highest-value control you can implement for an OT environment.
Vaulting SCADA Credentials
Extending Delinea Secret Server to OT environments requires careful planning around dependency mapping, rotation scheduling, and legacy protocol support.
SCADA Credential Inventory — First Steps
The most common mistake is deploying Secret Server before completing a thorough credential inventory. In OT environments, undocumented credentials are the norm, not the exception. A service account that controls the pressure in a refinery pipeline must be discovered before it can be managed.
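The triage below is an added example, not code from the page or from Delinea. It takes a constructed inventory export (one row per account per asset) and turns it into a prioritised vaulting list, flagging the conditions described earlier in this page: shared accounts known to many people, vendor default passwords that were never changed, credentials unrotated for 10+ years, and accounts still held by people who have left the organization. The column names, the weighting by Purdue level and the sample rows are all assumptions made for the example.

```python
"""Credential-inventory triage before vaulting (added example)."""
import csv
import io
from datetime import date

# Constructed inventory export. "never" in last_changed means no rotation on record.
INVENTORY_CSV = """asset,purdue_level,account,known_holders,vendor_default,last_changed,holder_left_org
plc-boiler-2,1,admin,14,yes,never,no
hmi-boiler-2,2,Administrator,6,no,2012-05-14,yes
scada-srv-01,2,svc_scada,3,no,2019-11-02,no
historian-ot,3,svc_hist,2,no,2023-08-20,no
ews-line3,3,engineer,9,no,2011-01-30,yes
"""

STALE_YEARS = 10   # from the page: some OT passwords remain unchanged for 10+ years


def age_years(last_changed, today):
    """Years since the credential last changed; None when it never has."""
    if last_changed == "never":
        return None
    return (today - date.fromisoformat(last_changed)).days / 365.25


def assess(row, today):
    flags = []
    if int(row["known_holders"]) > 1:
        flags.append("shared")
    if row["vendor_default"] == "yes":
        flags.append("vendor-default")
    age = age_years(row["last_changed"], today)
    if age is None or age >= STALE_YEARS:
        flags.append("stale")
    if row["holder_left_org"] == "yes":
        flags.append("ex-employee-holder")
    # Constructed weighting: the closer to the physical process (lower Purdue
    # level), the higher the impact of the account being misused.
    impact = 4 - min(int(row["purdue_level"]), 3)   # level 1 -> 3, level 3 -> 1
    return {
        "asset": row["asset"],
        "account": row["account"],
        "flags": flags,
        "score": impact * (1 + len(flags)),
    }


def triage(csv_text, today_iso):
    """Return assessments sorted by descending score (highest vaulting priority first)."""
    today = date.fromisoformat(today_iso)
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted((assess(r, today) for r in rows), key=lambda a: -a["score"])


if __name__ == "__main__":
    for item in triage(INVENTORY_CSV, "2024-06-01"):
        print(f'{item["score"]:3}  {item["asset"]:14} {item["account"]:14} {", ".join(item["flags"])}')
```

The output order is the onboarding order for Secret Server: the Level 1 PLC account with a shared, never-changed vendor default comes first, and a recently rotated historian service account comes last. Because rotation itself is risky in OT (see the rotation gap above), the flags tell you which accounts to vault immediately and which ones need dependency mapping before their password is ever changed.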
OT-Specific Secret Templates
POST /api/v1/secret-policy

```json
{
  "policyName": "OT-ControlNetwork-Tier2",
  "autoChangeSchedule": {
    "changeType": "ScheduledMaintenance",
    "allowedWindows": ["SAT 02:00-06:00", "SUN 02:00-06:00"],
    "requireChangeApproval": true,
    "approvalGroups": ["OT-Change-Board"]
  },
  "checkoutEnabled": true,
  "checkoutIntervalMinutes": 120,
  "requireComment": true,
  "sessionRecordingEnabled": true,
  "heartbeatEnabled": true
}
```
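The following gate is an added example (not from the page and not Delinea code) that ties the policy above to the rotation gap described earlier: dependency mapping before any rotation, rotation only inside a planned maintenance window, and automated verification of every dependent connection afterwards. It embeds the policy JSON verbatim as data, parses the `allowedWindows` strings, and refuses to proceed unless the proposed time is inside a window, an approval from one of the `approvalGroups` is on record, and every dependency is mapped; after the (simulated) change it re-tests each dependency and reports a rollback if any fails. The dependency records and the verification callback are constructed stand-ins.

```python
"""Rotation-readiness gate for an OT service account (added example)."""
import json
from datetime import datetime

# The policy shown on the page, embedded verbatim as input data.
POLICY_JSON = """{
  "policyName": "OT-ControlNetwork-Tier2",
  "autoChangeSchedule": {
    "changeType": "ScheduledMaintenance",
    "allowedWindows": ["SAT 02:00-06:00", "SUN 02:00-06:00"],
    "requireChangeApproval": true,
    "approvalGroups": ["OT-Change-Board"]
  },
  "checkoutEnabled": true,
  "checkoutIntervalMinutes": 120,
  "requireComment": true,
  "sessionRecordingEnabled": true,
  "heartbeatEnabled": true
}"""
POLICY = json.loads(POLICY_JSON)

DAYS = {"MON": 0, "TUE": 1, "WED": 2, "THU": 3, "FRI": 4, "SAT": 5, "SUN": 6}


def parse_window(spec):
    """'SAT 02:00-06:00' -> (weekday, start_minute, end_minute)."""
    day, hours = spec.split()
    start, end = hours.split("-")

    def to_minutes(hm):
        h, m = hm.split(":")
        return int(h) * 60 + int(m)

    return DAYS[day.upper()], to_minutes(start), to_minutes(end)


def in_window(when, windows):
    """True if `when` falls inside any allowed window (end is exclusive)."""
    minute = when.hour * 60 + when.minute
    return any(when.weekday() == day and start <= minute < end
               for day, start, end in map(parse_window, windows))


def rotation_gate(when, approvals, dependencies, verify, policy=POLICY):
    """Return (committed, reasons).

    dependencies: list of dicts with at least 'name' and 'mapped'.
    verify(dep):  re-tests one dependent connection after the credential
                  changed and returns True on success.
    """
    sched = policy["autoChangeSchedule"]
    reasons = []
    if not in_window(when, sched["allowedWindows"]):
        reasons.append(f"{when:%a %H:%M} is outside the allowed maintenance windows")
    if sched["requireChangeApproval"] and not (set(approvals) & set(sched["approvalGroups"])):
        reasons.append("no approval recorded from " + ", ".join(sched["approvalGroups"]))
    unmapped = [d["name"] for d in dependencies if not d["mapped"]]
    if unmapped:
        reasons.append("dependencies not yet mapped: " + ", ".join(unmapped))
    if reasons:
        return False, reasons   # preconditions failed: leave the credential alone
    # Preconditions met: the new credential would be pushed here, then every
    # dependent connection is re-tested. Any failure means roll back.
    failed = [d["name"] for d in dependencies if not verify(d)]
    if failed:
        reasons.append("post-change verification failed, roll back: " + ", ".join(failed))
    return not failed, reasons


# Constructed dependency map for one SCADA service account.
DEPENDENCIES = [
    {"name": "hmi-boiler-2 OPC client", "mapped": True, "host": "hmi-boiler-2"},
    {"name": "historian collector service", "mapped": True, "host": "historian-ot"},
    {"name": "legacy shift-report task", "mapped": False, "host": None},
]


def demo_verify(dep):
    """Constructed stand-in for a real connectivity or heartbeat test."""
    return dep["host"] is not None


def gate_at(iso_time, approvals, dependencies=DEPENDENCIES, verify=demo_verify):
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return rotation_gate(datetime.fromisoformat(iso_time), approvals, dependencies, verify)


if __name__ == "__main__":
    committed, reasons = gate_at("2024-01-06T03:00", ["OT-Change-Board"])
    print("committed" if committed else "blocked", reasons)
```

Note that the unmapped "legacy shift-report task" blocks the rotation even inside a valid window with approval in place; that is the desired behaviour, since an unknown dependency is exactly what breaks a running process when the password changes.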
Session Recording & Least Privilege
Recording engineering workstation sessions and enforcing least privilege in OT requires a fundamentally different approach than IT — one that prioritizes availability and operational continuity above all.
Engineering Workstation Session Recording
Engineering workstations (EWS) are the primary target for attackers seeking to modify PLC logic. Session recording on EWS accomplishes two critical objectives: it deters insider threats by establishing that all actions are logged, and it provides forensic evidence when incidents occur — down to every keystroke in SCADA configuration tools like Siemens TIA Portal or Rockwell FactoryTalk.
What Must Be Recorded in OT
| Session Type | Recording Priority | Retention | Alert Trigger |
|---|---|---|---|
| PLC programming sessions (Step 7, TIA Portal) | MANDATORY | 7 years (regulatory) | Any logic download to PLC |
| SCADA configuration changes (Wonderware, iFIX) | MANDATORY | 7 years | Tag database modifications |
| HMI setpoint adjustments beyond ±10% | REQUIRED | 3 years | Safety limit boundary approach |
| Vendor remote access sessions | MANDATORY | 7 years | All sessions — real-time monitoring |
| Historian database access | REQUIRED | 2 years | Bulk data export events |
| Safety Instrumented System (SIS) access | MANDATORY | Lifetime of facility | Any access attempt — immediate alert |
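The detection logic below is an added example, not code from the page or from Delinea. It implements the "Alert Trigger" column of the table as rules over session-event records of the kind a session-recording proxy could emit: any SIS access raises an immediate alert, a PLC logic download or tag database change raises a high alert, an HMI setpoint moved by more than ±10% or brought close to a safety limit raises a medium alert, and a historian query returning an unusually large result counts as a bulk export. The ±10% rule comes from the table; the event schema, the safety-limit margin, the bulk-export row threshold and the sample events are constructed.

```python
"""Alert triggers over recorded OT session events (added example)."""
from collections import Counter
from dataclasses import dataclass, field

SETPOINT_PCT = 10.0          # from the table: HMI adjustments beyond ±10%
SAFETY_MARGIN_PCT = 5.0      # constructed: within 5% of a safety limit counts as "approach"
BULK_EXPORT_ROWS = 100_000   # constructed: result size that counts as a bulk export


@dataclass
class Event:
    ts: str
    user: str
    host: str
    kind: str   # plc_download | tag_db_change | setpoint | historian_query | sis_access | login
    detail: dict = field(default_factory=dict)


@dataclass
class Alert:
    severity: str   # immediate | high | medium
    rule: str
    event: Event


def setpoint_alerts(ev):
    """Apply the ±10% and safety-limit rules to one setpoint change."""
    alerts = []
    old, new = ev.detail["old"], ev.detail["new"]
    if old == 0:
        pct = float("inf") if new != 0 else 0.0   # no baseline: any change is unbounded
    else:
        pct = (new - old) / abs(old) * 100
    if abs(pct) > SETPOINT_PCT:
        alerts.append(Alert("medium", f"setpoint moved {pct:+.1f}%", ev))
    limit = ev.detail.get("safety_limit")
    if limit is not None and abs(limit - new) <= abs(limit) * SAFETY_MARGIN_PCT / 100:
        alerts.append(Alert("medium", "setpoint approaching safety limit", ev))
    return alerts


def evaluate(events):
    alerts = []
    for ev in events:
        if ev.kind == "sis_access":
            alerts.append(Alert("immediate", "access attempt on Safety Instrumented System", ev))
        elif ev.kind == "plc_download":
            alerts.append(Alert("high", "logic download to PLC", ev))
        elif ev.kind == "tag_db_change":
            alerts.append(Alert("high", "SCADA tag database modification", ev))
        elif ev.kind == "setpoint":
            alerts.extend(setpoint_alerts(ev))
        elif ev.kind == "historian_query" and ev.detail.get("rows", 0) >= BULK_EXPORT_ROWS:
            alerts.append(Alert("medium", "bulk historian data export", ev))
    return alerts


def summarize(alerts):
    """Alert count per severity, e.g. {'immediate': 1, 'high': 1, 'medium': 3}."""
    return dict(Counter(a.severity for a in alerts))


# Constructed sample of one recorded shift on the boiler line.
SAMPLE_EVENTS = [
    Event("2024-03-02T02:14:05", "j.ortiz", "ews-line3", "login"),
    Event("2024-03-02T02:20:41", "j.ortiz", "ews-line3", "plc_download", {"target": "plc-boiler-2"}),
    Event("2024-03-02T02:31:09", "op.shift2", "hmi-boiler-2", "setpoint",
          {"tag": "BLR2_PRESS_SP", "old": 80.0, "new": 85.0, "safety_limit": 100.0}),
    Event("2024-03-02T02:33:57", "op.shift2", "hmi-boiler-2", "setpoint",
          {"tag": "BLR2_PRESS_SP", "old": 85.0, "new": 97.0, "safety_limit": 100.0}),
    Event("2024-03-02T02:40:12", "vendor-acme", "historian-ot", "historian_query", {"rows": 250_000}),
    Event("2024-03-02T02:41:00", "op.shift2", "historian-ot", "historian_query", {"rows": 500}),
    Event("2024-03-02T02:45:33", "j.ortiz", "sis-boiler", "sis_access", {"result": "denied"}),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity:9}] {a.event.ts} {a.event.user}@{a.event.host}: {a.rule}")
```

Two details matter in practice: the SIS rule fires on the attempt, not on success (the sample access was denied and still alerts), and the second setpoint change produces two alerts, one for the size of the move and one for how close it brings the process to its safety limit.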
Least Privilege in OT — Without Disrupting Operations
In IT, removing admin rights is straightforward — reinstall the software with standard user privileges. In OT, many SCADA and HMI applications were designed to run only under local Administrator accounts. Removing those privileges without testing in a parallel environment first will break running production processes. Least privilege in OT must be implemented incrementally over months, not overnight.
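The following is an added example (not from the page and not Delinea code) of the incremental approach described here and in the engineering-workstation paragraph above: an application allow-list for the EWS that is first run in an audit mode, recording what would be blocked, so that the OT security and process engineering teams can review the list before switching to enforcement. The allow-list entries (including the Siemens and Rockwell install directories), the Windows paths and the sample process-start records are constructed; the mechanism that actually stops a process from launching is outside the example.

```python
"""EWS application allow-list in audit and enforce modes (added example)."""
from collections import Counter

# Constructed allow-list: entries ending in "/" are directory prefixes,
# anything else must match an executable path exactly.
ALLOWLIST = [
    "C:/Program Files/Siemens/Automation/",          # TIA Portal / Step 7 install tree
    "C:/Program Files (x86)/Rockwell Software/",     # FactoryTalk / Studio 5000 install tree
    "C:/Windows/System32/notepad.exe",               # exact file
]


def normalize(path):
    """Case- and separator-insensitive form for Windows paths."""
    return path.replace("\\", "/").lower()


def is_allowed(path, allowlist=ALLOWLIST):
    p = normalize(path)
    for rule in allowlist:
        r = normalize(rule)
        if r.endswith("/"):
            if p.startswith(r):
                return True
        elif p == r:
            return True
    return False


def decide(path, mode, allowlist=ALLOWLIST):
    """Return 'allow', 'would-block' (audit mode) or 'block' (enforce mode)."""
    if mode not in ("audit", "enforce"):
        raise ValueError(f"unknown mode: {mode}")
    if is_allowed(path, allowlist):
        return "allow"
    return "would-block" if mode == "audit" else "block"


def audit_report(process_starts, allowlist=ALLOWLIST):
    """Per executable, how often the audit phase would have blocked it.

    This is the list both teams review before enforcement: each entry is
    either a legitimate tool to add to the allow-list or something that
    should not be on an engineering workstation at all.
    """
    counts = Counter()
    for _ts, _user, path in process_starts:
        if decide(path, "audit", allowlist) == "would-block":
            counts[normalize(path)] += 1
    return dict(counts)


# Constructed process-start records: (timestamp, user, image path).
SAMPLE_STARTS = [
    ("2024-03-02T07:01:10", "j.ortiz", r"C:\Program Files\Siemens\Automation\Portal V17\Bin\Siemens.Automation.Portal.exe"),
    ("2024-03-02T07:02:45", "j.ortiz", r"C:\Windows\System32\NOTEPAD.EXE"),
    ("2024-03-02T07:15:02", "j.ortiz", r"C:\Users\j.ortiz\Downloads\plc_tool.exe"),
    ("2024-03-02T07:15:30", "j.ortiz", r"C:\Users\j.ortiz\Downloads\plc_tool.exe"),
    ("2024-03-02T08:22:11", "m.chen", r"C:\Program Files (x86)\Rockwell Software\Studio 5000\Logix Designer.exe"),
    ("2024-03-02T08:30:00", "m.chen", r"C:\Tools\legacy_tagexport.exe"),
]

if __name__ == "__main__":
    for path, n in audit_report(SAMPLE_STARTS).items():
        print(f"would-block x{n}: {path}")
```

The audit report for the sample shows two candidates: a tool launched from a user's Downloads folder, and a legacy export utility under C:\Tools that production may depend on. Deciding which one gets allow-listed and which one gets removed is the conversation this page asks you to have with the process engineers before flipping the mode to "enforce".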
OT PAM Deployment Guide
A complete framework for extending Delinea PAM controls to OT environments while maintaining continuous operations and regulatory compliance.
OT PAM Implementation Roadmap
Regulatory Compliance Mapping
| Regulation | Applicable Sector | Key PAM Requirement | Delinea Control |
|---|---|---|---|
| NERC CIP | Electric utilities | CIP-004: Access management; CIP-007: System security | Secret Server + Session Recording |
| IEC 62443 | Industrial automation | Zone-based access control, account management, audit logging | Zone-specific vault policies |
| NIST SP 800-82 | Federal critical infrastructure | Least privilege, account management, remote access control | Privilege Manager + Secret Server |
| TSA Pipeline | Oil & gas pipelines | Cybersecurity implementation plan; access control | Full PAM suite |
| AWIA 2018 | Water utilities | Risk & resilience assessments including cybersecurity | Secret Server + Audit Reports |
Common OT PAM Anti-Patterns to Avoid
In OT environments, an overly aggressive security control that triggers a process shutdown is itself a security incident — and potentially a safety incident. Every Delinea PAM control deployed in an OT environment must be reviewed by both the OT security team AND the process engineering team. The goal is a security posture that makes attacks harder without creating new failure modes for the process. When in doubt, instrument and monitor before you enforce.