Securing Critical Infrastructure: How KeeperPAM's Zero-Trust Architecture Protects Industrial Control Systems

The Cybersecurity and Infrastructure Security Agency (CISA) has recognized that Industrial Control Systems (ICS) and Operational Technology (OT) environments represent one of the largest areas of risk to American critical infrastructure. The increasing convergence of IT and OT systems, combined with the rise of ransomware attacks targeting critical infrastructure and the growing sophistication of nation-state threats, has created unprecedented security challenges.

As federal agencies face these evolving cyber threats, Keeper Security's Privileged Access Management (KeeperPAM) solution delivers robust protection through its FedRAMP Authorized zero-trust platform. By implementing end-to-end encryption using FIPS 140-3 validated modules and advanced cryptographic protocols, KeeperPAM ensures that access to critical systems remains secure while maintaining operational efficiency. This multilayered security approach not only fulfills CISA's stringent requirements for critical infrastructure protection, but also provides federal agencies with the tools they need to defend against emerging cyber threats targeting ICS.

Supporting CISA's goal 1: Cross-sector cybersecurity performance

KeeperPAM helps organizations implement CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) through:

  • FedRAMP Authorized zero-trust architecture that spans both IT and OT environments
  • Comprehensive secrets management for securing critical access credentials
  • Advanced encryption protocols that meet federal security standards

Advancing CISA's goal 2: ICS workforce enhancement

KeeperPAM supports ICS workforce development and security through:

  • Intuitive interface that reduces training requirements
  • Role-Based Access Control (RBAC) to align with organizational structures
  • Comprehensive audit trails that support skill development and oversight

Meeting CISA's goal 3: Threat detection and response

KeeperPAM enables collaborative threat response through:

  • Real-time session monitoring and threat detection
  • Secure remote access capabilities for rapid incident response
  • Comprehensive audit trails for threat analysis

Zero-trust security architecture: Protecting ICS

In today's evolving threat landscape, securing ICS requires a modern approach that leaves nothing to chance. A robust zero-trust security architecture serves as the foundation for protecting critical infrastructure from increasingly sophisticated cyber threats.

Advanced encryption and authentication

At the core of this security framework is a FedRAMP Authorized platform that implements comprehensive end-to-end encryption. By utilizing FIPS 140-3 validated cryptographic modules and elliptic curve cryptography, the system ensures that all communications between users and ICS components remain secure and tamper-proof.

Strict access controls

The platform enforces a "never trust, always verify" approach, where:

  • Every user must authenticate before accessing any critical infrastructure component
  • Each device requires validation before establishing connections
  • All sensitive data stored in the vault is protected using AES-256 GCM encryption

This multilayered security approach helps federal agencies maintain complete control over their ICS environments while meeting CISA's stringent requirements for critical infrastructure protection. By implementing these controls, organizations can significantly reduce their attack surface and minimize the risk of unauthorized access to sensitive industrial systems without costly greenfield modernization.

Privileged session management and monitoring: Securing access to critical infrastructure

Maintaining strict oversight of privileged access is paramount to national security concerns for ICS. A robust privileged session management framework serves as a critical defense against unauthorized access and potential cyber threats.

Comprehensive session monitoring

KeeperPAM's privileged session management capabilities provide end-to-end visibility into all privileged access activities across ICS environments. Every session is meticulously tracked and optionally recorded, with audit trails protected by military-grade FIPS 140-3 encryption. This ensures that sensitive operational data remains secure while maintaining complete transparency for security teams and auditors.

Time-based access control

The platform implements a sophisticated time-limited access model, where:

  • Privileged users receive Just-in-Time (JIT) access to critical systems
  • Access credentials remain securely encrypted and never exposed
  • Secure connections are established through Keeper Gateway services using encrypted tunnels

Advanced auditing capabilities

To support compliance requirements and security investigations, KeeperPAM offers:

  • Full session recording with screen capture functionality
  • Detailed keyboard interaction logging
  • Encrypted storage of all session recordings
  • Comprehensive playback capabilities for audit review

This multilayered approach to session management helps federal agencies and industry maintain complete control over their ICS environments while meeting CISA's requirements for critical infrastructure protection. By implementing these controls, organizations can significantly reduce their attack surface and maintain detailed accountability for all privileged access to industrial systems.

Secure remote access: Zero-trust protection for critical infrastructure

Secure remote access to Supervisory Control and Data Acquisition (SCADA) systems and ICS components is crucial to defending against nation-state actors and other advanced threats. Legacy security solutions have failed to adequately secure the ICS environment while simultaneously hindering user productivity. Modern security solutions must provide robust protection that also accelerates operational efficiency.

Advanced encrypted tunneling

KeeperPAM implements a sophisticated encrypted tunneling architecture that enables secure remote connections without traditional Virtual Private Network (VPN) dependencies. This approach provides:

  • Direct, encrypted access to critical infrastructure systems
  • Reduced attack surface by eliminating VPN vulnerabilities
  • Streamlined access for authorized personnel

Military-grade encryption

The platform leverages advanced cryptographic protocols to ensure maximum security:

  • WebRTC connections protected by symmetric keys derived through ECDH key agreement
  • Keys securely stored within encrypted Keeper records
  • End-to-end encryption for all remote sessions

Comprehensive data protection

To prevent unauthorized data exposure, KeeperPAM enforces strict policy controls:

  • Granular restrictions on file downloads
  • Controls over clipboard operations (copy/paste)
  • Print function limitations for sensitive content
  • Session monitoring and recording capabilities

This multilayered approach to secure remote access helps federal agencies maintain complete control over their ICS environments while meeting CISA's stringent requirements for critical infrastructure protection. By implementing these controls, organizations can significantly reduce their attack surface while ensuring that authorized personnel maintain efficient access to essential systems.

Advanced authentication controls: Modernizing ICS access security

In today's threat landscape, robust authentication is crucial for protecting ICS from unauthorized access. Modern authentication controls must adapt to both new and legacy systems while maintaining the highest security standards.

Universal Multi-Factor Authentication (MFA)

KeeperPAM implements comprehensive MFA protection across the entire ICS environment:

  • Enforces strong authentication even on legacy systems that lack built-in MFA capabilities
  • Provides consistent security controls across both modern and traditional industrial systems
  • Creates a unified authentication layer that meets federal security requirements

Advanced authentication methods

The platform supports multiple modern authentication technologies:

  • FIDO2 WebAuthn hardware security keys for physical authentication
  • Biometric verification, including fingerprint and facial recognition
  • Various authenticator applications for flexible, yet secure access

Federal integration and zero-knowledge security

KeeperPAM maintains security while enabling seamless integration:

  • Connects with existing federal identity providers
  • Preserves zero-knowledge architecture throughout the authentication process
  • Ensures credentials never leave the encrypted environment

This comprehensive approach to authentication helps federal agencies maintain complete control over their ICS environments while integrating with their existing systems. This approach allows for the shortest time to protection in the industry. By implementing these advanced controls, organizations can significantly reduce their risk of unauthorized access to critical systems.

Compliance and audit support: Meeting federal security standards

In today's highly regulated environment, maintaining compliance while securing industrial control systems is paramount. KeeperPAM provides robust compliance and audit capabilities that meet the stringent requirements of federal agencies and critical infrastructure operators.

Comprehensive federal authorization

KeeperPAM maintains the highest levels of federal security compliance:

  • FedRAMP Moderate authorization for secure federal deployments
  • StateRAMP certification for state and local government use
  • Full alignment with NIST 800-53 security controls

Advanced audit capabilities

The platform delivers extensive auditing features that help organizations maintain complete visibility:

  • Encrypted session recordings for all privileged access
  • Comprehensive audit trails of all user activities
  • Secure storage of audit data using FIPS 140-3 encryption

Automated compliance controls

KeeperPAM streamlines compliance management through:

  • RBAC for granular permission management
  • Automated policy enforcement across all users and systems
  • Detailed compliance reporting for audit requirements

This multilayered approach to compliance and auditing helps federal agencies, contractors and critical infrastructure operators maintain complete control over their ICS environments while meeting CISA's requirements for critical infrastructure protection. By implementing these controls, organizations can significantly reduce their audit complexity while maintaining detailed accountability for all privileged access to industrial systems.

Secrets management for ICS/OT systems: Securing critical infrastructure access

In ICS and OT environments, protecting sensitive credentials and access keys is paramount to maintaining critical infrastructure security. Modern adversaries target these credentials to gain access to sensitive systems and move laterally, establishing command-and-control channels and a foothold for re-entering the environment after being discovered.

Advanced secrets protection

KeeperPAM implements comprehensive secrets management capabilities that safeguard critical access credentials:

  • Automated rotation of sensitive credentials and API keys
  • Secure certificate management for OT environments
  • Protection of machine-to-machine authentication tokens

Zero-knowledge security architecture

The platform employs a sophisticated zero-knowledge encryption model:

  • All secrets are encrypted before leaving the client device
  • Credentials are never stored or transmitted in plaintext
  • Advanced encryption protects all stored secrets
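The two cryptographic building blocks this article names, a symmetric session key derived from ECDH key agreement (the "Military-grade encryption" section above) and AES-256-GCM applied to a secret before it leaves the client, fit together as shown in the following added example. It is illustrative code written for this page, not Keeper's implementation; the curve (P-256), the key derivation step (HKDF-SHA256, which a practitioner should always place between the raw ECDH output and a cipher key) and the record identifier used as associated data are assumptions the article does not specify. It uses only the Go standard library and constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// hkdfSHA256 turns a raw ECDH shared secret into a 32-byte AES-256 key
// (RFC 5869 extract-then-expand; one output block is exactly 32 bytes).
// The raw ECDH x-coordinate is never used directly as a cipher key.
func hkdfSHA256(secret, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt) // nil salt == HashLen zero bytes per RFC 5869
	extract.Write(secret)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write(info)
	expand.Write([]byte{0x01}) // T(1) counter byte
	return expand.Sum(nil)
}

// Party is one endpoint (e.g. an operator's client or a gateway) holding an
// ephemeral P-256 private key that never leaves the device.
type Party struct{ priv *ecdh.PrivateKey }

func NewParty() (*Party, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicBytes is the only value a party sends to its peer.
func (p *Party) PublicBytes() []byte { return p.priv.PublicKey().Bytes() }

// SessionKey derives the shared AES-256 key from our private key and the
// peer's public key; both sides compute the same key, an observer cannot.
func (p *Party) SessionKey(peerPub []byte, context string) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub) // rejects malformed or off-curve points
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	return hkdfSHA256(shared, nil, []byte(context)), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the client with AES-256-GCM and binds the ciphertext to aad
// (here a record identifier) so a blob cannot be swapped between records.
// Output layout: nonce || ciphertext || tag.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the GCM tag (and aad) before releasing any plaintext; tampering
// with nonce, ciphertext, tag or aad produces an error, never garbage output.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

func main() {
	operator, _ := NewParty()
	gateway, _ := NewParty()
	kOp, _ := operator.SessionKey(gateway.PublicBytes(), "demo-session")
	kGw, _ := gateway.SessionKey(operator.PublicBytes(), "demo-session")
	// Constructed sample secret; real credentials are never embedded in code.
	sealed, _ := Seal(kOp, []byte("plc-admin:Constructed-Sample-Pw"), []byte("record-42"))
	pt, err := Open(kGw, sealed, []byte("record-42"))
	fmt.Printf("keys match: %t, decrypted: %q, err: %v\n", string(kOp) == string(kGw), pt, err)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Open(kGw, sealed, []byte("record-42"))
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The design point to notice is that the server in a zero-knowledge model only ever sees `PublicBytes()` and the output of `Seal`; neither the private key nor the derived session key is transmitted, and the associated data means a ciphertext replayed under a different record identifier fails authentication rather than decrypting.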

Secure collaboration features

KeeperPAM enables safe credential sharing while maintaining security:

  • RBAC for credential distribution
  • Complete audit trails of all credential access and usage
  • Encrypted sharing between authorized team members

This approach to secrets management helps federal agencies maintain complete control over their ICS environments. By implementing these controls, organizations can significantly reduce their risk of credential compromise while improving the user experience.

Book a demo today to see how KeeperPAM can help secure your agency's critical infrastructure.


ABOUT THE AUTHOR


James Scobey, CISO, Keeper Security

James Scobey is the Chief Information Security Officer (CISO) of Keeper Security, Inc. He previously worked at the US Securities and Exchange Commission (SEC) as a Chief Information Security Officer. Prior to his position as CISO at the SEC, Scobey served as President and Chief Executive Officer (CEO) of SigmaCyber, Chief Technology Officer (CTO) and Assistant Director of Cybersecurity Operations at the SEC, as well as Principal Systems Engineer and Cyber Performance Systems Engineer at the federally funded research and development organization MITRE. Scobey has also served in leadership and engineering roles at S2i2, Federal Data Systems, USmax Corporation, By Light Professional IT Services and SMS Data Products Group.

Published Wednesday, February 05, 2025 7:31 AM by David Marshall