Critical Infrastructure · OT · ICS · SCADA · Utilities

OT Session Governance: Continuous Control of Every Privileged Remote Session in Critical Infrastructure

Your Perimeter Stops Intrusions. Your IAM Grants Access. But Who Governs What Happens During the Session?

Your firewall, MFA, and PAM confirm who connects to your SCADA systems. But once the session starts, nothing governs what happens inside it — the Governance Gap that enabled unauthorised commands in Oldsmar and persistent state-sponsored access through Volt Typhoon.

Keystrike closes that gap. Purpose-built for OT, ICS, and SCADA, it maps every remote session in real time, blocks unauthorised commands before execution through deterministic enforcement, and generates cryptographically attested audit records mapped to NERC CIP, IEC 62443, and NIST requirements.

Deploys in 20 minutes. No endpoint agents. No keylogging.

73% of organisations experienced an OT intrusion in the past year (Fortinet, 2024 State of OT Cybersecurity Report)

Completing the Identity Stack · Gatekeeper · Historian · Governor

How Keystrike Governs OT Sessions

Your identity tools grant access. Your SIEM logs what happened. Keystrike governs what happens during the live session. You don't have to rip out or replace the tools you already have. Keystrike is the essential final piece that makes your existing stack deliver Continuous Access Governance.

SEE — Live Visibility

Discover and map every remote access session in your OT environment in real time. See sessions across RDP, SSH, PowerShell, WinRM, WMI, SMB, TeamViewer, and NinjaOne — including connections from unmanaged or unknown clients that your existing tools cannot see.

CONTROL — Real-Time Enforcement

Verify that every command originates from a verified physical human operator. Block unauthorised commands through deterministic enforcement before they reach your OT systems. Zero false positives — because enforcement is based on cryptographic attestation, not probabilistic analysis.

PROVE — Continuous Governance

Generate tamper-evident session records for every remote access event. Map directly to NERC CIP, IEC 62443, EPA, and NIST requirements. Deliver audit-ready evidence and board-level governance reporting without manual log compilation.

OT Security Incidents · SCADA · Water · Energy · Utilities

Documented OT Cyberattacks on Water, Energy, and Utility Infrastructure and the Session Gap That Enabled Them

Unauthorised Remote Commands in Water and Energy SCADA Systems

Hijacked sessions and unverified remote commands are sufficient to cause operational disruption — no full system compromise required. A single automated or malicious command can trip a breaker, shut down a pump, or alter water pressure.

In January 2024, attackers caused a water tank overflow in Muleshoe, Texas by exploiting unverified remote sessions in a municipal SCADA system, forcing operators to switch to manual control. The attack was attributed to foreign hacking groups. — Chemical Processing, 2025

Keystrike response: Keystrike blocks every unattested command in real time. Only verified physical operator input reaches OT systems — whether the session is hijacked, credentials are stolen, or the command originates from an automated script.

  • Unauthorised commands stopped before execution
  • Operational continuity across water, energy, and electricity infrastructure
  • Full support for remote operations and hybrid control rooms

Third-Party Vendor Access as an OT Attack Vector

Utilities depend on contractors and vendors for maintenance and monitoring. Compromised vendor credentials are among the most common initial access vectors in OT environments — and once inside, no session-level verification exists to stop what happens next.

In the Oldsmar, Florida water treatment incident, an attacker used a legitimate remote access tool to raise sodium hydroxide to dangerous levels — endangering thousands of residents. The session appeared legitimate. The command was not. — ICS-CERT

Keystrike response: Keystrike validates every vendor and contractor action before execution. Compromised credentials cannot produce commands that pass Keystrike's physical attestation requirement.

  • Third-party sessions governed at the command level
  • Vendor collaboration preserved without expanding the attack surface
  • No network re-architecture required

IT-to-OT Lateral Movement: Stopping Attackers Before They Cross the Air Gap

Most OT breaches begin in IT. Attackers use phishing, stolen credentials, or vendor access to move laterally into operational control systems — exploiting the absence of session-level verification between IT and OT environments.

In 2023, Volt Typhoon — a Chinese state-linked threat actor — maintained persistent access to Littleton Electric Light and Water in Massachusetts for over 300 days via lateral IT-to-OT movement. No session-level control existed to detect or block commands from the compromised IT environment. — CISA Advisory, 2024

Keystrike response: Keystrike enforces session-level isolation between IT and OT. Stolen credentials and compromised IT sessions cannot produce attested commands in OT systems — regardless of how network access was achieved.

  • Lateral movement from IT to OT blocked at the session level
  • IT/OT segmentation enforced without network re-architecture
  • Pumps, valves, turbines, meters, and substations protected from unverified commands

Post-Authentication Security Gap

Completing the OT Security Stack

Your Gatekeeper grants access. Your Historian logs events. Keystrike is the Governor — governing what happens during the live session.

Tools | What It Does | Post-Authentication Gap
IAM / PAM / MFA | Grants access | Blind after the session starts
SIEM / SOAR / XDR | Logs events after the fact | Detection is reactive — damage is already done
Keystrike | Governs the live session | None. Unauthorised commands blocked before execution.

Keystrike does not record keystrokes, credentials, or personally identifiable information. Session verification is cryptographic — not behavioural — eliminating false positives and privacy exposure.

The Post-Authentication Risk in Numbers

  • 65% of OT environments have insecure remote access connections (Dragos, 2024 OT Cybersecurity Year in Review)
  • 70% of OT vulnerabilities reside in the internal network, post-perimeter (Dragos, 2024 OT Cybersecurity Year in Review)
  • 71% surge in attacks using stolen credentials in industrial environments (IBM X-Force, 2024 Threat Intelligence Index)
  • #1: Manufacturing was the most-targeted sector for cyberattacks for the 5th consecutive year (IBM X-Force, 2025 Threat Intelligence Index)
  • 45% of manufacturing cyberattacks involved credential theft or abuse (Verizon DBIR 2024)
  • 46% of energy sector breaches involved third-party or partner access (Verizon DBIR 2024, Energy subset)
  • 83% of water and wastewater systems had undocumented remote access connections (WaterISAC / CISA Advisory, 2024)

OT Regulatory Compliance · NERC CIP · IEC 62443 · EPA · NIST

Meeting NERC CIP, IEC 62443, EPA, and NIST Requirements Without Disrupting Operations

NERC CIP requires organisations to log and monitor all electronic access to critical cyber assets. IEC 62443 mandates access control and security zone enforcement for industrial control systems. EPA guidance requires utilities to document and audit remote access to operational technology. Keystrike satisfies each requirement by producing continuous, tamper-evident, session-level records of every privileged action, without recording personally identifiable information or requiring changes to existing infrastructure.

Tamper-Evident Session Records

Continuous logs of every privileged action, structured for audit

Regulatory-Ready Evidence

Session evidence meeting NERC CIP, IEC 62443, and EPA standards

Board and Audit Reporting

On-demand evidence for regulatory review and incident response

NERC CIP · EPA Safe Drinking Water Act · IEC 62443 · ISO 27001 · NIST CSF · State Energy & Water Regulations

Keystrike integrates natively with SCADA, ICS, IAM, and SIEM systems — enforcing policy-driven access controls, logging every operator action, and generating audit-ready evidence for board reporting, incident response, and regulatory review.

Built for Your Role

Keystrike Delivers What Your Role Demands

For the CISO

CONTROL — Real-Time Enforcement

You need certainty that every remote session in your OT environment is governed — not just logged. Keystrike gives you real-time enforcement: deterministic command verification that blocks unauthorised actions before they execute, with zero false positives.

For Compliance and Audit

PROVE — Continuous Governance

You need evidence — not just policies. Keystrike gives you provable governance: tamper-evident session records mapped directly to NERC CIP, IEC 62443, and NIST requirements. Every remote access session generates audit-ready evidence automatically.

For Security Operations

SEE — Live Visibility

You need to see what is happening right now — especially the sessions your existing tools miss. Keystrike gives you live visibility: a real-time map of every remote access connection, across every protocol, including sessions from unmanaged and unknown clients.

Frequently Asked Questions

What is session governance for OT environments?
Session governance for OT environments means continuously verifying and controlling what happens during every privileged remote access session in operational technology infrastructure — including SCADA, ICS, and DCS systems. Unlike perimeter security or identity security, session governance operates after authentication, ensuring that authorised users only execute authorised commands.

How does Keystrike differ from OT network monitoring tools like Dragos or Claroty?
OT network monitoring tools focus on network traffic analysis and asset discovery. Keystrike operates at the session layer — governing what authenticated users do during privileged remote sessions. Keystrike completes the security stack by adding the Governor layer alongside existing Gatekeeper (IAM/PAM) and Historian (SIEM/XDR) tools.

Does Keystrike require agents on OT endpoints or PLCs?
No. Keystrike deploys without agents on OT endpoints, PLCs, RTUs, or HMIs. It governs sessions transparently within existing remote access workflows. Typical deployment completes in 20 minutes.

Does Keystrike replace our PAM or IAM?
No. Keystrike completes PAM and IAM by governing what happens inside the sessions they grant. PAM controls who gets access to OT systems and manages privileged credentials. Keystrike governs what those users do once they're inside the session — verifying commands in real time and blocking unauthorised actions before they execute.

Does Keystrike replace our SIEM or XDR?
No. SIEM and XDR log events after they occur — detection is inherently reactive. Keystrike complements your SIEM by governing what happens during the live session and generating cryptographically attested session evidence that enriches your existing log data with verified, tamper-proof records.

How does Keystrike handle third-party vendor remote access?
Keystrike governs third-party vendor sessions transparently — vendors connect through existing remote access tools with no additional steps. Every vendor session is subject to the same deterministic enforcement and generates the same tamper-evident record as internal operator sessions.

Does Keystrike record or store keystrokes?
No. Keystrike verifies that commands originate from a physical human operator through cryptographic attestation — without recording keystrokes, capturing screens, or conducting behavioural analysis.

Can Keystrike operate in air-gapped or segmented OT networks?
Yes. Keystrike operates within the access pathways that already exist in Purdue Model architectures — governing sessions at the points where remote access enters the OT network.

What compliance frameworks does Keystrike support for critical infrastructure?
Keystrike maps directly to NERC CIP (CIP-004, CIP-005, CIP-007), IEC 62443, EPA cybersecurity directives for water and wastewater systems, NIST Cybersecurity Framework, and NIST SP 800-82.

CUSTOMER STORY

Global Water Resources Secures OT Without User Friction

"In about 20 minutes, I had Keystrike up and running. The deployment is simple, well thought out, with clear documentation. Now Keystrike helps us establish that commands are genuine and trustworthy by detecting lurking attackers and blocking when they inject themselves into active sessions. With the combination of powerful technology and ease of deployment, I highly recommend Keystrike."
Steven Brill
VP of IT Operations and Security, Global Water Resources
Critical Infrastructure / Water Utility

WATER · ENERGY · UTILITIES · MANUFACTURING

Close the Post-Authentication Gap Before Your Next Audit — or Incident

Compromised credentials, hijacked sessions, and unverified vendor access remain the three leading causes of OT operational disruption. Keystrike makes every privileged session visible, verifiable, and policy-controlled — deploying alongside your existing infrastructure without replacing tools or disrupting operations.

To speak with a Keystrike engineer: connect@keystrike.com