CyberArk for OT (ICS/SCADA)
LTM
8 - 12 years
Bengaluru
Posted: 09/03/2026
Job Description
Skills : Senior Consultant CyberArk for OT (ICS/SCADA)
Experience : 08 - 12 Years
Location : LTM PAN India
Role Summary
We are seeking a Senior Consultant to lead the design and implementation of CyberArk Privileged Access Management (PAM) for Operational Technology (OT) environments at a Construction/Manufacturing customer. The role will secure and govern privileged access pathways into OT assets (SCADA/HMI, historians, engineering workstations, jump servers, OT servers, OT applications) while respecting OT constraints: segmented networks, high availability, legacy systems, limited patch windows, vendor access needs, and safety-critical operations. You will design OT access architecture (including industrial DMZ patterns), implement credential vaulting, session brokering and recording, and integrate with IT identity/MFA/ITSM/SIEM to deliver auditable, least-privilege privileged access with minimal operational disruption.
Key Responsibilities
OT Privileged Access Architecture & Design
- Lead discovery workshops with OT stakeholders (plant operations, controls engineers, maintenance, vendors, IT security) to document:
  - OT asset inventory and zones (engineering workstations, SCADA/HMI servers, historians, PLC access paths)
  - Privileged account landscape (local admins, domain admins, service accounts, vendor accounts)
  - Remote access patterns (VPN/ZTNA, jump hosts, vendor portals) and constraints
- Define OT privileged access target architecture incorporating:
  - Industrial DMZ access patterns
  - Bastion/jump server approach
  - Identity controls (MFA, conditional access) where applicable
- Create high-level and low-level designs (HLD/LLD), including security controls, network flows, firewall requirements, and operational runbooks
CyberArk Implementation (Core Delivery)
- Implement and configure CyberArk components as per scope:
  - Vault / PVWA, CPM, PSM, PSMP (as required)
- Onboard privileged accounts in OT scope, including:
  - Windows local and domain privileged accounts (engineering workstations, SCADA/HMI servers)
  - Linux/Unix privileged accounts (OT apps, historians, collectors)
  - OT application/service accounts (historians, collectors, middleware, schedulers)
  - Network devices / appliances (firewalls/switches in OT zones) if in scope
- Configure password management:
  - Rotation schedules aligned with OT change windows
  - Reconciliation processes and emergency rotation procedures
- Implement privileged session access:
  - RDP/SSH brokering via PSM/PSMP
  - Session recording policies, command controls (where applicable)
  - Least-privilege access workflows for OT administrators and vendors
Vendor and Contractor Access (OT-Focused)
- Design and implement controlled vendor access patterns:
  - Time-bound, approved access windows
  - Brokered sessions via jump hosts
  - Session recording and accountability
- Reduce/replace shared local admin usage with named access wherever feasible
- Define and implement break-glass procedures aligned to safety and operational needs
Integration (IT/OT Convergence)
- Integrate CyberArk with enterprise services:
  - AD/LDAP for identity and group-based access
  - MFA/IdP integration (Okta/Entra) where required for privileged workflows
  - ITSM (ServiceNow/Jira) for approvals, exception handling, and evidence
  - SIEM (Splunk/Microsoft Sentinel) for audit and detection use cases
- Collaborate with network/security teams to implement connectivity in segmented OT networks and DMZs
Documentation, Training, and Governance
- Produce artifacts suitable for regulated and audit environments:
  - HLD/LLD, SOPs/runbooks, as-built documents, test evidence, support playbooks
- Conduct training for OT admins/support teams:
  - How to access OT assets through CyberArk
  - How to request/approve vendor access
  - How to handle emergencies and break-glass
Skills
Must Have
CyberArk
- Strong hands-on experience implementing and operating:
  - CyberArk PVWA, CPM, PSM, PSMP, Vault fundamentals
- Proven experience onboarding and managing:
  - Windows local/domain privileged accounts
  - Linux/Unix privileged accounts
  - Service/application accounts and handling dependencies
- Strong knowledge of:
  - Credential rotation/reconciliation strategies
  - Session management, recording, and audit trails
  - Safe design, role design, and least privilege
OT / ICS Security
- Practical experience working in OT/ICS environments (manufacturing, construction plants/sites, industrial facilities)
- Solid understanding of OT access patterns and constraints:
  - Segmented OT networks and industrial DMZ concepts
  - Engineering workstation and vendor access realities
  - Safety/availability considerations and strict change control
- Ability to work effectively with controls engineers, plant ops, and vendors
Infrastructure & Networking
- Strong knowledge of Windows and Linux administration concepts relevant to PAM
- Networking fundamentals: DNS, routing, firewall rules, ports, RDP/SSH, proxies
- Troubleshooting complex connectivity across segmented networks/DMZ
Nice to Have
- Familiarity with OT security frameworks and approaches (zones/conduits mindset, risk-based segmentation)
- Experience integrating CyberArk with:
  - Okta/Entra ID (MFA/IdP)
  - ServiceNow/Jira (approvals/evidence)
  - SIEM tooling for audit analytics and alerting
- Experience securing remote vendor access solutions (jump servers, VDI/Citrix, ZTNA)
- Knowledge of OT security monitoring platforms and how PAM complements them
Tools/technologies
- CyberArk - PVWA, CPM, PSM, PSMP, Vault
- AD/LDAP integration
- ServiceNow/Jira integrations
