Job Title: CyberArk for OT (ICS/SCADA)
Company: LTM
Location: Bangalore, Karnataka
Created: 2026-03-09
Job Type: Full Time
Job Description:
Skills: Senior Consultant CyberArk for OT (ICS/SCADA)
Experience: 08 - 12 Years
Location: LTM PAN India

Role Summary

We are seeking a Senior Consultant to lead the design and implementation of CyberArk Privileged Access Management (PAM) for Operational Technology (OT) environments at a Construction/Manufacturing customer. The role will secure and govern privileged access pathways into OT assets (SCADA/HMI, historians, engineering workstations, jump servers, OT servers, OT applications) while respecting OT constraints: segmented networks, high availability, legacy systems, limited patch windows, vendor access needs, and safety-critical operations. You will design OT access architecture (including industrial DMZ patterns), implement credential vaulting, session brokering and recording, and integrate with IT identity/MFA/ITSM/SIEM to deliver auditable, least-privilege privileged access with minimal operational disruption.

Key Responsibilities

OT Privileged Access Architecture & Design

· Lead discovery workshops with OT stakeholders (plant operations, controls engineers, maintenance, vendors, IT security) to document:
  o OT asset inventory and zones (engineering workstations, SCADA/HMI servers, historians, PLC access paths)
  o Privileged account landscape (local admins, domain admins, service accounts, vendor accounts)
  o Remote access patterns (VPN/ZTNA, jump hosts, vendor portals) and constraints.
· Define OT privileged access target architecture incorporating:
  o Industrial DMZ access patterns
  o Bastion/jump server approach
  o Identity controls (MFA, conditional access) where applicable.
· Create high-level and low-level designs (HLD/LLD), including security controls, network flows, firewall requirements, and operational runbooks

CyberArk Implementation (Core Delivery)

· Implement and configure CyberArk components as per scope:
  o Vault / PVWA, CPM, PSM, PSMP (as required)
· Onboard privileged accounts in OT scope, including:
  o Windows local and domain privileged accounts (engineering workstations, SCADA/HMI servers)
  o Linux/Unix privileged accounts (OT apps, historians, collectors)
  o OT application/service accounts (historians, collectors, middleware, schedulers)
  o Network devices / appliances (firewalls/switches in OT zones) if in scope.
· Configure password management:
  o Rotation schedules aligned with OT change windows
  o Reconciliation processes and emergency rotation procedures.
· Implement privileged session access:
  o RDP/SSH brokering via PSM/PSMP
  o Session recording policies, command controls (where applicable)
  o Least-privilege access workflows for OT administrators and vendors.

Vendor and Contractor Access (OT-Focused)

· Design and implement controlled vendor access patterns:
  o Time-bound, approved access windows
  o Brokered sessions via jump hosts
  o Session recording and accountability
· Reduce/replace shared local admin usage with named access wherever feasible.
· Define and implement break-glass procedures aligned to safety and operational needs.

Integration (IT/OT Convergence)

· Integrate CyberArk with enterprise services:
  o AD/LDAP for identity and group-based access
  o MFA/IdP integration (Okta/Entra) where required for privileged workflows
  o ITSM (ServiceNow/Jira) for approvals, exception handling, and evidence
  o SIEM (Splunk/Microsoft Sentinel) for audit and detection use cases.
· Collaborate with network/security teams to implement connectivity in segmented OT networks and DMZs.

Documentation, Training, and Governance

· Produce artifacts suitable for regulated and audit environments:
  o HLD/LLD, SOPs/runbooks, as-built documents, test evidence, support playbooks
· Conduct training for OT admins/support teams:
  o How to access OT assets through CyberArk
  o How to request/approve vendor access
  o How to handle emergencies and break-glass.

Skills - Must Have

CyberArk

· Strong hands-on experience implementing and operating:
  o CyberArk PVWA, CPM, PSM, PSMP, Vault fundamentals
· Proven experience onboarding and managing:
  o Windows local/domain privileged accounts
  o Linux/Unix privileged accounts
  o Service/application accounts and handling dependencies
· Strong knowledge of:
  o Credential rotation/reconciliation strategies
  o Session management, recording, and audit trails
  o Safe design, role design, and least privilege

OT / ICS Security

· Practical experience working in OT/ICS environments (manufacturing, construction plants/sites, industrial facilities).
· Solid understanding of OT access patterns and constraints:
  o Segmented OT networks and industrial DMZ concepts
  o Engineering workstation and vendor access realities
  o Safety/availability considerations and strict change control
· Ability to work effectively with controls engineers, plant ops, and vendors

Infrastructure & Networking

· Strong knowledge of Windows and Linux administration concepts relevant to PAM.
· Networking fundamentals: DNS, routing, firewall rules, ports, RDP/SSH, proxies.
· Troubleshooting complex connectivity across segmented networks/DMZ.

Nice to Have

· Familiarity with OT security frameworks and approaches (zones/conduits mindset, risk-based segmentation).
· Experience integrating CyberArk with:
  o Okta/Entra ID (MFA/IdP)
  o ServiceNow/Jira (approvals/evidence)
  o SIEM tooling for audit analytics and alerting
· Experience securing remote vendor access solutions (jump servers, VDI/Citrix, ZTNA).
· Knowledge of OT security monitoring platforms and how PAM complements them.

Tools/technologies

· CyberArk - PVWA, CPM, PSM, PSMP, Vault
· AD/LDAP integration
· ServiceNow/Jira integrations