Remote Access for OT Environments

Secure and simplify access in OT environments with KeeperPAM®

Remotely connect to HMIs, PLCs and industrial systems in Operational Technology (OT) environments with zero-trust access. KeeperPAM offers session recording, credential protection and seamless deployment.

OT environments face unique access and security challenges

HMIs are rarely accessible off-site

Human-Machine Interfaces (HMIs) are often low-spec Windows CE machines with no ability to join domains, apply patches or enforce user controls. They typically don't support third-party software and often live on isolated private networks. Despite hosting RDP or VNC services, these devices are rarely accessed remotely due to security and connectivity limitations.

Legacy access methods fall short

SCADA systems typically replicate only the most essential HMI screens. Critical diagnostic views and OEM-specific tools are often left out. When issues occur, teams must return to the physical HMI to investigate and resolve the problem. This lack of full visibility delays response times, increases operational risk and leaves organizations dependent on outdated, manual access methods.

KeeperPAM is built for OT environments and designed for simplicity

Just-In-Time (JIT) access to HMIs, PLCs and more

KeeperPAM enables secure, time-limited access without ever exposing passwords or SSH keys. Remote operators and engineers can safely interact with systems as needed - no standing privileges, no unnecessary risk.

Lightweight deployment with Keeper Gateway

Deploying Keeper in OT environments is simple. A single gateway connects outbound to Keeper Cloud, eliminating the need for firewall changes or VPN dependencies. It's scalable, secure and made for minimal infrastructure.

Native support for VNC, RDP, SSH and browser-based sessions

Whether you're connecting to a touchscreen panel via VNC or troubleshooting a controller through SSH, KeeperPAM supports it out of the box, without the need to install agents on target machines.

Launch HMI access alongside your SCADA workflow

With KeeperPAM, teams can use tools like Ignition's SDKs or scripting features to create custom launch points that open sessions through the Keeper Vault. This enables seamless access to underlying HMIs without rebuilding screens or interrupting your established workflow.

Maintain visibility into full machine functionality

When SCADA doesn't expose all control screens, KeeperPAM bridges the gap. Operators and engineers can remotely access native HMI interfaces to troubleshoot faults and access functions that weren't rebuilt in SCADA systems.

Transform your OT operations

Increase uptime and incident response speed

In the event of equipment failure, immediate remote access enables faster root-cause analysis and safer shutdowns, minimizing disruptions and downtime.

Reduce password risk and credential sprawl

KeeperPAM eliminates insecure credential storage by securing passwords and SSH keys in a zero-knowledge vault. Credentials are injected during sessions and automatically rotated after use.

Fully auditable access with session recording

Every remote session is logged and recorded, including screen activity and keystrokes, to ensure full transparency for audits, compliance and security investigations. Recordings are encrypted, stored in the cloud and support standards like SOC 2 and NIST 800-53.

Why choose KeeperPAM for OT security?

Flexible, cloud-native access for legacy and modern systems

KeeperPAM delivers agentless, credential-free access to HMIs, PLCs and other OT systems using standard protocols like RDP, VNC and SSH. For IT environments that require privilege enforcement on desktops or servers, Keeper also offers an optional agent-based Endpoint Privilege Manager.

Trusted by security and compliance teams

With built-in support for frameworks like NIST 800-53, ISO 27001 and SOC 2, KeeperPAM helps teams meet compliance mandates with ease. All sessions are logged, recorded and governed by granular Role-Based Access Controls (RBAC) to support audits and reduce risk.

Experience secure, remote access for your industrial environment

Frequently asked questions

Can KeeperPAM be used to access legacy HMIs?

Yes. KeeperPAM enables secure access to legacy and modern HMIs using RDP, VNC, SSH and browser isolation, without exposing credentials or requiring a VPN. It supports Windows, Linux and web-based HMIs, with features like credential injection, session recording, real-time monitoring and role-based access. All connections are encrypted, helping organizations meet OT security and compliance requirements while preserving air gaps.

Do I need to install anything on the HMI or PLC?

No. KeeperPAM does not require any software to be installed on HMIs, PLCs or other target systems. Instead, a lightweight Keeper Gateway service is deployed on a single server or VM (Linux or Docker) with network access to the devices you want to reach. The Gateway connects outbound over HTTPS (port 443) to Keeper Cloud - no inbound firewall changes required. This approach preserves the integrity and performance of OT devices while enabling secure credential injection, session proxying (RDP, VNC, SSH, HTTP/S) and complete audit logging.

Can KeeperPAM scale across multiple sites or skids?

Yes, simply deploy a Keeper Gateway to each site. It can be installed on Windows, Linux or any system running Docker. The Keeper Gateway only needs line-of-sight network access to the target systems over native protocols.

Does KeeperPAM require VPN access or changes to my firewall or network architecture?

No, the Keeper Gateway works by creating outbound-only connections to the Keeper Cloud. Once the connection is established, users can establish zero-trust connections to the target infrastructure directly from the Keeper Vault.