Request demo
Product_page_Icon

PrivX™ OT Case Study - Industrial Crane Manufacturer

PrivX_background_01_mobile

A Marine Vessel Operator Secures Remote Access, Diagnostics and IoT Data Collection 

Industrial Crane Manufacturer Secures and Simplifies On-site and Off-site Port Maintenance

PrivX for IT/OT Access Get the 2-pager

 

Remote_Port_operations_simplified

Customer

The customer is a global industrial crane manufacturer and services provider with operations in major ports for loading and unloading containers using automation. 

Customer's security and operational concerns

Crane operations are mostly automated but they need regular optimization, maintenance and upgrades to be effective. These adjustments are done mostly remotely by engineers and technicians from all over the world. 

The customer soon realized that this mission-critical access from the public cloud environment came with risks, including:

  1.  Production disruptions: Remote-operated cranes are vulnerable to cybersecurity attacks, whether they are connected to the internet. A hacker accessing a crane could disrupt port operations, cause material accidents or jeopardize the safety of the harbor workforce.
  2. Industrial espionage: Ungoverned access to port operations could allow stealing optimization, diagnostics or other type of data from cranes.
  3. Regulatory violations: With the emergence of the Network and Information Security 2 (NIS2) Directive, poorly secured ports are subject to substantial fines.

Customer challenge - complex access management, incomplete control

The customer had segmented its networks and was running a private port network with basic level access control to the 5G port network itself. However, with this set up:
  • There was a general lack of oversight of remote access to ports (who did what, when and with what rights)
  • The customer was not able to limit access even per maritime facility, meaning that a technician operating in Asia could access ports in Europe, and vice versa.
  • Once a technician was inside the network, they had access to many cranes.
  • Restricting privileges to the minimum for the task at hand was hard to configure or limited.
  • Internal employee and third-party access tracking and identification was limited.
  • The customer had multiple point solutions in use for access.
  • Access credentials were insufficiently managed.
The customer decided to look for an access solution that could meet their requirements and discovered PrivX OT by SSH Communications Security.
Complex remote access management to industrial cranes at a port

 

PrivX OT deployment in the customer environment

The customer decided to radically simplify their access management environment by replacing the point solution approach they had implemented earlier. Instead of using VPN tunnels per access, they centralized their management under one Digital Gatekeeper, PrivX OT.

Remote_Port_operations_architecture

  1. PrivX was integrated with multiple IAMs and ADs to always link an ID to a role for each session. 
  2. Both employees and vendor technicians log in to a VPN service, opening access to a VPN gateways zone behind a firewall.
  3. After this phase, PrivX restrict access to a minimum needed to get the job done.
  4. PrivX offers multiple authentication methods, including: 
    • AD/LDAP user & password
    • Local user & password
    • OpenID Connect
    • MFA (TOTP & Biometric)
    • Passkeys / FIDO2
    • TLS client certificate
    • SSH public key
    • External JSON web token
    • PrivX Authorizer
  5. After authentication, PrivX automatically maps the identity to the right role for access.
  6. PrivX stores and rotates the credentials needed for access or enables passwordless access. Credentials are vaulted and rotated after use, or in the case of passwordless access, the user never even sees or handles any credentials.
  7. The user (maintenance engineer, vendor engineer, ship technician, etc.) only sees a list of available targets based on the role – and nothing else.
  8. The user selects the target from the list and gets access to it. The target can be a single application, gauge, or crane operation module, depending on the task at hand. The actions the user is allowed to perform can be restricted as necessary, allowing options ranging from read-only or to full access.
  9. Through AWS Direct Connect, the traffic is routed to a cloud-hosted PrivX instance best suited for the connection, based on the load and location.
  10. All sessions produce an audit trail. For the most important connections, session recording or live monitoring is available. It also possible to require external authorization by the site admin for critical sessions.
  11. After the session is over, offboarding is automatic. Every session is verified each time it is made, in a just-in-time (JIT) fashion to align with the Zero Trust security framework. 

Ensuring access control and restrictions at the user level

Global
Regional restrictions to access maritime ports. Increased security and control over vendor technician access for debugging and maintenance sessions.
Robot-hand
Automated linking of a role to an identity ensuring that all sessions can be verified with strong IDs.

.

Users
Adding granular access control with minimal changes to existing VPN/Firewall/technology infrastructure.
certificate
Just-in-time (JIT) access instead of always-on connections to the ships. Each connection to a port or crane is establish at the same time as the authorization and is verified each time it is made – in a true Zero Trust fashion.
Priviledged-access-management
All the secrets (passwords) are managed centrally for risk mitigation.
Secure-file-transfer

PrivX OT is the centralized and streamlined access gateway for all the cranes at port. Any employee or third party gets access from any location to an individual crane in a uniform, controlled way.

Checklist
All connections are tracked and produce a solid audit trail – with session recordings and live monitoring available.
Cloud
Scalable cloud deployment ensures that the solution can expand as the port operations expand.

PrivX PAM technology comes in different flavors

 

PAM for industrial automation and manufacturing businesses

PrivX OT Edition

 

Go beyond mere secure remote access (SRA) with a full-scale OT access management solution.

PrivX OT provides on- and off-site secure access to modern IT/OT targets in hybrid environments.

Learn more

PAM for managed hosts and multi-tenant environments

PrivX MSP Edition

 

Grant secure access for multiple roles to multi-tenant customer environments and managed hosts.

Demonstrate proper access governance to your customers with audit trails of all activities.

Learn more

passwordless and keyless access

Zero Trust, Just-in-Time Access Management


Manage encryption keys and passwords from a single pane of glass. Start small or go to
 enterprise scale.

Then, radically reduce the number of encryption keys and passwords to manage with credential-less authentication.

Zero Trust Suite