Your firewall, MFA, and PAM confirm who connects to your SCADA systems. But once the session starts, nothing governs what happens inside it. This is the Governance Gap that enabled unauthorised commands in Oldsmar and persistent state-sponsored access through Volt Typhoon.
Your identity tools grant access. Your SIEM logs what happened. Keystrike governs what happens during the live session. You don't have to rip out or replace the tools you already have. Keystrike is the essential final piece that makes your existing stack deliver Continuous Access Governance.
You need to see what is happening right now, especially the sessions your existing tools miss. Keystrike gives you live visibility: a real-time map of every remote access connection, across every protocol, including sessions from unmanaged and unknown clients.
You need certainty that every remote session in your OT environment is governed, not just logged. Keystrike gives you real-time enforcement: deterministic verification that blocks unauthorised commands over RDP and SSH in real time, before they execute. A binary cryptographically attested signal ensures deterministic enforcement, not probabilistic detection.
You need evidence — not just policies. Keystrike gives you provable governance: tamper-evident session records mapped directly to NERC CIP, IEC 62443, and NIST requirements. Every remote access session generates audit-ready evidence automatically.
Hijacked sessions and unverified remote commands are sufficient to cause operational disruption; no full system compromise is required. A single automated or malicious command can trip a breaker, shut down a pump, or alter water pressure.
In January 2024, attackers caused a water tank overflow in Muleshoe, Texas by exploiting unverified remote sessions in a municipal SCADA system, forcing operators to switch to manual control. The attack was attributed to foreign hacking groups. — Chemical Processing, 2025
Keystrike blocks every unattested command in real time. Only verified physical operator input reaches OT systems, whether the session is hijacked, credentials are stolen, or the command originates from an automated script.
With Keystrike:
Third-Party Vendor Access as an OT Attack Vector
Utilities depend on contractors and vendors for maintenance and monitoring. Compromised vendor credentials are among the most common initial access vectors in OT environments, and once inside, no session-level verification exists to stop what happens next.
In the Oldsmar, Florida water treatment incident, an attacker used a legitimate remote access tool to raise sodium hydroxide to dangerous levels, endangering thousands of residents. The session appeared legitimate. The command was not. — ICS-CERT
Keystrike validates every vendor and contractor action before execution. Compromised credentials cannot produce commands that pass Keystrike's physical attestation requirement.
With Keystrike:
IT-to-OT Lateral Movement as a Persistent Threat Vector
Most OT breaches begin in IT. Attackers use phishing, stolen credentials, or vendor access to move laterally into operational control systems, exploiting the absence of session-level verification between IT and OT environments.
In 2023, Volt Typhoon — a Chinese state-linked threat actor — maintained persistent access to Littleton Electric Light and Water in Massachusetts for over 300 days via lateral IT-to-OT movement. No session-level control existed to detect or block commands from the compromised IT environment. — CISA Advisory, 2024
Keystrike enforces session-level isolation between IT and OT. Stolen credentials and compromised IT sessions cannot produce attested commands in OT systems, regardless of how network access was achieved.
With Keystrike:
Your identity tools grant access. Your SIEM logs events. Keystrike governs what happens during the live session.
Keystrike does not record keystrokes, credentials, or personally identifiable information. Verification is cryptographic and deterministic, not behavioral, eliminating false positives and privacy concerns. Keystrike evaluates governance signals; it does not capture, store, or replay session content.
| Tool | Without Keystrike | With Keystrike |
|---|---|---|
| IAM / PAM / MFA | Verify identity at login, then hand off control entirely. No oversight of what happens inside the session. | Every action inside the session is verified and enforced. |
| SIEM / SOAR / XDR | Detect and alert on anomalies after commands execute. No ability to act within the session itself. | Commands are blocked inside the session, before your detection stack ever sees them. |
NERC CIP requires organisations to log and monitor all electronic access to critical cyber assets. IEC 62443 mandates access control and security zone enforcement for industrial control systems. EPA guidance requires utilities to document and audit remote access to operational technology.
Keystrike supports each requirement by producing continuous, cryptographically attested session-level evidence of every privileged action, without capturing keystrokes, storing session content, or requiring changes to existing infrastructure.
Continuous compliance evidence across every governed session. Track progress toward regulatory goals with live data. Prove your remote access governance posture is improving in real time, not reconstructed after the fact.
“In about 20 minutes, I had Keystrike up and running. The deployment is simple, well thought out, with clear documentation. Now Keystrike helps us establish that commands are genuine and trustworthy by detecting lurking attackers and blocking when they inject themselves into active sessions. With the combination of powerful technology and ease of deployment, I highly recommend Keystrike.”
Compromised credentials, hijacked sessions, and unverified vendor access remain the three leading causes of OT operational disruption. Keystrike makes every privileged session visible, verifiable, and policy-controlled — deploying alongside your existing infrastructure without replacing tools or disrupting operations.
Session governance for OT environments means continuously verifying and controlling what happens during every privileged remote access session in operational technology infrastructure — including SCADA, ICS, and DCS systems. Unlike perimeter security or identity security, session governance operates after authentication, ensuring that authorised users only execute authorised commands.
OT network monitoring tools focus on network traffic analysis and asset discovery. Keystrike operates at the session layer, governing what authenticated users do during privileged remote sessions. Where IAM and PAM verify who gets access and SIEM and XDR record what happened, Keystrike enforces policy during the live session. It strengthens every tool in your stack by providing the continuous session governance they were not built to deliver.
No. Keystrike deploys without agents on OT endpoints, PLCs, RTUs, or HMIs. It governs sessions transparently within existing remote access workflows. Typical deployment completes in 20 minutes.
Keystrike completes and strengthens PAM and IAM by governing what happens inside the sessions they grant. PAM controls who gets access to OT systems and manages privileged credentials. Keystrike governs what those users do once they're inside the session, verifying commands in real time and blocking unauthorised actions before they execute.
SIEM and XDR log events after they occur, so detection is inherently reactive. Keystrike complements your SIEM by governing what happens during the live session and generating cryptographically attested session evidence that enriches your existing log data with verified records.
Keystrike governs third-party vendor sessions transparently — vendors connect through existing remote access tools with no additional steps. Every vendor session is subject to the same deterministic enforcement and generates the same tamper-evident record as internal operator sessions.
No. Keystrike verifies that commands originate from a physical human operator through cryptographic attestation — without recording keystrokes, capturing screens, or conducting behavioural analysis.
Yes. Keystrike operates within the access pathways that already exist in Purdue Model architectures — governing sessions at the points where remote access enters the OT network.
Keystrike supports compliance with NERC CIP (CIP-004, CIP-005, CIP-007), IEC 62443, EPA cybersecurity directives for water and wastewater systems, NIST Cybersecurity Framework, and NIST SP 800-82 through continuous session verification, deterministic policy enforcement, and cryptographically attested governance evidence across every privileged remote session.