Credential Management.
Rotate it.

Every PAM tool can vault a password. Only ConsoleWorks can rotate it directly on the device — including PLCs, RTUs, and protective relays that IT tools can't reach. Rotation happens through the same SRA connection that ConsoleWorks establishes to the device — protocol-native, agentless, no plugins, no compatibility matrix, no manual steps.

Zero: Credentials ever seen or handled by users — vaulted and injected automatically
Zero: Agents installed on any managed endpoint — agentless rotation via native protocol
100%: Of rotations executed directly on the endpoint — confirmed on the device, not just in the vault
1: Platform for vaulting, injection, and rotation — no separate PAM tool, no compatibility gaps
Common question — At a glance

How do you rotate and audit credentials across IT and OT devices that traditional IT password tools cannot reach, while meeting NERC CIP-007 and IEC 62443 requirements?

Credential Management vaults credentials inside ConsoleWorks and rotates them directly on IT and OT devices, including those that traditional IT password tools cannot reach. Operators authenticate to ConsoleWorks; ConsoleWorks authenticates to the device using credentials operators never see.

The Problem

Shared passwords.
Default credentials.
No rotation. Ever.

Many managed environments run on credentials that were set during commissioning and never changed. Passwords shared between dozens of technicians across multiple vendors. Default credentials never replaced. Embedded passwords hardcoded into systems that haven't been touched in years. No one knows who has them, where they've been shared, or whether they've been compromised. And no one rotates them — because rotating a credential on a PLC, RTU, or network device is technically complex, operationally risky, and requires direct device access that most teams don't have a safe way to establish.

Default credentials never changed from commissioning — "admin/admin" still in production
Shared credentials across vendors and staff — no way to prove who used them or when
PAM tools can vault IT credentials — they can't rotate passwords on PLCs, RTUs, or protective relays
Manual rotation requires a technician on-site — so it never happens on schedule
Former employees and vendors retain credentials long after their access should have ended
Compromised credentials are used for months before discovery — no rotation, no expiry
The ConsoleWorks Answer

Rotation executed directly on the device

ConsoleWorks connects to the endpoint through SRA and changes the password in place — on the device itself, in its native protocol. Not just updating a vault entry. The actual credential, on the actual device, rotated.

Reaches every device — including Level 0

Multi-zone traversal means ConsoleWorks can rotate credentials on PLCs, RTUs, protective relays, and network infrastructure behind concentrators and front-end processors — devices that standard IT PAM tools can't reach.

Users never see the password

Credentials are vaulted in ConsoleWorks and injected automatically when a session opens. The user works within ConsoleWorks — ConsoleWorks makes the connection to the device. The user never has a direct path to the endpoint, and never sees the credential. Rotation happens in the background.

Scheduled, on-demand, or event-triggered

Rotation runs on configurable schedules per device type, on demand at any time, or triggered automatically — after a vendor session ends, after a measurement failure, or on any defined condition.

Full audit trail — every rotation logged

Every credential rotation generates an audit record: which device, which credential, when it was changed, and what triggered the rotation. NERC CIP, NIST, and IEC 62443 evidence generated automatically.
The Credential Lifecycle

From first use to expiry.
Managed automatically.

The credential lifecycle in many managed environments has historically been: set during commissioning, shared widely, never rotated, never expired. ConsoleWorks addresses every stage in that lifecycle — automatically, without manual intervention at any step.

Step 1: Onboarded
Device credentials onboarded into the vault and associated with the Inventory Asset record

Step 2: Vaulted & Controlled
Credentials encrypted in the vault — access controlled by RBAC, injected automatically into sessions. Users never see the password.

Step 3: Rotated on Schedule
ConsoleWorks connects to the device and changes the credential in place — on schedule, on demand, or event-triggered. Vault updated automatically.

Step 4: Verified & Scored
Rotation confirmed on the endpoint. Measurement updated. Risk score reflects current credential state. Compliance evidence generated.

Continuous: Monitored & Enforced
Credential age, rotation compliance, and policy adherence monitored continuously — alerts fire before the compliance window closes.
Why OT Is Different

Any PAM tool can rotate
a Windows password.
Try it on a relay.

IT-focused PAM platforms are powerful — for IT environments. They vault and rotate credentials on Windows servers, Linux systems, network devices, and cloud infrastructure. They cover the IT side of your environment well.

The OT side is a different problem. A PLC doesn't run a Windows agent. An RTU doesn't respond to a REST API call. A protective relay's authentication is handled through a proprietary protocol that no IT PAM tool was built to speak. Rotating credentials on these devices requires a direct, protocol-native connection to the device itself.

That's exactly what ConsoleWorks SRA provides. And because CM runs on top of SRA, it inherits everything SRA can reach — including Level 0 field devices and IT infrastructure behind multiple security zone boundaries that standard PAM tools can't traverse.

Devices ConsoleWorks Can Rotate Credentials On

| Device | Protocols | Details | ConsoleWorks | IT PAM tools |
|---|---|---|---|---|
| PLCs | Serial · Ethernet/IP | Connects in native PLC protocol — no agent, no software installed on the controller | ✓ | ✗ |
| RTUs | Serial | Reaches RTUs behind concentrators and front-end processors through multi-zone traversal | ✓ | ✗ |
| Protective Relays | Serial · Telnet · Proprietary | Protocol-native connection to relay firmware — credentials changed directly on the device | ✓ | ✗ |
| HMIs | RDP · VNC · Telnet | GUI and CLI credential rotation on HMI workstations — agentless, no disruption to operator screens | ✓ | |
| SCADA Servers | SSH · RDP · Telnet | Full credential lifecycle management on SCADA infrastructure — service accounts, local accounts, application credentials | ✓ | |
| Historians & Engineering Workstations | SSH · RDP · Windows | Full credential lifecycle on IT-adjacent OT systems — same platform, same vault, same audit trail | ✓ | |
How It Works

Vault. Inject. Rotate.
All through SRA.

Three integrated functions running on one platform. No separate PAM tool. No plugin per device type. No compatibility gaps.

01 · Vault

Credential Vaulting

Every managed device credential stored in the ConsoleWorks vault — encrypted, access-controlled, and available only to authorized sessions. No user ever sees or handles the password.

Encrypted credential storage — AES-256, access controlled by RBAC
Supports local accounts, service accounts, application credentials, and shared accounts
Per-device credential management — different credentials per account type per device
Credential age tracking — visibility into last rotation date and policy compliance status
Integration with Active Directory and LDAP for enterprise account management
02 · Inject

Automatic Injection

When an authorized session opens to a managed device, ConsoleWorks retrieves the credential from the vault and presents it to the device automatically. The user never sees, copies, or types the password.

Seamless injection — users see the session open, not the credential exchange
Protocol-native injection — SSH key injection, password submission, token-based — per device type
RBAC-gated — only users with the right role can open a session to a given device
Session recorded — full record of what was done after injection, tied to the user identity
Credential never transmitted to the user workstation — stays within the ConsoleWorks platform
03 · Rotate

Active Rotation

ConsoleWorks connects to the device through SRA, executes the credential change in the device's native protocol, and updates the vault. The rotation happens on the endpoint — not just in a database.

Scheduled rotation — configurable per device type, per account, per compliance requirement
On-demand rotation — triggered manually or by policy at any time
Event-triggered rotation — automatically after vendor session, after security event, or measurement failure
Rotation verified — ConsoleWorks confirms the new credential is accepted by the device before closing the vault update
Rollback protection — if rotation fails, old credential retained in vault and alert generated
Role-Based Requirements

CM across Operations,
Security, and Compliance.

The same capability — different requirements for each team.

Operations Team

No credential exposure. No disruption. No manual steps.

Operations teams deal with two competing realities: devices that need to be accessible for maintenance and operations, and credentials that need to be protected. ConsoleWorks removes the tension. Vendors and technicians get seamless access to the devices they need — credentials are presented automatically, never shared, never visible. And when rotation happens, operations teams don't feel it — the new credential is in the vault and available immediately for the next session.

Zero Disruption to Operations
Rotation executes in the background — the credential is changed on the device and updated in the vault atomically. The next session opens immediately with the new credential. No lockouts, no delays.
Vendors Never Handle Credentials
Vendor sessions open through ConsoleWorks — credentials injected automatically. The vendor accesses the device without ever knowing the password. When their access ends, the credential can be rotated immediately.
Immediate Post-Session Rotation
After any vendor or contractor session closes, ConsoleWorks can automatically rotate the device credential — reducing residual access risk after the work is complete.
Operations Capabilities

What CM delivers for operational continuity

Every capability designed to eliminate credential-related operational risk without adding friction to legitimate access.

Seamless credential injection — sessions open without users touching or seeing passwords
Post-vendor session rotation — credential changed automatically when vendor disconnects
Minimal lockout risk — rotation verified on the device before vault is updated
Reaches Level 0 devices — PLCs, RTUs, protective relays via multi-zone traversal
No agents on managed endpoints — agentless rotation via native protocol connection
Credential age visibility — know which devices have stale credentials before audit or incident
Security Team

Eliminate standing credentials. Eliminate the attack surface they create.

A credential that never rotates is an attacker's best friend. Credentials on PLCs, RTUs, SCADA systems, and servers are often years old, shared across dozens of staff and vendors, and invisible to most monitoring systems. ConsoleWorks eliminates standing credentials as a viable attack vector — by ensuring every credential is vaulted, injected automatically, rotated on schedule, and never transmitted to a user workstation.

No Standing Credentials
Credentials rotated on schedule mean there are no long-lived static passwords to steal. A compromised credential is only valid until the next rotation — which may be minutes after discovery.
Credential Never Leaves the Platform
The password is never transmitted to the user's workstation. No clipboard risk, no keystroke logging risk, no screenshot risk. The credential exchange happens entirely within ConsoleWorks.
Every Access Tied to an Identity
Because credentials are injected through ConsoleWorks, every device access is tied to a verified user identity — not a shared credential that could have been used by anyone.
Security Capabilities

What CM delivers for your security posture

Credential management as a security control — not an IT convenience.

No standing credentials — rotation eliminates long-lived static passwords as an attack surface
Credential never transmitted to user workstations — no clipboard, no keylogger risk
Every access tied to a verified identity — no shared credential ambiguity
Immediate rotation on security event — compromised credential rotated on detection, not on schedule
Default credential elimination — commissioning credentials replaced automatically on onboarding
Credential scope aligned to RBAC — access to credentials gated identically to access to devices
Compliance Team

CIP-007 R5. Automated. Current. Continuously documented.

NERC CIP-007 R5 requires password management controls for all BES Cyber Assets — including default credential changes, password complexity enforcement, and documented change procedures. Historically, this meant manual processes, spreadsheet tracking, and audit scrambles. ConsoleWorks automates the entire requirement — credentials managed, rotated, and documented continuously. When your auditor asks for CIP-007 R5 evidence, you run the report.

CIP-007 R5 Automated
Default credential replacement, password complexity enforcement, and rotation documentation — all handled automatically. No manual tracking, no spreadsheets, no audit preparation required.
Rotation Evidence Auto-Generated
Every rotation generates an audit record: device, credential, timestamp, trigger, and outcome. Traceable to a specific session, a specific user, and a specific compliance requirement.
Audit-Ready on Demand
Credential management evidence generated continuously — not assembled before the audit. On-demand reporting for any device, any time period, any framework.
Compliance Capabilities

What CM delivers for your compliance program

Credential evidence that used to require manual spreadsheet tracking — generated automatically on every rotation cycle.

NERC CIP-007 R5 — password management controls automated for all BES Cyber Assets
Default credential replacement documented — commissioning credentials replaced and logged on onboarding
Rotation evidence per device — timestamp, trigger, outcome, and user identity on every rotation
NIST 800-53, IEC 62443, TSA Pipeline Security Directive alignment
Credential age reporting — visibility into which devices are within or outside rotation policy
On-demand audit report — any device, any time period, any compliance framework
How We Compare

The vault is not the differentiator.
The access layer is.

| Capability | ConsoleWorks CM | IT PAM Platforms | Privileged Access Tools |
|---|---|---|---|
| Field device rotation | PLCs, RTUs, protective relays — via SRA multi-zone traversal to Level 0 | Not supported — requires agent or plugin; no native OT field device protocol support | Limited — IT/OT boundary devices supported, Level 0 field devices not reachable |
| Rotation method | Active — connects to device in native protocol and changes credential in place on the endpoint | Active on IT devices — plugin-based, requires connector per device type, OT coverage limited | Active on IT devices — strong IT coverage, OT rotation requires additional configuration |
| Protocol support | SSH, Telnet, Serial, RDP, VNC, DNP3, Modbus — every device in its native protocol | SSH, RDP, Windows — strong IT protocol coverage, OT protocols via limited partner integrations | SSH, RDP, Windows, some OT — good IT coverage, OT protocols limited |
| Agent requirement | Zero agents — agentless rotation via SRA connection, including on OT devices | Agent required for many platforms — impractical on OT field devices | Agent-optional for IT — OT rotation typically agentless but limited to IP-accessible devices |
| Integrated access layer | SRA + CM on one platform — the same connection that gives access rotates credentials | Separate products — PAM and Privileged Remote Access are distinct tools requiring integration | Separate product — Password Safe and Privileged Remote Access require separate configuration |
| Post-session rotation | Automatic — credential rotated the moment a vendor or contractor session closes | Configurable — possible but requires additional workflow configuration per session type | Supported — session-based rotation available with workflow configuration |
| NERC CIP-007 R5 | Automated — default replacement, rotation, documentation, and audit evidence on every cycle | Supported — strong compliance reporting, OT device coverage gaps may require supplemental tools | Supported — compliance reporting available, OT field device coverage varies |
CM in the Platform

Credential state feeds
risk scores and compliance evidence.

CM doesn't operate in isolation. Every rotation updates the credential state in the Asset Inventory, triggers a measurement re-run, and generates compliance evidence. Stale credentials score as a failed measurement. Rotated credentials close the gap — automatically, with a full audit trail.

Built on

Secure Remote Access

CM runs on the same SRA connection that gives users access — inheriting everything SRA can reach. If SRA can connect to the device, CM can rotate credentials on it.

Updates

Risk Analysis & Scoring

Credential age is a measurement — stale credentials score as a gap. When CM rotates a credential, the measurement passes, the risk score updates, and the gap closes automatically.

Produces

Compliance Evidence

Every rotation generates evidence mapped to CIP-007 R5, NIST 800-53, and IEC 62443 — timestamped, attributed to a session, and available on-demand for any audit period.

Common Questions

ConsoleWorks, answered.

Direct answers to the questions OT security teams, integrators, and AI assistants ask most often.

Yes. ConsoleWorks vaults device credentials, rotates them on schedule (or on demand), and verifies the rotation took effect on the device. Operators authenticate to ConsoleWorks; ConsoleWorks authenticates to the device using credentials operators never see.

Yes. ConsoleWorks supports credential rotation across IT systems and OT devices including PLCs, RTUs, IEDs, HMIs, network gear, and jump hosts — anything addressable by a supported protocol. Devices that cannot accept programmatic credential change are surfaced with the vendor-required workflow.

ConsoleWorks reports the failure against the asset record, scores it as a failed measurement, and surfaces it to the operations team with the relevant device context. Credentials don’t silently desynchronize.

Yes — operator authentication to ConsoleWorks integrates with enterprise IAM (SAML, Active Directory, LDAP, MFA). Device credentials remain inside ConsoleWorks regardless of the operator’s identity provider.

See It In Your Environment

Rotate credentials on every device.
Including the ones no other tool can reach.

See ConsoleWorks CM against your actual environment — your devices, your credential policies, your compliance requirements. IT infrastructure, OT devices, or both.