What is Session Recording?
Session Recording is the capture and storage of administrative sessions (e.g. RDP, SSH, console) on systems with elevated privileges. It makes it possible to see exactly what a user has done, when, on which system, and for what purpose.
In OT environments this is essential for traceability, incident investigation, and compliance, especially for remote access to systems such as PLCs, SCADA, or engineering stations.
🎯 Goal of Session Recording
| Goal | Explanation |
|---|---|
| Audit trail | Accurate reconstruction of administrative actions |
| Forensic investigation | Support in analysing incidents or sabotage |
| Compliance | Meeting requirements from, among others, IEC 62443, NIS2, ISAE 3402 |
| Oversight | Monitoring external suppliers or temporary administrators |
| Training & quality control | Use of recordings for awareness or evaluation of practices |
🧠 What is recorded?
| Data type | Description |
|---|---|
| Video (screen capture) | Exact rendering of screen activity (most useful with RDP/GUI) |
| Keystroke logging | Typed commands (especially for SSH or command-line sessions) |
| Metadata | Username, timestamp, IP address, system name |
| Event markers | Tags on suspicious or critical actions (e.g. config change, file copy) |
🔐 Integration with PAM
Session Recording is often part of a PAM platform and is then carried out via:
- A jump server or proxy between the administrator and the target device
- Just-in-time access or an approval workflow
- Automatic storage in an encrypted archive
- Possibility of live observation (real-time monitoring)
🏭 Application in OT environments
| Situation | Example recording |
|---|---|
| Remote access to SCADA | RDP recording of an external engineer changing settings |
| Firmware upgrade on PLC | SSH session including commands and feedback |
| Management of a firewall or switch | Logging of config changes and interface management |
| On-site access via an engineering station | Detection of unauthorised actions during a service visit |
✅ Best practices
- Inform users that sessions are being recorded (GDPR)
- Store recordings encrypted and for at least 90 days
- Implement event tagging for critical actions
- Integrate with SIEM for alerting on unusual behaviour
- Combine with 2FA, PAM, and least privilege for full administrative control
- Grant access to recordings only to authorised auditors
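An added example, not part of the original page or of any PAM product: it applies event tagging to a constructed SSH keystroke log and emits one marker per critical action, carrying the metadata fields listed under "What is recorded?", as JSON lines a SIEM could ingest. The log format, the tagging rules, and the user, host and address values are assumptions made for illustration.

```python
import json
import re
from datetime import datetime

# Hypothetical tagging rules: marker name -> pattern over one typed command.
RULES = {
    "config_change": re.compile(r"^\s*(configure|conf t|set|write mem|commit)\b"),
    "file_copy": re.compile(r"^\s*(scp|sftp|rsync|cp|copy)\b"),
}

# Constructed keystroke log: timestamp, username, source IP, system name, command.
SAMPLE_SESSION = """\
2024-05-01T09:14:03+00:00 vendor-eng1 192.0.2.15 fw-ot-01 show version
2024-05-01T09:15:40+00:00 vendor-eng1 192.0.2.15 fw-ot-01 configure terminal
2024-05-01T09:16:12+00:00 vendor-eng1 192.0.2.15 fw-ot-01 set interface eth2 disable
2024-05-01T09:19:55+00:00 vendor-eng1 192.0.2.15 fw-ot-01 scp running-config backup@198.51.100.7:/tmp/
2024-05-01T09:20:30+00:00 vendor-eng1 192.0.2.15 fw-ot-01 exit
"""

def parse_line(line):
    """Split one log line into the metadata fields plus the typed command."""
    ts, user, src_ip, system, command = line.split(" ", 4)
    return {"timestamp": ts, "username": user, "ip_address": src_ip,
            "system_name": system, "command": command}

def tag_session(log_text):
    """Return one event marker per command that matches a tagging rule."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    if not records:
        return []
    start = datetime.fromisoformat(records[0]["timestamp"])
    markers = []
    for rec in records:
        # Seconds into the recording, so an auditor can jump straight to it.
        offset = int((datetime.fromisoformat(rec["timestamp"]) - start).total_seconds())
        for name, pattern in RULES.items():
            if pattern.search(rec["command"]):
                markers.append({"marker": name, "offset_s": offset, **rec})
    return markers

if __name__ == "__main__":
    for marker in tag_session(SAMPLE_SESSION):
        print(json.dumps(marker))  # one JSON object per line for SIEM ingestion
```

The `offset_s` field ties each marker to a position in the recording, so a reviewer can open the session at the tagged action instead of replaying it from the start.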
📌 In summary
Session Recording provides visibility and control over administrative access to critical OT and IT systems. It is an essential part of responsible cybersecurity and risk accountability in industrial environments.
