What is the Red Envelope Procedure?
The Red Envelope procedure is a controlled and secure process in which sensitive access information such as admin passwords or backdoor credentials is stored in a secure βenvelopeβ, whether physical or digital. It may only be opened in emergencies, such as a cyber incident or loss of access to critical OT systems.
In OT environments, this is part of Contingency Planning, aimed at preserving availability during crisis situations such as Ransomware attacks, network outages or sabotage.
π§ How does the Red Envelope procedure work?
- Generating access information
- Critical passwords, unlock codes, recovery accounts
- Secure storage
- Physical: a sealed paper envelope in a safe
- Digital: an encrypted file in a password vault with multi-user access control
- Access protocol on incident
- Only on approved triggers: cyber attack, system lockout, forensic investigation
- Usually requires:
- Multi-person authorisation (two or more individuals)
- Logging and reporting
- Post-incident review and re-sealing
- After use
- Credentials are immediately invalidated and replaced
- A new version of the Red Envelope is prepared
π Use in industrial networks
- Restoring access to PLCs, SCADA, Firewalls and Engineering Stations after an incident
- Procedures included in the Incident Response Plan or Disaster Recovery plan
- Often used in sectors with high compliance requirements: energy, chemicals, pharmaceuticals
- Third-party access (suppliers) can be incorporated (temporary access)
π Red Envelope vs. break-glass access vs. password vault
| Method | Description |
|---|---|
| Red Envelope | Passwords physically or digitally sealed; only available on incident |
| Break-glass access | Temporary emergency access to systems, usually via automated triggers |
| Password vault | Digital safe for passwords, accessed via roles and permissions |
π Security considerations
- Passwords are stored offline or encrypted
- Only usable in defined scenarios
- Mandatory use of Logging, Change Management and Audit
- Combine with Least Privilege and Access Control: a Red Envelope does not provide unconditional access
- Review whenever staff change, the system changes or periodically (e.g. every 6 months)
Without strict management, a Red Envelope can introduce risks such as unauthorised access or outdated credentials.
π In summary
The Red Envelope procedure is a controlled method for gaining emergency access to critical OT systems. It safeguards continuity and recoverability, without unnecessarily exposing sensitive access information to misuse or leaks.