Secure remote access in OT environments
The pandemic accelerated something already in motion: technicians connecting to PLCs from home, vendors accessing SCADA systems from another country, engineers modifying control logic without setting foot in the plant. Remote access to OT networks went from a controlled exception to standard practice. The problem is that most implementations were designed in a rush and with an IT mindset, ignoring the specifics of industrial environments.
The risk is not theoretical
In 2021, an attacker accessed the SCADA system at the Oldsmar, Florida water treatment plant through TeamViewer. They attempted to increase the sodium hydroxide concentration in drinking water by a factor of one hundred. The remote access had been configured without multi-factor authentication, with a shared password among all operators and no segmentation between the corporate and control networks.
It wasn't a sophisticated attack. It was an open door.
Similar cases keep appearing across energy, pharmaceutical, and manufacturing sectors. CISA and ICS-CERT reports document hundreds of annual incidents where the entry vector is a misconfigured remote connection: default credentials, VPNs with unrestricted destination access, sessions that stay active for weeks.
Why generic VPNs fall short
IT's typical response to remote access needs is deploying a VPN. In corporate environments, this works reasonably well. In OT, a VPN without additional controls creates a direct tunnel from the internet to the control network, which is what any attacker would want.
A VPN doesn't limit which devices a user can reach once inside. It doesn't restrict which protocols they can use. It doesn't log actions performed on industrial equipment. And if credentials are compromised, the attacker inherits the same privileges as the legitimate technician.
IEC 62443-3-3 is explicit on this point: remote access must pass through an intermediate control point that enforces authentication, granular authorization, and session logging. The VPN is just the transport layer, not the complete solution.
Remote access architecture: jump servers and DMZ zones
The most robust pattern for OT remote access combines several elements:
- Jump server (bastion host) in the industrial DMZ: every remote connection terminates here, never directly in the control network. The user authenticates, opens their work session, and accesses only authorized equipment.
- Mandatory multi-factor authentication: something the user knows (password) plus something they have (token or authenticator app). No exceptions, including external vendors.
- Full session recording: every command sent to a PLC, every HMI screen viewed, every configuration change gets logged. When an incident hits, this allows exact reconstruction of what happened.
- Time-limited access windows: connections are authorized for specific periods. A vendor who needs to service a variable frequency drive gets access during the agreed window, not a permanent account.
- Per-asset segmentation: remote access doesn't grant free rein over the entire OT network. Each session is restricted to the specific equipment or segment requiring intervention.
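The following is an added example, not code from the original article or from any product it mentions: a minimal authorization check of the kind a jump server or access broker in the industrial DMZ can apply to each session request. It enforces the controls listed above (mandatory MFA, a time-limited window, per-asset and per-protocol restriction) and writes every decision, allowed or denied, to an audit log. The grant structure, field names and the sample vendor grant are assumptions made for the example.

```python
# Added example (not from the original article): a minimal authorization check
# an OT jump server / access broker can apply to each remote session request.
# Grant structure, field names and sample data are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessGrant:
    """Time-boxed authorization for one named user to reach specific assets."""
    user: str
    assets: FrozenSet[str]       # asset ids covered (per-asset segmentation)
    protocols: FrozenSet[str]    # protocols the bastion may proxy for them
    valid_from: datetime         # access window start (UTC)
    valid_to: datetime           # access window end (UTC)


@dataclass(frozen=True)
class SessionRequest:
    user: str
    mfa_verified: bool           # did the second factor succeed at the bastion?
    target_asset: str
    protocol: str
    requested_at: datetime


AUDIT_LOG: List[dict] = []      # every decision, allowed or not, lands here


def parse_utc(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def make_request(user, mfa, asset, protocol, iso_time) -> SessionRequest:
    return SessionRequest(user, mfa, asset, protocol, parse_utc(iso_time))


def evaluate(req: SessionRequest, grants: List[AccessGrant]) -> Tuple[bool, str]:
    """Return (allowed, reason). The checks narrow step by step so the reason
    written to the audit log names exactly which control blocked the session."""
    reason = "granted"
    allowed = False
    if not req.mfa_verified:
        reason = "mfa required"          # no exceptions, vendors included
    else:
        mine = [g for g in grants if g.user == req.user]
        active = [g for g in mine if g.valid_from <= req.requested_at <= g.valid_to]
        on_asset = [g for g in active if req.target_asset in g.assets]
        on_proto = [g for g in on_asset if req.protocol in g.protocols]
        if not mine:
            reason = "no grant for this user"
        elif not active:
            reason = "outside authorized window"
        elif not on_asset:
            reason = "asset not in grant"
        elif not on_proto:
            reason = "protocol not in grant"
        else:
            allowed = True
    AUDIT_LOG.append({
        "ts": req.requested_at.isoformat(),
        "user": req.user,
        "asset": req.target_asset,
        "protocol": req.protocol,
        "mfa": req.mfa_verified,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed, reason


# Constructed sample: an external drive vendor gets a four-hour window on one VFD.
DEMO_GRANTS = [
    AccessGrant(
        user="vendor-drives-jdoe",
        assets=frozenset({"vfd-line3"}),
        protocols=frozenset({"https"}),
        valid_from=parse_utc("2024-06-10T08:00:00"),
        valid_to=parse_utc("2024-06-10T12:00:00"),
    )
]

if __name__ == "__main__":
    for args in [
        ("vendor-drives-jdoe", True, "vfd-line3", "https", "2024-06-10T09:15:00"),
        ("vendor-drives-jdoe", False, "vfd-line3", "https", "2024-06-10T09:15:00"),
        ("vendor-drives-jdoe", True, "plc-boiler1", "https", "2024-06-10T09:15:00"),
        ("vendor-drives-jdoe", True, "vfd-line3", "https", "2024-06-11T09:15:00"),
    ]:
        print(evaluate(make_request(*args), DEMO_GRANTS))
```

The order of the checks matters for the audit trail: a denied session records the first control that failed, so a reviewer can tell a missing second factor apart from a vendor trying to reach a PLC outside their grant. In a real deployment the grant list would come from the access-request workflow and the audit records would be shipped to the SOC rather than kept in memory.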
The human factor: vendors and third parties
Industrial equipment manufacturers typically require remote access for support and maintenance. This creates blind spots if not managed properly. Each vendor should have unique credentials, access limited to their equipment, and audited sessions. The practice of giving the manufacturer a single shared VPN account labelled with its name is still common and unacceptable from any security standpoint.
NERC CIP-005-7, applicable to the electric sector in North America, mandates specific controls for interactive remote access: encryption, MFA, and the ability to detect and disable unauthorized sessions. Even if your organization isn't subject to NERC CIP, these requirements are a useful reference for any industrial sector.
Verify before you trust
Before assuming your remote access is secure, ask yourself three questions: can you identify right now every active remote connection on your OT network? Do you know what each remote user can do once connected? Do you have recordings of the last remote maintenance sessions?
If the answer to any of these is no, you have work to do.
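As an added example (not from the original article), here is an audit pass over an exported session list that answers the three questions above: which remote sessions are open right now, which have been open far longer than any maintenance task needs, which were opened without MFA or without recording, and which accounts are in use from several source addresses at once, the usual sign of a password shared among operators or vendors. The export format, the column names and the sample rows are constructed for this example.

```python
# Added example (not from the original article): an audit over exported
# remote-session records from a bastion or VPN concentrator. The record format
# and the sample rows are constructed for this example.
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed export, one row per session. An empty "end" means the session
# was still open when the export was taken.
SAMPLE_EXPORT = """\
session_id,user,source_ip,target_asset,mfa,start,end,recorded
s1,vendor-drives-jdoe,203.0.113.10,vfd-line3,yes,2024-06-10T08:05:00,2024-06-10T10:40:00,yes
s2,ops-shared,198.51.100.7,hmi-boiler,no,2024-05-20T07:00:00,,no
s3,ops-shared,198.51.100.9,hmi-boiler,no,2024-06-09T22:00:00,,no
s4,eng-asmith,192.0.2.44,plc-line1,yes,2024-06-10T09:00:00,,yes
"""

NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)   # export time (assumed)
MAX_OPEN = timedelta(hours=12)                             # tolerated open-session age


def parse_ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc) if s else None


def load_sessions(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["start"] = parse_ts(r["start"])
        r["end"] = parse_ts(r["end"])
        r["mfa"] = r["mfa"] == "yes"
        r["recorded"] = r["recorded"] == "yes"
        rows.append(r)
    return rows


def audit(sessions, now=NOW, max_open=MAX_OPEN):
    """Return a dict of finding lists keyed by check name."""
    findings = {"active": [], "stale": [], "no_mfa": [],
                "unrecorded": [], "shared_account": []}
    open_by_user = {}
    for s in sessions:
        if s["end"] is None:
            findings["active"].append(s["session_id"])
            if now - s["start"] > max_open:
                findings["stale"].append(s["session_id"])
            open_by_user.setdefault(s["user"], set()).add(s["source_ip"])
        if not s["mfa"]:
            findings["no_mfa"].append(s["session_id"])
        if not s["recorded"]:
            findings["unrecorded"].append(s["session_id"])
    # one account open from more than one source address at the same time is
    # the classic symptom of a password shared among operators or vendors
    for user, ips in open_by_user.items():
        if len(ips) > 1:
            findings["shared_account"].append(user)
    return findings


if __name__ == "__main__":
    for check, ids in audit(load_sessions(SAMPLE_EXPORT)).items():
        print(f"{check:15s} {ids}")
```

Run against the sample, the audit flags s2 and s3 as stale, unrecorded and opened without MFA, and reports ops-shared as an account in concurrent use from two addresses. If you cannot produce an export like this from your own remote access infrastructure, that is itself the answer to the first question.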
Need to review your industrial remote access security? Contact us for a no-obligation assessment.