Secure remote access into Operational Technology (OT) networks is no longer optional. It is a business requirement. Engineers need to support sites remotely. Vendors require controlled access for maintenance. Organisations want centralised visibility across distributed assets. At the same time, OT environments control physical processes. The risk profile is very different from traditional IT.
Multiple high-profile incidents have shown that attackers frequently enter through remote access pathways rather than exploiting PLCs directly. Both the National Cyber Security Centre and the Cybersecurity and Infrastructure Security Agency consistently highlight exposed remote services, weak VPN configurations and shared credentials as common root causes in critical infrastructure breaches.
In OT, remote access is not just a connectivity problem. It is a safety, reliability and compliance issue.
Why Remote Access Is High Risk in OT
OT networks typically include:
- Building Management Systems (BMS)
- SCADA platforms
- PLCs and RTUs
- Industrial HMIs
- Environmental and safety control systems
Unlike in IT, availability and deterministic behaviour matter more than speed. An unplanned change can affect physical equipment, and a compromised remote access pathway can allow lateral movement into safety systems.
Common weaknesses include:
- Flat network design without segmentation
- VPN access that exposes entire subnets
- Shared engineering accounts
- No session recording
- No time-based access controls
This is why secure design must go beyond “install a VPN and enable MFA”.
Core Principles of Secure OT Remote Access
A secure model should include:
- Strong identity integration (Active Directory or Microsoft Entra ID)
- Multi-factor authentication (hardware token or app-based MFA)
- Role-based access control aligned to job function
- Time-bound approvals for privileged access
- Full session logging and audit
- Network segmentation aligned to the Purdue Model
Encryption is table stakes. IPsec and SSL/TLS VPNs protect data in transit. But secure architecture determines whether a compromise remains contained or becomes catastrophic.
Increasingly, organisations are moving toward Zero Trust Network Access (ZTNA) rather than traditional full-tunnel VPNs. Vendors such as Fortinet, Palo Alto Networks and Zscaler provide identity-aware access that connects users to specific applications, not entire networks. That limits blast radius and reduces lateral movement opportunities.
For many OT deployments, a hardened jump host model remains the most practical approach.
The Jump Host / Bastion Pattern
In this design:
- External users authenticate to a firewall or secure access gateway.
- MFA is enforced before any internal connectivity is granted.
- Users are only allowed to access a hardened jump server in a DMZ.
- From the jump server, engineers access OT systems using controlled credentials.
The jump server should be:
- Domain joined with RBAC enforced
- Hardened using CIS benchmarks
- Logging all user activity
- Integrated with SIEM
- Restricted from outbound internet browsing
This approach creates a monitoring and control point. It also enables privileged access management integration for password vaulting and just-in-time credential release.
Secure Access to Air-Gapped Networks
Air-gapped environments introduce a different challenge. By definition, they have no permanent connection to untrusted networks. But they still require maintenance, patching and vendor support.
There are secure ways to enable controlled interaction without breaking the air gap.
1. Supervised On-Site Access
Engineers travel on-site and connect locally. Remote support is provided via:
- Screen sharing from an adjacent secure zone
- Voice or video coordination
- No direct inbound connectivity to the OT network
This preserves the logical air gap while enabling expertise to be applied remotely.
2. Controlled, Temporary Connectivity
In some environments, a physically switched link can be enabled during approved maintenance windows. The process should include:
- Change control approval
- Time-bound firewall rules
- Continuous monitoring
- Automatic rule removal after the window
No persistent remote access pathway should exist.
3. Data Diodes and Unidirectional Gateways
Where telemetry must leave the OT network but no inbound traffic is allowed, unidirectional gateways enforce one-way communication at a hardware level. This enables:
- Monitoring data export
- Security logging export
- No return path into control systems
4. Secure Media Transfer
When updates must be transferred:
- Media is scanned in a staging environment
- Hashes are validated
- Access is logged
- Chain of custody is maintained
This process-based control is often required in highly regulated sectors.
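One way to put the hash validation and chain-of-custody steps into a repeatable check, as an added example that is not from the original article: the manifest format (sha256sum style), the file names, the operator id and the custody log layout are all assumptions, and the sample files are constructed inside demo().

```python
"""Verify staged update media against a vendor hash manifest and append a
chain-of-custody record. Added example, not from the article; the manifest
format ('<hex>  <name>'), file names and log layout are assumptions."""
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_of(path):
    with open(path, "rb") as f:  # sample files are tiny; chunk reads for real media
        return hashlib.sha256(f.read()).hexdigest()

def parse_manifest(text):
    """'<sha256 hex>  <name>' per line -> {name: hex}; malformed lines fail closed."""
    expected = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, _, name = line.strip().partition("  ")
            if len(digest) != 64 or not name.strip():
                raise ValueError(f"malformed manifest line: {line!r}")
            expected[name.strip()] = digest.lower()
    return expected

def verify_staging(staging_dir, manifest_text, operator, custody_log):
    """Return (approved, findings); a custody line is appended either way."""
    expected = parse_manifest(manifest_text)
    present = set(os.listdir(staging_dir))
    findings = [f"missing: {n}" for n in expected if n not in present]
    findings += [f"hash mismatch: {n}" for n in expected if n in present
                 and sha256_of(os.path.join(staging_dir, n)) != expected[n]]
    findings += [f"unlisted file: {n}" for n in sorted(present - set(expected))]
    record = {"time": datetime.now(timezone.utc).isoformat(), "operator": operator,
              "files": sorted(expected), "findings": findings,
              "result": "rejected" if findings else "approved"}
    with open(custody_log, "a") as log:  # append-only: who checked what, and when
        log.write(json.dumps(record) + "\n")
    return not findings, findings

def demo(tamper=True):
    """Constructed scenario; tamper=True alters one file and adds a stray one."""
    staging, log_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    good, notes = b"plc firmware v1.2 (constructed sample)", b"vendor notes"
    files = {"plc_fw.bin": good, "notes.txt": notes}
    if tamper:
        files.update({"notes.txt": b"altered notes", "stray.exe": b"x"})
    for name, data in files.items():
        with open(os.path.join(staging, name), "wb") as f:
            f.write(data)
    manifest = (f"{hashlib.sha256(good).hexdigest()}  plc_fw.bin\n"
                f"{hashlib.sha256(notes).hexdigest()}  notes.txt\n")
    return verify_staging(staging, manifest, "eng-01", os.path.join(log_dir, "custody.jsonl"))
```

An unlisted file is treated as a rejection rather than ignored, because media that carries more than the manifest declares is exactly what the staging check exists to catch.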
Design for Auditability and Compliance
In the UK, frameworks such as Cyber Essentials Plus and NIS2-aligned requirements emphasise access control, logging and least privilege. Remote access design must stand up to audit scrutiny.
At minimum, you should be able to answer:
- Who accessed the system?
- When did they access it?
- What systems did they touch?
- What commands were executed?
- Was access approved and time limited?
If you cannot answer those questions quickly, your remote access model needs redesign.
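The time-bound connectivity process above and these five audit questions can be checked with the same reconciliation: match every jump-host session against a change-control approval for that account, target and window. This is an added example, not from the original article; the CSV session export, the approval fields, the ticket ids and the account list are assumptions, and every record is constructed.

```python
"""Reconcile jump-host session records with change-control approvals so the
audit questions above can be answered. Added example, not from the article;
the CSV session format, approval fields and account list are assumptions,
and every record below is constructed."""
from datetime import datetime, timezone

# Constructed approvals: each ticket authorises one account on one target for one window.
APPROVALS = [
    {"ticket": "CHG-1042", "user": "j.smith", "target": "plc-line1",
     "start": "2024-05-02T08:00:00Z", "end": "2024-05-02T12:00:00Z"},
]
# Accounts that map to a named individual; anything else is treated as shared.
NAMED_ACCOUNTS = {"j.smith", "a.jones"}
# Constructed jump-host session export: start,end,account,target,recorded
SESSION_LOG = """\
2024-05-02T08:15:00Z,2024-05-02T09:40:00Z,j.smith,plc-line1,yes
2024-05-02T13:05:00Z,2024-05-02T13:30:00Z,j.smith,plc-line1,yes
2024-05-02T08:20:00Z,2024-05-02T08:50:00Z,j.smith,scada-hist,no
2024-05-03T02:10:00Z,2024-05-03T02:12:00Z,eng-shared,plc-line1,yes
"""

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def covering_ticket(approvals, account, target, start, end):
    """Ticket whose account and target match and whose window contains the session."""
    for a in approvals:
        if (a["user"] == account and a["target"] == target
                and parse_ts(a["start"]) <= start and end <= parse_ts(a["end"])):
            return a["ticket"]
    return None

def audit_sessions(log_text, approvals, named_accounts):
    """One result per session: who, when, which system, and any failed control."""
    results = []
    for line in log_text.strip().splitlines():
        start, end, account, target, recorded = line.split(",")
        ticket = covering_ticket(approvals, account, target, parse_ts(start), parse_ts(end))
        failures = []
        if ticket is None:  # outside the window, wrong target, or never approved
            failures.append("no approval covers this account/target/time")
        if recorded != "yes":  # 'what commands were executed' cannot be answered
            failures.append("session not recorded")
        if account not in named_accounts:  # 'who' cannot be answered
            failures.append("shared account, no individual accountability")
        results.append({"account": account, "target": target, "start": start,
                        "end": end, "ticket": ticket, "failures": failures})
    return results
```

The second session in the sample starts an hour after the approved window closed; if the firewall rule had been removed automatically at the end of the window, that session could not have occurred, so a hit here points at a rule that outlived its approval.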
Final Position
Secure remote access in OT is about control, not convenience.
It must be:
- Identity driven
- Least privilege by default
- Segmented
- Monitored
- Logged
- Time restricted
When designed correctly, remote access improves resilience. It enables faster incident response. It reduces travel costs. It supports centralised engineering teams.
When designed poorly, it becomes the primary attack vector into critical infrastructure.
The difference lies in architecture, governance and discipline.