
Why do legacy VPNs and jump servers create risk in industrial environments?

They create broad authenticated access without enough awareness of what the session is allowed to do. In industrial settings, that means a single connection can reach multiple assets and execute harmful commands. The risk is amplified when the access path is undocumented, shared, or hard to recertify.

Why Legacy Remote Access Becomes Dangerous in OT

Legacy VPNs and jump servers were built to solve connectivity, not to enforce precise mission scope. In industrial environments, that matters because remote access often crosses trust boundaries between IT, OT, and vendor support. Once authenticated, the session may inherit broad reach across controllers, historians, engineering workstations, or maintenance tools, even when the operator only needed one asset.

This is why NHI governance and remote-access hygiene are increasingly linked. The same pattern shows up when credentials, service access, or vendor pathways are too durable or too widely shared, which is a recurring theme in Top 10 NHI Issues and the Ultimate Guide to NHIs – Key Challenges and Risks. NIST also emphasizes that access decisions should be tied to identity assurance, lifecycle, and continuous risk management, not just a valid login event, as described in the NIST Cybersecurity Framework 2.0 and NIST SP 800-63 Digital Identity Guidelines.

In practice, many security teams discover the blast radius of a remote session only after a maintenance account has already been reused in ways no one documented.

How It Works in Practice

A VPN typically authenticates the user or vendor, then places that session inside a broader network segment. A jump server adds a layer of mediation, but it still often relies on static trust: if the person is allowed through the front door, the session may reach a wide set of systems. That model is especially risky in OT because industrial tools often trust the network location, not the intent of the session.

Better practice is to break the problem into smaller controls. Current guidance suggests pairing OWASP NHI Top 10-style identity discipline with session-level restriction, so the access path is time-bound, recorded, and tied to a specific asset or change window. This usually means:

  • short-lived credentials rather than shared, standing accounts;
  • per-session authorization for one system or one workflow;
  • tight command logging and protocol-aware monitoring;
  • separate approval for vendor support, engineering changes, and emergency break-glass access;
  • automatic revocation when the task ends.

For industrial operations, the key issue is not just who logged in, but what the session was actually allowed to do. That is why organisations increasingly map remote-access controls to identity assurance principles in NIST guidance, then validate the operational path against NHI governance practices such as recertification and secret containment, as reinforced by the Ultimate Guide to NHIs – Why NHI Security Matters Now.

These controls tend to break down when the same jump host serves many plants or vendors because shared administration makes session intent hard to prove and harder to investigate.

Where the Risk Gets Hardest to Control

Tighter remote-access control often increases operational friction, so organisations have to balance availability against containment. That tradeoff is real in industrial settings where downtime is costly and support teams expect fast access during faults or production stoppages.

There is no universal standard for every plant topology, but current guidance suggests three common edge cases matter most. First, vendor-managed environments often keep standing pathways alive far longer than necessary, which makes recertification weak. Second, emergency access can bypass normal approval flows, so break-glass accounts need stronger monitoring than routine accounts. Third, flat OT networks can make a single authenticated session behave like a roaming administrator, especially when legacy devices cannot enforce fine-grained policy.

That is why the strongest programmes combine PAM, ZTA, and strict asset scoping rather than relying on the VPN alone. The practical goal is to make every session narrowly explainable: which operator, which asset, which time window, which command set, and which business reason. If that cannot be answered quickly, the access design is too broad for industrial risk. For many teams, the failure appears first in incident response, not in architecture review, because undocumented access paths are usually uncovered only after something has already gone wrong.
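The controls listed earlier (short-lived, per-asset, per-session grants with command logging, separate approval flows, and automatic revocation) and the "narrowly explainable" test above can be expressed as a small policy model. The following Python is an added example written for this page, not code from the article or from any product or framework it cites; the broker class, asset names, command names, ticket id and time-to-live caps are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Approval flows kept separate, as the text recommends (constructed names).
APPROVAL_TYPES = {"vendor_support", "engineering_change", "break_glass"}


@dataclass
class AccessGrant:
    grant_id: str
    operator: str
    asset: str                   # one asset per grant, never a network segment
    allowed_commands: frozenset  # protocol-level command allow-list
    reason: str                  # business reason, e.g. a change ticket
    approval: str                # which approval flow authorised it
    not_before: datetime
    not_after: datetime
    revoked: bool = False


class SessionBroker:
    """Issues, checks and revokes per-session grants; every decision is logged."""

    def __init__(self, max_ttl=timedelta(hours=1), break_glass_ttl=timedelta(minutes=15)):
        self.max_ttl = max_ttl
        self.break_glass_ttl = break_glass_ttl
        self.grants = {}
        self.audit_log = []      # list of dicts; in practice shipped to a SIEM

    def _log(self, event, **fields):
        self.audit_log.append({"event": event, **fields})

    def issue(self, operator, asset, commands, reason, approval, ttl, now):
        if approval not in APPROVAL_TYPES:
            raise ValueError(f"unknown approval type: {approval}")
        if not reason:
            raise ValueError("a business reason is required")
        # Break-glass gets a shorter cap and a review flag; routine access gets max_ttl.
        cap = self.break_glass_ttl if approval == "break_glass" else self.max_ttl
        grant = AccessGrant(secrets.token_hex(8), operator, asset, frozenset(commands),
                            reason, approval, now, now + min(ttl, cap))
        self.grants[grant.grant_id] = grant
        self._log("issue", grant_id=grant.grant_id, operator=operator, asset=asset,
                  approval=approval, expires=grant.not_after.isoformat(),
                  flag_for_review=(approval == "break_glass"))
        return grant

    def authorize(self, grant_id, asset, command, now):
        """Return (allowed, reason); evaluated for every command, not once at login."""
        g = self.grants.get(grant_id)
        if g is None:
            verdict = (False, "unknown grant")
        elif g.revoked:
            verdict = (False, "grant revoked")
        elif not (g.not_before <= now < g.not_after):
            verdict = (False, "outside time window")
        elif asset != g.asset:
            verdict = (False, "asset mismatch")
        elif command not in g.allowed_commands:
            verdict = (False, "command not in allow-list")
        else:
            verdict = (True, "allowed")
        self._log("authorize", grant_id=grant_id, asset=asset, command=command,
                  allowed=verdict[0], reason=verdict[1])
        return verdict

    def revoke(self, grant_id, now):
        """Called when the task ends; the grant is never reusable afterwards."""
        self.grants[grant_id].revoked = True
        self._log("revoke", grant_id=grant_id, at=now.isoformat())

    def explain(self, grant_id):
        """Answer the five questions a session must be able to answer."""
        g = self.grants[grant_id]
        return {"operator": g.operator, "asset": g.asset,
                "window": (g.not_before.isoformat(), g.not_after.isoformat()),
                "command_set": sorted(g.allowed_commands),
                "business_reason": g.reason, "approval": g.approval, "revoked": g.revoked}


def run_scenario():
    """Constructed walk-through: a vendor engineer asks for four hours on one PLC,
    is capped to one hour, and the grant is revoked when the task ends."""
    broker = SessionBroker()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    g = broker.issue("vendor-eng-1", "PLC-07", {"read_tags", "ack_alarm"},
                     "CHG-1234 alarm investigation", "vendor_support", timedelta(hours=4), t0)
    bg = broker.issue("shift-lead", "PLC-07", {"read_tags"}, "unplanned stop",
                      "break_glass", timedelta(hours=4), t0)
    t = t0 + timedelta(minutes=5)
    results = {
        "ttl_minutes": (g.not_after - g.not_before).total_seconds() / 60,
        "break_glass_ttl_minutes": (bg.not_after - bg.not_before).total_seconds() / 60,
        "ok": broker.authorize(g.grant_id, "PLC-07", "read_tags", t),
        "wrong_asset": broker.authorize(g.grant_id, "PLC-08", "read_tags", t),
        "wrong_cmd": broker.authorize(g.grant_id, "PLC-07", "write_setpoint", t),
        "expired": broker.authorize(g.grant_id, "PLC-07", "read_tags", t0 + timedelta(hours=2)),
    }
    broker.revoke(g.grant_id, t0 + timedelta(minutes=30))
    results["after_revoke"] = broker.authorize(g.grant_id, "PLC-07", "read_tags", t)
    results["explain"] = broker.explain(g.grant_id)
    results["audit_events"] = len(broker.audit_log)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The design choice worth noting is that `authorize` is evaluated per command against one asset and one time window, so a session that could previously roam a segment is reduced to a record that answers all five questions, and the audit log holds both the grant and each decision, which is what an investigator needs when a shared jump host cannot prove intent on its own.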

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Remote access often depends on long-lived secrets and shared credentials. |
| NIST CSF 2.0 | PR.AC-4 | Broad VPN and jump-host access is an access-control governance issue. |
| NIST Zero Trust (SP 800-207) | | Industrial remote access should verify each session continuously, not once. |

Replace standing remote-access secrets with short-lived, task-scoped credentials and rotate them aggressively.