By NHI Mgmt Group Editorial Team. Published 2025-12-11. Domain: Workload Identity. Source: SSH Communications Security.

TL;DR: Industrial remote access is now being treated as a foundational control for OT because shared vendor accounts, hardcoded credentials, VPN overreach, and limited auditability create safety and compliance risk, according to Industrial Cyber’s analysis of SSH Communications Security. The governance challenge is no longer connectivity alone, but identity-bound, fully auditable access that does not widen the attack surface.


At a glance

What this is: This analysis argues that industrial secure remote access is shifting from a convenience layer to a core identity and governance control for OT environments.

Why it matters: It matters because IAM, PAM, and NHI teams must govern third-party and contractor access in plants, fleets, and factories without breaking operational continuity or auditability.

👉 Read SSH Communications Security’s analysis of industrial secure remote access and OT identity governance


Context

Industrial secure remote access is the control layer that lets remote vendors, contractors, and engineers reach OT assets without exposing the whole environment. The problem is that many industrial organisations still depend on shared accounts, broad VPN access, and legacy systems that were never built for identity-first governance.

That creates an identity governance gap across NHI and privileged access: access can be technically possible without being tightly bounded, auditable, or easy to revoke. For security and operations teams, the question is no longer whether remote access exists, but whether it is tied to the right identity, task, and approval path.


Key questions

Q: How should security teams govern remote vendor access in OT environments?

A: Security teams should bind every remote vendor session to a named identity, a specific task, and a revocation path. Shared accounts and broad VPN reach are the main reasons OT access becomes ungovernable. Strong practice means per-user access, short-lived credentials, session logging, and explicit offboarding when the work ends.

Q: Why do shared accounts create such a large risk in industrial remote access?

A: Shared accounts break attribution, make least privilege impossible to enforce cleanly, and weaken incident response because no one can tell which operator did what. In OT, that becomes a safety and resilience issue as well as a security issue. A single account serving many users is usually a sign that governance has been replaced by convenience.

Q: What breaks when VPN-based remote access is the default for OT?

A: VPN-based access often grants broader network reach than the task requires, which expands the attack surface and makes lateral movement easier. It also tends to preserve standing access instead of limiting sessions to the maintenance window or emergency use case. The breakage is not just technical, it is governance failure through overexposure.

Q: How should OT teams balance emergency response with Zero Trust controls?

A: OT teams should allow emergency access, but only through identity-bound, time-limited, fully logged sessions that can be approved and terminated without exposing the whole environment. Zero Trust in industrial settings is about constraining scope while preserving operational continuity. If emergency access cannot be audited, it is not governed.


Technical breakdown

Shared vendor accounts and broad VPN access

Industrial environments often grant third parties access through shared vendor accounts or VPNs that expose more of the network than the job requires. That model makes it difficult to separate one contractor’s activity from another’s, and it weakens accountability when something goes wrong. In OT, where maintenance windows and emergency response matter, convenience often wins over precise identity binding. The result is a control plane that is functional but not governable.

Practical implication: replace shared pathways with per-user, per-task access that preserves attribution and audit trail.

Why legacy OT systems make secure access harder

Many OT assets run on legacy hardware or fixed firmware that cannot support modern encryption, agent-based tooling, or frequent patch cycles. That means secure access often has to be layered around the system rather than directly inside it. Protocols such as Modbus TCP and OPC UA add another constraint because the access method must protect the session without breaking operations. In these environments, secure remote access is as much about containment as authentication.

Practical implication: isolate legacy OT paths and map which protocols require protocol-aware controls rather than generic network access.

Zero Trust secure remote access for OT

Zero Trust in OT is not just about blocking the perimeter. It means every remote session is identity-bound, continuously validated, and limited to the minimum operational scope needed for the task. Just-in-time access and short-lived certificates are especially relevant because they reduce standing exposure while preserving emergency and maintenance workflows. This is the practical bridge between resilience and governance in industrial settings.

Practical implication: move from persistent authorisations to task-scoped sessions that can be approved, observed, and revoked without disrupting the plant.




NHI Mgmt Group analysis

Industrial remote access is now an identity problem, not a connectivity problem. The core failure is treating remote links as network plumbing while the real risk sits in who can reach what, under what identity, and for how long. Shared accounts, VPN sprawl, and weak attribution all turn maintenance access into an uncontrolled access path. Practitioners should treat OT remote access as a governed identity workflow rather than a transport feature.

Shared vendor access is a standing privilege problem in disguise. When contractors reuse accounts or inherit broad VPN reach, accountability disappears and revocation becomes imprecise. That is not just a control gap, it is a lifecycle failure across third-party access. The implication is that industrial teams need identity-bound delegation with clear joiner, mover, leaver handling for external operators.

Identity blast radius: the smallest unit of operational access is becoming the most important security boundary. In OT, a single remote session can affect safety, uptime, and recovery if it is not tightly scoped. Short-lived credentials, protocol isolation, and site-level approval logic reduce the chance that one access path can touch too much of the environment. Practitioners should organise OT access around the task, not around the network.

Zero Trust for OT only works when remote access is both continuous and contextual. Static perimeter controls and persistent authorisations assume a stable environment that industrial operations no longer have. Remote engineers, emergency responders, and maintenance vendors need access that changes with the task, the site, and the time of use. Practitioners should align governance with operational context, not with old perimeter assumptions.

From our research: what this signals

Identity-bound access will become the control expectation for OT remote operations. As industrial workflows keep shifting toward remote execution, teams will be judged less on whether access exists and more on whether it is attributable, revocable, and limited to the task. That pushes OT governance closer to NHI-style lifecycle discipline than traditional perimeter thinking.

Third-party access governance is where industrial programmes will be measured first. If contractors can still enter critical environments through shared accounts or broad network paths, the governance model is already behind the operational model. Security leaders should expect remote access reviews to become part of safety and resilience conversations, not just IAM.

Identity blast radius: the smallest access decision now shapes the biggest operational outcome. In OT, one over-broad remote session can affect uptime, recovery, and physical safety, so programme owners need to treat access scope as an operational risk signal rather than a pure technical setting.


For practitioners

  • Inventory every third-party OT access path: Map shared vendor accounts, VPN routes, and emergency access channels to the exact OT assets and protocols they can reach. Remove any access path that cannot be tied to a named individual and a specific task.
  • Move contractor access to identity-bound sessions: Use per-user access with short-lived credentials so maintenance and support work can be approved, monitored, and revoked without relying on persistent authorisations. Keep session records that separate one operator from another.
  • Segment legacy OT protocols from general network access: Treat Modbus TCP, OPC UA, and other industrial protocols as distinct control surfaces. Place them behind protocol-aware access controls and micro-segmentation so a remote session cannot expand into unrelated systems.
  • Build revocation into vendor offboarding workflows: When a vendor relationship ends or changes scope, revoke credentials, remove broad network routes, and confirm no shared account remains active. Make offboarding evidence part of the access record, not an afterthought.
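As an added example (not code from SSH Communications Security or from the original post), the Python sketch below turns the four steps above and the Zero Trust breakdown into checkable logic: an audit of inventoried access paths for shared accounts, network-wide reach and standing access, and a broker that only issues per-user, per-task, time-limited sessions, re-checks every request against that scope, and keeps a revocable audit log. The asset, vendor and ticket names, the TTL values and the record layout are all assumptions.

```python
# Constructed example (not SSH Communications Security code); names are invented.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Assumed policy: emergency sessions are shorter-lived, not broader.
MAX_TTL = {"maintenance": timedelta(hours=4), "emergency": timedelta(hours=1)}

def audit_path(path: dict) -> list:
    """Governance findings for one inventoried access path (empty = acceptable).
    path: {'principal', 'shared', 'reach': ['asset:protocol' | '*'], 'expires'}."""
    findings = []
    if path["shared"]:
        findings.append("shared account breaks attribution")
    if "*" in path["reach"]:
        findings.append("reach is network-wide, not task-scoped")
    if path["expires"] is None:
        findings.append("standing access with no expiry")
    return findings

@dataclass
class Session:
    principal: str  # named individual, never a shared account
    asset: str      # the single OT asset the task needs
    protocol: str   # only protocol allowed, e.g. 'modbus' or 'opcua'
    ticket: str     # work order the session is bound to
    approver: str
    issued: datetime
    expires: datetime
    revoked: bool = False
    log: list = field(default_factory=list)

def grant_session(principal, asset, protocol, ticket, kind, approver, now):
    """Issue a per-user, per-task, time-limited session, or refuse."""
    if "@" not in principal or "shared" in principal:
        raise ValueError("session must bind to a named individual")
    if not ticket or not approver:
        raise ValueError("task reference and approver are required")
    return Session(principal, asset, protocol, ticket, approver, now, now + MAX_TTL[kind])

def authorize(session, asset, protocol, now):
    """Re-check every request against scope, window and revocation; log the decision."""
    allowed = (not session.revoked and session.issued <= now < session.expires
               and asset == session.asset and protocol == session.protocol)
    session.log.append((now.isoformat(), asset, protocol, "allow" if allowed else "deny"))
    return allowed

def revoke(session, now, reason):
    """Offboarding or incident: end the session but keep the evidence."""
    session.revoked = True
    session.log.append((now.isoformat(), "-", "-", "revoked: " + reason))
```

A real deployment would enforce the same decision at the protocol gateway (Modbus TCP or OPC UA proxy) rather than only in a broker, but the scope, window and revocation checks stay the same.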

Key takeaways

  • Industrial remote access is becoming a governed identity control, not just a secure connectivity problem.
  • Shared vendor accounts and broad VPN paths remain the clearest signs that OT access is too wide to audit well.
  • Task-scoped sessions, short-lived credentials, and protocol-aware segmentation are the controls that reduce operational blast radius.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework, control / reference, and relevance:

  • NIST Zero Trust (SP 800-207), AC-4: Remote OT access needs scoped enforcement and continuous validation.
  • NIST CSF 2.0, PR.AC-4: Third-party access governance is central to remote OT control.
  • OWASP Non-Human Identity Top 10, NHI-03: Shared credentials and unmanaged access are classic non-human identity risks.

Limit OT sessions to task scope and require continuous identity checks before extending access.


Key terms

  • Industrial Secure Remote Access: Industrial secure remote access is the controlled method for reaching OT systems from outside the plant or site. It ties remote connectivity to identity, approval, and session boundaries so maintenance, support, and emergency work can happen without exposing the full environment.
  • Identity-Bound Session: An identity-bound session is a remote access session tied to a named user or operator rather than a shared account or generic network path. In OT, it gives security teams attribution, revocation leverage, and audit evidence while keeping the operational task intact.
  • Identity Blast Radius: Identity blast radius is the amount of operational damage that can flow from one access decision, credential, or session. In OT, the concept is especially important because a single remote connection can affect uptime, safety, and recovery if it is too broadly scoped.
  • Protocol Isolation: Protocol isolation means placing industrial protocols behind controls that restrict how they are reached and what they can touch. It helps protect legacy OT systems that cannot support modern agents, frequent patching, or direct exposure without increasing operational risk.

Deepen your knowledge

Industrial secure remote access, third-party identity control, and OT governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme has to balance uptime with access accountability, it is worth exploring.

This post draws on content published by SSH Communications Security: industrial secure remote access, OT governance, and Zero Trust access controls. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org