TL;DR: Industrial secure remote access is shifting from a connectivity layer to an identity control point as Zero Trust, third-party access, session recording, and microsegmentation become baseline requirements in OT and ICS environments, according to SSH Communications Security and KuppingerCole. The governance gap is no longer tunnel security but whether access can be contextual, monitored, and revoked before operational risk spreads.
At a glance
What this is: The article argues that secure remote access for OT and ICS should be treated as a core identity and security control, not an add-on, because legacy systems, vendor access, and lateral movement risks make simple tunnelling insufficient.
Why it matters: It matters because industrial environments now sit at the intersection of human and machine access, so IAM, PAM, and NHI teams need controls that handle context-aware authentication, monitoring, and just-in-time access together.
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Context
Secure remote access in OT and ICS environments is the control layer that decides whether operators can manage industrial systems without expanding the attack surface. The problem is not remote access itself, but the assumption that connectivity can be separated from identity, privilege, and session governance when legacy systems, third-party technicians, and machine-to-machine workflows all share the same operational plane.
In this environment, Zero Trust is not a slogan. It requires context-aware authentication, central governance, session recording, protocol filtering, and just-in-time access that can withstand uptime constraints. For IAM and NHI teams, the practical question is how to govern access that is operationally necessary, externally mediated, and often far more persistent than teams realise.
Key questions
Q: How should security teams govern remote access in OT and ICS environments?
A: Security teams should govern OT and ICS remote access as privileged identity access with session controls, not as a simple VPN or tunnel problem. That means mapping every account to specific protocols and assets, enforcing context-aware authentication, and requiring just-in-time access with automatic expiry. The goal is to reduce operational reach while preserving uptime and supportability.
Q: Why do third-party vendors create extra risk in industrial access models?
A: Third-party vendors increase risk because their access is often durable, broad, and difficult to monitor across legacy OT systems. When support credentials are shared, reused, or left active after work is complete, they become standing paths into critical environments. That is why vendor access needs the same lifecycle discipline as any other privileged identity.
Q: What breaks when session monitoring is missing from industrial remote access?
A: Without session monitoring, organisations lose the ability to see what a privileged user or vendor actually did inside the environment. In OT and ICS, that gap matters because the same access used for maintenance can also be used for unsafe command execution or lateral movement. Recording and intervention are what turn remote access into governable access.
Q: Who is accountable when an OT remote access path is abused?
A: Accountability sits with the organisation that defined the access model, the operational owner that approved it, and the governance team that failed to constrain it. For industrial environments, accountability is not just about authentication success. It also includes segmentation, monitoring, and revocation discipline across the full access lifecycle.
Technical breakdown
Context-aware authentication for OT and ICS access
Industrial remote access cannot rely on static credentials alone because OT and ICS environments often mix long-lived assets, vendor support paths, and safety-critical operations. Context-aware authentication adds device, location, policy, and session conditions to the access decision, which is essential when a user or service is not connecting to a normal enterprise application. In practice, the access broker becomes the enforcement point for who may enter, what protocol they may use, and how their session is constrained. That matters because industrial compromise often begins with legitimate access that was too broad or too durable.
Practical implication: require context-based access decisions before any OT or ICS session is established, not after the connection is already active.
Session recording, protocol isolation, and lateral movement control
OT access needs to be treated as a controlled session, not a simple login. Session recording creates auditability, while protocol isolation and filtering reduce the chance that a remote user can pivot from a maintenance function into unrestricted device control. This is especially important where legacy protocols were never built with modern identity checks in mind. The architecture must separate authentication from command execution so that access can be watched, constrained, and terminated without destabilising the operational environment.
Practical implication: isolate industrial protocols and record every privileged session so that abuse can be detected and contained without affecting plant availability.
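The protocol filtering described above can be made concrete. The following is an added example, not code from the original article or from SSH Communications Security, applied to Modbus/TCP, a legacy industrial protocol with no authentication or authorization of its own. The frame layout (MBAP header followed by a PDU) is the public Modbus/TCP format; the session policy, unit ids, approved register block and sample frames are constructed for illustration. The filter sits between the brokered session and the device: read functions pass through within a quantity cap, writes are allowed only to a register block the work order approved, and everything else, including malformed frames, is denied with a reason that can be logged alongside the session recording.

```python
"""Added example: a Modbus/TCP command filter for a brokered OT maintenance session.

The session dict is hypothetical. It carries the unit ids the session may address, a cap on
how many coils/registers one read may touch, and (optionally) the register block that the
maintenance task was approved to write.
"""
import struct
from dataclasses import dataclass

READ_FC = {0x01, 0x02, 0x03, 0x04}          # public read functions
WRITE_FC = {0x05, 0x06, 0x0F, 0x10}         # public write functions
FC_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs", 0x03: "Read Holding Registers",
    0x04: "Read Input Registers", 0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x08: "Diagnostics", 0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers", 0x2B: "Encapsulated Interface Transport",
}


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    function: str
    reason: str


def parse_mbap(frame: bytes):
    """Split a Modbus/TCP ADU into (transaction id, unit id, PDU); reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus/TCP")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return tid, uid, frame[7:]


def _target(fc: int, pdu: bytes):
    """Return (start address, count) addressed by a read or write request PDU."""
    if fc in (0x05, 0x06):                # single-item writes carry only an address
        return struct.unpack(">H", pdu[1:3])[0], 1
    return struct.unpack(">HH", pdu[1:5])


def filter_frame(frame: bytes, session: dict) -> Verdict:
    """Decide whether one client-to-device frame may pass during this session."""
    try:
        _, uid, pdu = parse_mbap(frame)
    except ValueError as e:
        return Verdict(False, "malformed", str(e))
    fc = pdu[0]
    name = FC_NAMES.get(fc, f"function 0x{fc:02x}")
    if uid not in session["units"]:
        return Verdict(False, name, f"unit {uid} not in session scope")
    if fc in READ_FC:
        if len(pdu) < 5:
            return Verdict(False, name, "truncated read request")
        start, count = _target(fc, pdu)
        if count > session["max_quantity"]:
            return Verdict(False, name, f"quantity {count} exceeds session cap")
        return Verdict(True, name, f"read {count} from {start:#06x} on unit {uid}")
    if fc in WRITE_FC:
        if len(pdu) < (3 if fc in (0x05, 0x06) else 5):
            return Verdict(False, name, "truncated write request")
        start, count = _target(fc, pdu)
        writable = session.get("writable", range(0))   # default: nothing is writable
        if all(addr in writable for addr in range(start, start + count)):
            return Verdict(True, name, f"write {count} at {start:#06x} on unit {uid}")
        return Verdict(False, name, f"write to {start:#06x} outside approved register block")
    # Diagnostics, file records, encapsulated transport, vendor codes: never implied by a task
    return Verdict(False, name, "function not approved for this session")


# Constructed sample frames (hex): MBAP header + PDU
SAMPLE_FRAMES = {
    "read 10 holding regs, unit 1": "00010000000601030000000a",
    "write single reg 0x0010, unit 1": "000200000006010600100001",
    "write 2 regs from 0x0010, unit 1": "00030000000b0110001000020400010002",
    "diagnostics, unit 1": "000600000006010800000000",
    "read from unit 5": "00040000000605030000000a",
}

if __name__ == "__main__":
    diagnostics_session = {"units": {1}, "max_quantity": 125}
    for label, hexframe in SAMPLE_FRAMES.items():
        print(label, "->", filter_frame(bytes.fromhex(hexframe), diagnostics_session))
```

Running the block prints the verdict for each sample frame under a read-only diagnostics session; adding `"writable": range(0x0010, 0x0020)` to the session dict is what a work order for a parameter change would unlock, and nothing else changes.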
Just-in-time access and ephemeral credentials in industrial operations
Just-in-time access is valuable in industrial environments because it narrows the window in which a technician, vendor, or operator can act. Ephemeral certificates and keyless access reduce standing exposure, but they only work when the surrounding governance can issue, scope, and revoke access fast enough for operational reality. This is where OT differs from ordinary enterprise access: the system must support uptime, failover, and emergency intervention without defaulting to persistent privilege. The point is not convenience. It is reducing the blast radius of necessary remote work.
Practical implication: replace persistent vendor access with time-bound access flows that are tied to maintenance tasks and automatically expire when the session ends.
Threat narrative
Attacker objective: The attacker aims to turn remote access into control of operational systems while avoiding detection and expanding from a single access path into broader industrial impact.
- Entry occurs when threat actors reach internet-accessible OT or ICS devices or when a third-party support path is exposed without strong identity controls.
- Escalation follows when the attacker abuses inadequate session control, broad privileges, or weak segmentation to move from remote access into deeper operational systems.
- Impact is achieved when lateral movement reaches critical industrial assets, creating disruption, manipulation risk, or loss of availability in systems that support physical operations.
Breaches seen in the wild
- LiteLLM PyPI package breach — LiteLLM PyPI supply chain attack, credentials stolen from users.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
NHI Mgmt Group analysis
Secure remote access has become an identity governance problem, not a networking feature. OT and ICS environments now depend on access brokers, policy engines, and session controls to decide who can enter and what they can do. That shifts secure remote access (SRA) into the same governance conversation as PAM and NHI oversight, because the central risk is unmanaged privilege across operational sessions. Practitioners should treat secure remote access as part of identity control architecture, not a connectivity afterthought.
Standing access is the hidden weakness in industrial remote support. Industrial access patterns often rely on persistent vendor routes, durable credentials, and exceptions created for uptime. That creates a governance gap where access outlives the job it was meant to support. The implication is that industrial programmes need to re-evaluate any control model that assumes access can remain continuously available without expanding risk.
Session visibility is the boundary between operational support and silent compromise. The article’s emphasis on monitoring, recording, and intervention reflects a core truth: if an industrial remote session cannot be inspected in real time, it cannot be governed in real time. This is especially relevant where legacy protocols carry commands directly into critical systems. Practitioners should make session-level visibility a baseline control for privileged OT access.
Zero Trust in industrial environments only works when least privilege is enforced at the session level. The article shows that authentication alone is insufficient if protocol reach, command scope, and lateral movement are left intact. For security architects, the lesson is that industrial Zero Trust must combine identity, segmentation, and just-in-time privileges into one operational control plane. Practitioners should measure whether access is actually constrained after login, not just before it.
Identity blast radius is the right concept for framing industrial remote access. In OT and ICS, the damage from a single over-broad credential is defined less by the login itself than by how far that identity can move once inside the environment. Legacy systems, third-party access, and machine-to-machine links all widen that blast radius. Practitioners should design around containment, because in industrial settings the value of access control is measured by how much it prevents from spreading.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- For a broader control baseline, see the Ultimate Guide to NHIs and the Standards section below for the frameworks that map industrial access into Zero Trust and identity governance.
What this signals
Industrial access governance is converging with NHI control design. As OT and ICS environments adopt Zero Trust patterns, teams need to think beyond network perimeter rules and toward identity, session, and protocol enforcement. The practical shift is that every remote support path should be measurable, revocable, and tied to a specific operational purpose, not treated as permanent infrastructure.
Remote access without lifecycle discipline becomes standing privilege by default. That is the hidden programme risk for industrial operators: access created for maintenance often persists longer than the work it was meant to support. Teams should review whether vendor, contractor, and internal support paths are governed as temporary entitlements or as persistent exceptions, because the latter quietly expands operational blast radius.
For practitioners
- Classify OT remote access as privileged identity access: Treat remote support for industrial systems as a privileged identity path, not generic connectivity. Map every vendor, operator, and maintenance account to the assets it can reach, the protocols it can use, and the session conditions under which it is allowed to operate.
- Replace persistent vendor access with time-bound sessions: Use just-in-time access for maintenance and support tasks, with explicit expiry tied to the work order or session closure. Ensure access is revoked automatically when the task is complete so that third-party credentials do not remain available outside the maintenance window.
- Record and inspect privileged industrial sessions: Enable session recording, command logging, and real-time intervention for every privileged OT or ICS access path. Where possible, filter protocols so that only approved commands and destinations are allowed during the session.
- Enforce segmentation around remote access entry points: Place OT remote access behind explicit segmentation boundaries so that compromise of a support path does not become unrestricted movement into operational systems. Validate that the access broker cannot be used as a pivot into higher-trust zones.
Key takeaways
- OT and ICS remote access is an identity control problem because legacy systems, vendor paths, and operational uptime make simple tunnelling too weak to govern risk.
- Session recording, protocol filtering, and just-in-time access are the controls that turn remote access from a blind trust channel into an auditable operational capability.
- Teams that leave persistent third-party access in place are creating standing privilege inside industrial environments, which is exactly where lateral movement becomes most dangerous.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-207 (Zero Trust Architecture) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet. Note that the PR.AC-4 and PR.AC-5 identifiers commonly cited for least privilege and segmentation belong to CSF 1.1; CSF 2.0 moved them to the PR.AA and PR.IR categories used below.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-207 (Zero Trust Architecture) | Tenets 3, 4 and 6: per-session access, dynamic policy, authentication and authorization enforced before access | Industrial remote access must be granted per session, from a policy that weighs identity, device and context, and enforced at session start rather than assumed from network position. |
| OWASP Non-Human Identity Top 10 | NHI3:2025 Vulnerable Third-Party NHI; NHI7:2025 Long-Lived Secrets | Persistent third-party credentials and poor rotation are central to industrial access risk. |
| NIST CSF 2.0 | PR.AA-05 (least-privilege entitlements); PR.IR-01 (network protection and segmentation) | Industrial access needs least-privilege entitlements plus controlled flow and segmentation to limit lateral movement. |
Use PR.IR-01 (PR.AC-5 in CSF 1.1) to segment OT access paths and prevent remote support from becoming unrestricted movement, and PR.AA-05 to keep each support entitlement scoped to the assets and protocols the task actually needs.
Key terms
- Secure Remote Access: Secure remote access is the controlled method of reaching systems from outside their normal operating boundary. In industrial environments it must combine identity verification, session governance, and protocol constraints so that support access does not become unrestricted operational control.
- Just-In-Time Access: Just-in-time access grants privileges only when they are needed and removes them as soon as the task is complete. For OT and ICS environments, the value is not only reduced exposure, but also tighter alignment between maintenance work, session duration, and operational accountability.
- Session Recording: Session recording captures what a privileged user or vendor does during an access session. In industrial environments it provides auditability, supports real-time intervention, and gives security teams evidence when access must be investigated without relying on assumptions about intent.
- Identity Blast Radius: Identity blast radius is the set of systems, data, and operational capability an identity can reach if it is misused or compromised. In OT and ICS settings, it is shaped by protocol reach, segmentation, and privilege scope, not just by whether authentication succeeded.
Deepen your knowledge
Industrial remote access, Zero Trust enforcement, and just-in-time control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance for OT, ICS, or third-party operational access, it is worth exploring.
This post draws on content published by SSH Communications Security: secure remote access for OT and ICS environments. Read the original.
Published by the NHIMG editorial team on 2026-01-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org