By NHI Mgmt Group Editorial Team
Published 2025-10-14
Domain: Governance & Risk
Source: SSH Communications Security

TL;DR: KuppingerCole’s Leadership Compass on secure remote access for OT/ICS argues that IT/OT convergence is widening attack surfaces while policy-enforced, session-monitored access becomes operationally necessary across critical sectors, according to SSH Communications Security. The governance shift is clear: remote access now depends on time-bound, auditable identity controls, not generic connectivity.


At a glance

What this is: This is a vendor analysis of secure remote access for OT/ICS, with the core finding that IT/OT convergence has made policy-enforced, monitored access essential.

Why it matters: It matters because industrial access governance now sits at the intersection of NHI, human admin access, and zero-trust control design across critical infrastructure.

By the numbers:



Context

Secure remote access for OT/ICS is the control layer that lets operators reach industrial assets without opening direct paths into sensitive process networks. In practice, it exists because legacy OT environments were not designed for modern authentication, encryption, or continuous verification, while industrial operations still need fast maintenance and emergency support.

The identity question is whether access can be constrained, monitored, and revoked with enough precision to protect critical systems without blocking operations. For OT and ICS, that means session-level control, protocol-aware enforcement, and strong governance over who can connect, when, and to which layers of the environment. The broader NHI and privileged access model still applies, but the operational context is tighter and less forgiving.


Key questions

Q: How should security teams govern remote access in OT and ICS environments?

A: They should govern OT remote access as a session-bound control plane, not as generic connectivity. That means mapping each path to an approved Purdue layer, requiring short-lived access, enforcing protocol-specific permissions, and preserving audit evidence for operations and compliance review. The main goal is to reduce exposure without blocking legitimate maintenance or incident response.

Q: Why does secure remote access matter more in OT than in standard IT environments?

A: OT environments contain legacy assets, fragile protocols, and safety-critical processes that cannot tolerate broad, persistent access. Secure remote access matters because it provides a mediated way to reach systems for maintenance and emergency work while limiting lateral movement and exposing only the minimum necessary session. Without that mediation, one compromised path can affect operational continuity.

Q: What breaks when OT access is handled like a normal VPN connection?

A: A normal VPN model creates too much reach for an environment where access should be tightly scoped by asset, protocol, and time. It breaks accountability because the session boundary is too coarse, and it increases blast radius if credentials are reused or stolen. In OT, the access method must reflect operational risk, not just remote convenience.

Q: Which frameworks should teams use to assess OT secure remote access governance?

A: Teams should align OT remote access with IEC 62443, NERC CIP, and NIS2 where applicable, then map identity and access controls to zero-trust principles and session monitoring requirements. The right assessment asks whether each connection is attributable, limited in scope, and revocable fast enough to protect plant operations.


Technical breakdown

Purdue model boundaries and secure remote access

The Purdue model separates enterprise IT from control layers so that direct access to the most sensitive OT segments is restricted. Secure remote access typically lands at Levels 3 and 3.5, where it can broker maintenance and emergency support without exposing lower device layers directly. The technical value is not remote connectivity alone, but controlled mediation: authentication, session recording, protocol filtering, and policy enforcement. In OT, that matters because many assets cannot tolerate noisy scanning, repeated logins, or agent-based tooling that assumes modern endpoint controls.

Practical implication: map every remote access path to the Purdue layer it can reach and remove any route that bypasses the brokered access tier.

Time-bound, protocol-specific access in OT/ICS

OT remote access differs from generic VPN use because the session itself is the control boundary. Time-bound access limits exposure, protocol-specific rules reduce unnecessary reach, and short-lived credentials shrink the window in which misuse can occur. This is especially important where legacy devices speak SSH, RDP, VNC, Modbus, OPC UA, or DNP3 and cannot enforce modern endpoint protections. The architecture works only when identity, protocol, and session policy are aligned tightly enough to permit work without creating persistent standing access.

Practical implication: require short-lived, protocol-scoped sessions for OT support and reject standing administrative connectivity into plant networks.
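The two implications above (map every path to a brokered Purdue layer; permit only short-lived, protocol-scoped sessions) can be expressed as a single policy decision. The following is an added example written for this post, not code from the original article or from SSH Communications Security; the policy constants, asset classes, protocol mapping and request fields are constructed assumptions, not any product's configuration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy constants for a brokered OT access tier. These values are constructed
# for this example and are not taken from the article or any vendor product.
BROKERED_LEVELS = {3.0, 3.5}          # Purdue layers where the broker may land
MAX_SESSION = timedelta(hours=2)      # hard ceiling on any time-bound session

# Industrial protocols each asset class may be reached with (constructed mapping).
ALLOWED_PROTOCOLS = {
    "historian":   {"ssh", "rdp"},
    "hmi":         {"rdp", "vnc"},
    "plc-gateway": {"modbus", "opcua", "dnp3"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    asset: str
    asset_class: str
    purdue_level: float       # layer the requested path would reach
    protocol: str
    requested: timedelta      # duration the engineer asked for
    window_end: datetime      # end of the approved maintenance/change window
    via_broker: bool          # False models a direct route that bypasses the tier


def evaluate(req: AccessRequest, now: datetime) -> dict:
    """Decide one session request and return the evidence a reviewer needs.

    Every denial reason is collected rather than short-circuited, so the audit
    record shows all policy violations of the request, not just the first.
    """
    reasons = []
    if not req.via_broker:
        reasons.append("direct route bypasses the brokered access tier")
    if req.purdue_level not in BROKERED_LEVELS:
        reasons.append(f"path reaches Purdue level {req.purdue_level}, not a brokered level")
    if req.protocol not in ALLOWED_PROTOCOLS.get(req.asset_class, set()):
        reasons.append(f"protocol {req.protocol!r} not permitted for {req.asset_class}")
    if req.window_end <= now:
        reasons.append("maintenance window has already closed")

    # Session life is the earliest of: what was asked, the policy ceiling, and
    # the end of the change window. Nothing here grants standing access.
    expires_at = min(now + req.requested, now + MAX_SESSION, req.window_end)

    return {
        "allowed": not reasons,
        "reasons": reasons,
        "user": req.user,
        "asset": req.asset,
        "protocol": req.protocol,
        "expires_at": expires_at if not reasons else None,
    }


def sample_decisions() -> tuple:
    """Evaluate two constructed requests: one compliant, one violating three rules."""
    now = datetime(2025, 10, 14, 9, 0, tzinfo=timezone.utc)
    ok = AccessRequest("eng.alice", "hmi-7", "hmi", 3.5, "rdp",
                       timedelta(hours=4), now + timedelta(hours=3), via_broker=True)
    bad = AccessRequest("vendor.bob", "plc-gw-2", "plc-gateway", 1.0, "ssh",
                        timedelta(minutes=30), now + timedelta(hours=1), via_broker=False)
    return evaluate(ok, now), evaluate(bad, now)


if __name__ == "__main__":
    for decision in sample_decisions():
        print(decision)
```

The compliant request asked for four hours but is cut to the two-hour ceiling, which is the point of the `min` over requested duration, policy ceiling and window end: the engineer gets a usable session, never a standing one. The denied request records all three violations (direct route, Level 1 reach, wrong protocol) so the review trail is complete.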

Continuous monitoring for industrial remote sessions

Continuous verification in OT is less about re-authenticating every click and more about preserving an auditable chain of control across the session. Real-time logging, anomaly detection, and live session observation help detect misuse, malware propagation, or lateral movement before industrial impact spreads. That makes monitoring part of the access architecture, not a separate detective control. For critical infrastructure, the question is whether the access path can prove what happened at session level, not just whether a login succeeded.

Practical implication: centralise session logs and operator activity telemetry so remote access events can be reviewed against plant safety and change records.
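Reviewing session logs against plant change records is the kind of correlation the implication above calls for. The following is an added example for this post, not code from the article or from SSH Communications Security; the session export format, the change-record shape, and all of the sample records are constructed for illustration and do not describe any real product's log format.

```python
import json
from datetime import datetime, timezone

# Constructed session telemetry, one JSON record per line, in the shape a broker
# export might take. Not real log data and not a specific product's format.
SESSION_LOG = """\
{"session": "s-101", "user": "eng.alice", "asset": "hmi-7", "protocol": "rdp", "approved_protocol": "rdp", "start": "2025-10-14T09:05:00Z", "end": "2025-10-14T09:50:00Z", "approved_until": "2025-10-14T10:00:00Z"}
{"session": "s-102", "user": "vendor.bob", "asset": "plc-gw-2", "protocol": "ssh", "approved_protocol": "modbus", "start": "2025-10-14T11:00:00Z", "end": "2025-10-14T13:30:00Z", "approved_until": "2025-10-14T12:00:00Z"}
{"session": "s-103", "user": "eng.carol", "asset": "historian-1", "protocol": "ssh", "approved_protocol": "ssh", "start": "2025-10-14T22:10:00Z", "end": "2025-10-14T22:40:00Z", "approved_until": "2025-10-14T23:00:00Z"}
"""

# Constructed plant change records: which asset was approved for work, and when.
CHANGE_RECORDS = [
    {"ticket": "CHG-41", "asset": "hmi-7",    "window_start": "2025-10-14T09:00:00Z", "window_end": "2025-10-14T10:00:00Z"},
    {"ticket": "CHG-42", "asset": "plc-gw-2", "window_start": "2025-10-14T11:00:00Z", "window_end": "2025-10-14T12:00:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse the Zulu timestamps used in the sample records into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_sessions(log_text: str, changes: list) -> list:
    """Correlate each session with its approval and the plant change records.

    Returns one finding per violated expectation, so a single session can
    produce several findings and the reviewer sees the whole picture.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        start, end = parse_ts(rec["start"]), parse_ts(rec["end"])
        approved_until = parse_ts(rec["approved_until"])

        # Protocol-scoped sessions: the protocol used must be the one approved.
        if rec["protocol"] != rec["approved_protocol"]:
            findings.append({"session": rec["session"], "kind": "protocol-mismatch",
                             "detail": f"used {rec['protocol']}, approved {rec['approved_protocol']}"})
        # Time-bound sessions: activity past the approval end is standing access in disguise.
        if end > approved_until:
            findings.append({"session": rec["session"], "kind": "overran-approval",
                             "detail": f"ended {rec['end']}, approval expired {rec['approved_until']}"})
        # Change correlation: the session must start inside an approved window for that asset.
        covered = any(c["asset"] == rec["asset"]
                      and parse_ts(c["window_start"]) <= start <= parse_ts(c["window_end"])
                      for c in changes)
        if not covered:
            findings.append({"session": rec["session"], "kind": "no-change-record",
                             "detail": f"{rec['asset']} had no open change window at {rec['start']}"})
    return findings


if __name__ == "__main__":
    for finding in review_sessions(SESSION_LOG, CHANGE_RECORDS):
        print(f"{finding['session']}: {finding['kind']} ({finding['detail']})")
```

On the constructed data, s-101 is clean, s-102 is flagged twice (wrong protocol and a session that outlived its approval), and s-103 is flagged because no change record covers the historian at that hour. Keeping the change records as a separate input is deliberate: the access broker can prove who connected and when, but only the plant's own records say whether the work was supposed to happen.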




NHI Mgmt Group analysis

Secure remote access for OT is a control plane, not a transport feature. The article reinforces a basic industrial security reality: once IT and OT converge, the access layer becomes the place where operational continuity and attack containment meet. In that model, identity, session policy, and protocol awareness matter more than raw connectivity. Practitioners should treat remote access as governed execution, not mere administration.

Standing access is the wrong assumption for industrial support. OT environments often need urgent intervention, but urgency does not justify persistent paths into sensitive layers. The governance model that assumes an engineer should remain broadly reachable across plants, protocols, and shifts is fragile. The implication is that industrial access policy must be designed around short-lived, attributable sessions rather than always-on entitlements.

Secure remote access exposes the gap between legacy systems and modern identity controls. Many OT assets still cannot authenticate or encrypt in the same way as enterprise systems, which means the brokered session becomes the compensating boundary. That shifts the burden onto the surrounding control stack: approval, monitoring, segmentation, and forensic traceability. Practitioners should view OT SRA (secure remote access) as the control that makes modern identity governance usable in an environment that cannot be modernised end to end.

Zero trust in OT only works when it respects operational constraints. The article shows why generic remote access tooling is insufficient in industrial settings: the controls must be strong enough to narrow exposure but lightweight enough to preserve uptime. That is a governance balance, not a vendor feature checklist. Security teams should evaluate whether their remote access design can support both emergency response and strict accountability without creating permanent access exceptions.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
  • That fragmentation matters because the Ultimate Guide to NHIs shows how visibility and lifecycle controls define whether remote access remains governable.

What this signals

Session-bound access is becoming the practical identity boundary for OT. As industrial environments keep converging with IT, the governance task is no longer just to authenticate users, but to ensure each access path is attributable, time-limited, and tied to the specific protocol in use. Teams that still treat remote access as a network problem will miss the control point that matters most.

With 43% of security professionals already concerned about AI systems learning and reproducing sensitive information patterns from codebases, per The State of Secrets in AppSec, the same lesson applies to industrial access logs and configuration trails. Telemetry without governance becomes another sensitive dataset to protect, not a control outcome.

The remote access market for OT will keep moving toward zero-trust mediation, but programme owners should watch for a deeper shift: access is being redefined as a session with provable scope, not a standing path. That is where the Ultimate Guide to NHIs, Key Challenges and Risks becomes relevant, because sprawl and over-privilege are just as corrosive in industrial support as they are in cloud workloads.


For practitioners

  • Inventory every OT remote access path: Document which users, contractors, and support vendors can reach each Purdue layer, then remove any direct route that bypasses the brokered access tier. Include emergency paths, jump hosts, and temporary exceptions in the same review.
  • Replace standing admin access with short-lived sessions: Issue time-bound access for maintenance and change windows, with protocol-specific rules that limit each session to the exact industrial service required. Make session approval and expiration part of the access workflow, not an afterthought.
  • Centralise session monitoring and audit evidence: Send live session logs, command history, and anomaly alerts into a shared review process so operations and security can correlate access with plant changes. Preserve records long enough to support incident review and compliance evidence.
  • Align OT remote access with regulatory requirements: Map remote access controls to IEC 62443, NERC CIP, and NIS2 obligations, then test whether the access path can prove who connected, when they connected, and what they touched.

Key takeaways

  • Secure remote access for OT/ICS is now an identity governance problem because industrial connectivity without session control creates avoidable exposure.
  • The control value lies in short-lived, protocol-specific, monitored sessions that protect legacy systems while preserving operational continuity.
  • Practitioners should measure OT access by scope, duration, and auditability, not by whether remote connectivity is available.

Key terms

  • Secure Remote Access: Secure remote access is a controlled method for connecting to operational systems without exposing them to unmanaged direct entry. In OT and ICS, it usually means mediated, logged, and time-bounded sessions that preserve safety, limit lateral movement, and create evidence for review and compliance.
  • Purdue Model: The Purdue model is an industrial network segmentation framework that separates enterprise IT from operational control layers. It helps define where remote access may be brokered, which layers are most sensitive, and why direct connectivity into lower OT levels creates unacceptable risk.
  • Session-bound Access: Session-bound access is access that exists only for a specific activity window and then disappears. In OT governance, it is the right pattern for remote support because it reduces persistent exposure, improves accountability, and fits the operational reality of maintenance and incident response.
  • Protocol-specific Access: Protocol-specific access limits a session to the exact industrial protocol required for a task, such as SSH, RDP, Modbus, or OPC UA. This avoids broad network reach and helps prevent misuse, accidental change, and lateral movement across mixed IT and OT environments.

Deepen your knowledge

OT/ICS secure remote access and zero-trust session governance are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are translating industrial access requirements into identity controls, it is worth exploring.

This post draws on content published by SSH Communications Security: secure remote access for OT/ICS and its role in industrial cybersecurity. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org