By NHI Mgmt Group Editorial TeamPublished 2026-03-23Domain: Workload IdentitySource: Appgate

TL;DR: Industrial environments now depend on remote access, but VPN-centric trust still exposes broad network reach in systems built for reliability and flat connectivity, according to Appgate. Identity-based Zero Trust changes the access layer without re-architecting the plant, and network-level trust is no longer a safe assumption for OT security.


At a glance

What this is: This is an analysis of why legacy VPN-based remote access no longer fits OT environments and how identity-centric Zero Trust reduces exposed reach.

Why it matters: It matters because OT teams must secure vendors, engineers, and operators without disrupting deterministic operations or expanding the blast radius of compromised credentials.

👉 Read Appgate's analysis of Zero Trust access for OT environments


Context

Industrial connectivity has outgrown the security assumptions built into older remote access models. OT networks were designed for reliability, safety, and constrained communication, not broad external access from engineers, vendors, and operators who now work remotely across converged IT and OT environments.

The core governance problem is identity and access control, not just transport encryption. When a remote access model gives authenticated users too much network visibility, lateral movement becomes a function of trust design rather than an isolated misconfiguration. For teams managing industrial access, that is the same structural problem the Ultimate Guide to NHIs addresses across machine identities, service access, and privilege boundaries.

Appgate's argument is that OT access should be enforced at the identity layer and policy boundary, while preserving the operational characteristics industrial systems depend on. That framing is typical for modern OT security discussions: the challenge is not whether access is needed, but how to grant it without inheriting enterprise-network assumptions that break in plant environments.


Key questions

Q: How should security teams modernize OT remote access without disrupting operations?

A: Security teams should move from network-level trust to resource-level access policies. The goal is to keep industrial traffic deterministic while limiting each user, contractor, or vendor to the exact systems required. That usually means explicit authorisation, device and context checks, and removing broad subnet visibility after authentication.

Q: Why do VPNs create more risk in OT than in normal enterprise networks?

A: VPNs create more risk in OT because authenticated users often inherit broad internal visibility, and industrial environments are frequently flatter, harder to segment, and less tolerant of endpoint controls. In those conditions, one stolen credential can become a lateral movement path across controllers, gateways, and vendor-managed systems.

Q: What should teams get wrong about Zero Trust in industrial environments?

A: Teams often assume Zero Trust means adding another access tool or moving traffic through a cloud broker. In OT, the real requirement is preserving operations while removing implicit trust. The useful test is whether access can be narrowed to a specific resource without exposing the broader environment.

Q: Who is accountable when third-party access to OT systems is over-permissioned?

A: Accountability sits with the organisation that owns the industrial environment and the access lifecycle, even when a vendor performs the work. Access reviews, offboarding, and policy enforcement must be documented and owned internally, because the operational consequences of over-permissioned access remain inside the plant.


Technical breakdown

Why VPN trust models fail in OT environments

Traditional VPNs authenticate a user and then expose a large portion of the internal network. That model works poorly in OT because flat or lightly segmented architectures make lateral movement easy once credentials are compromised. Many industrial environments also rely on legacy hardware, proprietary protocols, and systems that cannot be patched or taken offline easily, so network exposure becomes the main control surface. In practice, the problem is not just encryption in transit. It is the trust boundary: once inside, the user often sees too much. That is fundamentally different from granting access to a single industrial resource.

Practical implication: replace network-wide remote access assumptions with resource-level access boundaries.

How Zero Trust Network Access changes industrial connectivity

Zero Trust Network Access verifies identity and device context before allowing access to explicitly approved resources. Instead of joining the network, the user connects to the specific system, port, or service the policy allows. In OT, that matters because it preserves deterministic traffic patterns while removing implicit trust in the broader network. Direct-routed architectures also avoid cloud backhaul, which can matter where latency and reliability are operational constraints. The technical shift is simple in concept but important in effect: access becomes granular, invisible to unauthorized users, and far easier to scope to role and context.

Practical implication: scope OT access to systems and services, not to network segments.

What cloaked infrastructure and micro-perimeters do

Cloaked infrastructure hides services, ports, and internal addresses from unauthorised discovery, reducing reconnaissance opportunities before access is granted. Identity-defined micro-perimeters then limit communication to what the policy explicitly allows, which helps contain compromised credentials or endpoints. This is especially relevant in industrial networks where lateral communication may be common and traditional endpoint controls are difficult to deploy. The security value is not just concealment. It is reducing the number of paths an attacker can test, traverse, or reuse once they have valid access.

Practical implication: reduce discovery and lateral movement paths around PLCs, RTUs, and other exposed industrial assets.


Threat narrative

Attacker objective: The attacker seeks broad operational reach inside industrial systems by turning one remote-access foothold into wider plant visibility and lateral movement.

  1. Entry occurs when an attacker uses stolen credentials or over-permissioned remote access to gain a foothold in an OT environment.
  2. Escalation follows when the access model reveals too much of the internal network, allowing the attacker to move laterally across industrial systems and vendor-managed assets.
  3. Impact is reached when production systems, controllers, or sensitive operational environments are accessed beyond the intended scope, increasing the chance of disruption or unsafe control changes.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Network-level trust is the wrong security premise for OT access. VPN design assumes that once a user is authenticated, broad internal visibility is acceptable. In industrial environments, that assumption collides with flat architectures, legacy controllers, and vendor access requirements. The result is a trust model that expands the blast radius of stolen credentials instead of constraining it. Practitioners should treat network-level access as a governance failure, not just a tooling choice.

Identity-defined access boundaries are the real control plane for converged IT and OT environments. The article reflects a wider shift in industrial security: access must be tied to the specific resource, role, and context rather than to the network perimeter. That aligns with Zero Trust Architecture and with NHI governance principles where privilege should be explicit, bounded, and revocable. For industrial organisations, the practical question is not whether remote access exists, but whether it can be isolated to the smallest operational unit required.

Cloaked infrastructure creates a smaller attack surface than exposed internal routing. Hiding services and limiting who can even see them changes the economics of reconnaissance and lateral movement. In OT, where patching is difficult and downtime is expensive, reducing discoverability often matters more than adding another visibility layer. The implication is straightforward: if a controller, gateway, or vendor bridge can be hidden from unauthorised users, it should be.

Direct-routed Zero Trust is an operational compromise, not an architectural luxury. Many OT teams hesitate to adopt cloud-brokered access because latency and dependency risk can interfere with plant reliability. That concern is real, but it does not validate VPN-style trust. The field is moving toward access models that preserve operational integrity while removing implicit network exposure, and teams that delay this shift will continue to inherit unnecessary lateral movement risk.

From our research:

  • 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
  • The Ultimate Guide to NHIs explains why identity boundaries, lifecycle control, and visibility are the common failure points across machine and autonomous access.

What this signals

Industrial organisations should read this as a broader access-governance signal: the perimeter is no longer the security boundary, identity is. When remote access is embedded in normal operations, the control problem shifts from network trust to lifecycle discipline, authorisation scope, and recoverability after compromise.

Identity blast radius: in OT, the most important design question is how far one valid session can move before it is contained. That means treating vendor access, engineering access, and operator access as distinct governance classes, then checking whether any of them still inherit unnecessary network reach.

For teams building a converged IAM and OT programme, the immediate watchpoint is whether access reviews can actually detect overbroad industrial reach. The same governance discipline that limits machine and service identities in IT also needs to constrain remote industrial access, and the NIST Cybersecurity Framework 2.0 remains a useful organising model for that work.


For practitioners

  • Map every remote access path into OT Inventory employee, contractor, vendor, and support access to PLCs, RTUs, controllers, and engineering stations. Identify where network-wide visibility still exists after authentication and remove it where a single-resource policy would suffice.
  • Replace broad VPN reach with resource-scoped policies Define access by specific system, port, service, and context rather than by subnet or plant segment. Preserve operator workflows while ensuring that compromise of one account does not expose the broader industrial network.
  • Hide exposed industrial services from unauthorised discovery Use cloaking or equivalent exposure reduction so services, ports, and internal IP addresses are not visible until policy conditions are met. This reduces reconnaissance and lowers the chance that stolen credentials become a discovery engine.
  • Treat vendor access as a lifecycle control problem Require joiner-mover-leaver discipline for third-party industrial access, including explicit offboarding, time-bound approvals, and review of dormant accounts. In OT, the hardest failures usually come from access that outlives the relationship.

Key takeaways

  • OT remote access still fails when it inherits network-level trust instead of identity-scoped policy.
  • Legacy industrial environments make lateral movement easier, so exposed visibility becomes the real security debt.
  • Modern OT access control should constrain each session to the smallest operational unit that the job requires.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207), NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST Zero Trust (SP 800-207)The article centres on Zero Trust access for industrial systems.
NIST CSF 2.0PR.AC-4The article is about restricting access to authorised resources only.
OWASP Non-Human Identity Top 10NHI-03Over-permissioned remote access and exposed credentials are central NHI risks in OT.
NIST SP 800-53 Rev 5AC-6Least privilege is the core control needed to limit OT lateral movement.

Apply Zero Trust principles to remote OT access so each session is explicitly verified and resource-scoped.


Key terms

  • Zero Trust Network Access: A remote access model that verifies identity and context before allowing access to specific resources. In OT, it matters because it can preserve plant communication patterns while removing the broad internal visibility that VPNs often create after login.
  • Cloaked Infrastructure: A design that keeps services, ports, and internal addresses hidden from unauthorised users until policy conditions are met. For industrial networks, this reduces reconnaissance and helps prevent lateral movement before an attacker can discover what exists inside the environment.
  • Identity-Defined Micro-Perimeter: A policy boundary built around an identity and the exact resource it needs, rather than around a subnet or network segment. In OT, this is a practical way to narrow reach without redesigning plant networks or disrupting deterministic operations.

What's in the full article

Appgate's full article covers the operational detail this post intentionally leaves for the source:

  • How Appgate's direct-routed architecture is positioned to preserve OT performance without cloud backhaul.
  • The specific mechanics of cloaked infrastructure and single packet authorization in industrial environments.
  • Examples of how the Appgate Connector is used for legacy assets and unmanaged devices.
  • The article's full breakdown of identity-based policy controls for vendor and contractor access.

👉 The full Appgate article covers direct-routed connectivity, cloaked infrastructure, and legacy asset access in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or access governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org