TL;DR: Remote access is moving from a maintenance convenience to a primary CPS attack vector, with Gartner warning that attacks using remote access may grow from negligible levels to more than 20% by 2029, while shadow access and legacy VPN-style tools leave operators with poor visibility and overly broad privilege. The governing assumption that network access equals safe operational access is no longer valid.
NHIMG editorial — based on content published by SSH Communications Security: secure remote access for CPS and the shift from connectivity to secure operations
By the numbers:
- By 2029, the percentage of attacks on CPS using remote access vectors will grow from negligible numbers to over 20%.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, and organisations failing to scope AI access properly are 4.5x more likely to experience a security incident.
Questions worth separating out
Q: What breaks when remote access into CPS is treated like ordinary IT access?
A: Ordinary IT access controls stop at network connectivity, but CPS risk lives in the commands that follow.
Q: Why do legacy VPNs and jump servers create risk in industrial environments?
A: They create broad authenticated access without enough awareness of what the session is allowed to do.
Q: What do security teams get wrong about shadow access in CPS?
A: They often treat shadow access as a visibility problem alone, when it is also a lifecycle and accountability problem.
Practitioner guidance
- Map every CPS remote path to an owner and an expiry condition: inventory VPNs, jump servers, OEM tunnels, and ad hoc support connections, and treat any path without an owner or expiry as shadow access to be retired.
- Enforce command-level least privilege for remote sessions: scope access to specific devices, applications, and protocol actions so that a legitimate support session cannot issue unsafe write commands.
- Replace network-only trust with protocol-aware controls: use controls that parse native industrial protocols and block unauthorized actions before they reach physical equipment.
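The following is an added example, not code from SSH Communications Security, Gartner, or the NHIMG post, showing what command-level least privilege and protocol awareness look like in practice. It assumes Modbus/TCP as the sample industrial protocol (the page does not name one); the session policy fields, the device and register numbers, and the request frames are all constructed for illustration. The check parses the MBAP header and function code of each request and denies anything outside the session's owner-scoped device, action, and address-range allowances, or after the session's expiry.

```python
"""Added example: protocol-aware allow/deny for Modbus/TCP requests in a
remote support session. Modbus is an assumed sample protocol; policy
values and frames below are constructed, not taken from the article."""
from dataclasses import dataclass, field
import struct
import time

# Modbus application-protocol function codes
READ_COILS, READ_DISCRETE, READ_HOLDING, READ_INPUT = 0x01, 0x02, 0x03, 0x04
WRITE_COIL, WRITE_REG, WRITE_COILS, WRITE_REGS = 0x05, 0x06, 0x0F, 0x10
READ_FC = {READ_COILS, READ_DISCRETE, READ_HOLDING, READ_INPUT}
WRITE_FC = {WRITE_COIL, WRITE_REG, WRITE_COILS, WRITE_REGS}


@dataclass
class SessionPolicy:
    """Least-privilege scope for one remote session (assumed schema)."""
    owner: str                 # accountable party for this access path
    expires_at: float          # unix time; the session dies with it
    unit_ids: set              # Modbus unit IDs (devices) in scope
    function_codes: set        # protocol actions the session may issue
    write_ranges: list = field(default_factory=list)  # (start, end) inclusive


def parse_request(frame: bytes):
    """Parse MBAP header + PDU; return (unit_id, fc, start_addr, count)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not Modbus (0)")
    if length != len(frame) - 6:          # length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame")
    fc = frame[7]
    start = count = None
    if fc in READ_FC | {WRITE_COILS, WRITE_REGS}:
        if len(frame) < 12:
            raise ValueError("PDU too short for address/quantity")
        start, count = struct.unpack(">HH", frame[8:12])
    elif fc in (WRITE_COIL, WRITE_REG):
        if len(frame) < 12:
            raise ValueError("PDU too short for address/value")
        start, count = struct.unpack(">H", frame[8:10])[0], 1
    return unit, fc, start, count


def check_request(policy: SessionPolicy, frame: bytes, now=None):
    """Return (allowed, reason). Deny-by-default on expiry, parse
    failure, out-of-scope device, unpermitted action, or write range."""
    now = time.time() if now is None else now
    if now >= policy.expires_at:
        return False, f"session for {policy.owner} expired"
    try:
        unit, fc, start, count = parse_request(frame)
    except ValueError as err:
        return False, f"malformed request dropped: {err}"
    if unit not in policy.unit_ids:
        return False, f"unit {unit} not in session scope"
    if fc not in policy.function_codes:
        return False, f"function code 0x{fc:02X} not permitted"
    if fc in WRITE_FC:
        end = start + count - 1
        if not any(lo <= start and end <= hi for lo, hi in policy.write_ranges):
            return False, f"write to registers {start}-{end} outside permitted ranges"
    return True, "allowed"


def mbap(unit: int, pdu: bytes, tid: int = 1) -> bytes:
    """Wrap a PDU in an MBAP header (constructed test frames only)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic from an OEM support session
SAMPLE_FRAMES = {
    "read_holding":       mbap(1, bytes([READ_HOLDING, 0x00, 0x00, 0x00, 0x0A])),
    "write_setpoint":     mbap(1, bytes([WRITE_REG, 0x00, 0x28, 0x01, 0xF4])),  # reg 40 := 500
    "write_out_of_scope": mbap(1, bytes([WRITE_REG, 0x01, 0xF4, 0x00, 0x00])),  # reg 500
    "bulk_write":         mbap(1, bytes([WRITE_REGS, 0x00, 0x28, 0x00, 0x02, 0x04, 0, 1, 0, 2])),
    "other_device":       mbap(2, bytes([READ_HOLDING, 0x00, 0x00, 0x00, 0x0A])),
}

NOW = 1_700_000_000.0   # fixed clock so the example is deterministic
POLICY = SessionPolicy(                       # assumed, illustrative scope
    owner="oem-support", expires_at=NOW + 3600, unit_ids={1},
    function_codes=READ_FC | {WRITE_REG}, write_ranges=[(40, 49)])


def demo(now: float = NOW) -> dict:
    """Evaluate every sample frame against POLICY at the given time."""
    return {name: check_request(POLICY, frame, now)
            for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

The point of the example is the granularity: the same authenticated session is allowed to read and to write one setpoint range on one device, but a write to another register, a bulk write, or any access to a second unit is dropped before it reaches the PLC, and every decision is tied to a named owner and an expiry rather than to network reachability.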
What's in the full article
SSH Communications Security's full report covers the operational detail this post intentionally leaves for the source:
- Gartner's market framing on why secure remote access is moving from connectivity to secure operations.
- The specific capabilities the market guide associates with CPS remote access, including just-in-time access and elimination of standing privilege.
- The regulatory context behind the shift, including IEC 62443, NIS2, NERC CIP, and NIST SP 800-82.
- The practical distinctions between agentless architectures, protocol awareness, and session recording in CPS environments.
👉 Read SSH Communications Security's analysis of secure remote access for CPS →
CPS remote access and shadow access: are controls keeping up?