TL;DR: KuppingerCole’s Leadership Compass on secure remote access for OT/ICS argues that IT/OT convergence is widening attack surfaces while policy-enforced, session-monitored access becomes operationally necessary across critical sectors, according to SSH Communications Security. The governance shift is clear: remote access now depends on time-bound, auditable identity controls, not generic connectivity.
NHIMG editorial — based on content published by SSH Communications Security: secure remote access for OT/ICS and its role in industrial cybersecurity
Questions worth separating out
Q: How should security teams govern remote access in OT and ICS environments?
A: They should govern OT remote access as a session-bound control plane, not as generic connectivity.
Q: Why does secure remote access matter more in OT than in standard IT environments?
A: OT environments contain legacy assets, fragile protocols, and safety-critical processes that cannot tolerate broad, persistent access.
Q: What breaks when OT access is handled like a normal VPN connection?
A: A normal VPN model creates too much reach for an environment where access should be tightly scoped by asset, protocol, and time.
Practitioner guidance
- Inventory every OT remote access path: Document which users, contractors, and support vendors can reach each Purdue layer, then remove any direct route that bypasses the brokered access tier.
- Replace standing admin access with short-lived sessions: Issue time-bound access for maintenance and change windows, with protocol-specific rules that limit each session to the exact industrial service required.
- Centralise session monitoring and audit evidence: Send live session logs, command history, and anomaly alerts into a shared review process so operations and security can correlate access with plant changes.
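A sketch of the session-bound model in the guidance above, added here as an illustration and not taken from SSH Communications Security or any product: a broker check that allows a session only on an exact asset, protocol and time-window match, and writes an audit record for every decision. The grant structure, all names, the sample data and the 8-hour ceiling are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(hours=8)  # assumed ceiling; longer grants are treated as standing access
@dataclass(frozen=True)
class Grant:  # hypothetical: one identity, one asset, one protocol, one time window
    user: str
    asset: str
    protocol: str
    not_before: datetime
    not_after: datetime

def authorize(grants, user, asset, protocol, now, audit):
    """Deny by default; allow only on an exact, currently valid grant. Always audit."""
    decision, reason = "deny", "no matching grant"
    for g in grants:
        if (g.user, g.asset, g.protocol) != (user, asset, protocol):
            continue
        if g.not_after - g.not_before > MAX_WINDOW:
            reason = "grant window too long (standing access)"
        elif not g.not_before <= now < g.not_after:
            reason = "outside grant window"
        else:
            decision, reason = "allow", "grant valid"
            break
    audit.append({"time": now.isoformat(), "user": user, "asset": asset,
                  "protocol": protocol, "decision": decision, "reason": reason})
    return decision == "allow"

# Constructed sample data: a vendor with a two-hour Modbus window on one PLC.
T0 = datetime(2024, 1, 10, 8, 0, tzinfo=timezone.utc)
GRANTS = [
    Grant("vendor-a", "plc-07", "modbus", T0, T0 + timedelta(hours=2)),
    Grant("vendor-a", "hmi-02", "rdp", T0, T0 + timedelta(days=365)),  # standing access
]
REQUESTS = [  # (asset, protocol, minutes after T0)
    ("plc-07", "modbus", 30),   # inside the window: allowed
    ("plc-07", "ssh", 30),      # same asset, protocol not granted
    ("plc-08", "modbus", 30),   # same protocol, asset not granted
    ("plc-07", "modbus", 180),  # window has closed
    ("hmi-02", "rdp", 30),      # year-long grant rejected as standing access
]
def demo():
    audit = []
    results = [authorize(GRANTS, "vendor-a", a, p, T0 + timedelta(minutes=m), audit)
               for a, p, m in REQUESTS]
    return results, audit

if __name__ == "__main__":
    print(*demo()[1], sep="\n")
```

The audit list stands in for the centralised session log; denied requests are recorded with the same fields as allowed ones so reviewers can correlate both with plant changes.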
What's in the full report
SSH Communications Security's full analysis covers the operational detail this post intentionally leaves for the source:
- Protocol-by-protocol OT access coverage for SSH, RDP, VNC, HTTPS, Modbus, OPC UA, and DNP3.
- Deployment guidance for on-premises, Kubernetes, and air-gapped industrial environments.
- Live session monitoring, forensic logging, and compliance-oriented access evidence for industrial operations.
- How PrivX OT aligns with identity management, SIEM, and SOAR workflows in mixed IT/OT estates.