
OT and ICS secure remote access: what IAM teams need to rethink


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Industrial secure remote access is shifting from a connectivity layer to an identity control point as Zero Trust, third-party access, session recording, and microsegmentation become baseline requirements in OT and ICS environments, according to SSH Communications Security and KuppingerCole. The governance gap is no longer tunnel security but whether access can be contextual, monitored, and revoked before operational risk spreads.

NHIMG editorial — based on content published by SSH Communications Security: secure remote access for OT and ICS environments

By the numbers:

Questions worth separating out

Q: How should security teams govern remote access in OT and ICS environments?

A: Security teams should govern OT and ICS remote access as privileged identity access with session controls, not as a simple VPN or tunnel problem.

Q: Why do third-party vendors create extra risk in industrial access models?

A: Third-party vendors increase risk because their access is often durable, broad, and difficult to monitor across legacy OT systems.

Q: What breaks when session monitoring is missing from industrial remote access?

A: Without session monitoring, organisations lose the ability to see what a privileged user or vendor actually did inside the environment.

Practitioner guidance

  • Classify OT remote access as privileged identity access: treat remote support for industrial systems as a privileged identity path, not generic connectivity.
  • Replace persistent vendor access with time-bound sessions: use just-in-time access for maintenance and support tasks, with explicit expiry tied to the work order or session closure.
  • Record and inspect privileged industrial sessions: enable session recording, command logging, and real-time intervention for every privileged OT or ICS access path.
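One way to put those three points into working form, as an added example that is not from SSH Communications Security or the PrivX product: a minimal access broker that issues a vendor grant only against an open work order, expires it on a fixed TTL or when the work order closes, lets an operator revoke it mid-session, and re-checks and records every command. Vendor, asset and work-order names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Grant:
    vendor: str           # hypothetical vendor identity, e.g. "acme-support"
    asset: str            # hypothetical OT asset, e.g. "plc-line-3"
    work_order: str       # the maintenance ticket the grant is tied to
    expires_at: datetime  # hard expiry, independent of ticket state
    revoked: bool = False
    log: list = field(default_factory=list)  # recorded (timestamp, command) pairs

class AccessBroker:
    """Issues just-in-time vendor grants bound to an open work order."""
    def __init__(self):
        self.grants = {}            # (vendor, asset) -> Grant
        self.open_work_orders = set()
    def open_work_order(self, wo):
        self.open_work_orders.add(wo)
    def close_work_order(self, wo):
        # Session closure: every grant issued against the ticket dies with it.
        self.open_work_orders.discard(wo)
        for g in self.grants.values():
            if g.work_order == wo:
                g.revoked = True
    def issue(self, vendor, asset, wo, now, ttl_minutes=60):
        if wo not in self.open_work_orders:
            raise PermissionError("no open work order")  # no approved task, no access
        g = Grant(vendor, asset, wo, now + timedelta(minutes=ttl_minutes))
        self.grants[(vendor, asset)] = g
        return g
    def revoke(self, vendor, asset):
        # Real-time intervention by an operator watching the session.
        g = self.grants.get((vendor, asset))
        if g is not None:
            g.revoked = True
    def authorize(self, vendor, asset, now):
        g = self.grants.get((vendor, asset))
        return g is not None and not g.revoked and now < g.expires_at
    def run_command(self, vendor, asset, command, now):
        # Each command is re-checked against the live grant and recorded.
        if not self.authorize(vendor, asset, now):
            return False
        self.grants[(vendor, asset)].log.append((now.isoformat(), command))
        return True
```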

What's in the full article

SSH Communications Security's full article covers the operational detail this post intentionally leaves for the source:

  • A deeper breakdown of the six OT and ICS access challenges discussed in the analyst session.
  • Specific capability mapping for PrivX OT across browser-based access, keyless authentication, and session recording.
  • Deployment considerations for on-prem, cloud, Kubernetes, and airgapped industrial environments.
  • The analyst's full commentary on why Zero Trust access and least privilege are becoming central to industrial security.

👉 Read SSH Communications Security's analysis of secure remote access for OT and ICS →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

Secure remote access has become an identity governance problem, not a networking feature. OT and ICS environments now depend on access brokers, policy engines, and session controls to decide who can enter and what they can do. That shifts SRA into the same governance conversation as PAM and NHI oversight, because the central risk is unmanaged privilege across operational sessions. Practitioners should treat secure remote access as part of identity control architecture, not a connectivity afterthought.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when an OT remote access path is abused?

A: Accountability sits with the organisation that defined the access model, the operational owner that approved it, and the governance team that failed to constrain it. For industrial environments, accountability is not just about authentication success. It also includes segmentation, monitoring, and revocation discipline across the full access lifecycle.

👉 Read our full editorial: Secure remote access for OT and ICS needs identity-first control


