Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

OT remote access: is your VPN model creating lateral movement risk?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Industrial environments now depend on remote access, but VPN-centric trust still exposes broad network reach in systems built for reliability and flat connectivity, according to Appgate. Identity-based Zero Trust changes the access layer without re-architecting the plant, and network-level trust is no longer a safe assumption for OT security.

NHIMG editorial — based on content published by Appgate: Industrial Connectivity Has Changed; Security Models Haven’t

Questions worth separating out

Q: How should security teams modernize OT remote access without disrupting operations?

A: Security teams should move from network-level trust to resource-level access policies.

Q: Why do VPNs create more risk in OT than in normal enterprise networks?

A: VPNs create more risk in OT because authenticated users often inherit broad internal visibility, and industrial environments are frequently flatter, harder to segment, and less tolerant of endpoint controls.

Q: What should teams get wrong about Zero Trust in industrial environments?

A: Teams often assume Zero Trust means adding another access tool or moving traffic through a cloud broker.

Practitioner guidance

  • Map every remote access path into OT Inventory employee, contractor, vendor, and support access to PLCs, RTUs, controllers, and engineering stations.
  • Replace broad VPN reach with resource-scoped policies Define access by specific system, port, service, and context rather than by subnet or plant segment.
  • Hide exposed industrial services from unauthorised discovery Use cloaking or equivalent exposure reduction so services, ports, and internal IP addresses are not visible until policy conditions are met.

What's in the full article

Appgate's full article covers the operational detail this post intentionally leaves for the source:

  • How Appgate's direct-routed architecture is positioned to preserve OT performance without cloud backhaul.
  • The specific mechanics of cloaked infrastructure and single packet authorization in industrial environments.
  • Examples of how the Appgate Connector is used for legacy assets and unmanaged devices.
  • The article's full breakdown of identity-based policy controls for vendor and contractor access.

👉 Read Appgate's analysis of Zero Trust access for OT environments →

OT remote access: is your VPN model creating lateral movement risk?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Network-level trust is the wrong security premise for OT access. VPN design assumes that once a user is authenticated, broad internal visibility is acceptable. In industrial environments, that assumption collides with flat architectures, legacy controllers, and vendor access requirements. The result is a trust model that expands the blast radius of stolen credentials instead of constraining it. Practitioners should treat network-level access as a governance failure, not just a tooling choice.

A few things that frame the scale:

  • 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

A question worth separating out:

Q: Who is accountable when third-party access to OT systems is over-permissioned?

A: Accountability sits with the organisation that owns the industrial environment and the access lifecycle, even when a vendor performs the work. Access reviews, offboarding, and policy enforcement must be documented and owned internally, because the operational consequences of over-permissioned access remain inside the plant.

👉 Read our full editorial: Why identity-based Zero Trust is replacing VPNs in OT access



   
ReplyQuote
Share: