Best 10 Ways to Secure Remote Access to Industrial Controllers

Background: The New OT Perimeter is the Internet

For decades, the security strategy for Operational Technology (OT) environments, meaning Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and the Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs) at their heart, was air-gapping or network isolation. The premise was simple: if a controller isn’t connected to the corporate IT network or the internet, it’s secure.

The industrial landscape has fundamentally changed. The rise of Industry 4.0, the Industrial Internet of Things (IIoT), and the post-pandemic need for remote operations, vendor support, and continuous monitoring have all but eliminated the air gap. Remote access is no longer a luxury; it is a critical component of maintenance, efficiency, and uptime.

This convenience has introduced an unprecedented level of risk. According to recent SANS Institute reports, unauthorized external access remains a dominant cause of OT/ICS security incidents. Attackers, including sophisticated nation-state actors and opportunistic criminal groups deploying OT-aware ransomware, view the remote access pathway as the most valuable entry point to critical infrastructure.

Securing remote access to industrial controllers, the “brains” of the factory, utility, or plant, is therefore the most urgent task in industrial cybersecurity. This guide is built upon the latest frameworks, including NIST SP 800-82r3 (Guide to Operational Technology Security) and the principles of Zero Trust Architecture (ZTA), which represent the current gold standard for protecting these mission-critical systems.

The Ten Pillars of Secure OT Remote Access

The outdated “secure remote access” lists focused primarily on VPNs and firewall rules. Today’s robust strategy is a multi-layered approach, pivoting from a network-centric view to an identity-centric, least-privilege-based Zero Trust model.

Here are the ten must-implement ways to secure remote access to your industrial controllers.

1. Implement Zero Trust Network Access (ZTNA)

The shift from the traditional Virtual Private Network (VPN) model to Zero Trust Network Access (ZTNA) is perhaps the most significant update in modern OT security.

The Problem with Traditional VPNs

A traditional VPN is a binary access tool: once authenticated, it grants a remote user full network-level access to the entire segment (the trusted zone) they are connecting to. In an OT context, this is a catastrophic level of implicit trust. A compromised vendor laptop or a single set of stolen credentials can enable an attacker to move laterally across an entire control network.

The ZTNA Solution

ZTNA operates on the principle of “Never Trust, Always Verify.”

  • Granular Access: ZTNA connects the user only to the specific application, service, or, in our case, the single PLC or HMI they require for their task, not the entire network.
  • Dynamic Policies: Access is granted based on context, including user identity, device posture (is the laptop patched, does it have anti-malware?), time of day, and geographic location.
  • Micro-Segmentation: The access pathway effectively acts as a micro-segmentation layer, isolating the controller from everything else until a validated, authorized connection is established. This significantly reduces the “blast radius” of any potential breach.

2. Enforce Mandatory Multi-Factor Authentication (MFA)

MFA is no longer a “good idea”; it is the non-negotiable baseline for access to any OT system. Credentials remain the single most exploited vulnerability in remote access attacks.

MFA for Traditional and Legacy Systems

Many older PLCs and proprietary systems (RTUs, HMIs) do not natively support modern protocols like RADIUS or SAML required for typical MFA implementations. This is where modern solutions come into play:

  • Jump Server/Bastion Host MFA: All remote connections must first land on an intermediate, hardened Jump Server or Bastion Host within the IT-OT Demilitarized Zone (DMZ). This server enforces strong, modern MFA (e.g., using hardware tokens or app-based one-time passwords) before forwarding the request to the low-security controller.
  • Hardware/Biometric Overlays: For extremely sensitive or legacy devices, third-party solutions can introduce physical biometrics (like fingerprint scanners) or dynamic One-Time Authentication Codes (OTAC) that work offline, a crucial capability for disconnected OT zones.

Session Context

MFA should be re-validated periodically during long sessions or whenever the session context changes (e.g., elevated privilege requests).

3. Implement Least Privilege and Just-in-Time (JIT) Access

The principle of Least Privilege (PoLP) means users are only granted the minimum permissions necessary to perform their specific job function. For OT remote access, this is enforced with Privileged Access Management (PAM) and a JIT model.

Role-Based Access Control (RBAC)

  • Define Roles: Separate user roles into distinct, non-overlapping categories (e.g., PLC Programmer, Maintenance Viewer, SCADA Administrator).
  • Granular Permissions: A maintenance view-only role should not be able to issue a write command to a controller, which could halt or alter a process. JIT access ensures that even the PLC Programmer only gets the write permission for a defined 30-minute window, after which it is automatically revoked.

Just-in-Time Access

JIT access ensures that elevated privileges are granted only when required and only for the required duration. A user must explicitly request elevated access, provide a business justification (e.g., “PLC-5 Firmware Upgrade”), and have the request approved by a human or an automated policy engine before the short-lived, high-privilege token is issued. This eliminates standing privileges, which are a major target for attackers.
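The following is an added example, not code from the article or from any product it mentions. It shows how the ZTNA checks from pillar 1 (device posture, access to a single named asset) and the role and JIT checks from pillar 3 combine into one deny-by-default decision. The role names, request fields, posture attributes and the 30-minute grant are assumptions chosen to match the article's wording.

```python
"""Deny-by-default access-broker decision for an OT remote access request.
Added example: the roles, request fields and posture checks are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Set, Tuple

# Role -> the maximum set of operations that role may ever request (assumed names).
ROLE_OPERATIONS: Dict[str, Set[str]] = {
    "maintenance_viewer": {"read"},
    "plc_programmer": {"read", "write", "download_logic"},
    "scada_admin": {"read", "write", "configure"},
}
# Operations that additionally need an approved, unexpired JIT grant.
PRIVILEGED_OPERATIONS = {"write", "download_logic", "configure"}


@dataclass(frozen=True)
class JitGrant:
    user: str
    asset: str
    operations: FrozenSet[str]
    approved_by: str
    expires_at: datetime


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    asset: str            # the single controller requested, e.g. "PLC-5"
    operation: str
    device_patched: bool  # posture attributes reported by the endpoint agent (assumed)
    device_antimalware: bool
    now: datetime


def approve_jit(user: str, asset: str, operations: Set[str], approved_by: str,
                now: datetime, minutes: int = 30) -> JitGrant:
    """Issue a short-lived grant; the article's example window is 30 minutes."""
    return JitGrant(user, asset, frozenset(operations), approved_by,
                    now + timedelta(minutes=minutes))


def evaluate(req: AccessRequest, grants: List[JitGrant],
             entitlements: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the first failure wins."""
    # 1. Device posture: an unpatched or unprotected endpoint never connects.
    if not (req.device_patched and req.device_antimalware):
        return False, "device posture failed"
    # 2. Granular access: the user is entitled to this one asset, not the segment.
    if req.asset not in entitlements.get(req.user, set()):
        return False, f"user not entitled to {req.asset}"
    # 3. Role ceiling: the operation must be within the role's permissions.
    if req.operation not in ROLE_OPERATIONS.get(req.role, set()):
        return False, f"role {req.role} may not {req.operation}"
    # 4. JIT: privileged operations need a live grant for this user and asset.
    if req.operation in PRIVILEGED_OPERATIONS:
        live = [g for g in grants
                if g.user == req.user and g.asset == req.asset
                and req.operation in g.operations and g.expires_at > req.now]
        if not live:
            return False, "no approved JIT grant in effect"
    return True, "allowed"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: a programmer entitled to PLC-5, a viewer entitled to HMI-2."""
    t0 = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)
    entitlements = {"alice": {"PLC-5"}, "bob": {"HMI-2"}}
    grants = [approve_jit("alice", "PLC-5", {"write", "download_logic"}, "shift_lead", t0)]

    def req(user, role, asset, op, now=t0, patched=True, av=True):
        return AccessRequest(user, role, asset, op, patched, av, now)

    return {
        "viewer_write": evaluate(req("bob", "maintenance_viewer", "HMI-2", "write"), grants, entitlements),
        "programmer_read_no_grant": evaluate(req("alice", "plc_programmer", "PLC-5", "read"), [], entitlements),
        "programmer_write_no_grant": evaluate(req("alice", "plc_programmer", "PLC-5", "write"), [], entitlements),
        "programmer_write_in_window": evaluate(req("alice", "plc_programmer", "PLC-5", "write"), grants, entitlements),
        "programmer_write_expired": evaluate(
            req("alice", "plc_programmer", "PLC-5", "write", now=t0 + timedelta(minutes=31)), grants, entitlements),
        "programmer_wrong_asset": evaluate(req("alice", "plc_programmer", "PLC-7", "read"), grants, entitlements),
        "unpatched_device": evaluate(req("alice", "plc_programmer", "PLC-5", "read", patched=False), grants, entitlements),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:28s} {'ALLOW' if ok else 'DENY '} {reason}")
```

Note that a read request from the programmer passes without any grant, while the same user's write request is refused one minute after the grant lapses: there is no standing write privilege to steal.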

4. Prioritize Vendor Access Management and Isolation

Third-party vendors and external system integrators (SIs) often present the highest remote access risk. They frequently require access to the most sensitive controllers (PLCs, HMIs) and often use their own less-secure devices.

Dedicated, Isolated Access Tunnels

  • No Shared VPNs: Vendor access must never share the same VPN pools or credentials used by internal staff.
  • Dedicated Access Solution: A dedicated solution, often a separate appliance or cloud service, must broker vendor connections. This platform must enforce the ZTNA and JIT principles, isolating the vendor to only the specific assets they are contracted to maintain (e.g., only the one robot’s controller, not the entire assembly line network).

Managed Session Controls

  • One-Time Credentials: Issue credentials that expire immediately upon session termination.
  • Disable After-Hours Access: Restrict all vendor access to pre-scheduled, pre-approved maintenance windows. Any access attempt outside this window should trigger an immediate high-priority alert.

5. Segment the OT Network (The Foundation of Defense)

Security controls on the remote access path are useless if the OT network structure allows an attacker to easily jump from one controller to another after the initial breach. Network segmentation is the bedrock of defense-in-depth for OT environments.

The IEC 62443 Zone and Conduit Model

The international standard IEC 62443 mandates separating the industrial environment into Zones (groups of assets with similar security requirements, e.g., the Control Zone, the Safety Zone) and controlling traffic between them using Conduits (secure paths enforced by firewalls).

  • OT DMZ (Industrial Demilitarized Zone): This is the mandatory buffer zone between the corporate IT network and the core OT control network. All remote access traffic (and any communication between IT and OT) must terminate here. The DMZ hosts the jump servers, data historians, and secure remote access gateways.
  • Process Segments: Even within the OT network, controllers should be segregated. For example, the PLC for the water pump station should not be able to communicate directly with the PLC for the chemical treatment unit.

6. Enforce Session Recording and Auditing

In an OT environment, accountability for actions is paramount because a single command can have real-world physical and safety consequences. If a process stops, or if an asset configuration is changed, you must know exactly who did it, and when.

Comprehensive Session Logging

  • Record Everything: Every remote session, whether via RDP, SSH, or vendor-specific protocol, must be recorded and indexed. Logs should capture:
    • User Identity (via the MFA and JIT system).
    • Start/Stop Time and Duration.
    • Source IP and Target Controller (PLC/RTU) IP.
    • Protocol Used (e.g., RDP, Modbus TCP, EtherNet/IP).
  • Video Recording (for RDP/VNC): Remote desktop sessions (RDP/VNC to HMIs or engineering workstations) should be video-recorded, much like security footage. This provides an indisputable record of the user’s graphical actions.

Real-Time Monitoring and Alerting

The system must actively monitor the content of the remote session in real-time, looking for anomalous commands (e.g., an engineer running a shell command instead of opening the PLC software) and immediately generating an alert.
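As an added example (not the article's code, and not any product's), the following runs three detection rules over constructed session log lines carrying the fields listed under "Record Everything": a vendor session starting outside its pre-approved maintenance window (pillar 4), a write from a view-only role (pillar 3), and a shell program launched inside a remote desktop session (the anomalous-command case above). The key=value log format, the user and role names, and the maintenance window are assumptions.

```python
"""Detection rules over constructed OT remote-session log lines.
Added example: the log format, names and maintenance windows are assumptions."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample log lines (assumed key=value format, UTC timestamps).
SAMPLE_LOG = """\
2024-06-03T09:02:11Z user=alice role=plc_programmer src=10.20.5.14 target=PLC-5 proto=EtherNet/IP action=session_start
2024-06-03T09:05:40Z user=alice role=plc_programmer src=10.20.5.14 target=PLC-5 proto=EtherNet/IP action=write
2024-06-03T09:07:02Z user=alice role=plc_programmer src=10.20.5.14 target=EWS-1 proto=RDP action=exec cmd=cmd.exe
2024-06-03T10:15:00Z user=bob role=maintenance_viewer src=10.20.5.31 target=PLC-9 proto=ModbusTCP action=write
2024-06-03T02:14:09Z user=acme-svc role=vendor src=203.0.113.7 target=PLC-12 proto=EtherNet/IP action=session_start
2024-06-03T14:30:00Z user=acme-svc role=vendor src=203.0.113.7 target=PLC-12 proto=EtherNet/IP action=session_start
"""

# Vendor account -> approved maintenance window (constructed).
MAINTENANCE_WINDOWS: Dict[str, Tuple[datetime, datetime]] = {
    "acme-svc": (datetime(2024, 6, 3, 14, 0, tzinfo=timezone.utc),
                 datetime(2024, 6, 3, 16, 0, tzinfo=timezone.utc)),
}
READ_ONLY_ROLES = {"maintenance_viewer"}
WRITE_ACTIONS = {"write", "download_logic"}
# Interactive shells that have no place in a session opened to run PLC software.
SHELL_PROGRAMS = {"cmd.exe", "powershell.exe", "sh", "bash"}


def parse_line(line: str) -> Dict[str, object]:
    """Split '<timestamp> k=v k=v ...' into a dict with a tz-aware 'ts'."""
    fields = line.split()
    event: Dict[str, object] = dict(f.split("=", 1) for f in fields[1:])
    event["ts"] = datetime.fromisoformat(fields[0].replace("Z", "+00:00"))
    return event


def detect(log_text: str, windows: Dict[str, Tuple[datetime, datetime]]) -> List[Dict[str, str]]:
    """Apply each rule to each event; return alerts in log order."""
    alerts: List[Dict[str, str]] = []

    def alert(ev, rule, severity, detail):
        alerts.append({"rule": rule, "severity": severity, "user": str(ev["user"]),
                       "target": str(ev["target"]), "ts": ev["ts"].isoformat(), "detail": detail})

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Rule 1: vendor session outside its approved window (or with no window at all).
        if ev["role"] == "vendor" and ev["action"] == "session_start":
            window = windows.get(str(ev["user"]))
            if window is None or not (window[0] <= ev["ts"] < window[1]):
                alert(ev, "vendor_outside_window", "high", "vendor session outside approved maintenance window")
        # Rule 2: a write-class action issued under a view-only role.
        if ev["action"] in WRITE_ACTIONS and ev["role"] in READ_ONLY_ROLES:
            alert(ev, "write_from_read_only_role", "high", f"{ev['role']} issued {ev['action']}")
        # Rule 3: a shell launched inside a remote session.
        if ev["action"] == "exec" and str(ev.get("cmd", "")).rsplit("/", 1)[-1].lower() in SHELL_PROGRAMS:
            alert(ev, "shell_in_session", "medium", f"shell {ev['cmd']} executed over {ev['proto']}")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, MAINTENANCE_WINDOWS):
        print(f"[{a['severity']}] {a['ts']} {a['rule']}: {a['user']} -> {a['target']} ({a['detail']})")
```

The vendor's 14:30 session falls inside its window and produces nothing; the 02:14 session on the same account is the one that should page someone. A production rule set would also correlate the target field against the user's approved JIT scope, which needs the grant data the access broker holds.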

7. Harden and Maintain the Access Gateway (The Jump Server)

The Jump Server, Bastion Host, or Remote Access Gateway is the bridge between the untrusted external world and your trusted controllers. It is a high-value target that must be protected with extreme diligence.

Technical Hardening

  • Disable Unnecessary Services: Remove all non-essential operating system services, unnecessary applications (like web browsers), and default user accounts.
  • Application Whitelisting: Allow only the specific remote access software (e.g., the RDP client, the SSH client, or a specific vendor tool) to execute. This prevents an attacker from uploading and running malware.
  • Operating System Patching: The gateway must be on a regular, enforced patching schedule, unlike many controllers.

Protocol Control

The gateway must act as a protocol break: it terminates the secure, authenticated remote access session and originates a fresh connection toward the controller in the native protocol it needs (e.g., RDP, SSH). This ensures the authentication and encryption layers are applied before the traffic enters the OT network.

8. Securely Manage Credentials for Controllers

While modern access is centralized on the ZTNA/PAM platform, the controllers themselves (PLCs, RTUs) still have local credentials, often static and poorly secured, which are needed by the remote user.

Credential Vaulting and Rotation

  • Automated Credential Injection: The PAM solution should manage the actual PLC credentials in a secure vault. When a JIT session is approved, the PAM solution injects the controller’s password directly into the session without exposing it to the remote user.
  • Forced Rotation: Implement an automated policy to regularly rotate controller passwords, especially for vendor accounts, even if the native controller software doesn’t easily support it. This prevents the long-term use of static, easily-guessed passwords.

9. Maintain a Comprehensive OT Asset Inventory

You cannot secure what you don’t know exists. The problem of “Shadow OT”, unauthorized or unknown controllers, is rampant in industrial environments, often appearing as a maintenance technician’s forgotten wireless access point or a temporary controller left connected.

Discovery and Configuration Management

  • Continuous Discovery: Employ passive, OT-native network monitoring tools to continuously discover all devices (PLCs, HMIs, network gear) on the network. This must be done without creating excessive traffic that could disrupt control processes.
  • Baseline and Change Control: Establish a secure, known baseline configuration for every remote-accessible controller. The system should alert on any change to this baseline, whether it’s an operating system setting, a port being opened, or new control logic being uploaded. A remote user should only be allowed to make configuration changes that align with their approved JIT request.
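The following added example (not the article's or any vendor's code) shows the baseline comparison described above: a stored baseline for one controller is compared against a fresh snapshot, every difference is categorized, and anything outside the scope of the approved JIT request is flagged. The snapshot fields, the port numbers other than EtherNet/IP's 44818, the settings names and the "logic" change scope are assumptions; the ladder-logic exports are constructed byte strings.

```python
"""Baseline drift detection for a remote-accessible controller.
Added example: snapshot fields, settings names and the approved scope are assumptions."""
import hashlib
from typing import Dict, List, Set, Tuple

Change = Tuple[str, str, str]  # (field, old value, new value)


def logic_fingerprint(logic_export: bytes) -> str:
    """Hash the controller's logic export so that any uploaded change is visible."""
    return hashlib.sha256(logic_export).hexdigest()


# Constructed baseline captured when PLC-5 was last known-good.
BASELINE: Dict[str, dict] = {
    "PLC-5": {
        "firmware": "20.011",
        "open_tcp_ports": {44818},  # EtherNet/IP explicit messaging
        "logic_sha256": logic_fingerprint(b"constructed ladder logic export v1"),
        "settings": {"remote_program_mode": False, "web_server": False},
    }
}

# Constructed snapshot taken after a remote session: new logic, a new port, a flipped setting.
CURRENT: Dict[str, dict] = {
    "PLC-5": {
        "firmware": "20.011",
        "open_tcp_ports": {44818, 80},
        "logic_sha256": logic_fingerprint(b"constructed ladder logic export v2"),
        "settings": {"remote_program_mode": False, "web_server": True},
    }
}

# What the approved JIT request for this asset covered (constructed: a logic download only).
APPROVED_SCOPE: Dict[str, Set[str]] = {"PLC-5": {"logic"}}


def diff_snapshot(baseline: dict, current: dict) -> List[Change]:
    """List every field that differs between the baseline and the current snapshot."""
    changes: List[Change] = []
    if baseline["firmware"] != current["firmware"]:
        changes.append(("firmware", baseline["firmware"], current["firmware"]))
    for port in sorted(current["open_tcp_ports"] - baseline["open_tcp_ports"]):
        changes.append((f"port_opened:{port}", "closed", "open"))
    for port in sorted(baseline["open_tcp_ports"] - current["open_tcp_ports"]):
        changes.append((f"port_closed:{port}", "open", "closed"))
    if baseline["logic_sha256"] != current["logic_sha256"]:
        changes.append(("logic_sha256", baseline["logic_sha256"][:12], current["logic_sha256"][:12]))
    for key in sorted(set(baseline["settings"]) | set(current["settings"])):
        old, new = baseline["settings"].get(key), current["settings"].get(key)
        if old != new:
            changes.append((f"settings.{key}", str(old), str(new)))
    return changes


def category(field: str) -> str:
    """Map a changed field onto the scope vocabulary used by JIT requests."""
    if field.startswith("port_"):
        return "network"
    if field.startswith("settings."):
        return "settings"
    if field == "logic_sha256":
        return "logic"
    return field  # e.g. "firmware"


def unapproved_changes(asset: str, changes: List[Change], scope: Dict[str, Set[str]]) -> List[Change]:
    """Changes whose category was not part of the approved request become alerts."""
    allowed = scope.get(asset, set())
    return [c for c in changes if category(c[0]) not in allowed]


def demo(asset: str = "PLC-5") -> Tuple[List[Change], List[Change]]:
    changes = diff_snapshot(BASELINE[asset], CURRENT[asset])
    return changes, unapproved_changes(asset, changes, APPROVED_SCOPE)


if __name__ == "__main__":
    all_changes, flagged = demo()
    for field, old, new in all_changes:
        mark = "ALERT" if (field, old, new) in flagged else "ok   "
        print(f"{mark} {field}: {old} -> {new}")
```

The logic change is exactly what the request authorized and passes quietly; the opened TCP port 80 and the enabled web server were not requested and are raised as alerts, which is the link between change control and the JIT approval that pillar 3 describes.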

10. Conduct Regular Disaster Recovery and Incident Response Testing

The best security controls are useless if the team is unprepared for an incident. The remote access path is a key element of both the attack surface and the response strategy.

Remote Access Scenarios for Tabletop Exercises

Your Incident Response (IR) plan must specifically address scenarios involving the remote access channel:

  • Compromised Vendor Account: What is the procedure for immediately revoking all access for a specific vendor account, even if they are mid-session?
  • Ransomware Entry: If an attacker gains access via a remote desktop session and attempts to launch malware, what are the immediate steps to isolate the jump server and the compromised controller without disrupting the rest of the plant?
  • Secure Response Access: In an outage, how do internal IR team members gain emergency, high-privilege access to the controllers when normal systems are down (e.g., bypassing a failed MFA server)? These emergency procedures must be documented, practiced, and highly auditable.

Regulatory Alignment

Ensure your remote access policies and controls align with current regulatory requirements, such as NERC CIP (for electric utilities), CISA guidelines, and the latest version of the ISA/IEC 62443 standards, particularly the requirements for secure remote access and component security.

The modern threat landscape has forced industrial organizations to abandon implicit trust. Securing remote access to your industrial controllers requires a fundamental shift in strategy, adopting an identity-driven, least-privilege approach championed by Zero Trust Architecture. By implementing these ten comprehensive pillars, your organization can leverage the efficiency of remote operations while drastically reducing the risk of a catastrophic cyber event.
