Remote access to OT (Operational Technology) is a current topic for many companies. Being able to monitor or maintain industrial systems remotely offers major advantages in efficiency and response time. At the same time, it involves serious risks if it is set up insecurely. In this article, we discuss the challenges and risks of traditional remote access such as TeamViewer or direct VPN connections, highlight secure alternatives and link them to Zero Trust architecture and Identity Management.
Remote Access to OT: Challenges and Risks
OT systems (e.g. DCS, SCADA, PLCs) are designed for reliability and physical safety, often without strong built-in IT security. When these industrial networks are suddenly made externally accessible, the “attack surface” increases. Here are the important challenges and risks:
- Proliferation of remote access tools: In practice, OT networks are often made accessible with a mixed bag of tools (TeamViewer, VNC, OEM tools, etc.). An analysis of 50,000 OT devices showed that 55% had at least four remote access tools running. This “sprawl” creates security vulnerabilities, especially when the tools do not offer enterprise-grade security. Many of them lack basic measures such as multi-factor authentication (MFA) or role-based access control (RBAC).
- TeamViewer and similar tools: Easy-to-use remote desktop tools are popular, but they are also on the radar of hackers. Kaspersky warned as early as 2020 about TeamViewer attacks on OT/ICS systems. Incidents in which malware was installed through abuse of TeamViewer were reported in 2023 and 2024. And in Florida, a water installation was tampered with by someone who had inadvertently been given access via TeamViewer.
- Direct VPN access: Traditional VPNs often create an “all-or-nothing” connection. Once connected, an external user typically gets broad network access, which you do not want, because it violates the least privilege principle of the Zero Trust philosophy. In addition, stolen VPN credentials and misconfigurations are known causes of incidents (e.g. the Colonial Pipeline hack in 2021 started with a stolen VPN password). In short, VPNs provide overly broad access, which makes them a target for ransomware.
- Lack of monitoring and logging: Many remote sessions in OT are logged poorly or not at all. Claroty's Team82 research team highlights in a white paper that most legacy tools have no session monitoring or auditing, even though this is very important. Without insight into who is logging in remotely and what is happening, changes can go unnoticed (until things go wrong, of course). Without that insight you never get a grip on incident response and compliance, both of which start with one thing: visibility.
- Third-Party and OEM Access: OT environments rely on many external suppliers/technicians for maintenance. Managing hundreds of contractors who log in remotely is complex and risky. Without central and active management, passwords can be shared or accounts remain active even when a contract expires. This also increases the risk of abuse.
Uncontrolled or outdated remote access methods leave OT systems vulnerable to attackers. It is time for organizations to realize that remote access is one of the most dangerous vulnerabilities in OT.
Zoom in: Why TeamViewer and traditional VPN fall short
Let's take a closer look at the two commonly used solutions — TeamViewer-like tools and VPN — and why they fall short in a modern OT security strategy:
TeamViewer (and similar tools)
These tools are useful for remote login, but they are often not secure enough. They run on the device itself (such as a control panel) and are sometimes the only layer between the Internet and an important system. That's dangerous: if the TeamViewer client on an HMI (Human-Machine Interface), for example, is not up to date or is poorly configured, an attacker can take it over and gain direct control of the system. In addition, these tools often rely on fixed IDs or passwords.
This leads to a common bad practice: sharing one TeamViewer account among multiple technicians, which is unfortunately widespread for practical reasons. Monitoring is also often limited: without session recording, you won't know afterwards what changes a technician has made. Finally, these tools lag behind in applying Zero Trust principles, where you can only reach the parts you need and you repeatedly have to prove that it's really you. To refer back to the Florida water installation hack: it could have been prevented this way.
Direct VPN access
Traditional VPNs have long been the standard, but they are not a good fit for OT environments. As mentioned earlier, they violate network segmentation and least privilege principles. There are also operational disadvantages: VPN connections often remain open for a long time, even when the user does not actively need them. This leaves a port open that attackers can abuse (for example via vulnerable, unpatched VPN servers). In addition, a VPN lets all of the user's traffic flow into the (OT) network, including potential malware, which can disrupt production processes or disable safety mechanisms.
In short, there is broad consensus that “just opening a VPN” is not enough for strong OT security.
Safe Alternatives and Best Practices for OT Remote Access
Fortunately, there are now several safe alternatives to TeamViewer or direct VPN that are better suited to OT. These solutions use principles such as Zero Trust Network Access (ZTNA), least privilege, strong identity and access control, and comprehensive logging. The important pillars of a secure OT remote access approach:
1. Zero Trust Network Access (ZTNA) instead of VPN
Zero Trust is the security principle of “never trust, always verify”. Access is not granted based on network position (as with a VPN), but per session, based on identity, context and continuously verifiable criteria. For remote OT access, this means in concrete terms:
- Specific access per application or asset: Instead of making an entire OT network available via VPN, ZTNA only provides access to specific OT systems or applications for which the user is authorized. For example: a supplier only has access to the HMI system of line 3, nothing else. This drastically limits the impact of a possible hack.
- Micro-segmentation & “invisibility”: ZTNA ensures that OT systems are not visible to unauthorized persons. Assets such as applications or PLCs are not directly reachable from the internet. A user must first log in via the ZTNA broker; only then is a secure connection set up to that one device. As a result, there is less chance of attacks, because malicious actors can't find anything to attack in the first place.
- Continuous verification: Where a VPN usually authenticates once at login, Zero Trust keeps monitoring you throughout the session. Each action is checked for whether it is safe and allowed. For example: you get an extra MFA check for sensitive actions, or the system detects abnormal behavior and blocks the session immediately.
- Contextual policies: Zero Trust can take the device and its context into account. Only a pre-authorized, secure laptop can enter the OT environment. This way you can require that external connections only come from laptops with current patches, encryption, antivirus, etc. This prevents an unsecured, malware-ridden device from gaining access.
In short, a Zero Trust approach offers a much safer alternative to VPN. Various solutions offer this, such as Palo Alto Prisma Access and Cloudflare Access, but also Microsoft's own Azure AD Entra Private Access. These solutions ensure that remote users can only reach the strictly necessary OT resources, via a secure connection. In practical terms, even if an attacker obtained a supplier's login details, they can't simply roam around the OT network.
2. Identity & Access Management (IAM)
Identity is at the heart of Zero Trust, not IP addresses. For secure OT remote access, this means:
- Unique accounts + role-based access: No more shared logins. Each user gets a personal account with access to only what is necessary (least privilege).
- MFA required: Remote access always via MFA and an encrypted connection.
- Vendor Management: Use guest accounts or federated identity (e.g. Azure AD B2B) to provide secure access to external parties.
- Just-In-Time Access: Temporary access on demand, automatically expiring after use.
- Strong device/network policy: Use Conditional Access to link access to device status, time, location, etc.
By integrating IAM into OT remote access, “Remote OT Management” becomes a controlled and centrally managed extension of your existing security policy. No more separate VPN accounts that linger after a project: your CISO and IT management manage everything from one central location.
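The per-asset, device-aware and time-bounded access decision that the ZTNA section and the IAM section above describe, written out as an added Python example (this is not code from the article or from any of the products named); the asset names, the technician account and the four-hour grant are constructed for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Actions that need a fresh MFA challenge even inside an authenticated session (constructed list)
SENSITIVE_ACTIONS = {"write_setpoint", "firmware_update", "download_logic"}

@dataclass(frozen=True)
class Device:
    managed: bool      # enrolled in your MDM/EDR, not a contractor's private laptop
    compliant: bool    # posture check passed: patched, disk encrypted, antivirus running

@dataclass(frozen=True)
class Grant:
    user: str
    asset: str                 # one OT asset, e.g. "HMI-line3", never "the OT network"
    actions: frozenset[str]    # least privilege: only the actions the job needs
    expires: datetime          # just-in-time: the grant expires on its own

@dataclass(frozen=True)
class Request:
    user: str
    asset: str
    action: str
    device: Device
    mfa_verified: bool         # MFA passed at session start
    step_up_verified: bool     # fresh MFA for this specific action
    now: datetime
def decide(req: Request, grants: list[Grant]) -> str:
    """Return 'allow' or the denial reason. Every check is per request, never per network."""
    if not req.mfa_verified:
        return "deny:mfa_required"
    if not (req.device.managed and req.device.compliant):
        return "deny:device_not_compliant"
    grant = next((g for g in grants if g.user == req.user and g.asset == req.asset), None)
    if grant is None:
        return "deny:no_grant_for_asset"     # the asset stays invisible to this user
    if req.now >= grant.expires:
        return "deny:grant_expired"          # JIT window closed, nothing to revoke by hand
    if req.action not in grant.actions:
        return "deny:action_not_permitted"
    if req.action in SENSITIVE_ACTIONS and not req.step_up_verified:
        return "deny:step_up_mfa_required"   # continuous verification inside the session
    return "allow"
# Constructed scenario: a supplier technician with a 4-hour grant on one HMI only
T0 = datetime(2025, 3, 2, 9, 0, tzinfo=timezone.utc)
GRANTS = [Grant("vendor.anna", "HMI-line3", frozenset({"view", "write_setpoint"}), T0 + timedelta(hours=4))]
OK_LAPTOP = Device(managed=True, compliant=True)
def example(asset="HMI-line3", action="view", device=OK_LAPTOP, step_up=False, at=T0) -> str:
    return decide(Request("vendor.anna", asset, action, device, True, step_up, at), GRANTS)
```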
3. Network segmentation
A strong, well-separated network architecture prevents an attacker from having free rein once inside. The best practices at a glance:
- IT/OT separation via DMZ: Use a dual firewall with “DMZ/Landing Zone” between IT and OT. Remote access must first land in this buffer zone, not directly on OT.
- Jump servers/secure gateways: Do not allow external parties to log in to OT assets directly, but via a secure intermediate step. This jump host must be highly secured (MFA, patching, logging). This is how you restrict access, log everything, and isolate sessions.
- Separate managed networks: Laptops owned by technicians, for example, are not allowed directly into OT. They first connect to a separate management network and go to OT via jump servers. This way, you prevent OT contamination from an uncontrolled device.
- Protocol isolation & minimal permissions: Only allow the protocols and access that are really necessary. This limits the risk of misuse or unwanted tools.
A well-segmented network is like a modern office building with badge access per floor: you only get to the floor where you need to be, and all other doors remain closed. This way, access remains limited and the impact of a burglary is minimal.
4. Monitoring, Logging and Auditing Remote Sessions
Security starts with visibility. You can't always protect what you can't see. What is the best way to achieve that?
- Log everything: Record who does what and when during remote OT access. Use session recording tools to record actions for (later) audits.
- Active monitoring: Link logging to your SOC or SIEM to detect suspicious activity, such as unusual firmware updates or brute-force attempts.
- Periodic reviews: Evaluate quarterly who has access and whether it is still necessary, and revoke any redundant rights. Zero Trust and least privilege simply require active management.
- Vendor Management: Establish in contracts that external parties only work via your secure access channel, use MFA, and follow your policy. Check this through periodic audits and by issuing accounts yourself.
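The checks this section asks for, as an added Python example that is not part of the article or of any SOC or SIEM product: a brute-force detector over failed logins, a least-privilege check for successful sessions on assets outside an account's scope, and a maintenance-window check for sensitive actions by external accounts; the log format, account and asset names, addresses and the scope table are all constructed:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed remote-session log, one key=value record per line (not any real product's format)
LOG = """\
2025-03-02T01:10:01Z user=vendor.anna src=203.0.113.7 asset=HMI-line3 event=login_failed
2025-03-02T01:10:09Z user=vendor.anna src=203.0.113.7 asset=HMI-line3 event=login_failed
2025-03-02T01:10:20Z user=vendor.anna src=203.0.113.7 asset=HMI-line3 event=login_failed
2025-03-02T01:10:31Z user=vendor.anna src=203.0.113.7 asset=HMI-line3 event=login_ok
2025-03-02T01:12:45Z user=vendor.anna src=203.0.113.7 asset=HMI-line3 event=firmware_update
2025-03-02T09:15:00Z user=vendor.bob src=198.51.100.4 asset=HMI-line3 event=login_ok
2025-03-02T09:20:10Z user=vendor.bob src=198.51.100.4 asset=PLC-line4 event=login_ok
2025-03-02T10:02:00Z user=ot.admin src=10.10.5.2 asset=PLC-line4 event=firmware_update
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) asset=(\S+) event=(\S+)$")
# Which assets each account is authorised for (would come from your IAM; constructed here)
SCOPE = {"vendor.anna": {"HMI-line3"}, "vendor.bob": {"HMI-line3"}, "ot.admin": {"HMI-line3", "PLC-line4"}}
def parse(log: str) -> list[dict]:
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count unparsable lines: silent drops hide tampering
        ts, user, src, asset, event = m.groups()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "src": src, "asset": asset, "event": event})
    return events

def brute_force(events, threshold=3, window=timedelta(minutes=5)) -> set[str]:
    """Accounts with >= threshold failed logins inside a sliding time window."""
    hits, fails = set(), defaultdict(list)
    for e in (x for x in events if x["event"] == "login_failed"):
        q = fails[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.pop(0)
        if len(q) >= threshold:
            hits.add(e["user"])
    return hits

def out_of_scope(events, scope=SCOPE) -> list[tuple[str, str]]:
    """Successful logins on assets the account is not authorised for (least-privilege violation)."""
    return [(e["user"], e["asset"]) for e in events
            if e["event"] == "login_ok" and e["asset"] not in scope.get(e["user"], set())]

def sensitive_after_hours(events, start="07:00", end="19:00", sensitive=("firmware_update",)) -> list[str]:
    """Sensitive actions by external (vendor.*) accounts outside the UTC maintenance window."""
    return [f'{e["user"]}@{e["asset"]}' for e in events
            if e["event"] in sensitive and e["user"].startswith("vendor.")
            and not (start <= e["ts"].strftime("%H:%M") < end)]
```

Feeding these three functions into a SIEM rule set gives you exactly the signals this section names: brute-force attempts, unusual firmware updates and sessions that stray beyond what a vendor was granted.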
Conclusion
Remote access to OT requires a combination of Zero Trust principles, strong identity and access controls, network segmentation, and continuous monitoring. Traditional tools such as VPN or TeamViewer fall short in both insight and security. Modern solutions limit access to what is strictly necessary, control sessions, and provide control and insight via MFA, logging and jump servers. In doing so, they are better aligned with current threats and regulations.