Unsecured vendor RDP and VPNs are the primary entry for ICS attacks. Discover how to implement zero-trust remote access that enables experts without exposing your control network.


Cybersecurity Matters

Securing Third-Party Remote Access:
Neutralizing the #1 Attack Vector in Industrial Networks

The Backdoor You Installed Yourself: Securing Third-Party Remote Access

That emergency call from your OEM vendor at 2 AM just became your worst security nightmare.

The very feature that enables global expertise and keeps your operations running - third-party remote access - has become the most exploited attack vector in industrial cybersecurity. According to Dragos, over 70% of initial access into operational technology environments comes through exactly these connections. Unsecured RDP sessions, vendor portals with default credentials, and broad network-level VPNs aren't just vulnerabilities; they're invitations.

The problem isn't remote access itself. The problem is how we've implemented it for decades.


The Illusion of Control in a Connected World

Every time you grant a third-party integrator full network access to service a single drive, you're not being efficient - you're being reckless. You're handing over master keys to your entire facility for what should be a targeted repair. Modern adversaries know this weakness intimately. They don't waste time trying to breach fortified perimeters when they can simply walk through the unlocked door you provided to your maintenance team.

These attacks follow a predictable pattern. Threat actors scan for exposed RDP ports and VPN gateways, often finding them within hours of being opened for vendor support. Once they gain initial access, they don't trigger immediate alarms. They lie dormant, move laterally through your flat network, and wait for the optimal moment to disrupt operations or deploy ransomware.

The Colonial Pipeline incident didn't start with a sophisticated attack on pipeline controls. It began with a compromised VPN password that should have been deactivated. The cost? $4.4 million in ransom and days of fuel shortages across the Eastern United States.

Why Your Current "Secure" Remote Access Isn't

Most organizations believe they have remote access under control because they use standard security measures. But let's examine what "secure" really means in today's threat landscape:

VPNs Create a False Sense of Security

Traditional VPNs grant broad network access, violating the core principle of least privilege. Once authenticated, a user - or an attacker using stolen credentials - has the "keys to the kingdom." They can probe any connected system, move laterally, and establish persistence. The recent CISA advisory on ransomware targeting the water sector specifically highlighted compromised VPN appliances as the initial entry point.

RDP: The Attackers' Favorite Tool

Remote Desktop Protocol was never designed for security across untrusted networks. Yet countless organizations still expose RDP directly to the internet or allow vendors to use it internally with shared credentials. The numbers don't lie: scans from threat intelligence firms consistently show hundreds of thousands of industrial organizations with RDP exposed to the internet at any given moment.

The Vendor Management Nightmare

Managing credentials for dozens of vendors becomes an administrative burden that leads to dangerous shortcuts. Shared passwords rarely get rotated. Accounts remain active long after projects conclude. Temporary access rules become permanent fixtures in your firewall. Each oversight represents a potential backdoor that persists months or years after the vendor's work is complete.


The Shift to Zero-Trust: From Networks to Assets

The solution requires a fundamental mindset shift - from verifying once at the network perimeter to verifying continuously at the asset level. This is the essence of Zero-Trust Architecture for industrial environments.

Instead of asking "Is this user on our network?" we must ask "Should this specific user access this particular asset right now, and what should they be allowed to do?"

This approach transforms remote access from a binary state (inside/outside) to a dynamic, contextual relationship. Imagine a system where:

  • A pump manufacturer's technician can only access the specific variable frequency drive they're troubleshooting
  • Their session automatically expires after a predefined 4-hour window
  • Every command they issue is logged and monitored for anomalous behaviour
  • They cannot pivot to other systems, even if their credentials were compromised

This isn't a theoretical future state. The technology exists today and is being deployed in critical infrastructure facilities worldwide.

Building Your Zero-Trust Remote Access Foundation

Implementing secure third-party access requires more than just new technology - it demands a new process framework. The most successful implementations follow these core principles:

1. Identity-Centric Security

Move beyond IP addresses and usernames. Implement multi-factor authentication that's appropriate for industrial contexts. This might mean hardware tokens for critical system vendors or mobile push notifications for less sensitive support. The key is ensuring that compromised credentials alone cannot grant access.

2. Granular Asset-Level Controls

Define access policies based on specific devices, not network segments. A robotics integrator shouldn't have access to your environmental controls. A SCADA system maintainer shouldn't reach your safety instrumented systems. Modern access gateways can enforce these policies without requiring complex firewall rule changes for every new vendor.

3. Just-in-Time and Just-Enough Privilege

Access should be granted for specific time windows and automatically revoked. Need a vendor to perform emergency maintenance at 3 AM? Grant 2-hour access that begins at 2:55 AM and expires at 4:55 AM - no manual cleanup required. This eliminates the risk of dormant accounts becoming attack vectors.

4. Comprehensive Session Monitoring

Record and analyze all remote sessions. Modern solutions can flag suspicious activity in real-time, such as attempts to access unauthorized systems or unusual command sequences. This creates both a deterrent and an invaluable forensic tool if an incident occurs.
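The four principles above come together in the decision a broker makes for each connection attempt. The following is an added example, not code from any product or from this article's author: it checks identity, MFA strength, asset scope and the just-in-time window, and logs every decision. The vendor name, asset IDs, MFA ranking and times are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added illustration of the four principles (not vendor or product code):
# a broker decides one session request from identity, MFA strength, asset
# scope and a just-in-time window, and logs every decision. All names,
# asset IDs and times below are constructed.

MFA_RANK = {"none": 0, "push": 1, "hardware_token": 2}   # assumed ordering of factor strength
AUDIT_LOG = []                                           # one record per decision, allowed or not


@dataclass(frozen=True)
class Grant:
    vendor: str            # the identity the grant was issued to, not an IP or shared account
    assets: frozenset      # exact asset IDs in scope; anything else is a blocked pivot
    start: datetime
    end: datetime          # fixed at issue time, so nothing needs manual cleanup
    min_mfa: str           # weakest factor acceptable for these assets


def jit_grant(vendor, assets, start, hours, min_mfa):
    """Issue a time-boxed, asset-scoped grant (just-in-time, just-enough)."""
    return Grant(vendor, frozenset(assets), start, start + timedelta(hours=hours), min_mfa)


def evaluate(grant, vendor, asset, mfa_used, now):
    """Return (allowed, reason) for one connection attempt and record it."""
    if vendor != grant.vendor:
        verdict = (False, "identity mismatch")
    elif MFA_RANK.get(mfa_used, 0) < MFA_RANK[grant.min_mfa]:
        verdict = (False, f"requires {grant.min_mfa} MFA")
    elif asset not in grant.assets:
        verdict = (False, f"asset {asset} outside granted scope")
    elif not (grant.start <= now < grant.end):
        verdict = (False, "outside just-in-time window")
    else:
        verdict = (True, "allowed")
    AUDIT_LOG.append({"time": now.isoformat(), "vendor": vendor, "asset": asset,
                      "mfa": mfa_used, "allowed": verdict[0], "reason": verdict[1]})
    return verdict


# The emergency call from the text: a 2-hour grant starting at 02:55 for one drive.
EMERGENCY = jit_grant("pump-oem-tech", ["vfd-pump-07"],
                      datetime(2024, 1, 15, 2, 55), 2, "hardware_token")

if __name__ == "__main__":
    at_3am = EMERGENCY.start.replace(hour=3, minute=0)
    print(evaluate(EMERGENCY, "pump-oem-tech", "vfd-pump-07", "hardware_token", at_3am))
    print(evaluate(EMERGENCY, "pump-oem-tech", "scada-master", "hardware_token", at_3am))
    print(evaluate(EMERGENCY, "pump-oem-tech", "vfd-pump-07", "hardware_token", EMERGENCY.end))
```

Note that a denied attempt against an out-of-scope asset is logged just like an allowed one; that record is the "attempt to access unauthorized systems" a monitoring rule would alert on.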

The Practical Path Forward

Transitioning from traditional remote access to a Zero-Trust model doesn't happen overnight, but the journey begins with straightforward steps:

Start by conducting an audit of all current remote access methods. How many vendors have persistent access? Which systems can they reach? You'll likely discover connections you forgot existed.

Next, prioritize based on risk. Begin with vendors who have access to your most critical systems or those with the weakest authentication methods. The goal isn't perfection on day one - it's meaningful risk reduction with each implementation.

Finally, select technology that understands industrial protocols. A solution that works perfectly for office IT may fail miserably in an OT environment where Modbus TCP, EtherNet/IP, and OPC UA communications must be properly handled and monitored.
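The audit and prioritization steps above can be scripted once the inventory is collected. The following is an added example, not a tool from this article or any vendor: it scores each access path on the weaknesses the article names (internet-exposed RDP, network-level VPN, missing MFA, shared credentials, persistent or dormant access, reach into critical systems) and ranks vendors so the riskiest connections are addressed first. The inventory records, weights, critical-asset tags and dates are constructed assumptions.

```python
from datetime import date

# Added illustration of the audit-and-prioritize steps (not a product tool).
# Weights, asset tags and every inventory record below are constructed.
CRITICAL_ASSETS = {"sis-01", "scada-master"}   # assumed safety/SCADA asset tags
TODAY = date(2024, 1, 15)                       # fixed so results are reproducible

# Constructed inventory, the kind of list an audit of firewall rules,
# VPN users and jump-host accounts would produce.
INVENTORY = [
    {"vendor": "pump-oem", "method": "rdp_internet", "mfa": False, "shared_cred": True,
     "assets": ["vfd-pump-07"], "expires": None, "last_used": date(2023, 6, 1)},
    {"vendor": "scada-integrator", "method": "vpn_network", "mfa": True, "shared_cred": False,
     "assets": ["scada-master", "hist-01"], "expires": None, "last_used": date(2024, 1, 10)},
    {"vendor": "robotics-oem", "method": "broker", "mfa": True, "shared_cred": False,
     "assets": ["robot-cell-3"], "expires": date(2024, 1, 16), "last_used": date(2024, 1, 14)},
    {"vendor": "sis-maintainer", "method": "vpn_network", "mfa": False, "shared_cred": True,
     "assets": ["sis-01"], "expires": None, "last_used": date(2022, 11, 2)},
]


def findings(rec, today=TODAY):
    """Return (score, [reasons]) for one access record; higher score means fix first."""
    out = []
    if rec["method"] == "rdp_internet":
        out.append((5, "RDP exposed to the internet"))
    elif rec["method"] == "vpn_network":
        out.append((3, "network-level VPN (no asset scoping)"))
    if not rec["mfa"]:
        out.append((3, "no MFA"))
    if rec["shared_cred"]:
        out.append((2, "shared credential"))
    if rec["expires"] is None:
        out.append((2, "persistent access with no expiry"))
    elif rec["expires"] < today:
        out.append((1, "expired grant still present"))
    if (today - rec["last_used"]).days > 90:
        out.append((2, "dormant: unused for more than 90 days"))
    if CRITICAL_ASSETS & set(rec["assets"]):
        out.append((4, "reaches a critical system"))
    return sum(s for s, _ in out), [r for _, r in out]


def prioritize(inventory=INVENTORY, today=TODAY):
    """Rank (vendor, score, reasons) by score descending; ties broken by name."""
    scored = [(rec["vendor"], *findings(rec, today)) for rec in inventory]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for vendor, score, reasons in prioritize():
        print(f"{score:>2}  {vendor:<18} {'; '.join(reasons) or 'no findings'}")
```

The brokered, MFA-protected, time-boxed path scores zero, which is the end state each of the other entries should be migrated to.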

The manufacturers and utilities leading in operational technology security aren't necessarily those with the largest budgets. They're the ones who recognized that the convenience of broad remote access had created an unacceptable risk - and they took deliberate steps to implement granular, controlled alternatives that keep both their operations and their people safe.

Answering Some Frequently Asked Questions

Quite the opposite. With proper planning, Zero-Trust access can be faster than traditional methods. Pre-approved access policies allow you to grant precise, time-limited credentials instantly when an emergency occurs—no need to manually configure firewall rules or hunt down IT staff after hours. The vendor receives immediate access to only what they need, and you maintain control and visibility.

The beauty of asset-level Zero-Trust is that it doesn't require changes to your endpoints. The security enforcement happens at the network gateway level. The gateway acts as a broker, authenticating the user using modern methods and then brokering the connection to the legacy device using whatever protocol it requires. Your 20-year-old PLC continues communicating as it always has, but now through a secure, monitored channel.

Modern Zero-Trust platforms are designed specifically for operational teams, not cybersecurity experts. The management interfaces are intuitive, and many providers offer managed services where they handle the complex configuration and monitoring. For resource-constrained teams, this approach actually reduces administrative burden by eliminating the need to constantly manage VPN credentials and firewall rules for dozens of vendors.

Frame the conversation around shared risk. Explain that unsecured remote access puts both your operations and their reputation at risk. Many leading OEMs now prefer secure access methods because it protects their intellectual property and demonstrates their commitment to security. For resistant vendors, start with monitoring and logging of their existing access - the visibility alone often changes the conversation.

Properly implemented Zero-Trust access should be virtually transparent to operational traffic. The authentication happens at session initiation, not with every packet. For the most latency-sensitive applications, solutions exist that can establish secure tunnels without adding meaningful delay. The key is working with providers who understand industrial real-time requirements, not just enterprise IT.

While MFA is a critical improvement over passwords alone, a VPN still typically grants network-level access. Once authenticated, a user can probe other systems on the network. Zero-Trust provides an additional layer by ensuring that even with valid credentials, users can only reach explicitly authorized assets. It's the difference between having a key to the building versus a key that only works on one specific door.

Your Next Step Towards Unbreachable Operations

The threat isn't theoretical, and the solution isn't a distant promise. The technology and methodologies to secure third-party remote access exist today. Continuing with traditional approaches means accepting an unnecessary and growing risk.

Subscribe to the Link & Layer | Smart Learning Hub to receive our exclusive implementation framework: "The 90-Day Plan to Zero-Trust Remote Access." This detailed guide walks you through the technical specifications, vendor communication templates, and policy frameworks you need to transform your highest-risk access points into your most controlled.

Don't let convenience compromise your security. The backdoor you close today might be the one that saves your operations tomorrow.
