Remote access in industrial environments is a critical control point, not a convenience feature. Engineered correctly, it enables operations and support; implemented poorly, it becomes the most reliable path for disruption.


Architecture for Secure Industrial Remote Access

Controlled Connectivity Without Compromising Industrial Operations

The Fundamental Flaw: Treating OT Access as an IT Problem

Industrial remote access is not about connecting users to a network; it is about enabling controlled interaction with long-lived, stateful, and often safety-critical systems without introducing unpredictability.

The majority of significant operational technology (OT) security incidents originate not from sophisticated external attacks, but from remote access paths that were created for convenience and lacked architectural control. Traditional IT models - built on VPNs and broad network trust - collapse when applied to environments where a single misstep can have physical consequences.

Secure remote access, therefore, is an architectural discipline. Its primary objective is to remove implicit trust from the connectivity model, ensuring that every interaction is authorised, scoped, observable, and incapable of destabilising the underlying operational processes.

Why the Standard VPN Model Is a Systemic Risk

Virtual Private Networks (VPNs) are the default choice for many, yet they create a structural vulnerability in industrial settings by eroding segmentation and creating permanent, poorly audited trust.

A VPN extends the network boundary. Once authenticated, a remote user or device is effectively "inside," often with visibility across broad segments of the network. This undermines core OT security principles like segmentation and least privilege. The risks compound over time as temporary exceptions become permanent, vendor accounts persist, and credential management becomes opaque.


  • Collapsed Segmentation: A VPN connection can bridge security zones, allowing a breach in a business network to propagate directly to control systems.
  • Standing Privilege: Access is often granted indefinitely, with no mechanism to automatically revoke it after a task is complete.
  • Lack of Granularity: Users typically gain network-level access, not asset- or application-specific access, increasing the potential blast radius of any compromise.
  • Inbound Exposure: VPN gateways require open inbound ports on the firewall, creating a visible and attractive target for attackers.

The Architectural Shift: Outbound-Only Connectivity

A cornerstone of secure industrial remote access is reversing the connection model: sessions are initiated from inside the OT environment to a secure broker, eliminating inbound firewall rules and the unnoticed network exposure that comes with them.

In an outbound-only model, devices within the industrial network establish a secure, authenticated connection to a cloud-based or centrally managed access platform. Remote users connect to that same platform. The industrial network itself never accepts an inbound connection; it remains dark and undiscoverable from the public internet.

This simple architectural reversal neutralises entire threat vectors, including port scanning, brute-force attacks on VPN endpoints, and exploitation of vulnerabilities in internet-facing services. Connectivity is possible when needed, but exposure is not permanent.

Operational Principle: The network should be reachable only when it chooses to be, not whenever someone attempts to connect. Outbound-only architecture enforces this principle by design.

Session-Based Access: Replacing Permanent Trust with Controlled Events

Secure access replaces standing privilege with just-in-time, just-enough authorization. Each connection is a discrete event with defined boundaries, not a persistent state.

A session-based model requires explicit approval for each access request (either through a ticketing system integration or a manual approval workflow). Once granted, the session is tightly scoped and time-bound.


| Access Characteristic | Traditional VPN / Standing Access | Engineered Session-Based Access |
| --- | --- | --- |
| Duration | Indefinite (weeks, months, years). Credentials rarely rotated. | Time-limited (hours, shifts). Automatically expires. Must be re-authorised. |
| Scope | Broad network-level access. "All access to Substation LAN." | Granular asset/application access. "Read-only HMI for Pump #3 at Plant A." |
| Audit Trail | Logs show "user connected to VPN." Activity within network is opaque. | Full session recording or command logging. "User viewed alarm history, changed setpoint X to Y." |
| Revocation | Manual, reactive. Requires finding and disabling a specific user account. | Implicit (session expiry) or instant (revoke active session). |
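
The session-based column of the comparison above, sketched as a minimal broker (an added example, not code from any product the page describes). The asset names, the approval reference and the eight-hour limit are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_DURATION = timedelta(hours=8)   # assumed site limit: one shift

@dataclass
class Session:
    user: str
    asset: str              # exactly one asset, never a subnet
    actions: frozenset      # e.g. {"read"}
    expires_at: datetime
    approval_ref: str       # ticket or approver that authorised this session
    revoked: bool = False

class Broker:
    def __init__(self):
        self.sessions = {}  # token -> Session
        self.audit = []     # (time, user, asset, action, verdict)

    def grant(self, user, asset, actions, duration, approval_ref, now):
        if not approval_ref:
            raise PermissionError("every session needs explicit approval")
        if duration > MAX_DURATION:
            raise ValueError("requested duration exceeds the session limit")
        token = secrets.token_urlsafe(16)
        self.sessions[token] = Session(user, asset, frozenset(actions),
                                       now + duration, approval_ref)
        self.audit.append((now, user, asset, "grant", approval_ref))
        return token

    def revoke(self, token, now):
        s = self.sessions[token]
        s.revoked = True    # takes effect on the very next authorize() call
        self.audit.append((now, s.user, s.asset, "revoke", "revoked"))

    def authorize(self, token, asset, action, now):
        """Check one action against the session; every decision is logged."""
        s = self.sessions.get(token)
        if s is None:
            verdict = "unknown-session"
        elif s.revoked:
            verdict = "revoked"
        elif now >= s.expires_at:
            verdict = "expired"
        elif asset != s.asset or action not in s.actions:
            verdict = "out-of-scope"
        else:
            verdict = "allowed"
        self.audit.append((now, s.user if s else None, asset, action, verdict))
        return verdict
```

Because expiry is evaluated on every action rather than only at connect time, a session that outlives its window stops working without anyone having to disable an account.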

Preserving Determinism and Network Performance

Security controls must not interfere with the deterministic performance of control traffic. Remote access architectures must be isolated from critical operational data flows.

Inline security appliances, deep packet inspection, and poorly configured tunnels can introduce latency, jitter, and packet loss - any of which can disrupt sensitive industrial protocols. Secure remote access should be designed as a parallel, out-of-band path.

This is achieved by dedicating specific communication channels (e.g., a separate cellular link, a distinct VLAN) for remote access traffic, ensuring it never shares queues or bandwidth with real-time control system data. From the perspective of a PLC or protection relay, network behaviour remains consistent and predictable, regardless of remote support activity.

Granular Control Across Heterogeneous Assets

Industrial sites contain diverse assets with vastly different risk profiles. Access must be enforceable at the level of individual devices or applications.

A third-party motor drive specialist does not need access to the SCADA historian. A control engineer troubleshooting a loop may not need rights to the safety system. Effective architectures support policy enforcement at this granular level, typically through a proxy or broker that mediates all connections.


  1. Asset-Level Policies: Rules defined per device type (PLC, RTU, HMI), function, or even specific IP address.
  2. Protocol-Aware Control: Allowing read-only Modbus queries but blocking write commands, for example.
  3. Contextual Authorization: Restricting access based on time of day, originating country, or device health status.
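
The asset-level and protocol-aware items above, shown as a broker-side check on Modbus/TCP requests (an added example, not code from the original page). The asset names and the policy table are hypothetical, and the sample frames are constructed rather than captured.

```python
import struct

# Modbus function codes grouped by effect (public Modbus application protocol).
READS = frozenset({0x01, 0x02, 0x03, 0x04})               # coils, inputs, registers
WRITES = frozenset({0x05, 0x06, 0x0F, 0x10, 0x16, 0x17})  # single/multiple/mask writes

# Hypothetical per-asset policy: asset name -> function codes the broker forwards.
POLICIES = {
    "plant-a/pump-3/plc": READS,                # support session: read-only
    "plant-a/test-bench/plc": READS | WRITES,   # commissioning rig: writes allowed
}

def check_request(asset: str, frame: bytes):
    """Decide whether one complete Modbus/TCP request may be forwarded.

    Returns (allowed, reason). TCP stream reassembly is out of scope here.
    """
    allowed_codes = POLICIES.get(asset)
    if allowed_codes is None:
        return False, "no policy for asset"         # default deny
    if len(frame) < 8:                              # 7-byte MBAP header + function code
        return False, "truncated frame"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return False, "protocol id is not Modbus"
    if length != len(frame) - 6:                    # length counts unit id + PDU
        return False, "length field mismatch"
    code = frame[7]
    if code in allowed_codes:
        return True, f"function 0x{code:02X} permitted"
    if code in WRITES:
        return False, f"write function 0x{code:02X} blocked"
    return False, f"function 0x{code:02X} not on allow-list"

# Constructed sample frames: MBAP header, unit id, function code, data.
READ_HOLDING = bytes.fromhex("000100000006" "01" "03" "0000" "000A")
WRITE_SINGLE = bytes.fromhex("000200000006" "01" "06" "0001" "00FF")
DIAGNOSTICS = bytes.fromhex("000300000006" "01" "08" "0000" "1234")
```

The allow-list is the control: anything not explicitly permitted for the asset, including diagnostic and vendor-specific function codes, is dropped rather than forwarded.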

Operational Visibility and Forensics

Without detailed logs and session records, security is unverifiable and incidents are uninvestigable. Comprehensive visibility is a non-negotiable requirement.

A secure remote access system must answer key operational questions automatically: Who connected? When? To what? What did they do? Did their actions deviate from normal patterns? This level of telemetry transforms security from a theoretical policy into an observable, manageable aspect of operations.

It enables rapid root-cause analysis during incidents, provides evidence for compliance audits, and offers insights for continuously refining access policies to match actual operational needs.

Designing for Harsh and Distributed Realities

Industrial remote access must function reliably in substations, trackside cabinets, and remote plants where connectivity is intermittent, bandwidth is low, and environmental conditions are severe.

The architecture must be resilient and simple. On-site components (agents or gateways) should be lightweight, have minimal dependencies, and support store-and-forward capabilities for periods of disconnection. Management must be centralised and scalable, avoiding the need for complex configuration at each remote site.

Secure remote access is not about adding connectivity; it is about engineering control, observation, and resilience into every external interaction.

Throughput Technologies advises on secure remote access architectures tailored to the constraints and risks of operational environments. We focus on replacing risky, opaque models with outbound-only, session-based, and observable designs that support operational needs without compromising safety or network integrity.
