Ensuring Cybersecurity for Remote Operations

Summary

Remote access to plant floor machines saves manufacturers time and money. Instead of costly downtime waiting for engineers to arrive, remote access can resolve issues without needing an onsite engineer.

Remote monitoring is a necessity for today’s global manufacturing operations, said Nick Shaw, vice president of product at Dragos. “There are numerous scenarios from remote diagnostics and maintenance to condition monitoring that enables predictive maintenance, to   acting as an enabler for large-scale distributed operations.

Remote monitoring can also assist post-incident recovery to ensure that control is restored safely to operations,” he said.

“Manufacturing plants with distributed facilities need centralized visibility into production metrics and equipment performance,” said James Winebrenner, CEO at Elisity. “Critical infrastructure like power generation, water treatment and oil and gas pipelines demand 24/7 monitoring regardless of physical location. During unplanned events or emergencies, experts must quickly access systems without physical presence. Predictive maintenance programs require continuous data collection from industrial equipment, while contract manufacturers and supply chain partners often need secure visibility into production processes. The COVID-19 pandemic accelerated this trend, establishing remote operations as a standard business continuity requirement rather than an exception.”

The expertise to be able to troubleshoot issues and understand what's happening is not always onsite. “To me, the biggest use case is to be able to leverage offsite expertise within their own company from the other sites that may have experience to help drive issues,” said Travis Cox, chief technology evangelist at Inductive Automation. “Users being able to see the data and understand what they’re doing helps play a big role in that. Integrators are crucial to many projects for remote access.”

Oil and gas pipelines also have remote infrastructure like compressor stations or pumping stations. “For gas, it’s a compressor station, and for liquid, it’s a pumping station. Water/wastewater facilities have similar assets. They are geographically distributed and need to connect remotely,” said Gurvie Waraich, director of sales and marketing at Skkynet.

Remote operation risks

Remote operation can pose risks as it exposes the network to unauthorized individuals. It introduces several significant security risks to operational technology (OT) environments. “When you do remote access, you’re opening [the network] to contractors and other third parties that can get access to your tools and link to data, disrupt processes and affect safety,” said Cox. “There are many systems that use legacy protocols that weren’t designed with security in mind.”

Shaw often speaks about viewing risks through the lens of safety, productivity and quality. “Some of the biggest risks include exploitation of remote connections to gain control over critical systems, and once in an OT environment, an attacker could potentially pivot toward impact, such as causing physical damage or operational disruption of a process.”

“Expanded network connectivity creates additional attack surfaces and potential entry points for threat actors,” explained Winebrenner. “Legacy OT systems, often designed without built-in security controls, become exposed to modern cyber threats when connected to external networks. Authentication vulnerabilities may allow unauthorized access, but increased IT/OT integration can enable lateral movement if segmentation is inadequate. The introduction of remote access tools can introduce unpatched vulnerabilities, and remote monitoring often requires privileged access credentials that become high-value targets. Many industrial protocols also lack encryption, which potentially exposes sensitive operational data during transit across networks.”
 

Pros and cons of VPNs

“VPN [virtual private network] creates a tunnel from one server to the other side,” said Waraich. “Your service provider keeps logs of the information. [But] only the paranoid can survive. You must be paranoid about your information. You must be super hypervigilant about your privacy and data ownership because things are getting connected to the cloud. Companies were told to send data to the cloud. So, who owns that data?”

Cox said that one of the biggest risks is out-of-date VPNs because they have vulnerabilities that lead to cyberattacks. “VPNs are important, but they’re also a risk that cyber attackers can exploit. If they know the endpoint—the URL for that VPN—they could do harm,” he said. “Many OT people deploy VPNs but they don’t change them, they don’t update them, they’re not managing them properly and that becomes a bigger risk over time. IT [information technology] can be very successful in deploying VPNs, securing them and keeping them going. I think [deploying] the traditional VPN into the OT network directly is the wrong approach. But VPNs are a necessary evil because these systems are on-premises.”

Scott Dowell, senior vice president and general manager at Wesco, wrote an Automation.com article, The Cybersecurity Threat Lurking in Your Operational Efficiency Efforts: Remote Access Vulnerabilities. In it, he said, “VPNs in particular can represent a significant risk to OT networks due to their potential to grant extensive access to critical systems. When implemented without appropriate security measures, VPNs can open the door for unauthorized access, allowing malicious actors to infiltrate the entire network, including sensitive OT infrastructure.

“This vulnerability exists primarily because attackers can exploit weaknesses within the VPN itself or obtain user credentials, providing them with a gateway to industrial processes that are crucial for daily operations,” Dowell continued. “Given that many OT systems [use] older protocols that are inherently more susceptible to cyber threats, unauthorized access can lead to severe consequences, including operational disruptions and physical damage to equipment. Without stringent security controls and vigilant monitoring, organizations risk compromising their entire operational framework.

Instead of VPNs, use a cybersecurity platform designed for OT networks that allows remote access to a controlled environment, urges Dowell. “Consider a solution that includes a virtual server environment that has both the resources and tools that an engineer may need to access the network—without having to dial in to a VPN. A virtual network enables the engineer to safely connect without allowing access from an outside, untrusted network. Plus, they help consolidate hardware infrastructure, leading to cost savings; improve flexibility and scalability by allowing for the easy creation and migration of virtual machines (VMs); and management is simplified through centralized tools.”

Winebrenner added, “VPNs typically grant broad network access rather than limiting connections to specific required resources, which violates the principle of least privilege. VPN vulnerabilities are regularly discovered and exploited by threat actors, as seen in recent high-profile attacks targeting industrial organizations.

Additionally, VPNs often lack OT-specific security controls and monitoring capabilities, and their authentication methods may not provide sufficient protection for critical industrial systems. The persistent connections VPNs establish can also serve as long-term attack vectors into sensitive OT networks, especially when over-privileged accounts are compromised.”

Effective cybersecurity solutions

Data diodes, network segmentation and multifactor authentication are among the cybersecurity solutions that apply to remote operations and monitoring. However, according to Winebrenner, the most effective cybersecurity approach for remote industrial operations combines several complementary technologies and practices.

“For IT environments, identity-based access controls provide precision in managing user access. For OT and IoT [Internet of Things] environments, network-based microsegmentation enables OT security experts to define and enforce clear boundaries based on operational requirements and risk profiles—without changing the underlying infrastructure,” Winebrenner said.

Elisity's platform and others support this approach by respecting the unique needs of both IT and OT environments while providing a unified management plane. “Network monitoring solutions with OT protocol awareness provide visibility into industrial network traffic. For unidirectional data flow requirements, software-defined microsegmentation can enforce one-way traffic patterns without dedicated hardware appliances,” he said.

Waraich said that Skyynet’s Cogent DataHub has security features that include multifactor authentication, the ability to white-label IP addresses and protocols, the creation of custom roles, data diode mode, data isolation, tunneling, and DMZ.

“It’s important to consider the Zero Trust methodology,” Cox explained. “Turn everything off and be very selective about who’s getting access to what and making sure the proper firewalls are in place. If we want to open up access to somebody, there must be some process and awareness around the authorization to allow that kind of access.

“There should be no direct access whatsoever to programmable logic controllers [PLCs], devices and/or these legacy protocol type systems,” Cox continued. “It’s advantageous for integrators to be able to access the PLC program and potentially change things. There might be scenarios where you want to allow it, but ultimately, they should be onsite for something like that because there are safety implications to changing control programs. Companies must figure out what remote access means to them. Segmented networks and having layers of security are important. Zero Trust methodology is important. To me, transport layer security [TLS] authentication or encryption, two-factor authentication and strong passwords are big and a lot more approachable.”

Cox added that it’s important to make sure the system is up to date, patched regularly, there are audit trails set up, and employees and contractors are trained on how to operate and manage security effectively.
Shaw said starting with a purpose-built remote access solution for ICS [industrial control system] environments, look for features such as multifactor authentication, session recording, encrypted communications and granular access control. “Network segmentation features and OT-protocol specific features further reduce risk. Outside of the core secure remote access solution, ICS network visibility and monitoring are a must to audit access and detect threats.”

Data diodes. Winebrenner said that hardware-based data diodes are not ideal for every remote access scenario, despite their security benefits for one-way data transfers. Their inflexibility makes them ill-suited for dynamic environments requiring frequent configuration changes, and their hardware implementation limits deployment locations and increases costs. “Many industrial use cases require bidirectional communication for control functions, making unidirectional diodes impractical,” he said.

Data diodes (Figure 1) can be overkill in some cases. Waraich explained that if you’re reading a temperature from a remote well site, you are monitoring only a temperature measuring device. There is no control element connected to it. “A data diode could be overkill in that scenario. But if it’s connected to a control valve, then it might make sense,” he said.

Pursuing integration and resilience

Effective OT/IT convergence is crucial for remote monitoring security, but it must respect the fundamental differences between these environments. Winebrenner explained that while traditional approaches kept these domains strictly separated, “modern digital transformation requires secure integration with appropriate boundaries. Unified security governance between IT and OT teams enables consistent policy enforcement, streamlined incident response and comprehensive visibility across both domains.”

Solutions that bridge this gap must honor OT security principles while providing the controls that OT security teams design based on operational requirements and risk assessments. “Organizations should pursue what Gartner calls ‘controlled convergence’—strategic integration with appropriate security controls rather than complete unification or continued strict separation,” Winebrenner added.

As industrial organizations embrace remote monitoring capabilities, it’s critical to adopt security solutions that enhance operational resilience rather than impede it. Traditional security approaches often force difficult tradeoffs between security, operational needs and cost. Winebrenner said that modern microsegmentation platforms provide an alternative by enforcing network-based security policies without requiring network reconfiguration, new hardware or agents.

“By leveraging the organization’s existing network infrastructure as the enforcement fabric, [an effective] solution enables industrial organizations to implement secure remote monitoring solutions in days rather than months,” Winebrenner explained. “This approach respects the distinct requirements of OT environments while allowing OT security teams to define and enforce appropriate control boundaries based on their expert understanding of industrial processes and risk profiles. Most importantly, it reduces the attack surface and minimizes lateral movement risk, addressing the primary threat vector exploited in most industrial cybersecurity incidents.”

“Companies need to take digital transformation seriously,” added Cox. “That means becoming more digital, having remote operations, being able to get data to the cloud, and having OT and IT work together. That is a leadership culture change exhibited by the ones who are successful. They’re getting everybody in the organization trained, they’re communicating well together, they’re working together to solve these challenges, and they can accomplish those goals in a more secure way that mitigates more risks.”

_{This feature originally appeared in the April 2025 issue of Automation.com Monthly.}