Best Practices for Secure Remote Access to Industrial Control Systems (ICS)

Remote Access Best Practices

Before the Internet, most organizations' Industrial Control System (ICS) or Operational Technology (OT) environments were isolated, so cybersecurity was not a primary concern. In the modern, highly connected era, remote access is indispensable for efficient operation but also makes these systems attractive targets for attackers.

Importance of Remote Access Connections to ICS

Remote access allows vendors and technicians to inspect, re‑program, or update equipment without traveling, enabling a single technician to manage multiple sites and reducing costs. However, remote connections have been a key factor in high‑profile attacks such as Stuxnet (2014), the Ukrainian power‑grid breach (2015), and the 2021 Ozm... incident.

Purdue Enterprise Reference Architecture – Remote Access

Remote connections are defined as links from the Internet or the corporate network to the OT environment, providing access to devices at Purdue levels 3 and below. The Purdue model includes:

Level 5 – Enterprise Network (AD, email, CRM, HR, backup, SOC, etc.)

Level 4 – Business Network (workstations, local file/print servers, phone systems, AD replicas)

Level 3 – IT/OT Boundary (DMZ) – supervisory servers, HMI, alarm servers, analytics, historians

Level 2 – Local Supervision – PLC/HMI, alarm servers, process analysis, historians, control rooms

Level 1 – Local Controllers – PLCs, control processors, programmable relays, RTUs, micro‑controllers

Level 0 – Field Devices – sensors, actuators, smart IEDs, IIoT devices, gateways

Ideally, remote connections to the ICS should pass through a DMZ that separates the IT and OT zones, providing a controlled gateway for secure remote access.

Secure Remote Access Architecture via DMZ

Multiple DMZ servers positioned at the junction of Levels 3 and 4 should be dedicated to specific functions such as hosting remote‑access services, managing cloud connections, acting as an IT‑to‑OT gateway, and providing a reverse gateway from OT to IT. This design enables granular, least‑privilege access for remote users.

Authentication

All remote users must have unique, named accounts; shared accounts are prohibited. Access should be limited to the tasks each user needs to perform. Multi‑factor authentication (MFA) is required for VPN access, followed by a second authentication step using OT‑domain credentials when connecting to the jump host or secure file‑transfer service. All login activity must be logged, monitored, and accounts locked after repeated failures.

An Active Directory (AD) domain dedicated to the OT environment should reside in Level 3, isolated from the corporate AD. This OT‑specific AD enables centralized policy enforcement, role‑based access control, and comprehensive logging.

Jump Host

Technicians should access a role‑based jump host after VPN authentication. The jump host enforces strict communication boundaries: each role can only communicate with the devices it is authorized to manage, and local clipboard or drive redirection should be disabled. All required tools and data must be pre‑installed on the jump host.

File Transfer

Remote file transfer into and out of the OT network should use a dedicated file server in the DMZ with separate read‑only and write‑only directories, each scanned by antivirus tools. Users upload files to the write‑only share, the files are scanned, then copied to the read‑only share for use by OT systems. Permissions are granted per user group to enforce the principle of least privilege.

Direct Connection Best Practices

When a direct Internet‑to‑ICS connection is unavoidable (e.g., third‑party contractor tools), it must be tightly controlled: a formal approval process, VPN with MFA, static IP assignment, firewall rules limiting destination hosts/ports, and IP‑allow‑list enforcement. Contracts should require vendors to use dedicated, hardened devices and to follow strict security hygiene.

Preventing Unauthorized Remote Access

Administrators must audit for rogue connections such as cellular hotspots, dial‑up modems, unauthorized ISP links, or direct Ethernet/VPN links to vendor networks. Unauthorized connections create shortcuts for attackers and must be eliminated. Education, clear policies, and regular physical inspections are essential.

Conclusion

Although securing remote access through a DMZ adds authentication steps that may meet resistance from OT staff, the additional controls are vital to protect critical infrastructure. Organizations should apply patch management, employee training, formal risk assessments, DMZ isolation, dedicated authentication servers, full‑tunnel encryption, MFA, role‑based authorizations, and dedicated hardware/software for remote access. Following these best practices reduces the risk of successful attacks on remote‑access pathways and is a cornerstone of effective ICS security.