implementing-conduit-security-for-ot-remote-access

Implementing Conduit Security for OT Remote Access

When to Use

  • When replacing direct VPN connections from IT or vendors into OT control networks
  • When implementing IEC 62443-compliant conduit architecture for remote access paths
  • When deploying secure remote access for third-party vendor maintenance of ICS equipment
  • When building approval-based access workflows for privileged OT system access
  • When remediating audit findings about uncontrolled remote access to SCADA systems

Do not use for designing the overall Purdue Model segmentation (see implementing-purdue-model-network-segmentation), for deploying IT-only remote access solutions, or for configuring local console access to PLCs.

Prerequisites

  • IT/OT DMZ (Level 3.5) deployed with dual-firewall architecture
  • Jump server or privileged access management (PAM) platform (CyberArk, BeyondTrust)
  • Multi-factor authentication (MFA) infrastructure for OT remote access users
  • Session recording capability for compliance and forensic purposes
  • Approval workflow system (ServiceNow, ticketing) for access requests

First Seen: Apr 10, 2026