Securing Remote Access to OT Environment

When to Use

• When implementing or upgrading remote access architecture for OT environments
• When onboarding vendors who require remote access to OT systems for support and maintenance
• When implementing CIP-005-7 R2 requirements for remote access management including MFA
• When replacing legacy direct VPN access to OT networks with a secure jump server architecture
• When responding to an incident involving unauthorized remote access to industrial control systems

Do not use for securing IT-only remote access without OT components, for configuring VPN for corporate workers (see general VPN guides), or for physical access control to OT facilities.

Prerequisites

• DMZ infrastructure (Level 3.5) between corporate IT and OT networks
• Jump server/bastion host platform (CyberArk, BeyondTrust, or hardened Windows/Linux server)
• Multi-factor authentication solution (Duo, RSA SecurID, YubiKey, smart cards)
• Session recording capability for audit trail compliance
• Firewall rules permitting remote access only through the DMZ intermediate system