Industrial organizations often need to give contractors, technicians, or engineers remote access to HMIs, PLCs, and other devices. But exposing these systems directly to the internet or corporate VPN can be catastrophic. Here’s how to do it securely:
1. Never Expose Devices Directly to the Internet
Tools like Shodan constantly scan for exposed PLCs and web interfaces. If an attacker finds yours, they can exploit it in minutes.
Fix: Use firewalls and NAT to block direct access. Never open RDP, VNC, or HTTP/S to OT devices from the outside.
2. Use a Jump Server or Secure Access Gateway
A jump server sits between your users and the OT network. Only authorized users can reach it, and it logs everything.
Tools: Fortinet ZTNA, Apache Guacamole, Tailscale, or hardened Windows servers with MFA.
3. Enforce Multi-Factor Authentication (MFA)
Passwords alone aren’t enough. MFA is essential—especially for accounts that access ICS systems remotely.
4. Log, Monitor, and Record All Remote Sessions
You should know who connected, when, what they accessed, and what changes they made. Session recording is a must for accountability.
5. Isolate OT from IT
Even with remote access, don’t bridge your OT and IT networks. Use VLANs, firewalls, and access control lists to maintain separation.
Final Tip
Regularly test your remote access setup as if you were an attacker. If you can find a way in, so can someone else.
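One way to run that test against a firewall policy rather than by hand, as an added example that is not part of the original post: the script below audits a simplified rule table for the controls above (no direct Internet or IT access to OT, OT reachable only from the jump host). The rule format, zone names and the jump host address are assumptions.

```python
# Constructed example: audit a simplified firewall rule table for direct
# Internet/IT -> OT access and for OT access from anything but the jump host.
from dataclasses import dataclass

REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 80: "HTTP", 443: "HTTPS", 22: "SSH"}
JUMP_HOSTS = {"10.10.5.10"}           # assumed jump server address in the DMZ
OT_ZONES = {"OT"}
UNTRUSTED_ZONES = {"Internet", "IT"}  # zones that must never reach OT directly

@dataclass(frozen=True)
class Rule:
    src_zone: str
    src_host: str   # "any" or a single address
    dst_zone: str
    dport: int      # 0 means any port
    action: str     # "allow" or "deny"

def audit(rules):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r.action != "allow" or r.dst_zone not in OT_ZONES:
            continue  # only permissive rules into OT matter here
        if r.src_zone in UNTRUSTED_ZONES:
            svc = REMOTE_ACCESS_PORTS.get(r.dport, "any" if r.dport == 0 else str(r.dport))
            findings.append(f"rule {i}: {r.src_zone} -> OT allowed directly ({svc}); "
                            "violates controls 1 and 5")
        elif r.src_host == "any" or r.src_host not in JUMP_HOSTS:
            findings.append(f"rule {i}: {r.src_zone}/{r.src_host} -> OT allowed but "
                            "source is not the jump host; violates control 2")
    return findings

SAMPLE_RULES = [  # constructed policy containing two mistakes
    Rule("Internet", "any", "DMZ", 443, "allow"),    # fine: users reach the gateway
    Rule("DMZ", "10.10.5.10", "OT", 3389, "allow"),  # fine: jump host -> HMI
    Rule("IT", "any", "OT", 5900, "allow"),          # bad: IT bridged straight to OT
    Rule("DMZ", "any", "OT", 0, "allow"),            # bad: whole DMZ, not just jump host
    Rule("Internet", "any", "OT", 0, "deny"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES) or ["policy passes"]:
        print(line)
```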
Need help setting this up right? Contact FortifySec for secure remote access audits tailored to ICS environments.