
Corey O'Connor, May 15, 2025 (5 minute read)

Protecting What Can’t Go Down: The Urgency of OT Cybersecurity in Critical Infrastructure

As cyberattacks increasingly threaten the systems that power our daily lives, the stakes for operational technology (OT) security in critical infrastructure have never been higher. This urgency was underscored at RSAC Conference 2025, where Dragos CEO Robert M. Lee’s keynote highlighted the shift in OT security from a niche concern to a front-line priority, citing rising threats, outdated infrastructure, and persistent gaps in visibility and access control. With attackers exploiting these vulnerabilities and remote access expanding, organizations must urgently rethink their defenses. Discover how adopting modern Zero Trust approaches to OT security can help safeguard the essential operations our communities rely on.

When it comes to critical infrastructure, one principle reigns supreme: if something goes down, we need to know why—and we need to know immediately. But unlike IT environments, where forensic data and investigation processes are mature and centralized, operational technology (OT) environments are an entirely different beast.

OT networks are essentially systems of systems—fragmented, aging, often air-gapped, and highly specialized. They lack the telemetry and centralized visibility that their IT counterparts take for granted. In a traditional IT breach, you can pick up the phone, call Mandiant or another incident response provider, and get a high-fidelity picture of what happened. In OT, the data is often transient, ephemeral, or simply unavailable. Governments and private operators alike often don’t even know whether a disruption was caused by a cyberattack, a misconfiguration, or an equipment failure.

And the problem isn’t just visibility; it’s access. Remote access to these environments is more common than ever, whether for third-party vendors, maintenance engineers, or remote operators. But most OT environments still rely on legacy technologies like flat networks or traditional VPNs that can’t enforce who gains access to what, when, or how. That lack of granularity doesn’t just hinder investigations; it opens the door to adversaries.

State-sponsored groups from the People’s Republic of China (PRC) are exploiting that very weakness. These advanced threat actors use stolen credentials, compromised assets, and Living Off the Land (LOTL) techniques to embed themselves quietly within OT environments. Their goal isn’t smash-and-grab. It’s long-term persistence, data exfiltration, and strategic disruption.

In this environment, secure, controlled, and auditable access isn’t just a cybersecurity best practice—it’s a frontline defense. And it’s often the first control that breaks down when OT and IT worlds collide.

The Industrial Cyber Kill Chain Is Different

Understanding OT threats requires a shift in mindset. Traditional cybersecurity frameworks (again, built for IT) focus almost exclusively on prevention. But in OT, operational errors—not just malware—are the real threat. Incorrect commands, unauthorized access, or even improper patching can result in physical consequences, from production line stoppages to public safety risks. This is why the ICS Cyber Kill Chain and frameworks like SANS 5 ICS Cybersecurity Critical Controls are so vital. They offer practical, prioritized guidance tailored for industrial environments.

Incident Response and Recovery: OT networks must assume that breaches will happen. This control emphasizes building and regularly testing incident response and recovery procedures, specifically for ICS environments. Response playbooks should account for operational dependencies, physical safety, and manual fallback procedures when automation is unavailable.

Defensible Architecture: Flat industrial networks are common and dangerous. This control advocates for creating segmented architectures that prevent adversaries from moving laterally. It includes recommendations such as demilitarized zones (DMZs), secure enclaves for critical assets, and proper isolation between IT and OT systems.

Risk-Based Vulnerability Management: Many OT systems run on legacy platforms that can’t be patched. This control advises prioritizing vulnerabilities based on risk to operations, not just Common Vulnerability Scoring System (CVSS) scores. It encourages the use of passive scanning, asset inventories, and compensating controls to minimize exposure.

Secure Remote Access: As remote work and third-party access become standard, securing these connections is critical. This control recommends identity-based, least-privileged access, strong authentication, session monitoring, and audit logging. VPNs alone are no longer sufficient—modern solutions like Zero Trust Network Access (ZTNA) provide stronger control and visibility.

Monitoring and Anomaly Detection: Traditional signature-based detection won’t cut it in OT. This control promotes continuous monitoring for behavioral anomalies and process deviations—signals that something is wrong even when malware isn’t present. It emphasizes the importance of baselining normal operations and setting alerts for deviations that could indicate early-stage compromise or operational error.
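The baselining-and-deviation idea behind the Monitoring and Anomaly Detection control, as an added example that is not part of the original article or any vendor product: a per-tag baseline is built from a window of telemetry an operator vouches for as normal, and live readings are alerted on when they leave that band or come from a tag never seen during baselining. The tag names and values are constructed.

```python
import statistics
from dataclasses import dataclass

# Constructed telemetry as (tag, value) pairs: a window an operator vouches
# for as normal, followed by a live window with deliberate deviations.
BASELINE_WINDOW = (
    [("pump1.pressure_bar", v) for v in (4.9, 5.0, 5.1, 5.0, 4.95, 5.05, 5.0, 4.98)]
    + [("tank1.level_pct", v) for v in (60, 61, 59, 60, 62, 60, 61, 60)]
)
LIVE_WINDOW = [
    ("pump1.pressure_bar", 5.02),
    ("tank1.level_pct", 61),
    ("pump1.pressure_bar", 7.8),     # constructed: far outside the normal band
    ("tank1.level_pct", 30),         # constructed: sudden drop
    ("valve3.position_pct", 100),    # constructed: tag never seen while baselining
]

@dataclass(frozen=True)
class Baseline:
    mean: float
    stdev: float

def build_baseline(samples, min_points=5):
    """Per-tag mean and population stdev; tags with too few points get no baseline."""
    by_tag = {}
    for tag, value in samples:
        by_tag.setdefault(tag, []).append(value)
    return {tag: Baseline(statistics.fmean(vals), statistics.pstdev(vals))
            for tag, vals in by_tag.items() if len(vals) >= min_points}

def check_reading(baselines, tag, value, k=3.0, min_stdev=0.01):
    """None when the reading is within k sigma of its baseline, else an alert string.
    A tag with no baseline is itself an alert: a signal never seen while baselining."""
    b = baselines.get(tag)
    if b is None:
        return f"ALERT {tag}: no baseline for this tag (new or unexpected signal)"
    sigma = max(b.stdev, min_stdev)  # a flat baseline must not alert on every tiny change
    z = (value - b.mean) / sigma
    if abs(z) > k:
        return f"ALERT {tag}: {value} is {z:+.1f} sigma from baseline mean {b.mean:.2f}"
    return None

def scan(baseline_samples, live_samples):
    baselines = build_baseline(baseline_samples)
    return [a for a in (check_reading(baselines, t, v) for t, v in live_samples) if a]

if __name__ == "__main__":
    for alert in scan(BASELINE_WINDOW, LIVE_WINDOW):
        print(alert)
```

A real deployment would take the baseline from passive network capture or historian data and tune k per tag; the point here is that the alert logic needs no malware signature at all.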

Taken together, these five controls lay the groundwork for a resilient OT security strategy focused not just on prevention, but on anticipating disruptions, minimizing impact, and preserving operations. One of the most urgent—and often overlooked—of these is secure remote access.

A Closer Look at Secure Remote Access

What used to be a convenience is now a core requirement: industrial systems need secure remote access to function. Maintenance engineers connect from offsite locations. OEM vendors require access to diagnose and troubleshoot equipment. Operators log in remotely to monitor production or respond to alerts. Without this access, operations slow, SLAs slip, and costs rise. But the security models underpinning these connections haven’t kept pace.

The challenge is that traditional remote access tools—especially legacy VPNs—were never designed for industrial use cases. They’re coarse-grained, over-permissive, and lack contextual awareness. Once a user or third party gains access through a VPN, they often land inside a flat network with broad lateral visibility. There’s no granular segmentation, no robust device posture checks, no enforcement of time-bound or task-specific access. That’s not just a visibility issue; it’s an adversary’s playground.

This is where secure access becomes a frontline security control. It’s not just about getting in; it’s about how access is provisioned, constrained, and monitored. In OT, the stakes are too high to trust access by default. You need to assume compromise, verify every connection, and enforce access based on identity, device, and operational context. And you must do all of this without introducing friction that slows down operations or impacts uptime.

This is the promise of modern ZTNA solutions. By shifting away from network- to identity-centric access, ZTNA ensures that only the right people, using secure devices, can access the specific systems they need and nothing more. Appgate’s approach to ZTNA enables dynamic, policy-based enforcement that’s tailored to the realities of OT environments: segmenting by role, geography, schedule, or risk posture. Access becomes precise, auditable, and revocable in real time.
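The kind of policy decision described above (entitlement by role, geography, schedule and device posture, with an audit record and real-time revocation), as an added illustration written for this article; it is not Appgate’s code or a description of its product internals. The asset names, roles, countries and hours are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Request:
    user: str
    role: str               # e.g. "operator", "maintenance", "oem_vendor"
    country: str            # constructed geolocation of the connecting client
    device_compliant: bool  # posture reported by the access client (managed, patched)
    target: str             # the single OT asset requested, never "the network"
    when: datetime

Policy = namedtuple("Policy", "roles countries hours max_session")
# Constructed policies: asset -> (roles, client geographies, UTC hours, max session).
POLICIES = {
    "hmi-line3": Policy({"operator", "maintenance"}, {"US", "CA"}, (0, 24), timedelta(hours=8)),
    "plc-line3": Policy({"oem_vendor"}, {"US", "DE"}, (8, 18), timedelta(hours=2)),
}
AUDIT = []     # append-only record of every decision and revocation
SESSIONS = {}  # session id -> (user, target, expiry)

def evaluate(req, policies=POLICIES):
    """Deny by default; every failed check is logged, not just the first."""
    p = policies.get(req.target)
    if p is None:
        reasons = [f"{req.target} is not published to any role"]
    else:
        checks = [
            (req.role in p.roles, f"role {req.role} not entitled to {req.target}"),
            (req.country in p.countries, f"client geo {req.country} not permitted"),
            (req.device_compliant, "device posture check failed"),
            (p.hours[0] <= req.when.hour < p.hours[1], "outside permitted schedule"),
        ]
        reasons = [why for ok, why in checks if not ok]
    decision = "DENY" if reasons else "ALLOW"
    AUDIT.append({"ts": req.when.isoformat(), "user": req.user, "target": req.target,
                  "decision": decision, "reasons": reasons})
    if decision == "DENY":
        return decision, None
    sid = f"s{len(AUDIT)}"  # one id per logged decision
    SESSIONS[sid] = (req.user, req.target, req.when + p.max_session)  # time-bound
    return decision, sid

def revoke(sid, reason, now):
    """Real-time revocation when risk posture changes; False if no such session."""
    sess = SESSIONS.pop(sid, None)
    AUDIT.append({"ts": now.isoformat(), "session": sid, "decision": "REVOKE", "reasons": [reason]})
    return sess is not None
```

Note that a grant names one asset and carries an expiry, so a vendor entitled to a PLC during its maintenance window never inherits reachability to the HMI or the rest of the segment.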

This kind of access control does more than reduce attack surface. It helps enable operational resilience. In a world where adversaries like PRC-linked threat groups are using stolen credentials and compromised routers to burrow into critical infrastructure, preventing lateral movement is table stakes. Secure access is the containment layer—the control that limits how far an adversary can get, how long they can persist, and how easily they can disrupt.

Remote access isn’t going away. In fact, it’s expanding across geographies, contractors, vendors, and workloads. That’s why industrial organizations must treat it as a core security priority. It’s not just a matter of connecting people to machines; it’s about keeping those machines—and the communities that depend on them—safe from harm.

Ready to take your critical infrastructure security to the next level? Read the white paper to learn how universal ZTNA can protect your organization from evolving threats.
