In a previous discussion, I drew parallels between inevitable changes and the world of industrial control systems, suggesting that secure remote access is no longer a question of if, but how. Today, I want to expand on the how, exploring the different methods organisations use to provide remote access to their critical industrial environments.
There are four main approaches we see in the field, each with its own set of benefits and drawbacks. Let’s delve into what they are, how they work, and why some are better suited for the modern industrial landscape than others.
The Traditional Choice: Virtual Private Network (VPN)
By far the most common method for remote access is the trusty VPN. A VPN essentially creates a secure tunnel between two networks, making them appear as if they are one, even if they are geographically separate. This is useful for giving remote users an IP address on the local network, allowing them to access resources as if they were physically on-site.
However, this traditional approach comes with significant downsides, especially in a sensitive industrial setting:
- Management Overhead: VPNs require software to be installed, maintained, updated, and licensed on both the user’s device and the network gateway.
- Identity Complexity: Integrating a VPN with your identity system for proper authentication can be a real headache. Providing access to various third parties—like managed service providers (MSPs), system integrators, and equipment vendors—often makes a seamless single sign-on experience nearly impossible. This frequently leads to the poor practice of creating shared accounts, which destroys any hope of a clear audit trail.
- Inherited Risk: This is the big one. A VPN connects two networks, meaning their network risk becomes your network risk. We all saw the consequences of this with the Colonial Pipeline incident, where a legitimate third-party’s compromised VPN access led to a widespread shutdown. While VPNs are a staple for IT teams needing broad access, they are a risky and overly permissive tool for task-based workers who only need limited access to specific systems.
The Isolated Kiosk: Jump Boxes
Another popular method involves using what I call “jump boxes.” This approach uses tools like TeamViewer, Remote Desktop (RDP), or VNC. You have a dedicated computer—a jump box—that lives on your operational technology network. When a remote user needs access, they connect to this machine and operate it as if they were sitting right in front of its keyboard.
This sounds simple enough, but it introduces its own set of problems:
- Stranded Software Licences: Expensive, specialised software, such as Rockwell Studio, must be installed on the jump box. If you have multiple sites, you end up with costly licences stranded on individual machines, rather than allowing an integrator to use their own licensed copy on their own laptop.
- One at a Time: A standard jump box can only be used by one person at a time. If you require simultaneous access for multiple users, you need to build and maintain a whole farm of these machines.
- Maintenance Burden: Just like any other computer on your network, this machine needs to be constantly patched and updated to protect it from vulnerabilities.
- The Audit Black Hole: From the network’s perspective, all activity originates from the jump box itself, not the end-user. The system has no way of knowing who is actually logged in. This makes fine-grained permissions impossible; you can’t allow one user to only access an HMI while another can only perform backups. It’s an all-or-nothing proposition, resulting in a complete lack of a meaningful audit trail.
The Almost-There Approach: Orchestrated VPNs
A newer category of tools has emerged that I call “orchestrated VPNs,” with solutions like Tailscale or ZeroTier falling into this space. These are essentially more intelligent VPNs that use clever software to create more granular, segmented connections.
Instead of connecting a user to an entire network, they aim to connect a specific user to a specific resource. The catch? This model requires you to install a software client on every single device—both the user’s machine and every resource they need to access.
As you can imagine, this is a non-starter in most industrial control settings. You simply cannot install a third-party client on your PLCs, RTUs, or that ancient HMI running an unsupported OS. It’s a model designed for modern IT environments, not the realities of OT.
The Modern Method: The Identity-Aware Proxy
This brings us to the fourth and, in my view, superior approach: the Identity-Aware Proxy. This is the model we champion here at Agilicus.
An identity-aware proxy works by presenting an external facade, so that each of your industrial resources appears to be available on the public internet. However, before anyone can connect, they must first prove who they are by authenticating with single sign-on and multi-factor authentication.
Based on their verified identity, the system knows precisely what they are permitted to do and which resources they are allowed to see. This approach, which the industry calls Zero Trust Network Access, comes with a host of benefits that directly address the failings of the other methods:
- No Client Software: The user doesn’t need to install anything. They access resources through a standard web browser on their laptop, tablet, or phone. This eliminates software management headaches.
- Fine-Grained Control and Audit: You get a detailed audit trail of who did what, when, and where. Because access is granted on a per-person, per-resource basis, you can enforce precise policies. You know that it was Jane from your team who updated the HMI, and Joe from the vendor who ran a diagnostic—not just that “the jump box” did something.
- Seamless and Secure Access: Users authenticate with their own corporate credentials, whether they are an internal employee or a third-party contractor. There are no shared accounts and no new passwords to remember.
- Operational Simplicity: There is no need to reconfigure your existing network. Your devices stay exactly as they are, with no changes to IP addresses or subnets. This makes deployment incredibly simple and fast.
- Efficient Licence Use: Your integrators and technicians can use their own licensed software on their own machines to connect to your resources, just as with a VPN, but without the associated security risks. No more stranded licences.
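The authorisation step described above, as an added illustration rather than Agilicus code: the proxy only evaluates a request once the identity provider has vouched for the user (including MFA), then checks a per-person, per-resource policy and records the decision against the real user instead of a shared account or a jump box. The hostnames, users, issuers and policy are constructed for the example.

```python
"""Minimal identity-aware proxy authorisation check (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed policy: facade hostname -> user principal -> permitted actions.
# Jane may view and update the HMI; Joe (vendor) may only view it and run backups.
POLICY = {
    "hmi.plant-a.example.com": {
        "jane@example.com": {"view", "update"},
        "joe@vendor.example": {"view"},
    },
    "backup.plant-a.example.com": {
        "joe@vendor.example": {"backup"},
    },
}

@dataclass
class Identity:
    subject: str   # user principal asserted by the single sign-on provider
    issuer: str    # which identity provider (corporate or vendor) vouched for them
    mfa: bool      # whether multi-factor authentication completed for this session

AUDIT_LOG: list = []   # one record per decision, always naming the real user

def authorise(identity: Optional[Identity], host: str, action: str) -> bool:
    """Decide whether `identity` may perform `action` on the resource behind `host`.

    Unauthenticated requests and sessions without MFA are denied before the
    policy is even consulted; every outcome is written to the audit log."""
    if identity is None or not identity.mfa:
        decision, reason = False, "unauthenticated-or-no-mfa"
    else:
        allowed = POLICY.get(host, {}).get(identity.subject, set())
        decision = action in allowed
        reason = "policy-allow" if decision else "policy-deny"
    AUDIT_LOG.append({
        "user": identity.subject if identity else None,
        "issuer": identity.issuer if identity else None,
        "host": host, "action": action,
        "decision": decision, "reason": reason,
    })
    return decision

def audit_entries_for(user: str) -> list:
    """Return the audit records attributed to one named person."""
    return [e for e in AUDIT_LOG if e["user"] == user]

if __name__ == "__main__":
    jane = Identity("jane@example.com", "corp-idp", mfa=True)
    print(authorise(jane, "hmi.plant-a.example.com", "update"))   # True
    print(audit_entries_for("jane@example.com"))
```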
In short, the Identity-Aware Proxy model is faster to deploy, simpler to use, and fundamentally more secure. It provides the granular control and detailed auditing that is essential for protecting critical infrastructure in today’s threat landscape. It’s the only approach that truly aligns with the principles of Zero Trust, where we trust no one and nothing by default.
