
Enabling NIS2 Compliance for VNC Remote Access in Industrial Control Systems
Securing legacy HMI and operational technology environments without architectural changes
Executive Summary
The NIS2 Directive is now law, imposing strict cybersecurity requirements on essential entities, including manufacturing, energy, and water. A critical focus is securing remote access to operational technology and industrial control systems. For legacy systems that rely on Virtual Network Computing (VNC), such as embedded Human Machine Interfaces (Siemens panels or Rockwell Automation PanelView terminals, for example), compliance can seem daunting. This whitepaper details how Agilicus AnyX enables NIS2 compliance for existing VNC deployments without network changes, virtual private networks, or client software.
The NIS2 Directive and the Challenge of Remote Access
NIS2 mandates stringent risk management measures, explicitly requiring multi-factor authentication and secured remote access for critical infrastructure. Non-compliance carries severe penalties, including holding C-level management personally liable. For operational technology environments, this means the era of shared passwords and unencrypted internal traffic is over. Every remote session must be tied to a verified identity, continuously authenticated, and strictly authorised.
The Vulnerability of Traditional VNC
As highlighted in our Zero Trust VNC Remote Desktop infosheet, traditional VNC is inherently insecure. It relies on a single, shared password of at most eight significant characters (the protocol's challenge-response scheme uses only the first eight). It lacks native user identities, so there is no single sign-on and no individual accountability. Furthermore, the protocol is unencrypted, leaving traffic vulnerable to interception or modification.
Exposing VNC via a traditional virtual private network merely extends the corporate perimeter to remote workers or third-party vendors, granting broad network access that violates the principle of least privilege required by NIS2.
Achieving Compliance with Zero Trust
Agilicus AnyX transforms how operators access VNC resources. It acts as an identity-aware proxy, applying a zero-trust architecture to legacy protocols.
- Unified Authentication: Users authenticate against their own identity provider via OpenID Connect. There are no shared accounts or weak VNC passwords to disseminate. Access is granted through single sign-on with multi-factor authentication.
- Precise Authorisation: Unlike a virtual private network, access is granular. Permissions are assigned per user and per VNC resource. As demonstrated in our recent webinar on VNC and RDP access and the accompanying demonstration video, authorisation can be restricted to read-only access, or even partitioned so that different users see only a specific region of the display (a large display can be split into several smaller ones).
- Encrypted Transport: The VNC protocol is encapsulated and carried as HTTPS over WebSockets, providing strong TLS encryption end-to-end and meeting the NIS2 encryption mandates.
- Seamless Access: Access is clientless, operating entirely within a standard web browser. It functions reliably behind inbound firewalls and behind carrier-grade NAT on cellular links, because no inbound ports need to be opened.
Case Study: Securing Rockwell Automation PanelView
Consider an environment utilising Rockwell Automation PanelView graphic terminals. Under NIS2, allowing remote vendor access via port-forwarding or a shared virtual private network poses an unacceptable risk. By deploying the Agilicus Connector on the local network, the PanelView’s VNC interface is isolated. The Connector establishes an outbound-only, encrypted tunnel to the Agilicus AnyX platform. Vendors access the HMI through a web portal, authenticating with their own corporate credentials. The VNC password is injected automatically by AnyX, so the vendor never sees it. This provides a complete, identity-centric audit trail without modifying the local firewall or the HMI itself.
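As an added illustration (not Agilicus code), the Python below sketches the proxy-side decisions that the access model above and this case study describe: mapping already-verified OpenID Connect claims to a per-user, per-resource VNC session, injecting the HMI password from a store the user never sees, enforcing read-only mode by refusing to relay RFB input messages, and writing an identity-tied audit entry. The policy table, secret store, resource names and addresses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional
import time

# Constructed policy: permissions are granted per (user, resource), never network-wide.
POLICY = {
    ("vendor@example.com", "panelview-line1"): "read-only",
    ("ops@example.com", "panelview-line1"): "full",
}
# Constructed secret store (hypothetical values): the proxy injects the VNC password;
# the remote user never receives it.
VNC_SECRETS = {"panelview-line1": {"host": "192.0.2.15", "port": 5900, "password": "plcpass1"}}

# RFB client-to-server message types that change state on the HMI.
INPUT_MSG_TYPES = {4, 5, 6}  # KeyEvent, PointerEvent, ClientCutText

@dataclass
class Session:
    user: str
    resource: str
    view_only: bool
    upstream: dict  # proxy-side only; never serialised to the browser

def authorise(claims: dict, resource: str, now: Optional[float] = None) -> Optional[Session]:
    """Map verified OIDC claims to a VNC session, or None if access is denied."""
    now = time.time() if now is None else now
    # Token must be unexpired and must prove multi-factor authentication (amr, RFC 8176).
    if claims.get("exp", 0) <= now or "mfa" not in claims.get("amr", []):
        return None
    perm = POLICY.get((claims.get("email"), resource))
    if perm is None or resource not in VNC_SECRETS:
        return None
    return Session(claims["email"], resource, perm == "read-only", VNC_SECRETS[resource])

def client_view(session: Session) -> dict:
    """What the browser is told: the resource and mode, never the upstream password."""
    return {"resource": session.resource, "view_only": session.view_only}

def forward_to_hmi(session: Session, msg: bytes) -> bool:
    """Return True if a client->server RFB message may be relayed to the HMI."""
    if not msg:
        return False
    # Read-only sessions may request framebuffer updates but may not inject input.
    return not (session.view_only and msg[0] in INPUT_MSG_TYPES)

def audit_record(session: Session, now: float) -> dict:
    """Audit entry tied to a named identity; contains no secret material."""
    return {"ts": now, "user": session.user, "resource": session.resource,
            "mode": "view" if session.view_only else "control"}
```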
Conclusion: A Seamless Path to Compliance
NIS2 compliance does not require ripping and replacing functional operational technology equipment. By abstracting access controls away from the legacy asset and into the Agilicus AnyX platform, organisations can secure VNC remote desktop access, enforce multi-factor authentication, and implement precise authorisation. This approach not only satisfies regulatory requirements but also simplifies operations, providing secure, seamless access to the systems that power critical infrastructure.