Best Practices for Secure Remote Access to Industrial Control Systems (ICS)
This article explains why remote access to industrial control systems is essential, outlines the risks demonstrated by high‑profile attacks, and provides detailed best‑practice guidance—including DMZ architecture, authentication, jump hosts, file transfer, and policies for direct connections—to securely manage OT environments.
Remote Access Best Practices
Before the internet, most industrial control system (ICS) environments were isolated, but today they are increasingly connected, making remote access essential yet a high‑value target for attackers.
Importance of Remote Access Connections for ICS
Remote access enables vendors and operators to troubleshoot, reprogram, and update equipment without travel, allowing a single technician to manage multiple sites efficiently. However, such connections have been exploited in notable attacks like Stuxnet (2014), the Ukraine power grid (2015), and the Oldsmar incident (2021).
Remote Access in the Purdue Enterprise Reference Architecture
Remote connections are defined as links from the Internet or corporate business network to the OT environment, providing access to devices at Purdue levels 3 and below. The architecture includes levels 5 (Enterprise Network) down to 0 (Field Devices), with the DMZ separating IT and OT zones.
Best‑Practice Architecture for Secure Remote Access via DMZ
Remote sessions should be terminated in a DMZ that hosts jump hosts, file servers, and authentication services, enforcing least‑privilege access and role‑based controls. OT users should first establish a VPN to the DMZ, then connect through a jump host using hardened remote desktop.
Authentication
Each remote user must have a unique named account, use multi‑factor authentication to the VPN, and a second authentication step with OT domain credentials on the jump host. All logins should be recorded, monitored, and locked after repeated failures.
Jump Host
Jump hosts enforce role‑based access, limit communication to authorized devices, and prohibit local software execution or data transfer, with all required tools pre‑installed on the host.
File Transfer
File transfers should occur through a dedicated file server in the DMZ with separate read‑only and write‑only directories scanned by antivirus before being moved to the OT network.
Direct Connection Practices
If a direct Internet‑to‑OT connection is unavoidable, it must be approved, use VPN with MFA, be limited to static IP addresses, and be subject to strict firewall rules and monitoring.
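The Authentication, Jump Host and Direct Connection rules above can be turned into an audit check. The following is an added example (not code from the original article): it evaluates constructed session records against those rules and counts failed logins toward a lockout. The role allow list, the shared-account names, the approved static address, the lockout threshold of 3 and all session records are assumptions made for the example.

```python
from collections import Counter

MAX_FAILURES = 3  # assumed lockout threshold; the article gives no number
# Role-based allow lists: OT devices each role may reach via the jump host (sample data).
ROLE_DEVICES = {
    "vendor_plc": {"plc-line1", "plc-line2"},
    "hmi_operator": {"hmi-control-room"},
}
SHARED_ACCOUNTS = {"admin", "vendor", "operator"}   # generic, not uniquely named
APPROVED_DIRECT_IPS = {"203.0.113.10"}               # approved static source IP

def check_session(s):
    """Return the policy violations for one session record (empty = compliant)."""
    v = []
    if s["user"] in SHARED_ACCOUNTS:
        v.append("shared account")
    if not s.get("vpn_mfa"):
        v.append("no MFA at VPN")          # required on both the DMZ and direct paths
    if s["path"] == "dmz":
        if not s.get("jump_ot_auth"):
            v.append("no OT-domain auth on jump host")
        if s["device"] not in ROLE_DEVICES.get(s["role"], set()):
            v.append(f"device {s['device']} not allowed for role {s['role']}")
    elif s["path"] == "direct":
        if not s.get("approved"):
            v.append("direct connection not approved")
        if s["src_ip"] not in APPROVED_DIRECT_IPS:
            v.append(f"direct connection from unapproved address {s['src_ip']}")
    return v

def lockout_candidates(events, limit=MAX_FAILURES):
    """Users whose failed-login count has reached the lockout threshold."""
    fails = Counter(e["user"] for e in events if e["result"] == "fail")
    return {u for u, n in fails.items() if n >= limit}

# Constructed sample records of the kind a VPN/jump-host audit would collect.
SESSIONS = [
    {"id": 1, "path": "dmz", "user": "j.smith", "role": "vendor_plc",
     "device": "plc-line1", "vpn_mfa": True, "jump_ot_auth": True},
    {"id": 2, "path": "dmz", "user": "vendor", "role": "vendor_plc",
     "device": "hmi-control-room", "vpn_mfa": True, "jump_ot_auth": False},
    {"id": 3, "path": "direct", "user": "a.lee", "src_ip": "198.51.100.7",
     "vpn_mfa": True, "approved": False},
]
LOGIN_EVENTS = [{"user": "t.wong", "result": "fail"}] * 3 + \
              [{"user": "a.lee", "result": "fail"}, {"user": "t.wong", "result": "ok"}]

def audit(sessions=SESSIONS, events=LOGIN_EVENTS):
    """Map every session id to its violations, plus the accounts due for lockout."""
    return {s["id"]: check_session(s) for s in sessions}, lockout_candidates(events)
```

Session 1 passes, session 2 is flagged three times (shared account, missing jump-host authentication, device outside its role), and session 3 fails the approval and static-address requirements for a direct link.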
Preventing Unauthorized Remote Access
Administrators should audit for rogue connections such as cellular hotspots, dial‑up modems, or unauthorized ISP links, and enforce policies, education, and regular visual inspections.
Conclusion
Although secure remote access adds steps and may encounter resistance, it is essential to protect critical infrastructure. Recommended actions include applying patches, employee training, formal threat assessments, DMZ isolation, dedicated authentication servers, role‑based authorizations, full‑tunnel encryption, MFA, and using dedicated hardware/software for remote access.
Architects Research Society