Does stronger security inevitably create more friction?
In a recent blog, we posed that question alongside several other long-held beliefs about OT remote access.
A consistent conclusion emerged across all the assumptions we explored: many of today's remote access strategies were shaped by decisions that were perfectly rational when they were made. But as industrial environments continue to evolve, it's worth revisiting whether those same approaches still offer the right level of visibility, control, and operational fit.
After writing that article, I kept coming back to three additional topics that deserve the same kind of scrutiny:
Is Zero Trust practical in OT environments?
Does strong authentication solve the challenge of third-party access?
And, if VPNs have served organizations well for years, when does application-level access become the better choice?
The answers to these questions will of course look different for every organization. But as industrial enterprises modernize their approach to secure remote access (and perhaps to OT security more broadly), it's increasingly important to reevaluate past decisions in light of current needs.
Few cybersecurity concepts generate stronger reactions in industrial environments than Zero Trust.
For some teams, the term has become shorthand for large transformation projects, complex architectures, and IT-driven initiatives that don't reflect the realities of running a plant.
I recently spoke with an engineer at an Energy-from-Waste (EfW) organization who told me his team gets a planned maintenance window only once every two years. When downtime is that limited, the idea of a major infrastructure overhaul isn't just expensive — it's often practically impossible.
Viewed through this lens, skepticism about Zero Trust is understandable.
Yet many industrial organizations have already taken important steps toward Zero Trust, whether or not they use that term to describe them.
Remote access provides a good example. As remote access has turned into a business necessity, organizations have steadily introduced stronger controls around how users authenticate, what they can access, and how their activity is monitored. Identity-based authentication, role-based access policies, session monitoring, and network segmentation have all become increasingly common in OT environments.
Taken together, these changes embody many of the core principles associated with Zero Trust, even if they were adopted independently rather than as part of a formal security initiative.
Given this reality, perhaps the real question isn't whether Zero Trust is practical in OT. It's whether your organization is already applying Zero Trust principles — and whether a few additional controls could reduce risk without adding unnecessary operational complexity or clashing with key OT priorities.
This same philosophy shapes Cyolo's approach to secure remote access for OT. Rather than requiring organizations to rebuild their infrastructure from scratch, the Cyolo PRO (Privileged Remote Operations) access solution helps them apply practical Zero Trust principles around the systems they already rely on.
In practice, this means strengthening identity controls, improving visibility into remote sessions, applying more granular access policies, and increasing accountability for privileged users — without compromising the stability, safety, and continuity that industrial operations demand.
Strong authentication has become one of the biggest success stories in OT cybersecurity.
Multi-factor authentication (MFA) is now widely recognized as an essential safeguard for remote third-party access, and with good reason. It significantly reduces the risk of compromised credentials and gives organizations greater confidence that the person requesting access is who they claim to be.
But authentication answers only one question: Who is requesting access?
Other vital considerations remain.
Once a vendor is connected, which systems should they be able to access? Do they need visibility into an entire network segment or just a single application? How long should that access remain active? Should the session be monitored or recorded? And if circumstances change, how quickly can access permissions be modified or revoked?
As remote vendor access has grown more widespread, the ability to answer these questions with certainty is now just as important as verifying a user's identity. For many organizations, that means building on MFA with more granular access controls, stronger identity governance, and greater visibility into privileged activity.
Cyolo PRO was designed to support this next phase. Rather than replacing existing authentication investments, it complements them with application-level connectivity, session visibility, and continuous accountability throughout every remote session.
Strong authentication remains an essential first step for securing third-party connections. But as organizations seek greater visibility, control, and accountability, many are discovering that authentication delivers the greatest value when paired with more granular access policies and stronger oversight.
VPNs have been the backbone of remote access for decades. They're familiar, widely supported, and capable of connecting users to remote networks with relative ease.
But as remote access demands expand, it may be time to ask: Does every remote user really need network-level access to do their job?
For many years, the answer was often yes. Engineers, operators, and third-party vendors frequently needed broad visibility into industrial environments to troubleshoot systems, perform maintenance, and respond to operational issues.
Today, by contrast, remote sessions are typically far more focused. A vendor may only need to service a single application, update one engineering workstation, or troubleshoot a specific HMI. In cases like this, granting access to an entire network segment likely provides far more connectivity than the task actually requires.
Most VPNs authenticate a user and then place them on a network segment. From there, additional controls are needed to limit what resources they can access.
Application-level access starts from a different premise. Instead of granting access to a network, it connects users directly to the specific applications or systems required for the task at hand.
This distinction becomes increasingly significant as organizations support a growing mix of employees, vendors, contractors, and third-party specialists across multiple facilities. By limiting access to exactly what's needed, organizations can simplify least-privilege enforcement, reduce unnecessary network exposure, and improve visibility into remote activity.
It also makes it easier to answer questions that security, operations, and compliance teams are asking more frequently:
Who accessed this engineering workstation?
Which application did they use?
When did the session begin and end?
What systems were they actually authorized to access?
These questions were once unique to highly regulated industries, but they're becoming standard for organizations across sectors. Answering them consistently requires a level of visibility and control that traditional VPNs weren't designed to provide on their own.
Even if VPNs have served an organization well in the past, it's worth reconsidering whether granting users access to an entire network segment still makes sense when they only need access to a single application or system.
None of the assumptions explored in this article were unreasonable at the time they were adopted. Strong authentication dramatically improved remote access security, VPNs gave organizations a practical way to connect remote users, and skepticism toward large-scale Zero Trust initiatives is understandable in environments where uptime, safety, and operational continuity always come first.
What has shifted is the broader OT landscape.
Remote access is now a core part of industrial operations, threats are constantly evolving, and regulatory pressure is rising. Organizations today need more visibility and control than traditional approaches are able to provide.
OT security leaders are revisiting long-held assumptions not because they were wrong, but because the challenges facing their organizations continue to change.
In the end, the most effective OT security programs aren't built through sweeping transformations. They take shape through practical improvements that strengthen security while respecting the operational realities that make OT unique.
Author
Jennifer Tullman-Botzer has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. She joined Cyolo in 2021 and currently serves as director of content marketing.