Jun 23, 2026

4 OT Remote Access Assumptions Worth Reconsidering

As OT remote access becomes increasingly essential to industrial operations, some long-standing assumptions about security, third-party vendor access, and legacy infrastructure deserve a second look.

Why It's Time to Reconsider Some OT Remote Access "Best Practices"

Some of the most persistent security gaps in OT are the hardest to spot because they don't stem from poor decisions or obvious mistakes. More often, they grow out of assumptions that made sense when they were adopted and simply remained in place as the environment evolved.

Most OT remote access practices were born from legitimate operational needs. VPNs provided a relatively simple way to support infrequent requests for remote access. Shared vendor accounts reduced friction when contractors urgently needed access to troubleshoot equipment or restore production after an unexpected outage. Exception processes gave teams flexibility during downtime and maintenance events. At the time, these were practical solutions to real problems.

The issue is that the role of remote access has changed dramatically, but the policies and practices governing its use have not always kept pace. What was once an occasional requirement is now a fundamental part of how industrial organizations operate. In 2026, OEMs regularly troubleshoot equipment from across the country, and engineers support multiple facilities without ever leaving their desks.

At the same time, cyber threats have evolved, regulatory expectations have expanded, and critical OT environments have become increasingly distributed.

Taken together, these shifts raise an important question: Are your organization's remote access practices still aligned with today's operational realities — or are they being trusted primarily because they've "always been there"?

Several questions and assumptions tend to surface when conversations like this arise. Let's examine four of the most common.

1. Does Stronger Security Inevitably Create More Friction?

OT leaders have good reasons to be skeptical of solutions that claim to boost security without adding friction. They've seen too many security projects introduce lengthy approval processes, complicated workflows, or production delays.

This is one reason industrial organizations have historically accepted tradeoffs in favor of operational efficiency and responsiveness. If a process helps engineers get their jobs done quickly, then adding more controls can feel like solving one problem while creating another.

But framing security and productivity as opposing goals creates a false choice.

The best access controls don't make legitimate work harder. On the contrary, they make it easy for users to reach the resources they need, while giving security teams visibility and control over who has access and what they're doing with it.

In practice, some organizations find that stronger security becomes possible only after they simplify the user experience. When access requests, approvals, authentication, and auditing are spread across multiple systems, complexity tends to increase for everyone involved. Consolidating those processes can improve both usability and oversight.

The goal isn't to add more steps. It's to create an access model that's both secure and operationally sustainable. After all, the most effective security controls are the ones that become part of the way people work — not the ones they work around.

2. Does Vendor Access Need to Be Persistent to Be Practical?

Industrial organizations have always depended heavily on third-party expertise. OEMs, system integrators, and specialized contractors often possess knowledge that simply doesn't exist in-house. When a critical asset fails or a control system behaves unexpectedly, vendors are frequently the fastest path to resolution.

In the early days of industrial remote access, persistent vendor access was likely the most practical way to connect the right expert to the right system at the right time. Maintaining a standing VPN connection or long-lived account reduced administrative overhead and allowed third-party technicians to connect immediately when needed. And at a time when fewer systems, users, and vendors required remote connectivity, the benefits of persistent access often outweighed the risks.

But today, the scale of remote access needs in industrial environments looks very different. More vendors support more systems across more sites than ever before, and standing access has a tendency to grow alongside that complexity.

Plus, in many environments, vendor accounts remain active long after projects conclude. Permissions granted for one task are rarely revisited, meaning a vendor who once supported a single production line may eventually have access to multiple systems across multiple sites.

Without a process for regularly reviewing, reducing, and removing permissions, access that was once justified may continue long after the original need has disappeared. And as third-party relationships expand and OT environments become even more connected, every unnecessary account, permission, or standing connection creates additional exposure.

This is leading many organizations to rethink a long-held assumption: Does vendor access need to be persistent to be practical?

There’s no question that vendors still need fast, reliable access to support critical operations. But allowing that access to stay active indefinitely is no longer the best approach. Capabilities such as just-in-time access, temporary approvals, and session-based permissions enable vendors to obtain access when it is needed without maintaining large numbers of standing accounts and long-lived connections.

By aligning permissions with specific tasks and timeframes, organizations can reduce unnecessary exposure while preserving the responsiveness that operations depend on.

3. Do Legacy Systems Limit Our Ability to Improve Security?

Few realities shape OT security strategies more than legacy infrastructure.

Most industrial organizations depend on legacy systems that were designed long before the emergence of modern cybersecurity challenges like ransomware and AI-driven threats. Because these systems often remain essential to production, safety, and maintenance operations, replacing them is rarely straightforward.

Even when modernization is technically feasible, the cost, downtime, testing requirements, and potential for unintended consequences can leave organizations wondering whether the benefits outweigh the risks. As a result, many assume meaningful security improvements must wait until a future date when legacy systems can be more easily upgraded or replaced.

But that isn't always the choice they have to make.

Increasingly, OT security teams are finding that some of the most effective security improvements can happen around legacy systems rather than within them.

Identity-based access controls, privileged access management, session monitoring, and application-level access policies can often be implemented without modifying the underlying assets themselves. Rather than asking a decades-old control system to support modern cybersecurity requirements, organizations can place modern controls around it, limiting who can connect, what they can access, and how their activity is monitored.

This approach reduces risk while preserving the stability and reliability that long-serving legacy systems provide.

4. If We've Never Had a Problem With Our OT Remote Access Policies, Why Change?

This is perhaps the most understandable assumption of all.

When a process has supported years of reliable operations, revisiting it can feel unnecessary. If a VPN has worked for a decade without causing significant issues, or a long-standing access workflow helps teams get their jobs done efficiently, changing it may feel like introducing risk rather than reducing it.

But cybersecurity risk doesn't always reveal itself through failure. Shifts in the threat landscape, new business requirements, and changing regulatory expectations can gradually alter the risk profile of an approach that was once perfectly adequate.

So, a remote access process doesn't have to be completely broken to warrant review. The more useful question is whether it provides the visibility, control, and accountability the organization needs today.

Past success is valuable. But by itself, it can’t tell you whether a particular process or solution is prepared for tomorrow's challenges.

Reassessing OT Remote Access for Today’s Reality

At first glance, the four challenges highlighted here may seem unrelated. One is about third-party vendor access. Another is about legacy systems. Another focuses on usability and operational efficiency.

But they all point to the same underlying issue: Many of the assumptions guiding today’s access decisions were formed when industrial environments were less connected, remote access was less common, and accountability requirements were far less demanding.

Today’s OT security leaders don’t need to determine whether past decisions were right or wrong, but they do need to recognize when the conditions that shaped those decisions have changed.

As remote access becomes increasingly essential to industrial operations, organizations require greater visibility into who can access critical systems, what they can access, and how that access is being used. They also need security controls that support uptime, enable third-party collaboration, and work seamlessly alongside the legacy infrastructure that remains central to many OT environments.

The organizations making the most progress aren't necessarily the ones adopting every new technology or chasing every cybersecurity trend. More commonly, they're the ones willing to revisit long-held assumptions and ask whether those approaches still align with current operational realities.


Jennifer Tullman-Botzer

Author

Jennifer Tullman-Botzer has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. She joined Cyolo in 2021 and currently serves as director of content marketing.
