Mar 17, 2026

5 VPN Shortcomings That Put OT Security and Uptime at Risk

This blog explains why VPNs fall short in OT environments, exposing organizations to risks like lateral movement, lack of visibility, and insecure protocol access. By contrast, a zero trust, identity-based approach enables secure remote access with granular control, full visibility, and real-time enforcement.

Secure Remote Access for OT Faces Growing Pains  

Remote connectivity has brought significant benefits to industrial organizations – from faster incident response to reduced operational costs. However, the expansion of remote access into operational technology (OT) environments has also introduced a rapidly growing attack surface for cyber threats targeting cyber-physical systems (CPS).

Ransomware, credential theft, and supply chain attacks are no longer IT-only concerns. Today, they directly threaten uptime, safety, and physical operations.

But despite the escalating risks, many industrial organizations continue to rely on traditional secure remote access (SRA) solutions to provide remote connectivity to CPS and critical infrastructure.  

Analyst firm Gartner® acknowledged this problem in a recent report, entitled Innovation Insight: CPS Secure Remote Access Solutions. The report states, “Historical VPN and jump-server-based approaches have proven increasingly unsecure and complex to manage.”1   

In other words: tools designed for IT settings are being stretched beyond their limits when deployed in OT environments, where both the priorities and the stakes are fundamentally different.

What Is a VPN?

A Virtual Private Network (VPN) is a cybersecurity technology that creates an encrypted connection (or “tunnel”) between a remote user and a private network, allowing users to access internal systems from outside the organization.

How VPNs Work

  • A user connects to the VPN using credentials (and often multi-factor authentication)

  • The VPN encrypts traffic between the user’s device and the network

  • The user is placed inside the network perimeter, as if they were on-site

  • Once connected, the user typically gains broad, network-level access to systems and applications

Why VPNs Create Risk in OT Environments

  • Extends the network perimeter to external users and devices

  • Lacks granular, asset-level access control

  • Provides limited visibility into user activity after login

  • Allows lateral movement across critical systems

While the VPN access model can work well in corporate IT, it introduces significant risk in sensitive OT environments that demand granular access control, continuous monitoring, and strict operational safeguards.

VPNs Are Under Attack and Increasingly Exploitable

VPNs have become a prime target for attackers. According to a 2023 survey on VPN risk, “nearly half of organizations reported they have been targeted by cyber attackers who were able to exploit a VPN vulnerability like outdated protocols or data leaks, with one in five experiencing an attack in the past year.”

Real-world incidents reinforce this finding. In 2024, Global Affairs Canada suffered a breach linked to a compromised VPN, exposing sensitive communications and personal files.

So far, compromised VPNs have led to fewer attacks on industrial organizations, although the infamous 2021 Colonial Pipeline incident was ultimately determined to have been the result of a leaked password that granted access to a VPN. This case perfectly illustrates how attacks on VPNs used in an IT context can lead to physical consequences for OT assets and critical infrastructure.

These incidents reveal a critical reality for OT leaders: a vulnerability in IT remote access can quickly cascade into physical disruption in OT environments.

Top 5 VPN Security Flaws – and How to Overcome Them With Cyolo

Security has never been the primary function of the VPN. As the word “private” in the name reflects, VPNs were designed to enable connectivity and online anonymity – not security, granular access control, or operational safety.

VPNs work by effectively tunneling into the corporate perimeter from outside. Once on the inside, users can access all applications and assets just as though they were at the office. This is unquestionably convenient; however, VPNs simply replicate the outdated castle-and-moat security model, which places defenses at network entry points but not throughout the entire network or connectivity cycle.

Even now that many VPNs require multi-factor authentication (MFA) as a layer of protection against unauthorized access, they remain far too vulnerable to cyberattacks and offer no visibility or control once a user is authenticated and granted access to the network. 

In OT environments, where physical safety and systems availability are the top priorities, reliance on VPNs can result in potentially dangerous outcomes.

1. VPNs Provide All-or-Nothing Network-Level Access  

Once authenticated, VPN users are typically placed directly onto the network — effectively extending the perimeter. This creates a flat access model, where users (and attackers) can move freely across systems.

For OT environments, this is especially risky because:

  • Critical assets (PLCs, HMIs, SCADA systems) may be exposed

  • Lateral movement can disrupt production processes

  • Safety systems may be unintentionally or maliciously impacted

This directly contradicts zero trust principles and IEC 62443 guidance, which emphasize segmentation and least privilege access. 

How Cyolo Helps: Application-Level Access  

The Cyolo PRO (Privileged Remote Operations) access solution enforces application-level access based on identity and context, ensuring users only access what they need – nothing more.

Application-level access not only plays a key role in limiting the “success” of cybercriminals but also serves as a safeguard against malicious employees, former employees whose access was never revoked, and well-intentioned employees who succumb to the greatest cybersecurity threat of all – human error. When every user and device is restricted to only the necessary level of access, the organization as a whole is safer and more secure. 

2. VPNs Lack Visibility, Monitoring, and Session Control 

VPNs focus on authentication but provide little to no visibility after access is granted.

This creates a dangerous blind spot for industrial organizations:

  • No real-time monitoring of user activity

  • No behavioral controls (e.g., blocking downloads or commands)

  • Limited auditability for compliance and incident response

In OT environments, this lack of visibility means organizations cannot detect or respond to unusual activity (which could be malicious), nor can they block behaviors that might increase risk. Some VPNs may provide audit logs, but it is left to security teams to manually piece together activities into a complete picture of a user’s actions.

VPNs also lack important supervisory/oversight controls such as session recording and supervised access.  

How Cyolo Helps: Full Visibility and Real-Time Control 

Cyolo PRO offers full visibility and oversight for the entirety of all remote connections. This includes: 

  • Continuous authorization (not just point-in-time authentication)

  • Just-in-time (JIT) access

  • Supervised access and session recording with Session Intelligence

  • Granular activity controls (e.g., block file transfers)

  • Real-time session termination

  • Logging and auditing for compliance

These controls ensure that remote access is not just secure at the point of entry but throughout the entire session lifecycle. 

3. VPNs Depend on Internet Connectivity

VPNs require internet connectivity, making them unsuitable for:

  • Air-gapped environments

  • Highly segmented OT networks

  • Remote or safety-critical sites with limited connectivity

This creates operational limitations in many OT settings and may force risky workarounds.

How Cyolo Helps: Works Across Any Environment

Cyolo PRO facilitates secure access to every type of environment – cloud-connected/online, cloud-averse, on-premises, and fully air-gapped/offline.

This flexibility is essential for real-world OT deployments, where connectivity constraints are common.

4. VPNs Expose Insecure OT Protocols 

OT systems operate atop a range of insecure protocols that were originally designed for closed, isolated environments – not for exposure to the outside world.

Many industrial protocols, such as Modbus and DNP3, have no built-in security, which leaves them at risk of exploitation by malicious users connected through a VPN. The same dangers exist due to weaknesses in remote access protocols (like RDP or SMB), which are frequently encapsulated in VPN tunnels.

How Cyolo Helps: Secure Protocol Access with Granular Controls

Unlike a VPN, Cyolo PRO can securely connect industrial protocols:

  • Applies application-layer controls instead of network exposure

  • Uses outbound-only connections (port 443)

  • Eliminates the need to open inbound ports

This reduces attack surface while enabling secure use of legacy OT protocols.
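To make the contrast with network-level access concrete, here is an added example (not from the original post, and not Cyolo's implementation) of an application-layer check on Modbus/TCP. The frame format has no field for a user or credential, so a tunnel that forwards port 502 cannot tell a read from a write, while a gateway that parses the function code can apply a per-identity allow-list. The identities, unit IDs, and policy table are hypothetical, and the sample frames are constructed.

```python
import struct

# Standard Modbus public function codes.
READ_CODES = {0x01, 0x02, 0x03, 0x04}
# 0x17 (Read/Write Multiple Registers) also writes, so it is treated as a write.
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}

def parse_adu(frame: bytes):
    """Parse a Modbus/TCP ADU: tid(2) proto(2) length(2) unit(1) function(1) data(n).
    Note that no field identifies or authenticates the sender."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts the unit id plus the PDU
        raise ValueError("MBAP length does not match frame size")
    return unit, frame[7], frame[8:]

# Hypothetical policy: identity -> {unit id: allowed function codes}
POLICY = {
    "vendor-tech": {1: READ_CODES},
    "plant-engineer": {1: READ_CODES | {0x06}, 2: READ_CODES},
}

def authorize(identity: str, frame: bytes):
    """Default-deny decision for one request from an already authenticated identity."""
    try:
        unit, function_code, _data = parse_adu(frame)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    allowed = POLICY.get(identity, {}).get(unit)
    if allowed is None:
        return False, f"unit {unit} not in policy for {identity}"
    if function_code not in allowed:
        kind = "write" if function_code in WRITE_CODES else "non-write"
        return False, f"{kind} function 0x{function_code:02X} denied"
    return True, "allowed"

def build_adu(tid: int, unit: int, function_code: int, data: bytes) -> bytes:
    """Build a request frame (used here only to construct sample input)."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample frames: read 2 holding registers; write 0x00FF to register 10.
READ_HOLDING = build_adu(1, 1, 0x03, struct.pack(">HH", 0, 2))
WRITE_REGISTER = build_adu(2, 1, 0x06, struct.pack(">HH", 10, 0x00FF))
```

Both sample frames would pass unchanged through a tunnel that simply routes to the PLC; only the parsed function code and unit ID let the decision differ by identity.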

5. VPNs Struggle to Support Third-Party Access

Industrial enterprises tend to rely heavily on support from third-party vendors, including OEMs, contractors, and other specialists. It is of course crucial that these vendors can easily access the systems they’ve been hired to work on. But VPNs make it difficult to enable and secure third-party access because they:

  • Require agent installation

  • Create operational friction

  • Provide little oversight of vendor activity

These factors often lead to either overly permissive access or insecure workarounds.

How Cyolo Helps: Secure, Agentless Third-Party Access

Securing third-party access is one of the primary challenges Cyolo PRO was designed to solve. The solution is agentless, allowing third parties to connect quickly with no downloads needed. Admins also face less of a burden as they can add new users to the correct access policies with only a few clicks. 

Cyolo PRO enables:

  • Agentless access for rapid onboarding

  • Policy-based access control

  • Full visibility into vendor activity

Third parties pose a heightened risk because they typically work on unmanaged devices and are not beholden to internal security policies and best practices. With its access, connectivity, and supervisory controls, Cyolo PRO allows organizations to monitor and oversee third-party connections from the initial access point through to the session termination. 

Cyolo: Built for OT – Not Adapted from IT

VPNs solve yesterday’s problem: connecting remote users to a network.

But in OT environments, the challenge is different – organizations must securely control, monitor, and govern access to critical systems without introducing operational risk. This is where VPNs and other traditional access solutions fall short.

Cyolo redefines secure remote access for OT by going beyond connectivity to deliver a complete access security model built for cyber-physical systems.

Cyolo PRO provides:

  • Granular, least-privilege access to specific OT assets – not entire networks

  • Full visibility into every session, user action, and access event

  • Real-time control to enforce security policies and stop risky activity instantly

In OT, access without visibility is risk – and access without control is exposure.

By combining secure access, continuous visibility, and precise control, Cyolo PRO addresses the core limitations of VPNs while aligning with modern zero trust principles and OT security requirements.

Just as importantly, it does this without compromising performance. Cyolo PRO ensures fast, reliable connectivity that reduces latency, improves user experience, and supports operational productivity.

The result is a fundamentally stronger approach to remote access that not only boosts security but also maximizes uptime and enables industrial organizations to operate with confidence.

1 Gartner, Innovation Insight: CPS Secure Remote Access Solutions, Katell Thielemann, Abhyuday Data, Wam Voster, 18 April 2024.  

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.  

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.  


Jennifer Tullman-Botzer

Author

Jennifer Tullman-Botzer has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. She joined Cyolo in 2021 and currently serves as director of content marketing.
