
Zero Trust Remote Access for Manufacturing — Securing Plant Floor Systems Without Slowing Down Operations

When a maintenance technician logs in from home to check on a CNC machine, or a vendor connects remotely to calibrate equipment, most manufacturers don’t think twice about it. Remote access to plant floor systems has become routine — and that routineness is exactly what attackers count on.

Remote access is now one of the top entry points for ransomware attacks against manufacturers. The 2021 Colonial Pipeline attack started through an unused VPN account. The Oldsmar water treatment facility breach happened through remote desktop software. Closer to home, manufacturers across Northwest Arkansas have faced similar exposure, often without realizing it until something goes wrong.

The answer isn’t to block remote access — modern manufacturing operations depend on it. The answer is to apply Zero Trust principles specifically to remote access and operational technology (OT) environments. This post focuses on that specific problem: not Zero Trust as a broad philosophy, but Zero Trust as a practical approach to remote access in manufacturing facilities.

Why Traditional VPNs Are No Longer Enough

For years, VPNs were the gold standard for remote access. You connect to the VPN, you’re “inside” the network, and you can reach what you need. The problem is that this model assumes everyone inside the perimeter is trustworthy.

What happens when:

  • A vendor’s laptop is compromised before they connect?
  • An employee’s home network is infected with malware?
  • An attacker steals valid VPN credentials through phishing?
  • A former employee’s account isn’t properly deprovisioned?

In each case, a traditional VPN gives that threat actor broad access to your internal network. Once inside, lateral movement is straightforward — especially if your OT and IT networks aren’t properly segmented.

Zero Trust flips this model. Instead of “trust, then connect,” it’s “verify first, then grant minimum required access, then verify continuously.”

The Core Zero Trust Principles Applied to Remote Access

Traditional VPN                       | Zero Trust Remote Access
--------------------------------------+--------------------------------------------------
Authenticate once, access broadly     | Authenticate continuously, access narrowly
Trust based on network location       | Trust based on identity + device health + context
Vendor gets full network access       | Vendor gets access only to their specific system
No visibility into what user does     | Full session logging and anomaly detection
Single factor authentication common   | MFA enforced for every session
Flat access after login               | Least-privilege access controls enforced

The goal isn’t to make remote access harder for legitimate users — it’s to make it much harder for attackers to exploit legitimate access.

Step 1 — Audit Who Has Remote Access Right Now

Before you can improve remote access security, you need to know the current state. Most manufacturers are surprised by what this audit reveals.

Inventory every remote access method in use:

  • VPN connections (and who has credentials)
  • Remote Desktop Protocol (RDP) endpoints
  • Vendor-specific remote tools (TeamViewer, AnyDesk, Splashtop)
  • Cloud management consoles for OT equipment
  • Remote monitoring tools for PLCs, SCADA, HMIs

For each connection, document:

  • Who uses it (employee, vendor, contractor)
  • What systems they can reach
  • Whether multi-factor authentication is enforced
  • When access was last reviewed
  • Whether the account is still actively needed

In our experience working with NWA manufacturers, this audit typically turns up 3-5 access paths nobody knew existed — including accounts for vendors who no longer work with the company, legacy RDP sessions left open for convenience, and remote tools installed by contractors that were never removed.

Step 2 — Separate OT and IT Remote Access Paths

One of the highest-impact Zero Trust moves for manufacturers is creating distinct, separate remote access paths for IT systems and OT/plant floor systems.

IT remote access (ERP, email, file servers, business apps) should run through your standard enterprise tools — MFA-enforced VPN or a Zero Trust Network Access (ZTNA) solution.

OT remote access (PLCs, SCADA, HMIs, CNC equipment) needs a separate, more tightly controlled path with:

  • A dedicated jump server or secure remote access gateway (vendors like Claroty, Fortinet, or Cisco offer OT-specific solutions)
  • Session recording for all OT remote sessions
  • Approval workflows for vendor access — no self-service, every session is explicitly authorized
  • Time-limited access windows — a vendor doesn’t have standing access; they get a 2-hour window when they actually need it
  • No direct internet exposure for OT systems — ever

This separation means that even if your IT network is compromised, attackers don’t automatically have a path to your plant floor systems.

Step 3 — Implement Zero Trust for Vendor Access Specifically

Third-party vendor access is one of the highest-risk remote access scenarios in manufacturing. Vendors may have dozens of customers, their security practices vary widely, and you have limited visibility into the security posture of their devices.

A Zero Trust approach to vendor access includes:

  1. Dedicated vendor accounts — never share credentials with vendors; each vendor gets their own account tied to their identity
  2. Just-in-time access — access is provisioned when needed and automatically expires; no standing access
  3. Session-specific MFA — vendors authenticate with MFA for every session, not just during initial setup
  4. Device posture checks — if possible, verify that the vendor’s device meets minimum security requirements before allowing connection
  5. Scoped permissions — the HVAC vendor can reach the HVAC control system, not your production line controls
  6. Session monitoring and recording — full logging of vendor sessions for audit and incident response purposes

For manufacturers with significant vendor remote access, purpose-built tools like Claroty xDome, Cyolo, or Axonius can automate much of this workflow and integrate with your existing identity provider.
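As an added example (not from the original post or from any of the tools named above), the six controls in this list can be expressed as one deny-by-default policy check that a gateway evaluates before opening a vendor session. The dataclass names, the 5-minute MFA freshness window and the "hvac-vendor" scenario are assumptions constructed for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
MFA_MAX_AGE = timedelta(minutes=5)   # assumed: each session needs an MFA proof this fresh

@dataclass
class AccessGrant:
    vendor: str                        # dedicated vendor account, never shared
    target_system: str                 # the one system this grant is scoped to
    start: datetime
    end: datetime
    approved_by: Optional[str] = None  # None = requested but never approved

@dataclass
class SessionRequest:
    vendor: str
    target_system: str
    at: datetime
    mfa_verified_at: Optional[datetime]  # when the MFA challenge for this session passed
    device_compliant: bool               # outcome of the device posture check

def evaluate(req: SessionRequest, grants: list) -> tuple:
    """Deny by default; return (allowed, reason) naming the first failing control."""
    if req.mfa_verified_at is None or req.at - req.mfa_verified_at > MFA_MAX_AGE:
        return False, "mfa required for this session"            # session-specific MFA
    if not req.device_compliant:
        return False, "device failed posture check"              # device posture
    matching = [g for g in grants
                if g.vendor == req.vendor and g.target_system == req.target_system]
    if not matching:
        return False, "no grant for this vendor/system pair"     # scoped permissions
    if not any(g.approved_by for g in matching):
        return False, "grant not approved"                       # approval workflow
    if not any(g.approved_by and g.start <= req.at <= g.end for g in matching):
        return False, "outside approved access window"           # just-in-time, no standing access
    return True, "ok"

def demo() -> dict:
    # Constructed scenario: an HVAC vendor with a 2-hour approved window around 10:00
    now = datetime(2024, 3, 4, 10, 0)
    window = AccessGrant("hvac-vendor", "hvac-controls", now - timedelta(hours=1),
                         now + timedelta(hours=1), approved_by="plant-manager")
    fresh = now - timedelta(minutes=1)
    cases = {
        "in_window": SessionRequest("hvac-vendor", "hvac-controls", now, fresh, True),
        "wrong_system": SessionRequest("hvac-vendor", "line-2-plc", now, fresh, True),
        "stale_mfa": SessionRequest("hvac-vendor", "hvac-controls", now, now - timedelta(hours=2), True),
        "after_window": SessionRequest("hvac-vendor", "hvac-controls", now + timedelta(hours=3),
                                       now + timedelta(hours=3), True),
    }
    return {name: evaluate(req, [window]) for name, req in cases.items()}
```

The order of the checks matters: a request that fails MFA is rejected before the gateway reveals whether a grant even exists for that vendor/system pair.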

Step 4 — Enforce MFA on Every Remote Access Path

If there’s one action that blocks the largest number of remote access attacks, it’s enforcing multi-factor authentication on every account that can access your systems remotely.

This sounds obvious, but many manufacturers still have gaps:

  • VPN configured to require MFA, but vendor accounts exempted “for convenience”
  • MFA enforced on the VPN but not on the internal RDP sessions it connects to
  • Older OT management consoles that don’t support MFA (requiring compensating controls)
  • MFA set up but not enforced — users can bypass it

Where to enforce MFA for remote access:

  • VPN authentication
  • Remote desktop gateways
  • Cloud management portals
  • Industrial remote access platforms
  • Jump servers / bastion hosts
  • Any web-based management console with external access

For OT systems that don’t natively support MFA, place them behind a gateway or bastion host that does enforce MFA, so users authenticate with MFA before they can even reach the legacy system.

Step 5 — Monitor and Respond to Remote Session Anomalies

Zero Trust isn’t just about controlling who gets in — it’s about continuously monitoring what they do once they’re connected.

Key monitoring capabilities for remote access:

  • Session logging — record all remote sessions, especially OT access. Know who connected, when, for how long, and what they accessed.
  • Anomaly detection — alert when a user connects at unusual hours, from an unusual location, or accesses systems outside their normal pattern
  • Failed authentication alerts — multiple failed MFA attempts may indicate a credential stuffing attack
  • Concurrent session detection — if a vendor account is connected from two different IP addresses at the same time, that’s a red flag
  • Automatic session timeout — idle sessions should terminate automatically; don’t leave connections open indefinitely

Many SIEM tools (Splunk, Microsoft Sentinel, Elastic) can ingest remote access logs and alert on anomalies. If you don’t have a SIEM, at minimum configure alerts from your VPN and remote access platforms directly.
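To make the failed-MFA, concurrent-session and off-hours checks concrete, here is an added example (not from the original post or from any SIEM product) that runs them over a handful of constructed remote access log lines. The key=value log format, the 06:00-18:59 business-hours window and the three-failures-in-five-minutes threshold are assumptions:

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample lines in an assumed key=value format (not a real platform's log format).
SAMPLE_LOG = """\
2024-03-04T09:05:00Z event=mfa_fail user=vendor-hvac src=198.51.100.20
2024-03-04T09:05:20Z event=mfa_fail user=vendor-hvac src=198.51.100.20
2024-03-04T09:05:45Z event=mfa_fail user=vendor-hvac src=198.51.100.20
2024-03-04T09:06:10Z event=session_start user=vendor-hvac src=198.51.100.20 target=hvac-hmi
2024-03-04T09:10:00Z event=session_start user=vendor-hvac src=203.0.113.7 target=hvac-hmi
2024-03-04T09:40:00Z event=session_end user=vendor-hvac src=198.51.100.20 target=hvac-hmi
2024-03-05T02:30:00Z event=session_start user=tech-jsmith src=192.0.2.9 target=cnc-line-2
"""

BUSINESS_HOURS = range(6, 19)   # assumed plant-local 06:00-18:59; timestamps treated as local time
FAILED_MFA_THRESHOLD = 3        # this many failures inside the window below raises an alert
FAILED_MFA_WINDOW_S = 300

def parse(log):
    """Each line: timestamp then key=value fields; returns dicts sorted by time."""
    events = []
    for line in log.splitlines():
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])

def detect_anomalies(log):
    """Return (alert_type, user, timestamp) tuples for the three checks from the post."""
    alerts = []
    active = defaultdict(dict)       # user -> {source IP: target system} for open sessions
    mfa_fails = defaultdict(list)    # user -> timestamps of recent MFA failures
    for e in parse(log):
        user, ts = e["user"], e["ts"]
        if e["event"] == "mfa_fail":
            recent = [t for t in mfa_fails[user] if (ts - t).total_seconds() <= FAILED_MFA_WINDOW_S]
            recent.append(ts)
            mfa_fails[user] = recent
            if len(recent) >= FAILED_MFA_THRESHOLD:
                alerts.append(("failed_mfa_burst", user, ts))
        elif e["event"] == "session_start":
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_session", user, ts))
            if set(active[user]) - {e["src"]}:   # same account already open from another IP
                alerts.append(("concurrent_sessions", user, ts))
            active[user][e["src"]] = e["target"]
        elif e["event"] == "session_end":
            active[user].pop(e["src"], None)
    return alerts
```

On the sample data this raises three alerts: the MFA failure burst for vendor-hvac, the second vendor-hvac session from a different IP while the first is still open, and the 02:30 CNC session.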

Common Mistakes NWA Manufacturers Make with Remote Access Security

Leaving default credentials on remote access tools. TeamViewer, AnyDesk, and similar tools are often installed quickly and left with weak or shared credentials. Audit every instance.

Not removing access when relationships end. When a vendor or contractor relationship ends, their remote access should be terminated the same day. Build this into your offboarding process.

Allowing vendor connections over uncontrolled channels. If a vendor calls and asks to use a screen-sharing tool you haven’t approved, that’s a social engineering risk. Establish which remote access tools are approved and enforce that policy.

Treating OT remote access like IT remote access. Plant floor systems have different availability requirements and different attack surfaces. They need a tailored approach, not the same VPN configuration as your office users.

Underestimating the risk of supply chain compromise. The SolarWinds attack showed that attackers will compromise vendors to get to their customers. Even if your direct security is excellent, a compromised vendor with legitimate access is a serious threat.

What This Looks Like in Practice

A realistic Zero Trust remote access architecture for a mid-size NWA manufacturer might look like this:

  • IT users connect via a ZTNA solution (like Zscaler Private Access or Cloudflare Access) that enforces MFA, checks device health, and grants access only to the specific applications they need — not broad network access
  • OT vendors connect through a dedicated industrial remote access gateway with approval workflows, session recording, and time-limited access windows
  • Employees needing OT access authenticate through the same gateway with separate credentials from their IT accounts, with access scoped to their specific systems
  • All sessions are logged centrally and reviewed weekly; anomalies trigger immediate alerts to your IT team or MSP

This doesn’t require replacing your entire infrastructure. Most manufacturers can implement this incrementally over 6-12 months, starting with the highest-risk access paths first.

Getting Started

The best first step is the audit described in Step 1 above. You can’t secure what you don’t know exists. Once you have a clear picture of your current remote access landscape, prioritize based on risk:

  1. Eliminate unused accounts and access paths immediately
  2. Enforce MFA on all active remote access
  3. Separate OT and IT remote access paths
  4. Implement vendor access controls
  5. Add monitoring and alerting

Each of these steps reduces your exposure significantly, even before you’ve implemented a full Zero Trust architecture.

Ready to lock down remote access to your plant floor systems? Get in touch.