Yotam Gutman
4.5.2026
VPN creates a direct network path into environments built to be isolated. Here is what industrial remote access security actually requires - and why the architecture matters more than the configuration
In April 2026, CISA issued advisory AA26-097a documenting Iranian-affiliated threat actors exploiting internet-connected industrial PLCs across US critical infrastructure. The advisory is direct: since March, the activity has caused operational disruption and financial loss. The entry point, in most documented cases, was remote access.
This is not an isolated incident. A 2026 OT cybersecurity report documents threat groups spending less time on passive reconnaissance and more time mapping control loops, learning how physical processes operate well enough to disrupt them. A 2026 state of industrial remote access study found vendor sprawl and weak credentials undermining OT security confidence across the sector. And across the public internet, 19.6 million OT devices and services were exposed to the internet in 2024, a 332% increase over the previous year.
The common thread is remote access. Specifically, the remote access architecture connecting IT staff, vendors, and operators to industrial environments that were built to be isolated.
Industrial remote access security requires that the remote connection cannot become a path for attackers to reach OT systems, regardless of whether credentials are compromised, software is vulnerable, or the remote access tool itself is exploited. This means the architecture must enforce isolation at the physical layer: not through software controls that can be bypassed, but through hardware that makes lateral movement structurally impossible.
This is what distinguishes industrial remote access from enterprise remote access. In an IT environment, a compromised VPN session is a serious incident. In an OT environment, the same compromise can reach programmable logic controllers, SCADA systems, and engineering workstations that control physical processes.
VPN was designed to extend the corporate network to remote users. It creates an encrypted tunnel between two endpoints. Once authenticated, the user is inside the network. That model works in IT environments where endpoints are managed, patched, and monitored.
OT networks operate on different assumptions. They were designed to be air-gapped. Legacy protocols like Modbus, DNP3, and PROFINET were written before networked remote access was a consideration. PLCs and RTUs run firmware that cannot be patched on the same cycle as Windows endpoints. Engineering workstations run specialized software that interacts directly with physical equipment.
When VPN bridges these environments, it extends the IT network's attack surface into OT. A compromised VPN credential, a vulnerable VPN client, or an exploited VPN gateway gives an attacker a network path to systems that were never built to defend against it.
A 2026 threat intelligence report names SYLVANITE as one of several threat groups conducting large-scale initial-access operations specifically via VPN exploitation in industrial environments. The VPN is not incidental to the attack path. It is the attack path.
The attack pattern documented across 2025 and 2026 follows a consistent sequence.
Initial access is established through the remote access layer: a VPN credential stolen via phishing, a zero-day in a remote access gateway, or an unpatched RMM tool left exposed on the internet. Attackers with a foothold in the IT network look for OT connectivity. Where VPN or software-defined remote access connects IT to OT, they cross.
Once inside the OT network, attackers move laterally to engineering workstations and HMI systems. Threat intelligence reports document groups exfiltrating controller configuration files and alarm data, building enough operational understanding to cause targeted disruption rather than indiscriminate damage. In the PLC incidents documented in CISA AA26-097a, attackers manipulated data displayed on HMI and SCADA screens and interacted directly with project files.
The disruption is not necessarily a ransomware payload. In some cases, it is the knowledge that an attacker has mapped your control systems and can return.
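The crossing point in this sequence, a session from the VPN client pool reaching an OT subnet, is something a defender can look for in existing firewall logs. The following is an added example written for this article, not code from the original page or from Zeroport: it parses constructed firewall log lines and flags any flow that originates in the VPN address pool and terminates in an OT subnet, labelling the well-known Modbus/TCP (502) and DNP3 (20000) ports by name. The address plan, the log format, and the function names are assumptions chosen for the example.

```python
"""Flag VPN-pool-to-OT traffic in firewall logs (added example, not Zeroport code)."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption): the VPN client pool and the OT subnets.
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")
OT_SUBNETS = [
    ipaddress.ip_network("192.168.100.0/24"),
    ipaddress.ip_network("192.168.101.0/24"),
]
# Registered ports for two of the legacy protocols the article names.
OT_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    protocol: str  # industrial protocol name, or "other"
    action: str    # firewall verdict as logged


def parse_line(line):
    # Constructed log format: "<ts> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return ts, kv["src"], kv["dst"], int(kv["dport"]), kv["action"]


def is_vpn_to_ot(src, dst):
    """True when a flow starts in the VPN pool and ends inside an OT subnet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return s in VPN_POOL and any(d in net for net in OT_SUBNETS)


def find_crossings(lines):
    """Return every IT-to-OT crossing via the VPN pool, allowed or denied."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport, action = parse_line(line)
        if is_vpn_to_ot(src, dst):
            findings.append(
                Finding(ts, src, dst, dport, OT_PORTS.get(dport, "other"), action)
            )
    return findings


def allowed_protocol_hits(findings):
    """Group allowed industrial-protocol flows by VPN source: the sessions to review first."""
    hits = {}
    for f in findings:
        if f.action == "allow" and f.protocol != "other":
            hits.setdefault(f.src, []).append(f.protocol)
    return hits


# Constructed sample log: two allowed OT-protocol flows from one VPN client,
# one IT-only flow, one OT-internal flow, and one denied RDP attempt.
SAMPLE_LOG = """
2026-04-07T02:13:05Z src=10.200.4.17 dst=192.168.100.10 dport=502 action=allow
2026-04-07T02:13:09Z src=10.200.4.17 dst=192.168.100.11 dport=20000 action=allow
2026-04-07T02:14:00Z src=10.200.4.17 dst=10.10.5.20 dport=443 action=allow
2026-04-07T02:15:30Z src=192.168.100.10 dst=192.168.100.11 dport=502 action=allow
2026-04-07T02:16:02Z src=10.200.9.3 dst=192.168.101.5 dport=3389 action=deny
"""

if __name__ == "__main__":
    crossings = find_crossings(SAMPLE_LOG.splitlines())
    for f in crossings:
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} [{f.protocol}] {f.action}")
    print(allowed_protocol_hits(crossings))
```

The point of the check is the article's own: any allowed flow from the VPN pool into an OT subnet is the crossing the attack sequence depends on, so the detection does not need a signature for the attacker, only knowledge of which addresses belong to remote users and which belong to the industrial network.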
Hardware-enforced, non-IP remote access severs the logical network connection between the remote user and the OT environment. No network packets cross. The remote operator sees pixels, a visual representation of the remote screen, and can send mouse and keyboard input. That is the complete extent of the channel.
There is no IP address for an attacker to pivot from. There is no network session to hijack. There is no software process holding session material that can be exploited. A compromised remote credential gives an attacker a view of a screen. It does not give them a network path to a PLC.
For OT environments, this matters in a specific way. The Zeroport Fantom Edge deploys at the OT perimeter, between the remote access channel and the industrial network. It enforces the isolation in hardware, not in software policy. The isolation is not a setting that can be misconfigured. It is the physical architecture of the connection.
NIS2's Article 21 implementing regulation requires physical or cryptographic channel isolation for remote access to critical infrastructure. Hardware-enforced non-IP remote access meets that requirement by design.
The CISA advisory and industry research all point to the same conclusion: the industrial remote access problem is not a patching problem. Organizations running VPN into OT networks are running an IT architecture in an environment it was not designed for. Every vendor remote session, every operator connection, every scheduled maintenance window creates a window through which the OT network is reachable from the internet.
The question is not whether that window will be used. It is whether the architecture forces attackers to cross a network boundary that can be exploited, or removes the boundary entirely by removing the network connection.