Richard Dosumu

Richard Dosumu is a cybersecurity practitioner, Founder at OctaTech, and an independent researcher focused on practical security in real-world environments. He holds an MSc in Cyber Security & Human Factors and writes educational cybersecurity content on Medium and LinkedIn, with a particular interest in making security guidance usable under operational pressure. His published research spans the intersection of AI, cybersecurity, and Industry 4.0/manufacturing, exploring how modern systems introduce new risks and control challenges. He is also involved with the OWASP Bristol organising community and is committed to sharing actionable, defensible approaches that teams can implement without disrupting critical operations.


Session

04-10, 10:00, 20min
Fixing the Front Door: Securing OT Remote Access Without Killing Production
Richard Dosumu

Remote access keeps OT environments running, but it also concentrates risk. Many incidents do not start with a sophisticated Programmable Logic Controller (PLC) exploit. They start at the “front door”: vendor VPNs, jump hosts, shared support accounts, and rushed identity checks during outages. According to the SANS State of ICS/OT Security 2025 findings, about half of ICS/OT incidents begin with unauthorised external access, often through third-party remote maintenance.

This 20-minute talk shows how to secure OT remote support without breaking production. Using a simple “front door path” diagram (Vendor → Remote Access → Jump Host → Engineering/HMI), we cover two repeatable failure areas: 1) remote access pathways that become broader or more permanent than intended, and 2) identity/support workflows that expand access under operational pressure. For each, we pair the risk with practical controls that work in legacy OT environments: time-boxed vendor access, least-privilege support identities, and a safety-aware “normal vs emergency” access lane that preserves availability while improving accountability.

We close with three high-fidelity monitoring signals you can implement even in legacy OT environments: authentication anomalies, interactive remote logons, and privilege/role changes. I’ll map these signals to common jump-host and remote-access setups, and include one worked example from Windows event logs (e.g., 4624/4625, RDP logon type 10, 4728/4732). We finish with an actionable OT access plan that attendees can apply immediately.

Rookie, Student and Careers Track