Through hundreds of proofs of concept with major operators in utilities, oil and gas, manufacturing, nuclear, and chemical industries, I’ve had a front-row seat to how industrial environments actually work … Across different countries, in different industries, and at vastly different maturity levels — from organizations with dedicated OT security teams and six-figure tooling budgets to plants where the OT guy is also the security guy and the compliance officer.
The geography changes. The industry changes. The maturity level changes. One thing never does: every single one had an unsecured remote connection – sometimes more than one – sitting quietly on their network. And every single time I pointed it out, the room reacted the same way. No alarm. No embarrassment. Just a calm, almost bored explanation:
“Oh yes, that’s vendor X — they’ve been connecting remotely to monitor our DCS for years.”
“That’s our trusted system integrator; they need it for remote maintenance.”
As if naming it made it safe … As if the fact that everyone in the room already knew about it meant someone had already decided it was fine.
Nobody had.
What makes it even more striking is that the same people had just spent thirty minutes on advanced threat scenarios, sophisticated attacks, and complex, highly unlikely vectors — while an unsecured connection with unrestricted network access didn’t make the list.
Secure Remote Access (SRA) doesn’t appear often on the priority list.
But it appears constantly in the news — just under a different label: “unauthorized access,” “internet connection exploited,” “compromised credentials.”
| MAJOR INCIDENT, YEAR | CAUSE OF ATTACK |
|---|---|
| Colonial Pipeline, 2021 | A VPN account belonging to a former employee, never deprovisioned. No MFA. |
| Aliquippa Water Authority, 2023 | A PLC exposed to the internet. Default password. |
| Jaguar Land Rover, 2025 | A third-party contractor’s VPN credentials stolen four years earlier. Still valid. No MFA. |
| Poland’s Energy Sector, 2025 | Exposed and valid VPN credentials reused across sites for initial access. |
Recent research from Forescout’s Vedere Labs reinforces the need for tangible improvements in securing remote access. There are more than 1.8 million Remote Desktop Protocol (RDP) servers and more than 1.6 million Virtual Network Computing (VNC) servers exposed on the internet globally. Today.
This isn’t hyperbole. The data is conclusive. And too much of it is exposed to critical vulnerabilities:
- 18% of exposed RDP servers run end-of-life Windows versions; an additional 42% run Windows 10, which reached end of support last October.
- 19,000+ RDP servers remain vulnerable to BlueKeep (CVE-2019-0708) — a critical remote code execution flaw.
- Nearly 60,000 VNC servers have authentication disabled — 670+ of those have direct access to OT/ICS control panels.
The Secure Remote Access Blind Spot
Remote access exists in almost every industrial environment. Vendors use it to maintain systems, integrators rely on it to troubleshoot controllers, and manufacturers connect to monitor equipment.
So, connections get opened.
Over time they become part of the environment — rarely reviewed, rarely controlled, and often trusted simply because they’ve always been there.
That’s the blind spot.
Organizations spend enormous effort analyzing sophisticated threats and hypothetical attack paths, while the most direct path into the network is often the one that was intentionally created.
Why Traditional Remote Access Falls Short
In many environments, remote access was never designed with security in mind. It was designed to solve operational problems.
- A vendor needed to troubleshoot a controller
- An engineer needed to check a system alarm
- A system integrator needed to update a configuration
Consequently, the easiest solution was deployed, usually a VPN or a remote desktop gateway.
The problem is that these technologies provide network access, not controlled system access.
Once connected, the user often inherits the same trust as someone physically inside the plant. Access is broad, sessions are rarely monitored, and credentials are often shared or long-lived.
In other words, the connection is authenticated, but the activity behind it is largely invisible.
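The account-level conditions named above (shared logins, long-lived credentials, no MFA, accounts that outlive their owner) can be checked against an inventory of remote-access accounts. The following is an added example, not part of the original article or any Forescout product; the record fields, the sample accounts and the 90-day threshold are assumptions made for illustration.

```python
from datetime import date

# Constructed inventory of remote-access accounts (not real data).
ACCOUNTS = [
    {"user": "vendor-x-shared", "named_person": False, "mfa": False,
     "owner_active": True, "credential_set": date(2021, 3, 1)},
    {"user": "j.doe", "named_person": True, "mfa": False,
     "owner_active": False, "credential_set": date(2024, 11, 5)},
    {"user": "a.integrator", "named_person": True, "mfa": True,
     "owner_active": True, "credential_set": date(2025, 1, 10)},
]

MAX_CREDENTIAL_AGE_DAYS = 90  # assumed policy threshold


def audit_account(acct, today):
    """Return the list of findings for one account record."""
    findings = []
    if not acct["named_person"]:
        findings.append("shared account: no individual identity")
    if not acct["mfa"]:
        findings.append("no MFA")
    if not acct["owner_active"]:
        findings.append("owner no longer active: deprovision")
    age = (today - acct["credential_set"]).days
    if age > MAX_CREDENTIAL_AGE_DAYS:
        findings.append(f"credential is {age} days old")
    return findings


def audit(accounts, today):
    """Map user -> findings, keeping only accounts with at least one finding."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, date(2025, 3, 1)).items():
        print(user, "->", "; ".join(findings))
```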
Three Questions That Define Secure Remote Access
The problem with remote access is rarely the connection itself.
It’s the lack of control around it.
Every remote session should answer three simple questions:
- Who is actually connecting?
  Not the vendor’s name or a shared account, the real identity of the person accessing the system.
- What are they allowed to access?
  Not the entire network, but the specific asset they need to work on.
- What are they doing once they are connected?
  Whether their activity is visible, controlled, and recorded.
In many industrial environments, these questions are surprisingly difficult to answer.
And that’s exactly where the risk begins.
What Secure Remote Access Changes
SRA changes a simple but critical assumption:
Access is no longer granted to the network.
It is granted to an identity for a specific asset for a limited amount of time.
The vendor no longer connects to the environment and navigates freely. The session is initiated, verified, and restricted to the system that actually requires maintenance.
Access becomes:
- Temporary instead of permanent
- Granular instead of broad
- Visible instead of implicit
The connection still exists. Operations still get the support they need.
But the organization finally knows who is connecting, what they can reach, and what they are doing while they are there.
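The model described in this section, access granted to an identity for a specific asset for a limited time, can be expressed as a session authorization check. This is an added sketch, not code from the original article or from Forescout SRA; the `Grant` type, the `authorize` function and all identities and asset names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Grant:
    identity: str        # a named person, not a vendor or shared login
    asset: str           # the one system that needs maintenance
    start: datetime
    duration: timedelta  # access expires on its own


def authorize(grants, identity, asset, when, audit_log):
    """Allow a session only if a grant matches identity, asset and time.

    Every decision is appended to audit_log so the activity is visible.
    """
    decision, reason = False, "no grant for this identity and asset"
    for g in grants:
        if g.identity != identity or g.asset != asset:
            continue
        if g.start <= when < g.start + g.duration:
            decision, reason = True, "within approved window"
            break
        reason = "grant exists but window is not active"
    audit_log.append((when.isoformat(), identity, asset, decision, reason))
    return decision


# Constructed sample: one four-hour grant for one engineer on one controller.
GRANTS = [Grant("alice@vendor-x.example", "dcs-controller-07",
                datetime(2025, 6, 2, 8, 0), timedelta(hours=4))]
```

A request for any other asset, from any other login, or outside the four-hour window is denied, and the denial is logged alongside the approvals.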
Closing the Gap
Remote access is not going away.
If anything, industrial environments are becoming more dependent on it as operations grow more distributed and expertise becomes more specialized.
Vendors will continue to connect.
Integrators will continue to troubleshoot systems remotely.
Maintenance will continue to happen from outside the plant.
The question is no longer whether remote access should exist.
The question is whether it is controlled.
Because in most of the incidents that make the news, the attacker didn’t need to break in.
They simply used a door that was already open.
How Forescout Can Help
Our latest offer, Forescout Secure Remote Access, is a flexible, secure remote access approach designed to support different users, needs, and operational scenarios. Forescout SRA replaces broad remote connectivity with a controlled access layer that governs how users connect to critical systems, what they can reach, and what can happen during the session.
You cannot control remote access that you do not know exists. Forescout SRA helps uncover hidden and unmanaged connections, so shadow access no longer sits outside governance.
Remote access is not just a connection. Forescout SRA brings request, approval, duration, and audit into one governed workflow, so teams can enforce policy and support compliance end-to-end. Authentication is only the starting point. Forescout SRA combines identity-based access with controlled, isolated sessions to protect critical assets after access begins — and supports on-prem, cloud, and hybrid deployments with options for appliances, virtual machines, and containers on existing hardware.