Introduction
In today’s connected OT, ICS and CPS world, critical infrastructure organizations need to extend remote access to employees, third-party contractors, and OEMs. But in the rush to support remote operations, many operators have exposed their critical systems to a silent but severe risk: the user endpoint.
“Third-party access is the #1 blind spot in most remote access strategies.”1
“It’s also the #1 riskiest access channel in critical infrastructure environments: talking about the supply chain, your vendors, OEMs, and support partners.”
Laptops in the field. Mobile devices. Third-party vendor machines. These transient endpoints are often insecure, unmonitored, and outside the organization’s control. Yet they routinely connect to some of the most sensitive OT and ICS systems in the enterprise. The result? A massively expanded attack surface with weak points ripe for exploitation.
The Growing Risk of Insecure Endpoints
Remote access has become essential for many industrial environments, but it has also become the most exploited entry vector into them. According to Takepoint Research, “71% of major OT cyberattacks leveraged remote services as the entry point.”2 This should be a wake-up call.
These attacks often begin with a compromised or unmanaged endpoint. From there, adversaries exploit legacy access paths like VPNs or jump hosts to pivot into the network, moving laterally into critical systems. In OT environments, this can mean disrupting safety systems, shutting down pipelines, or triggering physical damage.
The bottom line? You can’t secure what you can’t control. And if your user endpoints are outside of your control, your entire infrastructure is likely exposed.
The Limits of Traditional Remote Access Solutions
Many critical infrastructure organizations still rely on IT-centric access tools designed for office workers, not industrial operators. Tools like VPNs, jump servers, remote desktops, and agent-based access all share one fatal flaw: they assume the endpoint is safe, or they try to compensate for that assumption with a device posture check that the organization cannot enforce on a device it does not own.
- Virtual private networks (VPNs) create an encrypted network tunnel, giving the endpoint direct access to more than it needs—and giving attackers a straightforward inroad into your environment.
- Jump-server-based approaches have proven increasingly insecure and complex to manage. They also often lack the granularity to scope access to a single device, and instead expose the whole network segment behind the jump host.
- Agent-based tools require endpoint installs, which are difficult (or impossible) to deploy across uncontrolled third-party and vendor devices.
- IT-based remote privileged access management (RPAM) solutions often depend on traditional remote protocols and network connectivity, which still expose internal systems to endpoint vulnerabilities and require extensive configuration and maintenance. These tools may suffice for light-touch OT/CPS access, but they are not useful when hands-on operations, maintenance, or equipment upgrades are needed.
Even when paired with MFA, these legacy methods still connect the endpoint directly to your critical systems. That connection is the problem.
The OT Impact: High Stakes for Critical Systems
In critical infrastructure environments, the consequences of endpoint-based attacks are not just IT disruptions—they’re real-world, operational failures.
- Imagine a field technician accessing a SCADA system from an infected laptop.
- Or a vendor connecting to a programmable logic controller (PLC) or HMI from a tablet.
These are not hypothetical scenarios. They are everyday risks in sectors like energy, manufacturing, water, and transportation. And they are precisely the vulnerabilities that sophisticated adversaries, including nation-states, are exploiting.
What Needs to Change
It’s time to stop thinking about access in terms of network perimeter defense and start thinking in terms of application-level isolation. The next evolution in secure access is clear:
- Don’t just restrict the connection. Break it.
- Don’t trust the endpoint. Eliminate exposure to the endpoint.
- Don’t assume users are inside your network. Make sure they never have to be.
This shift requires moving away from traditional tools and toward architectures designed specifically for OT and ICS environments—ones that enable access without network connectivity.
Conclusion: A New Access Paradigm
The security risks of unmanaged, insecure endpoints, or of any directly connected endpoint for that matter, are too great to ignore. As attacks on critical infrastructure increase, continuing to rely on legacy access methods is no longer acceptable, nor is it necessary. Organizations need to rethink how access to critical systems is provided.
Disconnected access is the answer. And in our next post, we’ll explain exactly how Xona delivers this new paradigm—enabling users to access critical applications without ever establishing a network connection.
Because when the endpoint can’t connect, it can’t compromise.
Endnotes
1. “Imprivata Study Finds Nearly Half of Organizations Suffered a Third-Party Security Incident in Past Year”, Imprivata, February 13, 2025.
2. “New Study Reveals 92% of Industrial Sites at Risk from Unsecured Remote Access”, DeNexus, January 22, 2025.