Guide to Achieving Session Visibility for OT/ICS

By Carolyn Crandall, Chief Marketing Officer, Xona Systems
Carolyn brings more than 30 years of cybersecurity strategy and product marketing experience to OT and ICS secure remote access. She has authored research and analysis on session visibility for industrial cybersecurity, identity-based access for critical infrastructure, and third-party vendor access governance, and has led marketing for cybersecurity companies across deception, identity, and OT security categories.



Only 13% of OT environments record sessions today, and auditors are increasingly asking why. The SANS ICS/OT survey data is consistent with what compliance leaders see during NERC CIP, TSA, and IEC 62443 reviews: most organizations can prove a remote session occurred, but not what happened during it.

Session visibility and recording for OT/ICS remote access is the ability to observe, supervise, log, and preserve evidence of user activity during remote sessions involving industrial systems. In practical terms, it means knowing who connected, when access occurred, what systems were reached, what actions were taken during the session, and whether those actions can be reviewed later in a form that is useful for investigations, audits, and operational review.

This matters because OT and ICS environments depend on remote access for maintenance, support, engineering changes, vendor interventions, and troubleshooting, yet many of those access paths were built for connectivity rather than accountability. VPNs, jump hosts, traditional RDP workflows, and fragmented remote access tools may establish a connection, but they often leave a structural gap between authentication and evidence. Teams may know a user logged in, but not what happened after the session began.

A mature visibility program requires three related but different capabilities working together. Logging establishes who connected and when. Monitoring helps detect or observe activity in real time. Recording preserves what actually happened during the session, including commands, screens, and actions that can later be searched, replayed, or investigated. In OT/ICS, that distinction matters because uptime-sensitive systems, vendor workflows, and legacy environments all make it risky to rely on metadata alone.

What Challenges Do Organizations Face When Managing Session Visibility and Recording in OT/ICS?

The session visibility gap rarely appears all at once. It builds gradually through architectural assumptions, inherited tools, and competing operational priorities. In many organizations, remote access methods were chosen for speed and convenience, not for auditable control. That leaves security and operations teams with a patchwork of tools that authenticate users but do not document what they do once connected.

Several root causes show up repeatedly. Legacy remote access tools such as VPNs, jump servers, and standard remote desktop tools were designed to establish access, not to capture session content. Tooling is often fragmented across IT, cloud, and OT environments, which creates seams where visibility breaks down. Teams may also over-rely on endpoint or network logs that capture connection metadata but not the content of user actions. In OT/ICS, that problem is compounded by legacy systems that cannot support agents and by third-party workflows that are broad in access but thin in oversight.

Storage and governance concerns also play a role. Full session recording raises practical questions about retention, indexing, retrieval, and review. Without a clear policy and platform for handling that data, many organizations default to limited logging instead of full visibility. The result is a familiar blind spot: remote access exists, but the organization cannot reliably reconstruct what happened inside the session afterward.

Logging vs. Monitoring vs. Recording

Capability | What it does | Why it matters in OT/ICS
Logging | Captures access events and metadata: who connected, when, from where, to what system. | Establishes that access happened and supports baseline audit and access reviews.
Monitoring | Observes or alerts on activity in real time during the session. | Helps teams respond while activity is happening, not only after the fact.
Recording | Preserves the content of the session, including commands, screens, and actions, for later replay, search, and review. | Provides session-level evidence that metadata alone cannot recreate.

A mature OT/ICS visibility strategy needs all three. Logging shows that access happened. Monitoring helps teams respond while it is happening. Recording preserves what actually occurred.

How Xona addresses this
Xona is built around mediated remote access for OT/ICS, which helps close the gap between authentication and accountability rather than simply creating a connection path.
Its approach is well suited to environments where session oversight, recording, and user attribution need to be applied consistently across internal users, vendors, and contractors.
Because Xona operates at the access layer rather than relying on endpoint agents, it aligns better with legacy and industrial environments where agent-based coverage is incomplete or operationally impractical.

How Does Session Visibility and Recording Support Zero Trust and Cyber Resilience in OT/ICS?

Zero Trust is often discussed as an identity and access model, but its practical value depends on what happens after access is granted. Session visibility and recording strengthens Zero Trust by extending control beyond the login event and into the live session itself. Instead of simply verifying identity and opening a path, organizations can observe, govern, and preserve the actual behavior that occurs during remote access.

That matters in OT/ICS because resilience depends on reducing uncertainty during both routine maintenance and abnormal events. When session evidence is available, teams can investigate with more precision, determine whether procedures were followed, and separate operator error from suspicious activity more quickly. Without that evidence, investigations often rely on memory, fragmented logs, vendor testimony, or incomplete reconstructions that slow response and increase ambiguity.

Session visibility also supports resilience by making privileged activity defensible. Compromised credentials, insider misuse, vendor abuse, and lateral movement are all harder to investigate when organizations lack session-level evidence. Metadata may suggest that something unusual happened, but without recording, teams often cannot prove what actions were taken or how far the activity extended.

How Xona addresses this
Xona extends control into the live session by combining identity-based access with real-time session oversight and full recording.
Its model aligns with Zero Trust because the session becomes a governed control point, not just a network connection.
Xona's identity-correlated records help ensure that session evidence is tied to a specific authenticated user, approved access path, and target asset, which improves both accountability and resilience during investigations.

Xona Active Defense (v5.5). Active Defense extends session-layer governance into enforcement. The platform consumes signed risk signals from integrated OT security partners (Forescout, Nozomi Networks, Dragos) and acts on them inside the live session, then sends signed session events back into those platforms to close the loop. Enforcement is graduated rather than binary: alert the operator, pause the session, require supervisor approval for the next action, terminate the session, or quarantine the user pending review. The actions execute at the gateway, so the asset side does not require endpoint changes, agent rollouts, or protocol modifications. That structure lets defenders intervene during a privileged session without breaking the operational workflows the session was opened to support.

Figure 1: Signed event loop between OT NDR partners and the Xona gateway. Risk signals come in, the Centralizer takes graduated action, and signed session events flow back out to the NDR and SIEM. The locks mark the cryptographic boundary on both halves of the loop.

When to use each enforcement action

The five graduated actions inside Active Defense are not a menu of equivalents. Each maps to a distinct trigger condition and a distinct operational fit. The point of graduated enforcement is to keep response proportionate to risk, so that legitimate work does not get killed when the better answer is a brief hold, and so that confirmed misuse does not get only an alert when the better answer is quarantine. The decision logic below reflects how the action ladder is used in practice across our customer deployments.

Action | Trigger conditions | Operational fit
Alert | Anomaly detected, but legitimate work is the likely explanation: off-hours access from a known engineer, unusual command frequency on a system under active maintenance, or a vendor reaching an asset slightly outside the change-window envelope. | SOC review queue. The session continues; the analyst confirms or escalates after the fact. Used most often for first-tier signals where the false-positive cost is high and the operational-disruption cost is higher still.
Pause | Anomaly with unclear intent: a vendor reaching an unexpected asset, a command sequence that does not match the work order, or a session approaching a known sensitive operation. | The session is briefly held while the user receives an in-session notification requiring acknowledgment, or while the SOC pulls additional context. Useful when the right answer is "slow this down for ten seconds and look again," not "stop this work entirely."
Require supervisor approval | High-risk action requested inside an otherwise legitimate session: maintenance on a critical asset outside the change window, a configuration write to a safety-instrumented system, or a command that would alter setpoints during production. | Aligned with the supervisor-oversight model already in place at most plants. The supervisor receives the in-session approval prompt, reviews the action in context, and approves or denies in real time. If approved, the session continues without re-authentication.
Terminate | Confirmed bad actor or active misuse: credentials assessed as compromised, insider misuse confirmed, a vendor session contradicting an approved work order, or a command pattern matching a known-bad signature. | Used when the right answer is to end the session cleanly and preserve the recording for forensic review. The asset side is not disrupted beyond the session close; protocol containment at the gateway means no half-open path is left behind.
Quarantine | Active threat: confirmed lateral-movement signals, ransomware-adjacent behavior, or risk signals from the integrated NDR partners that cross the threshold for immediate containment. | The most aggressive action and the rarest in practice. The session is isolated, the user identity is locked, and the connected asset path is held pending review. The signed session record goes to the SIEM and back to the NDR for correlated investigation.

The pattern in customer deployments is that the action distribution is heavily front-loaded. Alert handles most first-tier signals. Pause and require-supervisor-approval handle the next tier where intent is uncertain or risk is elevated. Terminate and quarantine are reserved for confirmed misuse. The decision logic is owned by the customer's SOC and operations teams in their runbook; Active Defense provides the enforcement primitives that the runbook compiles down to.
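One way to turn that ladder into runbook code, as an added example that is not Xona's code or any customer's runbook: signal kinds, confidence thresholds, and the context fields (change window, work-order scope, safety-instrumented assets, production state) are all assumptions, and the enforcement calls themselves are represented only by the action names. The example also treats an unsigned or unverified signal as unable to drive anything beyond an alert; that is a design choice of the example, not a documented product behavior.

```python
"""Added example: a graduated-enforcement decision ladder for a mediated OT session.

Illustrative code, not Xona Active Defense or any customer runbook. It maps a
signed risk signal plus session context onto one of the five actions the page
describes. Signal kinds, thresholds and context fields are assumptions.
"""
from dataclasses import dataclass, field

ACTIONS = ("alert", "pause", "require_supervisor_approval", "terminate", "quarantine")
TERMINAL = {"terminate", "quarantine"}          # the session no longer exists after these
CONTAIN_KINDS = ("lateral_movement", "ransomware_behavior", "ndr_containment")
CONFIRMED_KINDS = ("credential_compromise", "known_bad_command")


@dataclass
class RiskSignal:
    source: str          # "ndr" (partner platform) or "gateway" (session-layer analytics)
    kind: str            # one of the hypothetical kinds handled in decide()
    confidence: float    # 0.0 .. 1.0 as reported by the source
    asset: str           # asset the signal concerns
    signed: bool = True  # gateway verified the signal's signature before use


@dataclass
class SessionContext:
    user_known: bool              # identity resolved to an approved engineer or vendor
    in_change_window: bool        # inside the approved maintenance window
    in_production: bool           # process is running, so setpoint changes are live
    work_order_assets: frozenset  # assets the approved work order covers
    sis_assets: frozenset         # safety-instrumented systems in this zone
    prior_kinds: list = field(default_factory=list)  # unresolved signals seen so far


def decide(sig: RiskSignal, ctx: SessionContext) -> str:
    """Return the least disruptive action that still fits the signal's risk."""
    # An unsigned or unverified signal must not drive enforcement; surface it only.
    if not sig.signed:
        return "alert"
    # Quarantine: containment-class signal over the confidence bar; below it, hold and look.
    if sig.kind in CONTAIN_KINDS:
        return "quarantine" if sig.confidence >= 0.9 else "pause"
    # Terminate: confirmed compromise or misuse, or a session contradicting its work order.
    if sig.kind in CONFIRMED_KINDS and sig.confidence >= 0.8:
        return "terminate"
    if sig.kind == "work_order_contradiction":
        return "terminate"
    # Supervisor approval: high-risk write inside an otherwise legitimate session.
    if sig.kind in ("config_write", "setpoint_change"):
        if sig.asset in ctx.sis_assets or not ctx.in_change_window or ctx.in_production:
            return "require_supervisor_approval"
        return "alert"
    # Pause: intent unclear (unexpected asset, command/work-order mismatch, unknown user).
    if sig.kind == "unexpected_asset" and sig.asset not in ctx.work_order_assets:
        return "pause"
    if sig.kind == "command_mismatch":
        return "pause"
    if sig.kind == "off_hours" and not ctx.user_known:
        return "pause"
    # A repeated, still-unresolved first-tier signal escalates from alert to pause.
    if sig.kind in ctx.prior_kinds:
        return "pause"
    # Alert: anomaly with legitimate work as the likely explanation.
    return "alert"


def run_session(signals, ctx: SessionContext) -> list:
    """Apply the ladder to a sequence of signals; stop once a terminal action fires."""
    trace = []
    for sig in signals:
        action = decide(sig, ctx)
        trace.append((sig.kind, action))
        if action in TERMINAL:
            break
        ctx.prior_kinds.append(sig.kind)
    return trace


def sample_vendor_session() -> list:
    """Constructed walkthrough: a known vendor, approved for HMI-04, drifts to PLC-07,
    touches a safety system, and finally matches a known-bad command signature."""
    ctx = SessionContext(user_known=True, in_change_window=True, in_production=False,
                         work_order_assets=frozenset({"HMI-04"}),
                         sis_assets=frozenset({"SIS-02"}))
    signals = [
        RiskSignal("gateway", "off_hours", 0.60, "HMI-04"),
        RiskSignal("gateway", "command_frequency", 0.50, "HMI-04"),
        RiskSignal("gateway", "unexpected_asset", 0.70, "PLC-07"),
        RiskSignal("gateway", "config_write", 0.80, "SIS-02"),
        RiskSignal("ndr", "known_bad_command", 0.92, "PLC-07"),
        RiskSignal("ndr", "lateral_movement", 0.95, "PLC-07"),   # never reached
    ]
    return run_session(signals, ctx)


if __name__ == "__main__":
    for kind, action in sample_vendor_session():
        print(f"{kind:22s} -> {action}")
```

The ordering of the checks is the substance: containment and confirmed-misuse rules are evaluated before the softer ones so a high-confidence signal cannot be downgraded by benign context, while the repeat-escalation rule sits last so it only governs signals nothing else claimed.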

What Should a Modern OT/ICS Secure Remote Access Approach Include?

A modern OT/ICS remote access approach should begin with identity-bound, time-bound access. Every session should be attributable to an individual user, a specific purpose, and a defined window of approval. Shared accounts and persistent access undermine both auditability and operational control from the start. If identity is weak, session visibility becomes less valuable because the organization cannot reliably tie activity to a person or an authorized workflow.

The architecture should also mediate access rather than exposing internal networks broadly. In OT/ICS, remote users should not receive open-ended connectivity to industrial systems simply because they need to perform support or maintenance tasks. A modern model places control at the access layer so session monitoring, recording, and policy enforcement can be applied consistently across protocols, users, and environments. This is especially important for vendors and contractors, who often represent the highest-risk remote sessions while receiving the least session-level oversight.

Organizations should also expect more than video capture. Useful session recording should support replay, search, user attribution, and correlation with surrounding identity and governance events. Teams should be able to answer practical questions without manual reconstruction: who requested access, who approved it, what systems were reached, what happened during the session, and whether that evidence can be retrieved quickly in response to an incident or audit.

Operational fit matters as much as security control. If the solution is too fragile, too hard to manage, or too disruptive to industrial workflows, coverage gaps will persist. OT/ICS environments need a model that improves control without requiring invasive endpoint changes or constant administrative overhead.

How Xona addresses this
Xona combines identity-based remote access, session monitoring, recording, and governance in a model designed for OT/ICS rather than adapted from general-purpose IT remote access.
Its protocol-aware, access-layer approach helps organizations apply session visibility consistently without depending on agents on managed and unmanaged endpoints.
Xona also supports searchable and exportable session evidence, which makes recordings more useful for investigation, governance, and audit than static or isolated capture methods.

How Does a Modern Approach Improve Safety, Reliability, and Access Control in OT/ICS?

In OT/ICS, session visibility and recording is not only a security control. It is also an operational safeguard. When something goes wrong during a maintenance window, a vendor intervention, or a patching cycle, the absence of session evidence forces teams to reconstruct events from memory and partial logs. That slows root-cause analysis, increases finger-pointing, and can extend outages from hours into days.

A modern approach improves reliability by preserving a timestamped record of what was done, by whom, and in what sequence. That matters when multiple engineers touch a critical system, when a vendor introduces a change that affects performance, or when a production issue emerges after a routine session that appeared harmless at the time. With session recordings, teams gain a precise operational history rather than a patchwork of assumptions.

Safety and access control also improve because controlled sessions reduce ambiguity around privileges and actions. When access is time-bound, supervised, and reviewable, organizations are in a stronger position to support third-party maintenance without granting broad, persistent exposure. That creates a better balance between operational continuity and security governance, especially in critical environments where remote access must exist but cannot be trusted blindly.

Root-cause analysis without guesswork

When something goes wrong on the asset side after a remote session, the absence of session evidence is what makes the post-incident review hard. A failed maintenance task, an unintended state change, a misconfigured PLC, a setpoint drift discovered hours after the technician disconnected: each of these turns into a forensic exercise built on memory, partial network logs, vendor recollection, and ticket commentary. The recovery clock keeps running while the investigation argues about what actually happened.

Session recordings collapse that exercise. The replayable record shows which user authenticated, which asset they reached, which commands they sent, and the screen state at each step. Root-cause analysis becomes a five-minute replay rather than a two-day reconstruction. Recovery accelerates because the team can isolate the actual change rather than testing hypotheses against partial evidence. Inter-party disputes between vendor, operator, and compliance compress because the evidence is the same artifact for everyone in the conversation. Regulatory posture improves because the audit trail is producible on demand rather than reconstructed under deadline pressure.

Supervisor oversight without leaving the SOC

Real-time supervision is one of the operational features OT/ICS teams care about most and one of the least-marketed capabilities in the secure-remote-access category. A senior engineer or operations lead can observe a vendor's live session as it happens, intervene if needed by sending an in-session message, pausing the session, or taking control, and never has to physically visit the asset or schedule on-site supervision time. The supervisor sees what the technician sees in the same moment, with the session record building underneath the live view.

The operational benefits land in the places that actually move the cost-of-operations needle. Decisions get made faster because the supervisor is already watching when the question arises rather than getting paged in afterward. Truck rolls drop because supervision no longer requires physical presence at the site. Inter-time-zone supervision gaps close because supervisors in any location can attend any session. Commissioning windows, vendor maintenance cycles, and contractor onboarding all benefit from this directly: the senior person whose oversight makes the work safer can be present without being physically present.

How Xona addresses this
Xona's real-time session monitoring supports active oversight during remote access rather than limiting visibility to after-the-fact review.
Its ability to record and review full session activity helps reduce ambiguity during outage investigation, maintenance review, and vendor accountability questions.
Xona's controlled access model is especially relevant where organizations need to support remote operations without accepting the open-ended exposure of VPN-based access.

Where Does Session Visibility and Recording Fit Within the Organization's Identity and Security Ecosystem?

Session visibility and recording should be treated as part of a broader access governance architecture. Identity providers, MFA, approval workflows, and policy engines determine who should be allowed to connect. Segmentation and boundary controls help determine what should be reachable. Session visibility and recording adds a separate but essential layer: it shows how that access was actually used.

This distinction matters because organizations often assume that SIEM, endpoint telemetry, or VPN logging already provides adequate visibility. In practice, those tools are only as strong as the data they receive. A SIEM can correlate logs, but it cannot reconstruct privileged actions if session content was never captured. Endpoint agents can provide useful signals, but they are not a reliable foundation for OT/ICS session oversight where legacy systems, unmanaged devices, and third-party access paths are common.

A stronger model connects identity assurance, governed remote access, session evidence, and downstream integrations. That allows teams to preserve session truth while still feeding supporting systems such as SIEM platforms, ticketing systems, and compliance workflows. It does not replace those systems. It makes them more useful by providing the session-level evidence they cannot generate on their own.

What auditors expect from session evidence by framework

Different compliance frameworks ask similar questions in different vocabulary. The table below maps the most common OT/ICS frameworks to the session-evidence fields auditors typically request. Phrasing reflects what session evidence typically supports in audit defense, not a guarantee that any single framework names each field by these labels. Consult your registered entity, regulator, or compliance lead on how each control applies to your specific assets.

Framework | User identity field | Session scope field | Timestamps and integrity | Recording metadata | Reference control
NERC CIP-007 R5 + R5.3 | Per-user identity tied to authorized session | Asset and protocol scope per session | Session start/end timestamps, signed event log | Session recording with replay | R5.3 compensating evidence
TSA SD-02F + SD-01G (oil and gas pipeline) | Per-user identity for vendor and contractor sessions | Asset access scope per session | Session timestamps with retention policy | Recording for incident review | TSA security directive evidence
IEC 62443 SR 2.8 (Auditable events) | Authenticated user identity per access event | Session scope tied to the asset and zone | Auditable event timestamps with integrity | Session recording where applicable | SR 2.8 audit log evidence
NIST SP 800-82r3 | Authenticated user identity for OT remote access | Session scope per asset | Session timestamps in audit log | Recording recommended for privileged sessions | Audit logging guidance
FDA 21 CFR Part 11 | User identity tied to verified electronic signature | Session scope per regulated record | Tamper-evident timestamps | Session recording for regulated workflows | Electronic records integrity

The pattern holds across frameworks: auditors look for who, what, when, with what integrity, and where to find the record. Session evidence typically supports each of these fields when produced at the access path rather than reconstructed from disparate logs after the fact.

Recording storage and governance: retention, indexing, redaction

Session recording raises practical governance questions that most OT/ICS programs do not answer until the first audit, the first incident, or the first legal request makes them urgent. Retention windows, indexing approach, redaction policy, storage architecture, and cost implications all need a defensible default before the first session is recorded, not after.

Retention windows vary by framework and asset class. NERC CIP audit cycles typically drive 12 to 36 months of retained session evidence to cover the audit-prep envelope and the look-back period auditors evaluate. TSA compliance windows for designated owner-operators run on similar cycles, with retention often aligned to the security directive review period. IEC 62443 audit support is typically scoped to the entity's own audit cadence, which most operators set at 12 to 24 months. FDA 21 CFR Part 11 environments often require longer retention tied to the regulated record's lifecycle. Federal and DoD-adjacent environments tie retention to the system security plan and the data classification of the asset being accessed.

Indexing is the property that turns recorded sessions from passive evidence into a usable investigation surface. Per-user, per-asset, and per-session metadata indexes make it possible to answer "show me every session that touched HMI-04 in the last 90 days" in seconds rather than hours. Full-text search of session events (commands, file paths, application names) extends that capability into the content layer of the session itself.

Redaction matters because session recordings can incidentally capture sensitive information that should not be exposed during legal or compliance review: customer PII visible on a vendor's shared screen, credentials typed by hand in a workflow that does not use credential injection, or personal information surfaced on an asset's display. A defensible governance policy redacts those items from the copy used for legal or compliance playback while preserving the unredacted, signed master for forensic use under separate, tighter access controls.

Storage architecture is typically on-premises for air-gapped facilities and hybrid for facilities with sanctioned cloud connectivity. Active Defense's signed event loop is the structural property that makes either model defensible: session events carry cryptographic signatures, so any alteration of a record after capture is detectable and the storage layer is not the only line of integrity defense. Signatures make tampering evident rather than impossible, so custody of the signing keys and access control on the master store still matter. Cost tracks the usual three knobs: storage tier (hot, warm, cold), recording resolution and frame rate, and recording duration. Reasonable defaults compress these into a manageable storage footprint while preserving the evidence quality auditors and investigators will actually need.

Consult your registered entity, regulator, or compliance team for retention requirements specific to your jurisdiction and asset class. The defaults above are operational starting points, not regulatory determinations.
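The indexing, redaction, and tamper-evidence points above, worked through in code as an added example (not Xona's implementation): a hash-chained, HMAC-signed event record with a verification routine, a per-asset time-window query, and a redacted playback copy that points back at the signed master. The signing key, field names, regexes, and sample events are constructed for the example; a production gateway would hold the key in an HSM or KMS and use whatever signature scheme its partner integrations expect.

```python
"""Added example: tamper-evident session event records for an OT access gateway.

Illustrative code, not Xona's implementation. Each event the gateway emits is
chained to the previous record and signed with HMAC-SHA256 under a hypothetical
gateway key, so an edited, dropped or reordered record breaks verification. The
same records feed a per-asset, per-time-window index query and a redacted
playback copy that leaves the signed master untouched.
"""
import hashlib
import hmac
import json
import re
from datetime import datetime

# Hypothetical gateway signing key; production key material belongs in an HSM or KMS.
SIGNING_KEY = b"example-gateway-signing-key-not-for-production"
GENESIS = "0" * 64   # "previous signature" of the first record


def _canonical(record: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: list, event: dict, key: bytes = SIGNING_KEY) -> dict:
    """Append an event linked to the previous signature, then sign the whole record."""
    record = dict(event, seq=len(log), prev=log[-1]["sig"] if log else GENESIS)
    record["sig"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    log.append(record)
    return record


def verify_chain(log: list, key: bytes = SIGNING_KEY):
    """Return (True, None) if every record verifies and links, else (False, first bad seq)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i                      # dropped, inserted or reordered record
        unsigned = {k: v for k, v in rec.items() if k != "sig"}
        expected = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("sig") or ""):
            return False, i                      # content changed after signing, or wrong key
        prev = rec["sig"]
    return True, None


def sessions_touching(log: list, asset: str, since_iso: str, until_iso: str) -> list:
    """Index query: which sessions reached this asset inside the window?"""
    since, until = datetime.fromisoformat(since_iso), datetime.fromisoformat(until_iso)
    return sorted({r["session"] for r in log
                   if r["asset"] == asset and since <= datetime.fromisoformat(r["ts"]) <= until})


# Illustrative patterns for secrets a recording may capture incidentally.
PASSWORD_RE = re.compile(r"(?i)\b(password|passwd|pwd)(\s*[:=]\s*)\S+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def redacted_copy(log: list) -> list:
    """Playback copy with secrets masked. The master's signature does not cover the
    edited text, so the copy carries the master's sig as a pointer instead of its own."""
    out = []
    for rec in log:
        detail = PASSWORD_RE.sub(r"\1\2[REDACTED]", rec["detail"])
        detail = SSN_RE.sub("[REDACTED]", detail)
        out.append({**rec, "detail": detail, "sig": None, "master_sig": rec["sig"]})
    return out


def build_sample_log() -> list:
    """Constructed sample: one vendor session touching HMI-04 and PLC-07."""
    log = []
    for ts, asset, detail in [
        ("2025-03-04T02:10:00+00:00", "HMI-04", "login user=vendor.j.doe via gateway"),
        ("2025-03-04T02:12:30+00:00", "HMI-04", "cmd: set_config password=hunter2"),
        ("2025-03-04T02:15:05+00:00", "PLC-07", "write setpoint TIC-101 = 350"),
        ("2025-03-04T02:20:00+00:00", "PLC-07", "logout"),
    ]:
        append_event(log, {"ts": ts, "session": "S-1001", "user": "vendor.j.doe",
                           "asset": asset, "detail": detail})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_chain(log))                                        # (True, None)
    print(sessions_touching(log, "HMI-04",
                            "2025-03-01T00:00:00+00:00", "2025-03-31T00:00:00+00:00"))
    log[2]["detail"] = "write setpoint TIC-101 = 250"               # after-the-fact edit
    print(verify_chain(log))                                        # (False, 2)
```

The chain is what lets a legal hold state exactly which part of the evidence is intact: verify_chain stops at the first record that was edited, dropped, or reordered rather than reporting a single pass/fail for the whole session. The redacted copy deliberately carries no signature of its own; reviewers cite master_sig to tie a redacted frame back to the forensic original.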

How Xona addresses this
Xona fits this control layer by combining identity-correlated access, full session evidence, and exportable records that can support audit, investigation, and external system integration.
Its model complements SIEM, ticketing, and governance systems rather than trying to replace them.
This makes Xona particularly relevant for organizations that need a defensible bridge between access authorization and provable session accountability in OT/ICS.

Key Takeaways

  • Session visibility and recording for OT/ICS remote access is about more than connection logs. It is about preserving evidence of what actually happened during a privileged session.
  • Logging, monitoring, and recording are different capabilities, and OT/ICS organizations need all three working together for meaningful visibility.
  • Legacy remote access methods often create a structural gap between authentication and accountability, especially for vendor and contractor access.
  • Session evidence supports cyber resilience, incident response, operational troubleshooting, compliance readiness, and legal defensibility.
  • A modern OT/ICS access model should combine identity-bound access, controlled session paths, live oversight, searchable recording, and governance integration.
  • Commissioning windows, vendor maintenance cycles, and contractor onboarding all benefit when supervision and recording no longer require a senior person on site.

Frequently Asked Questions

What is session visibility and recording for OT/ICS remote access?

It is the ability to observe, supervise, log, and preserve evidence of user activity during remote sessions involving industrial systems.

Why is session visibility important in OT/ICS?

It improves accountability, supports incident investigation, and helps organizations understand what happened during remote access to critical systems.

What is the difference between logging, monitoring, and recording?

Logging captures access events and metadata, monitoring helps observe or alert on activity in real time, and recording preserves the content of the session for replay, investigation, and review.

Why are VPN logs not enough for OT/ICS remote access?

VPN logs typically show that a connection occurred, but they do not show what a user did after access was established.

How does session visibility support Zero Trust in OT/ICS?

It extends control beyond the login event by preserving session-level evidence tied to identity, policy, and user behavior.

Why is vendor access a major blind spot?

Vendor and contractor sessions are often high-risk, broadly privileged, and minimally monitored, which makes them a common source of exposure.

How does session recording help with operational incidents?

It creates a precise record of what was done during maintenance, troubleshooting, or patching, which speeds root-cause analysis and reduces ambiguity.

Where does session recording fit in the security stack?

It fits alongside identity, remote access, and governance controls by providing session-level evidence that other tools can use but cannot recreate.

How does session visibility complement OT NDR (Claroty xDome, Nozomi Guardian, Dragos Platform)?

OT NDR vendors do excellent work at the network layer. Session visibility adds the next signal: what a human did during a privileged session. NDR detects anomalous network behavior across assets, segments, and protocols, then alerts when a flow looks unusual relative to baseline. Session visibility records who initiated the privileged session, which asset they reached, what commands or actions they executed, and produces a replayable record tied to a verified identity. The two signals reinforce each other during investigation: NDR points to the time window, session visibility supplies the human attribution. Both belong in a mature OT security architecture. Neither replaces the other.

What is Xona Active Defense?

Xona Active Defense (v5.5) is the platform's session-layer enforcement layer. It consumes signed risk signals from integrated OT security partners (Forescout, Nozomi Networks, Dragos) and applies graduated response actions inside the live session: alert, pause, require supervisor approval, terminate, or quarantine. The signed event loop sends session activity back into those partner platforms for correlated investigation.

How do OT IAM and session visibility work together?

OT IAM enforces who can access what. Session visibility records what they actually did. Together, they make access defensible end-to-end: identity-based access controls the path; session recording captures the activity. Use one without the other and your defensibility model has gaps; use both and audit prep, incident response, and vendor governance compress dramatically. See the companion pillar: Identity-Based Access for OT and ICS.