Turning Remote Access Into a Manageable OT Risk By Thinking Beyond Basic IT

The Security Digest - News Team
Published
January 26, 2026

Jonathon Gordon, Industry Analyst at Takepoint Research, explains why remote access is both OT's biggest vulnerability and the one risk asset owners can realistically get their arms around.

Key Points

  • Remote access has become a top initial-access vector for attackers targeting industrial environments, but unlike other OT risks, it can be reduced through deliberate action.

  • Jonathon Gordon, Industry Analyst specializing in ICS/OT Cyber Security at Takepoint Research, argues that success depends on understanding the cultural divide between IT enforcement and OT operations, where blocking traffic remains a "dirty word."

  • His roadmap starts with assessing the actual footprint, prioritizing critical assets, and framing security investments as "Return on Mitigation" rather than ROI to resonate with engineers.


Remote access in operational technology is the operating model, not an edge case. Critical infrastructure like water plants and power stations runs on specialized equipment maintained by vendors for decades, a long-term dependency that creates sprawling and often undocumented access points. A vendor focused on uptime might attach a 3G modem to a piece of equipment without a second thought, quietly opening a path from the internet into core operational systems. Multiply that decision across decades and vendors, and remote access becomes a primary source of OT risk.

Jonathon Gordon is an Industry Analyst specializing in ICS/OT Cyber Security at Takepoint Research, a leading advisory firm focused on this space. He has spent his career advocating for robust security practices in industrial environments. As an Advisory Board Member for Industrial Cyber, he brings a practitioner's view to a risk that has become both urgent and, in his view, uniquely manageable. He argues that while remote access has become a primary initial-access vector for attackers, it's also one of the few risks in industrial environments where security leaders can make meaningful, measurable progress.

"Remote access is one of the number one risks that can actually be significantly addressed by asset owners. You can limit the blast radius, take control, minimize those footprints, and manage it. It's quite different from other areas in these environments, which are a lot harder to address," says Gordon. The core challenge is less about technology and more about navigating organizational complexity. Mergers and acquisitions leave global companies with plants at wildly different maturity levels. Some assets connect directly to the internet; others use advanced OT-specific controls. Everyone involved has different priorities.

  • A puzzle of priorities: "You have the security team focused on making sure access is secure and compliant, the operations team that just wants vendors to get the work done, and the vendors themselves who have to learn a different platform at every client," Gordon says. "It's an interesting puzzle, but it's one that if an asset owner can sort it out, they can reduce that particular risk to an acceptable level."

  • Into the woods: Gordon’s roadmap starts with visibility, not tooling. "You can’t solve the problem until you know how many backdoors are in your network, which is why an assessment has to come first so you actually understand what’s happening in your environment," he says. That clarity is what makes prioritization possible. "The focus should be on the critical assets your business can’t function without, because if you try to look at everything at once, you can’t see the forest for the trees."

Building the business case requires speaking to an engineering mindset. Gordon introduces the concept of "Return on Mitigation," which reframes security investments around the value of risk being reduced rather than traditional ROI calculations. The approach repositions security away from being a perceived cost center and toward its role as an enabler for the people who keep the lights on and the water clean.

  • Speak their language: "Talking in terms of return on investment, people sort of glaze over. In particular when you're talking to operations folks and engineers who understand exactly what it is to buy capital equipment and then what the depreciation is over time."

  • Handle with care: Gordon is equally careful about how concepts like Zero Trust get applied in OT. "In operational environments, you can’t just start blocking things. The very idea of enforcing a new rule is considered a dirty word, which is why the focus has always been on visibility rather than control," he notes. Remote access, however, is a rare exception. "It’s one of the few areas where OT zero trust principles actually work, but they break down once you move deeper into the control network. If an operator has to hunt around for a password when an HMI is talking to a PLC, things can go wrong very quickly."

The path forward is deceptively simple in Gordon's view. It requires humility, collaboration, and a willingness to learn from the people closest to the operations. While decisions may originate in the boardroom, successfully securing the plant floor begins with those on the production line.

The real expertise lives with the people who operate these systems daily. "You need to go and speak to the folks on the production lines, in the plants, the folks that actually understand how the operational environment and technology work. They'll very quickly tell you what will work and what you're not allowed to do," concludes Gordon.