OT security often prioritizes internal segmentation while exposed remote access points face constant, unmonitored attack attempts, creating a high-probability path to compromise that many risk models undervalue.
Ilan Barda, Founder and CEO of Radiflow, frames remote access as the most active and least controlled attack surface in industrial environments, driven by operational needs and vendor mandates.
The fix centers on treating remote access as a first-class risk by enforcing least-privilege access, monitoring all activity, and giving CISOs clear ownership to prioritize protections based on business criticality.
Most OT security strategies are built around the wrong problem. Teams harden internal networks, refine segmentation, and chase vulnerabilities, while the most exposed parts of the environment sit largely unprotected. Remote access points connect critical systems directly to the outside world, attract constant attack attempts, and often operate with minimal monitoring. The result is a skewed risk model that prioritizes unlikely internal scenarios while ignoring the far more probable path of external compromise.
To better understand the threat we spoke to Ilan Barda, Founder and CEO of OT cybersecurity firm Radiflow. Barda has spent more than a decade advising organizations on the realities of securing industrial networks, drawing on a career that includes leadership roles at Nokia Siemens Networks and as CEO of Seabridge. Barda says that in many cases, companies heavily underestimate the probability of an attack coming from the outside.
"When you have an external access point, the number of attempts that can be made against it is basically endless. In most cases, nobody is monitoring those attempts. That makes it very likely that someone will eventually find a way in," says Barda. In effect, attackers are given unlimited time to experiment against a largely unattended target.
A double-edged sword: The risk associated with remote access points is compounded by the fact that they’re often required to do business. "It’s driven by operations in terms of setting up these kinds of access points, and that's why you have quite a lot of them," says Barda. Operational teams and third-party vendors use them to streamline tasks and keep systems running, posing a core challenge to OT security fundamentals.
An offer you can't refuse: Commercial contracts further complicate matters. "Most of the big automation vendors now mandate remote access in their maintenance contracts," Barda says. "You can’t really object to it. If you buy their equipment, you must set up that access."
But Barda stresses that even with these contractual obligations, organizations retain the power to secure their networks. The solution lies in modern tools capable of securing these connections without disrupting vendor workflows, alongside a zero-trust approach that turns the focus from simple visibility to active enforcement.
Less is more: Barda advises that remote access be restricted to the least authorization required for any given party. "If a vendor only needs to read data, enforce that they can only read the data. Don't just assume they will stick to their assigned task," he says.
Assume the worst: Since remote access is both a vital business enabler and a glaring security risk, the key is to treat it with a higher degree of scrutiny. "For data flows coming from remote access gateways, the recommendation is to alert the operator on everything. Assume anything happening there needs to be reviewed and approved. Don't assume any of that activity is normal."
Barda says asset owners themselves must drive the solution, as top-down regulation often moves too slowly and provides only high-level guidance. Giving CISOs a clear mandate to execute security from a central viewpoint creates a single, prioritized picture of risk across both OT and IT.
Don't wait for a hero: "The regulator cannot do the job for the asset owner. They will just give you very basic guidelines, so don't expect them to enforce the details. You can and should look into best practices and frameworks, but you must take ownership of handling it in the right way," Barda says.
Ultimately, Barda advocates for re-centering the entire security conversation on business impact, urging leaders to prioritize what’s truly at stake over purely technical vulnerabilities. "Take into account your business importance, business criticality, and start going backwards from there," he concludes. "That will ensure you're protecting the right priorities."
