
Why VPN and MFA Is Not Enough for OT: Evidence from the SANS State of ICS/OT Security Report

Half of ICS/OT incidents start with remote access. This blog explains why VPN and MFA alone fall short and what ICS-aware access really requires.

Authored by Michael Hoffman

For many industrial organizations, securing remote access typically follows a familiar formula: deploying a Virtual Private Network (VPN), requiring multi-factor authentication (MFA), and considering the risk largely addressed. These controls are essential and form the backbone of secure connectivity in both IT and OT environments. However, operational technology systems involve safety-critical processes, unique engineering workflows, and specialized devices that demand a deeper level of validation than traditional remote access tools provide. VPN and MFA confirm who is accessing the environment, but they do not address what actions a user may perform, which devices they will interact with, or how their activity might affect physical operations. As industrial networks become increasingly interconnected and reliant on remote capabilities, identity verification alone is no longer enough.

The SANS State of ICS/OT Security 2025 Report highlights this gap particularly clearly. As Figure 1 illustrates, over the past 12 months, 22% of organizations have experienced an ICS/OT cybersecurity incident, with half of these incidents originating from external connectivity or remote access pathways. Another 38% involved ransomware, which frequently gains its foothold through remote-access mechanisms that bridge IT and OT environments. None of these findings suggest that identity controls are ineffective; rather, they highlight the importance of adding ICS-specific layers that extend beyond identity management. Even when a user’s identity is properly verified, OT operations must answer additional questions: Which systems should this user be granted access to? What activity is appropriate? Are their actions safe for the process? Who approves and monitors their work? These are contextual decisions that VPNs and MFA alone cannot make, but they are critical in environments where system changes can impact physical equipment and human safety.

The survey also highlights an interesting contrast: organizations are improving in their ability to detect incidents, yet they still struggle with the speed and complexity of remediation. Nearly half of the respondents detect ICS/OT incidents within 24 hours, and more than 65% take containment action within the following day. These improvements reflect stronger monitoring, better SOC alignment, and increased collaboration between IT and OT teams. However, eradication and full restoration take much longer. The survey reports that 22% of organizations require two to seven days to fully remediate an incident, 8% require one to three months, and 3% take over a year to return to a normal, validated operational state.

These lengthy remediation timelines are not a failure of remote access identity controls; instead, they highlight the complexity and time required to safely recover industrial systems. Unlike IT assets, ICS devices cannot simply be reimaged or replaced without conducting reconstitution activities. As Figure 2 shows, and as the OT Disaster Recovery Quick Start Guide describes, alarm limits, base layer controller modes, advanced control modes, process sequences, and even controller logic may need to be reviewed and modified to align with the most current conditions for the process. The detailed considerations of remediation underscore why organizations need visibility not only into who performed remote actions, but also into what those actions were.

Cloud Adoption Introduces New Remote Access Pathways

Cloud adoption adds another dimension to the challenge. Only 17% of organizations report no cloud usage across their IT/OT footprint, meaning that 83% rely on some degree of cloud-connected capability. Whether through OEM support portals, predictive maintenance systems, analytics platforms, or enterprise historians, cloud connectivity is becoming embedded within industrial operations. Yet only 13% of organizations have fully integrated cloud activity into their monitoring and detection workflows.

This discrepancy does not reflect a weakness in VPN or MFA, but rather the reality that modern industrial architectures incorporate multiple remote access pathways that may not pass through those controls. Cloud services often rely on their own authentication, device interaction models, and support channels. As a result, an organization can enforce strong MFA on its primary VPN while still having additional vendor portals, embedded agents, or automation tools that offer remote access pathways the security team may not even know about.

This growing complexity underscores the need for organizations to maintain a comprehensive inventory of all user-to-system and system-to-system remote access pathways, not just their primary remote access connections.

Unfortunately, 31% of organizations surveyed do not maintain a formal inventory of their remote access points. This is one of the most significant contributors to risk across modern industrial environments. Without a comprehensive inventory, security teams cannot enforce consistent policies or even ensure that all pathways are monitored. And remote access in OT is far broader than many initially assume. It includes vendor and OEM portals, cloud-based maintenance dashboards, remote diagnostics tools, portable engineering laptops, temporary contractor sessions, cellular field modems, and more. Many of these pathways were created for valid operational reasons but lack centralized governance. The survey clearly shows that organizations with complete remote access inventories demonstrate stronger preparedness, improved detection, and more cohesive IT/OT coordination. Visibility is fundamental to security, especially in OT, where remote actions have a direct impact on the physical world.

The Missing Layer: ICS-Specific Remote Access Controls

What the 2025 report makes increasingly apparent is that the real gap in OT remote access is not identity validation; it is the absence of ICS-specific controls that provide the engineering context necessary for safe operations. Figure 3 highlights critically low adoption rates of several essential mechanisms: only 13% fully implement session recording and replay, 11% enforce ICS-specific device or protocol awareness, 8% require real-time session approvals, and 23% implement mandatory jump-host–based session brokering. These numbers suggest that most organizations have robust identity controls but often lack deeper layers that govern what occurs during remote sessions.

Session recording and replay, for example, enable the reconstruction of automation configuration and programming activities, analysis of incidents, compliance with regulatory requirements, and resolution of vendor disputes. This level of transparency becomes essential when industrial processes are involved, because a single configuration change may have safety consequences. Real-time access approvals ensure that remote actions are coordinated with on-site personnel, maintenance windows, and operational needs. This prevents unexpected or unsafe activity, even when the individual’s identity has been validated. Device- and configuration-aware controls add another layer by ensuring that only authorized and properly maintained engineering workstations interact with critical assets.

Similarly, ICS-specific protocol mediation allows organizations to restrict which applications or industrial protocols are allowed during the session. Finally, session brokering through enforced jump hosts, aligned with the Purdue Model’s OT DMZ structure, provides organizations with a monitored, controlled chokepoint for all remote access. Despite its importance, only 23% of organizations implement this architecture. 

Detection Gaps Persist, Especially in Distributed OT Environments 

Detection of remote access misuse also remains an essential capability. Only 13% of organizations report full visibility across the ICS Cyber Kill Chain, and the most significant detection gaps appear at remote or unmanned facilities. These sites rely heavily on remote access due to geographic distribution, yet often lack sufficient monitoring. Common indicators of misuse include unexpected after-hours sessions, unusual cloud-originated access, sudden configuration changes to HMIs or PLCs, unauthorized firmware activity, direct access to Level 1 devices, historian anomalies, or irregular authentication attempts on engineering workstations. These signals require tools that understand ICS behaviors and can distinguish between normal engineering activity and potential threat behavior. Identity controls cannot provide this level of insight on their own.
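As an added example (not code from the report or this post), the Python below applies the ICS-context checks discussed above, pathway inventory, jump-host brokering, session approval, direct Level 1 access and after-hours activity, to a few constructed remote-access session records; the record fields, the inventory, the approved engineering window and the session data are all assumptions for illustration.

```python
from datetime import datetime, time

# Constructed sample session records, shaped like a broker or VPN export.
# Field names are assumptions for this example, not any product's format.
SESSIONS = [
    {"id": "s1", "user": "vendor.ab", "pathway": "vpn-main", "via_jumphost": True,
     "start": "2025-06-03T10:15:00", "targets": ["L3-historian"], "approved": True},
    {"id": "s2", "user": "oem.support", "pathway": "oem-portal", "via_jumphost": False,
     "start": "2025-06-03T23:40:00", "targets": ["L1-plc-07"], "approved": False},
    {"id": "s3", "user": "eng.jdoe", "pathway": "vpn-main", "via_jumphost": True,
     "start": "2025-06-04T14:00:00", "targets": ["L2-hmi-02"], "approved": False},
    {"id": "s4", "user": "contractor.x", "pathway": "cell-modem-site9", "via_jumphost": False,
     "start": "2025-06-04T09:05:00", "targets": ["L1-rtu-03"], "approved": True},
]

# Formal inventory of sanctioned remote-access pathways (assumed).
INVENTORY = {"vpn-main", "oem-portal"}
# Approved engineering hours; anything outside is "after-hours" (assumed).
MAINT_WINDOW = (time(6, 0), time(18, 0))


def is_level1(target: str) -> bool:
    """Level 1 devices (PLCs, RTUs) are named with an 'L1-' prefix here."""
    return target.startswith("L1-")


def review_session(s: dict) -> list[str]:
    """Return the ICS-context findings for one session; empty means clean."""
    findings = []
    if s["pathway"] not in INVENTORY:          # pathway missing from inventory
        findings.append("unknown-pathway")
    if not s["via_jumphost"]:                  # bypassed the OT DMZ broker
        findings.append("jumphost-bypass")
    started = datetime.fromisoformat(s["start"]).time()
    if not (MAINT_WINDOW[0] <= started <= MAINT_WINDOW[1]):
        findings.append("outside-window")
    if any(is_level1(t) for t in s["targets"]):  # touched a Level 1 device
        findings.append("direct-level1")
    if not s["approved"]:                      # no real-time approval recorded
        findings.append("no-approval")
    return findings


def review_all(sessions=SESSIONS) -> dict[str, list[str]]:
    """Map each session id to its findings so an analyst can triage."""
    return {s["id"]: review_session(s) for s in sessions}


if __name__ == "__main__":
    for sid, findings in review_all().items():
        print(sid, "clean" if not findings else ", ".join(findings))
```

Identity is valid for every one of these sessions; only the inventory, brokering, approval and target checks separate the clean session from the three that need review.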

To help practitioners address these challenges, SANS offers a structured pathway that equips teams to both design and validate secure remote access architectures. ICS410: ICS/SCADA Security Essentials lays the foundation by teaching OT practitioners and defenders how to build secure OT environments aligned to the Purdue Model, incorporate session brokers and jump hosts, inventory remote access pathways, apply ISA/IEC 62443 requirements, harden engineering workstations, and design ICS-specific least privilege workflows.

Once the architecture is established, ICS612: ICS Cybersecurity In-Depth provides hands-on practice with real industrial equipment. Students work with live PLCs, HMIs, and Engineering Workstations in hands-on labs to set up a remote access server and then walk through an attack sequence that demonstrates remote access misuse leading to a Level 1 compromise. Students capture and analyze OT network traffic, leverage Network Security Monitoring (NSM) tools to identify malicious engineering actions, and recognize abnormal process conditions. Where ICS410 provides the blueprint, ICS612 puts the blueprint into action and stress-tests it under real-world attack scenarios. 

Final Takeaway: VPN + MFA Is Necessary, But Not Sufficient 

The conclusion from the 2025 SANS data is clear: remote access is now one of the most significant and impactful components of industrial cybersecurity. VPN and MFA are essential, but they represent only the identity layer of a much more complex risk landscape. Industrial operations require controls that incorporate engineering context, protocol awareness, operational approvals, and comprehensive visibility into user actions.

The organizations that demonstrate the highest preparedness share common characteristics: complete remote access inventories, ICS-specific access controls, integrated IT/OT monitoring, engaged engineering teams, and regular exercises that reflect the realities of industrial operations. These organizations treat remote access not as an IT service, but as a safety-critical function that demands engineering-grade rigor. 

VPN + MFA remains a vital part of secure remote access. But industrial organizations must build on this foundation with ICS-aware access control to achieve true defensibility. By leveraging the architectural principles taught in ICS410 and validating them with the hands-on experience of ICS612, practitioners can transform remote access from a top concern into a well-governed, transparent, and resilient element of modern ICS operations.

Ready for more insights? Download your version of the SANS State of ICS/OT Security 2025 Report here.  

Learn more about SANS’S ICS/OT Security Curriculum here.