BifrostConnect Blog
OT calls out. OT never receives
That’s not a product feature. It’s an architectural principle – and it should be the starting point for every conversation about remote access to critical infrastructure in 2026.
The Purdue model was created in 1994 – not as a security model, but as an integration architecture for describing information flows across production and business. Cybersecurity didn’t exist as an industrial concept at that time.
The Purdue hierarchy remains an important architectural reference – its defense-in-depth logic is reflected in IEC 62443 and NIST SP 800-82. But it rests on two assumptions that no longer hold: that OT communication is hierarchical and sequential, and that levels 0-2 are physically isolated from the outside world. IIoT broke the first. Vendor remote access broke the second.
VPN isn’t the villain. The implementation is.
VPN technology isn’t structurally insecure. The problem arises when the tunnel terminates in the IT network with broad access – and the user can then move laterally toward OT zones that aren’t sufficiently segmented.
Colonial Pipeline (2021) illustrates this: the attackers got in through an inactive VPN account that had no MFA. OT wasn't directly compromised; the operator shut down pipeline operations proactively. The root cause was identity and access management, not VPN technology (source: CISA/FBI Joint Advisory AA21-131A).
The typical VPN implementation in OT creates a connection path from the internet to the IT network, and from there the distance to OT depends on segmentation quality, which in most industrial facilities is lower than assumed.
A new architectural principle: OT Island Model
Picture the OT network as an island. Isolated, protected, controlled. The digital outside world exists around it. But the island decides when and how connections are established.
OT Island Model is a conceptual description of an outbound-initiated remote access architecture. The OT device initiates an outbound connection to a controlled platform; no inbound ports are opened on the OT perimeter. A vendor reaches only the agreed asset, within the agreed time window, via approved protocols, and full session recording is enforced.
This eliminates three structural weaknesses of conventional remote access: inbound exposure, the lateral-movement path from IT into OT, and the absence of an audit trail.
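The access decision the platform has to make before it bridges a vendor into a device's outbound tunnel is small enough to show in full. The example below is added here for illustration; it is not BifrostConnect's code and does not describe their product. It assumes a relay platform holds pre-approved grants (vendor, single asset, approved protocols, time window), evaluates each session request default-deny against them, and writes every decision to a hash-chained audit log so that later deletion or editing of an entry is detectable. Grant data, request data, asset names and the hash-chaining scheme are all constructed assumptions.

```python
"""Default-deny session gate plus tamper-evident audit trail for an
outbound-initiated ("island") remote access broker. Added example, not
vendor code; all names and data below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import json

UTC = timezone.utc


@dataclass(frozen=True)
class AccessGrant:
    """One pre-approved maintenance window: who, which single asset,
    which protocols, and when."""
    vendor: str
    asset: str
    protocols: frozenset
    window_start: datetime
    window_end: datetime


@dataclass(frozen=True)
class SessionRequest:
    vendor: str
    asset: str
    protocol: str
    requested_at: datetime


def evaluate(req: SessionRequest, grants) -> tuple:
    """Allow only if some grant matches vendor, asset, protocol and window.
    Otherwise return the first mismatch seen, so the denial is explainable."""
    reasons = []
    for g in grants:
        if g.vendor != req.vendor:
            continue
        if g.asset != req.asset:
            reasons.append(f"asset {req.asset} not in grant for {g.asset}")
            continue
        if req.protocol not in g.protocols:
            reasons.append(f"protocol {req.protocol} not approved for {g.asset}")
            continue
        if not (g.window_start <= req.requested_at < g.window_end):
            reasons.append(f"outside window {g.window_start.isoformat()}"
                           f"..{g.window_end.isoformat()}")
            continue
        return True, f"matched grant for {g.asset} via {req.protocol}"
    return False, reasons[0] if reasons else f"no grant for vendor {req.vendor}"


def audit_record(req: SessionRequest, allowed: bool, reason: str, prev_hash: str) -> dict:
    """Each record commits to the previous record's hash (assumed scheme),
    so removing or editing an entry breaks verification."""
    body = {
        "ts": req.requested_at.isoformat(),
        "vendor": req.vendor, "asset": req.asset, "protocol": req.protocol,
        "decision": "allow" if allowed else "deny", "reason": reason,
        "prev": prev_hash,
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    body["hash"] = hashlib.sha256(canonical.encode()).hexdigest()
    return body


def verify_chain(records) -> bool:
    """Recompute every hash and check the chain links from genesis."""
    prev = "0" * 64
    for r in records:
        body = {k: v for k, v in r.items() if k != "hash"}
        if body["prev"] != prev:
            return False
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        if hashlib.sha256(canonical.encode()).hexdigest() != r["hash"]:
            return False
        prev = r["hash"]
    return True


# Constructed grant: one vendor, one PLC, SSH only, a four-hour window.
GRANTS = [AccessGrant("acme-service", "plc-line3", frozenset({"ssh"}),
                      datetime(2026, 3, 10, 8, 0, tzinfo=UTC),
                      datetime(2026, 3, 10, 12, 0, tzinfo=UTC))]


def demo() -> list:
    """Constructed requests: in-window allow, wrong asset, wrong protocol, late."""
    reqs = [
        SessionRequest("acme-service", "plc-line3", "ssh", datetime(2026, 3, 10, 9, 30, tzinfo=UTC)),
        SessionRequest("acme-service", "hmi-line3", "ssh", datetime(2026, 3, 10, 9, 35, tzinfo=UTC)),
        SessionRequest("acme-service", "plc-line3", "rdp", datetime(2026, 3, 10, 9, 40, tzinfo=UTC)),
        SessionRequest("acme-service", "plc-line3", "ssh", datetime(2026, 3, 10, 13, 0, tzinfo=UTC)),
    ]
    log, prev = [], "0" * 64
    for r in reqs:
        ok, why = evaluate(r, GRANTS)
        rec = audit_record(r, ok, why, prev)
        log.append(rec)
        prev = rec["hash"]
    return log


if __name__ == "__main__":
    records = demo()
    for rec in records:
        print(rec["decision"], rec["asset"], rec["protocol"], "-", rec["reason"])
    print("chain intact:", verify_chain(records))
```

The point of the gate is that the check happens at the platform, before any packet reaches the island: the PLC never sees a request that was not already matched to an asset, a protocol and a window, and the denial reason is in the same log as the allow.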
It is consistent with what CISA and ENISA recommend and, critically, with what the EU Machinery Regulation (2023/1230) requires from January 2027: logging of all interventions in safety software, retained for a minimum of five years, as a condition of CE marking.
The Machinery Regulation isn’t a reporting requirement. It’s a market access requirement. A machine that cannot document this logging cannot legally be placed on the EU market from January 2027. Vendors without logging cannot sell machines in the EU. That argument lands in procurement conversations in a way a security pitch doesn’t always manage.
What the model doesn’t solve:
Zero Trust is a direction for OT security, not a state that can be achieved uniformly across a facility. PLCs and RTUs from the early 2000s don’t support certificate-based authentication. Levels 0-1 with legacy hardware require compensating controls: network isolation, passive anomaly detection, and strong access control on the interfaces that can be protected.
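For the legacy PLCs and RTUs that cannot authenticate anyone, the compensating control the paragraph names is passive anomaly detection. The example below is added here to show the simplest useful form of it; it is not BifrostConnect's code and is not taken from any product. It assumes a learned baseline of normal (source, destination, port, Modbus function code) tuples from a span-port feed, and flags any tuple not in the baseline, with severity raised for unknown sources and for write function codes. The addresses, the baseline and the flow lines are constructed.

```python
"""Allowlist-style passive anomaly detection for a legacy PLC segment.
Added example, not vendor code. Assumes Modbus/TCP on port 502 and flow
records already reduced to 'timestamp src dst port function_code'."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port fc")

# Modbus function codes that change state (write coils / registers).
WRITE_FCS = frozenset({5, 6, 15, 16, 22, 23})

# Constructed baseline: what the HMI and historian normally do to the PLC.
BASELINE = frozenset({
    Flow("10.1.2.10", "10.1.2.50", 502, 3),   # HMI reads holding registers
    Flow("10.1.2.10", "10.1.2.50", 502, 16),  # HMI writes setpoints
    Flow("10.1.2.20", "10.1.2.50", 502, 3),   # historian reads
})

# Constructed flow lines for the demo (a span-port feed would supply these).
SAMPLE_LINES = [
    "2026-03-10T09:31:02Z 10.1.2.10 10.1.2.50 502 3",
    "2026-03-10T09:31:05Z 10.1.2.10 10.1.2.50 502 16",
    "2026-03-10T09:32:11Z 10.1.2.77 10.1.2.50 502 3",   # unknown host reading
    "2026-03-10T09:32:40Z 10.1.2.77 10.1.2.50 502 5",   # unknown host writing a coil
    "2026-03-10T09:33:01Z 10.1.2.20 10.1.2.50 502 8",   # historian sends Diagnostics
]


def parse_flow(line: str):
    """'ts src dst port fc' -> (ts, Flow). Malformed lines raise ValueError."""
    ts, src, dst, port, fc = line.split()
    return ts, Flow(src, dst, int(port), int(fc))


def classify(flow: Flow, baseline=BASELINE) -> str:
    """Severity policy (an assumption, tune per site): a source never seen
    in the baseline is high; a known source doing a new write is high;
    a known source doing a new read/diagnostic is medium."""
    known_src = any(b.src == flow.src for b in baseline)
    if not known_src:
        return "high: unknown source"
    if flow.fc in WRITE_FCS:
        return "high: new write from known source"
    return "medium: new function code from known source"


def detect(lines, baseline=BASELINE) -> list:
    """Return (ts, Flow, severity) for every flow outside the baseline."""
    alerts = []
    for line in lines:
        ts, flow = parse_flow(line.split("#")[0])
        if flow in baseline:
            continue
        alerts.append((ts, flow, classify(flow, baseline)))
    return alerts


if __name__ == "__main__":
    for ts, flow, sev in detect(SAMPLE_LINES):
        print(ts, flow.src, "->", flow.dst, "fc", flow.fc, "|", sev)
```

The detector never talks to the PLC, which is the whole point for level 0-1 hardware: the baseline lives on the monitoring host, and the control it adds is visibility, not authentication. It catches the unknown host on the segment and a known host changing behaviour, and it says nothing about a vendor who is already inside the allowed tuple set, which is why it complements rather than replaces the access gate.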
But the starting point – the paradigmatic shift – is that remote access to OT isn’t about opening a door. It’s about building a controlled exit.
OT calls out. OT never receives.
by Emilie Lerche Fenger, BifrostConnect.
#RemoteAccessAsItShouldBe
About the Author:
Emilie Lerche Fenger is the Head of Sales and Marketing at BifrostConnect, where she leads the company's commercial strategy and cybersecurity-aligned market positioning. With eight years of experience working with remote access and critical infrastructure, she focuses on understanding real operational challenges, shaping thought leadership and driving strategic initiatives that support NIS2 readiness and resilient IT/OT collaboration.