Remote Access to Critical Infrastructure Is Not an IT Tool, but a “Safety-Critical Control”

Remote Access to Critical Infrastructure Is Not an IT Tool, but a “Safety-Critical Control”

BifrostConnect Blog

BifrostConnect's Blog

Remote Access to Critical Infrastructure Is Not an IT Tool, but a “Safety-Critical Control” that should...

Remote Access to Critical Infrastructure Is Not an IT Tool, but a “Safety-Critical Control” that should...

… work not only in day-to-day operations, when the water is still, but also when incidents hit.

 

Remote access is essential in critical infrastructure. Water utilities, energy companies, and industrial operators depend on it to maintain, troubleshoot, and recover systems that are often geographically dispersed and operationally fragile.

 

The problem is not that they use remote access. The problem is the assumptions it is built on and used with.

 

If you look across incident investigations, you’ll see the same pattern over and over again: remote access is a frequent entry point into OT environments. Not only for approved people, but also for the wrong people, and increasingly through automated threat actors.

 

This is not simply because organisations are negligent, but because the architecture behind many organisations’ remote access tools and surrounding infrastructure was designed for normal operations and not for failure, not for local breakdowns, and definitely not for larger external incidents.

 

From where I’m sitting as a commercial person gone flat-out OT cybersecurity nerd over the past five years – something is changing. But as always, change driven by a core mission of “protecting” is waking up too slowly, and is constantly left behind by change driven by an ambition to gain power…

 

That means anyone is a target if they have data or systems worth protecting – privately, their own, or others’. It doesn’t matter if you believe you are insignificant or that your company is too small to be of interest. Looking at the Danish utility sector, it is estimated that thousands of attempted intrusions are knocking on its doors every single day, and in 2024–2025 we have seen several smaller water facilities successfully compromised.

 

But how do you prevent this going forward? And what do you actually do WHEN you get hit – either by a direct threat to your organisation, or by a larger external incident affecting your infrastructure and uptime?

 

One thing the EU is a frontrunner in is rules, standards, and guidance. And no matter what industry you are in, or what kind of data you handle, you almost certainly have some form of regulatory framework, standard, certification, or even law guiding best practice for keeping data safe, employees safe, supply stable, and society running.

 

What standards and regulation are agreeing on in regards to remote access:

Whether viewed through the Cyber Resilience Act (CRA), IEC 62443, NIS2, DORA, CER, or national guidance such as the UK NCSC’s OT connectivity principles and Denmark’s industry specific laws such as Energy’s Law on Strengthened Preparedness – the direction is consistent.

 

= Assume compromise and design accordingly.

 

Different frameworks use different language, but they all agree on four universal best practices when it comes to remote access:

 

  • Connectivity must be limited, scoped, and auditable
  • Trust must not be implicit or permanent
  • The impact of compromise must be contained
  • Controls must continue to function under abnormal conditions

And that is enabled through:

 

  • MFA: no access without at least two factors
  • Encryption: data must be unreadable to others during transit
  • Logging: you must be able to see exactly who did what, and when
  • Isolation: remote access must land in a controlled environment before reaching sensitive systems
 

The role of sector-specific laws:

 

While general frameworks provide the direction, sector-specific laws act as an overlay that increases pressure and expectations.

 

They typically introduce:

 

  • stricter implementation requirements
  • accelerated incident reporting timelines
  • sector-specific testing and oversight
  • dedicated regulators with deep operational insight

Different angles, but same message.

 

 
In short: NIS2 tells you that you must do it (the law). IEC 62443 and NIST explain how to do it technically. Sector-specific regulation defines how little tolerance there is for failure in your industry.

 

Resilience is not only about surviving disruption. It is about retaining control while it happens, and remote access that only works during normal operations does not support resilience. In a crisis, it can become a single point of failure – or worse, an uncontrolled entry point affecting organisations, employees, and society.

 

Where traditional remote access still falls short Today:

 

Despite converging best practices across laws, standards, and frameworks, many OT environments still rely on:

 

  • Permanent VPN connections directly into OT networks
  • Shared vendor accounts with limited accountability
  • Network-level access instead of asset-level access
  • Logging that disappears during an incident
  • Dependence on central cloud services to revoke access

 

These setups may be operationally efficient – when everything is calm and steady. They do not align with modern OT security, resilience, or regulatory expectations.

 

Let’s reframe “remote access”:


In critical infrastructure, remote access should be treated like any other safety-critical control:

 

  • Temporary, session-based access
  • Individual identity with enforced authentication at the endpoint
  • Access scoped to a specific system, not an entire network
  • Session recording and evidence-grade auditability
  • Independence from the production network and the internet

This is not about compliance theatre (you cannot get a NIS2 certificate!!). It is about retaining control when assumptions fail.

 

One final question to test your own organisations remote access:

 

Many remote access architectures in OT are inherited from IT assumptions that do not hold in critical infrastructure.

 

So ask yourself this 1 question:

 
Does your vendor’s MFA, remote access, and session recording still work if your IT infrastructure is down – or do you need people flying in while trying to contain an incident and keep unaffected systems running in island mode?
 

Resilience is not built by assuming everything works as planned. It is built by assuming that, at some point, it won’t.

 

We believe remote access should reflect that.

 

by Emilie Lerche Fenger, BifrostConnect.

 

#RemoteAccessAsItShouldBe

About the Author:

Emilie Lerche Fenger is the Head of Sales and Marketing at BifrostConnect, where she leads the company’s commercial strategy and cybersecurity aligned market positioning. With eight years of experience working with remote access and critical infrastructure, she focuses on understanding real operational challenges, shaping thought leadership and driving strategic initiatives that support NIS2 readiness and resilient IT OT collaboration.

🔗 LinkedIn profile

Discover How You Can Establish Zero Trust Access to Your Equipment

Get in touch with one of our experts today.