Zero standing privilege
Access exists only inside a bounded window; before and after, privilege is zero.
Dedicated section belowThe OT island principle
OT initiates outbound; OT does not accept inbound.
Dedicated section belowDefence in depth
No single control is load-bearing; six layers wrap the asset, including session evidence and monitoring so that misuse is detected and answered, not only prevented.
Dedicated section belowMinimum viable controls scale to context
The same five common control gates (identity, authorisation, session evidence, kill-switch, supply-chain assurance) apply across every pattern, but the implementation depth scales with maturity.
Cross-cuttingVerification over assumption
Every claim in this guide is anchored in a verifiable clause; every implementation should be acceptance-tested.
Cross-cuttingPrinciples 1, 2, and 3 each anchor a dedicated section later in this guide. Principles 4 and 5 are cross-cutting and applied throughout the patterns and methodology.
| Pattern | Where it applies | Primary control |
|---|---|---|
| A Β· Large OT, customer station | Utility, pharma, large-scale industrial β station owned and managed by customer | Enterprise IAM + jump host + PAM wraps the existing station |
| B Β· Large OT, vendor laptop | Large-site commissioning β vendor laptop enters the network | NAC + vendor DMZ + OT-IDS contain an untrusted device |
| C Β· Small OT, customer station | Small water utility, district heating β station present, no IT staff | Control sits at the station: local identity + offline MFA + recording + log export |
| D Β· Small OT, vendor laptop | Hardest case: small utility plus vendor-owned device with no enterprise infra | Hardware broker at the boundary: scoped access + session evidence + log export |
Inventory every active third-party remote-access path into OT
Verify default credentials have been changed
Enable session logging on existing remote-access channels
Identify the assets that fall under each of Patterns A through D
Plan migration of any always-on tunnel toward time-bounded access
The detailed phase plan is in section Implementation priority.
Scope note β IEC 62443-2-1:2024
This guide is one element of a complete cybersecurity programme. Per IEC 62443-2-1:2024, asset owners are required to maintain a Cybersecurity Management System (CSMS) covering risk analysis, access control, supplier governance, and incident response. This guide addresses third-party access; readers building a complete OT cybersecurity programme should treat it as one chapter, not the whole book.