DEGRADED MODE OPERATIONS: WHEN THE BROKER IS UNAVAILABLE
How should degraded mode operations be handled when the session broker is unavailable?
Patterns C and D depend on a broker mediating between the vendor and the OT zone. WAN outages, central-broker failures, and configuration changes inevitably mean the broker will be unavailable at moments when work is required, including emergencies. An access architecture that fails closed in every degraded scenario is also an architecture that prevents emergency response. The discipline is to define explicitly what degrades gracefully and what never bypasses, and to write that boundary into the operational runbook before the first outage. For sites that must keep operating during WAN or broker loss (island-mode operation), define a pre-authorised local break-glass path that is itself identity-bound, time-limited, and logged, so continuity never becomes an ungoverned backdoor.
Controls that may degrade gracefully in a documented degraded mode: MFA may temporarily fall back to single-factor where the second factor depends on the unavailable service, provided that the resulting session is logged and tagged as degraded; access decisions may temporarily fall back to a cached policy with a defined maximum cache age (typically 24 to 72 hours); session recording targets may temporarily fall back to local storage if the central evidence vault is unreachable, provided the recordings are exported on broker recovery. Each of these is a documented break-glass step, not a permanent state.
Controls that shall never bypass, regardless of degradation.
- Audit trail. The fact that a degraded-mode session occurred, who initiated it, and what they did must be captured even when the central monitoring stack is unreachable; storage is local until exfil is restored.
- Identity. A degraded-mode session shall still be tied to a named individual by some local mechanism (badge, station-resident TOTP, supervisor co-presence).
- Approval. A break-glass session shall require explicit authorisation by a designated role; absence of the broker is not absence of approval.
- Time-bounding. Degraded sessions shall expire automatically; degraded mode must not be a stable operating state.
- Anchors. NIST SP 800-82 Rev. 3 Β§6.2.10 (remote access OT overlay) recommends mechanisms to manage the removal of access on a configurable schedule and to support emergency disconnect; NIST SP 800-53 Rev. 5 AC-17(9), per the NIST SP 800-82 Rev. 3 OT overlay, defines a documented disconnect-or-disable capability that extends OT baselines. Both anchors imply that degraded modes must be designed in, not improvised under pressure.
COMPENSATING CONTROLS FOR LEGACY EQUIPMENT
What compensating controls apply to legacy equipment including serial connections and air-gapped systems?
OT estates contain equipment that pre-dates modern remote-access architecture. Serial links (RS-232, RS-485), Modbus RTU, proprietary fieldbus protocols, engineering workstations on Windows XP or Windows 7 (and servers on Windows Server 2003 or 2008), and vendor support tools that presume a flat network are common in installations with 15- to 25-year operating horizons. The principles in this guide apply, but the specific implementation patterns described in Figures 2 through 6 require supplementary controls when the underlying equipment cannot natively support session brokering, MFA, or modern transport security.