BifrostConnect Blog
Imagine a door in your building that is always left ajar. It leads straight into the engine room, where your PLCs control the water supply, the turbines spin, or the production line keeps pace. You know that vendors regularly need to come in and service the equipment, so the door just stays open. All the time. Even at three in the morning, when nobody is watching.
That is exactly how traditional remote access to OT systems works today. VPN connections that stay on 24/7. RDP sessions that never get closed. Shared passwords sent over email. And when something goes wrong, the answer is far too often: “We don’t know what happened.”
That is not good enough. Not technically, and not from a regulatory standpoint.
The Attack Surface That Never Sleeps:
When a remote access connection is permanently active, it is also permanently exposed. It can be scanned, targeted, and exploited regardless of whether anyone is actually using it. The Colonial Pipeline attack in May 2021 went through a legacy VPN account that was no longer in active use, protected by a single password (one that had already appeared in a leaked credential dump) and no multi-factor authentication. The result was a five-day shutdown of the largest fuel pipeline on the U.S. East Coast.
And that is not an isolated case. The 2021 Oldsmar water treatment incident in Florida involved a TeamViewer connection whose password was shared among staff. The 2023 attack on the Danish energy sector compromised 22 companies through vulnerabilities in their Zyxel firewalls. The pattern is the same: permanently open access paths give attackers time and opportunity.
Flip the Model:
Ad hoc access is built on a single principle: the connection does not exist until it is actively created. When the session ends, the access path disappears. There is no sleeping tunnel, no open port, no dormant connection for an attacker to exploit.
Think of it as the difference between a door that is always open and a door that only materializes the moment you need it, then vanishes again afterward. It may sound like science fiction, but it is precisely the architectural approach that modern OT security demands.
In practical terms, ad hoc access means that a vendor cannot maintain a foothold between sessions. A compromised password cannot be used to establish a dormant connection. An attacker cannot scan an access path that simply does not exist. And lateral movement from the access point is constrained to the specific endpoints defined in the session scope.
NIS2 Demands Forensic Accountability:
With the NIS2 Directive and its Danish implementation act, documenting vendor access is no longer optional best practice; it is a legal requirement. When a significant incident occurs, the organization must send an early warning to the competent authority within 24 hours, a full incident notification within 72 hours, and a final report within one month.
The regulator will ask one central question: “What did the vendor do during that maintenance session?”
If the answer is “We don’t know” because no session recording, no identity logging, and no time-stamped audit trails exist, then the organization has a serious compliance problem. This applies regardless of whether a security incident has actually occurred.
The SAMSIK guidance from June 2025 further specifies the requirements through a hierarchy of mandatory, recommended, and optional measures for each of the ten NIS2 Act § 6 provisions. Vendor access falls squarely under supply chain security, which NIS2 Art. 21(2)(d) explicitly addresses.
The Four Building Blocks of Secure Ad Hoc Access:
What does this look like in practice?
A robust ad hoc access architecture rests on four core principles.
- Individual identity and MFA per session: No shared passwords. No generic “vendor” accounts. Every session requires the specific technician to authenticate with multi-factor authentication, so a compromised password alone can never establish a session.
- Time-limited and scoped access: The vendor gets access to exactly the devices, ports, and applications required for the task, and only within the approved time window. When the window expires, access closes automatically. No “forgotten” connections left lingering.
- Full session recording: Everything the vendor does during the session is recorded. Not just metadata showing that a session took place, but a complete video and keystroke log documenting the actual actions. It is the difference between knowing someone was inside and knowing exactly what they did.
- No persistent attack surface: This is the most fundamental property: between sessions, there is no inbound connection, no open port, nothing to attack. The attack surface shrinks from 24/7 to only the minutes or hours when a session is actually active.
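The following is an added example, not BifrostConnect's code, showing how the four building blocks above (and the session-scope constraint described under "Flip the Model") translate into enforcement logic. It models an approved maintenance session as a signed grant and evaluates each connection attempt against identity, MFA, time window and scope, writing every decision to an audit trail. The class and function names, the hostnames and the grant identifiers are assumptions chosen for illustration; the scenario in `demo()` is constructed sample data.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Logins that are not a person. A grant bound to one of these is refused
# even if it is correctly signed and MFA was completed. (Assumed list.)
GENERIC_ACCOUNTS = {"vendor", "admin", "service", "maintenance", "root"}


@dataclass(frozen=True)
class AccessGrant:
    """One approved maintenance session: who, what, and when. (Assumed model.)"""
    grant_id: str
    technician: str      # individual identity, never a shared login
    mfa_verified: bool   # MFA completed for this specific session
    scope: tuple         # allowed (host, port) pairs
    not_before: datetime
    not_after: datetime

    def canonical(self) -> bytes:
        body = {"grant_id": self.grant_id, "technician": self.technician,
                "mfa_verified": self.mfa_verified,
                "scope": sorted(list(s) for s in self.scope),
                "not_before": self.not_before.isoformat(),
                "not_after": self.not_after.isoformat()}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_grant(grant: AccessGrant, key: bytes) -> str:
    """The approver signs the grant so the enforcement point can detect a
    widened scope or an extended time window (HMAC-SHA256 for illustration)."""
    return hmac.new(key, grant.canonical(), hashlib.sha256).hexdigest()


def evaluate(grant, signature, key, technician, host, port, now, audit):
    """Decide one connection attempt. Every decision, allowed or denied, is
    appended to `audit` with a timestamp so the session trail is complete."""
    def decide(allowed, reason):
        audit.append({"ts": now.isoformat(), "grant_id": grant.grant_id,
                      "technician": technician, "target": f"{host}:{port}",
                      "decision": "allow" if allowed else "deny", "reason": reason})
        return allowed, reason

    if not hmac.compare_digest(sign_grant(grant, key), signature):
        return decide(False, "grant signature invalid")
    if grant.technician.split("@")[0].lower() in GENERIC_ACCOUNTS:
        return decide(False, "shared or generic account not permitted")
    if technician != grant.technician:
        return decide(False, "identity does not match grant")
    if not grant.mfa_verified:
        return decide(False, "MFA not completed for this session")
    if now < grant.not_before:
        return decide(False, "session window not yet open")
    if now >= grant.not_after:
        return decide(False, "session window expired")
    if (host, port) not in grant.scope:
        return decide(False, "target outside session scope")
    return decide(True, "within identity, MFA, time and scope constraints")


def active_allow_rules(grants, now):
    """Inbound allow-rules the enforcement point should hold at `now`.
    Outside every window the set is empty: there is no path to attack."""
    rules = set()
    for g in grants:
        if g.mfa_verified and g.not_before <= now < g.not_after:
            rules.update(g.scope)
    return rules


def demo():
    """Constructed scenario: a two-hour pump-vendor session on a PLC and an HMI."""
    key = b"approver-signing-key-for-illustration"
    start = datetime(2025, 6, 10, 9, 0, tzinfo=timezone.utc)
    grant = AccessGrant("chg-4711", "j.nielsen@pumpvendor.example", True,
                        (("plc-01.ot.example", 502), ("hmi-02.ot.example", 3389)),
                        start, start + timedelta(hours=2))
    sig, tech, audit = sign_grant(grant, key), grant.technician, []
    t_in, t_late = start + timedelta(hours=1), start + timedelta(hours=3)
    r = {"in_scope": evaluate(grant, sig, key, tech, "plc-01.ot.example", 502, t_in, audit),
         "out_of_scope": evaluate(grant, sig, key, tech, "historian.ot.example", 1433, t_in, audit),
         "expired": evaluate(grant, sig, key, tech, "plc-01.ot.example", 502, t_late, audit),
         "wrong_person": evaluate(grant, sig, key, "x@pumpvendor.example", "plc-01.ot.example", 502, t_in, audit)}
    widened = replace(grant, not_after=start + timedelta(days=30))  # tampered, old signature
    r["tampered"] = evaluate(widened, sig, key, tech, "plc-01.ot.example", 502, t_in, audit)
    shared = replace(grant, grant_id="chg-4712", technician="vendor@pumpvendor.example")
    r["shared_login"] = evaluate(shared, sign_grant(shared, key), key, shared.technician,
                                 "plc-01.ot.example", 502, t_in, audit)
    r["rules_during"], r["rules_after"] = active_allow_rules([grant], t_in), active_allow_rules([grant], t_late)
    r["audit"] = audit
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The order of the checks matters: the signature is verified before anything else, so a grant whose window or scope has been edited after approval is rejected before its contents are trusted, and the generic-account check runs before the identity match so that a shared login is refused even when the request and the grant agree. The audit list records denials as well as allows, which is what answers the regulator's question about what actually happened during the session.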
Small Utilities Are Not Exempt:
An important point is that these principles do not only apply to large energy companies with dedicated SOC teams and enterprise infrastructure. NIS2 requirements apply equally to every entity in scope, whether a water utility with two IT staff or a power company with 500 employees. Documented identity, MFA, session logging, time-limited access, and incident reporting are requirements across all organization sizes.
The challenge for small OT organizations is that the classic security tools (Active Directory, jump servers, PAM solutions, SIEM systems) often presuppose infrastructure they simply do not have. The answer is architecture-based security: access control that is built into the access path itself, rather than layered on top of existing infrastructure.
Think Like an Attacker, Then Close the Door:
If you take one thing away from this blog post, let it be this: any connection that exists permanently is a connection that can be attacked permanently.
Ad hoc access does not eliminate all risk. A compromised vendor laptop with legitimate credentials still poses a threat during an active session. But it removes the persistent inbound attack surface that exists between sessions, and that is precisely where the majority of opportunistic and persistent threats operate.
Turn off the lights when you leave. Close the door. Better yet, make sure the door does not exist when it is not needed.
Want to learn more about how ad hoc access can be implemented in your OT environment? Read our complete Best Practice Guide for 3rd Party Access Control in OT, or contact us today for a chat about how it can work with your current setup.
About the Author:
Emilie Lerche Fenger is the Head of Sales and Marketing at BifrostConnect, where she leads the company’s commercial strategy and cybersecurity aligned market positioning.