Plants run on predictable processes and tight schedules. When remote access to PLCs is needed for troubleshooting, updates, or vendor support, the goal is simple: get experts connected quickly without risking safety, uptime, or compliance. With the right controls, remote work can be fast, auditable, and safe. This article explains how jump hosts, MFA, and session recording work together to provide reliable access for vendors and technicians—without interrupting production.
Build a Controlled Path with a Jump Host
A jump host (bastion) creates a single, well-governed entry point into the OT environment. Instead of allowing direct connections to PLCs, all remote sessions terminate on the jump host. From there, access to target assets is brokered under strict policy. Placing the jump host in an OT DMZ with tightly scoped firewall rules reduces exposure and keeps traffic predictable.
A well-implemented design terminates remote protocols at the boundary (a protocol break), so no direct PLC sessions originate from the internet or an unmanaged device. Application allow-listing limits tools to approved engineering and HMI utilities. File movement is staged and scanned, and changes are time-bound to defined maintenance windows. This structure gives operations a clear view of who is connected, to what, and for how long.
Key functions of a well-designed jump host
- Single-entry gateway with least-privilege routing; no direct PLC exposure
- Time-bound access with approvals and just-in-time, temporary accounts
- Application allow-listing and controlled file transfer with malware scanning
- Comprehensive logging and session brokering integrated with SIEM
Require Strong Identity with MFA and Roles
Multi-factor authentication verifies the person behind the keyboard, not just a password. Use phishing-resistant options where possible (for example, FIDO2 security keys), and support TOTP or push-based factors for vendors. Assign each vendor and technician a unique identity—no shared accounts—so actions map to individuals.
Tie MFA to role-based access control. Roles should reflect tasks (read-only monitoring, logic updates, firmware maintenance) and be scoped to specific assets or network zones. Pair roles with time-boxed approvals and expirations so privileges do not linger. Redundant MFA services and high-availability directory components help avoid lockouts during planned or unplanned outages.
Keep work moving without lockouts
Operational readiness prevents access controls from slowing urgent work. Maintain a documented, sealed break-glass procedure with strong accountability for emergencies. Pilot MFA with a small group of vendors before broad rollout, and use grace periods during cutover. Align access requests with maintenance schedules so higher-risk tasks happen when process conditions are safe and production impact is minimal.
Record Sessions for Safety, Compliance, and Root Cause Analysis
Session recording provides a faithful record of what occurred during remote work. Screen capture paired with command and metadata logs supports audits, resolves disputes, and speeds investigations. Tamper-evident storage protects the record, and retention policies reflect regulatory and contractual requirements.
What to capture and how to use it
Record the full screen for interactive tools, CLI output and commands for terminal work, and connection metadata (user, time, source, target asset, tool used). Stream key events to your SIEM for correlation with process alarms and network telemetry. Use recordings in post-change reviews to confirm procedures were followed and to refine playbooks.
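One way to make the connection metadata tamper-evident, shown as an added Python example that is not from the original article: each event is hash-chained to the previous one, and the latest hash is what gets forwarded to the SIEM as an external anchor. The article does not name a mechanism; the SHA-256 chain, the function names, and the sample user, address, asset and tool values are all assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain start marker (constructed for this example)

def _digest(prev_hash, event):
    # Canonical JSON so the same event always hashes to the same value.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_event(log, event):
    """Append a session metadata event, linked to the previous entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"event": event, "prev": prev_hash, "hash": _digest(prev_hash, event)}
    log.append(entry)
    return entry["hash"]  # head hash: forward to the SIEM as the external anchor

def verify_log(log, anchored_head=None):
    """Return (ok, index of first bad entry or None)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["event"]):
            return False, i  # edited, reordered, or an earlier entry was removed
        prev_hash = entry["hash"]
    # Without an external anchor, dropping the tail of the log goes unnoticed.
    if anchored_head is not None and prev_hash != anchored_head:
        return False, len(log)
    return True, None

def sample_log():
    """Constructed sample: one vendor session against a hypothetical PLC asset."""
    log, head = [], GENESIS
    base = {"user": "vendor-jdoe", "source": "203.0.113.10",
            "target": "PLC-LINE3-01", "tool": "engineering-workstation"}
    for ts, action in [("2024-01-01T02:00:00Z", "session_start"),
                       ("2024-01-01T02:05:00Z", "file_staged"),
                       ("2024-01-01T02:40:00Z", "session_end")]:
        head = append_event(log, dict(base, time=ts, action=action))
    return log, head
```

The chain alone catches edits and mid-log deletions; catching a truncated tail depends on comparing against a head hash held outside the jump host.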
Operational Practices That Prevent Disruption
Technology controls succeed when paired with disciplined operations. Standard operating procedures should define when remote access is allowed, required approvals, pre-checks (backups, safe state confirmation), and rollback plans. Always back up PLC programs and device configurations before any change, and test updates on an offline unit or digital twin where possible.
Coordinate with vendors on clear communication paths, supported tools, and network prerequisites. Regularly test access end to end: identity verification, jump host connection, tool launch, file staging, and rollback. Work with an ICS cybersecurity company to validate network segmentation, firewall rules, and the jump host build against your process safety needs. An experienced ICS cybersecurity company can design vendor access workflows that meet safety and uptime requirements.
Putting It All Together
Jump hosts provide the controlled pathway, MFA verifies identity and scopes privileges, and session recording delivers visibility and accountability. Together, these measures let vendors and technicians solve problems quickly while protecting process integrity. With clear procedures and routine testing, plants gain responsive remote support without sacrificing safety or production targets.
