OT Cybersecurity
Access Control
Identity, remote access, and least privilege in OT.
Overview
Access control in OT governs who can touch controllers, HMIs, and engineering tools — identity, least privilege, and supervised remote access.
Engineering purpose
Make every privileged action attributable and every remote session supervised, because unattributed access is unauditable risk.
How it works
Jump hosts concentrate remote access behind MFA and session recording; role separation distinguishes operator from engineering rights; credential hygiene eliminates the default passwords that remain the commonest entry point.
- Remote access goes through a jump host with MFA and session recording — vendor VPN boxes bypass all three.
- Shared accounts destroy accountability; engineering and operator roles need separate identities and rights.
- Default and vendor passwords on controllers and HMIs are the most common real-world entry point.
Common faults
Vendor VPN appliances bypassing the jump-host path; shared engineering accounts destroying attribution; default credentials on controllers and panels; dormant accounts of departed staff retaining access.
Diagnostic checks
1. Audit who currently holds remote access and when each account was last used.
2. Verify default credentials are changed on every reachable device.
3. Audit current remote-access holders and last-use dates — dormant privileged access is the easiest finding with the highest payoff.
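The first and third checks above, as an added example that is not part of the original article: a small Python audit over a constructed export of remote-access grants (account names, paths and dates are made up) that flags grants bypassing the jump host, lacking MFA, shared between people, or dormant past a cutoff.

```python
from datetime import date, timedelta

# Constructed sample export of remote-access grants (not real data):
# one record per account that can reach the OT network from outside.
SAMPLE_ACCOUNTS = [
    {"account": "j.doe", "role": "engineering", "path": "jump_host",
     "mfa": True, "shared": False, "last_used": "2024-05-28"},
    {"account": "vendor-svc", "role": "engineering", "path": "vendor_vpn",
     "mfa": False, "shared": True, "last_used": "2024-05-30"},
    {"account": "a.smith", "role": "operator", "path": "jump_host",
     "mfa": True, "shared": False, "last_used": "2023-11-02"},
    {"account": "integrator", "role": "engineering", "path": "jump_host",
     "mfa": True, "shared": False, "last_used": None},
]

# Constructed reference date for the audit run.
AS_OF = date(2024, 6, 1)


def audit_remote_access(accounts, as_of, dormant_days=90):
    """Return {account: [findings]} for every grant that violates the
    jump-host / MFA / individual-identity policy or has gone dormant.
    Accounts with no findings are omitted."""
    cutoff = as_of - timedelta(days=dormant_days)
    findings = {}
    for acct in accounts:
        issues = []
        if acct["path"] != "jump_host":
            issues.append("bypasses jump host")
        if not acct["mfa"]:
            issues.append("no MFA")
        if acct["shared"]:
            issues.append("shared account, no attribution")
        last = acct["last_used"]
        if last is None:
            issues.append("never used")
        elif date.fromisoformat(last) < cutoff:
            issues.append(f"dormant >{dormant_days}d (last {last})")
        if issues:
            findings[acct["account"]] = issues
    return findings


if __name__ == "__main__":
    # Engineering-role findings are the privileged ones worth acting on first.
    for name, issues in audit_remote_access(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{name}: {'; '.join(issues)}")
```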
Safety notes
Emergency access procedures must be designed in advance; improvised break-glass during an incident becomes the permanent backdoor.
Commissioning notes
Enumerate every reachable device, change every default credential, and document the approved remote-access path before connecting anything to wider networks.
Related concepts
Jump hosts and MFA, session recording, role separation, credential hygiene, break-glass procedures.
access control · mfa · password · remote access · jump host · vpn · unauthorized · authentication · access · password · unauthorized
Related articles
Network Segmentation
Zones, conduits, and DMZ design per IEC 62443.
Security Monitoring
Detection of anomalies and intrusions on OT networks.
Audit & Logging
Audit trails, log collection, and compliance evidence in OT.
When Hermes Brain uses this article
Cited for remote-access architecture, unauthorized-access concerns, account and credential policy in OT environments.
…