- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
techniques), verified against MITRE ATT&CK v19.1 via the official
mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
Implement secure conduit architecture for OT remote access following IEC 62443 zones and conduits model, deploying jump servers, MFA-enabled gateways, session recording, and approval-based workflows to control vendor and engineer access to industrial control systems without exposing OT networks directly.
cybersecurity
ot-ics-security
ot-security
ics
remote-access
iec62443
jump-server
zero-trust
conduit
mfa
1.0
mahipal
Apache-2.0
PR.IR-01
DE.CM-01
ID.AM-05
GV.OC-02
T1078
T1190
T1059
T0816
T0836
Implementing Conduit Security for OT Remote Access
When to Use
When replacing direct VPN connections from IT or vendors into OT control networks
When implementing IEC 62443-compliant conduit architecture for remote access paths
When deploying secure remote access for third-party vendor maintenance of ICS equipment
When building approval-based access workflows for privileged OT system access
When remediating audit findings about uncontrolled remote access to SCADA systems
Do not use for designing the overall Purdue Model segmentation (see implementing-purdue-model-network-segmentation), for deploying IT-only remote access solutions, or for configuring local console access to PLCs.
Prerequisites
IT/OT DMZ (Level 3.5) deployed with dual-firewall architecture
Jump server or privileged access management (PAM) platform (CyberArk, BeyondTrust)
Multi-factor authentication (MFA) infrastructure for OT remote access users
Session recording capability for compliance and forensic purposes
Approval workflow system (ServiceNow, ticketing) for access requests
Workflow
Step 1: Design Conduit Architecture for Remote Access
# IEC 62443 Conduit Security Architecture for OT Remote Access# All remote access terminates in DMZ - never passes through to OT directlyconduit_architecture:remote_access_conduit:conduit_id:"RA-001"source_zone:"Enterprise IT (Level 4)"destination_zone:"OT DMZ (Level 3.5)"security_level_target:"SL3"components:external_gateway:type:"VPN Concentrator"location:"Enterprise DMZ"ip:"10.200.1.10"protocols:["IPsec","SSL-VPN"]authentication:"MFA required (certificate + OTP)"dmz_jump_server:type:"Privileged Access Workstation"location:"OT DMZ (Level 3.5)"ip:"10.10.150.20"os:"Windows Server 2022 (hardened)"controls:- "Local admin accounts disabled"- "USB ports disabled"- "Clipboard transfer disabled by default"- "Session recording enabled (all keystrokes and screen)"- "Maximum session duration: 4 hours"- "Automatic logoff after 15 minutes idle"- "Application whitelisting enforced"ot_access_gateway:type:"Industrial Remote Access Gateway"location:"OT DMZ / Level 3 boundary"ip:"10.10.150.25"controls:- "Only pre-approved destination IPs reachable"- "Protocol-level filtering (RDP, SSH, VNC only)"- "Time-limited sessions with automatic expiry"- "Approval-based access (plant manager must authorize)"data_flow:- step:1description:"User authenticates via enterprise VPN with MFA"source:"Remote user"destination:"VPN concentrator"protocol:"IPsec/SSL-VPN"- step:2description:"User connects to jump server in OT DMZ"source:"VPN tunnel"destination:"DMZ jump server"protocol:"RDP with NLA"- step:3description:"From jump server, user accesses specific OT system"source:"DMZ jump server"destination:"Approved OT target"protocol:"RDP/SSH/VNC"condition:"Only after manager approval and within time window"prohibited_flows:- "Direct VPN tunnel from external to Level 1/2 OT devices"- "Split tunneling allowing internet access during OT session"- "File transfer from jump server to OT without scanning"- "Persistent VPN connections (auto-reconnect disabled)"vendor_access_conduit:conduit_id:"VA-001"source_zone:"Vendor External Network"destination_zone:"OT DMZ (Level 3.5)"security_level_target:"SL3"workflow:request:- "Vendor submits access request via portal (24h advance)"- "Request includes: purpose, target systems, duration, personnel"- "Plant operations manager reviews and approves/rejects"- "Time-limited credentials generated upon approval"session:- "Vendor connects via dedicated vendor VPN gateway"- "MFA authentication (vendor receives OTP via SMS/app)"- "Session lands on vendor-specific jump server (isolated from internal jump)"- "All actions recorded (video + keystroke logging)"- "OT engineer monitors vendor session in real-time"termination:- "Session auto-terminates at approved end time"- "Credentials automatically revoked"- "Session recording archived for 90 days"- "Access log forwarded to SIEM"
Step 2: Implement Access Control and Monitoring
#!/usr/bin/env python3"""OT Remote Access Conduit Manager.
Manages approval-based remote access to OT systems through
secure conduit architecture with session recording, MFA
enforcement, and time-limited access windows.
"""importjsonimportsysfromdatetimeimportdatetime,timedeltafromtypingimportDict,List,OptionalfromenumimportEnumclassAccessRequestStatus(Enum):PENDING="pending"APPROVED="approved"REJECTED="rejected"ACTIVE="active"EXPIRED="expired"REVOKED="revoked"classRemoteAccessRequest:"""Represents an OT remote access request."""def__init__(self,requestor:str,requestor_type:str,purpose:str,target_systems:List[str],duration_hours:int,requested_start:str):self.id=f"OT-RA-{datetime.now().strftime('%Y%m%d-%H%M%S')}"self.requestor=requestorself.requestor_type=requestor_type# "internal_engineer" or "vendor"self.purpose=purposeself.target_systems=target_systemsself.duration_hours=duration_hoursself.requested_start=requested_startself.status=AccessRequestStatus.PENDINGself.created=datetime.now().isoformat()self.approved_by=Noneself.session_id=Noneself.audit_trail=[]defapprove(self,approver:str,conditions:str=""):"""Approve the access request."""self.status=AccessRequestStatus.APPROVEDself.approved_by=approverself.audit_trail.append({"timestamp":datetime.now().isoformat(),"action":"APPROVED","actor":approver,"conditions":conditions,})defreject(self,rejector:str,reason:str):"""Reject the access request."""self.status=AccessRequestStatus.REJECTEDself.audit_trail.append({"timestamp":datetime.now().isoformat(),"action":"REJECTED","actor":rejector,"reason":reason,})classOTConduitManager:"""Manages OT remote access conduit security."""def__init__(self):self.access_requests:Dict[str,RemoteAccessRequest]={}self.active_sessions:Dict[str,dict]={}self.policy=self._load_policy()def_load_policy(self)->dict:"""Load remote access policy."""return{"max_session_hours":4,"idle_timeout_minutes":15,"mfa_required":True,"session_recording":True,"clipboard_transfer":False,"file_transfer":"scan_required","advance_notice_hours":24,"vendor_escort_required":True,"prohibited_targets":["SIS-*","SAFETY-*"],"allowed_protocols":["RDP","SSH","VNC"],"blocked_protocols":["Telnet","FTP","SMB"],}defsubmit_request(self,request:RemoteAccessRequest)->str:"""Submit a new remote access request."""# Validate against policyviolations=[]ifrequest.duration_hours>self.policy["max_session_hours"]:violations.append(f"Duration {request.duration_hours}h exceeds maximum {self.policy['max_session_hours']}h")fortargetinrequest.target_systems:forprohibitedinself.policy["prohibited_targets"]:pattern=prohibited.replace("*","")iftarget.startswith(pattern):violations.append(f"Target {target} is in prohibited list (safety systems)")ifviolations:print(f"[!] Policy violations found:")forvinviolations:print(f" - {v}")return""self.access_requests[request.id]=requestprint(f"[+] Access request {request.id} submitted for approval")returnrequest.iddeflist_pending_requests(self):"""List all pending access requests for approval."""pending=[rforrinself.access_requests.values()ifr.status==AccessRequestStatus.PENDING]print(f"\n{'='*65}")print("PENDING OT REMOTE ACCESS REQUESTS")print(f"{'='*65}")ifnotpending:print(" No pending requests")returnforreqinpending:print(f"\n Request: {req.id}")print(f" Requestor: {req.requestor} ({req.requestor_type})")print(f" Purpose: {req.purpose}")print(f" Targets: {', '.join(req.target_systems)}")print(f" Duration: {req.duration_hours} hours")print(f" Start: {req.requested_start}")print(f" Submitted: {req.created}")defgenerate_audit_report(self):"""Generate audit report of all remote access activity."""print(f"\n{'='*65}")print("OT REMOTE ACCESS AUDIT REPORT")print(f"{'='*65}")print(f"Report Date: {datetime.now().isoformat()}")print(f"Total Requests: {len(self.access_requests)}")status_counts={}forreqinself.access_requests.values():status=req.status.valuestatus_counts[status]=status_counts.get(status,0)+1print(f"\nRequest Status:")forstatus,countinstatus_counts.items():print(f" {status}: {count}")print(f"\nDetailed Audit Trail:")forreqinself.access_requests.values():print(f"\n{req.id} - {req.requestor} ({req.requestor_type})")print(f" Status: {req.status.value}")print(f" Targets: {', '.join(req.target_systems)}")forentryinreq.audit_trail:print(f" [{entry['timestamp']}] {entry['action']} by {entry['actor']}")if__name__=="__main__":manager=OTConduitManager()# Vendor access requestvendor_req=RemoteAccessRequest(requestor="John Smith - Siemens Field Service",requestor_type="vendor",purpose="Annual PLC firmware update for S7-1500 controllers",target_systems=["PLC-REACTOR-01","PLC-REACTOR-02"],duration_hours=3,requested_start="2025-03-15T08:00:00",)req_id=manager.submit_request(vendor_req)ifreq_id:manager.list_pending_requests()# Simulate approvalmanager.access_requests[req_id].approve(approver="Plant Manager - Jane Doe",conditions="OT engineer must shadow the vendor session",)manager.generate_audit_report()
Key Concepts
Term
Definition
Conduit
IEC 62443 controlled communication path between security zones with defined security policies
Jump Server
Hardened intermediary server in the DMZ through which all remote OT access must transit
Session Recording
Capture of all screen activity, keystrokes, and commands during a remote access session for audit
Approval-Based Access
Workflow requiring plant operations manager authorization before remote access credentials are activated
Vendor Escort
Practice of having an internal OT engineer monitor vendor remote sessions in real time
Break-Glass Access
Emergency access procedure bypassing normal approval workflow for critical situations