以下为本文档的中文说明securing-remote-access-to-ot-environment保障 OT 环境远程访问安全是一个专注于工业控制系统ICS和运营技术OT网络远程访问安全加固的高专业度技能。OT 环境涵盖电力能源、石油化工、水处理、交通运输和制造业等国家关键基础设施其安全需求与传统的企业 IT 系统存在本质区别。使用场景包括为工业设施设计和部署安全的远程运维访问方案、对工控网络的边界实施严格访问控制和流量监控、审计和评估现有 OT 远程访问架构的安全漏洞和改进空间。核心特点包括深入阐释 OT 安全与 IT 安全的五个根本差异可用性优先于机密性系统停机比数据泄露后果更严重、实时性和确定性通信要求微秒级延迟影响生产质量、专有的工控协议Modbus/TCP、DNP3、PROFINET、OPC UA 等缺乏内置安全机制、长生命周期设备PLC/RTU 通常运行 10-20 年无法升级和物理安全与环境安全的特殊考量提供多种经过验证的远程访问安全架构方案包括安全跳板机Jump Box/Bastion Host的堡垒机架构、专用加密 VPN 网关连接方案、遵循零信任原则的网络访问ZTNA架构涵盖工控核心协议的安全加固技术措施如 Modbus/TCP 的深度包检测DPI和功能码白名单提供多因素认证MFA/RSA SecurID和基于角色的访问控制RBAC实施指南提供遵从 IEC 62443 系列工业通信网络安全标准的审计检查清单。该技能对于工业控制系统安全工程师而言是不可或缺的参考资料。Securing Remote Access to OT EnvironmentWhen to UseWhen implementing or upgrading remote access architecture for OT environmentsWhen onboarding vendors who require remote access to OT systems for support and maintenanceWhen implementing CIP-005-7 R2 requirements for remote access management including MFAWhen replacing legacy direct VPN access to OT networks with a secure jump server architectureWhen responding to an incident involving unauthorized remote access to industrial control systemsDo not usefor securing IT-only remote access without OT components, for configuring VPN for corporate workers (see general VPN guides), or for physical access control to OT facilities.PrerequisitesDMZ infrastructure (Level 3.5) between corporate IT and OT networksJump server/bastion host platform (CyberArk, BeyondTrust, or hardened Windows/Linux server)Multi-factor authentication solution (Duo, RSA SecurID, YubiKey, smart cards)Session recording capability for audit trail complianceFirewall rules permitting remote access only through the DMZ intermediate systemWorkflowStep 1: Design Secure Remote Access ArchitectureImplement a defense-in-depth remote access architecture with an intermediate system in the DMZ that prevents any direct network connectivity between external users and OT systems.# OT Remote Access Architecture# Key principle: NO direct connection from external networks to OT systemsarchitecture:external_access_point:location:Internet-facing firewallservice:VPN gateway (IKEv2/IPsec or SSL VPN)authentication:Certificate MFA (CIP-005-7 R2.4)controls:-Source IP allowlisting for vendor access-Time-based access windows-Bandwidth rate limitingdmz_intermediate_system:location:Level 3.5 DMZplatform:CyberArk Privileged Access Security or hardened jump serverfunction:Session broker - terminates external connection, initiates new internal connectioncontrols:-All sessions terminate at jump server (no pass-through)-Session recording with keystroke logging-Clipboard and file transfer restrictions-Session timeout after 30 minutes inactivity-Concurrent session limits per userot_internal_access:location:Level 3 / Level 2 OT networkmethod:Jump server initiates RDP/SSH/VNC to OT systemscontrols:-Firewall allows only jump server IP to reach OT-Protocol restricted (RDP 3389, SSH 22, VNC 5900)-Destination-specific per user rolevendor_access:description:Third-party vendor remote accessadditional_controls:-Vendor account disabled by default; enabled on request-Time-limited access windows (enable/disable per session)-OT operator must co-attend vendor sessions-Real-time session monitoring by OT security-No persistent credentials - one-time access tokens# Network flow:# User - VPN - Firewall - DMZ Jump Server - Internal FW - OT System# (Two separate authenticated connections; no direct routing)Step 2: Configure Jump Server with Privileged Access ManagementDeploy and harden the jump server in the DMZ with session management, recording, and role-based access controls.#!/usr/bin/env python3OT Remote Access Session Manager. Manages authorized remote access sessions to OT environments including session creation, monitoring, recording, and termination. Integrates with PAM solutions for credential vaulting. importjsonimporthashlibimportsysfromdataclassesimportdataclass,field,asdictfromdatetimeimportdatetime,timedeltafromenumimportEnumclassSessionState(str,Enum):PENDING_APPROVALpending_approvalAPPROVEDapprovedACTIVEactiveTERMINATEDterminatedEXPIREDexpiredDENIEDdeniedclassUserRole(str,Enum):OT_OPERATORot_operatorOT_ENGINEERot_engineerVENDORvendorSECURITY_ ANALYSTsecurity_analystdataclassclassRemoteAccessSession:session_id:struser_id:struser_role:strsource_ip:strtarget_system:strtarget_ip:strprotocol:strpurpose:strstate:strSessionState.PENDING_APPROVAL mfa_verified:boolFalseapproved_by:strcreated_at:strstarted_at:strended_at:strmax_duration_minutes:int120recording_path:stractions_logged:listfield(default_factorylist)classOTRemoteAccessManager:Manages remote access sessions to OT environment.def__init__(self):self.sessions{}self.active_sessions{}self.access_policies{}self.audit_log[]defdefine_access_policy(self,role,allowed_targets,protocols,max_duration):Define access policy for a user role.self.access_policies[role]{allowed_targets:allowed_targets,allowed_protocols:protocols,max_duration_minutes:max_duration,requires_co_attendance:roleUserRole.VENDOR,requires_approval:roleUserRole.VENDOR,}defrequest_session(self,user_id,user_role,source_ip,target_system,target_ip,protocol,purpose):Request a new remote access session.# Generate unique session IDsession_idhashlib.sha256(f{user_id}{target_ip}{datetime.now().isoformat()}.encode()).hexdigest()[:16]# Check access policypolicyself.access_policies.get(user_role)ifnotpolicy:returnNone,No access policy defined for roleiftarget_systemnotinpolicy[allowed_targets]:self._audit(ACCESS_DENIED,user_id,target_system,fTarget not in allowed list for role{user_role})returnNone,fTarget{target_system}not authorized for role{user_role}ifprotocolnotinpolicy[allowed_protocols]:self._audit(ACCESS_DENIED,user_id,target_system,fProtocol{protocol}not allowed for role{user_role})returnNone,fProtocol{protocol}not authorizedsessionRemoteAccessSession(session_idsession_id,user_iduser_id,user_roleuser_role,source_ipsource_ip,target_systemtarget_system,target_iptarget_ip,protocolprotocol,purposepurpose,max_duration_minutespolicy[max_duration_minutes],created_atdatetime.now().isoformat(),)# Vendor sessions require approvalifpolicy.get(requires_approval):session.stateSessionState.PENDING_APPROVALelse:session.stateSessionState.APPROVED self.sessions[session_id]session self._audit(SESSION_REQUESTED,user_id,target_system,purpose)returnsession_id,Session createddefapprove_session(self,session_id,approver_id):Approve a pending vendor session.sessionself.sessions.get(session_id)ifnotsession:returnFalse,Session not foundifsession.state!SessionState.PENDING_APPROVAL:returnFalse,Session not in pending approval statesession.stateSessionState.APPROVED session.approved_byapprover_id self._audit(SESSION_APPROVED,approver_id,session.target_system,fApproved session{session_id}for{session.user_id})returnTrue,Session approveddefactivate_session(self,session_id,mfa_token):Activate an approved session after MFA verification.sessionself.sessions.get(session_id)ifnotsessionorsession.state!SessionState.APPROVED:returnFalse,Session not approved# Verify MFA (simplified - real implementation calls MFA provider)session.m fa_verifiedTruesession.stateSessionState.ACTIVE session.started_atdatetime.now().isoformat()session.recording_pathf/recordings/{session_id}_{datetime.now().strftime(%Y%m%d)}.mp4self.active_sessions[session_id]session self._audit(SESSION_ACTIVATED,session.user_id,session.target_system,fMFA verified, recording to{session.recording_path})returnTrue,Session activedefterminate_session(self,session_id,reasonmanual):Terminate an active session.sessionself.active_sessions.pop(session_id,None)ifnotsession:sessionself.sessions.get(session_id)ifnotsession:returnFalsesession.stateSessionState.TERMINATED session.ended_atdatetime.now().isoformat()self._audit(SESSION_TERMINATED,session.user_id,session.target_system,reason)returnTruedefcheck_expired_sessions(self):Terminate sessions that have exceeded their maximum duration.nowdatetime.now()expired[]forsid,sessioninlist(self.active_sessions.items()):starteddatetime.fromisoformat(session.started_at)if(now-started).total_seconds()session.max_duration_minutes*60:self.terminate_session(sid,maximum_duration_exceeded)expired.append(sid)returnexpireddef_audit(self,event_type,user_id,target,detail):Write to audit log.self.audit_log.append({timestamp:datetime.now().isoformat(),event:event_type,user:user_id,target:target,detail:detail,})defgenerate_report(self):Generate remote access session report.report[]report.append(*70)report.append(OT REMOTE ACCESS SESSION REPORT)report.append(fDate:{datetime.now().isoformat()})report.append(*70)# Session summarytotallen(self.sessions)activesum(1forsinself.sessions.values()ifs.stateSessionState.ACTIVE)report.append(f\ Total Sessions:{total})report.append(fActive Sessions:{active})# Active sessions detailifself.active_sessions:report.append(\ ACTIVE SESSIONS:)forsid,sinself.active_sessions.items():report.append(f [{sid[:8]}]{s.user_id}({s.user_role}))report.append(f Target:{s.target_system}({s.target_ip}))report.append(f Started:{s.started_at})report.append(f MFA:{Verifiedifs.mfa_verifiedelseNOT VERIFIED})return\ .join(report)if__name____main__:managerOTRemoteAccessManager()# Define policiesmanager.define_access_policy(UserRole.OT_ENGINEER,[HMI-01,HMI-02,EWS-01,HISTORIAN-01],[RDP,SSH],max_duration240,)manager.define_access_policy(UserRole.VENDOR,[DCS-EWS-01],[RDP],max_duration120,)# Request vendor sessionsid,msgmanager.request_session(vendor_honeywell_01,UserRole.VENDOR,203.0.113.50,DCS-EWS-01,10.30.1.20,RDP,DCS firmware update per change request CR-2026-0045)print(fSession request:{msg}({sid}))ifsid:manager.approve_session(sid,ot_manager_01)manager.activate_session(sid,123456)print(manager.generate_report())Key ConceptsTermDefinitionIntermediate SystemSystem in the DMZ that terminates external connections and brokers new connections to OT, preventing direct network access per CIP-005Jump ServerHardened bastion host in the DMZ used for remote access sessions to OT systems with session recording and access controlsSession RecordingCapture of all remote access session activity (screen, keystrokes, commands) for security audit and incident investigationPrivileged Access Management (PAM)System for vaulting credentials, controlling access, and auditing privileged sessions to critical OT systemsCo-AttendanceRequirement for an OT operator to monitor vendor remote access sessions in real timeTime-Limited AccessVendor accounts enabled only for specific maintenance windows and automatically disabled after the window closesTools SystemsCyberArk Privileged Access Security: Enterprise PAM with session management, credential vaulting, and recording for OT remote accessBeyondTrust Privileged Remote Access: Purpose-built remote access solution with session recording and granular access policiesClaroty Secure Remote Access (SRA): OT-specific remote access solution with protocol-aware session controlsDuo Security: MFA provider supporting push notifications, hardware tokens, and biometrics for OT access verificationOutput FormatOT Remote Access Security Report Active Sessions: [N] Pending Approval: [N] Sessions Today: [N] MFA COMPLIANCE: All sessions MFA verified: [Yes/No] Sessions without MFA: [N] VENDOR ACCESS: Active vendor sessions: [N] Co-attended: [N] Recorded: [N]