Secure Remote Access for Cyber-Physical Systems (CPS)

General BASCPSremote accessOT securityIEC 62443
May 29, 2026|9 min read

Secure remote access for cyber-physical systems (CPS) means giving outside technicians the minimum access they need to do a specific task, for a defined window, with every action recorded. Persistent VPNs, port-forwarded HMIs, and shared vendor credentials all fail that test — they grant flat network reach to physical control equipment that can't be undone after the session ends. A defensible CPS remote-access design layers four things: identity-bound access (no shared accounts), time-boxed sessions, protocol-level restriction at the perimeter, and a full audit trail that can be replayed after an incident.

What Counts as a Cyber-Physical System

A cyber-physical system is any system where software directly controls a physical process. In the building world that's the HVAC sequence running on a JACE, the lighting controller on a Niagara station, the chiller plant logic on a Distech AS, the access-control panel deciding which doors unlock at 6 a.m. In industrial settings it's the PLCs running a packaging line or the SCADA system monitoring a water treatment plant.

What unites them: a write to a register or a BACnet Present_Value moves something physical. That single property is why CPS remote access can't be modeled the same way as IT remote access. A compromised RDP session into a finance laptop is a data-loss event. A compromised session into a building's chilled-water plant can be a property-damage event, a comfort-complaint event, or in critical infrastructure a safety event.

Why Traditional Remote Access Falls Short

The tools most buildings and plants use today were not designed with CPS exposure in mind:

Industry guidance has converged on the same set of countermeasures. NIST SP 800-82 (Guide to Operational Technology Security) explicitly recommends layered remote access controls, brokered through dedicated access servers, with multi-factor authentication and session logging. IEC 62443 describes the same idea through its zone-and-conduit model: remote access is a conduit crossing the zone boundary, and the conduit itself has security requirements distinct from the zone it enters.

For a deeper walk through the 62443 framing, see IEC 62443 Security Zones for Building Automation.

Architecture Patterns That Work

1. Brokered Access Through a Hardened Intermediary

Vendors never connect directly to a CPS device. They authenticate to a broker (a managed access platform, a hardened jump host, or a ZTNA gateway), the broker authorizes the specific target, and the broker proxies the protocol traffic. The vendor's endpoint never sees the BAS network directly. NIST SP 800-207 (Zero Trust Architecture) generalizes this pattern: trust is evaluated per-request, not per-network-segment.

2. Identity-Bound, Not Credential-Bound

Each technician authenticates with their own identity, ideally federated through their employer's identity provider so account lifecycle (offboarding, role changes) flows automatically. Shared accounts — one set of credentials for everyone at a contractor — are the single most common gap in BAS remote access audits.

3. Time-Boxed Sessions With Explicit Approval

Access is granted per task, not permanently. A two- to twenty-four-hour window covers most field work; anything longer should require a fresh approval. When the window closes, the session terminates and the route disappears. There is no standing access for a contractor between visits.

4. Protocol Restriction at the Perimeter

The conduit carrying the remote session should only pass the protocols the technician actually needs — BACnet/IP on UDP 47808, Niagara Fox/Foxs, Modbus/TCP, the controller's HTTPS UI. Everything else (SMB, RDP to adjacent IT hosts, outbound east-west traffic from the vendor endpoint) is denied by default. For BACnet specifically, see BACnet Firewall Rules: Ports to Open and Block.

5. Full Audit Trail of Actions, Not Just Logins

A login record alone isn't enough. The audit trail should capture which device the technician reached, which writes they issued (the BACnet WriteProperty calls, the Modbus FC06/FC16 transactions), and ideally a session recording for tools that don't expose protocol-level logs. After an incident, the question is "what changed and who changed it," and that answer has to be reconstructable from logs the building owner controls.

Step-by-Step: Designing CPS Remote Access

  1. Inventory the access actually needed. List each external party (HVAC contractor, fire-alarm vendor, controls integrator, energy analytics platform) and the specific equipment each one touches. Most sites discover the list is longer than they expected.
  2. Define zones and conduits. Group CPS equipment by criticality and protocol family. The chiller plant is one zone; the lighting network is another; the BBMD-bridged supervisory network is the conduit between them. Apply IEC 62443 zone thinking even if you're not pursuing certification.
  3. Pick a brokered access mechanism. Options range from a self-built bastion + identity provider + protocol firewall, through managed remote access platforms designed for OT, to commercial ZTNA products extended to OT networks. The right choice depends on how many sites, how many technicians, and how much engineering capacity you have to maintain the system.
  4. Enforce default-deny at the conduit. The broker should only allow the specific protocol and the specific destination required for the session. A technician requesting access to a JACE doesn't get a route to the MS/TP routers behind it unless that's the task.
  5. Log every action centrally. Send audit data to a system the building owner controls — not just the vendor's own platform. The logs should survive a vendor relationship ending.
  6. Test the off-ramp. When you offboard a contractor or rotate a credential, verify the access actually disappears. A surprising number of organizations discover months later that the offboarded vendor's VPN profile still works.

Common Pitfalls

When to Escalate

Bring in dedicated OT security expertise — either internal or an outside firm — when any of the following are true:

A practical next step before bringing in outside help is to walk through a structured self-assessment of the current setup. See How to Run a BAS Cybersecurity Audit for the checklist most building owners use as a starting point.

Source Attribution

The guidance in this entry draws on the following publicly available sources:

Additional patterns and field guidance from SiteConduit's work with building owners and integrators.

CPSremote accessOT securityIEC 62443third-party access

Was this article helpful?

Related Articles

Need to do this remotely? SiteConduit provides secure Layer 2 remote access to BAS networks with protocol-level controls. Join the waitlist.

SC

SiteConduit Technical Team

Idea Networks Inc.

SiteConduit builds managed remote access for building automation. Our knowledge base is maintained by BAS professionals with hands-on experience deploying and troubleshooting BACnet, Niagara, Modbus, and Facility Explorer systems.