Secure remote O&M without flat networks

Remote operations and maintenance (O&M) should be simple: an engineer needs to do one job on one device, for a short window, and leave a clean record. In practice, flat site-to-site VPNs hand out the keys to an entire subnet. Access lingers, exceptions pile up, and audits become guesswork.

Here’s a practical way to run remote O&M the way it should work — just-in-time access to a single device, for a single task, with proof — using a Zero Trust “device passport”, session recording and automatic expiry.

What a typical O&M flow looks like today (and why it hurts)

  • Engineers connect via a shared VPN or jump host. It’s quick, but it lands them on a flat network where they can see far more than the single RTU, meter concentrator or IED gateway they came to fix.

  • “Temporary” firewall rules linger. Someone opens an any/any to push a firmware file and forgets to close it. Weeks later, nobody’s sure what’s still open.

  • Audit trails are thin. VPN logs show “user connected for 42 minutes”, not which device, which protocol, or what policy allowed it. Incident reviews take days.

  • Contractors amplify the risk. Shared credentials and borrowed laptops make accountability hazy, especially during outages.

Result: larger blast radius, slower troubleshooting, and weak evidence for NIS2/IEC 62443.

The Zero Trust alternative: a “device passport” for O&M

Swap the flat tunnel for named identities, least-privilege flows and per-session access.

  • Device identity (the passport). Each asset carries a strong identity bound to its SIM/eUICC and inventory record. Policies attach to that identity — not to a subnet.

  • User identity with MFA. Every engineer and contractor has a named account; no shared logins.

  • Least-privilege flows. Approve only the protocols and destinations the device needs. Everything else is denied by default:
      • IEC-104/DNP3 → named SCADA masters
      • DLMS/COSEM → MDM FQDN
      • MQTT → broker FQDN

  • Per-session maintenance. When O&M is needed, issue a short-lived authorisation for one device and one protocol. The “door” opens just for that job, then closes automatically.

  • Audit by default. Every session records who, what, when and which policy — streamed to your SIEM for fast investigations.

Step-by-step: how a just-in-time O&M session works

  1. Request
    The engineer selects the device (by asset ID) and the task (“push DLMS/COSEM firmware”, “read-only IEC-104 diagnostics”). They authenticate with MFA.

  2. Policy check
    The system verifies: user role, device posture, allowed protocol/destination, change window, and location constraints. If everything matches, it issues a short-lived token.

  3. Session open (thin lane, not a tunnel)
    A narrow, policy-enforced path opens only between the engineer and the target device, only for the approved protocol and only for the approved endpoint.

  4. Do the work
    The engineer completes the task. Commands outside policy (wrong port, different host) are blocked. Optional “record” mode captures session metadata or payload per your policy.

  5. Auto-expiry
    The session closes when the job is done or the timer runs out (e.g., 30 minutes). No standing access remains. Any exceptions created for the window revert automatically.

  6. Evidence
    A tamper-evident log lands in your SIEM: who requested, who approved (if required), device ID, protocol, start/stop time, policy applied, anomalies detected. You can actually use this in an audit.

Why this works better for utilities

  • Smaller blast radius. No flat subnet exposure. One key opens one door, briefly.

  • Faster, safer change windows. Engineers don’t chase jump hosts or shared credentials; access is quicker and narrower.

  • Real audit, not guesswork. Session-level records map cleanly to NIS2 and IEC 62443 controls.

  • Cleaner contractor workflows. Named identities and expiring sessions remove the need for permanent accounts.

  • No internet exposure. Traffic stays on private routes (private APN or direct to SCADA/MDM/cloud), with default-deny outside approved flows.

Implementation notes (what to standardise)

  • Identity at provisioning. Bind SIM/eUICC to device identity in the warehouse; attach a baseline policy before field deployment.

  • Protocol policies by device type. Meters: DLMS/COSEM → MDM FQDN. Substations: IEC-104/DNP3 → named masters. DER gateways: MQTT → broker FQDN.

  • Access windows. Define sensible default durations (e.g., 15–60 minutes) and require a reason code for extensions.

  • Break-glass with extra logging. Emergency access uses a separate, more visible path with heightened recording and post-hoc review.

  • SIEM integration. Stream session events (who/what/when/policy) and policy breaches to your SOC for correlation with OT alerts.

  • eUICC + multi-IMSI. Keep sessions reliable by steering to healthy networks and swapping profiles remotely where needed.

Typical O&M jobs, re-imagined

  • Substation protection tweak. Approve a named contractor for IEC-104 to one IED for 30 minutes. Session auto-expires; evidence lands in SIEM.

  • AMI concentrator firmware. Open a scoped policy for DLMS/COSEM to the MDM for the change window. When done, policy reverts automatically.

  • DER commissioning. Bind identity at scan; allow MQTT to the broker only during commissioning; path closes on sign-off.

Remote O&M shouldn’t require exposing a whole site. With a Zero Trust “device passport”, per-session access and automatic expiry, you give engineers exactly what they need — one device, one job, one window — and you keep the proof.