Secure Remote Access

Secure Remote PLC and HMI Support Architecture: A Practical Design

This guide maps a defensible support path from the remote engineer to an HMI, engineering workstation, or PLC without treating the production network as one trusted zone.

PLC data point configuration on an Orenda Box

Key takeaways

  • Design a support path for each job: viewing an HMI, collecting diagnostics, changing an application, and programming a PLC do not need the same access.
  • Use an intermediary access zone, managed workstation, or service-specific proxy instead of making the production cell broadly reachable.
  • Separate connectivity from permission to change the process; local operating and safety procedures remain authoritative.
  • Limit identities, targets, protocols, duration, and privileges, then test revocation and failure behavior.
  • Remote support is not appropriate for every safety-critical, air-gapped, latency-sensitive, or unsupported legacy environment.

A secure remote PLC and HMI support architecture routes an identified user through a controlled access layer to a narrowly defined workstation, application, or device in a segmented OT zone. PLCs and HMIs should not be the first internet-facing endpoint, and observation should be separated from engineering changes. Safety, local authorization, recovery, and access removal remain operating responsibilities even when the connectivity is well protected.

The design goal is not “remote control of the plant.” It is a small number of support paths, each built for a specific job: view an HMI, collect diagnostics, update an application, or perform an authorized controller change.

Why does PLC and HMI support need its own architecture?

A PLC can directly affect equipment and process state. An HMI can expose alarms, setpoints, modes, and operator actions. Engineering workstations contain specialized tools, project files, credentials, and drivers that may be difficult to patch on an ordinary IT cadence. These assets have different consequences from a standard office application.

The NIST Guide to Operational Technology Security frames OT security around unique performance, reliability, and safety requirements. That means a remote access control should be evaluated not only for confidentiality and authentication, but also for what happens to production during latency, disconnection, software failure, maintenance, or a mistaken command.

Secure connectivity cannot decide whether it is safe to force an output, change a setpoint, download logic, or reboot an HMI. Those decisions belong to the site’s operating, safety, and change-control process.

What should the end-to-end support path look like?

A practical path is:

Remote engineer → identity and access layer → constrained transport → OT access zone or site gateway → managed support target → selected HMI or PLC service

Every arrow is a boundary with an owner and an allowed-flow definition. The user should not receive a general route merely because the final target sits on a private network.

LayerRequired decisionUseful controlFailure question
Remote endpointWho may use it, and is it managed?Unique identity, multifactor authentication, device policy, separate privileged accountCan a lost or compromised laptop be removed quickly?
Identity and accessWhich job and resource are allowed?Role and target policy, revocation, optional expiry for temporary accessDoes failure deny new access without disturbing local control?
Transport and access zoneHow does traffic cross into OT?Narrow routes, application proxy, constrained VPN, or gateway in a boundary zoneWhat stays operational when the link or service is unavailable?
Support workstation or proxyWhere do tools and files live?Hardened jump host, controlled desktop, service-specific proxyIs there a maintained backup and local recovery path?
HMI or PLC targetWhich exact protocol and privilege are needed?Firewall allowlist, least-privilege account, read/write separationCan an erroneous or interrupted action affect the process?
Operations procedureWhen may the work occur?Named local coordinator, backups, rollback, communications planWho stops work and restores the safe state?

This layered model aligns with the zones-and-conduits way of thinking in the ISA/IEC 62443 series. Referencing the standard does not make a design certified; it gives teams a structured way to assign risk, boundaries, and lifecycle responsibilities.

Should users connect to an HMI, a workstation, or the PLC?

Choose the least consequential target that completes the job.

Support jobPreferred targetTypical boundaryAvoid by default
Observe status or alarmsRead-only dashboard, historian, or published HMI viewApplication-level access to one named serviceRouting the user to the whole cell network
Diagnose an HMI applicationManaged HMI support workstation or controlled desktopRemote desktop to one host, then local application accessInstalling general remote-control software on every operator station
Collect controller diagnosticsApproved engineering workstation with limited downstream reachRemote desktop or jump host plus exact PLC protocol rulesGiving a vendor laptop a direct plant-subnet route
Change PLC logic or firmwareManaged engineering workstation under a change windowSeparate privileged role, backup, local coordinator, and rollbackTreating remote login as permission to make a process change
Support many customer machinesPer-machine or per-resource access policyRepeatable gateway and target templateOne shared VPN account across customers

Read-only should describe both the application behavior and the downstream permissions, not just a label in a portal. Some protocols or accounts may not provide meaningful read/write separation. If the target cannot enforce the intended boundary, publish a safer intermediary such as a historian view or managed engineering workstation.

How should the remote endpoint and identity be controlled?

Use a unique identity for each person. Separate normal use from privileged engineering activity, and require multifactor authentication suited to the risk. Define whether vendors may use their own laptops or must connect to a managed support workstation. If unmanaged endpoints are accepted, document the compensating restrictions rather than silently treating them as trusted.

Keep engineering packages, license files, controller projects, and firmware on the managed workstation when practical. That reduces uncontrolled copies and makes compatibility easier to maintain. Disable unneeded clipboard, drive, printer, and file-transfer functions where the remote desktop technology supports it, but preserve a controlled route for approved project updates and diagnostic exports.

CISA and its partners’ Guide to Securing Remote Access Software explains how legitimate remote tools can also be abused by threat actors. Inventory every remote access agent, remove unapproved tools, and detect connections that fall outside the approved architecture. A secure gateway does not help if an old unattended remote-control agent remains active on the HMI.

Where should the site gateway or jump host sit?

Place the site-side access component in a deliberate boundary zone with only the interfaces, routes, and services it needs. It may be an industrial edge device, remote access gateway, or managed workstation. It should not be a dual-homed shortcut that silently bypasses firewall policy.

For application access, proxy the named application where possible. For remote desktop, expose the controlled workstation rather than the controller network. For legacy PLC engineering protocols, permit only the workstation-to-controller flows proven necessary during testing. Discovery broadcasts and dynamic ports require special attention; do not widen a rule to “any” merely because the vendor documentation is incomplete.

The 2026 NIST NCCoE OT remote access build architecture demonstrates that organizations can assemble remote access architectures from identity, authorization, segmentation, and implementation components. Its water-sector examples are not a universal blueprint, but they provide a current primary reference for examining trust boundaries and practical deployment choices.

How should PLC changes be handled remotely?

Create a different procedure for process-affecting work than for observation. Before a logic download, firmware update, force command, or significant setpoint change:

  1. Name the remote engineer and the local coordinator.
  2. Confirm the target controller, running process, and approved work window.
  3. Capture the current project, configuration, firmware details, and a recoverable backup.
  4. Define the expected change and how it will be validated.
  5. Confirm communications and a local stop condition.
  6. Apply the change through the privileged path.
  7. Verify controller state, alarms, HMI behavior, and process response.
  8. Remove temporary privilege or access when the work is complete.
  9. Store the change record in the organization’s normal maintenance system.

Do not assume the remote access product supplies this workflow. Request approval, process authorization, change evidence, and safety sign-off may live in a maintenance, ticketing, or quality system. The access layer should enforce the connectivity decision it actually knows; it should not be credited with controls implemented elsewhere.

How should vendor access differ from employee access?

Outside technicians usually need a smaller target set and a clearer end condition. Scope access to the machine, application, workstation, or service involved in the support case. Make it revocable, and use expiry when the maintenance window has a known end. Standing access may still be justified for contracted support, but it needs a named internal owner and periodic review.

Avoid shared supplier accounts. If a vendor needs a proprietary tool, decide whether it runs on the managed site workstation or the supplier endpoint. Define who may transfer files, how those files are scanned and validated, and who owns controller project backups.

The international Principles of OT Cyber Security stresses that OT decisions should account for business continuity and the consequences of compromise. Apply that lens to vendor convenience: reducing travel is valuable, but it does not justify an unexplained permanent route to a consequential control system.

What should be verified before production rollout?

Build a representative test cell or use a controlled maintenance period. Verify:

  • exact user, role, resource, source, destination, port, and protocol mappings
  • authentication, access removal, and optional expiry behavior
  • employee and vendor endpoint requirements
  • PLC suite discovery, online monitoring, upload, download, and file-transfer behavior
  • HMI viewing and administrative functions as separate tests
  • gateway, jump-host, and remote client patch responsibilities
  • unauthorized access attempts to adjacent VLANs and devices
  • latency, packet loss, reconnect, and interrupted-transfer behavior
  • internet, DNS, identity service, relay, gateway, and jump-host outages
  • controller and HMI behavior when the remote session disappears
  • backup restoration and the local recovery path
  • how responders disable remote access without stopping the control process

Run negative tests. A good result is not only that the engineer can reach the intended PLC; it is also that the same identity cannot reach a neighboring controller, a read-only role cannot perform a write, and removing access prevents a new session.

For transport options, compare VPN, jump server, and ZTNA for OT. For sites with double NAT or carrier-managed connectivity, review industrial access behind NAT without port forwarding.

Use the industrial remote-access rollout checklist to turn the selected architecture into site ownership, commissioning tests, and a repeatable operating process.

What are the limitations and when is remote support not a fit?

Remote support may be the wrong choice for a required air gap, safety-instrumented functions, work that needs direct physical observation, unsupported serial-only equipment, or processes where latency and disconnection create unacceptable consequence. Some firmware or recovery operations require local presence even when normal diagnostics work remotely.

A jump host can fail, an external identity service can become unavailable, and a gateway update can introduce incompatibility. Preserve local operation and an independent recovery method. Do not make remote connectivity part of a closed-loop control path.

This architecture does not prove IEC 62443 certification, zero-trust compliance, safe PLC logic, or regulatory compliance. Products also differ in event detail, retention, session monitoring, and recording. If those are requirements, specify and test them directly instead of assuming they follow from “secure remote access.”

Where might Orenda fit?

Orenda Connect can be evaluated as a resource-level path to approved apps, devices, servers, and industrial systems without broad network-level access. Orenda Box can host local operational applications and connect to machine data near the equipment. For third parties, Orenda vendor access is target-scoped and revocable, with optional expiry.

Those capabilities can support one layer of this architecture; they do not replace the site’s safety review, local authorization, PLC backup, change control, managed engineering workstation, or recovery procedure. Orenda does not imply built-in approval workflow, comprehensive per-human audit history, or session recording. Use a pilot to validate the exact protocol, gateway placement, trust boundaries, access removal, outage behavior, and evidence requirements before applying the design to production control assets.

Frequently asked questions

Should a remote engineer connect directly to a PLC?

Direct access is rarely the best default. A managed engineering workstation or narrowly controlled gateway can contain tools and restrict the path, although the final design depends on the protocol and vendor support model.

Is viewing an HMI the same risk as programming a PLC?

No. Read-only visualization and diagnostics generally have different consequences and required privileges from logic downloads, firmware changes, or force commands. They should use separate roles and procedures.

Can vendor PLC access be permanent?

It can be technically possible, but standing access increases exposure and should have a documented owner and review cadence. For occasional support, revocable access with optional expiry is usually easier to govern.

Does secure remote access make a PLC change safe?

No. Secure connectivity cannot validate process safety, logic correctness, maintenance timing, backups, or local readiness. Change control and operating procedures are separate requirements.

Sources and further reading

  1. Guide to Operational Technology (OT) Security, SP 800-82 Rev. 3 — NIST
  2. Cybersecurity for the Water and Wastewater Sector: Build Architecture, SP 1800-45 — NIST NCCoE
  3. Guide to Securing Remote Access Software — CISA, NSA, FBI, MS-ISAC and INCD
  4. Principles of Operational Technology Cyber Security — CISA and international partners
  5. ISA/IEC 62443 Series of Standards — International Society of Automation

Related Orenda resources

Published and maintained by Orenda. Product-specific statements are checked against current Orenda documentation; external technical guidance is linked above. Read our editorial policy.

Back to blog