SANS Five Critical Controls: How Secure Remote Access Cuts OT Risk Without Slowing Operations
Ben Burke, COO, Dispel
Jan 27, 2026
Article
Over the past decade, I’ve watched industrial environments change in ways that would have been unthinkable when many of our plants, pipelines, and substations were first designed.
Systems that once operated in isolation are now deeply interconnected. Control rooms connect to cloud platforms. Field devices feed analytics engines. Engineers, OEMs, and service providers access systems from anywhere in the world.
That connectivity has unlocked enormous operational value.
It has also quietly turned remote access into one of the most consequential control points in industrial cybersecurity.
Remote access today is not a convenience.
It is how operations scale.
It is how uptime is protected.
It is how expertise reaches the edge.
And increasingly, it is how adversaries enter.
This tension between operational necessity and cyber risk now defines modern OT security.
Understanding the SANS Five Critical Controls
The SANS Institute’s Five ICS Cybersecurity Critical Controls exist to help industrial teams focus on what actually reduces risk in real environments. They are not theoretical best practices. They are a prioritized roadmap built from decades of field experience and global incident data.
At a high level, the controls are:
ICS Incident Response – preparing to detect, contain, and recover from OT-specific attacks
Defensible Architecture – designing enforceable zones, conduits, and industrial DMZs
ICS Network Visibility and Monitoring – protocol-aware monitoring of OT environments
Secure Remote Access – controlling and observing all external connectivity
Risk-Based Vulnerability Management – focusing on vulnerabilities that materially impact operations
While each control matters, two consistently dominate risk discussions with owners and operators:
Control 2: Defensible Architecture
Control 4: Secure Remote Access
They are inseparable.
Defensible Architecture: The Foundation of Risk Reduction
Defensible architecture is not about drawing clean diagrams. It is about designing environments that reliably support segmentation, visibility, logging, and enforcement.
I once worked with a large energy operator whose network had grown organically for more than twenty years. New facilities were added. Vendors came and went. Legacy systems remained in service far longer than anyone expected.
On paper, the architecture looked reasonable. In practice, no one could confidently answer which access paths were still active or which assets were exposed.
Before improving monitoring or access controls, they simplified the foundation—standardizing DMZ design, enforcing segmentation, zones and conduits, and clarifying communication paths. Only then did other security controls begin to function as intended.
Architecture is rarely glamorous.
But without it, everything else becomes guesswork.
Secure Remote Access: Where Operations and Risk Converge
If architecture is the foundation, secure remote access is the busiest intersection. According to the SANS State of ICS/OT Security 2025 Report, remote access remains one of the top three initial access vectors in OT incidents globally.
More importantly, the analysis in the Dragos 2025 OT Cybersecurity Financial Risk Report, which is based on independent insurance industry data from Marsh McLennan, shows that:
Secure Remote Access alone reduces organizational cyber risk by more than 12%
Defensible Architecture delivers an average risk reduction of ~17%
Together, these two controls drive roughly 30% risk reduction
That is a staggering return for addressing just two controls.
Secure remote access is not simply about restricting connectivity. Done properly, it enforces identity, context, accountability, and continuous visibility. Every session is authenticated, authorized, recorded, and constrained by least privilege.
When that discipline is applied consistently, risk collapses.
When it isn’t, remote access becomes the shortest path into critical control systems.
Why the Gap Persists
If the risk is well understood, the obvious question is: why do so many organizations still struggle to close it?
The answer is not awareness.
It is operational friction.
The SANS State of ICS/OT Security 2025 data makes this clear. Nearly half of OT incidents originate from unauthorized external access, yet fewer than 15% of organizations have fully implemented advanced controls like session recording or OT-aware access governance.
The most common blockers are familiar:
limited time
limited staff
constrained budgets
legacy system limitations
In other words, the challenge is not knowing what to do.
It is implementing controls without disrupting operations.
I see this repeatedly. Teams want stronger governance but face approval bottlenecks. They want better visibility but worry about destabilizing legacy assets. They want to standardize vendor access but inherit years of site-specific workarounds.
Security stalls not because the goal is unclear, but because the path feels disruptive.
Where Organizations Are Seeing Real Risk Reduction
The organizations making measurable progress are not chasing perfect security. They are choosing approaches that respect OT reality.
They focus on:
Just-in-time access instead of standing credentials
Ephemeral sessions that expire automatically
Session recording and replay for accountability and forensics
Deployment models that minimize disruption
One global manufacturer reduced vendor onboarding time from days to minutes by eliminating static IT accounts and leveraging self-onboarding access. Standing credentials disappeared. Approval workflows aligned with how plants actually operate.
Risk declined not because controls increased, but because friction decreased.
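The session discipline described above (authenticated, approved, scoped by least privilege, recorded, and expiring on its own) together with the just-in-time and ephemeral-session practices listed in this section can be made concrete in code. The following is an added illustration, not code from this article or from Dispel: a minimal access broker that only grants a session when a conduit exists between the requesting and target zones, requires an approval from someone other than the requester, clamps every session to a maximum lifetime, checks each connection against the session's asset and protocol scope, and writes every decision to an append-only audit log. The zone, asset and user names, the two-hour maximum, and the conduit table are constructed for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone
import secrets

# Constructed policy: (source zone, target zone) -> protocols that conduit may carry; max session life.
ALLOWED_CONDUITS = {("vendor-dmz", "plant-a-cell-3"): {"ssh", "https"}}
MAX_TTL = timedelta(hours=2)
Session = namedtuple("Session", "user asset protocol expires_at approved_by")

class AccessBroker:
    """Grants ephemeral, approved, asset- and protocol-scoped sessions and logs every decision."""

    def __init__(self):
        self.sessions = {}
        self.audit = []  # append-only decision log; its 'connect' entries are the session record

    def _log(self, action, **fields):
        self.audit.append({"action": action, **fields})

    def request(self, user, source_zone, target_zone, asset, protocol, ttl, approved_by, now):
        # Defensible-architecture check: a conduit for this zone pair and protocol must exist.
        if protocol not in ALLOWED_CONDUITS.get((source_zone, target_zone), set()):
            self._log("deny", reason="no-conduit", user=user, asset=asset, protocol=protocol)
            return None
        # No standing access: every session needs an explicit approval, and never self-approval.
        if not approved_by or approved_by == user:
            self._log("deny", reason="approval-required", user=user, asset=asset)
            return None
        # Ephemeral: the lifetime is clamped to MAX_TTL regardless of what was requested.
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(user, asset, protocol, now + min(ttl, MAX_TTL), approved_by)
        self._log("grant", session=sid, user=user, asset=asset, protocol=protocol,
                  approved_by=approved_by, expires_at=self.sessions[sid].expires_at.isoformat())
        return sid

    def authorize(self, session_id, asset, protocol, now):
        """Per-connection check: the session must exist, be unexpired, and match its scope."""
        s = self.sessions.get(session_id)
        if s is None:
            self._log("deny", reason="unknown-session", session=session_id)
            return False
        if now >= s.expires_at:
            del self.sessions[session_id]  # expiry needs no human action
            self._log("expire", session=session_id, user=s.user)
            return False
        if (asset, protocol) != (s.asset, s.protocol):
            self._log("deny", reason="out-of-scope", session=session_id, asset=asset, protocol=protocol)
            return False
        self._log("connect", session=session_id, user=s.user, asset=asset, protocol=protocol,
                  at=now.isoformat())
        return True

def demo():
    """One vendor session: clamped TTL, in-scope use, out-of-scope use, expiry, and two denials."""
    broker, t0 = AccessBroker(), datetime(2026, 1, 27, 9, 0, tzinfo=timezone.utc)
    req = lambda proto, approver: broker.request("oem-tech", "vendor-dmz", "plant-a-cell-3",
                                                 "plc-17", proto, timedelta(hours=8), approver, t0)
    sid = req("ssh", "plant-supervisor")
    return {
        "ttl_hours": (broker.sessions[sid].expires_at - t0) / timedelta(hours=1),
        "in_scope": broker.authorize(sid, "plc-17", "ssh", t0 + timedelta(hours=1)),
        "wrong_asset": broker.authorize(sid, "hmi-02", "ssh", t0 + timedelta(hours=1)),
        "after_expiry": broker.authorize(sid, "plc-17", "ssh", t0 + timedelta(hours=3)),
        "no_conduit": req("rdp", "plant-supervisor"),
        "self_approved": req("ssh", "oem-tech"),
        "audit_actions": [e["action"] for e in broker.audit],
    }
```

In a real deployment the audit entries would be shipped to the monitoring stack so that session history survives the broker, and the conduit table would come from the architecture's documented zones rather than a constant.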
The IT/OT Divide Is a Risk Signal
Remote access is where IT security priorities and OT operational realities collide.
Security teams are measured on preventing incidents.
Operations teams are measured on uptime, safety, and output.
When access models slow response or create administrative drag, teams route around them. Unapproved tools appear. Exceptions multiply. Governance erodes quietly.
This divide is not cultural; it is a risk signal.
The organizations that succeed treat it as such. They design access models that are fast enough for OT and controlled enough for security, aligning incentives instead of forcing trade-offs.
From Risk Reduction to Operational Freedom
Remote access is no longer optional.
But unmanaged risk should be.
The organizations leading in OT security are not chasing controls in isolation. They are reducing friction, embedding security into workflows, and treating secure remote access as the critical control it has become.
When that happens, something powerful emerges:
Teams move faster
Vendors onboard safely
Modernization accelerates
Risk declines
Confidence returns
That is Operational Freedom, earned through measurable risk reduction, not performative controls.
And it is quickly becoming the standard for modern industrial operations.