The Workaround Problem: Why OT Security Friction Costs Industrial Programs Millions
Ben Burke, President
Apr 28, 2026
Article

When OT secure remote access is too hard to use, OT teams route around it — and the SANS critical controls for OT cybersecurity go unmet. Here's what that's costing your program.
A few months ago, I was talking to a security director at a large electric utility. His team had just completed a major review of their remote access controls. They had done everything right — multi-factor authentication, session recording, access windows, vendor credentialing. On paper, it was a solid program.
Then he showed me what was actually happening.
Vendors who couldn't navigate the login process were texting plant operators for shared credentials. Engineers with corporate Microsoft accounts were getting locked out trying to reach assets tied to local Active Directory domains. Onboarding new contractors was a four-day back-and-forth between IT, OT, and legal. And the security team? They were drowning in alert noise — thousands of events per session, most of them irrelevant — while the genuinely risky sessions slipped by unreviewed.
The security director had built a wall. But it created too much friction, and his team had quietly dug a dozen tunnels underneath it to keep hitting their operational KPIs.
This is the workaround problem in OT security. And it's far more common than most security leaders want to admit.
Why OT Secure Remote Access Friction Creates an Architecture Problem — Not a People Problem
OT environments sit at the intersection of three sets of stakeholders who want fundamentally different things. The security team wants the tightest possible controls. The GRC team needs audit-ready evidence to prove those controls are working. The operations team needs production to keep moving. Each group is pulling in a different direction — and the tension between them creates friction.
When security tools are too difficult to use correctly, people route around them. Workarounds replace processes. And the controls that looked air-tight on paper become decorative.
The SANS Five Critical Controls for ICS/OT Cybersecurity — including secure remote access and defensible architecture — are exactly where this plays out. Industrial programs miss them not because they don't care, but because the friction makes compliance the harder path than the workaround.
Up to 30% — reduction in OT cyber risk through secure remote access and defensible architecture — Dragos 2025 OT Cybersecurity Financial Risk Report
$2–3 million — additional financial risk exposure per organization when those controls aren't met
That 30 percent risk reduction isn't theoretical. It breaks down to 12 percent from secure remote access and 17 percent from defensible architecture. Two controls. Millions of dollars. And the main reason industrial programs don't have them implemented isn't awareness — it's friction.
See how teams are reducing remote access risk. Read the SANS "Securing Remote Access in OT: A Critical Control for Modern Risk" Whitepaper →
The Five Places Security Friction Undermines Remote Access in OT Programs
1. Identity & Single Sign-On: The Multi-Domain Problem
Ask any OT security engineer about identity management and they'll pause before answering. The problem isn't that organizations lack identity tools — it's that they have too many, and none of them were built to work together across the IT/OT divide.
Corporate users come in through Entra ID. Vendors bring their own Microsoft tenants. Some sites still run local Active Directory. A contractor from an OEM shouldn't need to create yet another set of credentials just to access one system for four hours. But without a unified access layer, that's exactly what happens — and when it's too cumbersome, they find another way in.
The Dispel Zero Trust Engine solves this with hybrid domain support. Vendors may optionally authenticate using their own SSO — their existing Microsoft credentials, and their existing MFA. The Dispel platform validates that authentication and carries it forward. For assets requiring local AD login, that layer is preserved too. No new accounts. No credential sharing. No friction that creates workarounds.
2. Multiple Gates: Airport Security for OT
One of the most useful analogies I've found for explaining layered access control: think about how an airport works.
There's a gate agent who checks your boarding pass and verifies you're sitting in seat 10B. That check is tightly bound to your seat, your identity, your destination. It makes sense at the gate. But why would you let someone walk all the way to the gate before checking who they are?
Traditional OT access control puts all the checking at the on-prem level — right in front of the asset. By then, an unauthorized user is already inside your environment. Dispel’s platform extends the first gate out into the cloud. Identity is verified before anyone enters the network perimeter. The on-prem gate still functions — it still validates the specific asset access — but the cloud gate stops problems before they reach the industrial environment. Defense in depth the way it was designed to work.
3. Vendor Remote Access Onboarding: The Multi-Day Tax
Every vendor cycle brings the same overhead: collecting credentials, setting up accounts, assigning permissions, coordinating across IT and OT teams. In large utilities and manufacturers, this process can take days. For a vendor making a routine maintenance call, that's a real cost — both operationally and in the workarounds that emerge when the process takes too long.
The Dispel platform provides self-onboarding links that apply permissions and plant-level controls at the moment of access. Vendor access management workflows that once required days now complete in seconds. Administrators retain full control. Vendors get in and stay in the channels they're supposed to be in.
4. Shared Accounts: Attribution Without Chaos
Here's a scenario that plays out in real OT environments more than anyone wants to admit: a large OEM has a shared account for their service team, because creating individual accounts for every technician who might ever touch a system is genuinely impractical. The result? One login. Zero attribution. No audit trail.
The Dispel platform’s secure shared account model solves this without eliminating the shared account. The plant administrator issues a one-time code to the specific technician using the shared account that day. The access event is tagged to that individual. Behavioral baselines are built over time. If that shared account starts doing things that technician has never done before, the system notices.
You get the practicality of a shared account. You get the security of individual attribution. The GRC team gets their audit trail. No additional accounts required.
5. Risk Scoring & Alert Noise: The Signal-to-Noise Problem
Windows generates thousands of events per second that could theoretically flood a SOC. Most OT security tools amplify that noise rather than filtering it. Security teams spend their time triaging alerts instead of acting on the ones that matter.
Dispel's approach is a combined stoplight risk score — a unified signal built from individual risk inputs that gives administrators a clear green, yellow, or red at the moment of access approval. Not 10,000 data points. One decision-ready score. A yellow score means: call Tom before approving. A green means: approve and move on. A red means: pull up the session recording and look closely at the session. Policy guides decisions rather than adding steps.
What Gets Better When Friction Disappears
When security friction is removed, something important happens: the sanctioned path becomes the easiest path. Teams stop building remote access workarounds not because policy forces them to, but because the right way to access a system is also the fastest way.
The SANS critical controls get met — not because the security team enforced them harder, but because the tools that implement them stopped fighting the workflow. Vendor access becomes traceable. Alert noise becomes actionable signals. And the $2–3 million in additional risk exposure that comes with unmet controls starts to disappear.
The goal isn't a more locked-down OT program. It's a program where security and operations run in the same direction.
That's what the Dispel Zero Trust Engine was built for — not to sell a feature set, but to remove the friction that sits between a security team's intentions and an operations team's reality. When those two things align, industrial programs don't just get more secure. They get faster, more auditable, and easier to run.
That's the right outcome for every stakeholder in the room.
This is the first in a three-part series on OT Friction. Blog 2 examines Efficiency Friction and the real cost of downtime. Blog 3 covers GRC Friction and why audit season doesn't have to be a crisis.
Learn how OT teams are improving compliance, protecting uptime, and modernizing access. Read the SANS whitepaper →



