Zero Trust Network Access (ZTNA) is a secure remote access service. It verifies remote users and grants them access to the right resources at the right times based on identity and context policies. This is part 3 in our blog series about ZTNA for operational technology (OT). Check out Part 1 for why ZTNA beats out always-on VPNs for OT remote access and Part 2 for how ZTNA reduces the attack surface by restricting access methods and verifying remote users’ security posture.

Video cameras are everywhere, including in facilities with the strictest physical access controls. Even if you trust an individual to enter a sensitive area, you still need to monitor their activities once they’re in the door. Seeing a suspicious activity, you can step in to stop it. And if problems crop up after the visit, reviewing a recording can help pinpoint what went wrong.

Monitoring and recording activities are equally critical when it comes to remote users accessing your OT networks. It’s not enough to verify the identity of remote employees, vendors, and contractors. Neither is it enough to know who is connected to what OT/ICS assets. You also need to know what users are doing during remote access sessions. Most organizations lack that visibility today, a shortcoming for cybersecurity compliance, governance, the ability to stop and recover from breaches, and incident investigation.

Conveniently, Cisco Secure Equipment Access (SEA) gives you an all-in-one solution to grant remote access, enforce access controls, and monitor and record remote session activity. Here are three ways you can take advantage of Cisco SEA to actively control OT remote access.

1 – Monitor, join, and terminate active sessions

See a list of all active sessions on the Cisco SEA console. By clicking on the session between ‘User A’ and ‘Asset B’ you can watch session activities as they happen, including commands sent to the asset. Watching a vendor configure an OT/ICS asset can be helpful for training, for example. And if you see something suspicious, like an attempt to change the code or a variable in a programmable logic controller (PLC), you can terminate the session with a click and disconnect the remote user. Remote session termination is required by ISA/IEC62443-3-3 FR2.

2 – Maintain a complete log of past sessions

Cybersecurity best practices require maintaining a detailed history of all past sessions, useful for security audits, forensic investigations, and regulatory compliance. The EU’s NIS2 Directive, for example, requires a full audit trail for every event that affects critical infrastructure and OT security standards such as ISA/IEC62443-3-3 require records of all login attempts. Cisco SEA logs both system-generated and user-generated events. For example, review how remote users authenticate, including usernames, time, device posture, and session activities. Or see who added new users or new assets to the system.

3 – Record sessions to see what happened

Optionally record sessions for selected assets, simply by selecting the asset on the console and checking a box. Recordings enrich your audit trail and can be particularly helpful for troubleshooting. If an asset like a robot arm, wind turbine, or highway sign stops working, for example, you might discover that a vendor recently upgraded the software or made a typo in a new configuration. Faster troubleshooting helps you put the asset back into production sooner.

Keep it simple, with an all-in-one solution for secure equipment access

Summing up, Cisco SEA gives you a single interface to protect your ICS and OT assets with ZTNA. Require all remote users to authenticate through a single point. Control which assets they can access and at what times. And do what a video camera does by monitoring all remote session activities and recording data for security audits.

Learn more about Cisco Secure Equipment Access here.


Ruben Lobo

Director, Product Management

Cisco Industrial IoT