implementing-conduit-security-for-ot-remote-access
Implement secure conduit architecture for OT remote access following IEC 62443 zones and conduits model, deploying jump servers, MFA-enabled gateways, session recording, and approval-based workflows to control vendor and engineer access to industrial control systems without exposing OT networks directly.
Best use case
implementing-conduit-security-for-ot-remote-access is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement secure conduit architecture for OT remote access following IEC 62443 zones and conduits model, deploying jump servers, MFA-enabled gateways, session recording, and approval-based workflows to control vendor and engineer access to industrial control systems without exposing OT networks directly.
Teams using implementing-conduit-security-for-ot-remote-access should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/implementing-conduit-security-for-ot-remote-access/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How implementing-conduit-security-for-ot-remote-access Compares
| Feature / Agent | implementing-conduit-security-for-ot-remote-access | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement secure conduit architecture for OT remote access following IEC 62443 zones and conduits model, deploying jump servers, MFA-enabled gateways, session recording, and approval-based workflows to control vendor and engineer access to industrial control systems without exposing OT networks directly.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
SKILL.md Source
# Implementing Conduit Security for OT Remote Access
## When to Use
- When replacing direct VPN connections from IT or vendors into OT control networks
- When implementing IEC 62443-compliant conduit architecture for remote access paths
- When deploying secure remote access for third-party vendor maintenance of ICS equipment
- When building approval-based access workflows for privileged OT system access
- When remediating audit findings about uncontrolled remote access to SCADA systems
**Do not use** for designing the overall Purdue Model segmentation (see implementing-purdue-model-network-segmentation), for deploying IT-only remote access solutions, or for configuring local console access to PLCs.
## Prerequisites
- IT/OT DMZ (Level 3.5) deployed with dual-firewall architecture
- Jump server or privileged access management (PAM) platform (CyberArk, BeyondTrust)
- Multi-factor authentication (MFA) infrastructure for OT remote access users
- Session recording capability for compliance and forensic purposes
- Approval workflow system (ServiceNow, ticketing) for access requests
## Workflow
### Step 1: Design Conduit Architecture for Remote Access
```yaml
# IEC 62443 Conduit Security Architecture for OT Remote Access
# All remote access terminates in DMZ - never passes through to OT directly
conduit_architecture:
remote_access_conduit:
conduit_id: "RA-001"
source_zone: "Enterprise IT (Level 4)"
destination_zone: "OT DMZ (Level 3.5)"
security_level_target: "SL3"
components:
external_gateway:
type: "VPN Concentrator"
location: "Enterprise DMZ"
ip: "10.200.1.10"
protocols: ["IPsec", "SSL-VPN"]
authentication: "MFA required (certificate + OTP)"
dmz_jump_server:
type: "Privileged Access Workstation"
location: "OT DMZ (Level 3.5)"
ip: "10.10.150.20"
os: "Windows Server 2022 (hardened)"
controls:
- "Local admin accounts disabled"
- "USB ports disabled"
- "Clipboard transfer disabled by default"
- "Session recording enabled (all keystrokes and screen)"
- "Maximum session duration: 4 hours"
- "Automatic logoff after 15 minutes idle"
- "Application whitelisting enforced"
ot_access_gateway:
type: "Industrial Remote Access Gateway"
location: "OT DMZ / Level 3 boundary"
ip: "10.10.150.25"
controls:
- "Only pre-approved destination IPs reachable"
- "Protocol-level filtering (RDP, SSH, VNC only)"
- "Time-limited sessions with automatic expiry"
- "Approval-based access (plant manager must authorize)"
data_flow:
- step: 1
description: "User authenticates via enterprise VPN with MFA"
source: "Remote user"
destination: "VPN concentrator"
protocol: "IPsec/SSL-VPN"
- step: 2
description: "User connects to jump server in OT DMZ"
source: "VPN tunnel"
destination: "DMZ jump server"
protocol: "RDP with NLA"
- step: 3
description: "From jump server, user accesses specific OT system"
source: "DMZ jump server"
destination: "Approved OT target"
protocol: "RDP/SSH/VNC"
condition: "Only after manager approval and within time window"
prohibited_flows:
- "Direct VPN tunnel from external to Level 1/2 OT devices"
- "Split tunneling allowing internet access during OT session"
- "File transfer from jump server to OT without scanning"
- "Persistent VPN connections (auto-reconnect disabled)"
vendor_access_conduit:
conduit_id: "VA-001"
source_zone: "Vendor External Network"
destination_zone: "OT DMZ (Level 3.5)"
security_level_target: "SL3"
workflow:
request:
- "Vendor submits access request via portal (24h advance)"
- "Request includes: purpose, target systems, duration, personnel"
- "Plant operations manager reviews and approves/rejects"
- "Time-limited credentials generated upon approval"
session:
- "Vendor connects via dedicated vendor VPN gateway"
- "MFA authentication (vendor receives OTP via SMS/app)"
- "Session lands on vendor-specific jump server (isolated from internal jump)"
- "All actions recorded (video + keystroke logging)"
- "OT engineer monitors vendor session in real-time"
termination:
- "Session auto-terminates at approved end time"
- "Credentials automatically revoked"
- "Session recording archived for 90 days"
- "Access log forwarded to SIEM"
```
### Step 2: Implement Access Control and Monitoring
```python
#!/usr/bin/env python3
"""OT Remote Access Conduit Manager.
Manages approval-based remote access to OT systems through
secure conduit architecture with session recording, MFA
enforcement, and time-limited access windows.
"""
import json
import sys
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from enum import Enum
class AccessRequestStatus(Enum):
PENDING = "pending"
APPROVED = "approved"
REJECTED = "rejected"
ACTIVE = "active"
EXPIRED = "expired"
REVOKED = "revoked"
class RemoteAccessRequest:
"""Represents an OT remote access request."""
def __init__(self, requestor: str, requestor_type: str, purpose: str,
target_systems: List[str], duration_hours: int,
requested_start: str):
self.id = f"OT-RA-{datetime.now().strftime('%Y%m%d-%H%M%S')}"
self.requestor = requestor
self.requestor_type = requestor_type # "internal_engineer" or "vendor"
self.purpose = purpose
self.target_systems = target_systems
self.duration_hours = duration_hours
self.requested_start = requested_start
self.status = AccessRequestStatus.PENDING
self.created = datetime.now().isoformat()
self.approved_by = None
self.session_id = None
self.audit_trail = []
def approve(self, approver: str, conditions: str = ""):
"""Approve the access request."""
self.status = AccessRequestStatus.APPROVED
self.approved_by = approver
self.audit_trail.append({
"timestamp": datetime.now().isoformat(),
"action": "APPROVED",
"actor": approver,
"conditions": conditions,
})
def reject(self, rejector: str, reason: str):
"""Reject the access request."""
self.status = AccessRequestStatus.REJECTED
self.audit_trail.append({
"timestamp": datetime.now().isoformat(),
"action": "REJECTED",
"actor": rejector,
"reason": reason,
})
class OTConduitManager:
"""Manages OT remote access conduit security."""
def __init__(self):
self.access_requests: Dict[str, RemoteAccessRequest] = {}
self.active_sessions: Dict[str, dict] = {}
self.policy = self._load_policy()
def _load_policy(self) -> dict:
"""Load remote access policy."""
return {
"max_session_hours": 4,
"idle_timeout_minutes": 15,
"mfa_required": True,
"session_recording": True,
"clipboard_transfer": False,
"file_transfer": "scan_required",
"advance_notice_hours": 24,
"vendor_escort_required": True,
"prohibited_targets": ["SIS-*", "SAFETY-*"],
"allowed_protocols": ["RDP", "SSH", "VNC"],
"blocked_protocols": ["Telnet", "FTP", "SMB"],
}
def submit_request(self, request: RemoteAccessRequest) -> str:
"""Submit a new remote access request."""
# Validate against policy
violations = []
if request.duration_hours > self.policy["max_session_hours"]:
violations.append(
f"Duration {request.duration_hours}h exceeds maximum {self.policy['max_session_hours']}h"
)
for target in request.target_systems:
for prohibited in self.policy["prohibited_targets"]:
pattern = prohibited.replace("*", "")
if target.startswith(pattern):
violations.append(f"Target {target} is in prohibited list (safety systems)")
if violations:
print(f"[!] Policy violations found:")
for v in violations:
print(f" - {v}")
return ""
self.access_requests[request.id] = request
print(f"[+] Access request {request.id} submitted for approval")
return request.id
def list_pending_requests(self):
"""List all pending access requests for approval."""
pending = [r for r in self.access_requests.values()
if r.status == AccessRequestStatus.PENDING]
print(f"\n{'='*65}")
print("PENDING OT REMOTE ACCESS REQUESTS")
print(f"{'='*65}")
if not pending:
print(" No pending requests")
return
for req in pending:
print(f"\n Request: {req.id}")
print(f" Requestor: {req.requestor} ({req.requestor_type})")
print(f" Purpose: {req.purpose}")
print(f" Targets: {', '.join(req.target_systems)}")
print(f" Duration: {req.duration_hours} hours")
print(f" Start: {req.requested_start}")
print(f" Submitted: {req.created}")
def generate_audit_report(self):
"""Generate audit report of all remote access activity."""
print(f"\n{'='*65}")
print("OT REMOTE ACCESS AUDIT REPORT")
print(f"{'='*65}")
print(f"Report Date: {datetime.now().isoformat()}")
print(f"Total Requests: {len(self.access_requests)}")
status_counts = {}
for req in self.access_requests.values():
status = req.status.value
status_counts[status] = status_counts.get(status, 0) + 1
print(f"\nRequest Status:")
for status, count in status_counts.items():
print(f" {status}: {count}")
print(f"\nDetailed Audit Trail:")
for req in self.access_requests.values():
print(f"\n {req.id} - {req.requestor} ({req.requestor_type})")
print(f" Status: {req.status.value}")
print(f" Targets: {', '.join(req.target_systems)}")
for entry in req.audit_trail:
print(f" [{entry['timestamp']}] {entry['action']} by {entry['actor']}")
if __name__ == "__main__":
manager = OTConduitManager()
# Vendor access request
vendor_req = RemoteAccessRequest(
requestor="John Smith - Siemens Field Service",
requestor_type="vendor",
purpose="Annual PLC firmware update for S7-1500 controllers",
target_systems=["PLC-REACTOR-01", "PLC-REACTOR-02"],
duration_hours=3,
requested_start="2025-03-15T08:00:00",
)
req_id = manager.submit_request(vendor_req)
if req_id:
manager.list_pending_requests()
# Simulate approval
manager.access_requests[req_id].approve(
approver="Plant Manager - Jane Doe",
conditions="OT engineer must shadow the vendor session",
)
manager.generate_audit_report()
```
## Key Concepts
| Term | Definition |
|------|------------|
| Conduit | IEC 62443 controlled communication path between security zones with defined security policies |
| Jump Server | Hardened intermediary server in the DMZ through which all remote OT access must transit |
| Session Recording | Capture of all screen activity, keystrokes, and commands during a remote access session for audit |
| Approval-Based Access | Workflow requiring plant operations manager authorization before remote access credentials are activated |
| Vendor Escort | Practice of having an internal OT engineer monitor vendor remote sessions in real time |
| Break-Glass Access | Emergency access procedure bypassing normal approval workflow for critical situations |
## Output Format
```
OT REMOTE ACCESS CONDUIT REPORT
==================================
Date: YYYY-MM-DD
CONDUIT STATUS:
Internal Access Conduit: [Active/Inactive]
Vendor Access Conduit: [Active/Inactive]
ACCESS REQUESTS (Last 30 Days):
Submitted: [count]
Approved: [count]
Rejected: [count]
Average Session Duration: [hours]
POLICY COMPLIANCE:
MFA Enforcement: [100%]
Session Recording: [100%]
Time-Limited Sessions: [compliance %]
Prohibited Target Attempts: [count blocked]
```Related Skills
triaging-security-incident
Performs initial triage of security incidents to determine severity, scope, and required response actions using the NIST SP 800-61r3 and SANS PICERL frameworks. Classifies incidents by type, assigns priority based on business impact, and routes to appropriate response teams. Activates for requests involving incident triage, security alert classification, severity assessment, incident prioritization, or initial incident analysis.
triaging-security-incident-with-ir-playbook
Classify and prioritize security incidents using structured IR playbooks to determine severity, assign response teams, and initiate appropriate response procedures.
triaging-security-alerts-in-splunk
Triages security alerts in Splunk Enterprise Security by classifying severity, investigating notable events, correlating related telemetry, and making escalation or closure decisions using SPL queries and the Incident Review dashboard. Use when SOC analysts face queued alerts from correlation searches, need to prioritize investigation order, or must document triage decisions for handoff to Tier 2/3 analysts.
testing-websocket-api-security
Tests WebSocket API implementations for security vulnerabilities including missing authentication on WebSocket upgrade, Cross-Site WebSocket Hijacking (CSWSH), injection attacks through WebSocket messages, insufficient input validation, denial-of-service via message flooding, and information leakage through WebSocket frames. The tester intercepts WebSocket handshakes and messages using Burp Suite, crafts malicious payloads, and tests for authorization bypass on WebSocket channels. Activates for requests involving WebSocket security testing, WS penetration testing, CSWSH attack, or real-time API security assessment.
testing-jwt-token-security
Assessing JSON Web Token implementations for cryptographic weaknesses, algorithm confusion attacks, and authorization bypass vulnerabilities during security engagements.
testing-for-broken-access-control
Systematically testing web applications for broken access control vulnerabilities including privilege escalation, missing function-level checks, and insecure direct object references.
testing-api-security-with-owasp-top-10
Systematically assessing REST and GraphQL API endpoints against the OWASP API Security Top 10 risks using automated and manual testing techniques.
securing-remote-access-to-ot-environment
This skill covers implementing secure remote access to OT/ICS environments for operators, engineers, and vendors while preventing unauthorized access that could compromise industrial operations. It addresses jump server architecture, multi-factor authentication, session recording, privileged access management, vendor remote access controls, and compliance with IEC 62443 and NERC CIP-005 remote access requirements.
performing-wireless-security-assessment-with-kismet
Conduct wireless network security assessments using Kismet to detect rogue access points, hidden SSIDs, weak encryption, and unauthorized clients through passive RF monitoring.
performing-ssl-tls-security-assessment
Assess SSL/TLS server configurations using the sslyze Python library to evaluate cipher suites, certificate chains, protocol versions, HSTS headers, and known vulnerabilities like Heartbleed and ROBOT.
performing-soap-web-service-security-testing
Perform security testing of SOAP web services by analyzing WSDL definitions and testing for XML injection, XXE, WS-Security bypass, and SOAPAction spoofing.
performing-serverless-function-security-review
Performing security reviews of serverless functions across AWS Lambda, Azure Functions, and GCP Cloud Functions to identify overly permissive execution roles, insecure environment variables, injection vulnerabilities, and missing runtime protections.