Background
An oil and gas operator managing three production facilities with approximately 280 OT assets, including SCADA servers, DCS controllers, PLCs, RTUs, HMIs, and engineering workstations, identified a critical gap during an internal review. Remote access to plant systems took place over direct RDP and SSH connections with no centralized control. Vendors, operators, and contractors connected directly to production systems using shared credentials, and nobody had visibility into who was connected or what they were doing.
The issue was escalated after a vendor accidentally modified a compressor pressure setpoint on a system outside their scope during an unmonitored RDP session. The change went unnoticed for several hours. Leadership treated this as a near-miss and authorized an immediate engagement.
Beacon Security was brought in to eliminate the exposure and deploy a governed remote access architecture.
Note: All identifying details have been removed to protect client confidentiality.
The Challenge
Direct RDP and SSH into Production Systems
Vendors were connecting via RDP directly to operator HMIs and DCS engineering stations. A vendor troubleshooting one compressor train could freely navigate to adjacent systems, safety controllers, or SCADA servers through the same session. There were no boundaries.
14 Persistent VPN Tunnels with Shared Credentials
Six vendor organizations and three internal support teams maintained 14 separate VPN tunnels into the plant network. Two of those tunnels belonged to vendors whose contracts had expired more than a year earlier and were still active. One DCS vendor had shared a single login across 11 engineers in three different offices.
Zero Session Recording or Monitoring
No remote session had ever been recorded. The control room had no way to see active remote sessions, and when the compressor incident occurred, there was no forensic evidence to review. The vendor could only provide a verbal account from memory.
No Time Restrictions or User Segregation
All tunnels were active 24/7. A first-time commissioning contractor had the same access level as a long-term DCS support engineer. No scheduling, no access windows, no tiered privileges.
Our Approach
Beacon Security designed and deployed a secure remote access solution positioned in the Level 3.5 DMZ (the Purdue-model boundary zone between enterprise IT and the plant control network), with zoning and conduit controls aligned with IEC 62443, across a 10-week engagement.
Phase 1: Discovery and Risk Mapping (Weeks 1-2)
We mapped the full remote access landscape for the first time:
- Identified all 14 active VPN tunnels through firewall rule analysis and live connection monitoring
- Found that 9 of 14 tunnels could reach safety-related systems
- One historian maintenance tunnel had routing rules broad enough to reach 73 production systems
- Confirmed 47 individuals across 9 organizations held valid credentials, including 11 people who had changed roles or left their companies
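The discovery step above comes down to one question per tunnel: given the destination networks the firewall rules permit, which assets can it actually reach, does that include safety systems, and how much of it is outside the vendor's contract? The script below is an added example of that reachability analysis; it is not Beacon Security's tooling, and the asset inventory, tunnel rules, scopes and function names are constructed assumptions for illustration.

```python
"""Firewall-rule reachability analysis for OT remote-access tunnels.

Added example, not Beacon Security's tooling.  The asset inventory and the
tunnel rules below are constructed sample data; field and function names
are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    name: str
    level: int            # Purdue level: 1 = controllers, 2 = HMI/SCADA, 3 = site operations
    safety: bool = False  # True for SIS / safety controllers


@dataclass
class Tunnel:
    name: str
    org: str
    contract_active: bool
    allowed: list[str] = field(default_factory=list)  # destination CIDRs the firewall permits
    scope: set[str] = field(default_factory=set)      # asset names the vendor is contracted for


# Constructed inventory: two safety controllers, two process PLCs, two HMI/SCADA hosts,
# a historian and an engineering workstation.
INVENTORY = [
    Asset("10.10.1.11", "SIS-A", 1, safety=True),
    Asset("10.10.1.12", "SIS-B", 1, safety=True),
    Asset("10.10.2.21", "PLC-K101", 1),
    Asset("10.10.2.22", "PLC-K102", 1),
    Asset("10.10.3.31", "HMI-CR1", 2),
    Asset("10.10.3.32", "SCADA-PRI", 2),
    Asset("10.10.4.41", "HIST-01", 3),
    Asset("10.10.4.42", "ENG-WS1", 3),
]

# Constructed tunnel rules modelled on the findings: an any-destination DCS tunnel,
# a historian tunnel routed far wider than its job needs, a correctly scoped OEM
# tunnel, and an expired-contract tunnel nobody documented.
TUNNELS = [
    Tunnel("dcs-vendor", "DCS Vendor", True, ["10.10.0.0/16"], {"SCADA-PRI", "HMI-CR1", "ENG-WS1"}),
    Tunnel("historian-maint", "Historian Vendor", True, ["10.10.0.0/20"], {"HIST-01"}),
    Tunnel("compressor-oem", "Compressor OEM", True, ["10.10.2.0/24"], {"PLC-K101", "PLC-K102"}),
    Tunnel("legacy-analyzer", "Analyzer Vendor", False, ["10.10.1.0/24", "10.10.3.0/24"], set()),
]


def reachable(tunnel: Tunnel, inventory: list[Asset]) -> list[Asset]:
    """Assets whose address falls inside any network the tunnel's rules permit."""
    nets = [ipaddress.ip_network(cidr, strict=False) for cidr in tunnel.allowed]
    return [a for a in inventory if any(ipaddress.ip_address(a.ip) in n for n in nets)]


def assess(tunnels: list[Tunnel], inventory: list[Asset]) -> dict[str, dict]:
    """Per-tunnel risk facts: how far it reaches, whether it touches safety systems,
    what it can reach beyond the contracted scope, and whether the contract is dead."""
    report = {}
    for t in tunnels:
        hits = reachable(t, inventory)
        report[t.name] = {
            "org": t.org,
            "reach_count": len(hits),
            "reaches_safety": any(a.safety for a in hits),
            "out_of_scope": sorted(a.name for a in hits if a.name not in t.scope),
            "expired_contract": not t.contract_active,
        }
    return report


def tunnels_reaching_safety(report: dict[str, dict]) -> list[str]:
    return sorted(name for name, r in report.items() if r["reaches_safety"])


def terminate_first(report: dict[str, dict]) -> list[str]:
    """Decommission order: expired tunnels first (no replacement needed), then the
    rest ranked by safety reach and by how many out-of-scope systems they expose."""
    def risk(item):
        _, r = item
        return (r["expired_contract"], r["reaches_safety"], len(r["out_of_scope"]))
    return [name for name, _ in sorted(report.items(), key=risk, reverse=True)]


if __name__ == "__main__":
    rep = assess(TUNNELS, INVENTORY)
    for name, r in rep.items():
        print(f"{name:16} reach={r['reach_count']} safety={r['reaches_safety']} "
              f"expired={r['expired_contract']} out_of_scope={r['out_of_scope']}")
    print("tunnels reaching safety systems:", tunnels_reaching_safety(rep))
    print("decommission order:", terminate_first(rep))
```

In a real engagement the inventory comes from the asset register and the permitted CIDRs from the exported firewall and VPN policy, and the same analysis should be rerun against live connection logs, since a rule that is permitted but never used and a rule that is used daily call for different migration handling.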
Phase 2: Architecture Design (Weeks 3-5)
The core principle was simple: no remote user gets a direct network path to any production system. Every session is brokered through a controlled gateway.
Gateway in Level 3.5 DMZ: A hardened, redundant remote access platform deployed in the demilitarized zone between enterprise IT and the plant control network. Remote users authenticate to the gateway. The gateway initiates a controlled session to the target. The user never touches the production network directly.
Four-Tier User Segregation:
- Internal Operators: multi-factor authentication, read-only monitoring access by default, control actions require shift supervisor approval
- Trusted Vendors: Individual credentials, access restricted to their contracted equipment only, permitted during scheduled maintenance windows
- External/Untrusted Access: Two-person authorization required, single target system per session, live supervision mandatory
- Emergency Break-Glass: Physical sealed credentials in the control room, automatic alerts to leadership, mandatory post-use review within 24 hours
Session Governance: Full screen and keystroke recording on every session. Secure file transfer with malware scanning. Automatic inactivity timeouts. Real-time monitoring dashboard visible in the control room. Instant session kill capability for operators.
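The tier rules and session governance above are, at the gateway, an access decision made before any session is brokered. The block below is an added example of that decision logic; it is not Beacon Security's gateway code. Tier names, field names, the sample users and the scenarios are assumptions, and it makes one deliberate extension: the page specifies MFA for internal operators, while this example demands MFA from vendor and untrusted users as well, since the gateway is the single entry point.

```python
"""Access-decision logic for a brokered OT remote-access gateway.

Added example, not Beacon Security's gateway code.  Implements the four-tier
model and session rules described in the text; tier names, field names, the
sample users and the scenarios are assumptions.  Extension beyond the text:
MFA is required for every brokered tier, not only internal operators.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

OPERATOR = "operator"
TRUSTED_VENDOR = "trusted_vendor"
UNTRUSTED = "untrusted"
BREAK_GLASS = "break_glass"


@dataclass
class User:
    name: str
    org: str
    tier: str
    active: bool = True                                   # False once offboarded or revoked
    scope: set[str] = field(default_factory=set)          # equipment under contract
    windows: list[tuple[datetime, datetime]] = field(default_factory=list)  # maintenance windows


@dataclass
class Request:
    user: User
    targets: list[str]
    when: datetime
    action: str = "monitor"               # "monitor" (read-only) or "control"
    mfa_verified: bool = False
    supervisor_approval: bool = False     # shift supervisor approved a control action
    second_authorizer: str | None = None  # second person for the two-person rule
    live_supervisor: bool = False         # an operator is watching the session live


@dataclass
class Decision:
    allow: bool
    reasons: list[str]
    alerts: list[str] = field(default_factory=list)  # side effects the gateway must raise


def decide(req: Request) -> Decision:
    """Return allow/deny with every failed rule listed, so the operator sees why."""
    u, reasons, alerts = req.user, [], []

    # Revoked or offboarded credentials are refused regardless of tier, and the
    # attempt itself is an alert: this is how a shared, leaked credential gets caught.
    if not u.active:
        return Decision(False, ["credential revoked or user offboarded"],
                        ["security alert: revoked credential used by " + u.name])

    # Break-glass is always allowed but never quiet.
    if u.tier == BREAK_GLASS:
        review_by = req.when + timedelta(hours=24)
        alerts = ["leadership alert: break-glass credential used",
                  "post-use review due by " + review_by.isoformat()]
        return Decision(True, ["break-glass"], alerts)

    if not req.mfa_verified:
        reasons.append("MFA not satisfied")

    if u.tier == OPERATOR:
        if req.action == "control" and not req.supervisor_approval:
            reasons.append("control action requires shift supervisor approval")
    elif u.tier == TRUSTED_VENDOR:
        outside = sorted(t for t in req.targets if t not in u.scope)
        if outside:
            reasons.append("targets outside contracted scope: " + ", ".join(outside))
        if not any(start <= req.when <= end for start, end in u.windows):
            reasons.append("outside scheduled maintenance window")
    elif u.tier == UNTRUSTED:
        if len(req.targets) != 1:
            reasons.append("untrusted access is limited to one target per session")
        if not req.second_authorizer or req.second_authorizer == u.name:
            reasons.append("two-person authorization missing")
        if not req.live_supervisor:
            reasons.append("live supervision required")
    else:
        reasons.append("unknown tier: " + u.tier)

    return Decision(not reasons, reasons or ["policy satisfied"], alerts)


def demo_scenarios() -> dict[str, Decision]:
    """Constructed users and requests exercising each tier and the common failures."""
    window = (datetime(2024, 3, 12, 8, 0), datetime(2024, 3, 12, 18, 0))
    now = datetime(2024, 3, 12, 10, 30)
    night = datetime(2024, 3, 12, 23, 0)
    operator = User("ops1", "Operator Co", OPERATOR)
    vendor = User("eng7", "DCS Vendor", TRUSTED_VENDOR, scope={"DCS-ENG-1", "K-101"}, windows=[window])
    leaver = User("eng2", "DCS Vendor", TRUSTED_VENDOR, active=False, scope={"DCS-ENG-1"}, windows=[window])
    contractor = User("cx1", "Commissioning Ltd", UNTRUSTED)
    glass = User("break-glass-01", "Operator Co", BREAK_GLASS)
    return {
        "operator_monitor": decide(Request(operator, ["HMI-CR1"], now, mfa_verified=True)),
        "operator_control_no_approval": decide(Request(operator, ["HMI-CR1"], now, action="control", mfa_verified=True)),
        "operator_control_approved": decide(Request(operator, ["HMI-CR1"], now, action="control", mfa_verified=True, supervisor_approval=True)),
        "vendor_in_scope_in_window": decide(Request(vendor, ["DCS-ENG-1"], now, mfa_verified=True)),
        "vendor_adjacent_compressor": decide(Request(vendor, ["K-102"], now, mfa_verified=True)),
        "vendor_out_of_window": decide(Request(vendor, ["DCS-ENG-1"], night, mfa_verified=True)),
        "leaver_shared_credential": decide(Request(leaver, ["DCS-ENG-1"], now, mfa_verified=True)),
        "contractor_two_targets": decide(Request(contractor, ["K-101", "K-102"], now, mfa_verified=True, second_authorizer="ops1", live_supervisor=True)),
        "contractor_properly_supervised": decide(Request(contractor, ["K-101"], now, mfa_verified=True, second_authorizer="ops1", live_supervisor=True)),
        "break_glass": decide(Request(glass, ["SIS-A"], now, action="control")),
    }


if __name__ == "__main__":
    for label, d in demo_scenarios().items():
        print(f"{label:32} {'ALLOW' if d.allow else 'DENY ':5} {'; '.join(d.reasons)}")
        for a in d.alerts:
            print(" " * 38 + "! " + a)
```

The "vendor_adjacent_compressor" scenario is the compressor-setpoint incident from the background section replayed under the new model: the engineer is a legitimate, in-window vendor user, and the session is still refused because K-102 is not in their contracted scope. Returning every failed rule rather than the first one is a deliberate choice so the control room can tell a scheduling problem from a scope violation from a revoked credential at a glance.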
Phase 3: Staged Deployment (Weeks 6-8)
Deployment was staged to protect vendor support continuity during a planned turnaround period:
- Gateway deployed and validated in parallel with existing VPN tunnels
- The four highest-risk tunnels (those with the broadest reach into safety systems) were migrated first
- Each vendor completed a supervised test session before their legacy tunnel was disabled
- 48-hour observation period after each migration to confirm no issues
- The two expired vendor tunnels, already terminated during discovery, needed no replacement
Phase 4: Vendor Onboarding and Handover (Weeks 9-10)
- 47 individual credentials issued across all 9 organizations, replacing every shared account
- Each engineer's access scope locked to their specific equipment and IP range
- Access windows configured per vendor based on maintenance contracts
- Control room operators trained on the live session dashboard, termination procedures, and break-glass protocol
Key Findings
Expired Vendor Tunnels Still Active
Two VPN tunnels connected to vendors with expired contracts had been running for over 19 months after the last engagement. Neither appeared in any documentation.
Action: Terminated immediately during the discovery phase.
Unauthorized Access Attempt Blocked
Within 60 days of go-live, the platform blocked a connection attempt using credentials that had been shared externally by a vendor employee who had since left the organization.
Action: Credential revoked, vendor notified, full access audit conducted.
Root-Cause Visibility for the First Time
In the first quarter, session recordings provided clear evidence for two operational anomalies that were traced back to vendor configuration changes. Under the old model, these would have remained unexplained.
Outcome
Every direct RDP and SSH connection from external networks into production systems was eliminated across all three facilities. All remote access now flows through the Level 3.5 DMZ gateway with full recording, monitoring, and access governance.
Deliverables Provided:
- Secure remote access architecture aligned with IEC 62443
- Redundant Level 3.5 DMZ gateway deployment
- Four-tier user segregation model with per-vendor access policies
- Session recording, live monitoring, and secure file transfer configuration
- Individual credentials for 47 users across 9 organizations
- Operations team training on monitoring, access management, and break-glass procedures
Results:
- 14 legacy VPN tunnels permanently decommissioned
- Active remote connection hours reduced by 78% through scheduled access windows
- 3 unauthorized access attempts detected and blocked within 60 days
- Full forensic audit trail established for every remote session
- Architecture adopted as the standard across the operator's remaining production sites
Beacon Security designs and deploys secure remote access solutions for oil and gas and industrial environments. Contact us to discuss your remote access requirements.

