Setup: We have our OT network only accessible via VPN (this is held within our network, no connection to the outside) in order to keep our OT network separate from our corporate network.
Issue: When our controls get into the PLC/NAT they are kicked off the network (due to connecting to the OT VPN) and they are unable to access any online note/email. Is there any way to set up another way to secure our OT network, like zero trust, a VM, or any other options? Thank you!
Split tunneling on the VPN?
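For readers unfamiliar with the term, here is what the difference looks like on a WireGuard client (an added example, not posted by anyone in this thread; the addresses, endpoint name and key placeholders are assumptions). Only the AllowedIPs line changes: with 0.0.0.0/0 every packet, mail included, goes into the OT tunnel, which is the behaviour the original poster describes. With just the OT subnet listed, corporate services keep using the normal interface.

```ini
# Assumed WireGuard client config for the OT VPN (added example).
[Interface]
PrivateKey = <client private key>
Address = 10.200.0.2/32

[Peer]
PublicKey = <OT VPN gateway public key>
Endpoint = otvpn.internal.example:51820
# Full tunnel: everything is routed into the OT VPN, so mail and intranet break.
# AllowedIPs = 0.0.0.0/0
# Split tunnel: only the (assumed) OT subnet is routed into the tunnel.
AllowedIPs = 192.168.100.0/24
PersistentKeepalive = 25
```

Whether that is acceptable is the subject of the replies further down; the narrower the AllowedIPs list, the less of the OT network a compromised laptop can reach, but the laptop still bridges both networks.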
Most OT network breaches come from the IT network. I’d look at allowing connections to a Remote Desktop on the corporate network (one way) from the OT network with additional security controls.
Check out OpenZiti (An open source project of NetFoundry, my employer for disclosure). It can enable zero trust access to your OT network from anywhere without the kind of routing issues I think you’re experiencing.
What you might want is an iDMZ type of arrangement with jump servers, assuming you have the resources to build.
Tempered.io if you have the budget.
Take a look at Secomea. They are a de facto standard OT remote access solution that is widely used within oil and gas (in Norway/Europe) and ticks a lot of the security checkboxes. Easy to set up, and easy to use.
With that said, using split tunneling as several have suggested is not a good security standard. While working on the OT network, you should only have network access to the minimum necessary. Another important point is to make sure your client PCs that connect to your OT network have EDR installed at a minimum. You can use HIP to enforce this via Palo Alto GlobalProtect, for example.
We leverage Bomgar / BeyondTrust Privileged Remote Access.
Look at the Purdue Model for ICS security, that’ll give you some good ideas on dos and don’ts. As above you really want some protocol breaks in there to reduce options for lateral movement. Hardened remote access boxes sitting in an iDMZ is a common approach
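To make the "protocol break" idea concrete, here is a small zone-policy checker (an added example, not code from any poster or product) that models the layout the last few replies describe: corporate can reach only a hardened jump host in an iDMZ, and only that jump host can speak a short list of OT protocols into the OT network. Every zone address, the jump host IP and the sample flows are constructed assumptions. It is useful as a pre-commit check on a firewall ruleset: lint_rules() flags any rule that lets traffic skip the iDMZ or enter OT from an unpinned source.

```python
"""Flow-policy check for a Purdue-style layout with an iDMZ jump host.

Added example for this thread, not code from any poster or vendor. Zones,
addresses, the jump host and the protocol list are constructed assumptions;
substitute your own before using this to review a real ruleset.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed zone addressing (constructed sample data).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "idmz": ipaddress.ip_network("172.16.50.0/24"),
    "ot": ipaddress.ip_network("192.168.100.0/24"),
}

# Only neighbouring levels may talk directly; anything else must hop through
# the iDMZ. This is the protocol break the replies above refer to.
ADJACENT = {("corporate", "idmz"), ("idmz", "corporate"),
            ("idmz", "ot"), ("ot", "idmz")}

JUMP_HOST = "172.16.50.10"  # assumed hardened remote-access box in the iDMZ


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src_host: Optional[str] = None  # pin to one source address if set
    dst_host: Optional[str] = None  # pin to one destination address if set


# Default-deny whitelist: RDP from corporate to the jump host only, and a
# short list of OT protocols from the jump host only (assumed ports).
RULES = [
    Rule("corporate", "idmz", "tcp", 3389, dst_host=JUMP_HOST),
    Rule("idmz", "ot", "tcp", 502, src_host=JUMP_HOST),   # Modbus/TCP
    Rule("idmz", "ot", "tcp", 102, src_host=JUMP_HOST),   # S7comm (ISO-TSAP)
]


def zone_of(addr: str) -> Optional[str]:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def check_flow(src: str, dst: str, proto: str, dport: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for one candidate connection across zones."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return False, "unknown zone"
    if sz == dz:
        return True, "same zone, not a boundary crossing"
    if (sz, dz) not in ADJACENT:
        return False, f"{sz} -> {dz} skips the iDMZ"
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) != (sz, dz, proto.lower(), dport):
            continue
        if r.src_host and r.src_host != src:
            continue
        if r.dst_host and r.dst_host != dst:
            continue
        return True, f"matched {sz} -> {dz} {proto}/{dport}"
    return False, "no matching rule (default deny)"


def lint_rules(rules: List[Rule] = RULES) -> List[str]:
    """Flag rules that bypass the iDMZ or admit any host of a zone into OT."""
    findings = []
    for r in rules:
        if (r.src_zone, r.dst_zone) not in ADJACENT:
            findings.append(f"{r} skips the iDMZ")
        if r.dst_zone == "ot" and r.src_host is None:
            findings.append(f"{r} lets any {r.src_zone} host into OT")
    return findings


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    for flow in [("10.10.5.20", "172.16.50.10", "tcp", 3389),      # engineer -> jump host
                 ("10.10.5.20", "192.168.100.15", "tcp", 502),     # engineer -> PLC directly
                 ("172.16.50.10", "192.168.100.15", "tcp", 502),   # jump host -> PLC
                 ("172.16.50.99", "192.168.100.15", "tcp", 502),   # other iDMZ box -> PLC
                 ("192.168.100.15", "10.10.5.20", "tcp", 445)]:    # PLC -> corporate SMB
        print(flow, check_flow(*flow))
    print("lint:", lint_rules(RULES + [Rule("corporate", "ot", "tcp", 502)]))
```

The pinning of src_host on the OT-facing rules is the part people most often forget: a rule that says "iDMZ may reach OT on 502" lets any box that lands in the iDMZ, not just the hardened jump host, talk to the PLCs.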
THANK YOU! I am currently looking into the security flaws of this, but this seems like the best solution.
Why would you still full tunnel in this day and age anyway? It would kill your bandwidth.
Tempered.io
If you don't, use OpenZiti, the 'free' and open source zero trust networking alternative, which uses strong identity, authenticate-before-connect (ABC) and more, allowing you to close all inbound firewall ports.
Not a good reason but: risk management wrote it into security policy and nobody is willing to reconsider.
Looks like it’s time for risk management replacement
best of luck!