To avoid security risks, a VPN connection must have robust features such as multi-factor authentication, encryption, firewall, centralized user access management 

In addition, there is the scope of the VPN connection. Access to (decentralized) systems or central infrastructure areas must be carefully released so that the door and gate are not unintentionally left open.

OT Security

From an OT security perspective, a VPN should be able to handle various protocols such as OPC UA, Modbus, and DNP3 to enable seamless communication between different devices and systems 

IT Security

From an IT security perspective, a VPN should have centralized management and monitoring capabilities to ensure that all network traffic is secure.

Multiple facilities and locations

When it comes to a VPN for multiple users, facilities, and sites, proper network segmentation is key to preventing cyberattacks from spreading throughout the network.

Detection of VPN access anomalies

This is also essential. By detecting anomalies in users, access times, duration, data volume and activities, it is possible to determine early on whether there is a potential risk that requires action.

Multi-Factor Authentication

First and foremost, a secure VPN should have user authentication and authorization to ensure that only authorized personnel can access the network. However, this is not done with username and password, further authentication is mandatory, common is the use of an authenticator app for entering a 2nd code.

Role-based access management

Access permissions of functions must be able to be subdivided and differentiated according to roles. With this basic requirement, both centralized user management with corresponding roles and privileged access to assets and systems via PAM can be implemented cleanly.

Centralized management of users

Ideally, the user management for the accesses via VPN is done by the central user management system of the company (e.g. Azure AD). With synchronization (e.g. Azure-Sync), the users of the software that performs the access management over VPN are automatically synchronized and updated.

This eliminates the need to manually track and regularly review user roles and permissions

Industrial Firewall

In addition, a VPN should have an industrial firewall to block unauthorized access and protect against cyber threats.

Access definition at the level destination IP address, port and protocol are absolutely essential for managing multiple users, assets and sites.

Access to plant must be simple, intuitive and fast

Despite all the security precautions, remote access via a VPN connection should be as intuitive, simple and fast as possible for employees as well as external service providers. As many end devices as possible with operating systems used by users for remote access should be supported.