A Virtual Private Network (VPN) creates a secure, encrypted connection over the
Internet between a user or device and another network. It protects the confidentiality and integrity of data while
enabling secure communication across untrusted networks.
VPNs are commonly used to:
Provide secure remote access for employees
Connect geographically separated sites
Protect sensitive industrial and corporate communications
Secure access to OT/ICS environments
Figure – Virtual Private Networks provide encrypted communication across untrusted networks.
VPN Appliance
A VPN appliance is a dedicated network device designed to establish and manage VPN connections
securely.
It functions as a secure gateway by combining multiple security services into a single device.
Common Features
Firewall protection
VPN encryption
User authentication
User authorisation
Load balancing
Secure remote access
Traffic routing
These devices are commonly deployed at the edge of corporate and industrial networks.
Key VPN Appliance Capabilities
Centralised Management
Provides a single interface to:
Configure VPN connections
Manage users
Apply security policies
Monitor VPN status
Deploy firmware and security updates
Benefit: Simplifies administration across multiple sites and users.
Multi-platform Support
VPN appliances support:
Windows
Linux
macOS
Android
iOS
Industrial HMIs
Engineering workstations
Benefit: Secure access from almost any authorised device.
Network Compatibility
Industrial VPN solutions are designed to integrate with:
Existing network infrastructure
Industrial Ethernet
Legacy systems
Industrial protocols
Enterprise applications
This enables secure communications without major infrastructure changes.
TLS VPN (Transport Layer Security VPN)
A TLS VPN (formerly SSL VPN) provides secure remote access using standard
HTTPS (TCP Port 443).
Rather than requiring a dedicated VPN client, users often connect through a standard web browser.
Advantages
Browser-based access
Minimal client installation
Easy deployment
Strong encryption
Widely supported
Typical Industrial Uses
Remote operator interfaces
Engineering portals
SCADA web interfaces
Maintenance dashboards
Vendor support portals
Ideal when installing VPN software on the client device is impractical.
VPN Architectures
1. Site-to-Site (LAN-to-LAN) VPN
A Site-to-Site VPN securely connects two or more Local Area Networks (LANs) over the public
Internet.
Office A LAN
│
VPN Gateway
│
==========================
Encrypted VPN Tunnel
==========================
│
VPN Gateway
│
Office B LAN
Characteristics
Connects entire networks
Always-on connection
Transparent to end users
Uses VPN gateways at both ends
Creates the appearance of one private network
Common Uses
Multiple office locations
Industrial plants
Remote substations
Manufacturing facilities
Corporate WAN connectivity
2. Remote Access VPN (RAS)
A Remote Access Service (RAS) VPN connects a single remote user securely to a private network.
Reduces the need for dedicated leased communication links
Supports secure industrial remote maintenance
Enables secure access to OT/ICS environments
Considerations in Industrial Control Systems (ICS)
When deploying VPNs in operational technology (OT) environments:
Enforce multi-factor authentication (MFA) where possible.
Apply least privilege access controls.
Restrict VPN access to authorised users and devices.
Log and monitor VPN sessions.
Keep VPN appliances patched and updated.
Avoid exposing PLCs or critical assets directly to VPN users.
Terminate VPN connections within a secure industrial DMZ where practical.
Key Takeaways
A VPN provides a secure encrypted tunnel over the Internet, protecting confidentiality and integrity for remote access and site connectivity.
A VPN appliance is a dedicated VPN gateway providing firewalling, authentication, authorization, encryption, and centralised management.
A TLS VPN enables browser-based VPN access using HTTPS, with minimal client installation—ideal for secure web access to industrial applications.
A Site-to-Site VPN connects entire LANs through VPN gateways using an always-on encrypted tunnel for office-to-office or plant-to-plant connectivity.
A Remote Access VPN (RAS) connects individual users to a corporate network, requiring user authentication and commonly used by remote workers and field engineers.
Standards References
ISA/IEC 62443-3-3 – Defines technical security requirements for secure communication, including remote access and network segmentation.
ISA/IEC 62443-2-1:2024 – Recommends policies and procedures for secure remote access as part of an Industrial Automation and Control Systems (IACS) Security Program.
ISO/IEC 27001 – Includes controls for secure network communications, remote access, encryption, and access management within an Information Security Management System (ISMS).