
Regulatory Playbook
NIST SP 1800-45 Implementation Playbook
Is Your OT Remote Access Actually Secure Or Just Convenient?
Most operators believe their remote access into OT is under control. The reality NIST and CISA keep documenting is different: vendor VPNs with no MFA, jump hosts with no session logging, flat networks where a remote login lands directly on a PLC, and contractor credentials nobody revoked after the contract ended.
NIST SP 1800-45, published by the NCCoE in June 2026, is the first practice guide to give Water and Wastewater utilities a vendor-tested answer: how to secure remote access without improvising authentication, segmentation, and logging from scratch. It was built and lab-validated using three real product stacks - TDI ConsoleWorks, StrongDM with Cisco Duo, and Q-Net Security Q-Boxes - and maps directly to NIST CSF 2.0.
Shieldworkz translated that guidance into a control-by-control playbook your engineering team can execute without re-deriving the design from scratch - giving CISOs, OT architects, and auditors a real picture of where remote access stands today, not a best guess.
Why This Playbook Matters
Generic remote access policy doesn't survive contact with OT. You can't apply office VPN session rules to an engineer mid-maintenance window. You can't bolt modern MFA onto a 20-year-old HMI without a jump host in between. And you can't take a vendor's word that their cloud remote-access platform is secure - the contract has to require encryption, access control, and vulnerability management in writing.
This playbook operationalizes all fifteen remote access controls in NIST SP 1800-45 Table 3 - each with implementation steps, common mistakes, validation methods, and quantifiable success criteria - and labels every recommendation by source, so auditors can trace each claim back to NIST or to a named complementary standard.
Why Download It Now
Threat actors don't wait for budgets to clear. CISA has tracked hacktivists brute-forcing exposed VNC and HMI services as recently as 2025. Iran-linked actors compromised internet-exposed PLCs across multiple U.S. states. In a documented 2024 incident, attackers manipulated water utility HMIs to push pumps past safe limits, disabled alarms, and locked operators out by changing passwords.
Regulators and underwriters are tightening expectations at the same pace. Sanitary Survey reviews increasingly ask cybersecurity questions; boards and cyber-insurers expect a defensible answer, not a verbal assurance. This playbook gives your team an architecture selection guide, a control checklist, an audit-ready evidence map, and a phased rollout plan - in one document traced directly to NIST SP 1800-45.
Key Takeaways From the Playbook
All fifteen NIST SP 1800-45 remote access controls are operationalized in the playbook, each with a quantifiable target:
Encryption of Communications: 100% of sessions encrypted end-to-end, zero deprecated TLS/SSL fallback, quarterly cipher audits.
Restrict Access to Authorized Users/Systems: Zero accounts without a current, named business justification; annual reconciliation against HR and vendor rosters.
Authenticate All Remote Users and Systems: Zero shared or generic accounts; every session attributable to a uniquely identifiable principal.
Multi-Factor Authentication: MFA enforced at the application layer for 100% of interactive sessions, with zero standing exemptions.
Session Logging: Centrally retained, tamper-resistant logs for every session; full session retrieval under 15 minutes.
Regular Updates to Remote Access Services: Faster patch cadence for the remote-access path; critical CVEs remediated within 14 days.
Least Privilege: Access scoped to specific asset groups, not facility-wide; zero entitlements unused beyond 90 days.
DMZ Termination: Every session terminates in a protected, dual-firewall DMZ - never a direct path into OT.
Inventory Management: A current, tested map of every asset reachable via remote access, refreshed within 30 days.
Temporal Access Restriction: Time-bound, work-order-linked grants; same-day revocation for terminated employees.
Endpoint Security: Current anti-malware or EDR required on every device; jump hosts for non-compliant vendor devices.
Third-Party Contract Requirements: Signed security addenda on file for 100% of active third-party remote access relationships.
Change & Configuration Management: Quarterly drift audits against an approved baseline; zero unapproved configuration changes.
Maintenance Coordination: 100% of sessions matched to a pre-scheduled calendar entry or a documented, escalated exception.
Operational Access Restriction: Default-deny posture at every boundary; zero unscoped any-any firewall rules.
How Shieldworkz Supports Your OT Security Journey
Shieldworkz covers the full spectrum of industrial cybersecurity - from initial assessment through continuous monitoring. Our OT security platform delivers passive asset discovery and remote-access-aware detection without risking live processes. Our global OT SOC provides 24/7 coverage, and OThello Assess compresses weeks of manual assessment into sub-24-hour cycles.
This playbook reflects how we run every engagement: evidence-first, clearly scored, and accountable at every control layer. Whether you're preparing for a Sanitary Survey, meeting NIS2 or IEC 62443 obligations, or building remote access security from the ground up, Shieldworkz has the expertise to close the gaps this playbook surfaces.
Download the Playbook & Book Your Free Consultation
The NIST SP 1800-45 Implementation Playbook is free. Fill in the form to get your copy instantly - plus a complimentary 30-minute consultation with our OT security experts to score your environment against the fifteen NIST controls.
Download your copy today!
Get Your Free NIST SP 1800-45 Secure Remote Access Checklist
Ensure every critical control is in place to protect remote access across your OT, ICS, and SCADA environments.
