implementing-conduit-security-for-ot-remote-access▌
mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
Implement secure conduit architecture for OT remote access following IEC 62443 zones and conduits model, deploying jump servers, MFA-enabled gateways, session recording, and approval-based workflows to control vendor and engineer access to industrial control systems without exposing OT networks directly.
| name | implementing-conduit-security-for-ot-remote-access |
| description | 'Implement secure conduit architecture for OT remote access following IEC 62443 zones and conduits model, deploying jump servers, MFA-enabled gateways, session recording, and approval-based workflows to control vendor and engineer access to industrial control systems without exposing OT networks directly. ' |
| domain | cybersecurity |
| subdomain | ot-ics-security |
| tags | - ot-security - ics - remote-access - iec62443 - jump-server - zero-trust - conduit - mfa |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - DE.CM-01 - ID.AM-05 - GV.OC-02 |
Implementing Conduit Security for OT Remote Access
When to Use
- When replacing direct VPN connections from IT or vendors into OT control networks
- When implementing IEC 62443-compliant conduit architecture for remote access paths
- When deploying secure remote access for third-party vendor maintenance of ICS equipment
- When building approval-based access workflows for privileged OT system access
- When remediating audit findings about uncontrolled remote access to SCADA systems
Do not use for designing the overall Purdue Model segmentation (see implementing-purdue-model-network-segmentation), for deploying IT-only remote access solutions, or for configuring local console access to PLCs.
Prerequisites
- IT/OT DMZ (Level 3.5) deployed with dual-firewall architecture
- Jump server or privileged access management (PAM) platform (CyberArk, BeyondTrust)
- Multi-factor authentication (MFA) infrastructure for OT remote access users
- Session recording capability for compliance and forensic purposes
- Approval workflow system (ServiceNow, ticketing) for access requests
Workflow
Step 1: Design Conduit Architecture for Remote Access
# IEC 62443 Conduit Security Architecture for OT Remote Access
# All remote access terminates in DMZ - never passes through to OT directly
conduit_architecture:
remote_access_conduit:
conduit_id: "RA-001"
source_zone: "Enterprise IT (Level 4)"
destination_zone: "OT DMZ (Level 3.5)"
security_level_target: "SL3"
components:
external_gateway:
type: "VPN Concentrator"
location: "Enterprise DMZ"
ip: "10.200.1.10"
protocols: ["IPsec", "SSL-VPN"]
authentication: "MFA required (certificate + OTP)"
dmz_jump_server:
type: "Privileged Access Workstation"
location: "OT DMZ (Level 3.5)"
ip: "10.10.150.20"
os: "Windows Server 2022 (hardened)"
controls:
- "Local admin accounts disabled"
- "USB ports disabled"
- "Clipboard transfer disabled by default"
- "Session recording enabled (all keystrokes and screen)"
- "Maximum session duration: 4 hours"
- "Automatic logoff after 15 minutes idle"
- "Application whitelisting enforced"
ot_access_gateway:
type: "Industrial Remote Access Gateway"
location: "OT DMZ / Level 3 boundary"
ip: "10.10.150.25"
controls:
- "Only pre-approved destination IPs reachable"
- "Protocol-level filtering (RDP, SSH, VNC only)"
- "Time-limited sessions with automatic expiry"
- "Approval-based access (plant manager must authorize)"
data_flow:
- step: 1
description: "User authenticates via enterprise VPN with MFA"
source: "Remote user"
destination: "VPN concentrator"
protocol: "IPsec/SSL-VPN"
- step: 2
description: "User connects to jump server in OT DMZ"
source: "VPN tunnel"
destination: "DMZ jump server"
protocol: "RDP with NLA"
- step: 3
description: "From jump server, user accesses specific OT system"
source: "DMZ jump server"
destination: "Approved OT target"
protocol: "RDP/SSH/VNC"
condition: "Only after manager approval and within time window"
prohibited_flows:
- "Direct VPN tunnel from external to Level 1/2 OT devices"
- "Split tunneling allowing internet access during OT session"
- "File transfer from jump server to OT without scanning"
- "Persistent VPN connections (auto-reconnect disabled)"
vendor_access_conduit:
conduit_id: "VA-001"
source_zone: "Vendor External Network"
destination_zone: "OT DMZ (Level 3.5)"
security_level_target: "SL3"
workflow:
request:
- "Vendor submits access request via portal (24h advance)"
- "Request includes: purpose, target systems, duration, personnel"
- "Plant operations manager reviews and approves/rejects"
- "Time-limited credentials generated upon approval"
session:
- "Vendor connects via dedicated vendor VPN gateway"
- "MFA authentication (vendor receives OTP via SMS/app)"
- "Session lands on vendor-specific jump server (isolated from internal jump)"
- "All actions recorded (video + keystroke logging)"
- "OT engineer monitors vendor session in real-time"
termination:
- "Session auto-terminates at approved end time"
- "Credentials automatically revoked"
- "Session recording archived for 90 days"
- "Access log forwarded to SIEM"
Step 2: Implement Access Control and Monitoring
#!/usr/bin/env python3
"""OT Remote Access Conduit Manager.
Manages approval-based remote access to OT systems through
secure conduit architecture with session recording, MFA
enforcement, and time-limited access windows.
"""
import json
import sys
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from enum import Enum
class AccessRequestStatus(Enum):
PENDING = "pending"
APPROVED = "approved"
REJECTED = "rejected"
ACTIVE = "active"
EXPIRED = "expired"
REVOKED = "revoked"
class RemoteAccessRequest:
"""Represents an OT remote access request."""
def __init__(self, requestor: str, requestor_type: str, purpose: str,
target_systems: List[str], duration_hours: int,
requested_start: str):
self.id = f"OT-RA-{datetime.now().strftime('%Y%m%d-%H%M%S')}"
self.requestor = requestor
self.requestor_type = requestor_type # "internal_engineer" or "vendor"
self.purpose = purpose
self.target_systems = target_systems
self.duration_hours = duration_hours
self.requested_start = requested_start
self.status = AccessRequestStatus.PENDING
self.created = datetime.now().isoformat()
self.approved_by = None
self.session_id = None
self.audit_trail = []
def approve(self, approver: str, conditions: str = ""):
"""Approve the access request."""
self.status = AccessRequestStatus.APPROVED
self.approved_by = approver
self.audit_trail.append({
"timestamp": datetime.now().isoformat(),
"action": "APPROVED",
"actor": approver,
"conditions": conditions,
})
def reject(self, rejector: str, reason: str):
"""Reject the access request."""
self.status = AccessRequestStatus.REJECTED
self.audit_trail.append({
"timestamp": datetime.now().isoformat(),
"action": "REJECTED",
"actor": rejector,
"reason": reason,
})
class OTConduitManager:
"""Manages OT remote access conduit security."""
def __init__(self):
self.access_requests: Dict[str, RemoteAccessRequest] = {}
self.active_sessions: Dict[str, dict] = {}
self.policy = self._load_policy()
def _load_policy(self) -> dict:
"""Load remote access policy."""
return {
"max_session_hours": 4,
"idle_timeout_minutes": 15,
"mfa_required": True,
"session_recording": True,
"clipboard_transfer": False,
"file_transfer": "scan_required",
"advance_notice_hours": 24,
"vendor_escort_required": True,
"prohibited_targets": ["SIS-*", "SAFETY-*"],
"allowed_protocols": ["RDP", "SSH", "VNC"],
"blocked_protocols": ["Telnet", "FTP", "SMB"],
}
def submit_request(self, request: RemoteAccessRequest) -> str:
"""Submit a new remote access request."""
# Validate against policy
violations = []
if request.duration_hours > self.policy["max_session_hours"]:
violations.append(
f"Duration {request.duration_hours}h exceeds maximum {self.policy['max_session_hours']}h"
)
for target in request.target_systems:
for prohibited in self.policy["prohibited_targets"]:
pattern = prohibited.replace("*", "")
if target.startswith(pattern):
violations.append(f"Target {target} is in prohibited list (safety systems)")
if violations:
print(f"[!] Policy violations found:")
for v in violations:
print(f" - {v}")
return ""
self.access_requests[request.id] = request
print(f"[+] Access request {request.id} submitted for approval")
return request.id
def list_pending_requests(self):
"""List all pending access requests for approval."""
pending = [r for r in self.access_requests.values()
if r.status == AccessRequestStatus.PENDING]
print(f"\n{'='*65}")
print("PENDING OT REMOTE ACCESS REQUESTS")
print(f"{'='*65}")
if not pending:
print(" No pending requests")
return
for req in pending:
print(f"\n Request: {req.id}")
print(f" Requestor: {req.requestor} ({req.requestor_type})")
print(f" Purpose: {req.purpose}")
print(f" Targets: {', '.join(req.target_systems)}")
print(f" Duration: {req.duration_hours} hours")
print(f" Start: {req.requested_start}")
print(f" Submitted: {req.created}")
def generate_audit_report(self):
"""Generate audit report of all remote access activity."""
print(f"\n{'='*65}")
print("OT REMOTE ACCESS AUDIT REPORT")
print(f"{'='*65}")
print(f"Report Date: {datetime.now().isoformat()}")
print(f"Total Requests: {len(self.access_requests)}")
status_counts = {}
for req in self.access_requests.values():
status = req.status.value
status_counts[status] = status_counts.get(status, 0) + 1
print(f"\nRequest Status:")
for status, count in status_counts.items():
print(f" {status}: {count}")
print(f"\nDetailed Audit Trail:")
for req in self.access_requests.values():
print(f"\n {req.id} - {req.requestor} ({req.requestor_type})")
print(f" Status: {req.status.value}")
print(f" Targets: {', '.join(req.target_systems)}")
for entry in req.audit_trail:
print(f" [{entry['timestamp']}] {entry['action']} by {entry['actor']}")
if __name__ == "__main__":
manager = OTConduitManager()
# Vendor access request
vendor_req = RemoteAccessRequest(
requestor="John Smith - Siemens Field Service",
requestor_type="vendor",
purpose="Annual PLC firmware update for S7-1500 controllers",
target_systems=["PLC-REACTOR-01", "PLC-REACTOR-02"],
duration_hours=3,
requested_start="2025-03-15T08:00:00",
)
req_id = manager.submit_request(vendor_req)
if req_id:
manager.list_pending_requests()
# Simulate approval
manager.access_requests[req_id].approve(
approver="Plant Manager - Jane Doe",
conditions="OT engineer must shadow the vendor session",
)
manager.generate_audit_report()
Key Concepts
| Term | Definition |
|---|---|
| Conduit | IEC 62443 controlled communication path between security zones with defined security policies |
| Jump Server | Hardened intermediary server in the DMZ through which all remote OT access must transit |
| Session Recording | Capture of all screen activity, keystrokes, and commands during a remote access session for audit |
| Approval-Based Access | Workflow requiring plant operations manager authorization before remote access credentials are activated |
| Vendor Escort | Practice of having an internal OT engineer monitor vendor remote sessions in real time |
| Break-Glass Access | Emergency access procedure bypassing normal approval workflow for critical situations |
Output Format
OT REMOTE ACCESS CONDUIT REPORT
==================================
Date: YYYY-MM-DD
CONDUIT STATUS:
Internal Access Conduit: [Active/Inactive]
Vendor Access Conduit: [Active/Inactive]
ACCESS REQUESTS (Last 30 Days):
Submitted: [count]
Approved: [count]
Rejected: [count]
Average Session Duration: [hours]
POLICY COMPLIANCE:
MFA Enforcement: [100%]
Session Recording: [100%]
Time-Limited Sessions: [compliance %]
Prohibited Target Attempts: [count blocked]
How to use implementing-conduit-security-for-ot-remote-access on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add implementing-conduit-security-for-ot-remote-access
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches implementing-conduit-security-for-ot-remote-access from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate implementing-conduit-security-for-ot-remote-access. Access the skill through slash commands (e.g., /implementing-conduit-security-for-ot-remote-access) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
Task Automation & Efficiency
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Knowledge Enhancement
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Quality Improvement
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client with skill support
- ›Clear understanding of task or problem to solve
- ›Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Installation Steps
- 1.Install skill using provided installation command
- 2.Test with simple use case relevant to your work
- 3.Evaluate output quality and relevance
- 4.Iterate on prompts to improve results
- 5.Integrate into regular workflow if valuable
Common Pitfalls
- ⚠Expecting perfect results without iteration
- ⚠Not providing enough context in prompts
- ⚠Using skill for tasks outside its intended scope
- ⚠Accepting outputs without review and validation
Best Practices▌
✓ Do
- +Start with clear, specific prompts
- +Provide relevant context and constraints
- +Review and refine all outputs before using
- +Iterate to improve output quality
- +Document successful prompt patterns
✗ Don't
- −Don't use without understanding skill limitations
- −Don't skip validation of outputs
- −Don't share sensitive information in prompts
- −Don't expect skill to replace human judgment
💡 Pro Tips
- ★Be specific about desired format and style
- ★Ask for multiple options to choose from
- ★Request explanations to understand reasoning
- ★Combine AI efficiency with human expertise
When to Use This▌
✓ Use When
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid When
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path▌
- 1Familiarize yourself with skill capabilities and limitations
- 2Start with low-risk, non-critical tasks
- 3Progress to more complex and valuable use cases
- 4Build expertise through regular use and experimentation
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.8★★★★★48 reviews- ★★★★★Michael Bansal· Dec 28, 2024
implementing-conduit-security-for-ot-remote-access has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Chen Farah· Dec 20, 2024
implementing-conduit-security-for-ot-remote-access is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★Amelia Torres· Dec 20, 2024
implementing-conduit-security-for-ot-remote-access reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Noah Smith· Nov 19, 2024
We added implementing-conduit-security-for-ot-remote-access from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Michael Gill· Nov 19, 2024
Keeps context tight: implementing-conduit-security-for-ot-remote-access is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Chen Kapoor· Nov 11, 2024
Solid pick for teams standardizing on skills: implementing-conduit-security-for-ot-remote-access is focused, and the summary matches what you get after install.
- ★★★★★Daniel Ghosh· Nov 11, 2024
I recommend implementing-conduit-security-for-ot-remote-access for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★Rahul Santra· Nov 7, 2024
We added implementing-conduit-security-for-ot-remote-access from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Pratham Ware· Oct 26, 2024
implementing-conduit-security-for-ot-remote-access fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★Noah Jain· Oct 10, 2024
implementing-conduit-security-for-ot-remote-access fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
showing 1-10 of 48