Nearly every publicly reported OT intrusion of the last five years touched remote access at some point. Treating that pathway as a first class collection target is one of the highest leverage moves a CTI program can make.
Look at the public post mortems of the last five years of OT intrusions. Ukraine, Oldsmar, Colonial (adjacent), the various water utility events, the Volt Typhoon activity against critical infrastructure. They differ in actor, motive, and impact. They agree on one thing: the initial access almost always involved remote access of some kind. VPN, jump host, vendor portal, contractor laptop, exposed HMI.
Why it keeps happening
Remote access to OT exists because operations demand it. Field technicians need to reach substations. Vendors need to service equipment they built. Contractors need short term access for projects. Removing it is not on the table. Governing it well is.
What CTI can contribute
A CTI program can raise the cost of this front door without asking operations to change how they work:
- Track breaches of the specific remote access products in use (vendor VPNs, jump host software, secure remote access platforms).
- Track public credential exposure for domains that touch OT.
- Monitor honeypots exposing the same product versions to catch active exploitation attempts.
- Feed a PIR that asks: which of our remote access dependencies have been publicly reported as compromised or exploited in the last quarter?
Each of these produces something a security leader can act on: an accelerated patch, a credential rotation, a temporary vendor access pause, a firewall rule tightening.
What to watch inside the environment
From the internal side:
- Remote access sessions outside normal windows.
- Sessions from geographies that do not match the account owner.
- Concurrent sessions on the same account.
- Jump host to OT segment traffic that speaks control protocols directly, rather than going through the expected engineering workstation path.
ThreatSpire ties remote access indicators, vendor breach intel, and honeypot telemetry into a single actor and evidence view so that a spike on one signal quickly surfaces the other two if they exist. The front door will keep existing. The point is to notice when someone is standing at it.

