The vendor-VPN stress test
Every OT engineer has had this request: a vendor wants a VPN straight to their equipment, today. Here’s what that does to a design, why Synapse won’t let you paper over it, and the pattern that gives the vendor access without giving away the plant.
Remote access is where a lot of OT networks quietly become indefensible. A turbine vendor, an inverter OEM, a protection-relay specialist: each one wants in, and the path of least resistance is a VPN that drops them straight onto the equipment. It works, the vendor is happy, and the zone model you spent days building no longer means anything. This worked example stages exactly that request and shows how Synapse treats it.
01 The scenario
The wind farm already ships the safe version of vendor access: a remote workstation reaches a secure access broker in the OT DMZ over an encrypted, MFA-gated tunnel, and only the broker is allowed to reach into SCADA. The standard is happy with this. IEC 62443-3-3 SR 1.13 (remote access) shows satisfied.
Now the request lands: skip all that, just give the turbine vendor a VPN straight to the controllers. Let’s see what it costs.
02 Inject the risk
In the top bar, flip the Vendor VPN risk toggle. Synapse adds an unsafe vendor VPN from the enterprise side straight into the Turbine Control zone, bypassing the DMZ entirely. It carries RDP on port 3389, with no MFA and no encryption declared.
You don’t have to go looking for the damage. The studio jumps to the Check tab, selects the offending conduit, and flashes it red on the canvas. The consequences are made obvious on purpose.
03 Read the four violations
One shortcut, four findings. This is the point: a single bad conduit doesn’t break one rule, it breaks the whole logic of controlled access at once.
- Remote access terminates in an OT zone: critical — the tunnel lands directly on the control network instead of a DMZ, so there’s no buffer between an outside party and live equipment.
- Remote access without multi-factor authentication: high — a single stolen credential is enough to reach the turbines.
- Remote access tunnel not declared encrypted: medium — the session, including that credential, would cross the network in the clear.
- Remote access without a session timeout: medium — a forgotten open session stays open, an unattended door into the plant.
Together these map onto SR 1.13 (remote access) and SR 2.6 (remote session termination), and you’ll see the coverage for both drop the moment the toggle is on.
04 Why you can’t just click fix
Three of these four have a one-click fix. You can Require MFA, Encrypt tunnel, and Set 30-min timeout on the conduit, and those findings will clear. But the critical one, the tunnel terminating inside the OT zone, has no fix button, and that’s deliberate.
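To make the four findings and the fix logic above concrete, here is an added Python sketch (not Synapse’s own code; the zone kinds, field names and rule table are assumptions) that evaluates conduits the way this example describes, and shows why the three one-click fixes clear their findings while the critical topology finding remains:

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed model of the scenario. Zone kinds and conduit fields are
# assumptions for illustration, not Synapse's data model.
@dataclass(frozen=True)
class Zone:
    name: str
    kind: str  # "enterprise", "dmz" or "ot"

@dataclass(frozen=True)
class Conduit:
    name: str
    src: Zone
    dst: Zone
    remote_access: bool = True   # carries an interactive remote session
    mfa: bool = False
    encrypted: bool = False
    timeout_min: Optional[int] = None

# (finding, severity, IEC 62443-3-3 requirement, one-click fixable?, predicate)
RULES = [
    ("Remote access terminates in an OT zone", "critical", "SR 1.13", False,
     lambda c: c.dst.kind == "ot"),
    ("Remote access without multi-factor authentication", "high", "SR 1.13", True,
     lambda c: not c.mfa),
    ("Remote access tunnel not declared encrypted", "medium", "SR 1.13", True,
     lambda c: not c.encrypted),
    ("Remote access without a session timeout", "medium", "SR 2.6", True,
     lambda c: c.timeout_min is None),
]

def check(conduits):
    """Return (findings, unsatisfied SRs) over every remote-access conduit."""
    findings = [(c.name, text, sev, sr, fixable)
                for c in conduits if c.remote_access
                for text, sev, sr, fixable, pred in RULES if pred(c)]
    return findings, sorted({f[3] for f in findings})

def click_fix(c):
    """Apply the three settings fixes; the destination zone is left untouched."""
    return replace(c, mfa=True, encrypted=True, timeout_min=30)

# Constructed wind-farm baseline: workstation -> DMZ broker -> scoped conduit -> OT.
ENTERPRISE, DMZ, OT = Zone("Enterprise", "enterprise"), Zone("OT DMZ", "dmz"), Zone("Turbine Control", "ot")
SAFE = [Conduit("Workstation to broker", ENTERPRISE, DMZ, mfa=True, encrypted=True, timeout_min=30),
        Conduit("Broker to SCADA (scoped)", DMZ, OT, remote_access=False)]
VENDOR_VPN = Conduit("Vendor VPN (RDP 3389)", ENTERPRISE, OT)   # the injected risk

if __name__ == "__main__":
    for label, design in [("baseline", SAFE), ("with VPN", SAFE + [VENDOR_VPN]),
                          ("VPN after click-fixes", SAFE + [click_fix(VENDOR_VPN)])]:
        findings, srs = check(design)
        print(f"{label}: {len(findings)} finding(s), unsatisfied: {srs or 'none'}")
```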
05 The pattern that’s safe
The correct shape is the one the template already had before you flipped the toggle:
Untrusted ▸ VPN / firewall ▸ DMZ broker (MFA, recorded) ▸ scoped conduit ▸ OT
The vendor never terminates inside OT. They reach a secure access broker that lives in the DMZ, authenticate with MFA, and have their session recorded. From there a single narrow, scoped conduit carries only what they actually need into the OT zone. If the vendor’s machine is compromised, the blast radius stops at the broker, not the turbines. That’s the difference between access and exposure.
06 Pull it back out
Flip Vendor VPN risk off again. The unsafe conduit and its flow are removed, the four findings clear, and SR 1.13 and SR 2.6 return to satisfied. The design is back to its safe baseline, and you’ve seen both states without leaving the page.
Recap
- One shortcut, four violations: an unsafe VPN breaks remote-access and session-termination requirements at once.
- Some fixes are settings, some are topology: MFA, encryption and timeouts are one-click; terminating outside OT is a design decision Synapse leaves to you.
- Safe remote access has a shape: untrusted → VPN → DMZ broker with MFA and recording → scoped conduit → OT. Never straight to the plant.
Want to take a checked design further? The rest of the guides show how to turn it into a digital twin that a cyber range can attack.
Run the stress test
Load the wind farm, flip the Vendor VPN risk toggle, and watch the design react. Flip it back when you’re done.
Open the studio