Every day, engineers across the UK and beyond are logging into PLCs, SCADA systems, RTUs, building management controllers, and industrial IoT devices without leaving their desks. They are doing it securely, through fully encrypted tunnels, often over a standard mobile data connection with a SIM card that cost less than a cup of coffee. For the industries that rely on this capability – water utilities, energy, manufacturing, building automation, and field services – it has quietly become one of the most important technologies of the last decade.
This article looks at how these remote access platforms work, how secure they really are, and – critically – at the one weakness that every operator of these systems needs to understand and plan for.
Because the technology is only as reliable as the connection underneath it.
What secure OT remote access platforms do
The traditional approach to accessing a remote industrial device – a PLC at a pumping station, an RTU at a substation, a BMS controller at a distant building – involved one of two things: sending an engineer to site, or maintaining a complex and expensive VPN infrastructure with static IP addresses, open firewall ports, and dedicated IT support to keep it running.
A new generation of platforms has replaced both options with something far simpler. The engineer installs a small hardware device at the remote site. That device connects to the internet – usually over an Ethernet connection or a cellular data SIM. When the engineer needs access, they open a piece of software on their laptop or phone, authenticate, and within seconds they have a fully encrypted connection to the devices behind that remote unit, as if they were physically on the same network.
No static IP address at the remote site. No open inbound ports. No complex VPN configuration. No dedicated server to maintain.
The platforms that deliver this are purpose-built for operational technology (OT) environments, meaning they understand industrial protocols, are designed to work in harsh conditions, and treat security as a foundation rather than an afterthought.
The main platforms
Tosibox (now Tosi)
Tosibox, recently rebranded as Tosi, is a Finnish company founded in 2011 and widely regarded as one of the pioneers of this approach. Their system is built around a hardware Lock (installed at the remote site) and a Key (a USB cryptoprocessor used by the engineer). The two devices are physically matched to each other before deployment – a process that exchanges public keys and creates a cryptographic trust relationship that cannot be replicated or spoofed.
The connection works through a patented MatchMaker service. Both the Lock and the Key make outbound-only connections to Tosibox’s cloud service. That service introduces them to each other, and then a direct peer-to-peer VPN tunnel is established between the two devices. The MatchMaker steps out of the data path entirely – it never sees the actual traffic. The tunnel uses AES-256 encryption with 2048- to 4096-bit RSA key exchange, and nothing passes between the engineer and the remote site unencrypted.
Because both devices connect outbound, the system works through any firewall, any NAT, and any internet connection – including standard dynamic-IP mobile data SIMs. There are no inbound ports to open and no static IP address required.
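The rendezvous pattern described in the two paragraphs above, as an added example that is not Tosibox's own code or protocol: Lock and Key are matched out of band, both register outbound with a broker, the broker introduces them and then plays no part in the data path, and an unmatched Key is refused even when the Lock is online. Keys, addresses and the PLC request are constructed, fingerprints stand in for certificate verification, and the tunnel's encryption is not modelled.

```python
"""Model of the MatchMaker rendezvous pattern (added example, not Tosibox's protocol).
Keys and addresses are constructed; tunnel encryption is out of scope here."""
import hashlib
import secrets
from dataclasses import dataclass, field


def fingerprint(pubkey: bytes) -> str:
    """Stand-in for certificate verification: an identity is the hash of its public key."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass
class Endpoint:
    name: str
    pubkey: bytes = field(default_factory=lambda: secrets.token_bytes(32))  # constructed key
    trusted: set = field(default_factory=set)      # fingerprints learned during matching
    received: list = field(default_factory=list)   # payloads that arrived over the tunnel


def match(lock: Endpoint, key: Endpoint) -> None:
    """Physical matching step: public keys exchanged directly, before deployment."""
    lock.trusted.add(fingerprint(key.pubkey))
    key.trusted.add(fingerprint(lock.pubkey))


class MatchMaker:
    """Rendezvous broker: learns who is online and where, never carries tunnel data."""

    def __init__(self) -> None:
        self.online: dict = {}   # fingerprint -> (endpoint, address seen on its outbound connection)
        self.log: list = []

    def register(self, ep: Endpoint, address: str) -> None:
        # Each device dials OUT to the broker, so NAT and firewalls need no inbound rules.
        self.online[fingerprint(ep.pubkey)] = (ep, address)
        self.log.append(("register", ep.name, address))

    def introduce(self, requester: Endpoint, target_fp: str):
        entry = self.online.get(target_fp)
        self.log.append(("introduce", requester.name, target_fp, "ok" if entry else "offline"))
        return entry   # from here on the two peers talk directly


@dataclass
class Tunnel:
    a: Endpoint
    b: Endpoint

    def send(self, sender: Endpoint, payload: bytes) -> None:
        receiver = self.b if sender is self.a else self.a
        receiver.received.append(payload)   # peer-to-peer: the broker never sees this


def open_tunnel(mm: MatchMaker, key: Endpoint, lock_fp: str):
    """Key asks the broker for a Lock; the tunnel opens only if both sides trust each other."""
    entry = mm.introduce(key, lock_fp)
    if entry is None:
        return None                       # Lock is offline: nothing to connect to
    lock, _address = entry
    if fingerprint(lock.pubkey) not in key.trusted or fingerprint(key.pubkey) not in lock.trusted:
        return None                       # unmatched Key: refused although the Lock is online
    return Tunnel(key, lock)


def demo() -> dict:
    """Run the exchange once with constructed endpoints and report what each party saw."""
    lock, key, rogue = Endpoint("lock-pump-station"), Endpoint("key-engineer"), Endpoint("key-unknown")
    match(lock, key)
    mm = MatchMaker()
    mm.register(lock, "cgnat:100.64.3.7:41022")     # constructed carrier-NAT address
    mm.register(key, "office:203.0.113.10:50011")   # constructed address (TEST-NET-3)
    mm.register(rogue, "unknown:198.51.100.9:6001")  # constructed address (TEST-NET-2)
    tunnel = open_tunnel(mm, key, fingerprint(lock.pubkey))
    if tunnel:
        tunnel.send(key, b"READ DB1.DBW0")            # constructed PLC request
    blocked = open_tunnel(mm, rogue, fingerprint(lock.pubkey))
    broker_saw_payload = any(b"READ" in str(e).encode() for e in mm.log)
    return {"tunnel_open": tunnel is not None, "rogue_refused": blocked is None,
            "lock_received": lock.received, "broker_saw_payload": broker_saw_payload}
```

The point to check in a real deployment is the same one the model makes visible: the broker's logs should show registrations and introductions only, and a Key that was never matched to a Lock should fail at introduction time rather than at the Lock.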
Ewon Flexy and Talk2M
Ewon, a brand of HMS Networks, takes a similar approach with their Flexy hardware range and Talk2M cloud service. The Talk2M platform acts as a relay – unlike Tosibox’s peer-to-peer model, Ewon routes traffic through its cloud infrastructure. The data is encrypted throughout, but the architecture means traffic passes through HMS’s servers rather than going directly between devices.
Ewon is extremely well established, particularly in European manufacturing and food production. The Flexy hardware is highly configurable and supports a wide range of industrial protocols. The Talk2M service offers good logging and access control capabilities, and the platform has a strong track record in regulated environments.
Secomea
Secomea is a Danish company with a strong footprint in the same OT remote access space. Their GateManager cloud platform connects site-level SiteManager hardware units to remote engineers using LinkManager client software. Like Ewon, Secomea routes connections through its cloud – a deliberate architectural choice that simplifies NAT traversal and makes the platform very predictable in complex network environments.
Secomea has a particularly strong reputation in the pharmaceutical, food and beverage, and building services sectors. Their audit logging and role-based access control features make them popular with organisations that need to demonstrate compliance.
Dispel
Dispel takes a more software-defined approach, built on zero trust network access principles. Rather than relying on a dedicated hardware appliance at the site, Dispel works through ephemeral, isolated cloud environments that spin up for each access session and are destroyed when the session ends. There is no persistent footprint at the remote site.
This approach is particularly well-suited to large enterprises with complex OT estates and strict security requirements. Dispel is widely used by US utilities and critical infrastructure operators.
BifrostConnect
BifrostConnect, based in Denmark, takes a distinctive approach with a portable hardware unit that plugs directly into industrial equipment. The unit creates an encrypted connection back to the BifrostConnect platform without needing to integrate with the site’s wider network infrastructure. This is particularly valuable in situations where the engineer needs access to a single piece of equipment in a constrained environment.
How secure are these platforms?
The short answer is: extremely secure when deployed and maintained correctly.
The cryptographic foundations are robust across all of these platforms. AES-256 encryption, PKI-based authentication, and TLS-secured control channels are standard. Most platforms use certificate-based mutual authentication, meaning that both the remote device and the engineer’s client software must prove their identity before a tunnel is established. A compromised password alone is not enough to gain access.
The physical element matters too. Tosibox’s Key device stores the cryptographic material in a dedicated secure processor that cannot be extracted or copied. Even if the physical device is lost, the stored keys are protected by a user-defined password and cannot be used by a third party without it. Ewon and Secomea use certificate-based authentication bound to specific devices, similarly preventing credential reuse on unauthorised equipment.
None of these platforms require the remote site device to have a public IP address or open inbound ports. This means the device is essentially invisible to the public internet – it cannot be scanned, probed, or attacked by external parties. The attack surface is dramatically smaller than a conventional VPN endpoint.
Access control is granular. Administrators can define which engineers have access to which sites, which devices behind each remote unit are accessible, and for what period. Most platforms maintain full audit logs of all connection events. Some – Secomea and Dispel in particular – offer session recording.
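The two rules the preceding paragraphs describe, as an added example that is not any vendor's implementation: a session needs both the client certificate enrolled for the engineer's device and the password (so a leaked password alone fails), and a connection is then allowed only by a grant scoped to engineer, site, device and time window, with every decision written to an audit log. Certificates, names, the salt and the site are constructed.

```python
"""Device-bound mutual authentication plus scoped, time-bounded grants with an audit trail.
Added example with constructed data; not Tosibox's, Ewon's or Secomea's code."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

SALT = b"constructed-salt"   # constructed; real systems use a random per-user salt


def cert_fingerprint(cert_pem: bytes) -> str:
    return hashlib.sha256(cert_pem).hexdigest()


def password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


@dataclass(frozen=True)
class Grant:
    engineer: str
    site: str
    devices: frozenset        # devices behind the site unit that this grant exposes
    not_before: datetime
    not_after: datetime


@dataclass
class AccessService:
    enrolled: dict            # engineer -> fingerprint of the certificate bound to their client device
    passwords: dict           # engineer -> password_hash(...)
    grants: list
    audit: list = field(default_factory=list)

    def _log(self, **event) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), **event})

    def authenticate(self, engineer: str, cert_pem: bytes, password: str) -> bool:
        cert_ok = hmac.compare_digest(self.enrolled.get(engineer, ""), cert_fingerprint(cert_pem))
        pw_ok = hmac.compare_digest(self.passwords.get(engineer, b""), password_hash(password))
        self._log(event="auth", engineer=engineer, cert_ok=cert_ok, password_ok=pw_ok)
        return cert_ok and pw_ok     # a leaked password without the enrolled device fails here

    def authorise(self, engineer: str, site: str, device: str, at: datetime) -> bool:
        allowed = any(                # deny by default: every field of a grant must match
            g.engineer == engineer and g.site == site and device in g.devices
            and g.not_before <= at <= g.not_after
            for g in self.grants)
        self._log(event="authz", engineer=engineer, site=site, device=device, allowed=allowed)
        return allowed

    def connect(self, engineer, cert_pem, password, site, device, at) -> bool:
        return self.authenticate(engineer, cert_pem, password) and self.authorise(engineer, site, device, at)


# Constructed certificates: only the first is enrolled for "alice".
ALICE_CERT = b"-----BEGIN CERTIFICATE-----\nconstructed-alice-client-cert\n-----END CERTIFICATE-----\n"
OTHER_CERT = b"-----BEGIN CERTIFICATE-----\nconstructed-unenrolled-cert\n-----END CERTIFICATE-----\n"


def demo_service() -> AccessService:
    window = (datetime(2024, 6, 1, 8, tzinfo=timezone.utc), datetime(2024, 6, 1, 18, tzinfo=timezone.utc))
    return AccessService(
        enrolled={"alice": cert_fingerprint(ALICE_CERT)},
        passwords={"alice": password_hash("correct horse")},
        grants=[Grant("alice", "pumping-station-3", frozenset({"plc-1", "hmi-1"}), *window)])


def run_checks() -> dict:
    """Exercise the four cases an auditor would ask about and count the audit entries."""
    svc = demo_service()
    in_hours = datetime(2024, 6, 1, 10, tzinfo=timezone.utc)
    after_hours = datetime(2024, 6, 1, 20, tzinfo=timezone.utc)
    site, pw = "pumping-station-3", "correct horse"
    results = {
        "enrolled_device_in_window": svc.connect("alice", ALICE_CERT, pw, site, "plc-1", in_hours),
        "password_only_unenrolled_device": svc.connect("alice", OTHER_CERT, pw, site, "plc-1", in_hours),
        "device_outside_grant": svc.connect("alice", ALICE_CERT, pw, site, "rtu-9", in_hours),
        "outside_time_window": svc.connect("alice", ALICE_CERT, pw, site, "plc-1", after_hours),
    }
    results["audit_entries"] = len(svc.audit)
    return results
```

Authentication short-circuits before authorisation, so a failed certificate check leaves one audit entry while every decision that reaches the grant check leaves two; that is the shape to expect when reconciling a platform's logs against expected sessions.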
Tosibox holds ISO 27001 certification. Ewon and Secomea are widely deployed in ISO 13849 and IEC 62443 regulated environments. These are not hobbyist tools dressed up for industrial use – they are enterprise security products that have been tested and audited in demanding operational contexts.
The weakness that nobody talks about
Here is the thing that every facilities manager, OT engineer, and systems integrator needs to understand about these platforms.
They are brilliant. They are secure. They genuinely transform the cost and practicality of maintaining remote industrial assets.
And they are completely dependent on the cellular connection at the remote site.
Every one of these platforms – Tosibox, Ewon, Secomea, Dispel, BifrostConnect – needs the remote device to have internet connectivity. When that connectivity is working, the engineer at their desk has full access to the site. When it fails, that access disappears entirely. At that point, there is only one option: get in a van and drive to the site.
This is not a criticism of the platforms themselves. It is simply physics. A VPN tunnel cannot exist without a network to run through. But it is a risk that is routinely underestimated, and it undermines the entire value proposition of these systems at the worst possible moments – which tend to be the same moments when remote access is most urgently needed.
A site connectivity failure and a site equipment failure are not independent events. Flooding, lightning strikes, power events, and physical damage can affect both the cellular infrastructure and the controlled equipment at the same time. Storm events that take down a water treatment works’ automation systems can also degrade the local cellular network. The situation where you most need remote access is often the situation where the connection is most likely to be impaired.
The platforms are designed to reconnect automatically when connectivity is restored. Tosibox’s MatchMaker re-establishes the VPN tunnel as soon as both endpoints are reachable. This is helpful for brief outages. It does not help when a site is genuinely offline for an extended period.
Connectivity resilience, part one: the SIM card
The most common deployment pattern for these platforms in remote or field locations is a single SIM card in the remote device, on whatever mobile network the installer happened to have available. This is the weakest possible connectivity foundation.
A single SIM on a single network means a single point of failure. If that network has an outage at a mast or core level, the site goes dark. If signal quality at the site is marginal and degrades further due to interference, weather, or network changes, the tunnel becomes unstable. If the SIM stops authenticating for any reason – billing issue, account error, carrier systems fault – the connection fails.
The solution is straightforward and comes in three levels.
Multi-network roaming SIM. A SIM capable of roaming across multiple UK networks provides meaningful resilience over a single-carrier SIM. Rather than being locked to one network, it will attach to whichever of the available networks provides the best signal at the site. If EE is congested or has a local issue, the SIM moves to Vodafone or Three. This alone eliminates a large proportion of connectivity failures at no significant extra cost. It requires no additional hardware and no changes to the remote access platform configuration.
Dual SIM with network diversity. The hardware platforms used with these remote access services – including Tosibox’s own Node range and the industrial cellular routers from manufacturers such as Teltonika that are used in conjunction with these services – commonly support dual SIM operation. The key is ensuring the two SIMs are on genuinely different networks, not two SIMs from the same carrier. SIM 1 on a roaming SIM covering EE and Vodafone, SIM 2 on Three or an independent MVNO, provides resilience against both carrier-level outages and device-level SIM faults. When the primary path fails, the router fails over automatically, re-establishes the connection to the MatchMaker or cloud relay service, and the VPN reconstitutes – typically within seconds.
Private APN vs standard data SIM. One question that often arises is whether these platforms require a private APN or a static IP SIM. The answer, for all of the platforms described above, is no. Tosibox’s MatchMaker model, Ewon’s Talk2M relay, and Secomea’s GateManager are all designed to work with standard dynamic-IP data SIMs operating behind carrier-grade NAT. Both devices make outbound connections, so the carrier’s IP assignment is irrelevant to whether the tunnel can be established. A standard multi-network data SIM is entirely appropriate and avoids the cost and complexity of private APN provisioning.
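The dual-SIM failover behaviour described in this section, as an added example that is not any router vendor's firmware: two paths on genuinely different host networks, each judged from probe windows of packet loss and latency, with failover after a run of bad windows on the primary and failback only after a run of good windows. Probe values and thresholds are constructed, and the actual SIM-switch command (router-specific) is left as a callback.

```python
"""Dual-SIM failover policy model (added example; the SIM switch itself is router-specific)."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Path:
    name: str
    networks: frozenset       # host networks the SIM can attach to (a roaming SIM lists several)
    failures: int = 0         # consecutive unhealthy probe windows
    successes: int = 0        # consecutive healthy probe windows


def genuinely_diverse(a: Path, b: Path) -> bool:
    """Two SIMs that can land on the same carrier share its outages; require disjoint networks."""
    return a.networks.isdisjoint(b.networks)


def window_healthy(loss_pct: float, rtt_ms: float, max_loss: float = 20.0, max_rtt: float = 1500.0) -> bool:
    # Thresholds are constructed; tune them to what the engineering tools tolerate.
    return loss_pct <= max_loss and rtt_ms <= max_rtt


@dataclass
class Failover:
    primary: Path
    secondary: Path
    fail_after: int = 3       # bad windows before leaving the primary
    recover_after: int = 5    # good windows on the primary before returning to it
    switch_sim: Optional[Callable[[str], None]] = None   # router-specific hook (not shown)
    active: Path = field(init=False)
    events: list = field(default_factory=list)

    def __post_init__(self) -> None:
        self.active = self.primary

    def observe(self, path: Path, loss_pct: float, rtt_ms: float) -> str:
        """Feed one probe window for a path; returns the name of the path now carrying traffic."""
        if window_healthy(loss_pct, rtt_ms):
            path.successes, path.failures = path.successes + 1, 0
        else:
            path.failures, path.successes = path.failures + 1, 0
        if self.active is self.primary and self.primary.failures >= self.fail_after:
            self._switch(self.secondary, "primary unhealthy")
        elif self.active is self.secondary and self.primary.successes >= self.recover_after:
            self._switch(self.primary, "primary recovered")
        return self.active.name

    def _switch(self, target: Path, reason: str) -> None:
        self.events.append((self.active.name, target.name, reason))
        self.active = target
        if self.switch_sim:
            self.switch_sim(target.name)
        # After the switch the device re-registers outbound with the MatchMaker or cloud relay
        # and the tunnel is rebuilt on the new path; nothing inbound has to change.


def simulate(samples: list) -> list:
    """samples: (path_name, loss_pct, rtt_ms) per probe window; returns the switch events."""
    sim1 = Path("sim1-roaming", frozenset({"EE", "Vodafone"}))   # constructed roaming SIM
    sim2 = Path("sim2-three", frozenset({"Three"}))              # constructed second SIM
    if not genuinely_diverse(sim1, sim2):
        raise ValueError("both SIMs can attach to the same host network")
    fo = Failover(sim1, sim2, switch_sim=lambda name: None)
    paths = {sim1.name: sim1, sim2.name: sim2}
    for name, loss, rtt in samples:
        fo.observe(paths[name], loss, rtt)
    return fo.events


# Constructed probe windows: two healthy, then a mast outage on the primary, then recovery.
SAMPLE_WINDOWS = [
    ("sim1-roaming", 0.0, 85.0), ("sim1-roaming", 2.0, 90.0),
    ("sim1-roaming", 100.0, 0.0), ("sim1-roaming", 100.0, 0.0), ("sim1-roaming", 100.0, 0.0),
    ("sim2-three", 1.0, 120.0),
] + [("sim1-roaming", 0.0, 88.0)] * 5
```

The asymmetry between `fail_after` and `recover_after` is deliberate: leaving a failing path quickly keeps the engineer working, while returning to it only after a sustained run of good windows stops a marginal mast from flapping the tunnel back and forth.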
Connectivity resilience, part two: the antenna
This is the layer that is most often overlooked, and in many real-world deployments it is the most significant factor in connection quality and stability.
The remote access hardware from Tosibox, Ewon, Secomea, and the cellular routers paired with these platforms is typically supplied with a basic stub or whip antenna. These antennas are designed to work acceptably in good signal conditions – an office environment, a well-served urban location, or a cabinet near a window with reasonable line of sight to a local mast.
Industrial OT environments are frequently none of these things. Metal enclosures in substations, reinforced concrete plant rooms, underground chambers, rural locations well beyond urban mast coverage, and coastal or hilltop sites subject to interference – these are the real conditions in which remote access infrastructure has to operate. In these environments, the stock antenna that came in the box with the device may be providing 30% or 40% of the signal quality that would be achievable with the right external antenna properly installed.
The effect on the remote access platform is direct and measurable. A weak or unstable signal means higher packet loss, higher latency, more frequent connection drops, and slower reconnection after outages. Even if the tunnel technically remains established, working on a SCADA system through an unstable connection is painful and unproductive. Engineers who have experienced it tend to default back to site visits, which defeats the entire purpose.
The right external antenna, properly selected for the deployment environment, transforms this picture.
MIMO antennas are the correct choice for modern LTE and 5G deployments. All current cellular modems use multiple-input multiple-output technology, meaning they use multiple antenna paths simultaneously to increase throughput and resilience. A single-port stub antenna wastes this capability entirely. A proper MIMO antenna – one with two or more ports, matched to the router’s antenna connectors – uses the modem as it was designed to be used and delivers substantially better throughput and stability.
Location matters as much as specification. An external MIMO antenna mounted on the outside of a cabinet, on a pole above a roofline, or with a clear line of sight to the direction of the nearest mast will consistently outperform a high-specification antenna mounted inside a metal enclosure. Signal does not pass through steel. The antenna needs to be outside the shielding, with a low-loss cable run to the modem.
Band coverage. UK LTE deployments span a wide range of frequency bands, and different bands have very different propagation characteristics. Low-band signals (Band 20 at 800 MHz, Band 8 at 900 MHz) travel further and penetrate buildings and terrain more effectively. High-band signals (Band 1 at 2100 MHz, Band 3 at 1800 MHz, Band 7 at 2600 MHz) carry more data but cover shorter distances and are more easily blocked. A rural site beyond the fringe of coverage needs an antenna that performs well at low frequencies. A dense urban site with abundant signal but heavy competition from other users may benefit from a directional antenna aimed at a specific mast. The antenna specification should match the deployment, not just the box.
Combining SIM and antenna strategy. The correct approach for a critical OT remote access deployment is to treat the SIM selection and the antenna installation as a single connectivity decision. A dual-SIM router on two different networks, with a quality external MIMO antenna in an appropriate location, provides a connectivity platform on which Tosibox, Ewon, Secomea, or any other remote access service will perform reliably. Doing one without the other leaves avoidable gaps.
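The antenna points above put into numbers, as an added worked example that is not from the original article: the extra free-space loss a high band carries over a low band at any distance, how far a given dB improvement extends a link, and how antenna gain, feeder loss and a steel enclosure change the received level. The transmitter EIRP, the 20 dB enclosure loss, the 5 dBi antenna gain and the 2 dB cable loss are constructed assumptions, not measurements, and free-space loss ignores terrain and clutter.

```python
"""Free-space path loss and a simple antenna/cable link budget (added worked example).
Transmitter, enclosure, antenna and cable figures are constructed assumptions."""
import math


def fspl_db(distance_km: float, freq_mhz: float) -> float:
    """Free-space path loss (Friis) with distance in km and frequency in MHz."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44


def band_penalty_db(low_mhz: float, high_mhz: float) -> float:
    """Extra free-space loss of the higher band at the same distance; the distance term cancels."""
    return 20 * math.log10(high_mhz / low_mhz)


def range_factor(gain_db: float) -> float:
    """How many times further a link reaches for a given dB improvement, free space only."""
    return 10 ** (gain_db / 20)


def received_level_dbm(tx_eirp_dbm: float, distance_km: float, freq_mhz: float,
                       antenna_gain_dbi: float, cable_loss_db: float, enclosure_loss_db: float) -> float:
    """Wideband received level: EIRP minus path loss, plus antenna gain, minus feeder and enclosure loss."""
    return tx_eirp_dbm - fspl_db(distance_km, freq_mhz) + antenna_gain_dbi - cable_loss_db - enclosure_loss_db


def compare_installs(distance_km: float, freq_mhz: float, tx_eirp_dbm: float = 43.0) -> dict:
    """Stock stub antenna inside a steel cabinet versus an external MIMO antenna on a short feeder."""
    stock = received_level_dbm(tx_eirp_dbm, distance_km, freq_mhz, 0.0, 0.0, 20.0)    # 20 dB enclosure loss assumed
    external = received_level_dbm(tx_eirp_dbm, distance_km, freq_mhz, 5.0, 2.0, 0.0)  # 5 dBi gain, 2 dB cable assumed
    return {"stock_dbm": round(stock, 1), "external_dbm": round(external, 1),
            "improvement_db": round(external - stock, 1)}


def band_table(distance_km: float) -> dict:
    """Free-space loss per UK LTE band named in the text, at one distance."""
    bands = {"B20 800": 800, "B8 900": 900, "B3 1800": 1800, "B1 2100": 2100, "B7 2600": 2600}
    return {name: round(fspl_db(distance_km, f), 1) for name, f in bands.items()}
```

Two of the numbers are worth keeping in mind when specifying a site: Band 7 at 2600 MHz sits about 10 dB behind Band 20 at 800 MHz at any distance, which in free space is a 3.25 times shorter reach, and moving the antenna out of a steel cabinet onto a short low-loss feeder is worth more than any band choice, because the enclosure loss is removed outright rather than traded against throughput.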
Where the responsibility lies
The remote access platform vendors – Tosibox, Ewon, Secomea, and their peers – are responsible for their service. They ensure the MatchMaker works, the encryption is sound, the cloud relay is available, and the client software connects. They test their hardware for certification and reliability. They take responsibility for the remote access layer.
They do not take responsibility for the cellular connection.
That responsibility sits with the operator of the system – and in practice, with whoever specified and installed the connectivity infrastructure at the remote site. In many deployments, that is a systems integrator who focused on the remote access platform and treated the SIM as an afterthought. The result is a genuinely excellent remote access solution sitting on a fragile connectivity foundation.
Getting the connectivity right means choosing a SIM – or ideally two, on different networks – that provides genuine resilience at the site. It means selecting and installing an antenna that gives the cellular modem the signal quality it needs to maintain a stable connection in the actual operating environment, not just in ideal conditions. It means understanding the difference between a connection that works during commissioning and a connection that remains reliable through weather events, network changes, and the kind of conditions that tend to accompany equipment failures.
The platforms are brilliant. The connection underneath them needs to match.
Routerstore supplies a range of multi-network SIM solutions and MIMO antennas suited to industrial remote access deployments, including installations running Tosibox, Ewon, Secomea, and comparable platforms. If you are commissioning a remote access installation or reviewing the reliability of an existing one, speak to our team about the connectivity layer.