
Secure Remote Maintenance for Machines & Plants

Timo Wevelsiep. Updated: 30.06.2026

Editorial note: Versions, commands and prices may change. Please verify critical steps independently before production use. This guide does not replace individual consulting.

Secure remote maintenance for machines and plants means technicians reach distributed controllers and HMIs in a controlled way, without exposing the plant to the internet and without permanent third-party agents running on the controller. The proven design rests on four building blocks - an encrypted site connection via WireGuard, a browser gateway (Apache Guacamole) for clientless RDP, VNC and SSH, role-based access control (RBAC), and a complete, tamper-evident audit of every session. On top of that sits clean separation of OT and IT. The result is remote maintenance that is maintainable, auditable and NIS2-ready, operated on your own EU infrastructure instead of a vendor cloud.

This page is the entry point to our remote-access knowledge cluster. It links every in-depth article and shows how the blocks combine into one platform.

The four building blocks of secure remote maintenance

1. Site connectivity with WireGuard. Each site builds an outbound, encrypted connection to a central gateway. WireGuard is a lean, modern VPN protocol that has been part of the mainline Linux kernel since version 5.6 (March 2020) and uses a fixed set of modern primitives (Curve25519 key agreement, ChaCha20-Poly1305 authenticated encryption, BLAKE2s hashing) rather than negotiable cipher suites. The site router opens no inbound port; the controller is never directly reachable from the internet. See the article on WireGuard site connectivity and our WireGuard expertise.

2. Browser gateway with Apache Guacamole. The gateway terminates remote maintenance and serves RDP, VNC and SSH sessions straight in the browser - over HTML5, with no client, no plugin, no software installed on the technician's device. Apache Guacamole is an open-source project of the Apache Software Foundation (Apache License 2.0); the current release is version 1.6.0 (published on 22 June 2025). We cover the basics in What is Apache Guacamole and VNC in the browser. Why this replaces classic VPN clients on every laptop is explained in Remote maintenance without a VPN client.

3. Role-based access control (RBAC). Not everyone may do everything. Through RBAC and multi-factor authentication, each technician is restricted to exactly the machines and protocols their job requires - time-limited, per site, per device. How this looks in practice is described in RBAC and audit for remote access.

4. Complete audit. Every session is logged: who, when, which machine, how long - including optional session recording. That gives auditors and insurers something to check and settles who did what if a claim arises. Complete, tamper-evident logging also serves the logging and evidence duties that NIS2 imposes.
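To make the outbound-only design of building block 1 concrete, here is an added example (not WZ-IT's tooling and not code from the WireGuard project) that emits the two matched configuration files: the site router dials the gateway and opens no listening port, while the gateway holds one peer per site without an Endpoint and routes only that site's OT subnet into its tunnel. The gateway address gw.example.net:51820, the overlay 10.200.0.0/16, the site names and subnets and the placeholder keys are all assumptions, not values from the page. The checks refuse the two mistakes that quietly undo the design: a default route or the overlay itself in AllowedIPs, and OT subnets that overlap between sites.

```python
"""Matched WireGuard configs for a plant site and the central gateway.

Added example (not WZ-IT tooling, not WireGuard's own code). Assumptions that
are not on the page: the gateway answers at gw.example.net:51820 and holds
10.200.0.1 in an overlay 10.200.0.0/16; every site gets one /32 in that
overlay plus one OT subnet behind its router. Keys are placeholders; generate
real ones with `wg genkey` / `wg pubkey`.
"""
import ipaddress
import textwrap

GATEWAY_ENDPOINT = "gw.example.net:51820"          # assumption
GATEWAY_TUNNEL_IP = "10.200.0.1"                   # assumption
OVERLAY = ipaddress.ip_network("10.200.0.0/16")    # assumption


class SiteConfigError(ValueError):
    """A site definition that would weaken the outbound-only design."""


def check_site(site: dict, other_ot_subnets: list) -> ipaddress.IPv4Network:
    """Validate one site before any config is emitted.

    Rejects a default route or the overlay itself as 'OT subnet' (the gateway
    would become a router for everything), OT subnets that overlap another
    site's (two tenants' PLCs would collide on the gateway), and tunnel
    addresses outside the overlay.
    """
    ot = ipaddress.ip_network(site["ot_subnet"], strict=True)
    if ot.prefixlen == 0:
        raise SiteConfigError("a default route is never an AllowedIPs entry")
    if ot.overlaps(OVERLAY):
        raise SiteConfigError(f"OT subnet {ot} overlaps the WireGuard overlay")
    for other in other_ot_subnets:
        if ot.overlaps(ipaddress.ip_network(other)):
            raise SiteConfigError(f"OT subnet {ot} overlaps another site's {other}")
    if ipaddress.ip_address(site["tunnel_ip"]) not in OVERLAY:
        raise SiteConfigError("tunnel address outside the overlay")
    return ot


def site_config(site: dict, gateway_pubkey: str) -> str:
    """wg0.conf for the site router: it dials out and never listens."""
    check_site(site, [])
    return textwrap.dedent(f"""\
        [Interface]
        Address = {site['tunnel_ip']}/32
        PrivateKey = {site['private_key']}
        # Deliberately no listening port: nothing at the plant accepts inbound connections.

        [Peer]
        # Central gateway; only its tunnel address is routed through wg0.
        PublicKey = {gateway_pubkey}
        Endpoint = {GATEWAY_ENDPOINT}
        AllowedIPs = {GATEWAY_TUNNEL_IP}/32
        # Keepalive holds NAT/firewall state open so the gateway can reach back in.
        PersistentKeepalive = 25
    """)


def gateway_config(sites: list, gateway_private_key: str, listen_port: int = 51820) -> str:
    """wg0.conf for the gateway: one peer per site, no Endpoint (sites connect in)."""
    parts = [textwrap.dedent(f"""\
        [Interface]
        Address = {GATEWAY_TUNNEL_IP}/16
        ListenPort = {listen_port}
        PrivateKey = {gateway_private_key}
    """)]
    seen_ot = []
    for site in sites:
        ot = check_site(site, seen_ot)
        seen_ot.append(str(ot))
        parts.append(textwrap.dedent(f"""\
            [Peer]
            # Site {site['name']}: its tunnel address plus the OT subnet behind its router.
            # No peer address configured here: the gateway waits for the site to dial in.
            PublicKey = {site['public_key']}
            AllowedIPs = {site['tunnel_ip']}/32, {ot}
        """))
    return "\n".join(parts)


# Constructed sample fleet (placeholder keys, not real WireGuard keys).
SITES = [
    {"name": "plant-a", "tunnel_ip": "10.200.1.1", "ot_subnet": "192.168.10.0/24",
     "private_key": "SITE_A_PRIVATE_KEY", "public_key": "SITE_A_PUBLIC_KEY"},
    {"name": "plant-b", "tunnel_ip": "10.200.1.2", "ot_subnet": "192.168.20.0/24",
     "private_key": "SITE_B_PRIVATE_KEY", "public_key": "SITE_B_PUBLIC_KEY"},
]

if __name__ == "__main__":
    print(site_config(SITES[0], "GATEWAY_PUBLIC_KEY"))
    print(gateway_config(SITES, "GATEWAY_PRIVATE_KEY"))
```

Running the script prints both files. The site half belongs in /etc/wireguard/wg0.conf on the site router, which additionally needs IP forwarding enabled and a firewall rule that admits traffic from the gateway's tunnel address only toward the released HMI and PLC ports; everything else arriving over wg0 is dropped there. PersistentKeepalive = 25 is the value the WireGuard documentation suggests for peers behind NAT.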

Separating OT and IT cleanly

Industrial remote maintenance rarely fails on the technology; it fails on missing segmentation. The international standard IEC 62443 describes the zones-and-conduits model for this: machines and controllers sit in an OT zone reachable only through clearly defined, monitored conduits. Remote access is explicitly treated as a controlled pathway, not a convenience feature - with deny-by-default and full session logging.

The gateway sits exactly on that boundary. It receives the maintenance request, checks identity and role, and only allows the released connection into the OT zone. Direct reach-through from the office network or the internet to the PLC is thereby ruled out. Known vulnerabilities in the deployed components belong under systematic watch - that is what our CVE monitoring provides, and a security audit validates the architecture before go-live.
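Building blocks 3 and 4 and the boundary role just described come together in the following added example (not Apache Guacamole's code and not WZ-IT's platform): the gateway decides a maintenance request deny-by-default against time-limited grants per user, site, device and protocol, with passed MFA as a precondition, and writes every decision into a hash-chained audit log that can be re-verified later. The technician, the devices, the maintenance window and the record layout are constructed for this example.

```python
"""Gateway-side access decision with a hash-chained session audit.

Added example (not Apache Guacamole's code, not WZ-IT's platform). It models
the two things the gateway does at the OT boundary: decide whether this
technician, with MFA passed, may reach this device over this protocol right
now (deny everything else), and append every decision to a log in which each
record carries the hash of its predecessor, so a later edit of any record is
detectable. Users, devices, window and record layout are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json

GENESIS = "0" * 64


@dataclass(frozen=True)
class Grant:
    """One time-limited release: user -> site/device/protocol inside a window."""
    user: str
    site: str
    device: str
    protocol: str            # "rdp", "vnc" or "ssh"
    not_before: datetime
    not_after: datetime


# Constructed grants: one technician, one site, a four-hour maintenance window.
WINDOW = (datetime(2026, 3, 2, 8, 0, tzinfo=timezone.utc),
          datetime(2026, 3, 2, 12, 0, tzinfo=timezone.utc))
GRANTS = [
    Grant("t.mueller", "plant-a", "hmi-01", "vnc", *WINDOW),
    Grant("t.mueller", "plant-a", "plc-01", "ssh", *WINDOW),
]


def authorize(user: str, mfa_ok: bool, site: str, device: str, protocol: str,
              now: datetime, grants=GRANTS) -> tuple:
    """Deny by default; allow only an exact grant match inside its window."""
    if not mfa_ok:
        return False, "mfa_required"
    for g in grants:
        if (g.user, g.site, g.device, g.protocol) == (user, site, device, protocol):
            if g.not_before <= now <= g.not_after:
                return True, "grant_match"
            return False, "outside_window"
    return False, "no_grant"


class AuditChain:
    """Append-only list of records; each record hashes its predecessor's hash."""

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON (sorted keys) so an identical record always hashes identically.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "prev": prev, **event}
        rec = {**body, "hash": self._digest(body)}
        self.records.append(rec)
        return rec["hash"]

    def verify(self) -> Optional[int]:
        """Return the index of the first record that no longer checks out, or None."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev") != prev:
                return i
            if self._digest(body) != rec["hash"]:
                return i
            prev = rec["hash"]
        return None


def request_session(chain: AuditChain, user: str, mfa_ok: bool, site: str,
                    device: str, protocol: str, now: datetime) -> bool:
    """Decide, then record who/when/which machine/outcome before anything connects."""
    allowed, reason = authorize(user, mfa_ok, site, device, protocol, now)
    chain.append({"ts": now.isoformat(), "user": user, "site": site, "device": device,
                  "protocol": protocol, "allowed": allowed, "reason": reason})
    return allowed


def demo() -> dict:
    """Run the constructed scenario and return the outcomes for checking."""
    chain = AuditChain()
    inside = datetime(2026, 3, 2, 9, 30, tzinfo=timezone.utc)
    late = datetime(2026, 3, 2, 13, 0, tzinfo=timezone.utc)
    out = {
        "vnc_in_window": request_session(chain, "t.mueller", True, "plant-a", "hmi-01", "vnc", inside),
        "rdp_not_granted": request_session(chain, "t.mueller", True, "plant-a", "hmi-01", "rdp", inside),
        "no_mfa": request_session(chain, "t.mueller", False, "plant-a", "plc-01", "ssh", inside),
        "after_window": request_session(chain, "t.mueller", True, "plant-a", "plc-01", "ssh", late),
    }
    out["intact"] = chain.verify()              # None: nothing has been touched
    chain.records[1]["allowed"] = True          # someone "corrects" a denial after the fact
    out["tampered_at"] = chain.verify()         # 1: the edited record fails its own hash
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a Guacamole deployment the grants correspond to connection permissions in the authentication backend and the recording to Guacamole's session recording; the chain here is the layer that makes the resulting log tamper-evident. One caveat applies: a hash chain only proves that records were not altered later if its current head hash is stored somewhere the log writer cannot reach (a separate log collector, a periodically signed checkpoint). Someone who can rewrite the whole tail of the log can simply recompute every hash after the edit.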

Decision guide: own platform, vendor router or consumer tool

There are three fundamental ways to handle remote maintenance of distributed plants:

| Criterion | Own platform (WireGuard + Guacamole) | Vendor router (Ewon/Talk2M, IXON, Secomea) | Consumer tool (TeamViewer, AnyDesk) |
|---|---|---|---|
| Hosting / tunnel | Own EU infrastructure, self-hosted | Vendor cloud | Vendor cloud |
| Vendor lock-in | None (open source) | Vendor hardware + cloud | Vendor subscription |
| RBAC / MFA | Freely configurable, fine-grained | Predefined, often sufficient | Limited |
| Per-session audit | Complete, tamper-evident | Vendor-dependent | Limited |
| OT/IT separation | Freely designed per IEC 62443 | Device-oriented | Barely provided |
| Agent on the controller | None required | Hardware router in the cabinet | Permanent software agent |
| Scaling across sites | Multi-tenant, central | Per device / per connection | Per licence |

Vendor routers (Ewon with the Talk2M cloud, IXON, Secomea) install quickly and are practical for single machines. But they tie you to the vendor's hardware and cloud platform. Consumer tools such as TeamViewer or AnyDesk are built for office support: they install a permanent agent on the controller, route sessions through the vendor cloud, and offer neither the fine-grained RBAC nor the tamper-evident audit that OT environments need.

An own platform costs more planning up front but pays off across multiple sites, under NIS2 obligations and wherever sovereignty and provability matter. If you need a multi-tenant operator portal for many customers or sites, find the details in Multi-tenant operator portal.

Sovereignty: no third-party cloud tunnel to the plant

With vendor-locked solutions the maintenance tunnel runs through a third party's cloud - making its availability, its security posture and its business model your dependency. A sovereign platform reverses that: the tunnel to the plant terminates on your own EU infrastructure, the stack is open source (WireGuard under GPLv2, Guacamole under Apache 2.0), and there is no path that must traverse an external SaaS provider. If you want to orchestrate connectivity yourself, you can also use overlay solutions such as NetBird or Headscale instead of plain WireGuard - both open source, both self-hostable.

Germany's NIS2 implementation and cybersecurity strengthening act (NIS2UmsuCG) entered into force on 6 December 2025, transposing EU Directive (EU) 2022/2555. It affects around 29,500 companies across 18 sectors and requires, among other things, risk management, access control, multi-factor authentication, logging and reporting paths for significant security incidents (24-hour early warning, 72-hour notification, final report after one month). Violations can draw fines of up to 10 million euros or 2 percent of global annual turnover; management can be held personally liable.

For remote maintenance, the four building blocks above are therefore not only best practice but cover core NIS2 expectations: encrypted connections, RBAC with MFA and complete audit. How to set up remote access in a concretely NIS2-compliant way is deepened in NIS2-compliant remote access. This article is general information and not legal advice. We are engineers, not lawyers - the legal assessment of an individual case belongs in qualified hands.

How WZ-IT does this in practice

We build sovereign remote maintenance and remote management platforms that combine exactly these blocks - proven in production. For ABCO Water Systems in Australia we operate secure remote access to distributed water treatment plants including HMI operation in the browser (ABCO Water Systems case study). For nextGYM GmbH we implemented the remote management of a distributed IoT fleet (nextGYM case study). The continuous operation of such platforms is described in our Managed Operations section.

If you want to build or replace secure remote maintenance for your machines and plants, our remote management platform is the direct entry point. We are happy to discuss your case in a free initial consultation.

You'd rather not run Remote Access yourself? WZ-IT handles setup, operations and maintenance – GDPR-compliant from Germany.

Frequently Asked Questions

Answers to the most important questions

The machine is never exposed to the internet. Instead a WireGuard tunnel builds an outbound, encrypted connection from the site to a central gateway. Technicians reach the PLC or HMI only through that gateway, authenticate there and are restricted by RBAC to exactly the released devices. Inbound ports at the plant stay closed.

Four core blocks: an encrypted site connection (WireGuard), a browser gateway such as Apache Guacamole for clientless RDP/VNC/SSH, role-based access control (RBAC) with multi-factor authentication, and a complete, tamper-evident audit of every session. On top sits clean OT/IT separation into zones and conduits.

Hardware routers from Ewon (Talk2M), IXON or Secomea install quickly but tie you to the vendor's hardware and cloud. An own platform on open-source building blocks (WireGuard, Guacamole) runs on your EU infrastructure, has no vendor lock-in and lets you design RBAC, audit and OT/IT separation freely. Across multiple sites and under NIS2, that is usually the more sustainable choice.

For office support yes, for industrial plants only with caveats. These tools install a permanent agent on the controller, route sessions through the vendor cloud and offer little fine-grained RBAC or tamper-evident per-session audit. For OT environments, sovereignty and NIS2 they lack the depth of control and evidence required.

The German NIS2 implementation act (in force since 6 December 2025) requires affected companies to run risk management, access control, multi-factor authentication and logging. For remote maintenance that means encrypted connections, RBAC, complete audit trails and incident reporting paths. This is general information and not legal advice.

Following the zones-and-conduits model of IEC 62443: machines sit in an OT zone reachable only through clearly defined, monitored conduits. The gateway terminates remote maintenance at that boundary, enforces deny-by-default and logs the entire session. Direct reach-through from the office network or the internet to the controller is prevented.

The software building blocks (WireGuard, Apache Guacamole) are open source and free of licence fees. Costs arise for EU hosting, setup, site hardware (e.g. small industrial gateways) and operations. Against per-device or per-connection subscriptions of vendor clouds, an own platform usually pays off from a handful of sites onward.
