Beacon (2)

Real Time Secure Remote Access

    • Secure, granular remote access, more precise than VPNs
    • Controlled per protocol + per activity + per seat unique to your environment
    • Ensures OT assets and network cannot be remotely manipulated outside of line of sight
    • Available as on-premises hardware solution or as a cloud service
    • Minimizes the attack surface and enables the most secure option for remote employees or 3rd party vendors to access endpoints within the OT network

Bayshore OTaccess:  Secure Remote Access for OT Networks

A flexible, OT-specific, secure private access solution for controlled access to designated OT assets and services, easy user management, and both capex and opex purchasing options. 



OTaccess is a cloud-hosted, software-defined network remote access product with support for encrypted microtunnels, two-factor authentication, Microsoft Active Directory users and groups, and specific endpoint access capabilities oriented around OT network security requirements.

OTaccess provides content-based in-session policy enforcement for certain defined rulesets, and the available list of policies will expand automatically with no user intervention required.

  OTaccess Software-defined networking tools VPNs
  Session Origination
Session Origination Outbound only via SSL from customer to policy engine Inbound- or outbound, depending on product/vendor Inbound through/to perimeter firewalls
  Session Types
Session Types Single-user to single-service permissions User-to-network permission defaults Network-to-network permission defaults
  Local-user or AD users/groups
Local-user or AD users/groups Yes Yes Yes
  Native OT protocol support
Native OT protocol support Yes, including deep inspection Port-level only n/a
  Native content-based policy enforcement
Native content-based policy enforcement Yes No n/a


OTaccess is a competitive alternative to both generic enterprise VPN products and software-defined networking tools.  It offers native policy controls for OT protocols and supports single pane of glass administration via a customer’s private cloud instance of the management portal. 

Native Policy Controls

  FINS Modbus OPCUA S7 SLMP RDP VNC HTTP/S sftp ssh telnet
Read-only X X X X X            
Read-write X X X X X            
  No SQL Injection1
No SQL Injection1               X      
  No XSS2
No XSS2               X      
  Single endpoint
Single Endpoint X X X X X X X X X X X



Figure 1:  OTaccess Services View

Figure 1:  OTaccess Services View

Figure 2:  OTaccess Client Software

Figure 2:  OTaccess Client Software

  1. Depends on specific web/app server in use
  2. Depends on specific web/app server in use

OTaccess Provisioning

Once you place an order or submit a purchase order to Bayshore, our team will begin the provisioning process for your dedicated OTaccess Cloud.  You’ll be given administrative credentials when it’s ready; while that’s in progress, you can install the OTaccess Endpoint Gateway software we’ll provide to you. 

Your next step is to create users and services.  Users can be locally authenticated within your OTaccess Cloud, or you can provide access to your AD server via LDAP.  AD server setup is useful because it uses the same proxy model as any other OTaccess service, so it’s good practice for learning how to use the web interface.

Finally you can provide the remote access client to the external users.  It will be pre-configured to point to your OTaccess Cloud. They can install it and, assuming their credentials are already valid, immediately gain access to any services for which their accounts are enabled.

OTaccess Use Cases



Note:  Beacon was the former name for OTaccess

Q:  How is OTaccess different from a VPN?

A:  OTaccess controls access by protocol, port, and user.  Before any access is permitted, OTaccess requires a service on an endpoint to have been exposed (defining both the target port and protocol/service) and a user has to have been given explicit permission to access that endpoint/service combination. 


Q:  What is the OTaccess transport architecture?

A:  The OTaccess Endpoint Gateway initiates a standard SSL tunnel from within your network to your provisioned cloud instance of the OTaccess management interface.  That tunnel is persistent by default, and only ever initiated from within your network to the external destination.  Authorized remote users initiate a connection request from their locations via the OTaccess client, which connects to your dedicated cloud instance, authenticates the user, and then maps their attempt connection to the known list of authorized endpoint/service destinations.  If those checks all succeed, the cloud instance of the OTaccess software proxies the remote user’s session into the OTaccess Endpoint Gateway which, in turn, proxies it again to the actual target endpoint.


Q:  Does OTaccess support AD integration via LDAP?

A:  Yes.  OTaccess can be configured to validate user and group credentials via your company’s AD server.  To use this feature, the AD server is exposed to your OTaccess cloud instance using a standard OTaccess tunnel, and the LDAP queries are submitted during each user authentication action.


Q:  Does OTaccess support 2FA?

A:  Yes.  OTaccess requests a mobile number for each user and uses SMS to submit an authorization code to that number each time the user authenticates themselves to the system.


Q:  Is OTaccess available in an appliance format I can deploy onsite?

A:  Not yet.  Our intention is to start with the cloud hosted version of OTaccess and to make a purely on-premise version available in 2019. 


Q:  Can I use OTaccess to enable persistent site-to-site OT protocol tunnels?
A:  Yes.  Contact us to discuss this use case in more detail. 


Q:  Can I get a trial or demo of OTaccess?

A:  You can subscribe for one month at the minimum subscription level, with no further obligation. 


Q:  When will OTaccess be available?

A:  OTaccess subscriptions are available now.

See Pricing and Availability

Yes! I want to learn how I can use OTaccess!