
Managing third-party and vendor risk within your OT ecosystem


Prayukth KV

October 24, 2025

The days of the "air gap" are well behind us. The Operational Technology (OT) ecosystem, the complex web of hardware and software that monitors and controls physical processes in your plant, utility, or facility, is no longer an isolated fortress. In fact, with the arrival of IIoT, all forms of traditional barriers are gone, and the gap between a threat actor or a rogue insider and your crown jewels is now history.

The OT environment is now well connected to third-party vendors, maintenance contractors, system integrators, and equipment manufacturers (OEMs). While some of these connections are essential for remote diagnostics, maintenance, and efficiency, they do represent one of the most significant and often-overlooked attack vectors.

Managing third-party and vendor risk (and risk exposure) isn't just an IT compliance exercise. It is a core requirement for ensuring operational resilience, uptime, and physical safety. Many OT operators today have granted third parties additional privileges on their networks. It is essential for such operators to understand the risks that emerge from this situation and to take steps to counter and mitigate them.

Before you move forward, don’t forget to read our incident assessment post on the Asahi Brewery cyberattack here.

Why OT vendor risk is something to ponder 

Treating OT vendor risk the same way as IT vendor risk is a critical mistake. The stakes, like the context, are fundamentally different.

  • Vendor relationships may introduce new risks through the adoption of practices specified by them. This could dilute the effectiveness of existing security measures or provide chances for a rogue insider to act.

  • Impact: An IT breach may cause data loss. An OT breach on the other hand can lead to production downtime, catastrophic environmental damage, or severe safety incidents. You may also attract regulator attention in the form of fines.

  • Access level: A vendor logging in to update a PLC (Programmable Logic Controller) or HMI (Human-Machine Interface) has the "keys to the kingdom": direct access to the industrial control process itself.

  • Legacy systems: Many OT assets run on 20-year lifecycles and were never designed for remote connectivity. They often run unpatched legacy operating systems, making them incredibly fragile.

  • The "Trusted" Connection: The remote access connection (VPN, RDP) established by a "trusted" vendor is the perfect camouflage for an attacker. If the vendor's laptop is compromised, the attacker can bypass your perimeter defenses and walk right into your control network.

A framework for OT Vendor Risk Management (VRM)

A robust OT VRM program is built on a "trust, but verify" model. Shared below is a practical framework to get things started.

Identify and classify all vendors and privileges

You cannot secure what you don't know. The first step is a complete inventory.

  • Who: List every third party that interacts with your OT environment. This includes OEMs, system integrators, maintenance contractors, and even suppliers of managed services (such as a cloud-based historian).

  • What: Which specific assets does each vendor need to access, and how critical is that access? (For example, vendor A accesses the turbine control PLC for diagnostics.)

  • How: How do they connect? (For instance, a shared VPN, a dedicated dial-up modem, or an on-site contractor with a laptop.)

  • Tiering: Classify vendors based on criticality and risk. A vendor with 24/7 remote access to your safety-instrumented system (SIS) is Critical. A vendor who only supplies spare parts with no network access is Low. Focus your resources on the critical and high-risk tiers.

  • Know their history: Has any vendor breached security or governance norms in the past?

Have a governance touch point with all vendors

Ensure that you have a calendarized touchpoint with all vendors to review security and governance posture, the status of risk mitigation, and any items left open from previous meetings.

Integrate OT security into procurement and contracts

Security must begin before a vendor is onboarded. Waiting until after the contract is signed is too late.

  • Ask a few essential questions: Move beyond standard IT questionnaires. Ask specific OT security questions:

    • "How do you secure your remote access tools and technicians' laptops?"

    • "Do you follow secure software development lifecycles (like IEC 62443-4-1) for your products?"

    • "Can you provide a Software Bill of Materials (SBOM) for your HMI/software?"

    • "How do you comply with our security norms and mandates?"

    • "Has an IEC 62443-based assessment been done at your own sites?"

  • Document everything: Your contracts are your single greatest enforcement tool. Mandate specific security requirements, including:

    • The right to audit the vendor's security practices.

    • Strict requirements for incident notification (Notify us within 4 hours of a suspected compromise).

    • Compliance with multi-factor authentication (MFA) for all remote access.

Enforce granular, "Zero Trust" access control

The old model of giving a vendor a permanent VPN that grants them full, "flat" network access is no longer acceptable. Adopt a Zero Trust mindset, which assumes no user or connection is trusted by default.

  • No More Shared VPNs: Each vendor, and each technician, must have a unique, auditable login.

  • Least Privilege: A vendor should only be able to access the specific asset they are approved for, and nothing else. If they are there to service HMI-1, they should not be able to even see PLC-5.

  • Just-in-Time (JIT) Access: Access should not be 24/7. Grant access for a specific, pre-approved maintenance window (Tuesday from 2 PM to 4 PM) and automatically revoke it afterward.

  • Enforce MFA: This is a non-negotiable baseline. All remote access to the OT environment must require MFA.

Monitor, log, and audit all third-party activity

"Trust, but verify" is the mantra. You must have the ability to see exactly what your vendors are doing when connected to your network.

  • Network visibility: Deploy an OT-aware network monitoring solution such as Shieldworkz. This allows you to baseline "normal" behavior and instantly alert on anomalies, such as a vendor accessing an unauthorized asset or performing a dangerous operation (such as a firmware update).

  • Session recording: For high-risk access, use tools that provide video recording or "over-the-shoulder" monitoring of the vendor's session. This creates an undeniable audit trail.

  • Log Review: Regularly review access logs. Look for failed login attempts, access outside of approved hours, or attempts to scan the network.

  • Removable-media scanning: Ask whether the vendor scans removable media before it touches your systems. Basic security practices like this matter a lot and point to the vendor's level of security maturity.
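As an added example (not code from the original post), the following Python turns the least-privilege and JIT rules from the access-control section (one named technician, one approved asset, one maintenance window) into an approval register and then reviews constructed remote-access log lines for the things the Log Review bullet asks for: unauthorized assets, access outside approved hours, repeated failed logins, and logins not tied to a named technician. The log format, logins and asset names are constructed for illustration.

```python
from datetime import datetime, time

# Constructed approval register: each technician has a unique login, the single
# asset they are approved for, and a JIT maintenance window (weekday 0 = Monday).
APPROVALS = {
    "vendorA.jsmith": {"asset": "HMI-1", "weekday": 1, "start": time(14, 0), "end": time(16, 0)},
    "vendorB.kpatel": {"asset": "PLC-5", "weekday": 2, "start": time(9, 0), "end": time(11, 0)},
}

# Constructed access log: ISO timestamp, login, target asset, result.
# 2025-10-21 is a Tuesday, 2025-10-22 a Wednesday, 2025-10-23 a Thursday.
SAMPLE_LOG = """\
2025-10-21T14:05:00 vendorA.jsmith HMI-1 success
2025-10-21T14:40:00 vendorA.jsmith PLC-5 success
2025-10-21T17:10:00 vendorA.jsmith HMI-1 success
2025-10-22T09:30:00 vendorB.kpatel PLC-5 success
2025-10-23T02:00:00 vendorB.kpatel PLC-5 failed
2025-10-23T02:00:30 vendorB.kpatel PLC-5 failed
2025-10-23T02:01:00 vendorB.kpatel PLC-5 failed
2025-10-23T02:01:30 contractor-shared HMI-1 success
"""


def review_access_log(log_text, approvals, fail_threshold=3):
    """Return (timestamp, login, reason) findings for every log line that breaks a rule."""
    findings = []
    failures = {}
    for line in log_text.splitlines():
        ts_str, login, asset, result = line.split()
        ts = datetime.fromisoformat(ts_str)
        rule = approvals.get(login)
        if rule is None:
            # Shared or unknown accounts defeat the "unique, auditable login" rule.
            findings.append((ts_str, login, "login not in approval register"))
            continue
        if result == "failed":
            # Count failures per login; raise one finding when the threshold is hit.
            failures[login] = failures.get(login, 0) + 1
            if failures[login] == fail_threshold:
                findings.append((ts_str, login, f"{fail_threshold} failed logins"))
            continue
        if asset != rule["asset"]:
            findings.append((ts_str, login, f"accessed {asset}, approved only for {rule['asset']}"))
        in_window = ts.weekday() == rule["weekday"] and rule["start"] <= ts.time() <= rule["end"]
        if not in_window:
            findings.append((ts_str, login, "access outside approved maintenance window"))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG, APPROVALS):
        print(*finding)
```

A real deployment would read the same fields from the remote-access gateway or OT monitoring platform instead of a string, but the rule set (named login, single asset, time window, failure count) stays the same.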

Plan for a vendor-caused incident

Your defenses might fail. A vendor will eventually get compromised. Your incident response (IR) plan must account for this scenario.

  • Create a vendor incident playbook: Have a specific IR playbook titled "Third-Party Compromise." What are the immediate steps? The first step should be to immediately revoke all access for the compromised vendor.

  • Test It: Include your critical vendors in your annual tabletop exercises. Pose the scenario: "Vendor A just called to say their remote access tool was compromised by ransomware. What do we do right now?"

Managing vendor risk isn't just about checklists and contracts; it's about building a secure ecosystem. Treat your vendors as partners in your defense, not as adversaries. You can start by asking one simple question of your team: "Who has remote access to our control network right now, and what are they doing?"

Have a joint compliance/governance model

Strive to get the vendor to adopt a common code of security principles and practices with ways to measure the same.

Finally, communicate your security expectations clearly and work with vendors to achieve your shared goal: ensuring the safety, reliability, and resilience of your critical operations.

Learn more about how to bring your OT security risk levels within acceptable limits in 5 weeks with Shieldworkz Launchpad, the only OT security program you need.
