Apr 27, 2026

Third-Party Remote Access in OT: The Soft Underbelly of Industrial Cybersecurity

New research shows that over 50% of organizations rely on unmonitored third-party access. Learn why vendor remote access is a leading OT cybersecurity risk – and how to secure it with identity-based access, time-bound controls, and real-time monitoring.

“We trust our vendors. Plus, they’ve always had access. What's suddenly the problem?”

In many industrial environments, allowing third-party vendors, contractors, and OEMs to access sensitive OT environments has been standard practice for years. What began as occasional remote support has now evolved into a core operational dependency. Today, remote vendor access underpins maintenance, diagnostics, and uptime across manufacturing plants, energy facilities, and critical infrastructure.

But while the third-party access model is widely accepted, it also introduces significant risk. This is because, rather than breaking into OT environments, today’s attackers are increasingly exploiting the legitimate remote access pathways used by trusted third-party technicians.

The scale of this exposure is hard to ignore. Data from a 2025 Cyolo/Takepoint Research study shows that 88% of manufacturers allow remote third-party access into OT environments, and 60% grant such access to over 100 different external parties. At the same time, the just-released 2026 Marlink Cyber Intelligence Report for Remote Operations reveals that more than 50% of organizations rely on third-party remote access that isn’t centrally monitored.

This combination – widespread access with limited oversight – creates a perfect entry point for attackers and an enormous blind spot for industrial organizations.

And, unfortunately, the trouble doesn’t stop there. The same Marlink research finds that around 60% of assessed sites rely on shared IT/OT infrastructure, while over 70% contain undocumented or poorly secured connections to external networks. In other words, many organizations don’t just have remote access – they have remote access they can’t fully see or control.

The result is a simple but uncomfortable reality: critical systems are being accessed remotely without visibility into who is connecting, when they're connecting, or what they’re doing once inside.

A Shift in OT Cybersecurity: Why Identity Is the New Perimeter

Traditional OT security strategies focus on keeping threats out. Firewalls, segmentation, and air gaps were designed to create a strong perimeter. But in highly connected environments, the perimeter has become increasingly porous.

As a result, attackers have adjusted their tactics from exploiting systems to exploiting identities. Credentials, and especially those tied to remote vendor access, are easier to steal, harder to detect, and far more effective once obtained.

According to the Marlink report, approximately 69% of observed risks are linked to exposed or compromised credentials. Once attackers gain valid access, they don’t need to behave like intruders. They can move through the network using legitimate tools, blending into normal operations and evading traditional detection methods. In OT environments, where third-party access is both common and expected, this creates a dangerous blind spot. 

Why Third-Party Access Is So Hard to Control

The challenge of third-party access isn’t just technical. It’s operational.

Industries like manufacturing and mining depend heavily on vendors to run and maintain specialized equipment. When something breaks, the priority is to restore operations quickly and prevent costly downtime. Remote access makes that possible, but it also creates a dependency: vendors need fast, reliable access with minimal friction. This operational pressure frequently leads to access being prioritized over control.

At the same time, many organizations lack visibility into their own environments. The Marlink research shows that 30-40% of OT assets are initially unknown or undocumented, making it difficult to define the full attack surface. Compounding the problem, fewer than 25% of organizations have clearly assigned OT security ownership, leading to fragmented responsibility across IT, OT, and third-party stakeholders.

Under these conditions, it’s easy to understand why consistent control is almost impossible to enforce. Access decisions are often made locally, visibility remains incomplete, and accountability becomes unclear. Beyond this, vendor credentials may be shared for convenience, access may remain open longer than necessary, and monitoring may be limited or inconsistent.

Individually, each of these gaps could be manageable. But collectively, they create a system where control is fragmented and security is reactive rather than proactive.

This is exactly what attackers exploit. Instead of relying on a single vulnerability, they take advantage of how the various gaps in protection overlap. A shared credential here, an always-on connection there, and limited monitoring across the environment – combined, they create a path to move undetected toward critical systems and assets.

And crucially, many of these access paths are implicitly trusted. Vendor accounts often operate with fewer controls and less scrutiny than internal users, making them an ideal target. Once compromised, they provide attackers with legitimate, hard-to-detect access that appears indistinguishable from routine operational activity. 

Securing Third-Party Remote Access in OT Environments: What Good Looks Like

Strengthening third-party access security doesn’t mean blocking vendors from reaching OT systems. It means bringing their access under precise control.

Unsurprisingly, the shift starts with identity. Every individual accessing the OT environment needs a unique, verifiable identity with clearly defined permissions. This security best practice aligns with zero trust principles and standards like ISA/IEC 62443, where access is continuously validated and never implicitly trusted.

From there, access for third parties must become dynamic rather than persistent. Instead of standing permissions that remain open indefinitely, organizations should adopt just-in-time (JIT) access, where sessions are approved, time-bound, and automatically revoked when the job is done. This significantly reduces the window of opportunity for attackers.

Visibility is equally vital. If a vendor is connected to a critical system, that session should be observable in real time. OT and security teams need the ability to monitor activity, record sessions for auditing purposes, and intervene immediately if something looks wrong.

Finally, governance must be centralized. Remote access shouldn’t be fragmented across different tools, teams, or environments. Instead, it should be treated as a single, controlled layer – ensuring consistency, visibility, and accountability.
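The controls described in this section can be checked against session data. The following is an added example, not code from the original post or from any product: it audits constructed session records against constructed just-in-time approvals and flags sessions with no approval, sessions that run outside their approved window, unrecorded sessions, and accounts seen from more than one source endpoint. The record fields, account names, and gateway log shape are assumptions made for illustration.

```python
from datetime import datetime as dt
from collections import defaultdict

# Constructed JIT approvals: (account, target) -> approved (start, end) window.
GRANTS = {
    ("acme-jdoe", "plc-line3"): (dt(2026, 4, 20, 9, 0), dt(2026, 4, 20, 11, 0)),
    ("oem-support", "hmi-press2"): (dt(2026, 4, 20, 13, 0), dt(2026, 4, 20, 14, 0)),
}

# Constructed session records from a hypothetical remote-access gateway.
# end=None means the session is still open.
SESSIONS = [
    {"account": "acme-jdoe", "src": "198.51.100.7", "target": "plc-line3",
     "start": dt(2026, 4, 20, 9, 5), "end": dt(2026, 4, 20, 10, 40), "recorded": True},
    {"account": "oem-support", "src": "203.0.113.21", "target": "hmi-press2",
     "start": dt(2026, 4, 20, 13, 10), "end": dt(2026, 4, 20, 16, 30), "recorded": True},
    {"account": "oem-support", "src": "203.0.113.88", "target": "hmi-press2",
     "start": dt(2026, 4, 20, 13, 20), "end": dt(2026, 4, 20, 13, 50), "recorded": False},
    {"account": "vendor-admin", "src": "192.0.2.44", "target": "historian",
     "start": dt(2026, 4, 1, 0, 0), "end": None, "recorded": False},
]

def audit_sessions(sessions, grants, now):
    """Return sorted (account, finding) pairs for sessions that break policy."""
    findings = set()
    sources = defaultdict(set)
    for s in sessions:
        acct = s["account"]
        sources[acct].add(s["src"])
        window = grants.get((acct, s["target"]))
        end = s["end"] or now  # treat an open session as running until now
        if window is None:
            findings.add((acct, "no-approval"))  # standing access, never approved
        elif s["start"] < window[0] or end > window[1]:
            findings.add((acct, "outside-approved-window"))
        if not s["recorded"]:
            findings.add((acct, "unrecorded-session"))
    for acct, srcs in sources.items():
        if len(srcs) > 1:  # one login seen from several endpoints
            findings.add((acct, "possible-shared-credential"))
    return sorted(findings)

if __name__ == "__main__":
    for acct, finding in audit_sessions(SESSIONS, GRANTS, dt(2026, 4, 20, 17, 0)):
        print(f"{acct}: {finding}")
```

Multiple source endpoints for one account is only a signal of credential sharing; a technician who legitimately changes networks will trigger it too, so treat it as a prompt for review rather than proof.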

How to Improve OT Vendor Access Security Without Disrupting Operations

For most organizations, improving third-party access security doesn’t require a complete transformation. What it does require is tightening control where the impact will be most significant.

If you’ve read this far, you won’t be shocked to learn that the ideal starting point is moving from convenience-driven access to controlled, identity-based access. When every user has their own identity, actions become traceable. When access is time-bound, exposure is reduced. And when sessions are monitored in real time, security teams gain visibility and control over what is happening inside the OT environment.

Despite what might be expected, these changes don’t add friction. Quite the opposite: they ensure access is available when needed, while removing unnecessary risk and preserving operational speed. Over time, this approach transforms third-party remote access from a blind spot into a governed, observable process.

The Future of OT Security: From Implicit Trust to Continuous Verification

The broader shift in OT cybersecurity is clear. Security today is not about protecting a fixed perimeter but rather about controlling access in environments that are connected, distributed, and dynamic. Identity is the new control plane, and third-party access sits at its center.

Organizations that adapt effectively will move away from implicit trust and toward continuous verification. They will enforce the principle of least privilege, monitor access in real time, and treat vendor connectivity as a governed process rather than an operational shortcut.

In this modern model, third-party remote access becomes a controlled, observable, and accountable part of the operational environment, aligned with both security and business continuity.

Jennifer Tullman-Botzer

Author

Jennifer Tullman-Botzer has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. She joined Cyolo in 2021 and currently serves as director of content marketing.
