It’s 2 a.m., a line is down, and you’re on the phone with an OEM who needs remote access to diagnose a fault on a single HMI. A VPN account from a past project is still active, so access is granted quickly. Another vendor joins using shared credentials “just to take a look.” By the time production is restored, four external users have logged in remotely.
When the line behaves unpredictably again the next morning, you and your team are left guessing. There’s no reliable record of who did what and no easy way to determine whether the current issue is mechanical, operational, or tied to changes made during the previous night’s work.
Vendor access is a reality in modern manufacturing. Not just OEMs but also contractors, integrators, and other third-party specialists are essential to keeping operations running, especially when issues surface outside normal business hours. Remote access makes that support faster – and in many cases, it’s the only practical option.
The problem isn’t that vendors need access. It’s that vendor access often outlives its purpose, expands beyond its original scope, and fades from view once the immediate issue is resolved.
In many plants today, it’s still difficult to answer these basic questions: Who has access? What assets can they reach? When did they last log in? When these answers aren’t readily available, vendor access is already harder to manage than it should be.
Most vendor access problems in OT aren’t caused by bad intentions. Instead, they stem from access tools and processes that don’t align with how plants actually operate – under constant uptime pressure, dependent on legacy systems, and with little margin for delay.
Always-on VPNs are a good example. Even when a vendor only needs to work on a single machine, VPN access typically opens up far more of the plant network than necessary. That makes it harder to contain issues and increases the chance that changes spill beyond the specific system being worked on. Plus, if problems show up later, recovery becomes more complicated, because multiple people may have had access to the same systems with no clear boundaries around what they were supposed to touch.
Shared credentials introduce a different but related risk. They’re fast and familiar during emergencies, but they erase accountability. When equipment behaves unexpectedly following vendor work, there’s no reliable way to know who was logged in or what actions were taken. This uncertainty slows troubleshooting and complicates audits.
Manual approval workflows don’t fare much better. During downtime, restoring production takes priority over process. Screenshots get texted, credentials get reused, and access is granted through whatever method is fastest. Controls that look reasonable in policy documents tend to disappear when an emergency hits.
In OT environments, access control isn’t measured by how strict a policy appears on paper. It’s judged by whether the plant can keep running safely and recover quickly when something goes wrong – and that’s exactly when traditional vendor access methods tend to fail.
What works better is an approach to vendor access that’s designed for real plant conditions, where access needs to be fast, targeted, and manageable under pressure.
Controlled vendor access starts by tightening the scope of access. Instead of connecting vendors to an entire network, access is limited to the exact asset they need to work on – one HMI, two PLCs, one application. Vendors get what they need to do the job, and nothing more. This alone reduces confusion during emergencies and limits the impact of both simple mistakes and more serious issues.
Access is also time-bound by default. Vendor access exists for a defined maintenance window or troubleshooting session and then expires automatically. This removes the need to remember to clean things up later, especially after a long outage or overnight service call.
Another core principle of controlled access is visibility. OT teams can see who connected, when, and for how long, without micromanaging vendor activity or slowing operations. When something changes unexpectedly, this context will prove invaluable.
Finally, control means the plant (not corporate IT) can instantly revoke access from any vendor. If something looks wrong or even just unusual, access can be shut off without waiting for a support ticket or approval chain. That immediacy matters when uptime is already under pressure.
A simple rule of thumb can help here:
The 2-Minute Rule:
If you can’t answer “Who accessed what and when?” in under two minutes, you don’t have sufficient control over vendor access in your plant.
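To make the rule concrete, here is an added example (not part of the original article or any vendor's product) that models asset-scoped, time-bound, revocable grants and checks a session log against them. The user names, asset names, timestamps and record layout are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Grant:
    user: str                       # a named individual, never a shared login
    assets: frozenset               # the exact assets in scope, not a subnet
    start: datetime
    end: datetime                   # access expires here with no cleanup step
    revoked_at: Optional[datetime] = None   # set when the plant cuts access early

def audit(grants, sessions):
    """Return (user, asset, start, reason) for every session no grant covers."""
    findings = []
    for user, asset, start, end in sessions:
        reason = "no grant for this user"
        for g in (g for g in grants if g.user == user):
            cutoff = min(g.end, g.revoked_at or g.end)
            if asset not in g.assets:
                reason = "asset outside granted scope"
            elif start < g.start or end > cutoff:
                reason = "outside granted window"
            else:
                reason = None
                break
        if reason:
            findings.append((user, asset, start, reason))
    return findings

def who_accessed(sessions, asset, since):
    """The 2-Minute Rule query: who touched this asset, and when."""
    return sorted((start, user) for user, a, start, _ in sessions
                  if a == asset and start >= since)

# Constructed sample data (hypothetical users and asset names).
T0, MIN = datetime(2024, 1, 10, 2, 0), timedelta(minutes=1)
GRANTS = [Grant("oem.tech1", frozenset({"HMI-LINE3"}), T0, T0 + 120 * MIN)]
SESSIONS = [  # (user, asset, session start, session end)
    ("oem.tech1", "HMI-LINE3", T0 + 10 * MIN, T0 + 55 * MIN),
    ("oem.tech1", "PLC-LINE3-A", T0 + 20 * MIN, T0 + 30 * MIN),
    ("oem.tech1", "HMI-LINE3", T0 + 180 * MIN, T0 + 190 * MIN),
    ("vendor_shared", "HMI-LINE3", T0 + 40 * MIN, T0 + 50 * MIN),
]

if __name__ == "__main__":
    for finding in audit(GRANTS, SESSIONS):
        print(finding)
    print(who_accessed(SESSIONS, "HMI-LINE3", T0))
```

The shared login surfaces as a session with no grant behind it, which is the accountability gap described earlier.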
At this point, a reasonable concern arises: all this control sounds great, but won’t it slow response times when every minute matters?
It’s fair to assume that more control could mean more delays – and that would likely be true if more control required extra approvals or manual steps. In practice, however, controlled access removes roadblocks and reduces confusion, especially during unplanned downtime. It actually becomes easier to get the right people connected at the right moment.
Let’s consider a simple example. Instead of forcing vendors to hunt for old VPN logins or wait hours for IT approvals, a plant using modern OT-focused access tools can grant time-limited access to a specific machine and get their vendor connected in minutes. A supervisor can see when the vendor connects and monitor the session as needed. And when the work is complete, access closes automatically. No scrambling, no shared credentials, and no standing privileges.
When access is clearly scoped, quick to approve, and automatically expires, vendors can connect faster, operators aren’t forced into access acrobatics, and plants avoid the risky shortcuts that pop up when controls don’t match real-world conditions.
For OT security and plant leaders evaluating how vendor access is handled in their facilities today, a few practical questions help cut through the noise:
Can access be limited by asset instead of opening up the full network? Can approvals happen in minutes when production is down? Can access be shut off instantly by the plant team if suspicious activity is detected? Is there a clear access history when an audit or investigation comes up? And does it all work in legacy OT environments, not just modern applications?
If the answer to any of these questions is no, the solution is likely to create workarounds and risk instead of real control.
The good news is that most plants don’t need a major overhaul to improve vendor access. Even small changes to how vendor access is controlled can have an outsized impact on uptime and overall productivity.
By running a pilot program with one high-risk or high-impact third party – perhaps an OEM supporting a critical line – plants can experience the benefits of controlled access very quickly. The pilot approach keeps disruption low while establishing clearer boundaries, better visibility, and faster response when issues arise. Many plants are genuinely surprised by how much access has accumulated over time and how manageable it becomes once it’s brought under control.
Over time, stronger access control leads to fewer access-related delays, faster recovery during downtime, and less guesswork when something changes unexpectedly. Vendor access simply becomes what it should have been all along – another managed part of day-to-day operations.
Author
Jennifer Tullman-Botzer has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. She joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, Jennifer worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.