Jan 16, 2024

Why Third-Party Access to OT Environments Requires Added Security Controls

If you’re managing a business in 2024, chances are good that you’ve hired at least a few third-party vendors or technicians to help you keep things running smoothly. If you operate a large company, you may have dozens or even hundreds of such contractors on your payroll. These workers offer key services and skills that, whether for lack of expertise or lack of budget, can’t be performed by your in-house employees. But despite their very clear value, third-party users pose a significant security risk. This is especially true for industrial enterprises that allow third-party users to access critical infrastructure, industrial control systems (ICS), and operational technology (OT).

This blog will explore why organizations have come to rely so heavily on the services of third-party vendors and why it is vital to secure their access to internal resources and, in particular, to OT environments and critical systems.  

A Growing Dependence on Third-Party Support  

In today’s dynamic business landscape, reliance on external vendors and contractors has become a strategic imperative and not just a discretionary choice. Collaborations with third-party partners, technicians, and other specialists are now integral to the success and sustainability of industrial operations. The specific reasons for hiring external contractors will of course vary from company to company, but the many advantages of working with third parties include: 

Specialized Expertise 

Industrial processes have grown increasingly complex, necessitating a wide range of specialized skills and knowledge. External vendors and contractors are likely to bring with them a wealth of experience, honed by working with a variety of clients with different needs and expectations. This subject matter expertise can be instrumental in helping organizations optimize processes or overcome technical challenges that the in-house team lacks the experience or training to solve. 

Resource Optimization 

External support enables industrial enterprises to allocate their resources more effectively. Rather than maintaining an in-house team for every conceivable task, organizations can tap into the skills and resources of external vendors on a project-specific basis. This results in a leaner organizational structure, reducing overhead costs and enhancing overall efficiency. 

Flexibility and Scalability 

Industrial enterprises frequently encounter fluctuations in demand, project scope, and market conditions. Beyond resource optimization, external vendors provide a level of flexibility and scalability that is challenging to achieve with a fully internal workforce. Whether it's scaling up production during peak periods or downsizing during quieter ones, the ability to adapt quickly to changing circumstances can be a key competitive advantage. 

Cost Efficiency  

Collaborating with external vendors allows organizations to leverage economies of scale that may not be achievable with in-house operations. Because they serve multiple customers, vendors can spread costs across a broader base, leading to more cost-effective solutions and services. This cost efficiency is often reflected in competitive pricing, ultimately benefiting the client’s bottom line. 

Contract Requirements

It should now be much clearer why industrial enterprises depend so heavily on the services of external third parties. Still, it’s worth pointing out that sometimes the reason is even simpler. Manufacturers of specific OT systems or equipment often require that only members of their own workforce can service said equipment. Should an in-house technician attempt to access a system or perform a maintenance check, it could void the product warranty and create a host of additional problems. In cases like these, enterprises have literally no choice but to work with the vendor whose equipment they are operating.  

Why is Third-Party Access a Risk? 

There is no question that third-party collaborations bring tremendous value to businesses across industries. The problem is that allowing external vendors and contractors to access sensitive internal systems creates serious risks for the organization. Third-party users are not bound by the same internal security policies as direct employees, and they are likely to be working on their own unmanaged devices. Perhaps most significantly, without the proper tools in place it is very difficult for IT and security teams to control or even monitor their actions inside the corporate network. And when third-party vendors have access to OT environments and critical infrastructure, they can pose not just a security risk but also an operational safety risk.

Examples of how third-party relationships can expose organizations to added risk include: 

Over-Permissioned Access 

Even organizations that follow the principle of least privilege when granting access to employees may be more lax when extending access permissions to third-party vendors. Time is often of the essence when onboarding new contractors, and this can lead to their being given overly wide access to internal systems. But saving a bit of time by not configuring proper access policies for third parties can end up being very costly if this over-permissioned access leads to an operational shutdown or data breach.  

Malware and Ransomware 

When third-party devices are unmanaged and identity-based access with continuous authorization is not enforced, external vendors can introduce malware or ransomware into their clients’ infrastructure, potentially disrupting operations, causing financial losses, or resulting in ransom demands. 

Data Leakage 

Contractors may inadvertently or intentionally leak sensitive information, leading to intellectual property theft, corporate espionage, or exposure of critical data. 

Supply Chain Attacks 

If a vendor is compromised, attackers may use their access to target the critical infrastructure they serve, creating a pathway for larger-scale attacks. 

Social Engineering 

Malicious actors could exploit relationships with third-party vendors to gain unauthorized access to OT environments, posing a direct threat to safety as well as security. 

Inadequate Training 

Third-party vendors are often brought on board because of their specialized skills, but this is not always the case. Contractors who lack the necessary familiarity with safety protocols or particular equipment increase the likelihood of accidents that could disrupt operations and even jeopardize physical safety.

How to Secure Third-Party Access into OT Environments 

So, if businesses depend on third-party collaborations but such collaborations create inherent risks, what is the way forward? This is exactly the challenge Cyolo set out to solve, and it’s the reason our remote privileged access management (RPAM) solution includes the following features and functionalities: 

Agentless Deployment 

Agents are pieces of installed software that run in the background of our devices, and they’re necessary for the operation of many remote secure access solutions (VPNs are a perfect example). There’s nothing innately wrong with agents, but they can be problematic when it comes to third-party access security. The issue is that vendors likely work with many companies, and it’s unrealistic to expect them to download and then work via a different agent for each of their clients. In light of this, the ideal secure remote access solution will be agentless, with no software downloads or installations required for third-party users. 

Zero-Trust Access, Multi-Factor Authentication, and Continuous Authorization

Zero trust is a security framework that requires every identity (whether user or device) to be identified, authenticated, and continuously authorized in order to gain and maintain access to approved applications. Multi-factor authentication (MFA) is an added layer of identity verification that usually accompanies zero-trust access. By enforcing zero-trust access with MFA for third-party vendors and contractors, organizations can better protect themselves against credential theft, phishing, and other cyberattack vectors.

Application-Level Access 

As noted above, over-permissioning external vendors with access they don’t actually need is a recipe for disaster. To prevent third parties from reaching data and systems beyond the scope of their work, the principle of least privilege should always be used to determine access permissions. In addition, access should be granted directly to applications and never to the full network. Restricting network-level access is key to preventing the spread of ransomware and other malware and also limits the damage that can be done should an unauthorized actor gain access. 
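
The checks described under Over-Permissioned Access and Application-Level Access can be run as a periodic audit of vendor grants. The following is an added example, not code from this article or from Cyolo's product; the record fields (vendor, target, ports, mfa, expires), the sample grants, and the 30-day review interval are all assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

MAX_GRANT = timedelta(days=30)  # assumed review interval, not from the article

def audit_grant(grant, now):
    """Return a list of findings for one third-party access grant."""
    findings = []
    # A target that resolves to more than one address is network-level access,
    # not access to a single application endpoint.
    net = ipaddress.ip_network(grant["target"], strict=False)
    if net.num_addresses > 1:
        findings.append(f"network-level scope ({net.num_addresses} addresses)")
    if not grant.get("ports"):
        findings.append("no application port restriction")
    if not grant.get("mfa"):
        findings.append("MFA not enforced")
    # Grants without an end date, or left in place after it, accumulate
    # into standing over-permissioned access.
    expires = grant.get("expires")
    if expires is None:
        findings.append("no expiry")
    elif expires < now:
        findings.append("expired grant still present")
    elif expires - now > MAX_GRANT:
        findings.append("expiry beyond review interval")
    return findings

def audit(grants, now):
    """Map each vendor with at least one finding to its findings."""
    return {g["vendor"]: f for g in grants if (f := audit_grant(g, now))}

# Constructed sample grants (hypothetical vendors and addresses)
NOW = datetime(2024, 1, 16)
GRANTS = [
    {"vendor": "plc-vendor-a", "target": "10.20.0.0/16", "ports": [],
     "mfa": False, "expires": None},
    {"vendor": "hmi-vendor-b", "target": "10.20.5.14/32", "ports": [443],
     "mfa": True, "expires": datetime(2024, 1, 23)},
    {"vendor": "historian-vendor-c", "target": "10.20.7.30", "ports": [1433],
     "mfa": True, "expires": datetime(2023, 12, 1)},
]

if __name__ == "__main__":
    for vendor, findings in audit(GRANTS, NOW).items():
        print(vendor, "->", "; ".join(findings))
```
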

Access and Oversight Controls 

A major reason why third-party access is so risky is that organizations typically have little visibility into what these users are doing after being granted access. The solution here is to implement robust access and oversight controls that give IT and security teams the power to limit third-party access privileges (for instance, blocking the ability to copy-paste) and monitor third-party sessions in real time. This is precisely what Cyolo offers, along with additional capabilities like supervised access and session recording and logging.

The Future of Third-Party Access and Collaboration 

Third-party vendors and contractors are a crucial extension of the team for many if not most modern industrial enterprises, and their importance is not going to decline any time soon. Organizations must therefore take the necessary steps to mitigate the risks that third parties pose.  

The Cyolo RPAM solution was purpose-built to overcome the challenges of both third-party access and OT systems access. With Cyolo, security teams can regain control over the third-party users and devices inside their systems, allowing organizations to enjoy the numerous benefits of these relationships without the added risk. 

Jennifer Tullman-Botzer

Author

Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.
