Systems integrators are high-value targets for attackers. A single compromised integrator gives adversaries backdoor access to dozens of industrial customers simultaneously. In 2023 and 2024, we observed at least three major integrators compromised through supply chain channels, each providing attackers with authenticated access to customer OT networks.
The attack chain is predictable: compromise the integrator's IT environment, harvest credentials and documentation, then use that access to deploy firmware updates, maintenance scripts, or remote access tools to customer facilities. Because the update appears to come from a trusted source, it bypasses many detection controls.
Why Integrators Remain Vulnerable
Integrators typically manage dozens of customer accounts from a central environment. That environment often contains network diagrams, credentials, default passwords, and firmware images for hundreds of deployed systems. A single breach provides a blueprint for attacking multiple customers with minimal additional reconnaissance.
Many integrators do not treat their own environments as OT-critical. They focus on hardening their customer deployments while leaving their internal networks vulnerable to basic attacks. We have observed integrators storing customer credentials in plaintext, sharing accounts across team members, and running outdated operating systems on machines that touch customer networks.
Vendor Management and Detection
- Credential segregation: Require your integrator to use unique, time-limited credentials for each customer engagement and environment.
- Firmware verification: Implement cryptographic verification of all firmware updates from integrators. Never apply updates without validating digital signatures.
- Network isolation: Deploy integrator remote access through dedicated jump hosts with logging and session recording. Do not grant direct VPN access to OT networks.
- Change documentation: Require integrators to provide detailed before-and-after documentation of all changes, including file hashes and configuration checksums.
Building a Supply Chain Risk Program
Your integrator is an extension of your OT environment. Treat their access with the same scrutiny you would treat an internal engineer. If you'd like to discuss vendor risk management or supply chain attack detection for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.