Every OT environment we assess has vendor remote access. Every one. Integrators need to troubleshoot. OEMs need to update firmware. Equipment vendors need to pull diagnostics. It is operationally unavoidable.
It is also, across the facilities we have reviewed, the single most common contributing factor to OT incidents. In our 2025 engagement data, 34% of intrusions involved vendor remote access as an initial or contributing vector.
What we actually find
A typical list of vendor remote-access pathways at a mid-size facility, as they surface during discovery:
- A site-to-site VPN to the controls integrator, terminating directly into the OT network
- A PC in the engineering office with a TeamViewer-like tool that the OEM uses on request
- A cellular modem attached to a PLC chassis by the equipment vendor during commissioning
- A shared VPN credential that five different integrators have
- An SSH-tunneled connection to a historian for the analytics vendor
- A "temporary" remote desktop connection that was enabled 3 years ago and never disabled
Usually, the facility's documentation lists two of these. The other four surface during discovery.
The common failure modes
- Shared credentials. Five people with "the vendor password."
- Permanent access. Access that was granted in 2021 and never revisited.
- Broad network reach. Vendor VPN tunnels that deposit the vendor on a subnet where they can reach far more than their device.
- No session recording. When the vendor's actions matter for post-incident analysis, there's no record.
- MFA optional or absent. A stolen credential walks right in.
What good vendor remote access looks like
Four properties, all simultaneously:
- Per-vendor credentials. One integrator, one set of credentials. When a person leaves the integrator, the credential is revoked.
- Jump host architecture. Vendors authenticate to a bastion host. From the bastion host, they reach the specific target system. No direct VPN into the OT network.
- MFA. No exceptions. If the vendor cannot do MFA, the vendor uses a workstation in your facility, in person or supervised.
- Session recording and time-boxed access. Recordings retained per policy. Access active only during approved windows, or limited to the duration of a specific engagement.
Implementing this requires specific tooling — there are several vendor-privileged-access products that do this well — and process work with each integrator to transition them to the new model. The operational lift is moderate. The risk reduction is substantial.
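The following is an added example, not tooling from the Cascadia practice or from any vendor-privileged-access product. It models a vendor-pathway inventory like the one found during discovery and checks each pathway against the four properties above (the field names, the constructed inventory and the reference date are assumptions made for the example). An empty finding list means the pathway is the single auditable channel; anything else is a failure mode to rationalize away.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


# Constructed model of one vendor remote-access pathway. Field names are
# assumptions for this example, not a schema from any real product.
@dataclass
class Pathway:
    name: str
    vendor: str
    credential_scope: str       # "per-vendor" or "shared"
    terminates_on: str          # "bastion" or "ot-network"
    mfa: bool
    session_recorded: bool
    expires: Optional[date]     # None means permanent access
    authorized_targets: int     # systems the vendor is supposed to reach
    reachable_targets: int      # systems the pathway actually exposes


def evaluate(p: Pathway, today: date) -> list[str]:
    """Return the failure modes a pathway exhibits. An empty list means it
    satisfies all four properties: per-vendor credentials, jump host,
    MFA, and recorded, time-boxed access."""
    findings = []
    if p.credential_scope != "per-vendor":
        findings.append("shared credentials")
    if p.terminates_on != "bastion":
        findings.append("direct access, no jump host")
    if p.reachable_targets > p.authorized_targets:
        findings.append("broad network reach")
    if not p.mfa:
        findings.append("no MFA")
    if not p.session_recorded:
        findings.append("no session recording")
    if p.expires is None:
        findings.append("permanent access")
    elif p.expires < today:
        # Window ended but nobody disabled the pathway: the "temporary" case.
        findings.append("access window expired but still enabled")
    return findings


def audit(inventory: list[Pathway], today: date) -> dict[str, list[str]]:
    """Map every pathway name to its list of findings."""
    return {p.name: evaluate(p, today) for p in inventory}


def compliant_channels(inventory: list[Pathway], today: date) -> list[str]:
    """Names of pathways with no findings; ideally exactly one bastion."""
    return [p.name for p in inventory if not evaluate(p, today)]


# Constructed inventory mirroring the pathways listed earlier in the article.
INVENTORY = [
    Pathway("site-to-site VPN to integrator", "controls integrator",
            "shared", "ot-network", False, False, None, 4, 60),
    Pathway("TeamViewer-like tool on engineering PC", "OEM",
            "per-vendor", "ot-network", False, False, None, 1, 1),
    Pathway("cellular modem on PLC chassis", "equipment vendor",
            "per-vendor", "ot-network", False, False, None, 1, 1),
    Pathway("shared VPN credential", "five integrators",
            "shared", "ot-network", False, False, None, 5, 60),
    Pathway("SSH tunnel to historian", "analytics vendor",
            "per-vendor", "ot-network", False, False, None, 1, 1),
    Pathway("temporary remote desktop", "OEM",
            "per-vendor", "ot-network", False, False, date(2022, 7, 1), 1, 1),
    # The target state: one bastion channel with all four properties.
    Pathway("vendor bastion", "all vendors",
            "per-vendor", "bastion", True, True, date(2025, 12, 31), 1, 1),
]

if __name__ == "__main__":
    today = date(2025, 6, 1)   # constructed reference date
    for name, findings in audit(INVENTORY, today).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
    print("compliant channels:", compliant_channels(INVENTORY, today))
```

Run as-is it prints one line per pathway; in practice the inventory would be populated from the site's VPN, firewall and remote-tool configurations, and the audit rerun on each access review so that expired windows are caught rather than quietly left enabled.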
The conversation with your integrator
If you raise vendor remote access with your integrator and they resist, pay close attention. Integrators who push back on jump-host architecture, MFA, or per-person credentials are revealing something about their operational maturity. Those are the integrators you want to supervise most closely.
Most integrators, in our experience, are glad to move to a more structured model. The ones whose practices predate the modern approach adopted it grudgingly. The ones that started after have never operated any other way.
The takeaway
Inventory your vendor remote-access pathways. All of them. Then rationalize them down to a single auditable channel. This is one of the highest-leverage projects any OT-operating facility can undertake, and the return is measurable in risk reduction.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.