Manufacturing access can affect availability, safety, and product quality, not just data confidentiality. That means a vendor session is a privileged operational event, so organisations need stronger identity proof, tighter scope, and better visibility than they would typically require for ordinary enterprise remote access.
Why Manufacturing Access Needs a Different Control Model
Manufacturing third-party access is not just a remote support problem. A vendor session can change PLC logic, adjust recipes, stop lines, or alter quality thresholds, so the security impact extends into availability and safety. That is why standard enterprise remote access patterns are too loose: they assume the main risk is data exposure, while factory access can directly affect production outcomes. Guidance from the OWASP Non-Human Identity Top 10 reinforces that machine and service identities need tighter governance because privilege often expands faster than teams realise. NHIMG research also shows why this matters operationally: in the Ultimate Guide to NHIs, 92% of organisations expose NHIs to third parties, which broadens supply chain exposure far beyond normal user access. In practice, many security teams discover the weakness only after a maintenance window has already become an incident, rather than through intentional control design.
How It Works in Practice
Manufacturing environments usually need a layered control set that treats every vendor session as a privileged operational event. That means strong identity proof at the point of entry, tightly scoped entitlements, and session-level visibility across remote access, jump hosts, and OT-adjacent tooling. The practical goal is to make access specific, time-bound, and observable rather than persistent and broadly trusted. PCI DSS v4.0 is not an OT framework, but its emphasis on restricting access to sensitive systems and monitoring privileged activity is directionally useful for manufacturing zones that support regulated production or payment-adjacent processes. NHIMG’s 52 NHI Breaches Analysis shows how quickly over-permissioned identities turn into compromise paths when credentials are reused or poorly governed.
- Use just-in-time access instead of standing vendor accounts, with automatic expiry after the task or window ends.
- Bind access to named assets, named applications, and named actions, not to a generic “plant support” role.
- Require step-up approval for high-risk actions such as logic changes, firmware updates, or quality parameter overrides.
- Record sessions with enough detail to reconstruct what was changed, when, and by whom.
For vendor tools that act autonomously, current guidance suggests applying the same discipline to secrets, API tokens, and machine identities that would be used for human privileged access. These controls tend to break down when legacy PLCs, shared engineering workstations, or always-on vendor tunnels prevent per-session enforcement because the environment cannot support short-lived authorization or reliable logging.
Common Variations and Edge Cases
Tighter third-party control often increases operational overhead, requiring organisations to balance faster maintenance against stronger containment. That tradeoff is especially visible in plants that run 24/7, rely on specialist OEM support, or still depend on legacy systems that cannot handle modern federation or per-request policy checks. In those cases, best practice is evolving rather than settled, and teams often combine compensating controls such as supervised vendor sessions, air-gapped support accounts, and temporary network paths. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks notes that 97% of NHIs carry excessive privileges, which is a useful reminder that over-broad access is not an edge case but a common failure mode. For organisations aligning to Ultimate Guide to NHIs — Standards, the practical standard is to minimise trust first, then preserve maintainability with strong approval workflows and session oversight. The main exception is emergency response: when safety or uptime requires break-glass access, the control objective shifts from prevention to rapid containment, forensic traceability, and post-event revocation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers excessive privilege and credential governance for third-party identities. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero Trust access decisions fit vendor sessions that must be limited and verified. |
| NIST AI RMF | Useful where manufacturing tools or support workflows include autonomous software agents. |
Set governance for any autonomous workload that can act in production and require human-defined limits and accountability.
