
Why does remote vendor access increase risk in industrial environments?

Remote vendor access increases risk because it extends trust beyond the plant boundary and often relies on credentials that outlive the session. If those credentials are static or broadly reusable, they become a durable entry point into ICS and SCADA systems. The risk is not the vendor relationship itself, but uncontrolled privilege scope.

Why Remote Vendor Access Raises Operational Risk

Industrial networks rely on uptime, deterministic control, and tightly bounded trust zones. Remote vendor access disrupts that model because it brings outside credentials, outside devices, and outside operational assumptions into environments where lateral movement can have physical consequences. The biggest mistake is treating vendor access like ordinary remote IT support instead of a privileged control path into ICS and SCADA assets.

That risk is amplified when access is persistent, broadly scoped, or difficult to audit. NHIMG research shows that 92% of organisations expose non-human identities to third parties, which turns vendor pathways into a common supply chain exposure point. See Ultimate Guide to NHIs — Why NHI Security Matters Now and the OWASP Non-Human Identity Top 10 for the broader risk pattern. In practice, many security teams discover vendor access problems only after a maintenance exception has already become a standing pathway.

How Industrial Remote Access Fails in Practice

The core issue is not that vendors connect remotely, but that their access is often designed around convenience rather than identity precision. Industrial teams frequently grant VPN reach, shared accounts, or long-lived secrets that outlive the task. Once those credentials exist, they can be reused, forwarded, cached, or abused outside the intended support window. The better model is time-bounded, task-bounded access with strong accountability and fast revocation.

Current guidance suggests combining privileged access management with zero standing privilege, then issuing just-in-time access only for the specific maintenance action. That means the vendor proves who they are, the system proves what device or workload is connecting, and policy is evaluated at request time rather than through a static allow list. For identity assurance baselines, NIST SP 800-63 Digital Identity Guidelines remains relevant, while NIST Cybersecurity Framework 2.0 helps map access governance to broader risk management. NHIMG’s The 2024 ESG Report: Managing Non-Human Identities reinforces the scale of the problem: 72% of organisations have experienced or suspect a breach of non-human identities.

  • Use per-session credentials with short TTLs instead of reusable accounts.
  • Limit access to named assets, named time windows, and named maintenance objectives.
  • Log every privileged action, not just the login event.
  • Revoke access automatically when the task ends or the window expires.
  • Separate remote support for observation, command, and file transfer wherever possible.

These controls tend to break down when vendors must support legacy PLCs or historian systems that cannot enforce modern identity, session isolation, or granular authorization.
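The per-session, task-bounded model in the list above, as an added example that is not NHIMG's or any vendor's code. The `Broker` class, the `observe`/`command`/`transfer` mode names, the HMAC-signed grant format and the `MAX_TTL` ceiling are all assumptions chosen for illustration.

```python
import hashlib, hmac, json, secrets
from dataclasses import dataclass, field

MAX_TTL = 4 * 3600  # assumed policy ceiling for one maintenance window, in seconds

@dataclass
class Broker:
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    revoked: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def issue(self, vendor, assets, modes, objective, now, ttl):
        """Mint a per-session grant bound to named assets, modes and a time window."""
        if not 0 < ttl <= MAX_TTL:
            raise ValueError("requested window is outside the policy ceiling")
        claims = {"sid": secrets.token_hex(8), "vendor": vendor,
                  "assets": sorted(assets), "modes": sorted(modes),
                  "objective": objective, "nbf": now, "exp": now + ttl}
        body = json.dumps(claims, sort_keys=True)
        return body + "." + self._mac(body)

    def _mac(self, body):
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def authorize(self, token, asset, mode, action, now):
        """Evaluate policy at request time and log every action, allowed or denied."""
        body, _, tag = token.rpartition(".")
        if not hmac.compare_digest(tag.encode(), self._mac(body).encode()):
            return self._log(None, asset, mode, action, now, "deny:bad-signature")
        c = json.loads(body)
        if c["sid"] in self.revoked:
            verdict = "deny:revoked"
        elif not c["nbf"] <= now < c["exp"]:
            verdict = "deny:outside-window"
        elif asset not in c["assets"]:
            verdict = "deny:asset-not-in-scope"
        elif mode not in c["modes"]:
            verdict = "deny:mode-not-granted"
        else:
            verdict = "allow"
        return self._log(c, asset, mode, action, now, verdict)

    def revoke(self, token):  # task closed early; expiry covers the forgotten case
        self.revoked.add(json.loads(token.rpartition(".")[0])["sid"])

    def _log(self, claims, asset, mode, action, now, verdict):
        self.audit.append({"t": now, "sid": claims and claims["sid"], "asset": asset,
                           "mode": mode, "action": action, "verdict": verdict})
        return verdict
```

Because the grant expires on its own, a forgotten `revoke` call still closes the pathway, and the audit list records denied attempts as well as allowed actions.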

Where the Standard Answer Breaks Down

Tighter remote access controls often increase operational friction, requiring organisations to balance safety against uptime and vendor responsiveness. That tradeoff is real in plants with 24/7 operations, distributed assets, or equipment that only the original supplier can service. Best practice is evolving, and there is no universal standard for every industrial stack, but the direction is clear: reduce standing trust, shorten credential lifetime, and make remote support demonstrably auditable.

Edge cases include emergency break-glass access, air-gapped environments with periodic vendor servicing, and shared engineering workstations that collapse separation between users and tasks. In those situations, the safest approach is to scope exceptions tightly, record the business justification, and review the access path immediately after use. NHIMG’s Ultimate Guide to NHIs and Top 10 NHI Issues are useful references when converting vendor access from a standing entitlement into a controlled exception. The industrial reality is that most incidents start with a legitimate maintenance need that was never properly time-boxed.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Long-lived vendor credentials create the exact NHI lifecycle risk this control targets. |
| NIST CSF 2.0 | PR.AC-4 | Remote vendor pathways need least-privilege access and controlled authorization. |
| NIST Zero Trust (SP 800-207) | | Zero Trust principles fit industrial remote access where implicit trust is too broad. |

Replace reusable vendor secrets with short-lived access and enforce automatic rotation or revocation.