TL;DR: Remote maintenance is indispensable in networked production environments, but uncontrolled third-party access expands the OT attack surface and complicates NIS2 compliance, according to Imprivata’s analysis of vendor access, session monitoring, and auditability. The governance lesson is that visibility and time-bound approval are now core control requirements, not optional add-ons.
At a glance
What this is: The article argues that remote maintenance in manufacturing creates OT and compliance risk unless third-party access is tightly controlled, time-bound, and auditable.
Why it matters: It matters because IAM, PAM, and governance teams must treat vendor access in production as a regulated identity problem, not just a connectivity issue.
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
👉 Read Imprivata's analysis of secure remote maintenance and NIS2 in manufacturing
Context
Remote maintenance in manufacturing is no longer an edge case. Modern production environments depend on vendors, integrators, controllers, sensors, and service teams that need access to operational technology, so the identity problem is no longer limited to human users inside the enterprise perimeter.
The governance gap is that many organisations still treat remote access as a network connectivity issue instead of a privileged identity problem. In OT, the real requirement is controlled, observable, time-bound access to systems that can affect availability, production quality, and safety.
NIS2, BSI guidance, and IEC 62443 all point in the same direction: remote access in industrial environments must be explicitly authorised, centrally governed, and auditable. That makes vendor privileged access management a control model, not just a convenience layer.
Key questions
Q: What breaks when vendor remote access in OT is not tightly controlled?
A: Uncontrolled vendor access turns maintenance into an open-ended production risk. Without session-scoped approval, identity binding, and auditability, external users can reach sensitive assets longer than needed and create exposure that is difficult to detect, contain, or prove after the fact.
A: Manufacturing access can affect availability, safety, and product quality, not just data confidentiality. That means a vendor session is a privileged operational event, so organisations need stronger identity proof, tighter scope, and better visibility than they would typically require for ordinary enterprise remote access.
Q: What do security teams get wrong about remote maintenance governance?
A: Many teams focus on the connection method and ignore the identity and session controls behind it. The real control problem is whether the organisation can limit, observe, and later reconstruct what a vendor identity did inside a production environment.
Q: Who is accountable when a vendor session touches a production system outside the approved scope?
A: Accountability sits with the organisation that granted the access and the governance model that permitted it. In regulated environments, teams should be able to show who approved the session, what limits were set, and what evidence proves the vendor stayed within scope.
Technical breakdown
Vendor privileged access in OT environments
Vendor privileged access management, or VPAM, is a controlled access model for external service providers who need elevated reach into production systems. The technical difference from ordinary remote access is that access is session-scoped, identity-bound, and intended to expose only the minimum systems and commands required for a task. In industrial environments, that matters because the same session may touch PLCs, HMIs, engineering workstations, or maintenance interfaces. Without granularity, the access path becomes broader than the maintenance task itself.
Practical implication: replace broad vendor connectivity with task-scoped sessions tied to named identities and specific assets.
Why audit trails matter more in manufacturing than in IT
Auditability in OT is not just evidence collection after the fact. It is the ability to reconstruct who accessed which asset, when the session began and ended, what commands were issued, and whether the action stayed within approved scope. For manufacturing, that evidence supports incident response, change validation, and regulatory defence. Session recording, immutable logs, and central approval flow are therefore part of operational control, not just compliance paperwork. If the access path is invisible, it cannot be governed.
Practical implication: require session recording and central log retention for every privileged vendor connection.
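As an added illustration of the session-scope and audit-trail points above (not code from the article or from Imprivata), the following Python checks a recorded vendor session against its time-bound approval and summarises the blast radius actually reached. The log format, vendor id, asset and command names and the approval record are all constructed for this example and do not reflect any particular VPAM product's schema.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
@dataclass(frozen=True)
class Approval:
    vendor: str          # named external identity the session is bound to
    approver: str        # who authorised the window (part of the evidence trail)
    assets: frozenset    # OT assets the task may touch
    commands: frozenset  # command classes permitted for the task
    start: datetime
    end: datetime        # hard stop: access must not outlive the task

def parse_log(text):
    """Parse constructed log lines: '<ISO-8601 ts> vendor=<id> asset=<id> cmd=<name>'."""
    events = []
    for line in text.strip().splitlines():
        ts, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), **fields})
    return events
def check_session(approval, events):
    """Findings per event; an empty list means the session stayed within approved scope."""
    findings = []
    for e in events:
        when = e["ts"].strftime("%H:%M")
        checks = [
            (e["vendor"] == approval.vendor, f"identity {e['vendor']} is not the approved identity"),
            (approval.start <= e["ts"] <= approval.end, "activity outside the approved window"),
            (e["asset"] in approval.assets, f"asset {e['asset']} outside approved scope"),
            (e["cmd"] in approval.commands, f"command {e['cmd']} not permitted for this task"),
        ]
        findings += [f"{when} {msg}" for ok, msg in checks if not ok]
    return findings

def blast_radius(events):  # what the session actually reached, for the post-session review
    stamps = [e["ts"] for e in events]
    return {"assets": sorted({e["asset"] for e in events}),
            "duration_min": int((max(stamps) - min(stamps)).total_seconds() // 60)}
APPROVAL = Approval(  # constructed approval record for one maintenance task
    vendor="acme-svc-01", approver="plant-ops-lead",
    assets=frozenset({"PLC-07", "HMI-03"}),
    commands=frozenset({"read_diagnostics", "update_parameter"}),
    start=datetime(2026, 4, 27, 9, 0, tzinfo=timezone.utc),
    end=datetime(2026, 4, 27, 11, 0, tzinfo=timezone.utc))
SESSION_LOG = """
2026-04-27T09:05:12Z vendor=acme-svc-01 asset=PLC-07 cmd=read_diagnostics
2026-04-27T09:41:03Z vendor=acme-svc-01 asset=PLC-07 cmd=update_parameter
2026-04-27T10:20:45Z vendor=acme-svc-01 asset=PLC-09 cmd=read_diagnostics
2026-04-27T11:32:00Z vendor=acme-svc-01 asset=HMI-03 cmd=upload_program
"""
```

Running `check_session(APPROVAL, parse_log(SESSION_LOG))` on the constructed log flags the out-of-scope asset at 10:20 and both the expired window and the unapproved command at 11:32, which is exactly the reconstruction an auditor or incident responder needs.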
How NIS2 changes the access-control baseline
NIS2 raises the bar by tying access control to cyber risk management, supply-chain oversight, and strong authentication. In practice, that means organisations must be able to show that third-party access is approved, limited, monitored, and attributable. The article also aligns this with BSI expectations for explicit approval and time limits, plus IEC 62443’s wider OT security model. The control logic is straightforward: if a vendor can touch production, the organisation must be able to prove exactly how that access was constrained.
Practical implication: map vendor access controls to NIS2 evidence requirements before the next audit cycle.
Breaches seen in the wild
- LiteLLM PyPI package breach — LiteLLM PyPI supply chain attack, credentials stolen from users.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Vendor access is a privileged identity problem, not a remote-connectivity problem. The article’s core issue is that industrial environments now depend on external identities that can affect production states, not just data systems. Once a vendor session can change machine behaviour, the control model has to shift from network reachability to identity governance, approval, and observability. Practitioners should treat remote maintenance as a privileged workflow with OT consequences.
Time-bound approval is the control that separates maintenance from standing exposure. In manufacturing, the article shows why permanent or open-ended vendor access is structurally misaligned with operational risk. A session that outlives the maintenance task becomes a governance defect, not merely a bad configuration. The practitioner takeaway is that access duration and session scope are inseparable from risk acceptance in OT.
Auditability is now part of operational resilience, not a reporting afterthought. NIS2 and OT guidance converge on a simple point: if you cannot reconstruct remote activity, you cannot defend the production environment. That makes session recording, evidence trails, and central oversight foundational controls for regulated manufacturing. Teams that treat logs as optional will struggle to prove compliance and to investigate incidents with confidence.
Zero-trust remote access is becoming the default expectation for third-party production work. The article reflects a broader shift in the market toward identity-based control planes for external access across OT, IT, and supplier ecosystems. The practical implication is that organisations should evaluate whether their current remote-access model can prove identity, limit scope, and preserve evidence under regulatory scrutiny.
The named concept here is vendor access blast radius: the amount of production impact a third-party identity can create before the session is contained. In OT, blast radius is defined by what the vendor can reach, what the session can modify, and how quickly the access can be revoked or observed. Practitioners should assess vendor access by potential production consequence, not by convenience or connectivity model.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which helps explain why remote-access governance keeps failing at the identity layer.
- The next step is to pair lifecycle visibility with policy enforcement, using the NHI Lifecycle Management Guide to tighten offboarding, revocation, and review paths.
What this signals
Vendor access blast radius: the field needs a better way to measure how much production damage a third-party identity can cause before containment. In practice, that means evaluating not only who can connect, but how far the session can move, what it can alter, and whether the evidence trail survives a regulatory review.
With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, the same privilege-creep dynamics that affect machine identities can also undermine supplier access in industrial settings. That is why OT governance increasingly overlaps with identity lifecycle discipline.
Teams should expect remote-access controls to be assessed as part of resilience and supply-chain governance, not just local plant security. The practical shift is toward explicit approvals, evidence-rich sessions, and periodic review of vendor entitlements across all production zones.
For practitioners
- Inventory all third-party production access: Map every external vendor, integrator, and service partner that can reach OT assets, then classify each path by asset sensitivity, privilege level, and business criticality.
- Enforce session-scoped approvals: Require explicit approval before each vendor session begins, limit the session to the maintenance task, and close access as soon as the task is complete.
- Record and retain every privileged session: Capture session recordings, command activity, and identity attribution so that incident response and audits can reconstruct exactly what happened on the plant floor.
- Align vendor access evidence to NIS2 controls: Prepare proof of authentication, access limitation, and oversight for auditors by mapping remote-access workflows to the controls expected under NIS2 and OT guidance.
Key takeaways
- The article shows that remote maintenance in manufacturing is a privileged identity problem because vendor access can affect production outcomes, not just data access.
- The governance case is reinforced by regulatory and operational evidence, with NIS2, BSI guidance, and OT best practice all pushing toward explicit approval and auditability.
- The control most likely to reduce risk is session-scoped, identity-bound access with full recording, so organisations can limit blast radius and prove what happened.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack surface, NIST CSF 2.0 sets the technical controls, and NIS2 defines the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Third-party privileged access depends on controlled lifecycle and revocation. |
| NIST CSF 2.0 | PR.AC-4 | Remote maintenance requires least-privilege access control and identity proofing. |
| NIS2 | Art. 21 | The article maps directly to access control, supply-chain, and authentication duties. |
Document vendor access governance so you can prove risk management and control effectiveness.
Key terms
- Vendor Privileged Access Management: A controlled access model for external suppliers who need elevated access to production or enterprise systems. It combines identity verification, approval, session restriction, and logging so third-party work can happen without giving vendors broad or permanent reach into critical assets.
- Session-scoped access: Access that exists only for a specific task and ends when the task ends. In industrial environments, session-scoped access matters because it limits how far a vendor can move through systems and ensures the organisation can revoke the path as soon as maintenance is complete.
- Audit trail: A record that shows who accessed what, when, and what happened during the session. For manufacturing and OT, an audit trail is more than compliance evidence. It is the foundation for incident reconstruction, accountability, and verifying whether privileged work stayed inside approved boundaries.
- Blast radius: The amount of operational damage a compromised or misused identity can create before it is contained. In OT, blast radius includes production impact, availability disruption, and the scope of systems a vendor identity can touch during a single remote session.
Deepen your knowledge
Vendor access governance and privileged session control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for industrial remote maintenance, it is worth exploring.
This post draws on content published by Imprivata: secure remote maintenance and NIS2 compliance in manufacturing. Read the original.
Published by the NHIMG editorial team on 2026-04-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org