
What breaks when vendor remote access in OT is not tightly controlled?

By NHI Mgmt Group Editorial Team Updated June 6, 2026 Domain: Governance, Ownership & Risk

Uncontrolled vendor access turns maintenance into an open-ended production risk. Without session-scoped approval, identity binding, and auditability, external users can reach sensitive assets longer than needed and create exposure that is difficult to detect, contain, or prove after the fact.

Why This Matters for Security Teams

Vendor remote access in OT is not just another privileged path. It creates a standing trust relationship with an outside party, and it often sits outside the assumptions behind the organisation's own identity controls; the OWASP Non-Human Identity Top 10 catalogues the secrets and identity failure modes that typically result. If that access is not session-scoped, identity-bound, and tightly monitored, the vendor can reach engineering workstations, HMIs, historians, hosts adjacent to PLCs, or jump hosts long after the maintenance need has ended. That expands the blast radius, weakens accountability, and makes incident reconstruction far harder.

NHIs are often part of the same risk pattern. The Ultimate Guide to NHIs reports that 92% of organisations expose NHIs to third parties, a useful signal for why vendor paths become governance problems rather than simple connectivity issues. In OT, the operational cost of a mistake is higher because availability, safety, and recovery time all matter at once. In practice, many security teams discover the weakness only after a vendor account outlives the maintenance window or a remote session turns out never to have been fully logged, not through deliberate access design.

How It Works in Practice

A tightly controlled OT vendor workflow should treat remote access as a temporary, auditable exception. The vendor identity should be known in advance, tied to a named person or an approved service account, and mapped to a narrow scope of assets and tasks. Current guidance (see the Ultimate Guide to NHIs, Key Challenges and Risks) suggests combining NHI governance with zero trust controls so access is granted only when a request is approved, the session is active, and the purpose is explicit.

Practitioners usually need four controls working together:

  • Session-scoped approval through PAM so access exists only for the maintenance window.
  • Strong identity binding so the vendor cannot reuse shared credentials or anonymous jump paths.
  • JIT credential issuance with short TTLs, so secrets expire automatically after the task.
  • Full session recording and command-level audit logs for post-incident verification.

Operationally, this aligns with the idea that identities are not just users but all entities that access systems, which is why the 52 NHI Breaches Analysis remains relevant to OT environments where shared accounts, stale tokens, and weak offboarding often coexist. A good model also separates remote entry from direct control-plane access: the vendor may connect to a broker or bastion, but not move freely across the OT enclave. If the platform cannot enforce least privilege, short-lived access, and monitored termination, the session becomes effectively permanent even if the calendar says otherwise.

These controls tend to break down when vendors rely on shared laptops, unmanaged credentials, or always-on tunnels because the organisation loses reliable identity, context, and revocation.

Common Variations and Edge Cases

Tighter vendor control often increases coordination overhead, requiring organisations to balance safety against maintenance speed and plant uptime. That tradeoff is real in OT, especially for emergency support, rotating shift coverage, and legacy equipment that cannot integrate cleanly with modern IAM. Best practice is evolving, and there is no universal standard for every industrial stack, but the direction is clear: minimise standing trust and force every remote action to justify itself at runtime.

One common edge case is break-glass access. In urgent restoration scenarios, a vendor may need immediate entry before normal approvals are complete. That exception should still be time-boxed, heavily monitored, and reviewed after the fact. Another edge case is multi-tier support chains, where the original vendor subcontracts part of the work. Unless the organisation explicitly re-authorises each delegate, the access chain becomes opaque and audit evidence becomes weak.

OT also complicates revocation. A credential can be disabled in IAM while a VPN, remote desktop, or jump host session remains active elsewhere, because an established session is typically not re-authenticated against the directory until it reconnects. That is why current practice pairs offboarding with network termination and session kill capability. For deeper background, the Ultimate Guide to NHIs (Standards) is useful for governance framing, while the OWASP Non-Human Identity Top 10 helps teams map the identity and secrets failure modes that usually sit underneath vendor access failures.
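The four controls listed under How It Works in Practice (session-scoped approval, identity binding, JIT credentials with short TTLs, command-level audit) and the revocation problem just described are easiest to see in one place, so the following is an added illustration in Python. It is not code from this page or from NHIMG, and every name in it is hypothetical: the VendorAccessBroker class, the 15-minute TTL cap, the ticket CHG-1042, the vendor identity j.smith@vendor.example, and the hosts eng-ws-01 and historian-01 are constructed for the example. The clock is injected so the scenario runs offline; a real deployment would back the token store and the session kill with the PAM or bastion product rather than an in-memory dictionary.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Approval:
    ticket: str           # PAM change/approval ticket the credential is bound to
    vendor_user: str      # a named individual, never a shared "vendor" account
    assets: frozenset     # the only hosts this approval may reach
    window_start: float   # maintenance window, seconds since epoch
    window_end: float

class AccessDenied(Exception): pass

class VendorAccessBroker:
    MAX_TTL = 15 * 60     # cap on any issued credential, in seconds (assumed value)

    def __init__(self, clock, approvals):
        self._clock = clock       # injected so the example runs offline with a fake clock
        self._approvals = {a.ticket: a for a in approvals}
        self._tokens = {}         # token -> {"ticket", "expires", "revoked"}
        self.sessions = {}        # session_id -> {"token", "vendor", "asset", "active"}
        self.audit = []           # append-only event log for post-incident reconstruction

    def _log(self, event, **fields):
        self.audit.append({"t": self._clock(), "event": event, **fields})

    def issue_credential(self, ticket, vendor_user, requested_ttl):
        now, appr = self._clock(), self._approvals.get(ticket)
        if appr is None or appr.vendor_user != vendor_user:   # identity binding
            raise AccessDenied("no approval for this identity")
        if not appr.window_start <= now < appr.window_end:     # session-scoped approval
            raise AccessDenied("outside maintenance window")
        token = secrets.token_urlsafe(24)
        expires = now + min(requested_ttl, self.MAX_TTL, appr.window_end - now)  # never outlives the window
        self._tokens[token] = {"ticket": ticket, "expires": expires, "revoked": False}
        self._log("issued", ticket=ticket, vendor=vendor_user, expires=expires)
        return token

    def _approval_for(self, token):
        """Checked on every use, not only at login: the credential must be unexpired and unrevoked."""
        rec = self._tokens.get(token)
        if rec is None or rec["revoked"] or self._clock() >= rec["expires"]:
            raise AccessDenied("credential unknown, expired or revoked")
        return self._approvals[rec["ticket"]]

    def open_session(self, token, asset):
        """Entry is through the broker only, and the target must be inside the approved scope."""
        appr = self._approval_for(token)
        if asset not in appr.assets:
            raise AccessDenied(f"{asset} is outside the approved scope")
        sid = secrets.token_hex(6)
        self.sessions[sid] = {"token": token, "vendor": appr.vendor_user, "asset": asset, "active": True}
        self._log("session_open", session_id=sid, vendor=appr.vendor_user, asset=asset)
        return sid

    def run_command(self, session_id, command):
        s = self.sessions.get(session_id)
        if s is None or not s["active"]:
            raise AccessDenied("no active session")
        self._approval_for(s["token"])   # command-level re-validation, then command-level audit
        self._log("command", session_id=session_id, vendor=s["vendor"], asset=s["asset"], cmd=command)

    def _kill(self, session_id, reason):
        self.sessions[session_id]["active"] = False
        self._log("session_killed", session_id=session_id, reason=reason)

    def revoke_vendor(self, vendor_user):
        """Offboarding disables credentials AND kills live sessions; disabling alone leaves an open RDP/VPN session running."""
        for rec in self._tokens.values():
            if self._approvals[rec["ticket"]].vendor_user == vendor_user:
                rec["revoked"] = True
        live = [sid for sid, s in self.sessions.items() if s["vendor"] == vendor_user and s["active"]]
        for sid in live:
            self._kill(sid, "identity revoked")
        return len(live)

    def sweep_expired(self):
        """Monitored termination: the broker closes sessions whose credential has expired."""
        stale = [sid for sid, s in self.sessions.items()
                 if s["active"] and self._clock() >= self._tokens[s["token"]]["expires"]]
        for sid in stale:
            self._kill(sid, "credential expired")
        return len(stale)

def demo():
    """Constructed scenario: scoped session, expiry closes it, revocation kills a live one."""
    clock = {"now": 1_000_000.0}              # fake clock, seconds
    appr = Approval("CHG-1042", "j.smith@vendor.example", frozenset({"eng-ws-01"}), 1_000_000.0, 1_003_600.0)
    broker = VendorAccessBroker(lambda: clock["now"], [appr])
    token = broker.issue_credential("CHG-1042", "j.smith@vendor.example", 4 * 3600)  # asks 4 h, gets 15 min
    sid = broker.open_session(token, "eng-ws-01")
    broker.run_command(sid, "tag-read PUMP_3.SPEED")
    clock["now"] += 20 * 60                   # past the 15-minute cap, still inside the window
    closed = broker.sweep_expired()           # 1: the session does not outlive its credential
    broker.open_session(broker.issue_credential("CHG-1042", "j.smith@vendor.example", 900), "eng-ws-01")
    killed = broker.revoke_vendor("j.smith@vendor.example")   # 1: offboarding kills the live session
    return closed, killed, [e["event"] for e in broker.audit]
```

Two points from the edge cases above are deliberately not modelled: break-glass entry would be a separate approval type with its own cap and a mandatory post-event review, and a multi-tier support chain would require one Approval per delegate so that each subcontractor is re-authorised explicitly rather than riding the original vendor's token.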

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        Control / Reference              Relevance
OWASP Non-Human Identity Top 10  NHI-03                           Vendor access often relies on secrets that outlive the maintenance window.
NIST CSF 2.0                     PR.AA-05 (PR.AC-4 in CSF 1.1)    Least-privilege access is central to constraining external OT vendors.
NIST Zero Trust (SP 800-207)                                      Zero trust is the right model for untrusted vendor pathways into OT.

Broker every vendor session, verify identity continuously, and deny implicit network trust.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org