Secure Third-Party Access with OT Best Practices You Can Trust
Third-party vendors are essential to keeping Operational Technology (OT) environments running efficiently and reliably, especially in critical infrastructure sectors. Partners like GE, Siemens, and your Managed Services Provider (MSP) often serve as an extension of your team. But without the right guardrails, they can also become one of the most significant OT cybersecurity threats.
These vendors typically have deep, privileged access:
- Modifying control system configurations
- Adjusting firewall rules
- Supporting real-time critical operations
That level of involvement brings value, but it also introduces risk if it is not properly managed and, importantly, continuously monitored.
In many cases, issues arise not from bad intent but from a lack of alignment and communication. A vendor might connect to the control network without going through the proper channels. Another might install a remote access tool for convenience, without approvals or security controls. Legacy infrastructure you believed was shut down may be left behind, unpatched, and unmonitored.
This blog explores how third-party vendors can impact your OT security and the best practices you can follow to stay secure, compliant, and in control.
How Vendors Introduce Risk—And What Happens When They Do
- Undefined boundaries around critical infrastructure
OT environments require strict segmentation between business and control systems. However, ProArch has repeatedly observed this security boundary being bypassed, often unintentionally, when vendors make changes without proper oversight or coordination.
A vendor once added a remote access rule that granted full access from the business network into the OT environment—without alerts, approvals, or oversight. The issue went undetected until a new Managed Service Provider reviewed the firewall and identified the risk. This highlights the critical need for strict controls and continuous monitoring of vendor activity in OT environments to prevent hidden vulnerabilities.
- Decisions made in isolation
Most vendors are brought in to address specific issues within the confines of their own systems. But without understanding how their work fits into the larger architecture, their actions can have unintended ripple effects.
We’ve seen systems go down or become exposed simply because a vendor wasn’t aware of what else depended on the change they made.
- One change = An exposed attack surface
We’ve seen vendors take well-intentioned shortcuts—like installing remote access tools (e.g., TeamViewer), dropping “any-any” firewall rules, or completely bypassing the OT firewall by connecting systems like CEMS or FactoryTalk directly to the business network. These actions may simplify connectivity in the moment, but they can quietly open dangerous doors into your critical OT environment.
Without proper controls in place, well-meaning actions become silent entry points for attackers—the kind that eventually make headlines. What seems like a quick fix today can become tomorrow’s incident response.
- Legacy infrastructure left behind and unsupported
Even after a project ends, risk can stick around. In one case, a vendor-installed system failed mid-operation—no backups, no replacement plan, and no documentation.
The equipment had been left running unpatched for years, and when it failed, both the function and data were lost. No one realized how critical or unsupported it was until it broke.
Best Practices for Managing OT Third-Party Vendors
Bringing in third-party vendors to support OT systems isn’t optional—it’s the norm. But without strong controls and expectations, vendors can easily become the weakest link in your security chain. Here’s what needs to be locked down:
- Define and Enforce Network Boundaries – In critical infrastructure, firewalls and security controls must clearly define the boundary between internal OT systems and vendor-accessible zones. This segmentation reduces exposure and limits lateral movement in the event of a breach. Set the expectation early—make it clear to vendors that bypassing security controls is not acceptable, even when installing or upgrading systems.
- Use an Electronic Security Perimeter (ESP) – According to NERC CIP regulations, entities must define Electronic Security Perimeters (ESPs) around BES Cyber Systems. These perimeters determine how vendors and personnel should access critical systems—typically through a monitored and controlled Electronic Access Point (EAP). This process ensures all connections are compliant, auditable, and aligned with NERC CIP access control requirements.
- Work with Vendors Who Understand OT – This isn’t traditional IT—your vendors need to understand the unique demands of Operational Technology, including emissions monitoring, plant uptime, and continuous operations. When it comes to managed services, choose partners with a proven track record in OT security, not just generic IT experience. The difference could determine whether your plant stays online—or ends up in an incident report.
- Continuously Monitor Network Activity – Visibility into your environment can’t end at deployment. Continuous network monitoring not only strengthens security by discovering unmanaged assets, detecting unusual vendor behavior, and flagging shadow access, but also provides valuable operational insights that help optimize performance and maintain system health. This ongoing visibility is crucial for effective risk management and ensuring smooth, reliable operations.
- Maintain an Accurate Asset Inventory – You can’t protect what you don’t track. Maintaining a dynamic, up-to-date inventory that clearly identifies vendor-managed assets is essential—not only for security but also for audits, incident response, and patch management. The continuous network monitoring described in point 4 is a practical way to achieve this visibility.
- Enforce Secure Remote Access – Follow NERC CIP-003-9 standards by establishing secure, auditable remote access channels. Every session must be monitored, logged, and tied to a verified identity. No exceptions. Pay close attention to the new Requirement Section 6.3. It mandates the ability to detect both known and suspected malicious communications—inbound and outbound—for all interactive remote access to BES Cyber Systems. This means you need visibility into the sessions of the vendors you trust, not just into traffic that is obviously malicious.
- Demand Regular Vulnerability Reports – If a vendor has a footprint in your environment, they should be delivering regular vulnerability reports. This ensures you’re not blindsided by risks that slipped through change windows or software updates.
- Apply Zero Trust to Vendor Access – I’ve always liked the saying, “Trust but verify.” When it comes to vendors, use Zero Trust principles to isolate vendor access, limit privileges, and enforce least privilege rules—especially for those who only need temporary or limited access.
- Prioritize Patch Management and High Availability – Vendors often operate with a project-based mindset—focused on short-term delivery, not long-term resilience. That’s why it’s critical to explicitly define requirements for patching windows, uptime expectations, and system redundancy. Redundancy isn’t just a luxury—it’s what enables non-impactful upgrades and seamless patching. Don’t assume high availability will be built in unless it’s clearly requested, documented, and budgeted for.
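The business-to-OT rule found during the firewall review above, and the "any-any" shortcuts mentioned earlier, are the kind of drift a periodic ruleset audit catches. The following is an added example, not ProArch's or any vendor's code: it assumes a constructed three-zone layout (business, vendor access zone acting as the EAP, OT) and a simplified rule format, and flags rules that cross the OT boundary without passing through the vendor access zone or without a change-control reference.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone layout for this example: the control network ("ot") should only be
# reachable from the monitored vendor access zone ("vendor_dmz", the Electronic Access Point).
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "vendor_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot": ipaddress.ip_network("10.30.0.0/16"),
}
ANY = "any"

@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # e.g. "tcp/443" or "any"
    ticket: str   # change-control reference, "" if the rule was added without one

def zone_of(cidr: str) -> str:
    """Map a CIDR (or 'any') to the zone that contains it; ranges outside ZONES are 'unknown'."""
    if cidr == ANY:
        return ANY
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unknown"

def audit(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule_id, finding) pairs for rules that violate the OT boundary policy."""
    findings = []
    for r in rules:
        src, dst = zone_of(r.src), zone_of(r.dst)
        if src == ANY and dst == ANY:
            findings.append((r.rule_id, "any-any rule: no source or destination restriction"))
        if dst == "ot" and src in ("business", ANY):
            findings.append((r.rule_id, "reaches OT without passing through the vendor access zone"))
        if dst == "ot" and not r.ticket:
            findings.append((r.rule_id, "OT rule has no change-control reference"))
    return findings

# Constructed sample ruleset: R2 mirrors the business-to-OT rule described in the post,
# R3 is an "any-any" shortcut, R1 and R4 follow the expected path through the vendor zone.
SAMPLE_RULES = [
    Rule("R1", "10.20.0.0/24", "10.30.0.0/16", "tcp/443", "CHG-1042"),
    Rule("R2", "10.10.0.0/16", "10.30.0.0/16", "any", ""),
    Rule("R3", "any", "any", "any", ""),
    Rule("R4", "10.10.4.0/24", "10.20.0.0/24", "tcp/3389", "CHG-1050"),
]
```

Running `audit(SAMPLE_RULES)` reports R2 twice (boundary bypass and missing ticket) and R3 once; a real deployment would feed it the exported ruleset on every change window and alert on any new finding.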
Third-Party Risk Is Real. Oversight Isn’t Optional.
Most vendors aren’t malicious—they’re simply focused on their specific deliverables. The problem? OT environments aren’t isolated. A vendor might configure a system, wrap up the project, and move on—without considering the broader impact on your overall operations.
This project-based mentality—“in and out, job done”—doesn’t work for critical infrastructure, and it certainly doesn’t set you up for long-term manageability. A missed patch, a poorly configured remote access tool, or an unmanaged asset can leave behind security and operational gaps that persist long after the vendor is gone.
If you’re not explicitly asking for high availability or long-term support, chances are, you’re not getting it. And if you think you are—double-check your contract.
Why ProArch’s OTIMS Stands Apart
At ProArch, we’ve seen this story repeat itself—across power plants, manufacturing lines, and critical infrastructure. Vendors come in, deliver a project, and move on—often leaving behind unseen risks and unmanaged systems.
That’s why ProArch’s OTIMS (Operational Technology Insights & Managed Services) focuses on what really matters:
- Real-time asset visibility
- Vendor accountability
- Enforceable security and compliance standards
In OT environments, every connection, firewall rule, and exception must be understood, validated, and continuously monitored. It’s not just about what your vendors are doing—it’s about what they’re leaving behind.
You don’t just need a set of rules—you need a partner who enforces them, manages change, and keeps your operation secure long after the last technician leaves.
ProArch’s OTIMS delivers visibility, control, and compliance. Learn more.

Parijat, Assistant Manager, Content, helps shape ProArch’s brand voice, turning complex tech concepts into clear, engaging content. Whether it’s blogs, email campaigns, or social media, she focuses on making ProArch’s messaging accessible and impactful. With experience in Oracle, Cloud, and Salesforce, she blends creativity with technical know-how to connect with the right audience. Beyond writing, she ensures consistency in how ProArch tells its story—helping the brand stay strong, authentic, and aligned with its vision.