Industrial cybersecurity leaders are raising concerns about third-party vendor and contractor access to operational technology (OT) networks, citing critical governance gaps and calling for zero-trust and comprehensive vendor risk management practices.

A recent survey by Secomea, The State of Industrial Remote Access 2026, found a disconnect between organizations' confidence in remote access security and the reality of their audit capabilities. Only 43% of respondents reported maintaining complete audit trails of vendor sessions, revealing significant visibility gaps, particularly among enterprises managing large numbers of external vendors. Overconfidence in security is often accompanied by weaknesses in vendor oversight, credential management, and accountability. The survey identified that organizations managing between 21 and 100 vendors faced substantially higher risk of incidents, suggesting vendor-related threats frequently result from internal governance failures rather than vendor actions alone [1].

Background

Securing third-party access is a growing challenge for industrial operators that depend on external vendors for maintenance, updates, and technical support. Traditional methods such as Virtual Private Networks (VPNs) grant network-layer reachability rather than access to a specific asset: once a vendor's tunnel is up, every host the routing and firewall rules allow is reachable, least privilege is not enforced, and the VPN itself records little about what happened inside the session. That makes VPNs inadequate for restricting lateral movement or supporting forensic investigation in a compromised environment [2].

Industry analysts recommend zero-trust security, network micro-segmentation, identity and access management (IAM), and purpose-built secure remote access tools to improve vendor access governance. These controls also support compliance with standards and frameworks such as IEC 62443 and NIS2, which require stronger controls over, and monitoring of, third-party access [3].

Details

The Secomea report shows that nearly 70% of organizations now use shared IT/OT governance models, in which IT and OT teams cooperate on security and operational matters, and that this closely correlates with better operational efficiency, improved auditability, and reduced incident rates. In contrast, organizations with weak IT and OT alignment reported nearly triple the rate of vendor-related security incidents [1].

Industry-wide, session visibility remains insufficient. Fragmented use of access tools, including VPNs, OEM utilities, privileged access management (PAM) solutions, and newer OT-focused platforms, has diminished control and hindered effective oversight [1].

Zero-trust adoption has demonstrated measurable benefits in the study. Organizations applying all five core zero-trust principles achieved levels of auditability and visibility not attainable through technical tools alone, enabling more efficient vendor onboarding and stronger security postures [1].

Industrial cybersecurity experts corroborate these findings, advocating Zero Trust Network Access (ZTNA), micro-segmentation, IAM, and industrial demilitarized zones (IDMZ) as essential strategies for reducing supplier and supply chain risk. Continuous monitoring, contextual logging, and vendor-provided Software Bills of Materials (SBOMs) are cited as important controls for managing risks across first-party, third-party, and open-source software in industrial environments [4].
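
The contrast drawn above between VPN-style flat access and per-connection least privilege, and the point about session visibility, can be made concrete in code. The following is an added example written for this page; it is not code from the Secomea report, from any vendor product, or from the cited sources. It implements a default-deny broker policy in which a grant names one vendor, one destination asset or cell subnet, a port set, and a maintenance window, beside a VPN-style "any vendor, whole OT range, any port, any time" rule, and records every decision with the named vendor identity. It also includes a small audit-trail check of the kind the survey's 43% figure calls for: sessions with a start but no end, and sessions opened under a blank or shared identity, are flagged because neither can support an investigation. The vendor name, addresses, ports, window, and session records are all constructed for illustration.

```python
"""Added example: default-deny, per-connection vendor access policy for OT
assets, contrasted with a VPN-style flat rule, plus an audit-trail gap check.
Vendor names, IPs, ports, windows and session records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import ipaddress

UTC = timezone.utc


@dataclass(frozen=True)
class Grant:
    vendor: str                      # "*" = any vendor (VPN-style)
    dest: ipaddress.IPv4Network      # single asset (/32) or a cell subnet
    ports: Optional[frozenset]       # None = any port
    not_before: datetime             # maintenance window, inclusive
    not_after: datetime
    requires_mfa: bool = True


@dataclass(frozen=True)
class Request:
    vendor: str
    dest_ip: str
    dest_port: int
    at: datetime
    mfa_ok: bool


# Least privilege: one vendor, one PLC, one protocol port (Modbus/TCP), one four-hour window.
LEAST_PRIVILEGE = [
    Grant("acme-drives", ipaddress.ip_network("10.20.5.17/32"), frozenset({502}),
          datetime(2026, 3, 10, 8, 0, tzinfo=UTC), datetime(2026, 3, 10, 12, 0, tzinfo=UTC)),
]

# VPN-style posture: any vendor reaches the whole OT range, any port, any time, no MFA.
VPN_STYLE = [
    Grant("*", ipaddress.ip_network("10.20.0.0/16"), None,
          datetime.min.replace(tzinfo=UTC), datetime.max.replace(tzinfo=UTC), requires_mfa=False),
]


def evaluate(grants, req):
    """Default deny; the first grant matching vendor, destination and port decides."""
    dst = ipaddress.ip_address(req.dest_ip)
    for g in grants:
        if g.vendor not in ("*", req.vendor) or dst not in g.dest:
            continue
        if g.ports is not None and req.dest_port not in g.ports:
            continue
        if not (g.not_before <= req.at <= g.not_after):
            return False, "outside maintenance window"
        if g.requires_mfa and not req.mfa_ok:
            return False, "mfa required"
        return True, f"matched grant for {g.vendor} -> {g.dest}"
    return False, "no matching grant (default deny)"


def broker(grants, req, audit):
    """Every decision, allowed or denied, is appended to the audit list under the vendor's own identity."""
    allowed, reason = evaluate(grants, req)
    audit.append({"ts": req.at.isoformat(), "vendor": req.vendor,
                  "dst": f"{req.dest_ip}:{req.dest_port}", "allowed": allowed, "reason": reason})
    return allowed


def audit_gaps(events):
    """Flag session records that cannot support an investigation: a start with no
    matching end, or a session opened under a blank/shared identity."""
    open_sessions = {}
    gaps = []
    for e in events:
        if e["event"] == "start":
            if not e.get("vendor"):
                gaps.append(("no attributable identity", e["session"]))
            open_sessions[e["session"]] = e
        elif e["event"] == "end":
            open_sessions.pop(e["session"], None)
    gaps.extend(("no session end recorded", sid) for sid in open_sessions)
    return gaps


# Constructed requests: a legitimate Modbus session, a lateral move to an RDP
# host in another cell, and the legitimate target again after the window closes.
REQ_OK = Request("acme-drives", "10.20.5.17", 502, datetime(2026, 3, 10, 9, 30, tzinfo=UTC), True)
REQ_LATERAL = Request("acme-drives", "10.20.7.3", 3389, datetime(2026, 3, 10, 9, 31, tzinfo=UTC), True)
REQ_LATE = Request("acme-drives", "10.20.5.17", 502, datetime(2026, 3, 10, 14, 0, tzinfo=UTC), True)

# Constructed session log: s2 was never closed; s3 came in through a shared account with no vendor name.
SAMPLE_AUDIT = [
    {"session": "s1", "event": "start", "vendor": "acme-drives", "dst": "10.20.5.17:502"},
    {"session": "s1", "event": "end", "vendor": "acme-drives", "dst": "10.20.5.17:502"},
    {"session": "s2", "event": "start", "vendor": "acme-drives", "dst": "10.20.5.18:502"},
    {"session": "s3", "event": "start", "vendor": "", "dst": "10.20.7.3:3389"},
    {"session": "s3", "event": "end", "vendor": "", "dst": "10.20.7.3:3389"},
]


def demo():
    """Run the three requests through both policies and check the sample log."""
    audit = []
    results = {
        "lp_ok": broker(LEAST_PRIVILEGE, REQ_OK, audit),
        "lp_lateral": broker(LEAST_PRIVILEGE, REQ_LATERAL, audit),
        "lp_late": broker(LEAST_PRIVILEGE, REQ_LATE, audit),
        "vpn_lateral": broker(VPN_STYLE, REQ_LATERAL, audit),
    }
    return results, audit, audit_gaps(SAMPLE_AUDIT)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The same lateral request (vendor's own account, RDP to a host in a different cell) is denied by the least-privilege policy and allowed by the VPN-style rule, which is the point in the Background section: the VPN posture has no notion of which asset the vendor was contracted to touch. The broker writes a record for denied attempts as well as allowed ones, so a blocked lateral move is itself evidence in the audit trail; and the gap check shows why a blank identity or an unterminated session leaves an investigator without the "who, what, and for how long" the survey respondents say they lack.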

Outlook

The industry is moving toward integrated zero-trust frameworks that unify access governance across IT and OT domains and enforce per-connection, least-privilege access. Greater alignment with regulatory requirements such as IEC 62443 and NIS2 is expected to drive further investment in governance-focused vendor access controls and enhance auditability throughout industrial systems.