Owning the Vendor Risk
How OT vendor risk governance turns third-party access from blind trust into managed industrial resilience
In November 2023, an Iran-affiliated group calling itself Cyber Av3ngers disrupted water pressure monitoring at a Pennsylvania utility by abusing default credentials on its Unitronics equipment. Service stayed on, but by January 2024 at least 34 U.S. water and wastewater devices were compromised through the same pathway.
The vendor was the technical pathway. The governance gap was the actual vulnerability.
How Big the Vendor Footprint Actually Is
OT vendor risk governance starts with a direct reality: industrial organizations cannot eliminate vendor access; they can only govern it. Cyolo reported that 72% of OT, engineering, IT, and cybersecurity professionals cite third-party access as the top reason remote access must be secured. These relationships are not edge cases. Plants depend on OEMs, PLC programmers, integrators, and support teams whose access is often persistent or semi-persistent.
Scale expands the risk. McKinsey's industrial supply chain research shows the average auto manufacturer has roughly 250 tier-one suppliers and about 18,000 suppliers across the full value chain. Black Kite's 2025 third-party breach report found an average of 5.28 downstream victims per third-party breach, more than double 2024. Check Point Research reported manufacturing ransomware rose 56% in 2025, while Waterfall Security documented a 146% year-over-year increase in OT sites experiencing physical-consequence cyberattacks.
A Governance Problem Before It Is a Technical One
According to Sygnia's industrial assessments from 2022 to 2025, vendor laptops and site-to-site tunnels were the easiest OT entry path in roughly 40% of cases because they were trusted by design and lightly governed. Tosi's 2026 State of OT Security Report reinforces this: vendor access management was the weakest capability area, and the lowest-scoring question was how quickly access could be granted or revoked.
This mirrors the maturity mirage covered in Article 3. Atlas Systems found mature third-party risk programs cover 90 to 95% of vendor populations, while immature programs cover around 40%. Mitratech's 2025 TPRM study and TechTarget's February 2026 analysis describe the structural reason: ownership is fragmented across security, procurement, legal, operations, and vendor management.
Outsourcing a process never outsources the consequences. Risk does not transfer with the function that manages the contract.
What the Standards Actually Say
NIST SP 800-161 Revision 1, updated in November 2024, explicitly includes OT service providers in cyber supply chain risk management and frames governance at the enterprise tier. IEC 62443 extends this into industrial specifics: Part 2-4 defines security program requirements for service providers, and Part 4-1 addresses secure product development lifecycle requirements including SBOM expectations.
In September 2025, CISA, the FBI, and the U.K. NCSC jointly endorsed IEC 62443 for OT vendor risk governance. NERC CIP-013 has long required approved supply chain risk plans for vendor and contractor access in the U.S. electric sector. Under NIS2, Article 21 requires MFA and supply chain security controls, while Article 23 sets 24-hour early warning expectations for significant incidents.
The standards converge on the same model: vendor governance is an executive function with technical and contractual controls, not a procurement checkbox.
The vCISO's Vendor Governance Framework
The OT vCISO framework runs as a lifecycle. Onboarding starts with risk-based tiering. Vendors with engineering-level OT access get stricter due diligence than vendors with no operational reach. Continuous monitoring keeps risk current. Bitsight's 2025 State of Cyber Risk found only one in three organizations continuously monitors all third-party relationships. Offboarding remains the weakest stage, where access often persists after contracts end.
Strong contract controls are specific and enforceable: MFA, unique technician accounts, time-bound and scope-limited access, logging with retention, endpoint hygiene requirements, incident notification timelines, right-to-audit clauses, and subcontractor flow-down obligations. These controls are well known, but still missing from many agreements.
Visibility remains the precondition, as established in Article 5. Without an inventory of vendor pathways and what they touch, governance cannot operate. The OT vCISO integrates legal, procurement, security, and operations into one accountable program.
Translating Vendor Risk for the Board
Board conversations should focus on continuity, financial impact, and governance confidence. IBM's 2025 Cost of a Data Breach report puts supply chain or third-party-involved breaches at $4.91M average cost, with industrial-sector breaches at $5.00M. Jaguar Land Rover's September 2025 event disrupted manufacturing and cascaded through suppliers. American Water's October 2024 incident was viewed as credit-negative by Moody's.
The board question is no longer whether vendor risk exists. The question is whether leadership has a credible governance answer when regulators, investors, and auditors ask how third-party OT pathways are being controlled.
What Architectural Foundations Now Exist
Visibility, legacy governance, and vendor risk governance now complete the architecture base layer. They define what exists, how non-replaceable assets are defended, and how access pathways are governed. This builds directly on Part 6: Governing Legacy OT Risk and the broader accountability model from Article 2.
Companion series continue the operating model: Fusion Center Blueprint for operational architecture, Proving the Program for validation under adversarial conditions, and Shadow Current for attack-path perspective.
What Comes Next: Architectural foundations only matter if operations reinforce them. The next article examines the compliance trap, where programs optimize for audit performance instead of resilience.
Learn more about the OT vCISO role in the executive brief: The Missing Leadership Layer in Industrial Cybersecurity.
Vendor access is unavoidable.
Ungoverned vendor access is optional.
OT vendor risk governance is the difference.
The core lesson was not vendor blame. It was governance failure. Default credentials, standing pathways, and weak revocation controls turn normal maintenance channels into repeatable attack infrastructure.
Mitratech and TechTarget both describe the same operational reality: legal, procurement, security, and operations each own part of the process, but no one owns end-to-end risk outcomes.
These frameworks do not treat vendor risk as optional technical hygiene. They treat it as enterprise governance with defined controls, accountability tiers, and response timelines.
The OT vCISO lifecycle enforces tiering, active risk refresh, and revocation assurance. Access that should expire must actually expire, with evidence retained.
The vCISO delivers the board answer: ownership, control map, monitoring cadence, contractual requirements, and incident-response readiness across the vendor ecosystem.
Industrial vendor ecosystems are larger than most leadership teams expect. Auto manufacturing models can include hundreds of tier-one suppliers and tens of thousands across the value chain. Not every supplier touches OT directly, but dependencies still create exploitable pathways.
Downstream blast radius has expanded. Black Kite measured 5.28 downstream victims per third-party breach in 2025, the highest recorded level in its annual series.
At the same time, physical OT consequence has accelerated. Waterfall Security reported OT sites with physical-consequence cyberattacks grew from 412 in 2023 to 1,015 in 2024.
Baseline OT vendor contract controls should include MFA, unique technician identities, time-scoped access, and narrow access scope tied to approved work.
Contracts should also mandate session logging with retention requirements, endpoint hygiene expectations, fast incident notification, right-to-audit language, and subcontractor flow-down controls.
Most of these controls are standard governance mechanisms, not exotic legal constructs. The problem is not novelty. The problem is uneven implementation.
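As an added example (not code from the article or from any vendor or framework it names), the following Python audit runs the baseline contract controls listed above, plus the lifecycle's revocation-assurance point (access that should have expired but is still open, revocations without retained evidence, and revocation latency), over constructed vendor access grant records. The per-tier grant windows, the 24-hour revocation SLA, and all vendor, account, asset and ticket names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
MAX_GRANT_DAYS = {1: 1, 2: 7, 3: 30}   # assumed window per tier (1 = engineering-level OT reach)
REVOCATION_SLA = timedelta(hours=24)   # assumed: an expired pathway must be closed within 24h
@dataclass
class VendorGrant:
    vendor: str
    account: str                        # unique technician identity, not a shared vendor login
    tier: int
    mfa: bool
    scope: frozenset                    # assets the approved work order covers
    granted: datetime
    expires: datetime
    revoked: "datetime | None" = None   # None: the pathway is still open
    evidence: "str | None" = None       # ticket or log id proving the revocation happened

def audit_grants(grants, now):
    findings, vendors_by_account, worst = [], {}, timedelta(0)
    for g in grants:
        if not g.mfa:
            findings.append((g.account, "mfa_missing"))
        if not g.scope:
            findings.append((g.account, "scope_unbounded"))
        if g.expires - g.granted > timedelta(days=MAX_GRANT_DAYS[g.tier]):
            findings.append((g.account, "window_exceeds_tier"))
        vendors_by_account.setdefault(g.account, set()).add(g.vendor)
        if g.revoked is None and now > g.expires + REVOCATION_SLA:
            findings.append((g.account, "standing_access_past_expiry"))  # expired, never closed
        elif g.revoked is not None:
            if g.evidence is None:
                findings.append((g.account, "revocation_unevidenced"))   # closed, nothing to show an auditor
            late = max(g.revoked - g.expires, timedelta(0))
            worst = max(worst, late)
            if late > REVOCATION_SLA:
                findings.append((g.account, "revocation_late"))
    for acct, vendors in vendors_by_account.items():
        if len(vendors) > 1:
            findings.append((acct, "account_shared_across_vendors"))   # one identity reused by two vendors
    return findings, {"open_past_expiry": sum(f == "standing_access_past_expiry" for _, f in findings),
                      "worst_revocation_hours": worst.total_seconds() / 3600}
NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)
D = lambda days, hours=0: NOW + timedelta(days=days, hours=hours)   # helper for constructed timestamps
SAMPLE_GRANTS = [  # constructed records, not from any real site
    VendorGrant("OEM-A", "oem-a.jdoe", 1, True, frozenset({"PLC-07"}), D(-3), D(-2), D(-2, 2), "CHG-1042"),
    VendorGrant("SI-B", "si-b.rlee", 2, True, frozenset({"HMI-02"}), D(-10), D(-3)),
    VendorGrant("OEM-A", "oem-a.mkim", 1, True, frozenset({"PLC-08"}), D(-5), D(-4), D(-1)),
    VendorGrant("INT-D", "integrator", 2, True, frozenset({"SCADA-GW"}), D(-2), D(-1), D(-1), "CHG-1050"),
    VendorGrant("INT-E", "integrator", 3, False, frozenset(), D(-60), D(30)),
]
```

Run against the sample, `audit_grants(SAMPLE_GRANTS, NOW)` reports the one grant still open three days past expiry, the revocation closed 72 hours late with no evidence, and the shared "integrator" identity, which is the evidence trail an auditor would ask for.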
This article extends the Leadership Layer sequence from accountability mapping and honest baseline work into direct governance of third-party access. It also closes the architectural foundation sequence with visibility and legacy governance.
Related operational and validation tracks are covered in Fusion Center Blueprint, Proving the Program, and Shadow Current series entries.
The next article moves from architecture to execution discipline, focused on the compliance trap where audit optimization displaces resilience outcomes.
OT vendor risk governance is a leadership discipline, not a tooling project. The problem is cross-functional ownership and control execution.
Vendor access cannot be removed from industrial operations. It must be tiered, monitored, contractually bounded, and continuously validated.
The OT vCISO provides the board-ready answer: who owns vendor risk, which controls are active, where residual risk sits, and how it is being reduced.
