Third-Party Vendor Access: The Shadow Current to Your OT

According to research from the Ponemon Institute, 73% of organizations permit third-party access to operational technology environments, with an average of 77 third parties granted such access per organization. And if you're among the 25% of organizations with especially complex operations? You're likely managing the flow from more than 100 third parties.

Each vendor connection creates a shadow current channel that bypasses every perimeter defense you've built. These aren't theoretical attack paths. They're active streams, maintained and monitored by someone outside your organization, flowing directly to your most critical systems.

Third-party access isn't a security convenience you can simply shut off. For most industrial enterprises, remote vendor access has become what one industry survey describes as "a universal and fundamental requirement"—so essential that operations can't function without these flows. Equipment manufacturers monitor system health remotely. Managed service providers handle IT infrastructure. Contractors perform maintenance. Service providers support specialized applications.

The access is extensive because the need is real. Over 60% of manufacturers rely on remote access specifically for equipment maintenance, according to multiple industry studies. And it's not just occasional support calls. The Ponemon research reveals that 43% of organizations allow both on-site and remote access for third parties, while another 30% permit on-site access only. Remote access—continuous streams from outside your perimeter—is now the majority use case.

The problem isn't that vendor access exists. It's that these shadow current channels operate largely outside your visibility and control, flowing constantly through your infrastructure.

The supply chain has emerged as one of the most effective attack vectors in cybersecurity. According to Verizon's 2025 Data Breach Investigations Report, 30% of breaches now involve a third party—representing a 100% increase from the 15% previously reported. IBM's Cost of a Data Breach Report 2025 identifies supply chain compromise as the second most prevalent attack vector after phishing, accounting for 15% of all breaches.

The flow is accelerating. Cyble threat intelligence shows supply chain attacks doubled in 2025, averaging 26 attacks per month compared to 13 per month from early 2024 through March 2025. And SecurityScorecard data reveals that 75% of recorded third-party breaches occurred through entities in the victim's software and technology supply chain.

Attackers have learned a fundamental truth: it's easier to compromise your vendor and ride their access stream directly into your environment than to fight your defenses.

Third-party access chains vulnerabilities across organizational boundaries. And those credential shadow currents that often flow through shared or vendor-managed credentials expand the attack surface beyond what your security team can directly control.

Legacy systems create an especially dangerous combination with vendor access. Those 30-year-old systems that can't be easily secured or monitored often require ongoing vendor support, creating permanent third-party shadow current channels to your least defensible infrastructure.

The visibility gap is staggering. According to Ponemon Institute research, 73% of organizations lack an authoritative OT asset inventory. If you can't track what systems you have, you certainly can't see what vendors are accessing them or monitor the flow through these channels. The same research reveals that 35% of organizations give vendors too much privileged access—but even that understates the problem, since it only counts organizations aware enough to recognize the issue.

Most concerning: only 44% of organizations report being concerned or highly concerned about the risks of third-party access to OT. There's a massive disconnect between the actual risk (30% of breaches involve third parties) and the perceived concern (44% worried about it).

SolarWinds demonstrated the catastrophic potential of supply chain attacks. When attackers compromised SolarWinds' Orion platform, they gained access to 18,000 customer organizations. Research on the incident revealed that 32% of the victims were industrial organizations, and affected companies experienced an average 11% drop in revenue during the breach period.

The Kaseya ransomware attack showed how quickly supply chain compromise cascades downstream. Attackers compromised approximately 50 to 60 managed service providers, which in turn affected between 800 and 1,500 downstream businesses. Swedish grocery chain Coop had to close approximately 800 stores for a week when their MSP was hit. The ransom demand reached $70 million.

These weren't sophisticated zero-day attacks requiring months of development. They were straightforward compromises of trusted third parties who already had legitimate access streams flowing directly to critical systems.

Third-party shadow currents present a unique challenge. They originate outside your control but flow directly to your critical systems. Operations genuinely depend on vendor access, which means you can't simply dam these channels.

But you can manage their flow. CISA recommends MSP customers manage supply chain risks by understanding network security expectations, coordinating risk management across security, legal and procurement groups, and using risk assessments to prioritize cyber investment. The key is treating vendor access as what it actually is: a critical attack surface that requires active management.

Best practices include role-based access control to ensure vendors have strictly defined rights, time-restricted access permissions that limit the flow to specific windows, and mandatory multi-factor authentication for any third-party connection. Network segmentation becomes especially powerful when you can separate vendor access points from core operational systems—creating controlled channels rather than unrestricted streams.

Monitoring is essential. If you're managing the flow from 77 different third parties on average, you need continuous visibility into what those vendors are actually doing once connected. SIEM systems for real-time monitoring, granular logging for forensic analysis, and proactive session monitoring create the transparency that most organizations currently lack.

Third-party access will appear in almost every shadow current map—because it's fundamental to operations and inherently risky. Pen tests rarely include third-party access paths in their scope, which is why they miss major shadow current channels. And when we discuss organizational silos, you'll see how third-party shadow currents flow right through org chart boundaries, connecting vendor management, procurement, security and operations in ways your structure doesn't reflect.

Third-party shadow currents are unique: they originate outside your control but flow directly to your critical systems. You can't eliminate vendor access—operations depend on it—but you can map these channels, monitor their flow, and control what passes through them.