RESIDUAL RISKS: UNSOLVABLE BY TECHNOLOGY ALONE
What residual risks cannot be solved by technology alone in third-party OT access programmes?
The pattern in this guide is complete at the architectural level. It is not complete at the programme level. A set of residual risks sits outside what technology can address on its own; they require procedural, contractual, or organisational controls and should be named explicitly so they are not silently assumed away.
- Insider threat from vendor personnel. A technician with legitimate, approved access still has that access during the approved window, and the case includes a disgruntled or departing insider acting deliberately. Controls: background checks where allowed by national law, role separation within the vendor organisation, two-person rules for high-risk work, and contract clauses that require the vendor to report personnel changes.
- Geopolitical supply-chain risk. The vendor’s own national jurisdiction, ownership structure, and exposure to state pressure are not addressable through session controls. Controls: vendor due diligence, national origin of key components, alternative-supplier continuity planning. NIS2 Article 21(3) requires entities to take into account vulnerabilities specific to each direct supplier and service provider, and the overall quality of their products and practices.
- Social engineering against asset-owner personnel. A well-designed session architecture can still be defeated by a phone call that causes a site operator to approve a session that should not have been approved. Controls: security awareness training, separation of approval authority from the requester’s chain of contact, out-of-band verification for unexpected requests.
- Contractual enforceability at the moment of breach. A service-level agreement without enforceable remedy is not a control. Controls: clause drafting that creates specific obligations with measurable breach conditions, liability caps calibrated to the actual potential harm, and jurisdiction clauses that allow enforcement in the asset owner’s home forum.