THIRD-PARTY ACCESS TODAY VERSUS A DEFENSIBLE PATTERN
How does third-party OT access today compare to a defensible access pattern?
The most common pattern observed across OT environments is also the most exposed: the third-party vendor connects through an always-listening VPN concentrator into a flat OT LAN, where credentials persist beyond the work, the network path stays open between sessions, and no recording exists of what happened inside the zone. Lateral movement to a PLC is unaudited, because nothing was watching.
A defensible pattern looks structurally different. The vendor authenticates against an identity broker that requires multi-factor authentication and per-session approval. On approval, a session broker mediates the connection into the OT zone, records the session, and terminates it on a timer. Logs flow outward through a unidirectional channel to an audit vault; no inbound path is opened by the act of recording.
Figure 2. Common today vs. defensible pattern. Two-panel reference for third party access into operational technology, vendor-neutral. Panel A (top) shows the most exposed pattern still in production use (persistent VPN credentials, flat OT segment, no session boundary). Panel B (bottom) shows the defensible pattern this guide describes (identity broker, session broker, recorded session, one-way log export).
THREAT CONTEXT
What is the threat context that makes third-party OT access controls necessary?
The pattern in the previous section is not compliance theatre. It is an operational response to a concrete and escalating threat landscape. Three named actor groups illustrate the risk profile that third-party OT access must now defend against.
Sandworm (also tracked as APT44 and attributed by Mandiant and CISA to GRU Unit 74455) deployed the Industroyer2 and CaddyWiper malware against Ukrainian electricity substations in April 2022. Industroyer2 is specifically designed to manipulate electricity substation equipment (IEC 60870-5-104); CaddyWiper destroys data on Windows hosts. The intrusion chain relied on pre-existing access into the OT environment, which is exactly the exposure a flat vendor tunnel creates. Reference: CERT-UA advisory (April 2022); Mandiant APT44 profile (2024).
Volt Typhoon is a People's Republic of China state-sponsored group tracked jointly by CISA, NSA and Five Eyes partners. The 7 February 2024 CISA advisory AA24-038A documents the group's pre-positioning activity inside United States critical infrastructure, including energy, water and transport sectors, using compromised small-office and home-office (SOHO) devices and living-off-the-land (LOTL) techniques to avoid detection. The advisory describes the pattern as deliberate positioning for future disruptive or destructive effects, not espionage. Reference: CISA Advisory AA24-038A (7 February 2024).
CyberAv3ngers is a group of IRGC-affiliated cyber actors, per CISA Advisory AA23-335A. CISA Advisory AA23-335A (1 December 2023) documents the group's exploitation of internet-exposed Unitronics Vision series programmable logic controllers at multiple United States water utilities in late 2023. The attack vector was default credentials on devices reachable from the public internet – the low-end of the same exposure profile that unbrokered third-party remote access creates. Reference: CISA Advisory AA23-335A (1 December 2023).
LIVING OFF THE LAND AND THE CASE FOR SESSION BROKERING
What is living off the land (LOTL) and why does it make the case for session brokering?
Across these and similar intrusions, a recurring technique is the abuse of legitimate remote-access sessions and built-in operating system binaries, known as living off the land (LOTL). CISA Advisory AA24-038A and the joint guidance Identifying and Mitigating Living Off the Land Techniques (February 2024) both describe the pattern: an attacker who has obtained a foothold in a legitimate remote session can avoid detection by using tools that are already present and expected on the host. The direct structural response is session brokering with recording: if the only way a vendor session reaches the zone is through a broker that records what is entered and what is executed, LOTL behaviour generates evidence even when the tooling itself looks legitimate.
REFERENCE INCIDENTS FOR THE 'WHY SHOULD I CARE' QUESTION
What are the reference incidents that answer the "Why should I care?" question about OT access security?
Three publicly reported incidents answer the question in concrete terms. The 2021 Colonial Pipeline ransomware incident reached the billing systems through a compromised, unbranded VPN account with no MFA, and the operational fuel shutdown followed from the business decision to halt pipeline operations.
The 2023 SektorCERT disclosure of the coordinated attack against 22 Danish energy companies documents the value of sector-level detection and of disciplined remote-access control; the SektorCERT report itself is the primary Danish reference document on OT intrusion patterns and the value of collective defence. TRITON / TRISIS, first reported by FireEye and Dragos in December 2017, targeted a Saudi Arabian petrochemical safety instrumented system and is the reference incident for attacks reaching the safety-integrity layer, not only the control layer. References: CISA and FBI joint advisory on Colonial Pipeline (2021); SektorCERT rapport (November 2023); Dragos TRITON analysis (2017-2018).