February 26, 2024
January 20, 2026

The "Open Door" Dilemma: Securing the Necessary Evil of Third-Party Access


In my role, I spend a lot of time on the road (or on Zoom or Teams) talking to industrial leaders, from Plant Managers in the Midwest to CISOs of global manufacturing firms.

Five years ago, the conversation was usually about "keeping the bad guys out." Today, the conversation has shifted to something much more complex: "How do I only let the good guys in?"

The reality of modern Operational Technology (OT) is that the "air gap" is gone. You rely on OEM vendors to maintain your turbines. You rely on specialized contractors to update your PLCs. You rely on supply chain partners for real-time data analytics.

Third-party remote access isn't a luxury anymore; it is a critical requirement for uptime. But it is also, without a doubt, the single most terrifying gap in your security architecture.

The "Flat Network" Trap

When I talk to prospects, the scenario is almost always the same. They tell me, "Vince, we give our vendor a VPN credential. They log in, fix the machine, and log out."

Then I ask the uncomfortable question: "Once they log in, what else can they see?"

Usually, the room gets quiet.

The problem is that most OT networks are still architected as "flat" networks. They were designed for communication efficiency, not security. Once a user (whether it’s an employee or a third-party contractor) passes through the firewall via a VPN, they generally have visibility into the entire subnet.

It is the equivalent of giving a plumber the master key to your entire office building just to fix a sink in the breakroom. If that plumber’s key gets stolen (or if the plumber decides to wander), you have zero control.

Why Firewalls Aren't Enough

The standard IT response to this is, "We’ll just segment the network with firewalls."

But anyone who has actually managed an OT environment knows that it is easier said than done.

  1. Complexity: Creating internal firewall rules for every specific vendor and every specific machine is a management nightmare.
  2. Fragility: One wrong rule change can block a critical safety message and trip the plant, or leave the network wide open (an any/any rule pretty much solves any connectivity issue!).
  3. Static Identity: Firewalls manage IP addresses, not people. They don't know if the traffic is coming from "John from Siemens" or a hacker who stole John’s laptop.

Because doing this "the right way" with legacy firewalls is so hard, we often see the "Shadow IT" workaround: a cellular modem plugged directly into a cabinet, or a rogue TeamViewer session left running on a workstation. These are invisible backdoors created purely out of frustration, and they have led to some of the most infamous OT hacks in history.

How We Fix the Conversation

When I talk to prospects about integrating third-party maintenance, I tell them we need to stop thinking about "Network Access" and start thinking about "Asset Access."

We have to move away from the idea that a vendor connects to "The Network." A vendor should connect to The Machine. And only that machine.

This is where BlastWave changes the game for sales and operations teams alike. We allow you to create a "Segment of One" without ripping and replacing your legacy switches or risking downtime with complex firewall rules.

Here is the workflow we propose:

  1. Identity First: The contractor authenticates using biometric, passwordless MFA. We know exactly who they are before they send a single packet.
  2. Invisible Doorway: They connect through a BlastWave gateway that cloaks the rest of the network.
  3. Microsegmentation: The contractor sees only the specific HMI or PLC they are authorized to maintain. The rest of the flat network doesn't exist to them. If their laptop is infected with ransomware, it cannot spread laterally to your other systems.
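To make the difference between "Network Access" and "Asset Access" concrete, here is an added illustrative policy model (written for this post, not BlastWave code): it contrasts what a flat-network VPN grant exposes with what an identity-first, per-asset policy exposes. The subnet, asset names, identities and entitlement table are constructed sample values.

```python
# Illustrative model (not BlastWave code): flat-network VPN grant versus
# an identity-first, per-asset ("Segment of One") authorization decision.
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed sample OT subnet and assets; the contractor should only touch PLC-7.
OT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
ASSETS = {"PLC-7": "10.20.0.7", "HMI-3": "10.20.0.3", "SAFETY-PLC": "10.20.0.50"}

# Assumed entitlement table: authenticated person -> assets they may maintain.
ENTITLEMENTS = {"john@siemens.example": {"PLC-7"}}

@dataclass
class Session:
    identity: Optional[str]   # who authenticated; None if only an IP is known
    mfa_verified: bool        # passwordless/biometric MFA completed
    src_ip: str               # VPN-assigned or gateway-facing address

def flat_vpn_reachable(session: Session) -> set:
    """Flat network via VPN: once inside the firewall, the rule only sees an
    IP address, so every host on the subnet is reachable no matter who (or
    whose stolen laptop) holds the credential."""
    if ipaddress.ip_address(session.src_ip) in OT_SUBNET:
        return set(ASSETS)
    return set()

def segment_of_one_decision(session: Session, asset: str):
    """Asset access: authorize the (person, asset) pair, never the network.
    Returns (allowed, reason); the reason is the line you would audit-log,
    so a denied attempt on an unrelated asset is visible to the SOC."""
    if not session.identity or not session.mfa_verified:
        return False, f"deny {asset}: unauthenticated session from {session.src_ip}"
    if asset not in ENTITLEMENTS.get(session.identity, set()):
        return False, f"deny {asset}: {session.identity} is not entitled to this asset"
    return True, f"allow {asset}: {session.identity} authenticated with MFA"

def reachable_assets(session: Session) -> set:
    """Everything the session could reach under the per-asset policy."""
    return {a for a in ASSETS if segment_of_one_decision(session, a)[0]}

if __name__ == "__main__":
    john = Session("john@siemens.example", True, "10.20.0.200")
    thief = Session(None, False, "10.20.0.200")   # same laptop, same IP, no person
    for name, s in (("John", john), ("stolen laptop", thief)):
        print(name, "flat VPN:", sorted(flat_vpn_reachable(s)),
              "| segment of one:", sorted(reachable_assets(s)))
        print("  ", segment_of_one_decision(s, "SAFETY-PLC")[1])
```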

The Bottom Line

You cannot operate a modern industrial facility without third-party support. But you also cannot afford to inherit the security risks of every vendor you hire.

You don't have to choose between uptime and security. You just have to choose a better architecture: one that invites the guest into the specific room they need, while keeping the rest of the house locked, dark, and invisible.

Let’s have a conversation about how to secure your supply chain without slowing down your operations. Click here for a demo of how we can help you secure your 3rd party remote access.

— Vince Zappula, CRO, BlastWave
