June 4, 2025
December 3, 2025

Wakey-wakey! — When the Third-Party Maintenance Call Comes at 2 A.M. for OT Support

I’ve heard from support teams about enough 2 a.m. crisis calls with plant managers to know the exact moment panic sets in. It usually sounds like this:

“Hey, the vendor needs to log in right now. The Level-2 historian just crashed, we’re bleeding product, and the only guy who can fix it is in Germany… But if we open the firewall, security goes into a panic. What do we do?”

We all know the two horror stories that live rent-free in every OT leader’s head:

1. Oldsmar Water Treatment (Feb 2021)

An attacker used a dormant TeamViewer account (shared password, no MFA, zero segmentation) belonging to a former employee and a third-party contractor. In under five minutes, they pushed sodium hydroxide levels to lethal concentrations. The only reason nobody died is that an operator happened to be watching the screen in real time.

2. Target (2013)

The attackers didn’t breach Target directly. They phished the credentials of an HVAC contractor who had remote access to the corporate network for… wait for it… billing and refrigeration monitoring. From there, they pivoted to the POS environment and walked out with 40 million credit cards.

Both incidents have the same DNA:

  • Third-party remote access
  • Re-used or weak passwords
  • Zero network segmentation between IT and OT (or crown jewels)
  • No real-time visibility into who was doing what

Fast-forward to 2025, and the situation is actually worse, not better.

Remote maintenance isn’t a “nice-to-have” anymore; it’s the only way to keep a global supply chain running. OEMs, system integrators, and specialty contractors need access at 3 a.m. on a Sunday when the line is down. Denying access isn’t an option. Opening the firewall the old way is career suicide.

So here’s the new reality we live in:

  • 41–49% of industrial sites now allow some form of remote maintenance (SANS 2025)
  • Roughly half of all OT incidents start with unauthorized remote access (SANS 2025)
  • The average ransomware payout in manufacturing is now north of $2.5 million, and downtime costs can hit $50k per hour

The math is brutal.

The Only Answer That Actually Works

We stopped believing you have to choose between uptime and security years ago. The fix is embarrassingly simple when you look at it the right way:

1. Passwordless MFA for every human

Certificates or hardware-bound keys. No shared accounts. Ever.

2. Segmentation that actually segments

Not VLANs. Not firewall rules that get punched full of holes the first time a vendor screams. Real per-session, identity-based microsegmentation that follows the user, not the IP.

3. Cloaking the asset itself

Make the OT device invisible to the internet in the first place. If a hacker can’t see it, they can’t target it. (Yes, this is a shameless plug, but it’s also the truth.)

When you put those three together, the 2 a.m. call becomes boring instead of terrifying:

  • The German engineer authenticates with his YubiKey → temporary encrypted tunnel opens directly to the historian
  • The session is fully recorded and terminates automatically after 30 minutes of inactivity
  • The historian never exposes a single port to the outside world
  • The plant manager sleeps. The CISO sleeps. I sleep.
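
The access decisions in that flow, sketched as an added example (not Blastwave's product code): a default-deny broker that opens a session only for a verified hardware key plus an explicit per-user, per-asset grant, closes it after 30 idle minutes, and records every decision. The user and asset names are hypothetical, and hardware-key verification is assumed to happen upstream and arrive as a boolean.

```python
from dataclasses import dataclass, field

IDLE_LIMIT_S = 30 * 60  # the 30 minutes of inactivity from the list above

@dataclass
class Broker:
    grants: set                                     # approved (user, asset) pairs
    last_seen: dict = field(default_factory=dict)   # open sessions -> last activity time
    audit: list = field(default_factory=list)       # (time, user, asset, event) record

    def _log(self, t, user, asset, event, ok):
        self.audit.append((t, user, asset, event))
        return ok

    def connect(self, t, user, asset, hw_key_verified):
        # Default deny: a verified hardware-bound key AND an explicit grant are required.
        if not hw_key_verified:
            return self._log(t, user, asset, "deny:no-hardware-key", False)
        if (user, asset) not in self.grants:
            return self._log(t, user, asset, "deny:no-grant", False)
        self.last_seen[(user, asset)] = t
        return self._log(t, user, asset, "open", True)

    def forward(self, t, user, asset):
        # Called for every request the tunnel would carry to the asset.
        last = self.last_seen.get((user, asset))
        if last is None:
            return self._log(t, user, asset, "deny:no-session", False)
        if t - last >= IDLE_LIMIT_S:
            del self.last_seen[(user, asset)]       # idle session is torn down, not resumed
            return self._log(t, user, asset, "close:idle-timeout", False)
        self.last_seen[(user, asset)] = t
        return self._log(t, user, asset, "forward", True)

def run_demo():
    # Constructed timeline in seconds; the grant covers the historian only.
    b = Broker(grants={("vendor-eng", "historian")})
    results = [
        b.connect(0, "vendor-eng", "historian", hw_key_verified=False),   # no hardware key
        b.connect(10, "vendor-eng", "historian", hw_key_verified=True),   # session opens
        b.forward(600, "vendor-eng", "historian"),                        # active use
        b.connect(700, "vendor-eng", "plc-line3", hw_key_verified=True),  # no grant for PLC
        b.forward(600 + IDLE_LIMIT_S, "vendor-eng", "historian"),         # idle 30 minutes
        b.forward(2410, "vendor-eng", "historian"),                       # session is gone
    ]
    return results, [event for _, _, _, event in b.audit]

if __name__ == "__main__":
    for line in zip(*run_demo()):
        print(line)
```

The grant is keyed on identity and asset rather than source IP, so the same authenticated engineer is still refused when reaching for a device outside the maintenance ticket.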

The Bottom Line

Third-party remote access isn’t going away.

The bad guys already know this and are licking their chops.

You can keep pretending the old way (shared passwords + occasional firewall hole) is “good enough,” or you can give your vendors, your plant, and your security team the one thing they actually agree on: secure, instant, invisible access.

I’ll take the second option every time.

Because the next time your phone rings at 2 a.m., I’d much rather be telling you “It’s handled” than “I’m so sorry.”

P.S. If you want to see precisely how passwordless + cloaking works in your environment (without touching a single PLC), join our webinar tomorrow or drop me a note. The demo still makes grown OT engineers laugh out loud in under 90 seconds.

— Cam Cullen, CMO, Blastwave
