Episode 50 — Evaluate Third-Party Risk: Integrators, Remote Support, and Shared Responsibility

In this episode, we’re going to focus on third-party risk in OT, which is the risk that comes from relying on other organizations to build, maintain, or access your industrial systems. If you are new to cybersecurity, it can be tempting to think of security as something you do inside your own network, with your own rules, and your own people. OT environments rarely work that way, because vendors, integrators, contractors, and service providers often play direct roles in installation, configuration, troubleshooting, and lifecycle support. That involvement can be essential, because specialized systems require specialized expertise, and downtime pressures can make remote support the fastest path to restoring safe operation. At the same time, every third party introduces shared responsibility, meaning your security posture depends partly on their practices, their tools, and their people, even if you do everything right internally. Evaluating third-party risk is not about assuming outside partners are careless or malicious, it is about making the relationship explicit so access, changes, and accountability are managed rather than improvised. When you do this well, you reduce surprises, reduce uncontrolled pathways, and make it easier to respond calmly when something unusual happens. This topic matters because many OT incidents either begin with a third-party pathway or become harder to manage when third-party roles are unclear.

Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.

A strong way to begin is to clarify what third-party risk includes in an OT setting, because it is broader than many beginners expect. A third party can be a systems integrator who designs and deploys a control system, a vendor who supplies controllers and provides ongoing support, a contractor who performs maintenance, or a managed service provider who monitors systems remotely. Third-party risk can involve direct access into OT zones, indirect influence through configuration templates and standard builds, or dependence on external services like support portals and update delivery. It can also involve the knowledge that third parties hold, such as proprietary configurations or specialized procedures that your internal team cannot easily reproduce. Beginners sometimes think risk only exists when a third party connects remotely, but risk also exists when third parties ship preconfigured devices, reuse credentials, leave undocumented changes, or provide tools that require broad privileges. In OT, where systems can run for years, these practices can create long-lived exposure, not because anyone intended harm, but because convenience and speed often win unless rules are explicit. Evaluating third-party risk means understanding how third parties touch your environment, what they can do, what evidence exists of what they did, and what controls limit their reach. The aim is to make dependency safe rather than invisible.

Systems integrators deserve special attention because they often shape the OT environment’s architecture, which can determine risk for years. An integrator may choose how networks are segmented, where remote access lands, how engineering workstations are configured, and what default accounts and services are enabled. Those choices can create strong boundaries that limit blast radius, or they can create flat, overly connected designs that make later security improvements harder. Integrators also commonly reuse templates across projects, which can be efficient but risky if the templates include weak defaults, shared credentials, or outdated components. Beginners might assume the customer always controls these decisions, but in many OT projects, customers rely heavily on integrator expertise, especially when timelines are tight. That reliance means you must evaluate integrators not only as installers but as designers who set the security posture through architecture and configuration. A practical evaluation asks whether the integrator documents the design, whether they follow controlled change practices, and whether they can explain how their choices limit unnecessary connectivity. It also asks whether they can support secure commissioning and handover, so the customer ends up with ownership and clarity instead of a black box. When integrators are evaluated thoughtfully, the OT environment starts life with fewer hidden weaknesses.

Remote support is often the most visible third-party risk because it creates a direct pathway into sensitive systems, sometimes at the exact times when operations are under stress. OT remote support can be lifesaving for uptime, but it can also become a permanent door if not controlled. A safe remote support model typically includes clear approvals, time-limited access, strong authentication like Multi-Factor Authentication (M F A), and monitoring that captures what actions occurred during a session. It also includes clear termination, meaning accounts and access paths are removed or disabled when the work is complete, rather than lingering indefinitely. Beginners sometimes assume remote support is either allowed or forbidden, but the realistic approach is shaping it so it is predictable and auditable. The evaluation of remote support should also consider where access lands, because access that lands deep inside a control zone increases exposure compared to access that terminates in a controlled boundary where additional checks can occur. It should also consider whether vendors use shared accounts or individual accounts, because shared accounts reduce accountability and make investigation harder. When remote support is managed well, it becomes a controlled conduit rather than a risky shortcut.

Shared responsibility is the core concept that ties third-party risk to realistic governance, because no single party owns all the controls. In OT, the customer might own network segmentation, access approvals, monitoring, and incident response, while the vendor owns product security, patch development, vulnerability disclosure, and support tooling. Integrators might own configuration practices during deployment and change documentation during upgrades. The problem is that if responsibility lines are not clear, gaps form, and gaps become risk. Beginners often assume responsibility is obvious, but in practice, each party may assume someone else is handling a control, such as who monitors remote sessions, who maintains account lists, or who validates firmware integrity. Evaluating third-party risk therefore includes defining responsibility for key control areas, like identity and access, change management, vulnerability management, logging, and recovery support. It also includes defining how responsibilities are verified, such as through evidence of access reviews or documentation of changes. This is not about creating bureaucracy, it is about preventing confusion during urgent events. When everyone knows who owns which controls, response becomes faster and safer.

Another major component of third-party risk is credential and identity management, because third parties often need privileged access. If a vendor uses a shared account across multiple customers, compromise of that account could affect many environments. If an integrator reuses credentials across projects, a weakness becomes a repeatable pathway. If a contractor’s account is not removed after the project ends, lingering access becomes a quiet exposure that can be exploited later. A good evaluation asks how accounts are created, how authentication is enforced, how privileges are limited, and how accounts are reviewed and revoked. It also asks how third parties verify their own staff identities when they request access, because social engineering can occur on both sides. Beginners sometimes think the biggest risk is a password being guessed, but the more common risk is credentials being mishandled, reused, or phished, especially when remote access is involved. Identity practices also affect investigation, because if you cannot tie activity to a specific person, you cannot confidently explain what happened. In OT, confidence matters because incorrect assumptions can lead to unsafe corrective actions. Strong third-party identity practices reduce both likelihood and confusion.

Change management and documentation are another area where third-party risk often shows up, because third parties frequently make changes during commissioning, maintenance, and troubleshooting. In OT, a small configuration change can have a big effect, and undocumented changes can create fragile systems that are hard to recover. Evaluating third-party risk includes assessing whether third parties follow your change processes, whether they document what they changed, and whether they provide rollback plans and baseline snapshots when appropriate. It also includes assessing whether they respect maintenance windows and coordination requirements, because uncoordinated changes can create safety hazards and operational disruption. Beginners sometimes think security is only about blocking bad access, but in OT, controlling change is a major security function because change can be the mechanism of harm. A third party might make a change for legitimate reasons that accidentally weakens segmentation or disables logging, creating increased exposure. Without documentation, those weaknesses can persist unnoticed. A practical approach is to ensure third-party changes are visible, approved, and recorded in a way that supports later troubleshooting and recovery.

Vendor vulnerability and patch handling is another shared area that affects third-party risk evaluation. Third parties often discover vulnerabilities first or release patches on their schedules, and customers must decide how to apply those patches within OT constraints. Evaluating third-party risk includes understanding how vendors communicate vulnerabilities, how quickly they provide fixes, and whether they support compensating mitigations when patching is delayed. It also includes assessing whether vendors provide clear guidance about which versions are affected and what operational impacts patches might have. Beginners sometimes assume patching is always immediate, but in OT, patch timing must consider safety and uptime, so the quality of vendor information matters a lot. If a vendor provides vague or late information, customers may be unable to prioritize effectively. If a vendor provides clear, timely information and supports staged rollout, customers can reduce risk without creating instability. This is why third-party evaluation should include communication practices, not just technical product features. A vendor who is excellent at support but poor at vulnerability transparency can increase long-term risk.

Third-party risk also includes the tools and methods third parties use, because their tools can create exposure even when access is authorized. A vendor may require remote management software, file transfer tools, or diagnostic utilities that have broad privileges. An integrator may use configuration tools that can touch many systems at once, which increases blast radius if misused or compromised. Evaluating risk includes understanding whether those tools are necessary, how they are controlled, and whether their activity can be monitored. It also includes understanding whether third parties bring their own laptops and media, which can introduce additional vectors. Beginners might assume the only thing that matters is who logs in, but in practice, what they use after they log in matters just as much. Tooling also affects evidence, because if tools do not produce logs or if logs are not shared, customers may lack visibility into actions taken during support. In OT, lack of visibility can turn a minor support session into a long investigation because nobody can prove what changed. When third-party tools are evaluated and controlled, support remains efficient without becoming a blind spot.

An effective evaluation of third-party risk should also consider how relationships behave under stress, because stress is when mistakes and shortcuts happen. During outages, production pressures, and safety incidents, third parties may request urgent access and rapid changes, and the organization may be tempted to bypass normal controls. If the relationship is not structured ahead of time, urgent moments can lead to risky improvisation, such as granting broad access without monitoring or allowing undocumented changes. A practical evaluation therefore includes defining emergency processes, including who can authorize emergency access, what minimum controls still apply, and what documentation is required afterward. Beginners sometimes believe emergencies justify any shortcut, but in OT, emergencies are exactly when you need disciplined processes, because the consequences of mistakes are higher. A strong third-party relationship supports discipline by having pre-agreed expectations and communication channels. It also supports rapid response by making approvals and access predictable instead of ad hoc. When these expectations are established, urgency becomes manageable rather than chaotic. This is how shared responsibility becomes a strength rather than a weakness.

Finally, evaluating third-party risk is about turning dependency into a controlled partnership where both sides understand the rules of safe operation. You cannot eliminate third parties in most OT environments, and trying to do so would often reduce reliability and support. What you can do is reduce unnecessary access, enforce clear identity and accountability, require documented changes, ensure vulnerability communication, and establish monitoring and evidence practices that keep work visible. You can also align on incident response coordination so both parties know how to communicate, how to preserve evidence, and how to restore systems safely. For beginners, the most important takeaway is that third-party risk is not solved by mistrust, it is solved by clarity, controls, and repeatable processes. When you evaluate integrators, remote support models, and shared responsibility lines with this mindset, you reduce the chance that convenience becomes exposure. You also make it easier to handle real-world events without confusion, because everyone knows what they can do, what they must document, and what boundaries must be respected. That is what mature OT third-party risk management looks like, and it is one of the most practical ways to strengthen security while keeping operations stable.

Episode 50 — Evaluate Third-Party Risk: Integrators, Remote Support, and Shared Responsibility
Broadcast by