Third-party access: The weakest link in IoT security

Written by IXT | 28.mar.2026 08:15:00

More than a third of all data breaches last year started outside the organisation. Not through a phishing email. Not through an unpatched server. Through a vendor. A contractor. A service provider with legitimate credentials and too much access.


According to SecurityScorecard's 2025 Global Third-Party Breach Report, 35.5 percent of all breaches in 2024 originated from third-party compromises. In operational technology environments specifically, 73 percent of organisations grant third-party vendors remote access, with an average of 77 external parties holding that access at any given time.


Most of those organisations have no real-time view of what those vendors are doing once they are in.


Think about the last time you gave a vendor remote access to fix something. It took ten minutes to set up. It probably never got properly closed down. That technician, at that company, with those credentials, may still have a route into your environment right now.


What is third-party access risk in IoT and OT environments?

Third-party access risk is the exposure created when vendors, contractors, or service providers are given remote access to your infrastructure and that access is not properly scoped, monitored, or revoked. In IoT and OT environments, this risk is amplified because the systems being accessed often control physical processes, not just data.


Unlike IT environments where a breach typically means data loss, a compromised session in an OT environment can mean production shutdown, equipment damage, or safety incidents. The access itself is legitimate. The problem is what happens to it after the session ends, or does not end.


How common are breaches caused by third-party vendor access?

Third-party access is now one of the leading breach vectors across industries. According to IBM's 2024 Cost of a Data Breach report, the average cost of a third-party breach exceeds 5 million dollars. Regulated sectors like healthcare and manufacturing face even higher exposure.


In OT environments specifically, the SANS 2024 State of ICS/OT Cybersecurity report found that external remote services were an initial attack vector in nearly one in four OT incidents. Sixty-five percent of OT environments had insecure remote access conditions in 2024, according to Dragos.


The pattern is consistent: the access was granted for a legitimate reason, the controls around it were insufficient, and an attacker used it as an entry point.


Why is VPN-based contractor access a security problem?

VPN grants network-level access. A contractor connecting via VPN is not accessing a single device or application. They are connecting to a segment of your network, with all the lateral movement potential that creates. If their credentials are compromised, the attacker inherits that same reach.


Claroty's Team82 analysis of 50,000 remote access-enabled devices on industrial networks found that 55 percent had at least four separate remote access tools running in their environments, with a third using six or more. Each tool is another potential entry point. Each credential is another thing to lose, share, or forget to revoke.


Seventy percent of third-party breaches involve overly permissive accounts, according to Censinet's analysis of 2024 breach data. The attacker does not force the door. They walk through it with credentials that were given out too broadly and never taken back.


Which industries are most exposed to third-party access risk in IoT?

The industries with the highest exposure are those where third-party access is operationally routine and the consequences of a breach extend beyond data.


In industrial automation and manufacturing, a compromised vendor session puts an attacker inside the control network. Ransomware attacks targeting the industrial sector spiked 87 percent year over year in 2024, making manufacturing the top ransomware target for four consecutive years, according to Dragos.


In energy and utilities, metering vendors, grid contractors, and maintenance teams all require periodic access to distributed systems connected over cellular. A compromised session at the network edge is not isolated to one site.


In security and surveillance, the system designed to protect a facility becomes the entry point. IP cameras and access control systems managed remotely by integrators, often over public-facing connections, create exactly the kind of persistent, under-monitored access attackers look for.


In healthcare, the Change Healthcare breach of 2024 exposed health and personal data for approximately 190 million individuals and disrupted claim processing nationwide, with UnitedHealth spending over two billion dollars in response. The initial access vector was a compromised vendor credential.


What is the difference between VPN access and Zero Trust privileged access?

The core difference is scope. VPN grants access to a network. Zero Trust privileged access grants access to a specific resource, for a specific duration, with full inspection and recording throughout. The contractor gets what they need to do the job. Nothing more.


| Traditional VPN access | Zero Trust privileged access |
|---|---|
| Network-level access granted | Access scoped to specific resource only |
| Credentials distributed to contractors | Browser-based portal, no client software |
| Sessions unmonitored | Full session recording |
| No time limits on access | Time-bound sessions, auto-expiry |
| Credentials rarely revoked | Access closed automatically after session |
| No audit trail | Full log for compliance and incident review |
| Requires VPN client on contractor device | Works from any browser, no client needed |


For IoT and OT environments, there is an additional requirement: the solution must work for headless devices and constrained hardware where agent software cannot be installed. A laptop-centric Zero Trust tool does not translate to a factory floor or a cellular-connected energy meter.


What does secure third-party access look like in practice?

The right architecture delivers browser-based privileged access. A contractor authenticates through a web portal, selects the specific system they need to reach, and runs the session in-browser via SSH, VNC, or RDP. The session closes when the time window ends. No VPN client to distribute. No persistent credentials. Full recording for audit and compliance.


This model also needs to be operationally simple. If granting a service technician two hours of access to a specific device requires IT intervention and a support ticket, teams will default back to the shared VPN password. The security model has to work for field conditions, not just security architects.
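As an added illustration of the model just described (example code written for this article, not IXT's or Zscaler's implementation), the following Python sketch models a broker that issues a grant scoped to one contractor, one device and one protocol, expires it automatically, and writes every decision to an audit log. All names and timestamps in it are constructed.

```python
# Added illustration of the access model described above: a grant names one
# contractor, one device and one protocol, carries an expiry, and every decision
# is appended to an audit log. All names and times below are constructed examples.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    contractor: str
    device: str           # the single resource this grant can reach
    protocol: str         # "ssh", "vnc" or "rdp"
    expires_at: datetime  # nothing is reachable once this passes

@dataclass
class AccessBroker:
    grants: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def issue(self, contractor, device, protocol, hours, now):
        """Create a time-bound grant for exactly one device and protocol."""
        g = Grant(contractor, device, protocol, now + timedelta(hours=hours))
        self.grants[(contractor, device, protocol)] = g
        self.audit_log.append(("grant", contractor, device, protocol, g.expires_at))
        return g

    def authorize(self, contractor, device, protocol, now):
        """Allow only an unexpired grant matching all three fields; log the verdict."""
        key = (contractor, device, protocol)
        g = self.grants.get(key)
        if g is None:
            verdict = "deny:no-grant"      # other hosts and protocols stay unreachable
        elif now >= g.expires_at:
            verdict = "deny:expired"
            del self.grants[key]           # auto-close instead of lingering
        else:
            verdict = "allow"
        self.audit_log.append((verdict, contractor, device, protocol, now))
        return verdict == "allow"

def demo():
    """Two-hour SSH grant to one PLC: allowed in-window, other host denied, expired denied."""
    t0 = datetime(2026, 3, 28, 8, 0, tzinfo=timezone.utc)   # constructed start time
    b = AccessBroker()
    b.issue("tech@vendor.example", "plc-line-3", "ssh", hours=2, now=t0)
    in_window = b.authorize("tech@vendor.example", "plc-line-3", "ssh", t0 + timedelta(minutes=30))
    other_host = b.authorize("tech@vendor.example", "hmi-line-3", "vnc", t0 + timedelta(minutes=30))
    expired = b.authorize("tech@vendor.example", "plc-line-3", "ssh", t0 + timedelta(hours=3))
    return in_window, other_host, expired, len(b.audit_log)
```

The audit log holds one entry per grant and per decision, which is the trail the VPN column of the table above lacks.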


NIS2, which applies to essential and important entities across EU member states, treats third-party access and supply chain risk as explicit compliance requirements. An organisation granting broad VPN access to 20 contractors with no session logging has a regulatory exposure, not just a security one.


How does IXT handle third-party access for IoT and OT devices?

IXT includes Privileged Remote Access as part of its standard Zero Trust offering, powered by Zscaler ZTNA. It works for OT and IoT environments where agent software is not an option. Contractors access specific equipment through time-limited, browser-based sessions with full session recording and no VPN client required.


Because Zero Trust is built into IXT's cellular connectivity at the SIM level, security enforcement happens before traffic reaches the infrastructure. There are no exposed ports, no inbound connections, and no network-level access granted to external parties by default.


If you are managing IoT or OT devices over cellular and want to understand what this looks like in your environment, talk to the IXT team at ixt.io.


About the author


This article was written by the IXT Connectivity and Security team. IXT operates a full MVNO core network, and its focus is on network-level Zero Trust architecture, SIM-based identity, and secure device communication without relying on VPNs or endpoint agents.