Blog - swIDch

How third-party remote access breaks OT network segmentation

Written by Admin | Jul 14 2026

 

No matter how precisely you segment your internal factory network or how heavily you fortify your firewalls, true immunity remains out of reach. Due to the continuous nature of critical industrial operations, there are always remote access channels deliberately left open for external machine manufacturers and maintenance partners to perform routine checks or emergency troubleshooting. Even if your internal security systems are flawless, failing to control the authentication of these open gateways provides attackers with an easy bypass route.

 

The reality of supply chain attacks bypassing enterprise walls

Modern advanced threats rarely waste energy trying to breach the heavily guarded perimeters of major industrial enterprises directly. Instead, they shift their crosshairs to more vulnerable third-party contractors in the form of supply chain attacks.

According to a joint cybersecurity advisory published by the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the NSA, this exact pathway was the core strategy of 'Volt Typhoon', one of the most dangerous state-sponsored cyber actor groups. Instead of targeting control systems directly, they compromised the remote access environments of third-party contractors and maintenance vendors linked to critical infrastructure. By exploiting a contractor's PC, they stole remote maintenance VPN credentials and administrator logons to infiltrate the core internal network, disguised as legitimate users.

Logging in with valid credentials makes technical detection or prevention nearly impossible, as internal security systems misidentify the intrusion as a trusted partner's access. No matter how thoroughly internal defences are constructed, traditional perimeter-based security is bound to fail against an attacker wearing the mask of a legitimate ally.

 

The structural risk of permanently open static credentials

Handing external partners static, permanently valid usernames and passwords leaves a latent security risk completely exposed. This was the secret that allowed highly sophisticated hacking groups like Volt Typhoon to remain undetected within major global control networks for months or even years. They didn't plant blatant malware; they simply forged 'legitimate administrative commands' using stolen static credentials to move freely inside the infrastructure.

Severing third-party remote access entirely is practically impossible if you wish to maintain operational continuity. Therefore, the only logical solution is to control the identity verification and the validity period of these incoming connections in a fundamentally different way. Building higher network walls cannot control legitimate access privileges initiated from a compromised contractor's PC.

 

Confining remote access validity to a single fleeting moment

The cornerstone of OT supply chain security for the latter half of the year must be the introduction of a dynamic verification layer that is valid exclusively at the exact millisecond a contractor attempts to log in.

Integrating a real-time, mathematically generated one-time dynamic identity code with existing static credentials alters the entire defensive landscape. Even if a contractor's admin account and password are fully exposed on the dark web, they become instantly useless data to an attacker because the required dynamic code expires the moment it is generated.

To ensure a partner's security management flaws do not translate into an operational shutdown risk for your factory, you must isolate the value of external privileges to the exact moment they are exercised. Transforming identities into dynamic, real-time assets is the only definitive way to secure your processes against uncontrollable third-party risks.

 

 

--------------------

 

swIDch will continue its quest to innovate and pioneer next-generation authentication solutions. To stay up-to-date with the latest trends sign up to our newsletter and check out our latest solutions.