Field notes · Case F-21 · Cyber

The vendor tunnel

Ask a facility how many remote paths lead into its control systems and write the number down. The audit will find more. It always finds more.

Every industrial and data-center estate we review carries a quiet inventory of remote access: the chiller vendor’s VPN from a 2019 project, the elevator company’s cellular modem, the BMS integrator’s remote desktop tool, the generator monitor phoning home. Each one was reasonable on the day it was installed. Nobody owns the set. In third-party incident statistics, this category is not a contributor; it is the leading vector into operational systems, year after year.

Count your tunnels. The real number is higher than the one you just said, and one of them still uses a shared password.

Why tunnels rot

Vendor access is provisioned by projects and orphaned by them too. The project ends, the account survives; the technician changes employers, the credential does not notice; the "temporary" modem becomes load-bearing. Shared logins defeat the audit trail, permanent connectivity defeats the principle that access should exist only while work exists, and the tools involved are exactly the ones attackers scan for by name.

The pattern that holds

The elegant part: this program pays for itself in audit season. The same inventory and recordings that stop an attacker are the evidence your compliance team currently reconstructs by hand.

We inventory vendor tunnels without disrupting the work behind them. The count always surprises, and then it shrinks.