Every industrial and data-center estate we review carries a quiet inventory of remote access: the chiller vendor’s VPN from a 2019 project, the elevator company’s cellular modem, the BMS integrator’s remote desktop tool, the generator monitor phoning home. Each one was reasonable on the day it was installed. Nobody owns the set. In third-party incident statistics, this category is not a contributor; it is the leading vector into operational systems, year after year.
Count your tunnels. The real number is higher than the one you just said, and one of them still uses a shared password.
Why tunnels rot
Vendor access is provisioned by projects and orphaned by them too. The project ends, the account survives; the technician changes employers, the credential does not notice; the "temporary" modem becomes load-bearing. Shared logins defeat the audit trail, permanent connectivity defeats the principle that access should exist only while work exists, and the tools involved are exactly the ones attackers scan for by name.
The pattern that holds
- One brokered front door: every vendor session goes through a single gateway that grants access just-in-time, to the specific system, for the ticket that justifies it.
- Identity per human: named accounts, phishing-resistant login, and expiry dates inherited from the contract, not from memory.
- Sessions on the record: recorded, attributable, and reviewed the way you review privileged IT access, because that is what this is.
- A standing inventory: every remote path, owner, protocol and last-used date, walked quarterly, with the unused ones cut.
The elegant part: this program pays for itself in audit season. The same inventory and recordings that stop an attacker are the evidence your compliance team currently reconstructs by hand.
We inventory vendor tunnels without disrupting the work behind them. The count always surprises, and then it shrinks.