Skip to main content
AirGapNetPhysical network isolation
← BlogField notesJanuary 20268 min read

SCADA vendor accounts: why "disabled" usually isn't

Every SCADA operator has a story about a vendor account that quietly stayed up after the last service call. Why VPN + jump host leaves the path live, and what a scheduled physical window changes.

The vendor account that was 'cleaned up' after a service call survives every incident retrospective. The line that does not exist between calls survives them too.

In this article

Section 01

The everyday situation

A SCADA system at a water treatment plant has a vendor maintenance account. The vendor visits twice a year for firmware updates and unplanned site calls. Between visits, the account is supposed to be disabled — and on the audit, the field shows it as disabled.

In practice, the field is often wrong. The vendor calls in for a small fix in March; the account is re-enabled to handle the request; the operator gets pulled into a different fire before the cleanup step; the account stays enabled for the next eleven months. The audit field says 'disabled' because nobody re-checked it.

Section 02

Why VPN + jump host leaves the path up

The standard controls — vendor VPN with restricted scope, jump host to gate the actual session, MFA on both — all keep the network path up between sessions. The vendor's home network can reach the VPN endpoint at any time. The jump host's IP is reachable from the corporate side at any time. The scope rules and credentials are the gate, and gates can be misconfigured.

When this fails, the failure mode is 'path was open and someone walked in'. The retrospectives invariably read like procedural lapses — credential rotation missed, rule change not pushed, access review skipped. The underlying issue is structural: the path is always there, and policy is what is keeping it closed.

Section 03

What a physical maintenance window changes

A hardware switch on the line to the SCADA controller flips the default. The line is broken. The vendor is told their window is Tuesday 03:00–05:00. At 03:00 the operator opens the line via SMS, the vendor performs the work, the relay closes itself at 05:00 — or earlier if the operator closes it sooner.

Between 05:00 Tuesday and 03:00 the next maintenance day, the vendor's home network has no path to the controller. The VPN endpoint still exists; the credentials still exist; the jump host still exists. None of them have anywhere to route, because the cable on the other end is not connected.

  • Default-closed

    The line to the controller is a relay state, not a firewall rule. Out-of-window means 'no route', not 'route blocked by policy'.

  • Auto-close is local

    The window closes on the device's own timer. No 'someone forgot to disconnect' state.

  • Per-controller, per-window

    Each protected line has its own schedule. A SCADA controller and a separate engineering workstation can be on different cadences.

  • Audit log is the ground truth

    Relay state log replaces the 'was the account disabled' field. Auditors check the device log, not the documentation.

Section 04

Where this is harder than it sounds

Two things to budget for. First, vendor expectations need to be reset — vendors who were used to ad-hoc access need to schedule windows. Most do, given a quarter's runway. The ones who balk are usually the ones whose access has been quietly oversized for years.

Second, emergency access. The window pattern works for planned maintenance, not for at-2-am-the-controller-is-misbehaving calls. The right pattern is to keep a documented out-of-band procedure that opens an emergency window — same physical mechanism, just opened by the on-call operator instead of the schedule. The relay log records the emergency open the same way it records a scheduled one.

Go from reading to running

See AirGapNet on your network.

We bring a real AGN1 to your bench and run one maintenance window on your equipment. 30 minutes on the call.

Book a demoMore articles