AirGapNet: Physical network isolation
Blog / Field notes / April 2026 / 7 min read

How to retire the always-on vendor VPN

The vendor account that is meant to reach one CNC has, in practice, line-of-sight to the whole subnet. A field guide to replacing the permanent integrator tunnel with a scheduled physical window.

Time-boxing that path at the cable layer removes a class of incidents that segmentation alone cannot: the ones where the vendor's side of the tunnel is what got compromised.

Section 01

The everyday situation

A press-line vendor needs SSH access to one PLC, twice a quarter, for firmware updates. An imaging vendor needs RDP to one MRI controller during a service call. A robotics integrator needs remote diagnostics access to a cell on the shop floor during commissioning.

In each case, the actual scope is one machine for one task. The way the access is delivered is almost always larger: a vendor account on the OT VPN with a route into the whole subnet, scoped by firewall rules that everyone agrees are 'roughly right' and nobody has audited in a year.

Section 02

Why the scope creeps

OT segmentation projects implicitly trust the vendor's home network. That usually holds, until it doesn't. A recurring pattern in OT-targeted ransomware incidents of the last several years looks the same every time: the integrator's laptop gets a foothold from a phishing email; its always-on VPN client into the customer's OT subnet becomes the pivot; the attacker walks the subnet at leisure, with the vendor's credentials and the vendor's route.

On-site escort solves this — one technician, one device, one closed door. But escort doesn't scale. A multi-site operator with fifteen plants and a quarterly maintenance cadence cannot physically watch each window, and the integrators cannot fly an engineer to each visit. So the operational pressure is always toward leaving the path up.

Section 03

The middle ground

A physical switch on the line to the one device the vendor needs gives you a way out. The line is broken by default. The operator opens a window for the duration of the planned work — manually via SMS, or on a recurring schedule that matches the vendor's contract — and the line closes itself when the timer expires.

The vendor's home network can be exactly as trustworthy or untrustworthy as it was; for every hour outside the window, none of that matters, because there is no path. The pivot route does not exist as a route, so there is nothing for a compromised vendor laptop to traverse.

  • Per-device, not per-subnet

    One AGN1 sits on the line to one machine. The vendor reaches that machine; the rest of the OT subnet does not exist from their side.

  • Auto-close is local

    The window close runs on the relay, not on a scheduled task in some management tool. No 'someone forgot to disconnect' state.

  • Audit log per window

    Open command, open time, close time. The compliance review does not have to reconstruct intent — it reads the log.

  • Vendor experience is unchanged

    They connect during the agreed window. The fact that the line does not exist outside the window is the customer's problem to schedule, not the vendor's to notice.
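The window mechanics described above (open by SMS or by a recurring contract slot, close by a timer that runs on the relay itself, one audit entry per event) as an added example that models the relay's state machine in Python. This is illustrative code written for this page, not AGN1 firmware; the class and function names, the 8-hour cap on a single window, the refusal to extend a live window, and the rule that an early operator close holds the schedule off for the rest of that slot are all assumptions made here. The sample schedule and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, time
from typing import Optional


@dataclass
class AuditEntry:
    """One line of the per-window log: what happened, who asked, when."""
    device: str
    event: str        # "open", "close" or "reject"
    source: str       # "sms", "schedule", "timer", "operator"
    at: datetime
    window_end: Optional[datetime] = None


@dataclass
class RecurringWindow:
    """A contract slot, e.g. every Tuesday 09:00 for two hours (assumed shape)."""
    weekday: int      # 0 = Monday ... 6 = Sunday
    start: time
    duration: timedelta


class LinkController:
    """State machine for one relay on the line to one device (illustrative).

    The line is closed unless closes_at is set. Every open carries a deadline,
    and tick() is driven by the relay's own clock, so the close never depends
    on an external management tool being up.
    """
    MAX_WINDOW = timedelta(hours=8)   # assumed cap per window, not a product spec

    def __init__(self, device: str, schedule=()):
        self.device = device
        self.schedule = list(schedule)
        self.closes_at: Optional[datetime] = None
        self.hold_until: Optional[datetime] = None   # schedule suppressed after an early close
        self.log: list = []

    @property
    def is_open(self) -> bool:
        return self.closes_at is not None

    def open_window(self, now: datetime, duration: timedelta, source: str) -> bool:
        """Open the line until now + duration. Refuses oversize and overlapping requests."""
        if duration <= timedelta(0) or duration > self.MAX_WINDOW:
            self.log.append(AuditEntry(self.device, "reject", source, now))
            return False
        if self.is_open:   # a second request never silently extends a live window
            self.log.append(AuditEntry(self.device, "reject", source, now, self.closes_at))
            return False
        self._open(now, now + duration, source)
        return True

    def close(self, now: datetime, source: str) -> None:
        """Explicit close. An early (non-timer) close also holds the schedule off."""
        if not self.is_open:
            return
        if source != "timer" and now < self.closes_at:
            self.hold_until = self.closes_at
        self.closes_at = None
        self.log.append(AuditEntry(self.device, "close", source, now))

    def tick(self, now: datetime) -> None:
        """Run from the relay clock: expire the timer first, then apply the schedule."""
        if self.is_open and now >= self.closes_at:
            self.close(self.closes_at, "timer")
        if self.is_open or (self.hold_until is not None and now < self.hold_until):
            return
        for w in self.schedule:
            start = datetime.combine(now.date(), w.start)
            if now.weekday() == w.weekday and start <= now < start + w.duration:
                self._open(now, start + w.duration, "schedule")
                return

    def _open(self, now: datetime, end: datetime, source: str) -> None:
        self.closes_at = end
        self.log.append(AuditEntry(self.device, "open", source, now, end))


def weekly_exposure_hours(schedule) -> float:
    """Hours per week the line exists under the contract schedule alone."""
    return sum((w.duration for w in schedule), timedelta(0)).total_seconds() / 3600


def demo() -> dict:
    """Constructed scenario: one PLC, Tuesday 09:00 slot, one ad-hoc SMS window."""
    c = LinkController("PLC-04", [RecurringWindow(1, time(9, 0), timedelta(hours=2))])
    mon = datetime(2026, 4, 20, 8, 0)          # a Monday
    c.tick(mon)
    r = {"closed_by_default": not c.is_open}
    r["sms_open"] = c.open_window(mon.replace(hour=10), timedelta(hours=1), "sms")
    r["extend_refused"] = not c.open_window(mon.replace(hour=10, minute=30), timedelta(hours=1), "sms")
    c.tick(mon.replace(hour=10, minute=30))
    r["open_mid_window"] = c.is_open
    c.tick(mon.replace(hour=11))               # timer fires on the relay
    r["closed_by_timer"] = (not c.is_open) and c.log[-1].source == "timer"
    tue = mon + timedelta(days=1)
    c.tick(tue.replace(hour=9, minute=30))     # inside the contract slot
    r["schedule_opened"] = c.is_open and c.closes_at == tue.replace(hour=11)
    c.close(tue.replace(hour=9, minute=45), "operator")
    c.tick(tue.replace(hour=10))               # early close is not undone by the schedule
    r["early_close_holds"] = not c.is_open
    r["oversize_refused"] = not c.open_window(tue.replace(hour=12), timedelta(hours=24), "sms")
    r["weekly_hours"] = weekly_exposure_hours(c.schedule)
    r["events"] = [(e.event, e.source) for e in c.log]
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the model makes explicit is that the close path has no external dependency: tick() expires the window from the relay's own clock and writes the close record itself, and the schedule cannot quietly reopen a line an operator shut early. weekly_exposure_hours() gives the number an audit actually wants, hours per week the line exists under contract, which is zero for any device with no schedule and no ad-hoc window.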

Section 04

What this looks like at scale

A multi-site operator running this pattern across 15 plants ends up with a per-device map of which lines exist during which windows. The number of always-on vendor paths drops from 'whatever segmentation drift left behind' to zero. Annual audits stop arguing about whether the vendor account on PLC-04 should be there, because the line to PLC-04 only exists during scheduled work, and the relay state log says so.

This is not a replacement for vendor identity controls. The vendor still needs an account, still needs MFA, still gets the same scoped access they had inside the window. What changes is that outside the window, the access discussion is moot — there is no network to gate access on.

Go from reading to running

See AirGapNet on your network.

We bring a real AGN1 to your bench and run one maintenance window on your equipment. 30 minutes on the call.