Top 10 Audit Controls to Request from Your OT Vendor
Protect your industrial assets in 2026. Discover the 10 essential audit controls to demand from your OT vendors to ensure safety, security, and compliance.
The New Reality of Industrial Third-Party Risk
In the industrial landscape of 2026, the perimeter of your facility no longer ends at the physical fence line. It extends deep into the digital supply chain, through the remote access tunnels and software updates provided by your Operational Technology (OT) vendors. Every vendor, integrator, or maintenance contractor who connects to your Industrial Control Systems (ICS) represents a potential gateway for threat actors. As cyber-physical attacks become more sophisticated, the old model of “trusting” your partners based on their reputation is no longer sufficient. You must move to a model of “verify through audit” to protect your plant’s uptime and the safety of your personnel.
The challenge, however, is that standard IT-centric audit questionnaires often miss the mark in an OT environment. Requesting a SOC 2 report from an IT service provider is common practice, but when auditing a vendor that manages your Programmable Logic Controllers (PLCs) or Distributed Control Systems (DCS), you need far more granular evidence. You need to know how they manage ladder logic, how they secure their remote access sessions, and how they handle vulnerability disclosures for proprietary firmware. This article outlines the ten non-negotiable audit controls you must request from your OT vendors to move from passive oversight to active risk management.
By enforcing these requirements, you shift the burden of security transparency onto the vendor, ensuring that they prioritize your operational security as highly as their own product features. Whether you are dealing with Original Equipment Manufacturers (OEMs) or third-party service integrators, these controls provide a standardized, defensible framework for evaluating their security maturity. This is not just about checking boxes for an internal audit; it is about building a resilient industrial architecture where every external touchpoint is documented, monitored, and strictly controlled.
10 Essential Audit Controls for Industrial Partners
1. Granular Remote Access Logs & Session Recording
Persistent “always-on” VPN tunnels are an invitation for disaster in any modern industrial network. You must demand that vendors provide logs for every remote access session, documenting exactly when access was granted, who accessed which system, and exactly what changes were made. Even better, require that they utilize a jump server with session recording capabilities so that you have a visual audit trail of all engineering activities. This allows you to verify that vendor access was limited to the duration of the task and restricted to the specific assets required for the maintenance window.
2. Multi-Factor Authentication (MFA) Enforcement
The days of sharing a single “admin” credential between a vendor’s technicians are over. Your audit request must mandate that the vendor enforces multi-factor authentication for every account that touches your industrial environment, without exception. This requirement should extend to their internal development environments as well, if they are involved in pushing code or configuration updates to your controllers. If a vendor cannot demonstrate the technical capability to support MFA, they should not be granted remote access to your critical control infrastructure under any circumstances.
3. Documented Change Management for Industrial Logic
Unlike IT software, where “move fast and break things” is a common mantra, OT logic changes can have fatal physical consequences. Request the vendor’s documented change management policy, specifically looking for evidence of pre-deployment testing in a staging environment. They must provide proof that any modification to PLC logic, HMI screens, or setpoints underwent a formal review and approval process before being applied to your production system. This ensures that a faulty update does not inadvertently cause a process failure or safety shutdown.
4. Vulnerability Disclosure & Patch Management Roadmap
You need to know how your vendors handle the discovery of vulnerabilities in their own products. Ask them for their formal Vulnerability Disclosure Policy (VDP) and evidence of how they communicate patches to their customers. A mature vendor will provide a clear roadmap for firmware updates, including how they prioritize critical security flaws versus functional improvements. This control prevents you from being caught off guard by a zero-day exploit that the vendor knew about but failed to communicate, giving you the lead time needed to mitigate risk.
5. Proof of Least-Privilege Access Architecture
A vendor should only have the permissions necessary to perform their specific contractual duties, nothing more. Demand an organizational chart or access matrix that shows how they implement the principle of least privilege for their employees who have access to your site. This includes verifying that their technicians are assigned unique credentials rather than shared accounts, and that their access rights are periodically reviewed and revoked immediately upon the termination of their employment or the end of a project contract.
6. Secure Supply Chain & Software Bill of Materials (SBOM)
Modern OT equipment often relies on hundreds of third-party software libraries, some of which may be outdated or contain known vulnerabilities. Require your vendors to provide an SBOM for the software components running on their hardware, which gives you visibility into the components that make up your industrial systems. This allows you to track and manage risks associated with the entire software supply chain, ensuring that you are not running critical infrastructure on a platform composed of insecure, abandoned, or malicious code.
7. Physical and Digital Security Training Records
Human error remains one of the primary drivers of industrial cyber incidents, often stemming from technicians who do not understand the unique safety implications of the OT environment. Ask for evidence of their internal security training programs, specifically looking for modules focused on ICS/OT risks. Their technicians should be trained on the “Do No Harm” principle, understanding how to navigate a plant floor without accidentally bumping a cable or initiating a command that could disrupt a running process.
8. Incident Response and Reporting Obligations
When an incident occurs within the vendor’s network that could potentially impact your infrastructure, you need to know immediately. Demand a contractual obligation that requires the vendor to notify you within a defined, short window (e.g., 24 hours) if they detect a breach that involves any of your data, credentials, or remote access configurations. Furthermore, ask to see their incident response plan to ensure they have a structured process for containing the threat and communicating with their clients during a crisis.
9. Network Segmentation & Zoning Compliance (IEC 62443)
If the vendor is involved in integrating their equipment into your wider network, they must demonstrate an understanding of the Purdue Model and IEC 62443 zone/conduit requirements. Request their design documentation to verify that their equipment is configured to operate within its designated security zone and that communication with other zones is strictly limited to necessary protocols. This prevents the vendor from accidentally creating a bridge that could allow a threat to move laterally from your IT network into your OT environment.
10. Backup and Disaster Recovery Verification
Never assume that the vendor’s “automatic backups” are actually working or that they are recoverable in a real-world disaster. Require the vendor to provide evidence of successful, periodic recovery tests for their proprietary configurations and project files. You should have access to a copy of these “golden backups” stored offline or in a secure, air-gapped location, ensuring that even if the vendor goes out of business or their systems are wiped by ransomware, you can restore your operations.
Building a Culture of Vendor Security
Implementing these ten controls is a significant step forward, but the ultimate goal is to foster a collaborative culture where security is a shared responsibility rather than a source of tension. Start by incorporating these audit requirements into your procurement process, making it clear that adherence to these standards is a mandatory part of doing business with your organization. This approach forces vendors to mature their own security posture, which ultimately creates a safer, more reliable industrial ecosystem for everyone involved.
By regularly reviewing these controls and engaging in honest conversations with your partners about their security challenges, you move beyond the “checkbox” mentality. You become a leader in industrial resilience, ensuring that while the threats of 2026 are complex, your plant remains protected by a robust, well-vetted, and strictly controlled digital architecture. Remember, an audit is not a one-time event; it is a cycle of continuous improvement that verifies that your vendors remain as committed to your uptime as you are.
