A vendor engineer calls the shift supervisor at 14:30 on a Tuesday. A robot cell in the body shop is rejecting parts at a rate that will put the line behind takt inside an hour. He needs five minutes of VPN access to check a PLC parameter. Nobody opens a PFMEA. Nobody reviews a control plan. A help-desk ticket is filed, credentials are issued, and a laptop somewhere in Stuttgart — or possibly a clone of that laptop — now has a tunnel straight into your OT backbone.

That is how the last six plant breaches I have reviewed started. Not with a zero-day. Not with a nation-state actor. A politely worded email and a VPN credential that had more privileges than it needed and less oversight than a €200 bracket supplier.

Remote access is a quality input, not an IT ticket

The recent Secomea advisory about ransomware crews targeting manufacturer VPNs should not surprise anyone who has spent time on both sides of this fence. I hold a CEH certification and have spent twenty years running quality systems in automotive and aerospace plants. From where I sit, the problem is structural. IT security owns the network. Quality owns the process. Nobody owns the intersection — and that intersection is where every remote vendor session lives.

We demand PPAP documentation from a supplier sending us a stamped bracket. We audit their process, their gauges, their scrap rate, their corrective action history. We send VDA 6.3 auditors to walk their floor. Then we hand VPN credentials to an external engineer who can modify the programme running a safety-critical machining centre, and the entire governance framework is a ServiceNow ticket and an email that says "access granted for 48 hours."

The bracket supplier can cause a dimensional defect. The VPN session can cause a line-down event costing €400,000 an hour, propagate ransomware across every controller on the floor, and destroy the traceability data you need for your next EASA audit. Which input carries more risk — and which one do you actually control?

The most dangerous supplier is the one your quality system does not recognise as a supplier.

The PFMEA nobody wrote for your OT network

In my current role at Airbus, and before that building a 900-employee greenfield quality organisation from scratch at SNOP, I have seen the same pattern in supplier quality and in cybersecurity. Failures cluster where ownership is ambiguous. The bridge between two well-governed domains is itself ungoverned.

Here is what happens to those VPN credentials. A vendor engineer receives them over email — sometimes over a personal account, because his company laptop is being reimaged. He shares them with a colleague because the job requires two people. The colleague saves them in a browser autofill on a machine that also handles his kid's homework. The credential sits in a password store that gets harvested in a phishing campaign targeting the supplier's domain, not yours. Six weeks later, your firewall logs show a login from an IP address in a country where you have no facilities. Nobody is watching, because that credential was supposed to expire in 48 hours but someone extended it with a follow-up ticket and forgot to close it.

This is not speculation. I have traced this exact failure mode in incident reviews. The mechanism is predictable. The prevention is straightforward. What is missing is the application of quality-systems thinking to a domain that has been siloed as an IT problem.

Write a PFMEA for your OT remote access the way you would for any process input with high severity. The failure modes are few: credential exfiltration, over-privileged access, session persistence beyond scope, lateral movement from OT to IT networks. Current controls: a firewall rule and hope. Recommended controls write themselves if you ask the question honestly.

What a supplier-grade control plan for access looks like

Treat every remote session the way you would treat a new supplier process. Documented approval, scoped access, time-boxed sessions, evidence of closure.

  • Scope by need, not convenience. A vendor checking a PLC parameter does not need layer-3 access to every controller on the subnet. Segment OT networks so remote sessions land in a demilitarised zone with jump-host access to specific assets. Broader access requires a change-control approval — same as any engineering change to a controlled process.
  • Time-bound credentials with automatic revocation. No VPN credential should outlive the work order it was created for. If the session runs four hours, the credential expires in five. No exceptions, no extensions by email.
  • Session recording for OT remote access. We record operator actions on critical workstations. We log every change to a controlled programme. A vendor modifying a robot programme over VPN should be subject to the same traceability. If you can reconstruct what an operator did on the line at 03:00 last Thursday, you should be able to reconstruct what a remote engineer did to your PLC at the same hour.
  • Quarterly access reviews as part of internal audit. Pull the VPN logs. Cross-reference every active credential against an open work order. Expire what does not match. Five minutes of work per quarter, and it catches the credential issued eleven months ago for a job that finished in week one.

The cost of implementing this is negligible against one ransomware event. The crews targeting manufacturer VPNs right now are not looking for sophisticated entry points. They are looking for the credential that was issued, forgotten, and never revoked — because they know that is the one nobody is watching.

Key takeaways

  • Treat every VPN credential as a supplier process input requiring a control plan, not an IT help-desk transaction.
  • Write a PFMEA for OT remote access covering credential exfiltration, over-privileged access, session persistence, and lateral movement — the failure modes are known and few.
  • Time-box every credential to its work order with automatic revocation; no exceptions, no email extensions.
  • Bring VPN access logs into your internal audit cycle. A credential with no open work order behind it is an open door with nobody watching it.

AS9100 and IATF 16949 will formalise this within two revision cycles. The standards bodies are already circling the gap between IT security and quality management, and the Secomea advisory is not the first signal — it is the loudest one so far. Plants that build supplier-grade governance for OT remote access now will absorb the change as a routine update. Plants that wait will learn the cost the same way I have seen plants learn every other unaddressed quality input: through a customer escalation, a line-down event, or an audit finding that arrives after the damage is already on the floor.