The Air Gap Is Broken
For decades, air-gapped systems were considered the gold standard for OT security. That era is over. Remote maintenance is now common—and often mandatory—across sectors. Unfortunately, outdated practices like shared credentials and sticky-note passwords persist, leaving organizations vulnerable to social engineering and credential misuse.
The Threat Landscape Has Changed
- CVE Explosion: Vulnerabilities aren’t just in OT devices—they’re in firewalls and VPNs meant to protect them.
- Faster Exploits: What used to take 30 days to exploit now takes hours.
- AI Acceleration: Artificial intelligence is supercharging reconnaissance and phishing campaigns.
Two high-profile incidents illustrate the danger: the Oldsmar water facility hack and the Target breach. Different industries, same weak link—poorly secured third-party access.
Practical Controls That Work
Cam offers actionable steps to lock down remote access:
- Kill the Passwords: Replace them with cryptographic keys tied to mobile devices or FIDO tokens. No passwords means phishing attacks lose their power.
- Protocol Allow Listing: Permit only the exact industrial protocols and endpoints required for vendor roles.
- Microsegmentation: Enforce least privilege at the device level. Contractors should only touch what they’re authorized to maintain.
- Network Cloaking: Hide non-essential services and block east-west movement inside your OT network.
- Harden Jump Servers: Limit file transfers, record sessions, and enforce strict controls for remote desktop access.
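The controls above (protocol allow listing, device-level microsegmentation, passwordless possession factors, restricted file transfer and the location-aware policies mentioned under Phase 2) can be expressed as one auditable policy decision per vendor session. The following is an added Python example written for this page, not code from the webinar or from BlastWave; the vendor roles, device IDs, protocols and address ranges are constructed placeholders.

```python
"""
Added example (not from the webinar or BlastWave): a small policy engine that
evaluates a third-party maintenance session request against a per-role allow
list. One decision enforces several of the controls discussed on the page:
  - protocol allow listing: only the exact protocol/port the role needs
  - microsegmentation: only the specific OT devices the role may maintain
  - location awareness: only from approved source networks and countries
  - passwordless access: the session must present a possession factor
  - jump-server hardening: file transfer is off unless the role permits it
All vendor names, roles, device IDs and addresses are constructed placeholders.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class VendorRole:
    allowed_devices: frozenset       # device IDs the role may touch
    allowed_protocols: frozenset     # (protocol, port) pairs
    allowed_sources: tuple           # source CIDRs (strings)
    allowed_countries: frozenset     # ISO country codes
    allow_file_transfer: bool = False


@dataclass(frozen=True)
class SessionRequest:
    vendor: str
    role: str
    device: str
    protocol: str
    port: int
    src_ip: str
    src_country: str
    auth_factor: str                 # "fido", "mobile_key" or "password"
    file_transfer: bool = False


# Constructed sample policy: two vendor roles with deliberately narrow scope.
POLICY = {
    "hvac_vendor": VendorRole(
        allowed_devices=frozenset({"plc-hvac-01", "plc-hvac-02"}),
        allowed_protocols=frozenset({("bacnet", 47808)}),
        allowed_sources=("203.0.113.0/24",),      # TEST-NET-3, constructed
        allowed_countries=frozenset({"US"}),
    ),
    "pump_integrator": VendorRole(
        allowed_devices=frozenset({"plc-pump-07"}),
        allowed_protocols=frozenset({("modbus-tcp", 502)}),
        allowed_sources=("198.51.100.0/24",),     # TEST-NET-2, constructed
        allowed_countries=frozenset({"US", "CA"}),
    ),
}

POSSESSION_FACTORS = {"fido", "mobile_key"}


def evaluate(req: SessionRequest, policy=POLICY):
    """Return (allowed, reasons). Every failing control is reported so the
    decision can be logged to a SIEM; the session is allowed only when no
    reason remains. An unknown role fails closed."""
    role = policy.get(req.role)
    if role is None:
        return False, [f"unknown role {req.role!r}"]
    reasons = []
    if req.auth_factor not in POSSESSION_FACTORS:
        reasons.append(f"auth factor {req.auth_factor!r} is not a possession factor")
    if req.device not in role.allowed_devices:
        reasons.append(f"device {req.device!r} not in role allow list")
    if (req.protocol, req.port) not in role.allowed_protocols:
        reasons.append(f"protocol {req.protocol}/{req.port} not allowed for role")
    src = ipaddress.ip_address(req.src_ip)
    if not any(src in ipaddress.ip_network(c) for c in role.allowed_sources):
        reasons.append(f"source {req.src_ip} outside approved networks")
    if req.src_country not in role.allowed_countries:
        reasons.append(f"source country {req.src_country} not approved")
    if req.file_transfer and not role.allow_file_transfer:
        reasons.append("file transfer not permitted for role")
    return not reasons, reasons


# Constructed requests: one that matches its role exactly, one that asks for
# a full-tunnel style session (any protocol, another role's device, password).
OK_REQUEST = SessionRequest("acme-hvac", "hvac_vendor", "plc-hvac-01",
                            "bacnet", 47808, "203.0.113.10", "US", "fido")
BAD_REQUEST = SessionRequest("acme-hvac", "hvac_vendor", "plc-pump-07",
                             "any", 0, "192.0.2.5", "ZZ", "password",
                             file_transfer=True)

if __name__ == "__main__":
    for req in (OK_REQUEST, BAD_REQUEST):
        allowed, reasons = evaluate(req)
        print(req.vendor, "ALLOW" if allowed else "DENY", reasons)
```

The returned reason list is the useful part for operations: a single denied request that trips five or six controls at once is exactly the full-tunnel, shared-credential pattern the webinar warns about, and logging every reason (rather than only the first) gives the SOC the evidence it needs.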
Guardrails for AI and Cloud
As agencies explore cloud SCADA and GenAI analytics, Cam urges caution: enforce one-way ingestion and allow only specific commands or protocols. Think data diode patterns before enabling bidirectional integration.
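A data-diode pattern in front of a cloud or AI edge needs two rules: telemetry flows out, and nothing flows back in unless a deliberate, command-level allow list says so. The following is an added Python example written for this page, not code from the webinar or from BlastWave. It assumes the OT side speaks Modbus/TCP (a choice made for the example; the page names no specific protocol) and gates frames by direction and by Modbus function code, so that even when control is eventually permitted, only read-class requests can enter the OT network. The frames are constructed samples.

```python
"""
Added example (not from the webinar or BlastWave): a command-level gate for
the "one-way ingestion, then only specific commands" guardrail. It parses the
Modbus/TCP MBAP header and function code and, in read_only mode, lets only
read-class requests pass from the cloud/analytics side into OT. In one_way
mode nothing enters OT at all; only OT-originated telemetry is ingested.
Modbus/TCP is an assumption for this example; the frames are constructed.
"""
import struct

# Public Modbus function codes: reads are safe to allow for analytics pulls.
READ_FUNCTION_CODES = {1, 2, 3, 4}     # coils, discrete inputs, holding, input registers
WRITE_FUNCTION_CODES = {5, 6, 15, 16}  # single/multiple coil and register writes

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def parse_modbus_tcp(frame: bytes):
    """Return (transaction_id, unit_id, function_code, pdu), or raise
    ValueError for a frame that violates MBAP framing rules."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"MBAP protocol id must be 0, got {proto}")
    # The length field counts every byte after itself: unit id plus PDU.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[MBAP_LEN:]
    return tid, unit, pdu[0], pdu


def gate(frame: bytes, direction: str, mode: str = "one_way"):
    """Decide whether a frame may cross the OT/cloud edge.
    direction: "ot_to_cloud" (telemetry out) or "cloud_to_ot" (requests in)
    mode:      "one_way"   -> nothing enters OT from the cloud side
               "read_only" -> only read-class Modbus requests may enter OT
    Returns (allowed, reason)."""
    if direction == "ot_to_cloud":
        return True, "outbound telemetry ingested"
    if direction != "cloud_to_ot":
        return False, f"unknown direction {direction!r}"
    if mode == "one_way":
        return False, "inbound blocked: one-way ingestion enforced"
    if mode != "read_only":
        return False, f"unknown mode {mode!r}"
    try:
        _tid, unit, fc, _pdu = parse_modbus_tcp(frame)
    except ValueError as exc:
        return False, f"malformed frame dropped: {exc}"
    if fc in READ_FUNCTION_CODES:
        return True, f"read function code {fc} to unit {unit} allowed"
    if fc in WRITE_FUNCTION_CODES:
        return False, f"write function code {fc} to unit {unit} blocked"
    return False, f"function code {fc} not on allow list"


# Constructed sample frames (hex): MBAP header followed by the PDU.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")           # FC 3, 10 regs
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 0001")           # FC 6
WRITE_MULTI = bytes.fromhex("0003 0000 000b 01 10 0000 0002 04 0001 0002")  # FC 16
BAD_PROTO = bytes.fromhex("0004 0001 0006 01 03 0000 0001")              # proto id 1

if __name__ == "__main__":
    for name, frame in (("read", READ_HOLDING), ("write", WRITE_SINGLE),
                        ("write-multi", WRITE_MULTI), ("bad-proto", BAD_PROTO)):
        for mode in ("one_way", "read_only"):
            print(name, mode, gate(frame, "cloud_to_ot", mode))
```

Start every integration in one_way mode and move to read_only only after the allow list of function codes and target units has been reviewed; a gate that fails closed on malformed framing is what keeps a "harmless" analytics connector from becoming a write path into the process.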
Aligning with Federal and Military Standards
This approach supports Zero Trust principles and aligns with RMF and NIST CSF control families:
- Identity: Passwordless MFA, device possession, biometrics.
- Networking: Microsegmentation, cloaking, protocol allow listing.
- Data: One-way ingestion for AI/cloud until controls mature.
Our Implementation Playbook
- Phase 1: Assess current exposure, inventory touchpoints, define MFA enrollment, and harden servers.
- Phase 2: Pilot at one site, enforce microsegmentation, and test location-aware policies.
- Phase 3: Scale and sustain—standardize vendor onboarding, integrate logs with SIEM, and update RMF packages.
The Bottom Line…
If vendors can reach your OT stack, so can adversaries. Don’t wait for an incident to tell you your access is too open.
Kill the passwords. Lock down the protocols. Enforce least privilege per device. Add guardrails for cloud and AI.
That’s how you keep maintenance mission-ready without opening the gates.
Synopsis
In this episode of The Bottom Line Up Front, insights from a webinar presented by Cam Cullen, CMO for BlastWave, are distilled. The discussion centers on constructing a defensible architecture with a focus on remote access for third-party OT vendors, addressing vulnerabilities such as the “South Attack Vector” and the increasing role of AI agents. Key points include the breakdown of traditional air gapping, the rise of CVEs in OT systems and security devices, and practical controls for improving security, such as replacing passwords with cryptographic keys and implementing micro-segmentation. Additional highlighted vulnerabilities are showcased through cases like the Oldsmar facility and the Target breach. The discussion extends to securing AI and cloud edges, aligning with federal and military zero trust principles, and concludes with a phased implementation strategy for a zero trust OT environment.
- 00:00 Introduction
- 00:38 The Broken Air Gap and Remote Maintenance
- 01:33 Security Vulnerabilities and Exploits
- 02:31 Case Studies: Real-World Incidents
- 02:54 Practical Security Controls
- 03:55 Comprehensive Network Protection
- 04:04 Microsegmentation and Device-Level Security
- 04:51 Hardening Remote Access and Onsite Controls
- 05:21 AI, Cloud Edges, and Zero Trust Principles
- 05:50 Federal and Military Alignment
- 07:36 Implementation Playbook for Zero Trust OT Strategy
- 08:46 Conclusion and Call to Action
This episode is brought to you by ATP Gov. Visit us online at www.atpgov.com or follow us on LinkedIn.
Transcript
ATP GOV: [00:00:00] Welcome to the Bottom Line Upfront, the podcast that cuts through the noise to deliver distilled insights from today’s most important technical webinars, presentations and demonstrations designed for federal and military IT leaders. Each episode breaks down complex technologies into mission ready takeaways, so you get the key points.
Fast. Whether it’s cybersecurity, cloud, architecture, or emerging defense technologies, we highlight what matters most and how trusted integrators like ATP Gov can help implement and operationalize these solutions across your agency or command. No fluff. No filler, just the bottom line up front. In today’s episode, we distill a webinar presented by Cam Cullen, CMO for BlastWave, on building a defensible architecture with a focus on remote access for third-party OT vendors, the South attack vector, and the emerging reality of AI agents.
Cam Cullen – Blastwave: The air gap is permanently broken. Uh, remote maintenance is very common in OT now, and it’s [00:01:00] almost a mandatory requirement in many scenarios. Especially as some of the OT systems become, call it more maintenance heavy and, and software updated by the manufacturers.
ATP GOV: As Cam mentions, we first have to understand air gapping is effectively broken.
Remote maintenance in the operational technology space isn’t optional anymore. It’s becoming a standard across sectors. With that, some old habits lingered, like shared credentials and sticky-note passwords, which leave you wide open to social engineering and misuse.
Cam Cullen – Blastwave: The other thing to keep in mind as we talk about remote access is that global CVEs just continue to explode, and probably most troubling in this factor.
It’s not just the OT systems that are reporting CVEs, it’s actually the firewall and VPN companies that are supposed to be protecting your OT network, especially remote access.
ATP GOV: The CVE curve at the same time keeps climbing and critically, it’s not just OT [00:02:00] devices, it’s also firewalls and VPNs. They are seeing web exposed vulnerabilities that enable admin bypass or root access.
Exploit speeds have shrunk from weeks to hours, and AI accelerates reconnaissance and phishing at scale. So if your plan depends on catching every alert, expect fatigue and massive miss rates.
Cam Cullen – Blastwave: More concerning is it’s actually being exploited much faster. It used to take 30 days back in 2020 for these things to be exploited regularly.
Now we’re seeing it in just hours.
ATP GOV: Cam talks about two incidents that prove the point. He reviews the Oldsmar water facility incident, which was remote access software misuse without multifactor authentication. And he talks about the Target breach, where a vendor’s HVAC credentials opened the door for lateral movement and massive data theft.
These are completely different industries, but they have the same weak link: poorly secured third-party access. So let’s talk about what does work, and here are some practical controls according to. [00:03:00] You need to replace passwords with cryptographic keys tied to a mobile device or FIDO token. Even if a laptop is compromised, possession and biometrics stand in the way.
Phishing emails asking to reset your password become irrelevant because there is no password. If we look at protocol allow listing, we could permit only the exact industrial protocols and endpoints their roles require. Don’t put full tunneling in the hands of the vendors, so if someone logs in from a suspicious location, block it.
Cam Cullen – Blastwave: We talked about north for reconnaissance and what we do with network cloaking. We talked about employee remote access, basically attacks out from the west side of the house. We talked about segmentation and lateral movement and threat vectors from the inside, where people are trying to move east-west that they’re not supposed to.
And today what we’re essentially talking about is on the south, which is you have maintenance users who are actually getting into the devices from remote, and what can they do from that perspective? If you can control all four of these directions of attack, it gives you the [00:04:00] ability to make sure that you have a 360-degree protection of your network.
ATP GOV: Cam also talks about microsegmentation at the device level. In the world of OT, this means least privilege for contractors, reaching only the safety controllers and process maintenance on the systems that they are supposed to be touching. There’s no east-west roaming inside of your OT network.
Cam Cullen – Blastwave: A maintenance contractor was hacked, and a hacker gained access to the network, and it basically messed up 26 of their sites. With someone like this, it’s actually very dangerous because their refrigeration systems can basically turn them into bombs if they are manipulated. If you’re familiar with what happened in, uh, Lebanon, the ammonium nitrate explosion they had in their port.
A bunch of different security solutions caused ’em to realize they had really a huge attack surface and very little ability to stop attacks, because they didn’t even know necessarily what system was at each site.
ATP GOV: Cam also emphasizes the importance of hardening remote desktop and jump server options when you don’t trust endpoints.
Route [00:05:00] access through a controlled jump server with file transfer limits and session recording where required. And finally, onsite controls still matter. If a vendor is physically present, USB use and local console actions must obey the same least-privilege rules. This means that remote access risk also includes on-prem maintenance behaviors.
Cam expands the conversation to also address artificial intelligence and cloud edges. He talks about how agencies are exploring cloud SCADA or Gen AI analytics and urges that we need to put guardrails at the edge, putting in controlled agents in front of your cloud and AI clusters, enforcing one-way ingestion and allowing only specific commands or protocols if and when you decide to permit control.
Think data diode patterns before bidirectional integration. Now if we put this under the lens of federal and military alignment, this approach aligns with zero trust principles. Identity: we’re talking about passwordless, multifactor [00:06:00] authentication, device possession and biometrics. Networking: microsegmentation and cloaking. And data:
one-way ingestion. This model supports RMF and NIST CSF control families focused on access control, boundary protection, and supply chain risk management. Using BlastWave as part of your zero trust stack supports RMF and NIST CSF control families focused on access control, boundary protection and supply chain risk management for critical infrastructure
and ICS. Now for CONUS and OCONUS operations, location-aware access and protocol allow listing are practical steps to reduce the attack surface during vendor support windows. Cam also provided us with a federal military alignment guide or cheat sheet. Focus on passwordless MFA, mobile and FIDO, and role-based policies on the device side; bind your authentication to a possession factor and validate the origin and location on the network side.
Focus on microsegmentation per device, block east-west movement, and cloak [00:07:00] non-essential services. Create protocol allow lists, along with one-way ingest for AI/cloud until controls mature. And finally, in the visibility and automation category, apply session recording wherever you can, as well as SIEM and SOAR integration for audit and remediation.
Cam reminds us to always review our RMF artifacts. Compliance hooks in at every level in the OT space, whether it’s in your SSP, your controls inheritance, your supply chain vendor off-boarding SOPs, privileged access and tick a line remote access policies. At ATP Gov, we put together an implementation playbook for a zero trust OT strategy.
And here’s what it looks like. In phase one, we would do an assessment. We’d inventory touchpoints and current VPN and firewall exposure. We’d list the protocols actually needed, define passwordless MFA enrollment with device binding and biometrics, and then take a look at the interactive clients and specific OT devices that [00:08:00] exist in the environment.
And then assess if we need to harden those servers with session recording. After that, you have to set up a pilot. You deploy to one site, enforce vendor device-level microsegmentation with a solution like BlastWave, adopt protocol allow lists, and then test location awareness policies. At the same time, we need to gate any cloud and gen AI analytics behind a one-way ingest agent, all the while measuring failed authentication attempts.
Block lateral movement. Look at mean time to provision and offboard the vendors. And finally, it’s all about scale and sustainment. We need to roll out to additional plants and bases. Standardize your vendor onboarding via invitation-link workflows, eliminate passwords, integrate all the logs with enterprise SIEM and update any outstanding RMF packages.
So what is the bottom line up front? If vendors can reach your operational technology stack, so can adversaries, because in the end you don’t wanna wait for an incident to tell you that your vendor access is too open. Kill the [00:09:00] passwords, lock down the protocols and enforce least privilege per device, then add cloud and AI guardrails.
That’s how you keep maintenance mission ready without opening the gates. So let’s get your South vector locked down today. Be sure to reach out to ATP Gov today at www.atpgov.com or email info at atpgov.com, or check us out on social media on LinkedIn. Thanks for listening, and be sure to subscribe to the Bottom Line Up Front wherever you get your podcasts.
And stay tuned for more distilled insights from the front lines of tech and national security. So until next time, stay secure. Stay mission ready.
About this Podcast
The Bottom Line Up Front is ATP Gov’s podcast that cuts through the noise to deliver distilled insights from today’s most important technical webinars, presentations and demonstrations designed for federal and military IT leaders. Each episode breaks down complex technologies into mission ready takeaways, so you get the key points. Fast.
Whether it’s cybersecurity, cloud, architecture, or emerging defense technologies, we highlight what matters most and how trusted integrators like ATP Gov can help implement and operationalize these solutions across your agency or command.
No fluff. No filler, just the bottom line up front.