What is Third Party Risk Management (TPRM)?
Third Party Risk Management (TPRM) is the process by which organisations identify, assess, mitigate and monitor the risks posed by external parties – such as suppliers, service providers and consultants. In OT environments, these risks are often technical, operational and cyber-related in nature.
In an OT context, TPRM means screening and monitoring suppliers that have (remote) access to industrial systems, supply components or maintain software.
🧠 Core functions of TPRM
- Identification – Knowing who your third parties are (including sub-suppliers)
- Classification – Risk assessment based on access, impact and dependency
- Due diligence – Pre-contractual review of security, integrity and compliance
- Contractual agreements – Recording requirements regarding security, audits and notification duties
- Monitoring – Periodic evaluation, for example through questionnaires, audits or scans
- Exit strategy – Plans for the safe termination of services
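The classification step above (tiering a supplier by access, impact and dependency, with identification of sub-suppliers feeding into it) can be made repeatable by encoding it. The following is an added example, not code from the original page or any standard: the axes follow the list above, but the weights, tier thresholds, the rule that unscreened sub-suppliers bump a supplier one tier, and the per-tier control names are illustrative assumptions an organisation would replace with its own.

```python
"""Supplier risk tiering for an OT environment (added illustrative example).

Scores a third party on the three classification axes the page names
(access, impact, dependency), maps the score to a tier, and lists the
minimum controls that tier requires. Weights, thresholds and control
names are assumptions for illustration, not values from any standard.
"""
from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    NONE = 0             # no access to OT systems at all
    ONSITE_ESCORTED = 1  # physical presence, escorted
    REMOTE_JUMP = 2      # remote, but only through a monitored jump server
    REMOTE_DIRECT = 3    # permanent VPN or other direct route to SCADA


class Impact(IntEnum):
    NONE = 0
    PRODUCTION = 1       # loss of availability only
    SAFETY = 2           # could affect safety functions


class Dependency(IntEnum):
    REPLACEABLE = 0
    HARD_TO_REPLACE = 1
    SOLE_SOURCE = 2


@dataclass
class Supplier:
    name: str
    access: Access
    impact: Impact
    dependency: Dependency
    subs_unassessed: int = 0   # sub-suppliers identified but not yet screened


# Assumed weights: access weighs most, because it is what gets abused.
WEIGHTS = {"access": 3, "impact": 2, "dependency": 1}

TIERS = ["Low", "Medium", "High", "Critical"]

# Assumed minimum controls per tier; a supplier gets its own tier's
# controls plus those of every tier below it.
CONTROLS = {
    "Low": ["supplier security policy acknowledged"],
    "Medium": ["annual questionnaire", "contractual incident notification"],
    "High": ["access only via jump server", "session logging",
             "SOC 2 or ISAE 3402 report"],
    "Critical": ["periodic field audit", "documented exit strategy",
                 "firmware integrity checks on delivered components"],
}


def risk_score(s: Supplier) -> int:
    """Weighted sum of the three axes; range 0..15 with the weights above."""
    return (WEIGHTS["access"] * s.access
            + WEIGHTS["impact"] * s.impact
            + WEIGHTS["dependency"] * s.dependency)


def tier(s: Supplier) -> str:
    """Map the score to a tier; unscreened sub-suppliers raise it one level."""
    score = risk_score(s)
    if score >= 12:
        idx = 3
    elif score >= 8:
        idx = 2
    elif score >= 4:
        idx = 1
    else:
        idx = 0
    if s.subs_unassessed > 0:          # identification gap: be conservative
        idx = min(idx + 1, len(TIERS) - 1)
    return TIERS[idx]


def required_controls(s: Supplier) -> list:
    """Cumulative controls for the supplier's tier and all lower tiers."""
    out = []
    for name in TIERS[: TIERS.index(tier(s)) + 1]:
        out.extend(CONTROLS[name])
    return out


if __name__ == "__main__":
    integrator = Supplier("SCADA integrator", Access.REMOTE_DIRECT,
                          Impact.SAFETY, Dependency.SOLE_SOURCE)
    print(integrator.name, risk_score(integrator), tier(integrator))
    for control in required_controls(integrator):
        print("  -", control)
```

The point of the `subs_unassessed` rule is that a supplier whose own supply chain is unknown cannot be classified with confidence, so the tool errs upward until identification is complete.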
🔐 Cyber risks from third parties
| Cyber risk | Example in an OT context |
|---|---|
| Supply chain risk | Compromised update via an external software supplier |
| Uncontrolled remote access | External engineer with permanent VPN access to SCADA |
| Unpatched components | Supplier delivers hardware with old, vulnerable firmware |
| Insufficient logging | Activities of external users are not recorded |
| Shadow IT | External party uses unauthorised tools or scripts |
Many OT attacks arise indirectly via third parties, as seen with 3CX, Kaseya, or maintenance providers using outdated credentials.
✅ Security measures within TPRM
| Measure | Explanation |
|---|---|
| Supplier security policy | Minimum security requirements for external parties |
| Risk classification | Risk estimate per supplier based on role/access |
| Access Control & Jump Server | Limit and log external access via controlled routes |
| ISAE 3402 or SOC 2 report | External assurance over security and process controls |
| Monitoring and anomaly detection | Oversight of third-party behaviour on the network |
| Contractual obligations | Record DPIAs, audit rights, incident notification duties |
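The access-control, jump-server and monitoring rows above, together with the "uncontrolled remote access" and "insufficient logging" risks listed earlier, come down to a few checks that can be run over remote-access session records. The script below is an added example, not code from the original page: it parses constructed session records of the kind a VPN concentrator or jump server could export and flags third-party sessions that bypassed the jump server, carry no change ticket, fall outside the maintenance window, or run long enough to amount to permanent access. The record format, the `vnd-` naming convention for vendor accounts, the maintenance window and the 8-hour threshold are all assumptions.

```python
"""Review of third-party remote-access sessions against TPRM controls
(added illustrative example; log format and thresholds are assumptions).
"""
import re
from datetime import datetime, time, timezone

# Constructed sample log: one session per line, key=value fields.
# via=jump means the session went through the monitored jump server;
# via=vpn means a direct VPN route to the target host.
SAMPLE_LOG = """\
ts=2024-03-04T09:12:00Z user=vnd-acme01 src=203.0.113.7 dst=hmi-02 via=jump ticket=CHG-1042 dur=2700
ts=2024-03-04T02:13:55Z user=vnd-acme01 src=203.0.113.7 dst=scada-01 via=vpn ticket=- dur=7200
ts=2024-03-05T10:00:00Z user=vnd-siem02 src=198.51.100.9 dst=plc-gw-01 via=jump ticket=- dur=900
ts=2024-03-01T08:00:00Z user=vnd-oem03 src=192.0.2.44 dst=eng-ws-01 via=jump ticket=CHG-0990 dur=172800
ts=2024-03-04T11:30:00Z user=jdoe src=10.20.0.5 dst=scada-01 via=vpn ticket=- dur=600
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
VENDOR_PREFIX = "vnd-"                  # assumed naming rule for third-party accounts
WINDOW = (time(7, 0), time(19, 0))      # assumed maintenance window, UTC, weekdays only
MAX_SESSION_S = 8 * 3600                # assumed: longer than this looks permanent


def parse(log: str):
    """Yield one dict per non-empty line, with ts and dur converted."""
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = dict(FIELD_RE.findall(line))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        rec["dur"] = int(rec["dur"])
        yield rec


def findings_for(rec: dict) -> list:
    """Return the TPRM control violations for a single session record."""
    if not rec["user"].startswith(VENDOR_PREFIX):
        return []   # internal staff are governed by IAM, not TPRM checks
    findings = []
    if rec["via"] != "jump":
        findings.append("bypassed jump server")
    if rec["ticket"] == "-":
        findings.append("no change ticket")
    t = rec["ts"].time()
    if rec["ts"].weekday() >= 5 or not (WINDOW[0] <= t <= WINDOW[1]):
        findings.append("outside maintenance window")
    if rec["dur"] > MAX_SESSION_S:
        findings.append("session longer than 8h, looks persistent")
    return findings


def review(log: str) -> list:
    """(user, destination, findings) for every vendor session with findings."""
    out = []
    for rec in parse(log):
        findings = findings_for(rec)
        if findings:
            out.append((rec["user"], rec["dst"], findings))
    return out


if __name__ == "__main__":
    for user, dst, findings in review(SAMPLE_LOG):
        print(f"{user} -> {dst}: {', '.join(findings)}")
```

A session that never appears in such a log at all is the "insufficient logging" case and cannot be caught by this script; that gap is closed by forcing every third-party route through the jump server so that the log is complete by construction.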
🔁 TPRM and relevant standards
| Standard | Relevance to TPRM |
|---|---|
| ISO 27001 & 27036 | Guidelines for supplier security and chain management |
| IEC 62443-2-4 | Requirements for integrators and maintenance parties in industrial environments |
| NIS2 | Mandates supplier assessment in vital sectors |
| ISAE 3402 | Objective audit of processes at external service providers |
📦 TPRM in IT vs. OT
| TPRM in IT | TPRM in OT |
|---|---|
| Cloud suppliers, SaaS services | PLC/SCADA integrators, installers, hardware vendors |
| Contractual security obligations | Physical access, firmware integrity |
| Continuous pen tests or audits | Periodic field audits or FATs/SATs |
| IAM and certificate management | Patch management, firmware policy, access via Jump Server |
In OT, third parties are often physically and digitally interwoven with critical processes – this requires extra strict oversight.
📌 In summary
Third Party Risk Management is crucial in OT for managing supplier risks. It is not only a matter of policy, but also of monitoring, technical access control and demonstrable duty of care.
