The Colonial Pipeline ransomware attack in 2021. The SolarWinds compromise that rippled through utilities and government operators across the United States and Europe. The compromise of Ukraine's power grid through a vendor-supplied remote access tool. Each of these incidents shares a common thread: a third party, operating with legitimate access to critical systems, became the vector through which a high-consequence disruption was delivered.
Critical infrastructure operators — energy utilities, transmission system operators, water and wastewater authorities, telecom carriers, and the companies that manage the industrial systems underpinning all of them — have always understood that vendor relationships carry risk. What has changed is the magnitude and speed of that risk, and the degree to which regulators across every major jurisdiction are now holding operators accountable for how they manage it.
This is not a theoretical problem. The International Energy Agency has documented that cyber incidents targeting energy infrastructure tripled between 2020 and 2025, with supply chain and third-party vectors accounting for an increasing proportion of initial access. Operational technology environments that were once air-gapped from the broader internet are now routinely accessed remotely by equipment vendors, managed service providers, and engineering contractors — all of whom represent live, persistent points of third-party exposure.
Building a third-party risk management programme that actually works in this environment requires thinking well beyond the information security questionnaire. This guide sets out the framework that critical infrastructure operators need — one built around the specific risk dynamics of their sector, the regulatory obligations they face, and the AI-driven intelligence capabilities that make meaningful oversight possible at operational scale.
Explore how AI-driven vendor intelligence gives risk teams in critical sectors the continuous monitoring and governance workflow they need — without building a separate team for each vendor relationship.
Explore End-to-End Governance →Why Third-Party Risk in Critical Infrastructure Is Structurally Different
Every organisation with a vendor portfolio faces third-party risk. But for critical infrastructure operators, three characteristics make that risk fundamentally different in nature — and demand a correspondingly different governance approach.
The Convergence of IT and Operational Technology
In most enterprise environments, a vendor breach produces data loss, operational disruption, and reputational damage. In a critical infrastructure context, the same breach can produce physical consequences: equipment failure, safety incidents, service interruption affecting hospitals and emergency services, or cascading effects across interconnected infrastructure systems. This is the direct consequence of IT/OT convergence — the progressive integration of information technology systems with the operational technology that controls physical processes.
As OT environments have become more connected — both internally and through the remote access requirements of vendors and service providers — the third-party attack surface has expanded dramatically. An HVAC maintenance contractor with remote access to a building management system that happens to be on the same network segment as an industrial control system is, in practice, a third-party risk in your OT environment. So is the vendor who pushes firmware updates to thousands of smart meters across your distribution network.
Ecosystem Concentration and Cascading Failure
Critical infrastructure sectors are characterised by high vendor concentration — a relatively small number of OT equipment suppliers and software platforms serve a large proportion of the global installed base. This creates systemic risk that is qualitatively different from concentration risk in other sectors. When a widely-deployed ICS platform contains a critical vulnerability, the remediation challenge is not just your problem; it is simultaneously a problem for every utility operating the same equipment. When a shared managed service provider is compromised, the incident can affect multiple operators across the same national grid simultaneously.
This concentration also limits the practical exit options available when a vendor relationship becomes untenable. Unlike a SaaS subscription that can be cancelled and migrated within weeks, replacing a SCADA platform embedded across dozens of substations over a decade is a multi-year capital programme. Third-party risk programmes in critical infrastructure must account for this lock-in reality in both their assessment methodologies and their contingency planning.
Geopolitical Exposure and Hardware Provenance
In most sectors, vendor risk assessments focus primarily on financial stability, data security, and operational resilience. In critical infrastructure, hardware provenance — where equipment is manufactured, who owns the vendor, and what access to the supply chain foreign state actors may have — is itself a material risk dimension. Multiple governments have issued guidance or imposed restrictions on specific vendors supplying critical infrastructure on national security grounds. Any TPRM framework operating in this sector must include a structured approach to assessing the geopolitical risk profile of the vendor ecosystem, particularly for OT equipment with long deployment lifespans and embedded connectivity.
The Highest-Risk Third-Party Vendor Categories in Energy, Utilities, and Telecom
Not all vendor relationships in critical infrastructure carry the same risk profile. A coherent TPRM programme begins with an honest assessment of which vendor categories represent material exposure — and applies diligence effort accordingly.
OT and ICS Equipment Vendors
Suppliers of industrial control systems, SCADA platforms, distributed control systems (DCS), programmable logic controllers (PLCs), and remote terminal units (RTUs) sit at the highest risk tier. These vendors frequently require persistent remote access for maintenance, diagnostics, and software updates — and their products often have multi-decade operational lifespans, meaning vulnerabilities may persist long after vendor support has ended. Hardware provenance, firmware integrity, and vulnerability disclosure practices are the critical assessment dimensions here.
Managed Service Providers and Remote Access Suppliers
MSPs providing IT/OT support, network operations centre (NOC) services, or field maintenance coordination hold some of the most privileged access in the vendor ecosystem — and are a primary adversarial target precisely because compromising an MSP provides simultaneous access to multiple downstream operators. The 2021 Kaseya incident, in which a ransomware attack on a single MSP affected thousands of downstream clients globally, illustrates this vector vividly. Access governance, privileged access management controls, and incident response capability at MSPs warrant proportionate scrutiny.
Engineering, Procurement, and Construction Contractors
Major capital projects — transmission line upgrades, generation asset construction, network rollouts — involve large EPC contractors and their subcontractor chains who require temporary but deep access to plant systems and sensitive project data. The cybersecurity posture of engineering contractors is rarely at enterprise grade, and the complex subcontracting structures typical in large infrastructure projects make fourth-party risk particularly difficult to manage. Project completion dates add time pressure that can erode vendor due diligence discipline.
Cloud and SaaS Platform Providers
Energy and utility operators have accelerated cloud adoption for grid management analytics, customer information systems (CIS), asset performance management, and outage management. Each SaaS platform represents a data exposure risk; cloud providers hosting operational analytics or grid topology data represent a higher-consequence variant. Sub-processor chains — the third parties your cloud vendor relies upon — extend the exposure further, often invisibly. GDPR, CCPA, and sector-specific data localisation requirements add a regulatory compliance dimension that must be managed alongside the operational risk.
Telecommunications and Connectivity Providers
For distributed infrastructure operators — electricity distribution networks, pipeline monitoring systems, water treatment facilities across a region — telecommunications vendors providing MPLS, fibre, private LTE, and satellite connectivity are embedded directly in operational resilience. A telecommunications outage affecting supervisory control communications is operationally equivalent to a system failure. Yet telco vendors are frequently managed as commodity suppliers rather than material risk relationships. Given that multiple telecoms providers globally have disclosed significant security incidents in recent years, this is a category that warrants systematic re-evaluation in most risk programmes.
The Regulatory Landscape: What Critical Infrastructure Operators Must Now Demonstrate
Third-party risk governance in critical infrastructure has moved from a best-practice recommendation to a regulatory obligation across every major jurisdiction. Understanding what regulators are specifically requiring — and the consequences of non-compliance — is essential for programme design.
Europe: NIS2 and DORA
The NIS2 Directive, effective across EU member states from October 2024, represents the most comprehensive critical infrastructure cybersecurity regulation in the world. For essential entity operators — including energy, transport, water, digital infrastructure, and health — NIS2 mandates explicit supply chain risk management requirements: vendors and service providers to critical systems must be assessed for their own security practices, contractual security obligations must be enforceable, and operators must be able to demonstrate ongoing vendor monitoring rather than point-in-time assessment. Enforcement powers under NIS2 include fines of up to €10 million or 2% of global annual turnover for essential entities, with member state regulators able to impose temporary bans on management functions in serious cases.
The EU's Digital Operational Resilience Act (DORA), applying to financial market infrastructure including payment systems, central counterparties, and trading venues, imposes similarly detailed third-party risk requirements — ICT vendor registers, mandatory contractual provisions, concentration risk assessments, and regulatory oversight of critical ICT third parties. Where critical infrastructure intersects with financial infrastructure — as it does in electricity market operations, pipeline tariff regulation, and telecommunications wholesale — DORA obligations may apply in addition to sector-specific requirements.
North America: NERC CIP and CISA
In North America, the North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) standards — particularly CIP-013 on supply chain risk management — impose specific obligations on bulk electric system operators to develop, implement, and maintain supply chain risk management plans. These plans must address: software integrity and authenticity, vendor remote access security, vendor communications and notification processes, and the transition from existing vendor relationships that cannot meet CIP-013 requirements. NERC audits of compliance with CIP-013 have increased in frequency and rigour since the standard's implementation.
CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) include third-party monitoring provisions that are increasingly referenced in federal contracting requirements and enforcement guidance for critical infrastructure operators receiving federal support or operating regulated assets. CISA's supply chain risk management guidance documents, developed in collaboration with sector-specific agencies, provide detailed implementation frameworks that inform both regulatory expectations and industry best practice.
Asia-Pacific and Emerging Markets
Regulatory convergence on critical infrastructure third-party risk is a global phenomenon. Australia's Security of Critical Infrastructure Act and its accompanying rules establish a recognised risk management programme obligation for designated critical infrastructure assets, with sector-specific standards that include supply chain and third-party requirements. Singapore's MAS Technology Risk Management Guidelines impose detailed third-party risk obligations on financial institutions operating critical payment infrastructure. India's CERT-In has published guidelines addressing third-party and supply chain risk for critical information infrastructure operators. Across these jurisdictions, the common theme is consistent: operators can no longer treat vendor risk as a procurement function; it is a regulated governance obligation.
A TPRM Framework Built for Critical Infrastructure Operators
A generic TPRM framework — one designed primarily for financial services or technology companies — will not serve critical infrastructure operators adequately. The framework needs to account for OT-specific risk dimensions, the long lifecycle of infrastructure assets, the concentration dynamics of the vendor market, and the geopolitical risk factors that are unique to this sector.
1. Risk-Tiered Vendor Classification
Classification must be driven by operational impact and access type, not contract value. A small OT maintenance firm with direct access to SCADA systems warrants Tier 1 treatment; a large professional services firm providing HR consulting warrants Tier 3. The classification criteria should explicitly address: network access type (IT-only, OT-adjacent, OT-direct), data sensitivity classification, operational criticality (what happens if this vendor fails or is compromised?), geographic and geopolitical exposure, and the duration and depth of the relationship.
This classification drives the due diligence pathway, the monitoring intensity, the contractual provisions required, and the access governance controls that apply. Critically, it should also drive exit planning — Tier 1 vendors require tested contingency plans; Tier 3 vendors can rely on market alternatives.
2. OT-Specific Due Diligence
Standard information security questionnaires — however well-structured for IT environments — miss the dimensions that matter most for OT vendors. A comprehensive OT vendor due diligence framework should incorporate:
- IEC 62443 alignment: the international standard for industrial cybersecurity provides a structured assessment framework for OT vendors, covering security management, product security, and system integration practices.
- Firmware and software integrity controls: how does the vendor ensure the integrity of firmware and software updates distributed to field equipment? What signing and verification mechanisms are in place?
- Remote access governance: what are the vendor's access management practices for remote connections to customer OT environments? Are connections session-specific and time-limited, or persistent? Who at the vendor holds privileged access credentials?
- Hardware provenance documentation: where is equipment manufactured? What is the ownership structure of the vendor and its component suppliers? Are there components sourced from jurisdictions that present geopolitical risk?
- Vulnerability disclosure and patch cadence: what is the vendor's published vulnerability disclosure policy? What is the typical time from vulnerability identification to patch release? What is the process for emergency patch distribution for safety-critical vulnerabilities?
- Incident response in OT contexts: does the vendor have documented and tested incident response procedures specifically for OT environments? Do they have the capability to support an operator's incident response during a crisis affecting their products?
3. Contractual Protections Aligned to Sector Risk
Vendor contracts in critical infrastructure must go beyond standard commercial terms. Risk-aligned contracts should address: security incident notification timelines (often regulatorily mandated — NIS2 requires initial notification within 24 hours, detailed reporting within 72 hours); audit rights covering both IT and OT systems; sub-contractor disclosure and approval obligations; hardware and software end-of-life obligations; access termination procedures on contract end; data handling and sovereignty requirements; and specific performance obligations around vulnerability remediation timelines. Where NIS2 or NERC CIP obligations apply, the contract should explicitly incorporate the operator's regulatory requirements and make vendor compliance with those requirements a contractual obligation.
4. Continuous Monitoring Across the Vendor Lifecycle
Point-in-time assessments — however thorough — capture a snapshot that is immediately out of date in fast-moving threat environments. For critical infrastructure operators, whose vendor relationships often span decades, the monitoring programme is at least as important as the initial due diligence. Continuous monitoring should cover: financial health and distress signals; adverse media coverage including security incidents, regulatory actions, and geopolitical developments; published vulnerability disclosures in products deployed across the operator's estate; sanctions and export control developments relevant to vendor entities and their key personnel; and changes in vendor ownership, leadership, or corporate structure that may affect risk posture.
Crest.Digital's vendor intelligence platform is built for organisations that cannot afford to discover a material vendor risk event after the fact. See how continuous monitoring and agentic AI workflows change the risk equation for critical infrastructure operators.
How Agentic AI Is Transforming TPRM for Critical Infrastructure
The scale of the vendor monitoring challenge in critical infrastructure is genuinely daunting. An electricity distribution operator may have hundreds of active vendor relationships spanning OT equipment suppliers, network contractors, cloud platforms, telecoms providers, consultants, and engineering firms — each of which needs to be actively monitored across multiple risk dimensions, continuously, for the duration of the relationship. Doing this manually is not operationally viable at the vendor count that most operators actually manage.
Agentic AI — AI systems that operate with a degree of autonomy to complete defined tasks, make contextual decisions, and initiate follow-on actions without requiring human direction at every step — changes this equation fundamentally. In a TPRM context, agentic AI workflows can:
- Monitor vendor risk signals continuously: AI agents ingest news feeds, financial databases, regulatory action records, vulnerability disclosure registries, and sanctions lists in real time — maintaining a live risk signal for each vendor in the portfolio without manual analyst effort between review cycles.
- Triage and prioritise alerts autonomously: rather than delivering raw signal volumes to risk teams, AI systems assess the materiality of each signal relative to the specific vendor relationship — filtering noise and surfacing only the events that warrant human attention.
- Initiate and track remediation workflows: when a risk finding requires a vendor response — a security patch deployment, a policy update, an audit right exercise — AI agents can initiate the remediation workflow, track vendor progress, send escalating follow-ups, and flag overdue or unsatisfactory responses to human risk owners. This autonomous remediation tracking is particularly valuable for operators managing hundreds of concurrent vendor relationships.
- Manage questionnaire operations at scale: AI-driven questionnaire platforms dispatch, track, and validate vendor assessments autonomously — following up on missing responses, flagging inconsistencies, and surfacing responses that require human review, without consuming risk team capacity on administrative coordination.
- Maintain vendor risk scores dynamically: rather than static annual scoring, AI systems update vendor risk scores continuously as monitoring signals arrive — ensuring that risk prioritisation reflects current vendor posture rather than a point-in-time snapshot that may be twelve months out of date.
The human-in-the-loop governance principle remains essential in this model. Agentic AI handles the volume, velocity, and routine decision-making that would otherwise consume risk team capacity; human risk professionals direct programme strategy, make consequential governance decisions, and manage the exceptions that AI systems escalate. The result is a TPRM operation that achieves genuine, continuous oversight at a scale that manual processes cannot deliver — without proportionally scaling headcount.
For critical infrastructure operators specifically, this matters because the consequence of a missed risk signal is not a regulatory fine or a reputational issue — it may be a grid disruption, a service outage, or a safety incident. The monitoring capability that agentic AI provides is not an efficiency gain; in high-consequence sectors, it is a governance necessity.
Building a TPRM Programme That Meets the Regulatory Bar — and Goes Beyond It
Regulatory compliance is the floor, not the ceiling, of an effective TPRM programme in critical infrastructure. Operators who build their programmes around minimum compliance obligations tend to discover that minimum compliance does not prevent incidents — it only determines the scale of the penalty that follows one. The organisations that genuinely manage third-party risk as a governance discipline consistently outperform on both resilience and regulatory standing.
Programme Design Principles for Critical Infrastructure Operators
OT and IT Risk Governance Must Be Integrated, Not Siloed
The most persistent TPRM failure mode in critical infrastructure is the organisational separation between IT security governance — which manages vendors through conventional procurement and information security frameworks — and OT asset management, which has historically managed vendor relationships through engineering and maintenance functions without structured risk oversight. Bridging this gap, with a unified vendor risk framework that applies consistently across both IT and OT vendor populations, is the foundational programme design requirement.
Regulatory Mapping Must Be Embedded in the Programme, Not Bolted On
Operators subject to NIS2, NERC CIP, or sector-specific requirements should design their TPRM programme so that compliance evidence is generated as a natural by-product of routine risk management activity — not assembled retrospectively before an audit. This means the programme's documentation, vendor registry, assessment records, and monitoring logs should be structured to directly satisfy regulatory information requests without additional reporting overhead.
Incident Response Integration Is Non-Negotiable
A TPRM programme that identifies a vendor risk signal but cannot rapidly connect that signal to the operator's incident response process has created the illusion of oversight rather than its substance. For critical infrastructure operators, vendor risk intelligence must feed directly into operational incident response: a critical vulnerability in a deployed OT product should trigger a defined response workflow — not sit in a risk register awaiting the next governance committee meeting.
Exit and Contingency Planning Is a Programme Component, Not an Afterthought
For Tier 1 vendors — particularly those supplying OT equipment or services where exit is operationally complex — the programme must maintain current, tested contingency plans. This includes pre-qualifying alternative vendors before they are needed, maintaining spare equipment inventories for critical components, archiving firmware and software versions sufficient to sustain operations through a vendor disruption, and testing transition procedures at intervals appropriate to the vendor's criticality.
Technology Investment in Vendor Intelligence Platforms Delivers Measurable Returns
For operators managing vendor portfolios of hundreds of relationships across IT and OT domains, the cost of building and maintaining a world-class TPRM programme manually is prohibitive. AI-driven vendor intelligence platforms — providing automated monitoring, risk scoring, questionnaire management, and agentic remediation workflows — deliver both the governance quality and the operational efficiency that the environment demands. The business case for platform investment in this context is straightforward: the alternative is either significant analyst headcount growth or accepting a monitoring gap that regulators and adversaries will both eventually exploit.
Executive Takeaways: TPRM for Critical Infrastructure
- Critical infrastructure third-party risk is categorically different in consequence from conventional enterprise vendor risk — a breach via an OT vendor can produce physical, safety, and societal impacts that data breaches in other sectors do not.
- IT/OT convergence has eliminated the assumption that operational technology environments are protected from third-party risk by air gaps or operational segmentation. Remote access requirements for OT vendors have created live, persistent exposure pathways.
- Regulatory obligations — NIS2 in Europe, NERC CIP in North America, CISA guidance, and parallel frameworks in Asia-Pacific — now impose specific third-party risk management requirements with meaningful enforcement consequences for critical infrastructure operators.
- Vendor concentration in OT markets means that a single vendor compromise or failure can affect multiple operators simultaneously, creating systemic risk that individual operator programmes cannot fully control — but can significantly mitigate through good intelligence and contingency planning.
- Agentic AI workflows make continuous monitoring operationally viable at the vendor portfolio scale that critical infrastructure operators actually manage — moving from annual snapshots to real-time risk intelligence without proportionate headcount growth.
- Programme design must integrate OT and IT vendor governance, embed regulatory compliance evidence into routine risk management activities, and maintain tested contingency plans for Tier 1 vendors where exit is operationally complex.
Frequently Asked Questions
Critical infrastructure operators — energy utilities, transmission system operators, water authorities, and telecom providers — face a third-party risk environment that differs fundamentally from other enterprise sectors. First, the convergence of IT and operational technology (OT) networks has dramatically expanded the third-party attack surface: vendors who service industrial control systems, SCADA platforms, remote access tooling, and IoT devices now represent direct pathways into systems where a breach or disruption can have physical, safety, and societal consequences far beyond a data compromise. Second, vendor ecosystems in these sectors are often highly specialised and concentrated — a small number of providers supply the same equipment or software to multiple competing operators, meaning a single vendor failure or compromise can affect national-scale infrastructure simultaneously. Third, regulatory obligations are intensifying across jurisdictions: NIS2 in Europe, NERC CIP in North America's power sector, the UK's Critical National Infrastructure (CNI) framework, and CISA's guidance in the United States all impose explicit third-party risk obligations that carry significant enforcement consequences. Managing this environment with traditional, annual-cycle TPRM approaches is no longer operationally viable.
For energy and utility operators, the vendor categories that pose the most material third-party risk are: OT and ICS vendors supplying industrial control systems, SCADA software, and remote monitoring platforms who often require persistent network access; managed service providers who hold privileged access to critical systems and represent a primary adversarial target; engineering and construction contractors who require temporary but deep access to plant networks during capital projects; cloud and SaaS vendors handling operational analytics or customer systems; and telecommunications providers whose connectivity services are embedded directly in operational resilience. Each category requires a different due diligence approach and a different set of contractual protections — a single-template questionnaire approach will systematically under-assess the highest-risk relationships.
Regulatory obligations for third-party risk management in critical infrastructure are expanding across major jurisdictions. In Europe, the NIS2 Directive (effective October 2024) explicitly requires operators of essential services to implement supply chain risk management measures with penalties up to €10M or 2% of global annual turnover. The EU's DORA regulation imposes similar requirements on financial market infrastructure. In the United States, NERC CIP-013 mandates supply chain risk management plans for bulk electric system operators, while CISA's Cross-Sector Cybersecurity Performance Goals include third-party monitoring provisions. In the UK, the NCSC's Cyber Assessment Framework and the CNI resilience programme impose third-party oversight requirements on regulated operators. Across Asia-Pacific, regulators in Singapore (MAS TRM Guidelines), Australia (Security of Critical Infrastructure Act), and India (CERT-In guidelines) have all tightened third-party risk obligations for critical sector operators in recent years. The common direction is clear: third-party risk governance is now a regulatory obligation, not an optional best practice.
For critical infrastructure operators, the stakes of a delayed risk signal are categorically higher than in most enterprise sectors. AI-driven continuous monitoring addresses this by maintaining real-time awareness across multiple risk dimensions — financial health, adverse media, regulatory actions, cybersecurity incident disclosures, and geopolitical developments — for every material vendor in the portfolio, without requiring manual analyst effort between formal review cycles. In practice, this means that if an OT vendor announces a critical vulnerability in a product deployed across the operator's substations, an AI monitoring platform surfaces the alert and initiates an autonomous response workflow within hours — not weeks. Agentic AI workflows extend this further: autonomous agents can initiate vendor contact, request remediation timelines, track patch deployment progress, and escalate to human risk owners when responses are unsatisfactory or overdue. This is particularly valuable for critical infrastructure operators managing vendor portfolios of hundreds of contractors and service providers across geographically dispersed assets, where the operational cost of manual monitoring at scale is prohibitive.
An effective TPRM framework for critical infrastructure operators should be built around five core components. First, risk-tiered vendor classification driven by operational impact and OT access type — not contract value. Second, sector-specific due diligence incorporating IEC 62443 alignment checks, firmware and software integrity verification, hardware provenance assessment, and remote access governance reviews. Third, continuous monitoring with AI-driven alerting covering financial health, adverse media, vulnerability disclosures, sanctions exposure, and geopolitical developments. Fourth, regulatory alignment mapping so that compliance evidence for NIS2, NERC CIP, and applicable local frameworks is produced as a by-product of routine risk management rather than as a separate reporting burden. Fifth, tested exit and contingency plans for Tier 1 vendors — particularly OT equipment suppliers where exit involves complex asset dependencies — with pre-qualified alternative providers and maintained spare component inventories. Without tested contingency plans, even a highly sophisticated monitoring programme cannot prevent a vendor disruption from becoming an operational crisis.