Global manufacturing group locks down 3rd-party OT access — without breaking maintenance windows
Customer: Fortune 500 industrial manufacturer
Sector: Manufacturing / OT
Scale: 60,000+ employees · 40+ production plants · 200+ active vendor relationships
Region: Global · HQ in Western Europe, plants across NA / LATAM / EMEA / APAC
The Challenge
The group ran maintenance and equipment-vendor access through a constellation of jump boxes, vendor-specific VPN tunnels, and ad-hoc "send a temporary password" workflows. After a supply-chain incident traced to a compromised vendor account in 2023, the security team got a board mandate to bring all vendor access into a centrally-controlled, recorded, time-bounded model — without disrupting the production maintenance windows that ran 24×7 across timezones. The complication: many vendors used proprietary engineering software with unusual protocols, some plants ran on air-gapped networks, and the security team had no leverage to mandate vendor-side software installation.
The Approach
Phase 1 — Vendor inventory + risk tiering (4 weeks)
200+ vendors classified by access scope, sensitivity, and operational urgency. Tier-1 vendors (PLC programming, robotics maintenance, ERP support) prioritized for the first migration wave. Tier-3 vendors (printer toner, vending machine resupply) deprioritized.
Phase 2 — Agentless gateway deployment per region (6 weeks)
DataDike HA pairs deployed in 4 regional hubs (US-East, EU-Central, BR-São Paulo, APAC-Singapore) to minimize latency for vendor sessions. Network design routed vendor traffic through the regional gateway, never the corporate VPN. Air-gapped plants got a local DataDike instance with one-way audit forwarding.
Phase 3 — Vendor onboarding workflow (8 weeks)
Self-service vendor portal: the vendor requests access, the plant maintenance manager approves with a justification and a duration, and the session opens in a browser with no software install required on the vendor side. The vendor's proprietary engineering software runs inside an isolated browser session on the gateway, never on the vendor laptop. Recording captures everything.
Phase 4 — Cut vendor VPN access (4 weeks)
Vendor-specific VPN tunnels decommissioned in waves once equivalent gateway-mediated access was validated for each vendor. Some legacy vendors required protocol-specific work (one PLC vendor used a non-standard variant of a legacy industrial protocol; we built a custom proxy).
The Outcome
200+: Vendor accesses brought into recorded, time-bounded sessions
0: Vendor-side software installations required
47: Standing VPN tunnels eliminated
100%: Of vendor sessions now recorded with command + screen + file-transfer audit
< 4 hours: Average vendor request → approved → session-open turnaround (down from days)
12 weeks: Total program duration from kickoff to last vendor migration
“The security audit framing changed completely. Before, we tracked vendor access by counting active VPN tunnels and hoping. Now every vendor session has an owner, a duration, an approver, a recording, and an artifact in the audit trail. The board question moved from "are we exposed?" to "what does the activity look like?" — that is a different conversation.”
— VP of Industrial Cybersecurity, Fortune 500 manufacturer