Back to Resources

Taking Back the Keys: Why Self-Custody Will Define Critical Infrastructure Security in 2026

For more than a decade, vendor remote access has been treated as a practical necessity. But as we move toward 2026, the strategy of Critical Infrastructure Self-Custody has shifted from a preference to a mandate.

The Hidden Risk in Vendor Access Models

In many operational environments, vendor access has grown organically. From turbine suppliers to building management contractors, unmanaged access paths create a web of risk that sits outside the asset owner’s direct visibility.

This isn’t about malicious intent; it’s about governance. When credentials exist beyond central identity systems, activity occurs in the shadows. This is why a Critical Infrastructure Self-Custody model is the only way to ensure long-term resilience.

SOCI Compliance and Asset Accountability

Regulatory frameworks, including Australia’s SOCI obligations, now place explicit accountability on asset owners. “We trusted the vendor” is no longer a defensible legal position. If a third party accesses your operational systems, you must be able to prove who, when, and what was done without relying on that vendor’s logs.

The 4 Pillars of a Self-Custody Access Model

A true self-custody approach requires four foundational shifts in how OT access is governed:

  • Brokerage Control: All remote access is brokered through enterprise-controlled portals rather than vendor-owned VPNs.
  • Centralised Identity: Authentication is managed via the asset owner’s internal systems (MFA/SSO).
  • Time-Bound Permissions: Access is role-based and automatically revoked after the maintenance window closes.
  • Sovereign Logging: All activity logs are retained in the asset owner’s environment for audit and incident response.

Secure Access as Boardroom Governance

Identity-aware access is no longer “IT plumbing.” It is a foundational control discussed alongside safety systems and redundancy. Boards in 2026 are moving from trusting a vendor’s access model to governing it themselves.

How to Implement Critical Infrastructure Self-Custody

Transitioning to a self-custody model doesn’t happen overnight. It requires a tiered approach to reclaiming the “keys” to your environment:

Step 1: The Access Audit. Most organisations are surprised by the number of active “backdoor” connections. Identifying every persistent VPN and legacy credential is the first step toward sovereignty.

Step 2: Unified Access Gateways. Replace fragmented vendor connections with a single, hardened entry point. This provides a “single pane of glass” for all third-party activity.

Step 3: Just-in-Time (JIT) Provisioning. Move away from “always-on” access. By implementing JIT, access is only granted when a specific work order is active, significantly reducing the attack surface.

“Trusting a vendor is fine. Trusting their access model is no longer acceptable.”

If you are ready to re-evaluate your vendor access strategy, reach out to our critical infrastructure experts for a consultation.