Remote Access

June 17, 2026

Third-party access at utilities: connecting external partners in a KRITIS-compliant way

External service providers maintain the network control technology and IT of municipal utilities remotely, one of the biggest attack surfaces in the KRITIS environment. Here is what NIS-2 and the IT Security Catalogue under § 11 EnWG require, and how to make third-party access secure and verifiable.

Jan Zeppernick - Amitego CEO


Introduction

Municipal utilities operate critical infrastructure: electricity, gas, water, heat and, increasingly, telecommunications. The network control technology and the IT systems behind it, however, are rarely run entirely in house. Control technology manufacturers, system integrators and IT service providers maintain them remotely on a regular basis. This very third-party access is one of the largest and most poorly controlled attack surfaces in the KRITIS environment.

This article explains why third-party access at municipal utilities is both a regulatory and a security problem, which concrete obligations follow from NIS-2 and the IT Security Catalogue under § 11 EnWG, and how external partners can be connected in a controlled, time-limited and verifiable way without slowing down operations.

Key Takeaways

  • Through energy law (EnWG) and NIS-2, municipal utilities are among the most heavily regulated operators of critical infrastructure, often even below the classic KRITIS thresholds of the BSI-KritisV
  • External service providers, whether for remote maintenance of network control technology, IT outsourcing, or SCADA and smart-metering manufacturers, are one of the most common points of entry. Around 29 % of companies in Germany have already been affected by supply chain attacks
  • NIS-2 (§ 30 BSIG) explicitly requires security across the supply chain and in dealings with service providers. The IT Security Catalogue under § 11 (1a) and (1b) EnWG calls for a certified ISMS in line with ISO/IEC 27001 and ISO/IEC 27019
  • Shared VPNs, shared admin accounts and permanently open remote maintenance access are neither state of the art nor audit-proof
  • Least privilege, just-in-time access and complete session recording close the gap, both technically and for the purpose of proof toward authorities and auditors
  • VISULOX connects external service providers through a central gateway, agentless, without a VPN, audit-proof and live in under two days

Why third-party access is a KRITIS problem for municipal utilities

Municipal utilities run a heterogeneous landscape of classic IT (billing, ERP, customer portals) and operational technology (OT): network control technology, SCADA systems, telecontrol technology and smart-metering infrastructure. Few utilities keep their own staff on hand for all of these specialized systems. Maintenance is handled by manufacturers, system integrators and IT service providers, almost always via remote access.

This creates a structural risk that differs from that of a typical company. A compromised service provider account here does not just lead to data leakage but potentially straight into the control of the electricity or gas supply. Typical weak points include:

  • Remote maintenance of OT: control technology and SCADA manufacturers need access to systems that control the grid. A hijacked maintenance account is a direct route into operational technology.
  • Shared accounts and shared credentials: one VPN account for an entire service provider team, one shared admin password, with no link to the individual person taking action.
  • Lack of traceability: who did what, when and on which system? Without session recording, that question cannot be answered, and so it cannot be audited.
  • Permanently open access: remote maintenance access often stays active for months or years, long after a project or contract has ended.

The threat landscape: the attack comes through the partner

Attackers have realized that the route via the service provider is more efficient than a frontal assault. A single compromised maintenance account can open access to many utilities at once if the same service provider supports several of them. The energy sector is disproportionately affected: the number of cyberattacks on the energy and utilities sector has more than doubled within two years, and the sector reports many times the OT/ICS incidents of other industries.

"Around 29 % of companies in Germany have already been affected by supply chain attacks, with consequences ranging from operational outages to reputational and financial damage." — Kaspersky, supply chain security study

For municipal utilities, this means that their own security is only as strong as the control they have over their service providers' access.

What NIS-2 requires of municipal utilities

With the NIS-2 implementation act, the energy sector is comprehensively regulated. As a rule, municipal utilities fall under it as important or essential entities, regardless of whether they exceed the classic KRITIS thresholds of the BSI-KritisV. Even mid-sized utilities with around 50 employees and 10 million euros in revenue are covered.

Three points are central to third-party access:

  • Risk management including the supply chain (§ 30 BSIG): affected entities must implement appropriate technical and organizational measures, expressly including the security of the supply chain as well as the acquisition, development and maintenance of IT systems. Third-party access falls squarely within this.
  • Reporting obligations (§ 32 BSIG): significant security incidents must be reported to the BSI within tight deadlines, an initial report within 24 hours, a follow-up report within 72 hours and a final report within one month. Without complete logging of third-party access, an incident can neither be reconstructed nor reported on time.
  • Responsibility and liability of management: management must approve and monitor the measures and is liable for violations. Fines of up to 10 million euros or 2 % of global annual revenue may apply.

More on the regulatory framework: NIS-2: what the new EU directive means for your company and the NIS-2 checklist for mid-sized businesses.

The IT Security Catalogue under § 11 EnWG

The energy sector is additionally regulated on a sector-specific basis. Through § 11 (1a) EnWG (network operators) and § 11 (1b) EnWG (operators of energy facilities classified as KRITIS), the Federal Network Agency obliges operators to build and certify an information security management system (ISMS) in line with ISO/IEC 27001 and the industry-specific ISO/IEC 27019.

Among other things, the IT Security Catalogue requires controlled access management, documented authorizations and traceability of all access, including that of external service providers. In concrete terms, this means that third-party access must be limited to what is necessary (least privilege), clearly assigned to an individual and documented in an audit-proof way.

The threshold question of the BSI-KritisV, around 3,700 GWh per year in the electricity sector or roughly 500,000 people supplied, becomes less relevant in this context: through NIS-2, utilities below these thresholds are also obligated.

Why VPN and jump hosts alone are not enough

Many municipal utilities still connect service providers through classic VPN access or jump hosts. Neither solves the problem:

  • VPN grants network access rather than system access: a VPN tunnel opens the way into the network, not just to the system being maintained. If an attacker moves laterally from there, the damage is hard to contain.
  • Jump hosts without session control are a blind spot: without recording, it remains unclear what actually happened on the target system.
  • Shared accounts break verifiability: a shared service provider account makes it impossible to attribute actions to a specific person, a direct conflict with NIS-2 and the IT Security Catalogue.

Related risks in detail: Securing RDP: best practices against remote desktop attacks.

How to secure third-party access in a KRITIS-compliant way

Secure third-party access rests on a few consistently applied principles:

  • Least privilege: the service provider is given access only to the systems needed for the specific task, not to the network. More on this: The principle of least privilege.
  • Just-in-time access: access exists only for the agreed maintenance window and is automatically revoked afterward. There are no permanent credentials that could be hijacked.
  • Unique identity instead of a shared account: each service provider employee is identified and authenticated individually. Every action can be attributed to a person.
  • Session recording and the four-eyes principle: every session is recorded in full. For particularly critical operations, access can be approved and monitored live.

VISULOX: controlling third-party access for municipal utilities

VISULOX is a decentralized remote PAM platform built precisely for this requirement. External service providers are connected to the systems of municipal utilities in a controlled, time-limited and verifiable way:

  • A central gateway instead of a VPN: service providers connect exclusively through the VISULOX gateway. No direct system access, no exposed RDP port, no permanent VPN credentials.
  • Just-in-time and least privilege: access only to the system required, only for the approved maintenance window, with a personalized identity instead of a shared account.
  • Audit-proof logging: every access action is recorded completely, as proof for the IT Security Catalogue under § 11 EnWG and for the reporting obligations under NIS-2 (§ 32 BSIG).
  • Implementation in under two days: VISULOX is agentless and goes live within two working days without interfering with ongoing operations, even in legacy OT environments.

More on the topic: Securing third-party access: how to connect external service providers safely.

Checklist: securing third-party access in the KRITIS environment in 6 steps

  1. Create a service provider inventory: record which external partners access which systems, by what route and with which rights. An incomplete inventory is the most common point of entry.
  2. Eliminate shared accounts: replace shared accounts and shared VPN access with personalized, clearly attributable identities.
  3. Enforce least privilege at the system level: grant access only to the systems actually needed, with no blanket network access.
  4. Introduce just-in-time access: tie access to defined maintenance windows and revoke it automatically afterward.
  5. Enable session recording: record every service provider session in full, for forensics, incident response and audit.
  6. Secure contracts and evidence: anchor security requirements in contracts and keep access documentation audit-proof, for NIS-2 and the IT Security Catalogue.
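As an added illustration of the principles above and of checklist steps 1 to 5 (example code written for this article, not part of the original post and not VISULOX code): a small access-decision routine that grants a request only when the identity is a personal, inventoried one, an approved maintenance window is currently active, and the target system lies within that window's scope, and that writes every decision to an audit trail. The inventory, identities, system names and the maintenance window are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed service provider inventory (checklist step 1): personal identities only.
INVENTORY = {"scada-vendor": {"j.mueller@scada-vendor.example"}, "it-provider": {"k.weber@it-provider.example"}}
SHARED_ACCOUNTS = {"scada-vendor-admin", "vpn-it-provider"}   # constructed; to be eliminated (step 2)
AUDIT_LOG = []                                                  # audit-proof trail (steps 5 and 6)

@dataclass
class Window:                  # one approved maintenance window (steps 3 and 4)
    user: str                  # personal identity, never a shared account
    systems: frozenset         # systems in scope for this task, no network-wide access
    start: datetime
    end: datetime
    approved_by: str           # four-eyes principle: the internal approver

def evaluate(user, system, now, windows):
    """Decide one access request and record the decision, whatever the outcome."""
    rec = {"ts": now.isoformat(), "user": user, "system": system, "allowed": False}
    personal = any(user in ids for ids in INVENTORY.values())
    active = [w for w in windows if w.user == user and w.start <= now < w.end]
    scoped = [w for w in active if system in w.systems]
    if user in SHARED_ACCOUNTS or not personal:
        rec["reason"] = "not a personal, inventoried identity"
    elif not active:
        rec["reason"] = "no active maintenance window"
    elif not scoped:
        rec["reason"] = "system outside approved scope"
    else:
        rec.update(allowed=True, reason=f"window approved by {scoped[0].approved_by}")
    AUDIT_LOG.append(rec)
    return rec

def revoke_expired(windows, now):
    """Just-in-time: windows end automatically; nothing survives past the agreed time."""
    return [w for w in windows if w.end > now]

def demo():
    """Constructed scenario: a four-hour SCADA maintenance window on 2026-06-17."""
    t0 = datetime(2026, 6, 17, 8, 0, tzinfo=timezone.utc)
    w = Window("j.mueller@scada-vendor.example", frozenset({"scada-01"}),
               t0, t0 + timedelta(hours=4), approved_by="grid-ops-lead")
    windows = [w]
    return {
        "ok": evaluate(w.user, "scada-01", t0 + timedelta(hours=1), windows),
        "shared": evaluate("scada-vendor-admin", "scada-01", t0 + timedelta(hours=1), windows),
        "scope": evaluate(w.user, "billing-erp", t0 + timedelta(hours=1), windows),
        "expired": evaluate(w.user, "scada-01", t0 + timedelta(hours=5), windows),
        "remaining": len(revoke_expired(windows, t0 + timedelta(hours=5))),
    }
```

The denied cases are the ones an auditor asks about: a shared account, a system outside the agreed task and a request after the window has closed all leave a record of who tried what, when and on which system.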

Conclusion

Third-party access is indispensable for municipal utilities, as network control technology and IT cannot be run in house alone. The key question is therefore not whether external partners are granted access, but how controlled that access is. NIS-2 and the IT Security Catalogue under § 11 EnWG turn what was long considered best practice into a verifiable obligation, with personal responsibility for management.

The combination of least privilege, just-in-time access, unique identity and complete session recording reduces the attack surface to a minimum while at the same time delivering the required proof. VISULOX connects external service providers through a central gateway, without a VPN, audit-proof and live in under two days, with no interference in ongoing operations.


Jan has more than 12 years of consulting experience at PwC and Ernst & Young, focusing on information security and compliance for critical infrastructure and the automotive industry. As a certified ISO 27001 Lead Auditor and strategy expert, he advises organizations on building and auditing security management systems in line with ISO 27001 and TISAX.