Matchtech and InfoSec People have joined forces to tackle one of the most overlooked vulnerabilities in Transmission and Distribution: the security risk sitting inside your workforce. Together, we combine deep T&D recruitment expertise with specialist information security knowledge to help grid operators close the gap between hiring speed and vetting rigour. This article draws on that combined intelligence.
Right now, somewhere in your Transmission & Distribution (T&D) environment, a specialist contractor is working on a protection relay. Another is remoting into a SCADA platform. A third is carrying out substation automation work under a statement of work signed off by a project manager who left six months ago.
None of them were vetted to the standard applied to your permanent staff. None of their remote access arrangements were provisioned with the controls your security policy requires. And when their engagements end, there is no guarantee their access will be revoked.
This is the workforce stability problem in OT (Operational Technology) security. And it is not a future risk. It is present in every active engagement your organisation cannot account for today.
Rushed hiring is a security event.
From a security standpoint, a rapid hire who bypasses vetting is not just a staffing decision. It is an unassessed access event in an OT environment where third-party compromise is a primary attack vector (NCSC, 2024).
The problem is what gets skipped when hiring moves fast. Background checks that should take weeks get compressed into days. Security assessments of the supplying organisation never happen at all. Subcontractors are brought in under the lead firm’s contract without any visibility of who they are or what their security posture looks like.
The vetting gap nobody owns.
Most T&D organisations apply rigorous personnel security standards to their own staff. Pre-employment screening, right-to-work checks, security clearance where required. The insider threat framework is understood. The process is owned.
That same standard does not extend to the consultants, specialist engineers and Statement of Work (SOW)-based service providers who access the same OT environments. Not because the risk is lower. Because the governance question of who is responsible for third-party vetting in a services procurement context has never been clearly answered.
Procurement owns the commercial terms. Operations owns the delivery scope. Security is consulted occasionally, if at all. Nobody owns the security vetting of the people doing the work.
The result is a category of workforce that has physical and logical access to critical infrastructure, working under contracts that say nothing meaningful about the security standards they must meet.
What inadequate vetting looks like in practice.
The security risks in unmanaged SOW procurement are not abstract. They show up in specific, identifiable ways across T&D operations:
- Specialist engineers with no background check hold logical access to SCADA (Supervisory Control and Data Acquisition) platforms and protection systems for months at a time.
- Lead firms subcontract work to individuals whose identity and security posture are invisible to the commissioning organisation.
- Remote access credentials provisioned for commissioning work are never revoked when the engagement concludes.
- SOW contracts specify delivery milestones and payment terms but carry no security obligations, no incident notification requirements and no personnel change notification clause.
- Access granted under one programme persists silently into the next, because off-boarding is tied to HR processes that do not cover third-party contractors.
Each of these is a control failure. Collectively, they represent a security posture that is significantly weaker than the one your CAF (Cyber Assessment Framework) assessments or NIS (Network and Information Systems Regulations) compliance evidence might suggest.
The regulatory exposure is real.
The NIS Regulations place explicit obligations on operators of essential services to manage supply chain security risks (DSIT, 2018). The NCSC Cyber Assessment Framework includes supplier risk management criteria (NCSC, 2024). Ofgem's resilience expectations are clear about the need for third-party governance in OT environments (Ofgem, 2025).
If a post-incident investigation reveals that the access point used by a threat actor was a SOW provider engaged through a procurement arrangement that applied no security vetting, the governance failure belongs to the organisation. Not the supplier. The regulatory and reputational consequences of that position are not theoretical.
Structured screening is the fix. Governance is the mechanism.
The answer to workforce instability in OT security is not to slow down hiring. It is to build a governance framework that makes security screening non-negotiable at the point of engagement, regardless of programme pressure or timeline.
A well-structured MSP (Managed Service Programme) framework converts the third-party vetting question from an afterthought into a governed control. Every SOW provider is assessed before access is granted. Security obligations are contractually embedded in every engagement.
Sub-contractor visibility is required as a condition of appointment. Remote access is provisioned to defined standards. And off-boarding includes verified access revocation tied to engagement completion, not to a project manager's memory.
This is not compliance theatre. It is a security control applied to the workforce category that currently sits outside your control framework.
What a security-compliant MSP framework delivers.
For CISOs operating in T&D, a structured MSP framework provides:
- Pre-engagement security assessment of all SOW providers covering organisational security posture, supply chain depth and OT access history before any access to grid environments is approved.
- Contractual security obligations in every SOW agreement specifying vetting requirements, remote access standards, incident notification and personnel change notification.
- Governed remote access for OT-touching engagements, including MFA (Multi-Factor Authentication) requirements, session recording, access scoping and time-limited credential management.
- Sub-contractor visibility requirements extending security governance beyond the lead firm to every individual accessing OT environments under the arrangement.
- Systematic off-boarding integrated into SOW completion, ensuring no residual access persists beyond the end of an engagement.
- A consolidated, auditable trail of all third-party OT access supporting CAF (Cyber Assessment Framework) assessments, NIS (Network and Information Systems Regulations) compliance evidence and regulatory review.
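The off-boarding and time-limited-credential controls above are only verifiable if someone periodically reconciles live OT access against the SOW engagement register. The following is an added example of that reconciliation check, written for this article and not code from Matchtech, InfoSec People or any grid operator. The identities, system names and dates are constructed; the real inputs would be exports from the operator's OT identity store and SOW register. It flags the four failures listed earlier: access persisting past an engagement end date, credentials with no expiry, OT access without MFA, and identities with no engagement on record at all (the subcontractor visibility gap).

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample records for illustration only. In practice these would be
# exports from the OT access layer (grants) and the SOW register (engagements).


@dataclass(frozen=True)
class AccessGrant:
    subject: str                 # contractor identity as provisioned in the OT access layer
    system: str                  # e.g. SCADA jump host, protection-relay engineering workstation
    granted_on: date
    expires_on: Optional[date]   # None means the credential was never time-limited
    mfa_enforced: bool


@dataclass(frozen=True)
class Engagement:
    subject: str
    provider: str                # lead firm named on the SOW
    ends_on: date                # contractual end of the engagement


Finding = Tuple[str, str, str]   # (subject, system, finding text)


def review_third_party_access(grants: List[AccessGrant],
                              engagements: List[Engagement],
                              today: date) -> List[Finding]:
    """Reconcile live OT access grants against the SOW engagement register.

    Credentials that have already lapsed are ignored; every other grant is
    checked for residual access, missing expiry, missing MFA and for having no
    engagement on record at all.
    """
    ends_by_subject = {e.subject: e.ends_on for e in engagements}
    findings: List[Finding] = []
    for g in grants:
        # A credential that expired on its own is no longer live access.
        if g.expires_on is not None and g.expires_on < today:
            continue
        if g.subject not in ends_by_subject:
            # Nobody commissioned this identity: the subcontractor visibility gap.
            findings.append((g.subject, g.system, "no engagement on record"))
        elif ends_by_subject[g.subject] < today:
            # Engagement finished but off-boarding never revoked the access.
            findings.append((g.subject, g.system, "residual access after engagement end"))
        if g.expires_on is None:
            findings.append((g.subject, g.system, "credential not time-limited"))
        if not g.mfa_enforced:
            findings.append((g.subject, g.system, "MFA not enforced"))
    return findings


def run_sample() -> List[Finding]:
    """Run the check over constructed data; returns the findings list."""
    engagements = [
        Engagement("a.patel", "Firm A (constructed)", date(2025, 3, 31)),
        Engagement("j.smith", "Firm B (constructed)", date(2025, 12, 31)),
    ]
    grants = [
        # Commissioning access never revoked and never given an expiry.
        AccessGrant("a.patel", "scada-jump-01", date(2025, 1, 6), None, True),
        # Current engagement, time-limited, but MFA was not enforced.
        AccessGrant("j.smith", "relay-eng-ws-02", date(2025, 5, 1), date(2025, 12, 31), False),
        # Subcontractor brought in under the lead firm, absent from the register.
        AccessGrant("subcon-17", "substation-auto-gw", date(2025, 4, 14), None, True),
        # Old credential that already expired: not live access, so not reported.
        AccessGrant("m.okafor", "scada-jump-01", date(2024, 1, 8), date(2024, 6, 30), True),
    ]
    return review_third_party_access(grants, engagements, today=date(2025, 6, 1))


if __name__ == "__main__":
    for subject, system, finding in run_sample():
        print(f"{subject:12} {system:22} {finding}")
```

Run as a scheduled job, the output is the evidence trail the last bullet above refers to: each finding names a subject, a system and the specific control that failed, which is what a CAF assessor or incident reviewer will ask for.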
A defensible security posture starts with who you let in.
Workforce stability in OT security is not about headcount or retention. It is about knowing, with confidence, that every person with access to your grid infrastructure has been assessed, is operating under defined security obligations, and will have that access systematically removed when their engagement ends.
The gap between your permanent workforce security posture and the standard applied to your SOW providers is not an operational inconvenience. It is a security exposure with a governance remedy.
Matchtech and InfoSec People work together to build that remedy into your services procurement framework. The problem is real. The fix is structured. And the time to address it is before the next incident makes the gap visible.