Navigating cybersecurity risks in the manufacturing supply chain
The interconnected nature of global business is forcing manufacturers to adopt more robust frameworks to identify vulnerabilities and ensure the integrity of the components they rely on.
That is easier said than done, because manufacturing is anything but monolithic.

This is a complicated landscape featuring a sector spanning industries ranging from pharmaceuticals to chemical plants and automakers. Each has different levels of exposure and security priorities based on risk profiles, international operations and the type of goods produced.
High-hazard industries, for example, often invest more in cybersecurity to prevent catastrophic events, while smaller manufacturers may struggle to allocate sufficient resources until they experience a breach firsthand.
Regardless of size or specialty, one thing remains constant: manufacturers must defend against both direct attacks on their supply chains and those that exploit their networks as a conduit. Achieving this requires visibility, control and thorough risk assessments.
Manufacturers occupy a critical position within supply chains and face risks from both upstream and downstream stages. They are vulnerable to direct attacks that could disrupt their operations and halt production, as well as to the risk of embedding cyber exploits in their products, either intentionally or unknowingly, enabling attacks to propagate further along the supply chain. Supply chain attacks typically fall into two main categories: those that target the supply chain itself and those that infiltrate systems through compromised components.
Attacks on the supply chain target key suppliers or components to disrupt operations and delay the delivery of goods.
Attacks through the supply chain occur when compromised components, such as an infected chip, make their way into a manufacturer’s production line, embedding malware that can infect downstream systems or customers.
In both scenarios, attackers exploit vulnerabilities in third-party vendors, creating ripple effects that can impact not just a single company but entire industries. So, how can manufacturing organizations build resilience against this expanding web of threats?
Cyber acceptance testing
To strengthen their defenses, manufacturers must expand operational readiness to include security standards for products and services before deployment. While factory and site acceptance tests are standard, cybersecurity often receives less scrutiny.
Cyber acceptance testing (CAT) bridges this gap by identifying known and unknown vulnerabilities in components before integration. This includes malware scans for familiar threats, anomaly detection to flag suspicious behaviors such as unauthorized communications, and system integration tests to uncover vulnerabilities that arise only when components are combined. Known threats can be matched against signatures, but unknown exploits leave no signature to match, so detecting them depends on behavioral techniques such as anomaly detection.
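The "unauthorized communications" check above, as an added example that is not from the original article or from Black & Veatch: a component under acceptance test is given an allowlist of the peers its supplier documented, and any outbound connection outside that list is flagged. The component names, addresses and log lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed allowlist for the acceptance test: the peers each component is
# documented to talk to (hypothetical component names and addresses).
EXPECTED_PEERS = {
    "plc-42": {("10.10.5.20", 502), ("10.10.5.21", 502)},   # Modbus to two HMIs
    "gateway-7": {("10.10.9.2", 443)},                       # on-site update proxy
}

# Constructed connection log captured while the components ran on an isolated
# test network: <component> <destination ip> <port> <direction>.
SAMPLE_LOG = """\
plc-42 10.10.5.20 502 out
plc-42 10.10.5.21 502 out
plc-42 203.0.113.7 8443 out
gateway-7 10.10.9.2 443 out
gateway-7 198.51.100.9 53 out
plc-42 10.10.5.20 502 out
"""


def parse_log(text):
    """Yield (component, ip, port, direction) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        comp, ip, port, direction = line.split()
        yield comp, ip, int(port), direction


def find_unauthorized(text, expected=EXPECTED_PEERS):
    """Map each component to the sorted outbound peers not on its allowlist.

    A component with no allowlist entry at all has every outbound peer
    flagged, since nothing it does was documented to the acceptance tester.
    """
    hits = defaultdict(set)
    for comp, ip, port, direction in parse_log(text):
        if direction != "out":
            continue
        if (ip, port) not in expected.get(comp, set()):
            hits[comp].add((ip, port))
    return {comp: sorted(peers) for comp, peers in hits.items()}


def accept(text, expected=EXPECTED_PEERS):
    """Acceptance verdict: True only when no unauthorized peer was observed."""
    return not find_unauthorized(text, expected)
```

In a real CAT the log would come from a network tap or switch mirror port on the test bench rather than a string, and a failed verdict goes back to the supplier with the flagged peers attached.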
Without these proactive measures, manufacturers risk inheriting supplier vulnerabilities, leaving their operations exposed to significant threats.
Supply chain security
Manufacturers should also adopt a security-by-design approach that anticipates potential threats and builds protective measures into systems from the start. By maintaining a ‘clean build’ approach, organizations can then monitor for vulnerabilities throughout the production process and establish clear protocols for detecting and responding to anomalies.
Yet, the need for supply chain resilience – the ability to pivot to alternative suppliers or components in the face of disruption – sometimes clashes with cybersecurity goals. While many companies enforce strict security protocols with their primary suppliers, these measures often fail to extend to secondary or backup vendors. You may have resilience in your supply chain, but if you haven’t vetted your backup suppliers, you could be opening new vulnerabilities when switching sources.
To sidestep this risk, make sure that secondary and tertiary suppliers meet the same cybersecurity standards as primary vendors. Also, embed cybersecurity requirements in supplier contracts and conduct regular audits to confirm compliance.
At first blush that may sound like a lot. But by aligning resilience with strong cybersecurity measures, manufacturers can safeguard their operations without compromising their ability to adapt in times of disruption.
Cyber visibility
Organizations must aim for comprehensive cyber visibility across their components and sub-components to identify potential vulnerabilities. Understanding the origin of these elements is essential, but equally important is assessing and prioritizing their risk levels to effectively manage and mitigate potential threats.
Manufacturers should map their entire supply chain to understand where components originate and conduct deeper assessments of their critical suppliers. All the while, manufacturers should strive to collaborate closely with their suppliers to ensure mutual understanding of cybersecurity protocols.
Part of that effort might also extend to the adoption of a standardized certification process that helps manufacturers consistently evaluate the security practices of their suppliers. Adopting frameworks such as those published by NIST and IEC 62443 can prove effective when paired with proactive measures, such as anomaly detection and scenario planning with key suppliers.
Preparing for an inevitable future
The manufacturing sector faces significant pressure to modernize and secure its operations amid growing threats to its supply chains. However, with a proactive approach, manufacturers can transform cybersecurity from a regulatory obligation into a competitive advantage.
Achieving this requires a shift in mindset – where security becomes a fundamental component of both operational processes and strategic objectives. For forward-thinking manufacturers, this shift presents a valuable opportunity to stand out in an increasingly interconnected market.
By positioning themselves as trusted partners who can withstand cyber disruptions without compromising output or quality, they’ll be able to enhance their reputation and strengthen their market position at the same time.
Ian Bramson
Ian Bramson is Vice President of Global Industrial Cybersecurity at Black & Veatch. Black & Veatch is a 100-percent employee-owned global engineering, procurement, consulting and construction company with a more than 100-year track record of innovation in sustainable infrastructure. Since 1915, it has helped its clients improve the lives of people around the world by addressing the resilience and reliability of its most important infrastructure assets.