Manufacturing supply chain cybersecurity requires: a vendor risk assessment process for all third parties with network access, strict controls on vendor remote access (jump servers, time-limited sessions), contractual security requirements in supplier agreements, monitoring for anomalous activity from vendor connections, and a vendor incident response process. For manufacturers supplying defense or government customers, CMMC supply chain requirements may also apply.
How Supply Chain Attacks Work in Manufacturing
Supply chain attacks in manufacturing typically follow one of three patterns:
- Compromised vendor credentials: An attacker compromises your equipment vendor's VPN account and uses it to access your OT environment. The SolarWinds attack is the IT equivalent — attackers compromised a vendor's software to reach customers.
- Malicious software updates: Attackers compromise a vendor's software distribution process and inject malware into updates that are then pushed to customer systems. This has occurred in industrial software (the 2022 Incontroller/Pipedream malware framework targeted industrial control systems).
- Phishing through the supply chain: Your employees trust email from suppliers. Attackers who compromise a supplier's email can use it to send convincing phishing emails to your team, including requests for wire transfers, credential harvesting, or malware delivery.
Vendor Risk Assessment: Who Gets Access to What
The foundation of supply chain security is knowing who has access to your systems and why. Create a vendor access inventory:
| Vendor Type | Access Level | Risk Level |
|---|---|---|
| Equipment vendor (remote diagnostics) | Direct access to specific machine controllers | High — direct OT access |
| ERP/software vendor (support) | Application and database access | High — can reach business data |
| Managed IT provider | Full infrastructure access | Critical — full trust |
| Logistics/EDI partner | EDI transactions only | Medium — limited to EDI data |
| Raw material supplier | Typically email only | Low — no system access |
For each high- and critical-risk vendor, conduct a security assessment:
- Does the vendor have a written cybersecurity policy?
- Do they use MFA for their own systems?
- Have they experienced a cybersecurity incident in the past 24 months?
- Are they SOC 2 Type II certified (for software vendors)?
- Do they have cyber liability insurance?
Technical Controls for Vendor Access
- Jump server: All vendor remote access should go through a centrally managed jump server (bastion host). Vendors connect to the jump server; the jump server connects to the target systems. This creates a single point of control and logging for all vendor sessions.
- Time-limited access: Vendor access should be enabled for specific service windows and disabled immediately after. "Always on" vendor VPN connections are unnecessary and dangerous — most vendors only need access when actively working on your systems.
- Session recording: Record all vendor remote sessions. This provides accountability and forensic evidence if a session is misused.
- Separate credentials per vendor: Never create a shared "vendor" account. Each vendor has their own credentials, and those credentials can be disabled independently if the vendor is compromised or the relationship ends.
- Principle of least privilege: Vendors should only be able to access the specific systems they need. An HVAC vendor has no reason to access your ERP system.
Contractual Security Requirements
Security requirements should be in your supplier agreements, not just hoped for:
- Incident notification: vendors must notify you within 24–48 hours if they experience a cybersecurity incident that may affect your systems or data
- Security standards: require vendors to maintain specific controls (MFA, encryption, security awareness training)
- Right to audit: reserve the right to request security documentation or conduct assessments
- Data handling: specify how your confidential data (CAD files, production specs, customer information) must be handled and protected
Defense Customer Requirements
If you supply to the Department of Defense or defense prime contractors, CMMC (Cybersecurity Maturity Model Certification) supply chain requirements likely apply. CMMC Level 2 requires compliance with 110 NIST 800-171 controls — and your primes are increasingly flowing down these requirements to their suppliers. See our CMMC Level 2 checklist for details. A manufacturing IT provider familiar with CMMC can help you assess your current compliance posture.
Frequently Asked Questions
Should I require my suppliers to have cybersecurity certifications?
For suppliers with network access to your systems or those handling your sensitive data, yes. SOC 2 Type II is the appropriate standard for software vendors and managed service providers. For manufacturing suppliers that exchange EDI data, requiring written security policies and annual training may be more practical than formal certification.
What is a Software Bill of Materials (SBOM) and why does it matter?
An SBOM is a formal list of components in software — essentially an ingredients list. SBOMs allow you to quickly determine if software you're running is affected by a newly discovered vulnerability in a component. The FDA now requires SBOMs for medical devices, and CISA recommends them for industrial software. Ask new software vendors for SBOMs before purchasing.
How do I handle a situation where a key supplier has poor cybersecurity?
Start with your contract — most supplier agreements have limited leverage over security practices. The practical options are: require improvement as a condition of continued business (effective for important suppliers), limit their access to your systems to the minimum necessary (technical controls), maintain enhanced monitoring of their access sessions, or qualify an alternate supplier to reduce dependency. Document your risk assessment either way.