Cyber Security Risks in Industrial Supply Chains

Manufacturing supply chains are vital to the development and fulfillment of any modern technology—they change rapidly as sectors overlap, products evolve, and global locations of suppliers change. This dynamic nature of the supply chain exposes enterprises to a wide variety of risks. 

Traditionally, industries as diverse as automotive, pharmaceuticals, oil & gas, and food & beverage have invested heavily in documenting traceability in their supply chains. This has helped significantly for product recalls, identification of tampered or counterfeit components, and in projecting potential problems along the supply spectrum. More recently, industrial control vendors and their customers have been bringing similar discipline to cyber security in their supply chains.

The Shamoon virus attack, which affected 30,000 workstations at one oil producer in 2012, highlighted how risk in the supply chain of a system can lead to significant exposure.

Supply chain cyber security risks

Strategic consulting firm Booz Allen Hamilton first coined the term Supply Chain Management in the 1980s. The firm is widely respected for its engagements in the field and recently studied supply chain security risks in what the U.S. Department of Homeland Security calls the “critical manufacturing” sector. Critical manufacturing includes companies like GE, Siemens, ABB, Schneider Electric and others that make industrial automation systems.

Homeland Security has also highlighted the importance of risk management for the “critical infrastructure” – which it defines as “the power we use in our homes, the water we drink, the transportation that moves us, and the communication systems we rely on to stay in touch with friends and family.”

Booz Allen has provided a broad assessment of risks across the supply chain including:

• Lack of visibility into the sourcing and tracking of cyber sensitive components throughout the supply chain lifecycle

• Lack of integrated processes leaving cyber-security and accountability gaps between large critical manufacturers and their suppliers

• Limited controls to protect sensitive data and critical transactions between large critical manufacturers and suppliers

Nadya Bartol, Senior Cyber Security Strategist at the Utilities Telecom Council (UTC), is deeply involved in supply chain risk in the infrastructure sector. She was a principal contributor to ISO/IEC 27036-3, which provides guidelines for information and communication technology supply chain security and also applies directly to industrial automation supply chains.

She worries, especially as supply chains become more global, about the intentional insertion of malicious functionality (including backdoors, viruses and extra, unrequested features), counterfeit electronics, and poor software code quality, and about the impact of each on cyber security, as her graph below summarizes (source).

[Figure: Supply Chain Cyber Security]

The emergence of standards

The good news: as awareness of these risks grows, industry and regional cyber security standards have been evolving. The American Petroleum Institute’s API 1164 guideline addresses security around oil and gas SCADA operations. In the U.K., CPNI has a “good practice” guide for industrial control systems. In Germany, the NAMUR 115 standard focuses on security issues in process industries such as chemicals and energy. In addition, the ISA/IEC 62443 series of standards continues to make headway in defining a set of integrated security standards that span the lifecycle of industrial automation systems.

From a supply chain perspective, the IEC 62443-2-4 standard (security program requirements for service providers of industrial automation and control systems) is particularly promising.

The pioneering work for this standard came from the WIB, a group of end users founded in 1962 in the Netherlands to explore manufacturing challenges at large energy and chemical companies like Royal Dutch Shell, BP and Dow. In 2010, the WIB Plant Security Working Group issued a supplier security standard that evolved into the IEC 62443-2-4 standard.

Supplier Certifications

The WIB also included a certification program for their standard, which became known as the Achilles Practices Certification (APC). A number of large utilities and oil and gas companies now require key suppliers to become APC certified in order to improve their security posture, including that of their supply chains.

A growing list of major control systems vendors, including Emerson, GE, Honeywell, Siemens and Yokogawa, has undergone APC certification. This has started a ripple effect from these major suppliers, also referred to as Tier 1 suppliers, to their Tier 2 and subsequent suppliers.

These certifications – with regular re-certifications – and emerging standards are helping to increase confidence that cyber security risks can be reduced. Given the challenges facing the supply chain, following standards such as IEC 62443-2-4 will help vendors and their suppliers be better equipped to protect critical manufacturing and infrastructure assets.
