What is Supply Chain Management (SCM)?
Supply Chain Management (SCM) is the set of processes, systems, and partnerships needed to deliver products and services effectively from supplier to end user. It covers logistics, production, procurement, inventory, planning, and collaboration with external parties.
In the OT context, SCM is not only a logistics discipline but also a critical link in cybersecurity, since suppliers often have deep access to systems, software, and hardware, and anything they deliver or connect to the plant inherits their level of trust.
🧠 Core functions of SCM
- Procurement – Selecting suppliers, contract management
- Logistics – Transport, storage, receipt, and issue of materials
- Production planning – Aligning demand and capacity
- Inventory management – Optimising stock levels
- Supplier relationship management – Working together based on trust and performance
- Traceability – Tracking the origin and status of parts or materials
🔐 Cybersecurity in supply chains
| Cyber risk | Example in OT |
|---|---|
| Compromised supplier component | Malware in the firmware of a PLC delivered by an external supplier |
| Uncontrolled remote access | A maintenance party has direct VPN access into the SCADA environment instead of a controlled, logged route |
| Shadow IT / unvalidated tools | Installation of unapproved software in the production environment |
| Software integrity | Update files manipulated in transit or at the vendor and installed without signature verification |
Incidents such as SolarWinds (2020, trojanised Orion build), NotPetya (2017, malicious M.E.Doc update) and 3CX (2023, trojanised desktop client) show that attackers increasingly enter through suppliers and their update channels rather than through the target's own perimeter.
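The "software integrity" risk above comes down to one question: does the device (or the patch-management system) verify that an update was signed by the vendor before it installs it? The following is an added example, not code from the original page or from any vendor; it assumes a hypothetical manifest format (product, version, SHA-256 of the image, Ed25519 signature over those three fields), a hypothetical product name `PLC-X`, and a constructed firmware image. It shows both sides: the vendor signing a release, and the asset owner verifying it against a pinned public key, rejecting a tampered image, a manifest signed by another key, and a manifest for a different product.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update manifest a vendor ships beside a firmware
// image. The signature covers product, version and image hash together, so none
// of them can be swapped for another without invalidating it.
type Manifest struct {
	Product   string
	Version   string
	ImageHash string // hex-encoded SHA-256 of the firmware image
	Signature []byte // Ed25519 signature over signedBytes(m)
}

// signedBytes is the canonical byte string that is signed and later verified.
func signedBytes(m Manifest) []byte {
	return []byte(m.Product + "\n" + m.Version + "\n" + m.ImageHash + "\n")
}

// SignManifest is the vendor side: hash the image and sign the manifest with the
// vendor's release-signing key (which in practice never leaves the vendor's HSM).
func SignManifest(priv ed25519.PrivateKey, product, version string, image []byte) Manifest {
	sum := sha256.Sum256(image)
	m := Manifest{Product: product, Version: version, ImageHash: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

// VerifyUpdate is the asset-owner side. vendorPub is the vendor's public key
// pinned on the device or in the patch-management system, obtained out of band
// and never taken from the update bundle itself. The checks are ordered so that
// nothing in the bundle is trusted before the signature has been verified.
func VerifyUpdate(vendorPub ed25519.PublicKey, m Manifest, image []byte, expectedProduct string) error {
	if !ed25519.Verify(vendorPub, signedBytes(m), m.Signature) {
		return errors.New("manifest signature invalid: not signed by the pinned vendor key")
	}
	if m.Product != expectedProduct {
		return fmt.Errorf("manifest is for %q, this device is %q", m.Product, expectedProduct)
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != m.ImageHash {
		return errors.New("image hash does not match signed manifest: image tampered or swapped")
	}
	return nil
}

func main() {
	// Constructed demo: the vendor generates a release key and the asset owner
	// pins vendorPub. Only the public half ever reaches the plant.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed PLC firmware image v2.1.0")
	m := SignManifest(vendorPriv, "PLC-X", "2.1.0", image)
	fmt.Println("genuine update:", VerifyUpdate(vendorPub, m, image, "PLC-X"))

	// The "manipulated update file" risk from the table: one flipped byte in transit.
	tampered := append([]byte(nil), image...)
	tampered[len(tampered)-1] ^= 0x01
	fmt.Println("tampered image:", VerifyUpdate(vendorPub, m, tampered, "PLC-X"))

	// A manifest that is internally consistent but signed by someone else.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignManifest(attackerPriv, "PLC-X", "2.1.1", tampered)
	fmt.Println("forged manifest:", VerifyUpdate(vendorPub, forged, tampered, "PLC-X"))
}
```

Two design points matter more than the primitives: the verifying key is pinned and distributed out of band (a key shipped inside the update bundle proves nothing), and the product name is inside the signed data, so a genuine but wrong-device image cannot be replayed onto another product line. Not shown, but needed in a real deployment, are rollback protection (refuse versions older than the installed one) and a way to rotate or revoke the vendor key.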
✅ Security measures in SCM
| Measure | Description |
|---|---|
| Supplier security policy | Security requirements for suppliers written into contracts (secure development, vulnerability disclosure, access rules) |
| Third-party risk management | Risk assessment of external parties before onboarding and continuous monitoring afterwards |
| Asset inventory | Knowing which components and software versions each supplier has delivered, and where they are installed |
| Secure boot and firmware signing | Devices accept only firmware and updates signed by a pinned vendor key, so tampered images are rejected before they run |
| Access control and jump server | External parties reach OT only through a controlled, logged path (jump host, time-limited accounts), never by direct VPN into the control network |
| Patch management | Updates are obtained through trusted channels and their signatures and hashes are verified before installation |
| Monitoring and anomaly detection | Alerting on supplier connections outside the agreed maintenance window, outside the contracted scope, or from vendors with no approved policy |
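"Monitoring and anomaly detection" on supplier connections is only as good as the policy you compare against, and the simplest effective policy is the one the contract and the firewall rules already imply: which vendor may reach which host, on which service, and when. The following is an added example, not code from the original page or from any product; it assumes a constructed `timestamp key=value` record format as a jump host or VPN concentrator might emit, a hypothetical vendor `acme` with a hypothetical policy, and a handful of constructed log lines. It parses the records and flags connections outside the maintenance window, outside the contracted scope, from a vendor with no policy at all, or that cannot be parsed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Event is one parsed supplier connection from the jump host or VPN concentrator.
type Event struct {
	Time   time.Time
	Vendor string
	Dst    string
	Port   int
}

// Policy: what contract and firewall rules agree on for one vendor (window is workdays, UTC hours).
type Policy struct {
	AllowedDst   map[string]bool
	AllowedPorts map[int]bool
	WindowStart  int // inclusive
	WindowEnd    int // exclusive
}

// ParseEvent reads a constructed "RFC3339-timestamp key=value ..." record.
func ParseEvent(line string) (Event, error) {
	// The record starts with the timestamp; SplitN is safe on an empty line.
	ts, err := time.Parse(time.RFC3339, strings.SplitN(line, " ", 2)[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %v", line, err)
	}
	kv := map[string]string{}
	for _, f := range strings.Fields(line)[1:] {
		k, v, _ := strings.Cut(f, "=")
		kv[k] = v
	}
	port, err := strconv.Atoi(kv["port"])
	if err != nil {
		return Event{}, fmt.Errorf("bad port %q in %q", kv["port"], line)
	}
	return Event{Time: ts, Vendor: kv["vendor"], Dst: kv["dst"], Port: port}, nil
}

// Evaluate returns the violations for one event; a vendor with no policy is itself a finding.
func Evaluate(policies map[string]Policy, e Event) []string {
	p, ok := policies[e.Vendor]
	if !ok {
		return []string{"no supplier policy for vendor " + e.Vendor}
	}
	var reasons []string
	t := e.Time.UTC()
	if wd := t.Weekday(); wd == time.Saturday || wd == time.Sunday || t.Hour() < p.WindowStart || t.Hour() >= p.WindowEnd {
		reasons = append(reasons, "outside maintenance window")
	}
	if !p.AllowedDst[e.Dst] {
		reasons = append(reasons, "destination "+e.Dst+" not in contracted scope")
	}
	if !p.AllowedPorts[e.Port] {
		reasons = append(reasons, "port "+strconv.Itoa(e.Port)+" not an approved service")
	}
	return reasons
}

// ScanLog maps each flagged line index to its reasons; unparsable records are flagged, not skipped.
func ScanLog(policies map[string]Policy, lines []string) map[int][]string {
	alerts := map[int][]string{}
	for i, line := range lines {
		e, err := ParseEvent(line)
		if err != nil {
			alerts[i] = []string{"unparsable record: " + err.Error()}
			continue
		}
		if r := Evaluate(policies, e); len(r) > 0 {
			alerts[i] = r
		}
	}
	return alerts
}

// Constructed policy and log: acme may reach only 10.20.1.15 on Modbus/TCP (502),
// workdays 08:00-17:00 UTC. 2024-03-12 is a Tuesday, 2024-03-16 a Saturday.
var Policies = map[string]Policy{
	"acme": {
		AllowedDst:   map[string]bool{"10.20.1.15": true},
		AllowedPorts: map[int]bool{502: true},
		WindowStart:  8, WindowEnd: 17,
	},
}
var SampleLog = []string{
	"2024-03-12T09:15:02Z vendor=acme user=acme-svc src=203.0.113.10 dst=10.20.1.15 port=502",
	"2024-03-12T23:40:11Z vendor=acme user=acme-svc src=203.0.113.10 dst=10.20.1.15 port=502",
	"2024-03-12T10:02:45Z vendor=acme user=acme-svc src=203.0.113.10 dst=10.20.1.40 port=3389",
	"2024-03-16T11:00:00Z vendor=acme user=acme-svc src=203.0.113.10 dst=10.20.1.15 port=502",
}

func main() {
	for i, r := range ScanLog(Policies, SampleLog) {
		fmt.Printf("ALERT line %d: %s\n  %s\n", i, strings.Join(r, "; "), SampleLog[i])
	}
}
```

On the constructed sample, the first record passes, the second is flagged for the late-night hour, the third for both an out-of-scope host and an unapproved service (RDP instead of Modbus), and the fourth for weekend access. Two deliberate choices: a vendor that appears in the logs without any policy is an alert rather than a pass, because an unmanaged supplier connection is exactly the "uncontrolled remote access" risk; and a record the parser cannot read is also an alert, since silently dropping it would hide the connection from review.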
🔁 SCM and standards
| Standard | Relevance to supply chain security |
|---|---|
| IEC 62443-2-4 | Requirements for integrators/suppliers of industrial systems |
| ISO/IEC 27001 and ISO/IEC 27036 | ISMS requirements, and information security for supplier relationships including contractual arrangements |
| NIS2 | Increased requirements for suppliers in critical sectors |
| SOC 2, ISAE 3402 | Assurance for suppliers with access to critical data/systems |
📦 Digital vs. physical supply chain
| Digital chain | Physical chain |
|---|---|
| Software suppliers, updates, cloud | Components, equipment, spare parts |
| Remote access, e-maintenance | On-site installations, field engineers |
| IT/OT integrations | Packaging, storage, just-in-time delivery |
In OT, the two are tightly intertwined and must be secured simultaneously.
📌 In summary
Supply Chain Management is essential for managing production, delivery, and cybersecurity risks. In OT environments, it is crucial to screen, monitor, and secure suppliers, components, and access chains.
