What are supply chain risks?
Supply chain risks in cybersecurity are risks that arise because your organisation depends on external parties, such as suppliers, software developers, IT service providers, or manufacturers of OT equipment.
If one of these links is hit by a cyber incident (such as an attack or vulnerability), this can have direct or indirect consequences for your organisation.
🔗 Examples of supply chain risks
| Risk | Example |
|---|---|
| Vulnerable third-party software | Vulnerability in a PLC firmware supplied by a vendor |
| Managed service is attacked | VPN provider or cloud platform is targeted by ransomware |
| Hardcoded backdoor in equipment | OT equipment with hidden access for maintenance purposes |
| Infiltration via partner network | Supplier gains access to your OT network without segmentation |
| Delivery of counterfeit hardware | Counterfeit components with malware or hidden communication module |
🎯 Why are they important?
- Increasingly, systems are interconnected through the digital supply chain
- Many organisations rely on external tools and services
- Attacks such as SolarWinds or Kaseya show how widely damage can spread
- NIS2 and ISO 27001 require that you also assess and monitor your suppliers
🔐 Measures against supply chain risks
| Security measure | Description |
|---|---|
| Supplier assessment | Review of the supplier's cybersecurity policy and certifications (e.g. ISO 27001) |
| Contractual arrangements | Lay down security obligations in SLAs or DPAs |
| Network segmentation / zones and conduits model | Restrict supplier access in OT/IT networks |
| Access management and monitoring | Temporary, controlled access via a jump server or VPN |
| Software Bill of Materials (SBOM) | Insight into dependencies within supplied software |
| Patching policy for third-party components | Procedures for updates of supplier systems |
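One way the SBOM measure above is put to use in practice is to check the components listed in a supplier's SBOM against a list of affected versions, so that patching of third-party components can be prioritised. The example below is added here and is not code from the original page; the CycloneDX-style SBOM and the advisory list are constructed placeholder data, not real advisories.

```python
import json
import re

# Constructed sample SBOM in CycloneDX JSON form (placeholder data, not a real vendor's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "libcurl", "version": "7.79.1", "purl": "pkg:generic/libcurl@7.79.1"},
        {"name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
        {"name": "openssl", "version": "3.0.2", "purl": "pkg:generic/openssl@3.0.2"},
    ],
})

# Constructed advisory list: component name -> (first affected version, first fixed version).
# Placeholder values for illustration; in practice this comes from your vulnerability feed.
ADVISORIES = {
    "zlib": ("1.2.0", "1.2.12"),
    "openssl": ("3.0.0", "3.0.7"),
}


def parse_version(version):
    """Turn '1.2.11' (or '1.2.11a') into a comparable tuple of integers."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_sbom(sbom_text):
    """Return (name, version) pairs for every component in a CycloneDX JSON SBOM."""
    doc = json.loads(sbom_text)
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def affected_components(sbom_text, advisories):
    """List components whose version falls in an advisory's affected range [first_affected, first_fixed)."""
    findings = []
    for name, version in parse_sbom(sbom_text):
        if name not in advisories:
            continue
        first_affected, first_fixed = advisories[name]
        if parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed):
            findings.append((name, version, first_fixed))
    return findings


if __name__ == "__main__":
    for name, version, fixed_in in affected_components(SAMPLE_SBOM, ADVISORIES):
        print(f"{name} {version} is affected; update to {fixed_in} or later")
```

Components without an advisory (here libcurl) are skipped, and a component already at or above the fixed version is not reported.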
🏭 In the OT context
Supply chain risks also apply to:
- PLCs, SCADA software, or Historian databases from external suppliers
- External maintenance parties that have access to your production network
- Use of open-source libraries in embedded systems
📌 In summary
Supply chain risks are cyber threats arising from dependence on third parties. Through good cooperation, controls, segmentation, and monitoring, these risks can be significantly reduced.
