ISA Interchange

Welcome to the official blog of the International Society of Automation (ISA).


Manufacturers Must Reduce Risk of Upstream and Downstream Supply Chain Attacks

Supply chain disruptions are among the most pressing issues for today’s manufacturers. While geopolitical tension and events like the COVID-19 pandemic have taken the spotlight in this area, another risk factor — cybersecurity — deserves attention, too. Upstream and downstream supply chain attacks pose serious risks to manufacturers and their partners.

As manufacturers embrace Industry 4.0 technologies, their cyber vulnerabilities throughout the supply chain rise. Many organizations now realize the need to address these risks, but fewer understand that an interconnected supply chain means shared weaknesses between parties.

The Importance of Supply Chain Cybersecurity

Manufacturing experienced the most cyberattacks of any sector in 2022. One of the primary reasons manufacturers are such popular targets is because their attack surfaces are massive. In addition to a skyrocketing number of internet-connected devices, they have extensive third-party dependencies, opening them to supply chain attacks.

Supply chains have digitized to increase efficiency and reliability, and parties share vast amounts of data. A manufacturer’s upstream suppliers, 3PLs and downstream partners may all have access to their systems and sensitive data. Consequently, an attack on one entity in the supply chain can affect everyone involved.

One such attack in 2022 left an automaker 13,000 vehicles behind its production targets, even though the attack did not target the manufacturer directly. Instead, it hit a parts supplier, leading to a network shutdown at its facility. As a result, the supplier couldn’t fulfill orders or communicate with its downstream customers.

Other attacks could target a software provider to steal sensitive customer information from manufacturing partners. If a breach from a downstream supply chain partner reveals enough personal information about a manufacturer’s customers, it could also land them in legal trouble. These situations will become more likely as cybercriminals realize how much disruption they can cause through one attack.

How to Reduce the Risk of Supply Chain Attacks

Given how severe supply chain attacks can be, manufacturers must prevent them whenever they can and mitigate them when they can’t. Here are some strategies to reduce the risks of upstream and downstream attacks.

Conduct a Risk Assessment

Supply chains are large and complex, so it can be challenging to know your weak points. Consequently, performing a cyber-risk assessment is essential to reveal what makes your chain vulnerable and how you can address it.

Third-party risk assessments should involve network mapping to show dependencies and penetration testing to judge the strength of existing cybersecurity measures. These services incur extra expenses but save money in the long term by preventing costly attacks. The average cost of a data breach in the U.S. reached $9.44 million in 2022, so the upfront cost is well worth the investment. You can’t defend what you don’t know is vulnerable, and that’s precisely what a risk assessment reveals.

These tests should look at a manufacturer’s internal controls and processes and those of their upstream and downstream partners. Many organizations likely give too much access and information to too many parties. Thorough assessments bring these to light to inform more effective changes.

Hold Supply Chain Partners to a Higher Standard

Manufacturers should require more from their upstream and downstream partners. Just as some companies only work with those who meet certain ESG criteria, manufacturers should require proof of high security standards before working with anyone.

This selection begins with researching potential partners’ security backgrounds before reaching out. Any business that has experienced a major breach or handled a cybersecurity incident poorly is a liability. You should also look for third-party security standards like ISO 27002 or NIST SP 800-53 certification.

It’s important to remember that you can’t reasonably ask partners for something you don’t achieve on your own end. Manufacturers should also pursue cybersecurity certifications to offer assurance that they won’t jeopardize partners’ data either.

Minimize Access Privileges

Even if everyone in the supply chain meets higher security standards, attacks are still possible. No defense is 100% secure, and even the most experienced employees can still make mistakes that let attackers in. Given these risks, manufacturers must restrict who can access what data.

The safest solution is to implement the principle of least privilege. This holds that every user, app and device should only be able to access the data and systems it needs to do its job. This may seem like limiting visibility at first, but it ensures one breach at any point in the network can’t jeopardize all your data.

Minimizing access privileges is also an important way to stop insider threats. Over half of all organizations have experienced one in the last year, so preventing internal breaches is crucial. These are usually a matter of human error rather than malicious employees, but the effect is the same.

Implement Continuous Monitoring

Many technical controls necessary to stop supply chain attacks vary depending on the specific technology in use. However, some are essential in every situation. That’s the case with continuous monitoring.

Continuous monitoring uses artificial intelligence (AI) to watch for suspicious activity across company devices and networks. If something unusual occurs — such as unusually large file transfers or a user trying to access a database they don’t normally need — the AI stops it and alerts IT staff.

These quick responses are crucial for preventing internal and external breaches. Using AI also removes the need for a dedicated security operations team and enables faster, more accurate warnings.
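The two signals named above, a user reaching a database they do not normally use and an unusually large transfer, can be checked with very little machinery once a least-privilege policy (the "Minimize Access Privileges" section) and a per-user baseline exist. The following is an added example written for this post, not code from ISA or the author; the roles, users, resource names and log lines are all constructed, and the threshold (ten times a user's median transfer size) is an arbitrary starting point a real deployment would tune.

```python
"""Added example: continuous-monitoring checks over constructed access-log lines.

Two layers are combined:
  1. A least-privilege allowlist: each role may touch only the resources it needs.
  2. A per-user baseline learned from past activity, used to flag a resource the
     user has never touched before and transfers far larger than their norm.
All roles, users, resources and log lines below are constructed for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed least-privilege policy: role -> resources that role needs.
ROLE_RESOURCES = {
    "line-operator": {"mes-db", "hmi-share"},
    "supplier-portal": {"orders-db"},
    "it-admin": {"mes-db", "hmi-share", "orders-db", "backup-vault"},
}
USER_ROLES = {"alice": "line-operator", "bob": "supplier-portal", "carol": "it-admin"}

# Constructed log format: "<timestamp> user=<u> action=<a> resource=<r> bytes=<n>"
BASELINE_LOG = [
    "2024-11-01T08:00:00 user=alice action=read resource=mes-db bytes=2048",
    "2024-11-01T08:05:00 user=alice action=read resource=hmi-share bytes=4096",
    "2024-11-01T09:00:00 user=bob action=read resource=orders-db bytes=1024",
    "2024-11-01T09:30:00 user=bob action=write resource=orders-db bytes=3072",
    "2024-11-01T10:00:00 user=carol action=read resource=backup-vault bytes=8192",
    "2024-11-01T10:10:00 user=carol action=read resource=mes-db bytes=2048",
]
TODAY_LOG = [
    "2024-11-02T08:00:00 user=alice action=read resource=mes-db bytes=1500",
    "2024-11-02T08:20:00 user=alice action=read resource=orders-db bytes=512",
    "2024-11-02T09:00:00 user=bob action=read resource=orders-db bytes=50000000",
    "2024-11-02T09:15:00 user=carol action=read resource=orders-db bytes=1024",
    "2024-11-02T09:40:00 user=mallory action=read resource=mes-db bytes=100",
]


def parse_line(line):
    """Turn one space-separated key=value log line into a dict."""
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = ts
    rec["bytes"] = int(rec["bytes"])
    return rec


def build_baseline(lines):
    """Per user: the set of resources seen and the median transfer size."""
    resources = defaultdict(set)
    sizes = defaultdict(list)
    for rec in map(parse_line, lines):
        resources[rec["user"]].add(rec["resource"])
        sizes[rec["user"]].append(rec["bytes"])
    return {user: (resources[user], median(sizes[user])) for user in resources}


def detect(lines, baseline, size_factor=10):
    """Return (user, alert_kind, detail) tuples for every suspicious record."""
    alerts = []
    for rec in map(parse_line, lines):
        user, resource, nbytes = rec["user"], rec["resource"], rec["bytes"]
        # Layer 1: least privilege. Unknown users get an empty allowlist.
        allowed = ROLE_RESOURCES.get(USER_ROLES.get(user, ""), set())
        if resource not in allowed:
            alerts.append((user, "policy-violation", resource))
            continue  # a denied access is already actionable; skip baseline checks
        # Layer 2: deviation from the user's own history.
        seen, typical = baseline.get(user, (set(), 0))
        if resource not in seen:
            alerts.append((user, "unusual-resource", resource))
        if typical and nbytes > size_factor * typical:
            alerts.append((user, "large-transfer", f"{nbytes} bytes vs median {typical}"))
    return alerts


def run_example():
    """Build the baseline from yesterday's log and scan today's log."""
    return detect(TODAY_LOG, build_baseline(BASELINE_LOG))


if __name__ == "__main__":
    for user, kind, detail in run_example():
        print(f"ALERT {kind:18} user={user:8} {detail}")
```

Running the block flags alice reaching a database her role never needs (a policy violation), bob pulling a transfer orders of magnitude above his norm, carol, who is allowed to read orders-db, touching it for the first time (worth a look rather than a block), and an unknown account that matches no role at all. The policy check runs first because a denied access is actionable regardless of history; the baseline checks only refine what the policy already permits.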

Create a Backup and Recovery Plan

Even if every party in the supply chain implements these other steps, breaches are still possible. Despite rising awareness around cybersecurity, 68% of all organizations have experienced a cyberattack in the past year. These occurrences are too common to assume they’ll never happen to you, so you need a backup plan.

Manufacturers must keep backups of all sensitive data and mission-critical systems, both offline and in the cloud. Every organization in the supply chain also needs a formal process for using these backups to recover from a breach. That plan should include communicating the breach to affected parties and several mitigation measures.

Supply chain organizations should review these plans annually to ensure they’re still relevant and effective. Repeated risk assessments can also help by revealing any new vulnerabilities to address.

Supply Chain Attacks Demand Attention

Supply chain attacks can be devastating and happen in any part of the process. While digitization is important, cybersecurity improvements must be part of manufacturers’ initiatives to address the resulting vulnerabilities.

Effectively mitigating these threats requires cooperation among all a manufacturer’s partners. These broad shifts can be challenging but are far less costly and disruptive than a successful attack. Security is always worth the effort.

Emily Newton
Emily Newton is the Editor-in-Chief of Revolutionized, an online magazine celebrating advances in science and technology.
