Supply chain disruptions are among the most pressing issues for today’s manufacturers. While geopolitical tension and events like the COVID-19 pandemic have taken the spotlight in this area, another risk factor — cybersecurity — deserves attention, too. Upstream and downstream supply chain attacks pose serious risks to manufacturers and their partners.
As manufacturers embrace Industry 4.0 technologies, their cyber vulnerabilities throughout the supply chain rise. Many organizations now realize the need to address these risks, but fewer understand that an interconnected supply chain means shared weaknesses between parties.
Manufacturing experienced the most cyberattacks of any sector in 2022. One of the primary reasons manufacturers are such popular targets is because their attack surfaces are massive. In addition to a skyrocketing number of internet-connected devices, they have extensive third-party dependencies, opening them to supply chain attacks.
Supply chains have digitized to increase efficiency and reliability, and parties share vast amounts of data. A manufacturer’s upstream suppliers, 3PLs and downstream partners may all have access to their systems and sensitive data. Consequently, an attack on one entity in the supply chain can affect everyone involved.
One such attack in 2022 led an automaker to fall 13,000 vehicles behind production targets despite not targeting the manufacturer directly. Instead, it hit a parts supplier, leading to a network shutdown at its facility. As a result, the supplier couldn’t fulfill orders or communicate with its downstream customers.
Other attacks could target a software provider to steal sensitive customer information from manufacturing partners. If a breach from a downstream supply chain partner reveals enough personal information about a manufacturer’s customers, it could also land them in legal trouble. These situations will become more likely as cybercriminals realize how much disruption they can cause through one attack.
Given how severe supply chain attacks can be, manufacturers must prevent them whenever they can and mitigate them when they can’t. Here are some strategies to reduce the risks of upstream and downstream attacks.
Supply chains are large and complex, so it can be challenging to know your weak points. Consequently, performing a cyber-risk assessment is essential to reveal what makes your chain vulnerable and how you can address it.
Third-party risk assessments should involve network mapping to show dependencies and penetration testing to judge the strength of existing cybersecurity measures. These services incur extra expenses but save money in the long term by preventing costly attacks. The average cost of a data breach in the U.S. reached $9.44 million in 2022, so the upfront cost is well worth the investment. You can’t defend what you don’t know is vulnerable, and that’s precisely what a risk assessment reveals.
These tests should look at a manufacturer’s internal controls and processes and those of their upstream and downstream partners. Many organizations likely give too much access and information to too many parties. Thorough assessments bring these to light to inform more effective changes.
Manufacturers should require more from their upstream and downstream partners. Just as some companies only work with those who meet certain ESG criteria, manufacturers should require proof of high security standards before working with anyone.
This selection begins with researching potential partners’ security backgrounds before reaching out. Any business that has experienced a major breach or handled a cybersecurity incident poorly is a liability. You should also look for third-party security standards like ISO 27002 or NIST SP 800-53 certification.
It’s important to remember that you can’t reasonably ask for something you don’t achieve on your own end. Manufacturers also should pursue cybersecurity certifications to offer assurance that they won’t jeopardize partners’ data either.
Even if everyone in the supply chain meets higher security standards, attacks are still possible. No defense is 100% secure, and even the most experienced employees can still make mistakes that let attackers in. Given these risks, manufacturers must restrict who can access what data.
The safest solution is to implement the principle of least privilege. This holds that every user, app and device should only be able to access the data and systems it needs to do its job. This may seem like limiting visibility at first, but it ensures one breach at any point in the network can’t jeopardize all your data.
Minimizing access privileges is also an important way to stop insider threats. Over half of all organizations have experienced one in the last year, so preventing internal breaches is crucial. These are usually a matter of human error rather than malicious employees, but the effect is the same.
Many technical controls necessary to stop supply chain attacks vary depending on the specific technology in use. However, some are essential in every situation. That’s the case with continuous monitoring.
Continuous monitoring uses artificial intelligence (AI) to watch for suspicious activity across company devices and networks. If something off occurs — such as unusually large file transfers or a user trying to access a database they don’t normally need — the AI stops it and alerts IT staff.
These quick responses are crucial for preventing internal and external breaches. Using AI also removes the need for a dedicated security operations team and enables faster, more accurate warnings.
Even if every party in the supply chain implements these other steps, breaches are still possible. Despite rising awareness around cybersecurity, 68% of all organizations have experienced a cyberattack in the past year. These occurrences are too common to assume they’ll never happen to you, so you need a backup plan.
Manufacturers must keep backups of all sensitive data and mission-critical systems, both offline and in the cloud. Every organization in the supply chain also needs a formal process for using these backups to recover from a breach. That plan should include communicating the breach to affected parties and several mitigation measures.
Supply chain organizations should review these plans annually to ensure they’re still relevant and effective. Repeated risk assessments can also help by revealing any new vulnerabilities to address.
Supply chain attacks can be devastating and happen in any part of the process. While digitization is important, cybersecurity improvements must be part of manufacturers’ initiatives to address the resulting vulnerabilities.
Effectively mitigating these threats requires cooperation among all a manufacturer’s partners. These broad shifts can be challenging but are far less costly and disruptive than a successful attack. Security is always worth the effort.