Building Effective Supply Chain Cybersecurity

Industry Today, January 6, 2025

Utilize risk management to develop and implement a successful security posture within your vendor ecosystem.

By Matthew DeChant, CEO of Security Counsel

In 2023, a supplier of Applied Materials, a global leader in the semiconductor industry, had one of their suppliers fall victim to a cyber-attack. This incident caused significant delays to critical component shipments that are estimated to cost Applied Materials as much as $250 million.

Countless studies have confirmed that of all cyber-attacks on manufacturers, supply chain attacks are the costliest and take the longest to identify. And while manufacturers must address cybersecurity threats across all aspects of the enterprise, supply chain risks loom ever larger, and according to a Gartner study, are predicted to triple in cost to manufacturers in just six years.

[Image: supply chain. Caption: By establishing internal and external policies and processes, manufacturers can defend themselves from third-party vulnerabilities. Photo by Tom Fisk, Pexels]

Technology, Processes, and People in Manufacturing Supply Chains

It’s easy to understand technology tools’ role in security operations, but without the right process and people in place, the manufacturing supply chain remains vulnerable to cyberattack. As Jennifer Chew highlights in her article covering supply chain fundamentals: “…it’s important to remember that success doesn’t come just from flashy technology alone, but in the strategic alignment of processes, people, and technology to drive positive outcomes and create long-term value.” This three-pillar notion cannot be more apparent than when we evaluate the success of a cybersecurity program within supply chain management.

In addition to managing all internal tools, processes and people, a sound security program must consider every external entity within the manufacturing supply chain including all communications and interactions between each of these vendor companies. A supply chain should be viewed as a community, an ecosystem; it should have common goals, language, expectations and security standards across the entire group of organizations.

Risk Management for Manufacturers

Successful supply chain cybersecurity begins with effective risk management. Understanding, evaluating, and documenting the highest-risk elements of the manufacturing supply chain, and mitigating them, is the backbone of a robust supply chain cybersecurity program. Risk management activities depend on an effective risk analysis at the beginning of every vendor relationship and periodically throughout its lifecycle. They also depend on effective training of the internal team and on successful communication with all external resources.

Risk management relies heavily on asking the right questions. As you perform your risk analysis, the key questions and topics should include internal analysis of your personnel training and roles, your own policies and processes, and external management of vendors:

For internal personnel:

  • Has everyone who is responsible for your supply chain relationships been trained on all relevant cybersecurity protocols?
  • It’s very dangerous for suppliers to be orphaned; as such, who owns each vendor relationship? Is ownership redundant so multiple people have all relevant information?
  • Regularly scheduled testing is important. Who are the designated owners of the testing process if different from the account owners?

For internal policies & processes:

  • Is there a published policy guiding all supply chain cybersecurity protocols and associated training?
  • Do you have the correct security controls in place for the specific product/service? Different controls may be required based on what the vendor provides – for example, office supplies versus a critical digital component containing sensitive IP will surely have different security control requirements.
  • Is there a well-designed, documented and adopted incident response plan in the event of a breach at one of your vendor companies?
  • Are there established contingency plans to mitigate the impact of potential supply chain disruptions? And do these plans include fully vetted and onboarded alternate suppliers?

For external supply base:

  • Do you conduct an external cybersecurity assessment on all potential new vendors, and if successful, do you have the right to re-assess each vendor on a scheduled cycle written into the contract?
  • Are there documented controls governing how data is stored and transferred for each product/service?
  • Do you understand the risks associated with sub-suppliers to your suppliers, and do you have this governance written into your contracts?
  • Are there any anticipated risks associated with global markets, conflicts, or regulatory changes affecting your vendor base that would disproportionately affect you?

Manufacturing Supply Chain Vendor Management

After thoroughly conducting your risk management activities and successfully documenting your findings, the output will guide your relationship with all of the companies in your supply chain. The guidelines and policies created will help to guide your interactions and communications with your suppliers. Policy will likely include:

  • Requirements and processes around the conduct of cyber due diligence on all outside vendors before the contract is signed
  • A well-documented relationship management plan including key team members on both sides, communication protocols, and a confirmed understanding of all contract details
  • Details on deliverables – don’t take vendor output for granted and check the contract for the list of deliverables, and ask if they are being met
  • A set of guidelines to evaluate the whole relationship, likely annually – this assessment will review:
    • All new or anticipated regulatory changes
    • Vendor team performance around all aspects of the relationship – communication, delivery schedules, etc.
    • Whether costs remain appropriate for the value received
    • Any new or updated expectations for the upcoming year
  • While a full assessment will occur annually, you should also have other methods to provide ongoing feedback and monitoring
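The risk-analysis questions above and the vendor management policy that follows from them can be turned into a checkable vendor register: each supplier record carries the facts the questions ask about (relationship owners, assessment dates, contract clauses, control documentation), and a review routine flags the gaps. The following is an added example, not code from the article or from Security Counsel; the vendor names, the tier names ("critical" versus "commodity"), the assessment cycles, and the finding codes are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed reassessment cycles, in days, by how critical the product/service is.
# The article notes that a commodity supplier (office supplies) and a supplier
# of a critical digital component warrant different controls; the cycle lengths
# here are illustrative, not a standard.
ASSESSMENT_CYCLE_DAYS = {"critical": 365, "commodity": 730}


@dataclass
class Vendor:
    """One row of a constructed vendor register."""
    name: str
    tier: str                              # "critical" or "commodity" (assumed tiers)
    owners: list = field(default_factory=list)   # internal relationship owners
    last_assessed: Optional[date] = None   # date of the last cybersecurity assessment
    reassessment_right_in_contract: bool = False
    data_controls_documented: bool = False  # how data is stored/transferred
    sub_supplier_clause: bool = False       # governance of the vendor's own suppliers


def review_vendor(v: Vendor, today: date) -> list:
    """Return finding codes for one vendor against the risk-analysis questions."""
    findings = []

    # Ownership: an orphaned supplier has nobody watching it; a single owner has no redundancy.
    if not v.owners:
        findings.append("orphaned")
    elif len(v.owners) == 1:
        findings.append("single-owner")

    # Assessment cadence: assessed at onboarding, then on a scheduled cycle.
    cycle = ASSESSMENT_CYCLE_DAYS[v.tier]
    if v.last_assessed is None:
        findings.append("never-assessed")
    elif (today - v.last_assessed).days > cycle:
        findings.append("assessment-overdue")

    # Contract: the right to reassess must be written in, or the cycle cannot be enforced.
    if not v.reassessment_right_in_contract:
        findings.append("no-reassessment-right")

    # Controls: data handling must be documented for every product/service;
    # sub-supplier governance is required here only for the critical tier (assumption).
    if not v.data_controls_documented:
        findings.append("no-data-controls")
    if v.tier == "critical" and not v.sub_supplier_clause:
        findings.append("no-sub-supplier-clause")

    return findings


def review_register(vendors: list, today: date) -> dict:
    """Map each vendor name to its findings, omitting vendors with none."""
    result = {}
    for v in vendors:
        findings = review_vendor(v, today)
        if findings:
            result[v.name] = findings
    return result


# Constructed sample register; the review date is the article's publication date.
TODAY = date(2025, 1, 6)
SAMPLE_VENDORS = [
    Vendor("ChipWorks", "critical", ["A. Patel", "J. Kim"], date(2024, 3, 1),
           reassessment_right_in_contract=True, data_controls_documented=True,
           sub_supplier_clause=True),
    Vendor("Precision Etch", "critical", ["L. Gomez"], date(2023, 10, 15),
           reassessment_right_in_contract=False, data_controls_documented=True,
           sub_supplier_clause=False),
    Vendor("OfficeMart", "commodity", [], None,
           reassessment_right_in_contract=True, data_controls_documented=False,
           sub_supplier_clause=False),
]

if __name__ == "__main__":
    for name, findings in review_register(SAMPLE_VENDORS, TODAY).items():
        print(f"{name}: {', '.join(findings)}")
```

Running the sample flags Precision Etch for a single owner, an overdue assessment, a missing reassessment right, and a missing sub-supplier clause, and OfficeMart for being orphaned, never assessed, and lacking documented data controls; ChipWorks passes. The register itself is the artifact worth keeping: the annual review in the policy above becomes a re-run of the same checks with a new date.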

Conducting effective risk assessment activities is critical to the successful management of the manufacturing supply chain from a cybersecurity perspective. Fortunately, the outputs from these efforts provide the roadmap for a robust supply chain cybersecurity program, and thereby help to minimize supply chain disruption and subsequent interruption to your core business. All of this will protect customer satisfaction and company profitability.


About the Author:
Matthew DeChant is the CEO of Security Counsel, a Cybersecurity management consultancy. Matt has 25 years of experience building information technology and security programs for numerous industry segments including manufacturing. As an in-house CISO and through Security Counsel, Matt has managed the creation of cybersecurity programs for numerous clients and their executive teams, corporate boards, and high-net-worth individuals. He leads response events and conducts tabletop exercises with his clients to help them prepare for their potential worst-case scenario cybersecurity events. He is part of numerous cybersecurity best practices committees & boards and is passionate about supporting quality cybersecurity education.
