The proliferation of digitalization across industrial sectors has enhanced throughput and minimized manufacturing defects. Modern technology and manufacturing have become inseparable, and for good reason. However, implementation is not without its downsides. Cybercriminals have turned their attention to production lines.

For many manufacturers, navigating cybersecurity incidents at this scale is unfamiliar, so they haven’t considered the risks posed by third parties. Suppliers and vendors often drastically increase the risk of data breaches and malware injection. Digitalization is here to stay, so industry professionals must master risk management.

Third-Party Vendors Pose Cybersecurity Risks

Heightened information technology (IT) and operational technology (OT) convergence, the widespread use of software-as-a-service platforms and increased industrial Internet of Things adoption have expanded third-party environments exponentially.

Even when examining the distribution of cyberattacks worldwide, manufacturing remains one of the most frequent targets of cyber threats. In fact, it was the most targeted industry in 2024, experiencing 26% of all cyberattacks — more than the finance, business, energy or transportation sectors. Just over five years prior, it was at 10%.

Even if all vendors follow cybersecurity best practices perfectly — and few do — their very existence increases attack surfaces. Many expose manufacturers to insider threats, malware and compromised systems. Even if their IT environment is totally separate, they can still lose proprietary or personally identifiable information to cybercriminals.

A common misconception is that cybercriminals almost exclusively target high-profile organizations that can afford to pay substantial ransoms. However, Verizon’s 2023 Data Breach Investigations Report revealed that operations with fewer than 1,000 employees were targeted nearly as much as those with more than 1,000 employees.

In reality, cybercriminals often go out of their way to target suppliers and vendors because their security posture is less robust, yet they are still connected to internal systems or process critical data. While manufacturers focus on defending critical systems from external threats, attackers often slip in through internal doors left ajar.

The Consequences of Third-Party Attacks

Say a hacker compromises a third-party manufacturing execution system and takes advantage of IT/OT convergence to move into a programmable logic controller. They could trigger erroneous alarms, physically damage equipment or cause total system failure.

In the best-case scenario, professionals spend hours resolving strange machine behaviors. At worst, the entire production floor shuts down because hardware is irreparably damaged or out-of-control manipulators injure workers. Breaches at the vendor level can compromise OT systems, expose intellectual property, cause noncompliance or harm brand reputation.

The consequences of a third-party attack are similar to those of regular cyberattacks, the main difference being damage to business relationships. Depending on how the interconnections are set up, cybercriminals may target hardware or data storage systems they wouldn’t have access to otherwise, expanding the attack’s scope.

Theoretically, the attacker could use the manufacturing facility as a springboard to target third parties beyond the one it initially compromised, resulting in a massive cyberattack that impacts the entire supply chain. In this scenario, the other vendors could hold the manufacturer accountable, potentially leading to legal consequences.

5 Risk Management Strategies for Manufacturers

The hardware and software supply chains in industrial environments are incredibly complex. Manufacturers must be diligent about reducing third-party breach risks.

1. Establish a Vendor Selection Process

Cyber threats extend beyond third-party providers. According to PwC, just 34% of industrial sector professionals understand their nth-party risks well. As a result, only 44% audit vendors’ security postures and just 36% have rewritten contracts to mitigate risk. A rigorous vendor selection and assessment process with surprise audits is key.

2. Eliminate Shadow IT and OT

Shadow IT and OT can increase the attack surface, lead to data breaches or cause strange equipment behavior. Identifying them within the immediate environment is tough enough, so how do leaders prevent third parties from using them? Strict onboarding and auditing processes are crucial since unauthorized applications and devices won’t appear in documentation.

3. Air Gap the IT and OT Networks

Cyberattacks targeting OT have doubled since 2009, mainly due to OT’s convergence with IT. These attacks were still relatively rare before 2019, but incident volume has risen dramatically since then. Many industry professionals wrongly believe they have air-gapped systems when they don’t, which can increase the risk of compromise.

Designing an airtight air gap involves completely isolating the OT environment, which can hinder data collection and subsequent applications since IT applications must receive the required input from OT. An alternative is to use firewalls between adjacent layers, but that only stops lateral movement. Preventing vertical movement requires unidirectional networks or gateways.
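One way to test the belief that OT is isolated is to write down every permitted flow between zones and check whether an untrusted zone can still reach the control network in several hops. The Python sketch below is an added example, not part of the original article; the zone names and rule sets are constructed, and each rule simply means the source zone may initiate traffic to the destination zone.

```python
from collections import deque

# Constructed zone model (hypothetical names). Each rule is (source, destination):
# the source zone may initiate traffic to the destination zone.
FIREWALLED = [
    ("vendor_vpn", "enterprise_it"),
    ("enterprise_it", "dmz"), ("dmz", "enterprise_it"),
    ("dmz", "mes"), ("mes", "dmz"),
    ("mes", "plc_cell"), ("plc_cell", "mes"),
]

# Same plant, but the DMZ/MES boundary is a one-way gateway: data may leave OT
# (mes -> dmz) and nothing may be initiated inbound (dmz -> mes is removed).
UNIDIRECTIONAL = [rule for rule in FIREWALLED if rule != ("dmz", "mes")]


def find_path(rules, start, target):
    """Return the shortest chain of zones from start to target, or None."""
    graph = {}
    for src, dst in rules:
        graph.setdefault(src, []).append(dst)
    queue, parent = deque([start]), {start: None}
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for nxt in graph.get(zone, []):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return None


def audit(rules, untrusted=("vendor_vpn", "enterprise_it"), protected="plc_cell"):
    """Map each untrusted zone to its route into the protected zone (None = isolated)."""
    return {zone: find_path(rules, zone, protected) for zone in untrusted}


if __name__ == "__main__":
    for name, rules in (("firewalled", FIREWALLED), ("unidirectional", UNIDIRECTIONAL)):
        print(name, audit(rules))
        # Plant data should still flow upward from OT to IT in both designs.
        print("  OT data reaches IT:", find_path(rules, "plc_cell", "enterprise_it"))
```

In the firewalled model every individual rule only joins adjacent layers, yet the vendor connection still has a four-hop route to the PLC cell; removing the single inbound rule at the one-way boundary cuts that route while leaving the upward data path intact.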

4. Separate Low and High-Security Systems

Decision-makers should go beyond IT and OT, isolating systems based on their threat level. They should disconnect low and high-security systems by placing them on separate, secure networks. This segmentation approach can help prevent critical issues.

5. Adopt the Principle of Least Privilege

Zero-trust architecture operates on the principle of least privilege — that people should only get the fundamental privileges their duties require. No person or device is to be trusted, regardless of how long they’ve been at the facility or how high their rank is. It is typically leveraged internally, but leaders can apply it to vendors and suppliers.

Manufacturers Can Secure Their Environments

Rigorous vendor assessments, air-gapped IT and OT systems, shadow IT identification, network segmentation and a zero-trust approach can help defend against third-party attacks. However, leaders must remember that no cybersecurity strategy is foolproof. Even if they achieve 99.99% protection, that gap is large enough for determined hackers to slip through.

A simple fact of the digital age is that even the most diligent and trustworthy suppliers are vulnerable to cyberattacks. Unless their negligence caused the breach, manufacturers shouldn’t hold the incident against them. However, that doesn’t mean they should continue with business as usual. They should take each incident as a learning opportunity to strengthen their defenses.
