The Hidden Risk in Your Supply Chain: Securing What You Don't Control

The average operational environment is a patchwork of operational technology (OT) from third-party vendors, many of whom regularly access it remotely to support and maintain their technology.

According to a Ponemon Institute survey of security professionals, 60% of organizations have given OT systems access to over 50 different vendors. A quarter have given access to over 100.
That’s 50-100 potential points of exposure where the cybersecurity team has at least some reliance on third-party security practices.

This limited control and visibility not only affects an organization's ability to react, but it can also lead to unexpected risks hiding in your supply chain.

What is supply chain security?

Protecting your business from the risks vendors, products, and services introduce is the essence of supply chain security. It covers everything upstream of your operations, including software, hardware, components, and service providers. Strong supply chain security sets clear standards for partners and checks that those standards are being met over time.

The goal of supply chain risk management is to ensure weaknesses outside your organization don’t become problems inside it.

A supply chain attack happens when someone targets one of those trusted links in an attempt to steal your data, commit payment fraud, or do something else malicious. Instead of attacking your systems directly, they break into a supplier, tamper with a tool or update, or slip malware into something you use every day. That’s why supply chain security is about ongoing verification practices so you can catch issues early, before they spread.

Supply chain attacks: An easy-to-dismiss risk vector

Less than 10% of organizations ranked the supply chain as one of their organization's top three security priorities, according to the 2024 State of ICS Cybersecurity report. More than 40% of respondents ranked it sixth of the seven priorities, and over a quarter ranked it in last place.

But according to the 2024 Global Cybersecurity Outlook Report by the World Economic Forum, 41% of organizations that had suffered a material incident in the preceding year put the blame on a third party.

This gap between priority and reality demonstrates a disconnect that has to be addressed.

Examples of third parties impacting supply chain risk

Vendors that design, manufacture and support equipment or software

Integrators that install, configure, and maintain systems

Networks and telecoms that offer internet, remote and site connectivity

IT and support that procure, install and support systems and software

And many more, including…

Construction

Drilling

Engineering

Transportation

Camps

Security

Data Warehousing

Data Analysis

Why are supply chain attacks on the rise?

Modern businesses depend on sprawling networks of software, cloud services, open-source components, and specialized suppliers. This leaves them vulnerable because a single compromise upstream can cascade to dozens or hundreds of downstream targets. For cybercriminals, these supply chain attacks are far more efficient than going after companies one by one.

On top of that, attackers (including well-resourced criminal groups and state actors) have learned that trust relationships and automated update pipelines are high-leverage entry points. Many company leaders aren’t well-versed in the gaps caused by third-party players: the 2024 Global Cybersecurity Outlook Report found that 54% of organizations have an insufficient understanding of cyber vulnerabilities in their supply chain. AI is helping attackers move faster and scale their campaigns, increasing their odds of success.

Cybercrime Magazine notes that the cost of software supply chain attacks was expected to rise from $46 billion in 2023 to $60 billion by 2025. And, while Gartner first predicted supply chain attacks would rise to impact 45% of organizations by 2025, that was a very conservative estimate. BlackBerry reported in 2024 that 75% of organizations had experienced a cyberattack in their software supply chain within the past 12 months.

What is the most common entry point for a supply chain attack?

  • Vendor/service-provider access accounts
    • Remote access, such as MSP or software vendor logins, are used by attackers to reach customers.
    • On-site access introduces malware carried on the laptop of a vendor’s employee.
  • Developer/maintainer identities for code repositories or package registries (phishing or social engineering to hijack accounts, then publish poisoned updates).
  • CI/CD or build-system secrets exposed or stolen, enabling attackers to sign or distribute trojanized software updates.

What is operational technology?

OT (including Industrial Control Systems) is the bridge between technology and the real world. From programmable logic controllers (PLC) to discrete process control systems (DPC), these systems interface with physical equipment to manufacture, refine, and deliver everything from energy to food.

The term ‘operational technology’ first showed up in the early 2000s as a response to the rise of interconnected technology being implemented in operational environments. This movement was making the operational environment as connected as the IT environment, leading to a similar abbreviation.

Previously, equipment had been operated in person, with fragmented architectures, cumbersome management processes, and limited outside connectivity. New, connected equipment allows businesses to implement remote, centralized control, which increases efficiency.

However, this efficiency comes at a cost: increased risk.

OT security vs. IT security

In large part, OT is at risk because it is now as connected as IT. Yet despite these similarities, the intrinsic differences between the two mean that IT-centric security measures are inadequate for OT environments. OT environments are dominated by relatively older systems and a focus on uninterrupted operations, which often override any security concerns and prevent the application of IT security controls.

Andrew Ginter sums up the differences between IT and OT very effectively:

  • In IT security, you protect information.
  • In OT security, you protect systems from information.

In other words, in IT, you want to stop attackers from getting into your system and taking or corrupting your stored data. In OT, you want to stop attackers from sending commands (i.e. data) that take control of your equipment, including through third-party vendors.

Why is OT vulnerable to third-party attacks?

Few organizations have the ability or investment to develop, build, and maintain all operational equipment. So, they rely on third-party vendors not only to engineer and build the equipment, but to update it as well.

Added to that, OT is often sold with strings attached (i.e. lock-in).

Due to the real-world safety risks associated with the loss or compromise of OT systems, many vendors will no longer warrant that the equipment will work as expected or accept liability for anything that goes wrong if your organization accesses the device.

As a result, organizations authorize access for an average of 77 third-party vendors, according to the Ponemon Institute survey.

These vendors may have direct connections to the network in order to monitor and work on the OT systems they installed. Some may send workers to plug their laptops directly into your network, or they may have periodic remote access.

Regardless of how these vendors are monitoring and maintaining their systems, they are connecting to your network in some way, shape, or form.

That’s 77 vendors you have limited control over, installing their technology into your OT environment and increasing your supply chain risk. This risk continues as they maintain ongoing connectivity to your network to support their equipment or system.

The increased OT complexity caused by mergers and acquisitions

A single organization’s production security is complex enough on its own. But, in some industries, like oil & gas, mergers and acquisitions are everyday occurrences.

Aside from the business complexities this creates, it also integrates facilities that rely on technology from different vendors, often with incompatible or barely compatible software. Simply replacing all the technology with an organizational standard could take months or years and is rarely feasible, leaving production environments twice as complex, with twice as many vulnerabilities as previously.

As businesses continue to merge and divide, the OT sprawl only increases, putting organizations at greater risk of a breach.

The risks of supply chain security breaches

Until recently, OT systems were generally isolated from IT networks. They operated independently and often had no real connectivity to broader business networks or the Internet.

Complex technology with greater connectivity opens the door for outside threats

Today, as organizations become more and more data hungry, companies are deploying increasingly complex technology in OT networks, replacing older, proprietary networks with IP networks that offer the potential for greater connectivity.

With this new technology, organizations can:

  • increase the amount of data that is generated
  • derive significant business value from this data with modern-day data analytics (including, but not limited to AI), like
    • ordering/processing efficiency
    • process optimization
    • analytics (where can I improve performance?)
    • real-time feedback to customers (where is my order at?)
    • just-in-time management of materials/ingredients/components,
    • etc.
  • take advantage of the cloud in OT networks

The result is that we now have exponentially more "things" connected to OT networks, driving our networks to expand in scope. While this supports better data and real-time insights, it also increases the risk for supply chain attacks.

Outdated systems or unpatched infrastructure can be vulnerable to malicious attacks

Despite the growth, many companies continue to operate using older, more vulnerable infrastructure to avoid the capital costs and the loss of production that come with change. In addition, many of the higher-level OT systems are running on common platforms (Windows) and are therefore familiar to attackers and subject to common attacks.

This increased demand for data drives the increased connectivity to business networks, which increases the risk and exposure to familiar attacks, like:

  • Ransomware
  • Malware
  • Denial of service (DoS)

It also provides a pathway that attackers can leverage to gain entry and then move laterally through industrial environments.

These consequences are familiar because they are prevalent in IT. But, because OT is a bridge between the digital and real world, the aftermath of a breach in an OT environment carries risks that extend past digital or business consequences to impact the real world.

What is a real-life example of a supply chain attack?

If hackers gain access to OT systems, they can shut down a facility. A Russian advanced persistent threat group known as "Sandworm" was able to do exactly this when they gained access to Ukrainian energy distribution companies in 2015. They disrupted power in parts of Ukraine, leading to a blackout of one to six hours for over 200,000 customers.

Beyond that, malicious actors can also take control of your operations, disabling safety systems, reprogramming firmware, and even physically destroying equipment, as happened in the Fuxnet ICS Malware attack on Moscollector, a Moscow-based company managing water supply and wastewater treatment.

For critical infrastructure, however, the risks are even higher.

For example, in 2024, a ransomware attack on Synnovis, a vendor to England's National Health Service, resulted in the death of a patient.

Consequences like this make OT security essential not only for the safety of the company, but for the people who work for it and its customers.

Top supply chain risk vectors

Third-party software risks

  • Vendor software often contains vulnerabilities due to:
    • Lack of software development and cybersecurity experience
    • Business pressures to release new features and versions
    • An overriding focus on operational functionality and reliability
    • Lack of cybersecurity testing
    • Inability to update due to operational needs, complex interdependencies, and long system lifecycles
  • Vendor’s published software can be replaced with compromised versions, which are then downloaded and installed in customer networks
  • Vendor emails can be compromised, leading to malicious actors gaining control of trusted communications

Vendor access failures

  • Installing unauthorized remote access software such as TeamViewer
  • Simple passwords that never change
  • Unauthorized Internet connectivity, such as cellular devices
  • Vendors sharing passwords or accounts
  • Vendors changing settings or creating accounts outside of company process
  • Connecting unauthorized or compromised laptops
  • Connecting USB devices containing malware

How to address OT third-party vulnerabilities

As in most complex, connected environments, perfect security isn’t possible. So, the first step in maintaining a secure OT environment is to find where your focus and investment will have the biggest impact.

1. Perform a supply chain security assessment

A supply chain security assessment that reviews your OT environment will help you find where the ‘biggest bang’ would happen if there were a breach. You need to know:

  • Is there a third-party-managed system that your entire production line relies on?
  • Is there a safety mechanism that keeps your facility from melting down?
  • Is there a delivery system that your clients rely on?

It’s critical to understand your cyber vulnerabilities so you know where to prioritize updates or support. Without regular assessments of your technology and processes, you are essentially flying blind.

2. Establish third-party risk management

Evaluating publicly available information about your vendors will give you insight into which ones you can trust, where further investigation is warranted, and which ones need more oversight or a nudge to take their security more seriously.

  1. Know every vendor, asset, and remote pathway into OT (including subcontractors).
  2. Prioritize the ones with privileged access to safety/production-critical systems.
  3. Enforce MFA/PAM, least privilege, time-boxed sessions, and full session recording for OT support.
  4. Validate vendor patching, vulnerability handling, secure SDLC (for OT software), and incident disclosure.
  5. Keep vendor activity in tightly scoped zones, routed through monitored intermediaries so a compromise can’t spread laterally.

Treat third-party risk as continuous. You need to review access, configs, and vendor posture on a set cadence.
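One way to put the five steps above on a cadence is a scripted access review. The following is an added example (not iON's or the author's tooling): it flags each vendor remote-access account that lacks the controls listed (MFA, time-boxed sessions, session recording, a monitored intermediary, scoped zones, fresh credentials) and ranks the findings by the criticality of the systems the account can reach. Vendor names, zone labels, field names and thresholds are all constructed.

```python
"""Vendor remote-access review for OT, as an added example (not iON's tooling):
flag accounts that lack the controls above and rank them by the criticality of
the systems they reach. All records, field names and thresholds are constructed."""
from dataclasses import dataclass
from datetime import date

# Zone -> criticality weight; safety and production-critical zones rank highest.
ZONE_CRITICALITY = {"safety": 3, "production": 2, "enterprise": 1}
MAX_PW_AGE_DAYS = 90     # policy thresholds (constructed)
MAX_SESSION_HOURS = 8

@dataclass
class VendorAccess:
    vendor: str
    account: str
    zones: list             # OT zones this account can reach
    mfa: bool
    max_session_hours: int  # 0 = no session limit enforced
    session_recording: bool
    via_jump_host: bool     # routed through a monitored intermediary
    password_changed: date
    shared_account: bool = False

# One predicate per control gap; each returns True when the account fails it.
CHECKS = [
    ("no MFA", lambda a, t: not a.mfa),
    ("shared account", lambda a, t: a.shared_account),
    ("session not time-boxed", lambda a, t: not 0 < a.max_session_hours <= MAX_SESSION_HOURS),
    ("no session recording", lambda a, t: not a.session_recording),
    ("direct access, no monitored intermediary", lambda a, t: not a.via_jump_host),
    ("stale credential", lambda a, t: (t - a.password_changed).days > MAX_PW_AGE_DAYS),
    ("reaches multiple zones", lambda a, t: len(a.zones) > 1),
]

def review_account(acct, today):
    """Return the names of the controls this vendor account fails."""
    return [name for name, failed in CHECKS if failed(acct, today)]

def prioritize(accounts, today):
    """Score = (most critical reachable zone) x (gap count); highest risk first."""
    findings = []
    for a in accounts:
        gaps = review_account(a, today)
        if gaps:
            crit = max(ZONE_CRITICALITY.get(z, 1) for z in a.zones)
            findings.append((crit * len(gaps), a.vendor, a.account, gaps))
    return sorted(findings, key=lambda f: f[0], reverse=True)

# Constructed inventory: a poorly controlled safety-zone vendor, a compliant
# enterprise-zone vendor, and a production vendor with two gaps.
SAMPLE = [
    VendorAccess("PumpCo", "pumpco-svc", ["safety", "production"], False, 0, False, False, date(2022, 1, 15), True),
    VendorAccess("HistorianInc", "hist-support", ["enterprise"], True, 4, True, True, date(2025, 4, 1)),
    VendorAccess("PLCVendor", "plc-eng", ["production"], True, 24, True, True, date(2025, 2, 10)),
]
TODAY = date(2025, 6, 1)  # constructed review date
```

Running `prioritize(SAMPLE, TODAY)` puts the safety-zone vendor with every control missing at the top of the list and leaves the compliant vendor out entirely, which is the ordering the assessment in step 1 is meant to produce.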

3. Implement security measures and OT best practices

Once you understand where to focus your efforts, there are a few essential security measures you can implement to make the biggest impact.

  • Shift security left by embedding it in your procurement processes, leveraging RFPs and purchase agreements where possible.
  • Implement sheep dip solutions, like USB cleaning kiosks and secure file shares.
  • Manage credentials through centralized authentication and provisioning, secure onboarding/offboarding process, federated identity and regular reviews.
  • Build security into your network architecture through segmentation, guest/vendor networks, network access control, secure remote access solutions, and monitoring to increase visibility.
  • Hold vendors accountable by maintaining as much visibility as possible into their practices and using the leverage you have to correct insecure practices.

Secure your supply chain with expert support from iON

Starting with those first internal and external risk audits, we can help you manage third-party risks to your OT in a variety of ways. These include security assessments, creating secure architecture templates, and implementing security technologies for segmentation, visibility, identity, and remote access.

We can also help you increase the safety of your third-party vendors by interfacing with them to assess and encourage security on their end, or even work with them to pinpoint their weaknesses and offer solutions that will keep them and their customers secure.

Supply chain risk management is crucial to long-term success in our digital-first world. To assess your risk and improve your vendor security, talk to an iON expert today.

From the desk of Stephen Mathezer, VP of Service Delivery & Innovation

Stephen is a seasoned security expert with over 20 years of experience in operating system and network security. He specializes in architecting, implementing, and managing security solutions, prioritizing the optimization of existing tools before adopting new technologies. With a background in both operational and architectural security, he has secured industrial control networks in the oil and gas sector and conducted extensive security assessments and penetration tests. His expertise helps organizations enhance visibility, detect threats, and reduce risk. Stephen holds multiple cybersecurity certifications and is a SANS Certified Instructor.
