Introduction
You’ve done the work. Your OT environment is assessed. Your controls are in place. Your team understands the risks and knows how to respond. By any reasonable measure, your production environment is well protected.
But what about your supplier chain?
What happens when a key component or logistics supplier is hit by ransomware or other malware and their factory goes offline? Their production stops. Your orders go unfulfilled. Within days, depending on how much buffer stock you carry, your own production line starts to feel the pressure. Within a week, it may stop entirely, impacting your revenue and reputation.
You were not attacked. Your systems were not touched. But your operations are disrupted all the same.
This is the supply chain cyber security risk that most OEMs and Tier 1 manufacturers have not yet fully addressed. Your OT security posture is not determined by your own controls alone. It is determined by the ability of every critical supplier in your chain to keep their production running. And the weakest link in that chain is almost certainly not you.
Why internal controls are necessary but not sufficient
Large manufacturers are making progress on OT security. Dedicated security teams, defined policies, frameworks aligned to NIST or IEC 62443, and formal risk management programmes are starting to be seen at the top of the supply chain. That investment is real and it matters.
What it cannot do is protect against the production consequences of a supplier going offline. No firewall prevents that. No incident response plan covers it. The risk is not technical, it is operational, and it sits entirely outside the boundary of your own environment.
The question for any OEM or Tier 1 manufacturer is therefore not only “how secure are we?” It is “how secure are the businesses we depend on to keep our production running?”
The ripple effect of a supplier production halt
When a manufacturer is taken offline by a cyber incident, the immediate damage is theirs. The ransomware, the encrypted systems, the recovery costs, the regulatory exposure: all of that falls on the business that was attacked. But the operational consequences do not stay contained.
In lean manufacturing environments, where just-in-time delivery has reduced inventory buffers to a minimum, the downstream effects of a supplier outage can be felt within days. A single component unavailable from a single source is enough to halt assembly at multiple sites further up the chain. The larger and more complex the product, the greater the number of dependencies, and the more points of potential failure.
The commercial consequences follow quickly. Delivery obligations do not pause because a supplier had a bad week. Contractual penalties, emergency sourcing at premium cost, and damaged customer relationships are the near-term results of disruptions that originated elsewhere in the chain.
The global financial impact of OT cyber incidents is projected to exceed $329 billion, with the majority of those losses driven not by direct damage but by cascading shutdowns, recovery time, and supply chain disruption. Most of that cost lands on businesses that were never directly targeted.
When it happens in practice: ASCO Industries, 2019
In June 2019, ASCO Industries, a Belgian Tier 1 aerospace supplier manufacturing critical wing components, slats, and flap systems, was hit by a ransomware attack. ASCO was not an obscure business. It supplied directly into Boeing, Airbus, Bombardier, and Lockheed Martin.
The attack forced ASCO to shut down all four of its global factories. The shutdown lasted for several weeks. None of the OEMs had been attacked. None of their own systems were compromised. But all of them felt the consequences. Production builds had to be re-sequenced, delivery schedules shifted, and thousands of workers across the supply chain were furloughed while the disruption worked its way through.
The ASCO incident is one of the clearest illustrations of how a single cyber incident at a single supplier can halt production across multiple major OEM programmes simultaneously. The attack did not travel up the chain. The disruption did.
Why smaller suppliers carry the most risk
The cyber security posture of a supply chain is not set by its strongest member. It is set by its weakest.
Smaller manufacturers, the Tier 2 and Tier 3 suppliers that form the foundation of most industrial supply chains, face a combination of factors that make them genuinely more vulnerable to a damaging cyber incident. Security budgets are limited, and competing operational pressures mean that investment in OT security is often deferred in favour of more visible priorities. There may be no dedicated security resource at all. Legacy equipment is common, patching is inconsistent, and the gap between what a credible OT security posture looks like and what actually exists can be significant.
None of this reflects a failure of intent. It reflects the reality of running a smaller manufacturing business without the resources or specialist capability that larger organisations can bring to bear. But the consequence, from the perspective of supply chain risk, is consistent: the most vulnerable businesses in the chain are also the ones that can cause the most disruption when they go offline.
What relying on self-certification misses
It’s true that many OEMs and Tier 1 manufacturers have some form of supplier security questionnaire in place. Suppliers are asked to confirm that they have policies, that they carry out patching, that they have some form of incident response capability. The box is ticked and the relationship continues.
The problem is that self-certification tells you what a supplier believes about their own security posture, not what their posture actually is. A supplier can answer every question in good faith and still have significant gaps. They do not know what they do not know. Their legacy OT environment may have vulnerabilities that no one in the business has the expertise to identify. Their remote access arrangements may have been set up years ago with no formal controls around them.
A questionnaire cannot surface what the supplier cannot see. It gives you a record of assurance, not a meaningful picture of risk.
The case for a structured supplier assessment approach
The proportionate response is not to audit every supplier to the depth of a formal certification programme. That is neither practical nor necessary for most supply chains. The goal is to identify where the greatest risk actually sits, and to address it in a way that is reasonable for all parties.
That starts with understanding your own supply chain clearly. Which suppliers are genuinely critical to continued production? How long could you sustain operations if each of them went offline? Which of them are likely to have the lowest security maturity based on their size, their sector, and what you already know about how they operate?
From that foundation, a structured but light-touch assessment approach, one designed for OT and manufacturing environments rather than adapted from IT security frameworks, gives you an actionable picture of your exposure. It tells you where to focus, where to engage with suppliers to raise their posture, and where the residual risk is manageable. It also gives you a credible basis for responding to the questions that procurement teams at your own customers are increasingly starting to ask.
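The three questions above (is the supplier critical, how long could we run without them, how mature are they) can be turned into a simple triage that ranks a supply base by production exposure rather than by questionnaire score. The following is an added illustration, not Harpoon's method or tooling; the three-week outage assumption, the 75% coverage figure for a second source, the maturity scale and the action thresholds are all hypothetical planning values chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class Supplier:
    name: str
    single_source: bool   # True when no qualified alternate source exists for the part
    buffer_days: int      # days of stock on hand before our own line feels the shortage
    maturity: int         # OT security maturity, 1 (no dedicated resource) to 5 (mature programme)

# Hypothetical planning assumption: a ransomware outage at a supplier lasts about
# three weeks, in line with the multi-week shutdown described for ASCO.
ASSUMED_OUTAGE_DAYS = 21

def lost_production_days(s: Supplier, outage_days: int = ASSUMED_OUTAGE_DAYS) -> float:
    """Days our own line would stand still if this supplier went offline for outage_days."""
    uncovered = max(0, outage_days - s.buffer_days)
    # Assumption: a second qualified source covers roughly 75% of the gap after re-sourcing.
    return uncovered if s.single_source else uncovered * 0.25

def likelihood(s: Supplier) -> float:
    """Crude likelihood proxy: the lower the maturity, the more likely an outage."""
    return (6 - max(1, min(5, s.maturity))) / 5   # 1.0 at maturity 1, 0.2 at maturity 5

def exposure_score(s: Supplier, outage_days: int = ASSUMED_OUTAGE_DAYS) -> float:
    """Expected lost production days, i.e. impact weighted by likelihood."""
    return lost_production_days(s, outage_days) * likelihood(s)

def recommended_action(score: float) -> str:
    # Thresholds are illustrative assumptions, not an industry standard.
    if score >= 8:
        return "assess on site and agree remediation"
    if score >= 2:
        return "engage supplier and raise posture"
    return "monitor; residual risk acceptable"

def triage(suppliers: list, outage_days: int = ASSUMED_OUTAGE_DAYS) -> list:
    """Rank suppliers by exposure and attach a proportionate next step."""
    scored = [(s.name, exposure_score(s, outage_days)) for s in suppliers]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, round(score, 1), recommended_action(score)) for name, score in scored]

# Constructed sample supply base (illustrative names and values, not real suppliers).
SAMPLE_SUPPLIERS = [
    Supplier("Tier 2 slat machining", single_source=True, buffer_days=5, maturity=2),
    Supplier("Fastener distributor", single_source=False, buffer_days=30, maturity=3),
    Supplier("Tier 3 harness assembly", single_source=True, buffer_days=10, maturity=1),
    Supplier("Control panel integrator", single_source=False, buffer_days=2, maturity=4),
]

if __name__ == "__main__":
    for name, score, action in triage(SAMPLE_SUPPLIERS):
        print(f"{name:28} exposure={score:5.1f}  -> {action}")
```

Note that the fastener distributor scores zero despite middling maturity because its buffer outlasts the assumed outage, while the low-maturity single-source Tier 3 supplier rises to the top even though it may never appear on a questionnaire-driven watch list.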
The regulatory direction reinforces the case for acting now. The EU’s NIS2 Directive requires in-scope organisations to assess the security posture of their direct suppliers. The UK’s Cyber Security and Resilience Bill is progressing through parliament with similar supply chain provisions in scope. Customers who are subject to those requirements are already starting to ask questions of their supply base. Being able to respond with confidence protects relationships and competitive position.
Strong OT security within your own walls is the foundation. Understanding and managing the risk that sits in your supply chain is what makes that foundation worth building.
Talk to Harpoon
If you are an OEM or Tier 1 manufacturer concerned about the cyber security posture of your supply chain, Harpoon can help you understand where the risk sits and what a proportionate response looks like. Contact us to arrange a free consultation.
