OT supply chain security: the link nobody watches
When we talk about industrial cybersecurity, the conversation usually revolves around firewalls, network segmentation, or anomaly detection. Rarely does anyone mention what happens before the equipment reaches the plant floor. A PLC, an industrial switch, or an RTU ships with firmware, third-party libraries, and in many cases preconfigured remote maintenance access. All of that enters your OT network without anyone questioning it.
Why the OT supply chain is an attractive target
Compromising a single industrial component manufacturer can reach dozens or hundreds of facilities with one attack. SolarWinds in 2020 proved this logic in the IT world: a trojanized update of the Orion platform was downloaded by roughly 18,000 customers, including government agencies and critical infrastructure operators, and the attackers then picked which of those to intrude further.
In OT, the risk compounds. Industrial equipment life cycles run 15 to 25 years. That means a compromised component can remain active for decades with nobody checking its integrity. On top of that, many OT device manufacturers rely on second- and third-tier suppliers for chipsets, protocol stacks, and communication modules, each carrying their own vulnerabilities.
Real incidents that should concern you
In 2023, Mandiant documented a campaign where attackers modified the firmware of HVAC access controllers distributed to pharmaceutical plants across Europe. The altered firmware included a backdoor enabling remote access to the OT network through the climate control system.
Another less publicized but equally relevant case: in December 2020, Forescout researchers published AMNESIA:33, a set of 33 vulnerabilities in four open-source TCP/IP stacks (uIP, picoTCP, FNET and Nut/Net) embedded in products from more than 150 IoT, OT and IT vendors. The problem was not in any one final product but in shared stacks that device manufacturers had pulled in and nobody audited.
What the regulations say
IEC 62443-2-4 sets requirements for the security program of IACS service providers (integrators and maintenance providers), including how they manage their own subcontractors and the components they bring into a project. Part 4-1 requires product suppliers to follow a secure development lifecycle, including the management of third-party components, and Part 4-2 defines the technical security requirements that a component itself must meet.
The NIS2 directive, whose national rules apply from 18 October 2024, requires essential and important entities to address supply chain security, including the security-related aspects of their relationships with direct suppliers and service providers, and to carry that into vendor contracts. This is not optional: essential entities face fines of up to 10 million euros or 2% of global annual turnover, whichever is higher (7 million euros or 1.4% for important entities).
Concrete measures to protect your OT supply chain
- Require an SBOM (Software Bill of Materials) from every equipment and industrial software vendor. The SBOM lists the software components in a product, so you can match them against published vulnerabilities in third-party libraries; ask for a machine-readable format (CycloneDX or SPDX) rather than a PDF.
- Verify firmware integrity before deploying any new equipment. Compare the image's hash against the one published by the manufacturer, prefer firmware the manufacturer signs and the device verifies at boot, and, where possible, analyze the binary in an isolated environment before it touches the plant network.
- Audit remote maintenance access. Many manufacturers configure VPN connections or service ports that stay open after commissioning. Document every access point, disable what is not needed, and enforce multi-factor authentication on what remains.
- Include cybersecurity requirements in contracts. Vulnerability response times, incident notification obligations, IEC 62443 certifications: all of it should be in writing before signing.
- Monitor the behavior of new devices during the first weeks of operation. A legitimate device should not be attempting connections to unknown external IP addresses; baseline the destinations it is documented to need and alert on anything else.
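The acceptance checks behind the first, second and last measures above, written out as an added example (this is not code from the original page): verify a firmware image against the manufacturer's published SHA-256 manifest, flag SBOM components that sit below a fixed version, and list commissioning-period flows that leave the allowed networks. Every input is constructed for the example: the firmware bytes, the sha256sum-style manifest, the CycloneDX-style SBOM, the advisory table with its placeholder ADV-EXAMPLE identifiers, the flow records and the 10.20.0.0/16 allowlist. The manifest digest is computed from the constructed image so the block runs offline; in practice you copy it from the vendor's release page or signed checksum file.

```python
import hashlib
import hmac
import ipaddress
import json

# --- 1. Firmware integrity (constructed data) ---

# Stand-in for the downloaded firmware image.
FIRMWARE_IMAGE = b"constructed PLC firmware image 2.4.1\x00" * 64

# Manifest in sha256sum layout ("<hex digest>  <filename>"). Computed here from the
# constructed image so the example runs offline; normally it comes from the vendor.
VENDOR_MANIFEST = f"{hashlib.sha256(FIRMWARE_IMAGE).hexdigest()}  plc-fw-2.4.1.bin\n"


def parse_manifest(text):
    """Map filename -> expected hex digest from a sha256sum-style manifest."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected


def verify_firmware(image, filename, manifest_text):
    """True only if the image's SHA-256 equals the manifest entry for `filename`."""
    expected = parse_manifest(manifest_text).get(filename)
    if expected is None:
        return False  # no published digest: unverified, not OK
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, expected)


# --- 2. SBOM triage (constructed data) ---

# CycloneDX-style SBOM reduced to the fields this check needs.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "uip", "version": "1.0.0"},
        {"name": "mbedtls", "version": "2.28.3"},
        {"name": "freertos-kernel", "version": "10.5.1"},
    ],
})

# component name -> (advisory id, first fixed version). Placeholders, not real CVEs;
# real data comes from the vendor's PSIRT, NVD or OSV.
ADVISORIES = {
    "uip": ("ADV-EXAMPLE-0001", "1.0.1"),
    "mbedtls": ("ADV-EXAMPLE-0002", "2.28.0"),
}


def version_key(v):
    """Sortable key for dotted numeric versions; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def vulnerable_components(sbom_json, advisories):
    """[(name, version, advisory id)] for components below their fixed version."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        adv = advisories.get(comp["name"].lower())
        if adv and version_key(comp["version"]) < version_key(adv[1]):
            hits.append((comp["name"], comp["version"], adv[0]))
    return hits


# --- 3. First-weeks network baseline (constructed data) ---

# Flow records (src, dst, dst_port) captured during commissioning. 203.0.113.0/24 is
# TEST-NET-3, standing in for an unknown external host.
FLOWS = [
    ("10.20.1.15", "10.20.1.1", 502),       # Modbus/TCP to the local SCADA server
    ("10.20.1.15", "10.20.5.10", 123),      # NTP inside the plant
    ("10.20.1.15", "203.0.113.44", 443),    # unexpected outbound HTTPS
]

# Destinations the device is documented to need.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def unexpected_destinations(flows, allowed_networks):
    """Flows whose destination lies outside every allowed network."""
    return [
        (src, dst, port)
        for src, dst, port in flows
        if not any(ipaddress.ip_address(dst) in net for net in allowed_networks)
    ]


if __name__ == "__main__":
    print("firmware ok:", verify_firmware(FIRMWARE_IMAGE, "plc-fw-2.4.1.bin", VENDOR_MANIFEST))
    print("tampered ok:", verify_firmware(FIRMWARE_IMAGE + b"\x00", "plc-fw-2.4.1.bin", VENDOR_MANIFEST))
    print("vulnerable:", vulnerable_components(SBOM_JSON, ADVISORIES))
    print("unexpected:", unexpected_destinations(FLOWS, ALLOWED_NETWORKS))
```

A hash match only proves you hold the file the manufacturer published; a build compromised at the vendor, as in the SolarWinds case, passes this check, so prefer vendor-signed firmware and secure boot where the platform supports them, and treat a missing digest as a failed check rather than a pass. The SBOM check is deliberately naive about versions (dotted numeric only); for real triage, match on package URLs or CPEs and let a vulnerability database do the range matching.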
Don't trust, verify
OT supply chain security is not solved by an annual audit or a compliance questionnaire sent by email. It requires continuous visibility into what enters your industrial network and the willingness to challenge vendors who cannot demonstrate their security practices. It is a cultural shift, and for many industrial organizations, one that is years overdue.
Need to assess your industrial supply chain risks? Contact us for an initial consultation.