Adversarial Risk Group

What is a supply chain attack?

A supply chain attack is a compromise that reaches the target through a trusted vendor, supplier, software provider, or service partner.

Key takeaways

  • Supply chain attacks bypass the target's own perimeter by abusing the trust the target extends to a third party.
  • The categories include software supply chain (compromised updates, dependencies, code signing), vendor remote access (compromised vendor employees or infrastructure), services supply chain (managed providers compromised), and physical supply (counterfeit components, hardware implants).
  • For mid-market manufacturers, the dominant supply chain exposure is vendor remote-access compromise and software-update compromise; physical hardware tampering is rare.
  • Manufacturers in defense, automotive, aerospace, and energy supply chains face additional scrutiny because they are access points into larger primes.
  • Defense centers on vendor governance, software-update integrity, named-account access for vendors, and continuous monitoring of cross-boundary traffic.

What are the main types of supply chain attack?

Supply chain attacks fall into five categories. Each one has a different attack mechanic and a different set of defensive controls.

1. Software supply chain. The attacker compromises software that the target uses. The compromise can be at the vendor (modifying the build pipeline, replacing the signing key, replacing the distribution endpoint), in open-source dependencies (typosquatting, malicious update of a dependency), or in the update mechanism (man-in-the-middle on an unencrypted update channel). The compromised software is then trusted by the target's installed base.

2. Vendor remote access. The attacker compromises a vendor that has remote access to the target's environment. The vendor's own credentials, devices, or infrastructure become the attack path. Particularly important for OT-vendor relationships where the vendor has direct access to control systems.

3. Managed services supply chain. The attacker compromises a managed-service provider (MSP, MSSP, cloud provider, SaaS platform). The provider's access to multiple customer environments produces the cascading effect: one compromise reaches many downstream targets.

4. Vendor as social engineering vector. The attacker compromises a vendor's mailbox, sends BEC or spear phishing from the legitimate vendor account, and reaches the target through the inherited trust. Less famous than software-supply-chain incidents but more common at mid-market manufacturers.

5. Physical supply. Counterfeit or implanted hardware components reaching the target through legitimate procurement. Rare at the mid-market segment; more common at defense and high-value-IP targets. ARG includes this as a category for completeness; the realistic exposure for most mid-market manufacturers is low.

The right framing is that "supply chain" is not a single category. Different mechanics require different controls. A program that addresses software supply chain only (SBOM, dependency scanning, build-pipeline hardening) but ignores vendor remote access misses the dominant real-world threat.

How modern supply chains create cascading risk for manufacturers

Three properties of modern manufacturing supply chains produce cascading risk.

  1. Increasing software content in industrial equipment. Modern PLCs, HMIs, SCADA components, robotic systems, and machine tools all run software. The software receives updates from the vendor. Each update is a potential supply chain attack point.
  2. Vendor remote access as operational necessity. Equipment vendors increasingly require remote access for diagnostics, predictive maintenance, and warranty support. The remote access path is, in security terms, a permanent vendor-controlled door into the manufacturer's environment.
  3. Tiered supplier relationships. Manufacturers depend on suppliers who depend on their own suppliers. A compromise three tiers removed can reach the manufacturer through cascading trust. Tier-N suppliers are usually too small to have meaningful security programs; the cascading effect concentrates risk at the tier-1-to-tier-2 boundary.

The cascading effect is what makes supply chain risk distinct from direct attack. A direct attack requires the attacker to reach the manufacturer. A supply chain attack lets the attacker reach the manufacturer through whichever path is weakest, anywhere in the chain.

For manufacturers building products in defense, automotive, aerospace, energy, or healthcare, the cascading effect runs in the other direction too: a compromise of the manufacturer becomes an attack on the prime contractor or downstream customer. The manufacturer's security posture is part of someone else's supply chain risk model.

Why mid-market manufacturers are the soft access path to larger primes

A 200-person manufacturer that supplies parts to a defense prime contractor is, from the prime's perspective, a supply chain node with attractive properties for an attacker:

  1. Real access. The manufacturer ships product to the prime. The manufacturer holds CUI (controlled unclassified information) related to the prime's program. The manufacturer's engineering files describe the prime's products in fabrication detail.
  2. Less security investment than the prime. A Fortune 500 defense prime has substantial security investment; a 200-person tier-2 supplier usually does not. The supplier is the path of least resistance.
  3. Plausible communication. Email between the supplier and the prime is routine. A compromise of the supplier's mailbox produces plausible-looking communication into the prime.
  4. Underdeveloped flow-down enforcement. Primes flow security requirements to subcontractors; subcontractors flow them further; enforcement at tier-3 and beyond is uneven. The actual security posture at lower tiers often does not match the flow-down requirements.

The cascading-trust dynamic is what drives CMMC 2.0 and similar regulatory frameworks. The pressure from primes onto mid-market suppliers is increasing, not decreasing. The dominant near-term security investment driver for many mid-market defense suppliers is supply-chain-driven compliance pressure rather than direct threat awareness.

Examples of supply chain attacks

The historical record provides the threat model.

  • SolarWinds (2020). Compromised the build pipeline of SolarWinds Orion network management software. The malicious update reached thousands of customers, including federal agencies. Demonstrated software supply chain attack at scale through a trusted vendor.
  • Kaseya (2021). Compromised Kaseya VSA (a remote monitoring and management tool used by MSPs). Used to deploy ransomware through MSPs to their downstream customers. Demonstrated cascading impact through managed services supply chain.
  • 3CX (2023). Compromised the 3CX phone-system software. Malicious updates reached customers through the legitimate update channel. Demonstrated that software supply chain attacks affect operational tools, not just security tools.
  • MOVEit (2023). Compromised Progress Software's MOVEit file transfer tool. Affected hundreds of organizations that used MOVEit directly or whose vendors used it. Demonstrated that file-transfer infrastructure is a supply chain attack point.
  • NotPetya (2017). Compromised M.E.Doc, a Ukrainian tax accounting software package. The malicious update delivered wiper malware that affected international manufacturers (Maersk, Merck, FedEx). Demonstrated that regional vendors produce global supply chain risk.
  • Vendor-mailbox BEC at mid-market manufacturers (ongoing). A vendor's mailbox is compromised; subsequent emails from the legitimate sender route invoices or change requests through the manufacturer's accounts payable (AP). The most common real-world supply chain attack against mid-market manufacturers; rarely makes public news but accounts for material loss in aggregate. See "What is business email compromise (BEC)?"
  • OT vendor remote-access compromises (various). Vendors with remote access to OT systems have been compromised, with downstream effects on the customers they connect to. Lower public profile than IT supply chain events; comparable impact at affected facilities.

The pattern: high-profile incidents demonstrate the upper limit; the day-to-day reality at mid-market manufacturers is dominated by vendor-mailbox BEC and software-update tampering through normal IT software.

How to assess third-party and software supply chain risk

A supply chain risk assessment covers four surfaces.

1. Vendor inventory and access mapping. Every vendor that has access to the manufacturer's environment, what kind of access, what data, what frequency. Vendors with remote access into OT are flagged separately. Vendors with shared mailboxes or credentials are flagged separately. See "What is third-party risk for manufacturers?"

2. Software inventory and update mechanisms. Every piece of software in use, vendor, version, update mechanism. Software with automatic update flows is flagged separately because the update channel is the attack point. SBOM where available; vendor-disclosed component lists where SBOM is not.

3. Critical-path dependencies. Which vendor compromises would stop production. Which software compromises would prevent critical workflows. The criticality ranking determines investment priority.

4. Flow-down compliance. For manufacturers in regulated supply chains (defense, automotive, aerospace), the flow-down requirements from prime contracts mapped against actual practice. The gap between what is contractually required and what is actually implemented is itself a finding.

The output is a ranked vendor list and a ranked software list, each tagged with risk and recommended mitigation. The list is the foundation for ongoing supply chain risk management.

Best practices for supply chain risk management

  1. Vendor inventory maintained as a live document. New vendors added when onboarded; departed vendors removed when offboarded; vendor access reviewed at least quarterly.
  2. Named-account access for all vendors. Shared "vendor" accounts replaced. Each vendor representative has named credentials. Access is logged to the named account, not to "the vendor".
  3. Bastion routing for vendor remote access. All vendor connections route through a controlled jump server with MFA, session recording, and time-bounded access. See "What is the IT/OT convergence problem?"
  4. Software update controls. Updates from critical vendors received through validated channels with signature verification. Automatic updates evaluated case by case; some are appropriate, some are not. Manual update review for the highest-impact software (OT software, security software, network infrastructure software).
  5. SBOM consumption. Where vendors provide SBOMs, consume them and monitor for new vulnerabilities in disclosed components. Where vendors do not provide SBOMs, document the gap.
  6. Vendor security questionnaires that have teeth. Annual security questionnaire with named accountabilities, not check-box compliance. Findings drive contract adjustments and (for critical vendors) periodic reassessment.
  7. Continuous monitoring of vendor-side breaches. Public breach disclosures involving vendors are monitored; affected vendors are contacted to confirm scope.
  8. Incident response readiness for vendor compromise. IR playbooks include scenarios for vendor compromise: a software vendor publishes a malicious update, an OT vendor's infrastructure is compromised, a managed-service provider is breached.
  9. Insurance and compliance alignment. Supply chain risk evidence supports cyber insurance renewal and CMMC / NIST SP 800-171 compliance.
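
Practices 2 and 3 can be checked against session records. The following added example (not ARG's tooling or code from this page) audits vendor remote sessions for shared accounts, bastion bypass, missing MFA, and access outside an approved window. The log layout, bastion address, account names, and windows are constructed assumptions.

```python
import csv, io
from datetime import datetime

BASTION_IP = "10.20.0.5"  # assumed jump-server address (constructed)
SHARED_ACCOUNTS = {"vendor", "support", "oem-service"}  # generic logins (assumed names)
# Approved, time-bounded windows per named vendor account (constructed)
APPROVED_WINDOWS = {
    "acme.jlee": [("2026-03-04T08:00:00", "2026-03-04T12:00:00")],
    "roboco.mpatel": [("2026-03-05T13:00:00", "2026-03-05T15:00:00")],
}
# Constructed session records: start,account,src_ip,dest,mfa
SAMPLE_LOG = """\
2026-03-04T09:15:00,acme.jlee,10.20.0.5,hmi-line2,yes
2026-03-04T22:40:00,acme.jlee,10.20.0.5,hmi-line2,yes
2026-03-05T13:30:00,vendor,10.20.0.5,plc-press4,yes
2026-03-05T14:05:00,roboco.mpatel,203.0.113.77,robot-cell1,no
"""
FIELDS = ["start", "account", "src_ip", "dest", "mfa"]

def in_window(account, start):
    """True if the session start falls inside an approved window for this account."""
    return any(datetime.fromisoformat(a) <= start <= datetime.fromisoformat(b)
               for a, b in APPROVED_WINDOWS.get(account, []))

def audit_sessions(log_text):
    """Return (start, account, [violations]) for every session that breaks policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        problems = []
        if row["account"] in SHARED_ACCOUNTS:
            problems.append("shared account")
        if row["src_ip"] != BASTION_IP:
            problems.append("bypassed bastion")
        if row["mfa"] != "yes":
            problems.append("no MFA")
        if not in_window(row["account"], datetime.fromisoformat(row["start"])):
            problems.append("outside approved window")
        if problems:
            findings.append((row["start"], row["account"], problems))
    return findings

if __name__ == "__main__":
    for start, account, problems in audit_sessions(SAMPLE_LOG):
        print(start, account, "; ".join(problems))
```

A shared login never has an approved window in this model, so it is reported twice: once for the account type and once for the missing window.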

Supply chain attack FAQs

Is software supply chain the same as vendor supply chain?

No. Software supply chain refers specifically to attacks through the software a company uses or builds (compromised dependencies, malicious updates, code-signing compromise). Vendor supply chain is broader and includes vendor-managed services, vendor remote access, vendor employees as social engineering targets, and physical supply (counterfeit components). The two overlap; the framing matters because the controls differ.

Does CMMC require supply chain risk management?

Yes. CMMC 2.0 inherits NIST SP 800-171 controls, which include supply chain risk management requirements (3.13.13 and others in newer revisions). Defense-supplier manufacturers need documented supply chain risk management as part of their CMMC posture, with depth scaling to the assessment level. See "What is CMMC 2.0?"

How do primes flow security requirements to subcontractors?

Through contractual flow-downs. A prime contractor's contract with the government typically requires the prime to flow specified security requirements to its sub-tier suppliers, who flow them to their own subcontractors, and so on. For defense work, the flow-downs include CMMC level requirements, breach notification timelines, and cyber-insurance requirements.

What is an SBOM, and is it required?

An SBOM (Software Bill of Materials) is a formal inventory of all software components in a product, including dependencies, versions, and origins. Required for some federal procurements; increasingly common as a private-sector expectation; expected to expand across regulated industries. For manufacturers that build software-containing products, SBOM generation is becoming a baseline expectation.
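
An added example, not part of the original page or any vendor's tooling, of consuming SBOMs as described under the software inventory surface and the SBOM consumption practice above: it reads CycloneDX-style JSON, matches components against an advisory feed, and records a gap where no SBOM exists. Product names, component names, and advisory ids are constructed placeholders, and versions are assumed to be dotted integers.

```python
import json

# Constructed inventory: product -> CycloneDX-style SBOM JSON, or None if no SBOM
INVENTORY = {
    "hmi-runtime 4.2": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "example-tls", "version": "3.0.7"},
            {"type": "library", "name": "example-zip", "version": "1.10.0"},
        ]}),
    "historian 9.1": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "example-log", "version": "2.14.0"},
        ]}),
    "plc-programming-suite 7": None,
}
# Constructed advisory feed with placeholder ids: affected below fixed_in
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "example-tls", "fixed_in": "3.0.8"},
    {"id": "ADV-EXAMPLE-002", "name": "example-log", "fixed_in": "2.17.1"},
    {"id": "ADV-EXAMPLE-003", "name": "example-zip", "fixed_in": "1.9.2"},
]

def vkey(version):
    """Compare numerically: as strings, "1.10.0" would sort below "1.9.2"."""
    return tuple(int(part) for part in version.split("."))

def review_sboms(inventory, advisories):
    """Return {product: [findings]}; a missing SBOM is recorded as a gap."""
    report = {}
    for product, sbom_json in inventory.items():
        if sbom_json is None:
            report[product] = ["GAP: vendor provides no SBOM"]
            continue
        sbom = json.loads(sbom_json)
        findings = []
        for comp in sbom.get("components", []):
            for adv in advisories:
                if (comp["name"] == adv["name"]
                        and vkey(comp["version"]) < vkey(adv["fixed_in"])):
                    findings.append(f'{adv["id"]}: {comp["name"]} {comp["version"]}')
        report[product] = findings
    return report

if __name__ == "__main__":
    for product, findings in review_sboms(INVENTORY, ADVISORIES).items():
        print(product, findings or ["no known-affected components"])
```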

How ARG models supply chain exposure during audits

Supply chain exposure is part of ARG's integrated on-site audit at manufacturing clients. The work covers vendor inventory, software-update mechanisms, and critical-path dependency analysis.

The audit is conducted by David Ashby, with vendor-relationship interviews and supporting analysis from James Wall on the digital infrastructure side. The vendor inventory is built from procurement records, OT vendor management documentation, IT vendor contracts, and SaaS subscriptions. Each vendor is tagged with access type, data class, frequency, and a criticality rating.

The software inventory is built from endpoint management tools, OT system documentation, and active scanning where appropriate. The output is a software map with vendor, version, update mechanism, and (where available) SBOM linkage.

Where the engagement permits, controlled exercises validate specific supply chain attack paths during on-site weeks: vendor-impersonation pretexts that test the manufacturer's verification habits when a real-looking vendor communication arrives, OAuth-grant lures that test whether vendor-impersonation tools could obtain mailbox access, and physical pretexts that test how unfamiliar "vendor representatives" are handled at the gate. See "What is pretexting?" and "What is consent phishing (OAuth phishing)?"

Findings consolidate into the engagement report alongside third-party risk findings and the broader OT security audit. The remediation backlog prioritizes vendor-access governance, software-update controls, named-account access, and bastion routing. The output supports CMMC and NIST SP 800-171 supply chain risk management evidence.


Author: David Ashby. Updated 2026-05-18. Adversarial Risk Group.