The Cybersecurity Business Case for Manufacturing Supply Chain

Jun 23, 2022

Executive Summary:

Research shows that the manufacturing supply chain is a tinderbox for cybercrime. The good news is that there’s significant leverage from investment in basic security fundamentals.

An additional point for organizations that hold contracts with the U.S. federal government is that this research is one of the reasons for the new emphasis on compliance. Basic cybersecurity requirements already exist and flow down to the entire supply chain. Contractors with the U.S. Department of Defense (DoD) are facing pending changes from a program called Cybersecurity Maturity Model Certification (CMMC), which squarely takes aim at the problem this research illustrates.

What’s the research on cybercrime in manufacturing?

• Manufacturing was the #1 most attacked industry in 2021
• Manufacturing ranked top for all ransomware in 2020
• Defense manufacturing ranked #1 most exposed to large-scale cyber attack in a McKinsey analysis
• Manufacturing ranks second for cyber espionage, behind government targets

To be completely transparent, the 2022 Threat Intelligence Report from IBM X-Force says manufacturing is the #1 most attacked industry, while the Verizon Data Breach Investigations Report says manufacturing is #2. Either way, it’s not a popularity contest anyone wants to win.

What’s the research on supply chain visibility?

• Visibility into the supply chain tiers drops off much faster in aerospace and defense than in other verticals
• At tier 9 and beyond, manufacturing has only 9% visibility, while IT and technology has 36%

What changes with Cybersecurity Maturity Model Certification (CMMC)?

• CMMC is a change in how the U.S. Department of Defense (DoD) approaches its contractors’ compliance with the cybersecurity requirements that have been in their contracts since at least 2017.
• The clause in CMMC that gets the most attention is the introduction of third-party certification of compliance with cybersecurity requirements for organizations that handle sensitive data types.
• Pending final rulemaking, statements from DoD officials indicate that certification will be required of the entire bidding team before contract award.

DoD contractors are under no obligation until CMMC goes into effect, right?

Existing requirements in contracts since at least 2017 include:

• Implementation of a list of controls; the list varies with the sensitivity of the data you handle, but every company that does business with the federal government has at least 15 cyber requirements in its contracts now, even without CMMC
• Contractors must “flow down” the contract requirements to all subcontractors, and this flow-down continues through all levels of the supply chain
• DoD contractors are responsible for managing their suppliers’ compliance with these requirements

What’s needed?

• If your organization is already working to improve cybersecurity, then sharing this picture with stakeholders may help the medicine go down that much easier
• If your organization is a defense contractor or subcontractor that is not yet compliant with existing requirements, then show this picture to your business decision makers to gauge their appetite for keeping their existing DoD business or going after new contracts
• Watch the SecuriThink Field Notes space for more posts on how we make the business case for cybersecurity to business asset owners
• If you have comments, please join the discussion on the relevant LinkedIn post here:

1. IBM X-Force Threat Intelligence Report 2022
2. Cisco 2021 Cyber Security Threat Trends
3. McKinsey, Building a more competitive US manufacturing sector, April 15, 2021
4. Verizon Cyber-Espionage Report 2020-2021
5. Interos Annual Global Supply Chain Report 2021
6. Verizon 2022 Data Breach Investigations Report