


Team Shieldworkz
Securing the Industrial Supply Chain: Mandatory Risk Assessments Under the NIS2 Directive
For industrial organisations, the supply chain is no longer just a back-office procurement topic. It is an active, expanding part of your attack surface.
A single weak vendor account, an unvetted software update from a trusted provider, or a poorly managed remote service connection can easily become the entry point to your plant network, your safety instrumented systems, or your core production environment. That is exactly why the NIS2 Directive places supply chain security and third-party risk management directly in the spotlight.
Under the Directive, organisations in critical sectors are legally expected to take "appropriate and proportionate measures" to secure their operations. This requirement does not stop at your facility's physical walls. It extends across the suppliers, integrators, managed service providers, and technology partners that support your daily operations. In practice, this means you need to know exactly who touches your industrial environment, what they can access, how their actions are monitored, and how quickly you can contain them if their systems are compromised.
This blog translates complex regulatory requirements into an actionable, OT-focused playbook. We will break down the risks that matter most, the specific assessments you should run, the audit evidence you need to collect, and the practical controls that will help you reduce third-party exposure without slowing down plant operations.
Decoding NIS2 for the Industrial Supply Chain
What is NIS2 really asking you to do? At its core, the directive requires essential and important entities to build a repeatable, documented way to identify supplier risk, score it, remediate gaps, and prove that the industrial environment remains resilient, even when third parties fail.
The original NIS Directive touched on these concepts, but NIS2 raises the stakes by making management bodies explicitly accountable: they must approve the cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements. This elevates industrial vendor security from a purely technical IT problem to a board-level imperative.
For plant managers, OT engineers, and CISOs, the practical meaning is straightforward: you must be able to demonstrate that you understand your supplier ecosystem, have rigorously assessed the risks it introduces to operational technology, and have implemented controls that match your level of exposure.
The Four Questions Your Assessment Must Answer
To satisfy regulatory scrutiny and genuinely protect your plant, your NIS2 supply chain assessment must answer four fundamental questions:
Who are our critical suppliers, service providers, integrators, and maintenance partners?
What specific access, plant data, or technology privileges do they hold?
What is the operational and safety impact if one of these partners is compromised, becomes unavailable, or acts maliciously?
What documented evidence do we have that these risks are being reviewed, scored, and systematically reduced over time?
Why the Industrial Supply Chain is Under Unprecedented Pressure
Industrial environments operate on a very long, highly complex chain of trust. Original Equipment Manufacturers (OEMs) ship programmable logic controllers (PLCs) and firmware. System integrators configure network switches and establish remote access gateways. Managed service providers monitor alarms from off-site operation centres. Software vendors routinely push patches to human-machine interfaces (HMIs). Maintenance contractors require temporary credentials to service robotic cells. Cloud platforms ingest historian data for predictive maintenance.
Every single link in that chain can introduce critical risk. Advanced threat actors know this. They rarely try to break through your heavily fortified corporate firewall directly. Instead, they target a weaker supplier, steal their credentials, abuse established trust relationships, or compromise a routine update channel. Once inside the trusted supplier's network, they pivot into your OT environment through legitimate, allow-listed pathways.
IT Vendor Risk vs. OT Vendor Risk
Supply chain risk in an industrial setting is fundamentally different from ordinary IT vendor risk. A vendor security failure in a corporate IT system might result in a data breach or privacy violation. A vendor security failure in an industrial system can stop an assembly line, corrupt critical batch data, disrupt safety instrumentation, or force an emergency manual shutdown of hazardous processes.
| Feature | Corporate IT Vendor Risk | Industrial OT Vendor Risk |
| --- | --- | --- |
| Primary Impact | Data loss, privacy breaches, financial theft. | Production downtime, physical damage, safety incidents. |
| Typical Access | Cloud databases, CRM systems, email servers. | PLCs, HMIs, SCADA systems, engineering workstations. |
| Control Approach | Standardized, automated patching, frequent password resets. | Highly tested manual patching, compensating controls, physical safety limits. |
| Threat Vector | Compromised SaaS tools, stolen API keys. | Compromised firmware updates, abused VPN remote access. |
Common Risk Patterns in Industrial Vendor Security
When our teams audit industrial facilities, we consistently uncover the same dangerous supply chain patterns:
"Always-On" Remote Access: Vendor VPNs or remote desktop connections that are left open 24/7, rarely audited, and unmonitored.
Shared Credentials: Generic logins (e.g., "Vendor_Admin") used by multiple contractors across different service teams, making accountability impossible.
Unverified Updates: Unsigned or poorly controlled firmware, patches, and PLC configuration files applied without secondary verification.
Unmanaged Devices: Supplier laptops and diagnostic tablets that are plugged directly into plant switches without being scanned for malware.
Shadow Operations: Outsourced maintenance where the plant manager no longer knows exactly who has access to the machines, when they are logging in, or what they are changing.
In industrial cybersecurity, a supplier is not merely a digital risk. A supplier failure rapidly cascades into an availability issue, a safety hazard, and a compliance violation all at once.
A Practical NIS2 Supply Chain Risk Assessment Process
The goal of complying with the NIS2 Directive is not to generate mountains of paperwork. The goal is to build a robust, decision-making process that you can repeat efficiently for every critical supplier. Here is a practical, six-step framework designed specifically for OT environments.
Step 1: Build a Complete Supplier Inventory
You cannot secure what you do not know exists. Begin by listing every vendor, integrator, maintenance provider, cloud service, and support partner that touches your OT environment. Go beyond the obvious software vendors. Include HVAC contractors who have remote access to building management systems, third-party logistics systems tied to the warehouse, and indirect providers.
Step 2: Classify Each Relationship by Access and Impact
Not all vendors pose the same risk. Group your suppliers based on what they can physically or logically reach. Do they have remote access? Engineering access? Can they alter production data? Do they touch safety-instrumented systems (SIS)? Or do they have no direct system access at all? Once categorized by access, map the business impact. Ask the plant manager: If this supplier's access is compromised and used to send malicious commands, how much does it cost us per hour, and is anyone's physical safety at risk?
Step 3: Collect Evidence, Not Just Promises
Do not rely on a vendor's marketing brochure. Ask for hard proof. Request access logs, documentation of their secure development lifecycle (SDLC), their specific patching procedures, vulnerability handling policies, proof of Multi-Factor Authentication (MFA) enforcement, employee background screening processes, and their incident response contact matrices.
Step 4: Score Risk Using a Simple, Repeatable Model
Complex scoring algorithms are rarely adopted by busy engineering teams. Keep your model simple and practical.
Low Risk: Limited OT access + strong demonstrated controls + easy operational recovery.
Medium Risk: Partial OT access + moderate oversight + moderate production impact.
High Risk: Privileged engineering access + weak visibility/evidence + major operational or safety impact.
Factor in variables like how easily you could recover if their specific hardware failed, how frequently they require remote access, and whether they rely heavily on their own subcontractors.
Step 5: Fix the Highest-Value Gaps First
Do not try to fix everything simultaneously. Start with compensating controls that immediately reduce the "blast radius" of a compromised vendor. Remove standing access, enforce MFA for all remote connections, segment your vendor jump servers away from core production zones, strictly verify all code and firmware before deployment, and ensure you are logging every privileged action taken by a third party.
Step 6: Reassess on a Regular Cycle
An assessment is a snapshot in time. The threat landscape shifts daily. Repeat your risk assessment after any major architectural changes, during supplier contract renewals, following any cybersecurity incidents (even near-misses), and at least annually for all suppliers categorized as "High Risk."
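To make the six steps above concrete, here is an added illustration of a supplier risk register in Python. It is not Shieldworkz tooling or a model from the NIS2 text: the supplier records, the scoring weights, the thresholds for the Low/Medium/High bands and the review intervals for Medium and Low suppliers are all constructed assumptions. What it shows is the property the article asks for, namely that the same inputs always produce the same tier, that two hard rules (privileged access on unverified promises, safety systems behind single-factor logins) cannot be averaged away by a friendly score, and that each record carries its own Step 5 remediation list and Step 6 review date.

```python
"""Supplier risk register for the six-step process above.
Added illustration (not Shieldworkz tooling); supplier records, weights,
band thresholds and review intervals are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum


class Access(IntEnum):
    NONE = 0         # no direct system access (e.g. parts supplier)
    DATA = 1         # read-only plant data (historian exports, cloud analytics)
    REMOTE = 2       # remote sessions to OT hosts without change rights
    ENGINEERING = 3  # can change PLC logic, HMI screens, configurations
    SAFETY = 4       # can reach safety instrumented systems (SIS)


class Evidence(IntEnum):
    NONE = 0     # questionnaire answers only, nothing verified
    PARTIAL = 1  # some artifacts reviewed (policies, MFA screenshots)
    STRONG = 2   # logs, SDLC documentation, IR contacts reviewed and verified


@dataclass(frozen=True)
class Supplier:
    name: str
    owner: str                 # internal business owner (Step 1)
    access: Access             # what they can reach (Step 2)
    evidence: Evidence         # quality of proof collected (Step 3)
    impact_eur_per_hour: int   # plant-manager estimate of downtime cost
    safety_risk: bool          # could misuse endanger people?
    recovery_hours: int        # time to recover if their hardware/service fails
    remote_sessions_per_month: int
    standing_access: bool      # "always-on" VPN/RDP path exists
    mfa_verified: bool         # MFA enforcement proven, not just claimed
    uses_subcontractors: bool
    last_assessed: date


def score(s: Supplier) -> int:
    """Numeric risk score 0-10; weights are assumptions, repeatability is the point."""
    pts = 2 * int(s.access)                  # 0..8: exposure dominates
    pts += Evidence.STRONG - s.evidence      # 0..2: weak evidence adds risk
    pts += 2 if s.safety_risk else 0
    pts += 1 if s.impact_eur_per_hour >= 50_000 else 0
    pts += 1 if s.recovery_hours > 24 else 0
    pts += 1 if s.remote_sessions_per_month > 10 else 0
    pts += 1 if s.uses_subcontractors else 0
    return min(pts, 10)


def tier(s: Supplier) -> str:
    """Low/Medium/High band, with two hard rules no weighting can average away."""
    if s.access >= Access.ENGINEERING and s.evidence == Evidence.NONE:
        return "High"   # engineering access granted on unverified promises
    if s.safety_risk and not s.mfa_verified:
        return "High"   # SIS reachable behind single-factor logins
    n = score(s)
    return "High" if n >= 7 else "Low" if n <= 3 else "Medium"


def remediation(s: Supplier) -> list[str]:
    """Step 5: compensating controls that shrink the blast radius first."""
    actions = []
    if s.standing_access:
        actions.append("remove standing access; move to request-only, time-boxed sessions")
    if not s.mfa_verified and s.access >= Access.REMOTE:
        actions.append("enforce MFA on the vendor gateway and obtain proof")
    if s.access >= Access.ENGINEERING:
        actions.append("route via segmented jump server; record privileged sessions")
    if s.uses_subcontractors:
        actions.append("inventory subcontractors; require the same review before access")
    if s.evidence < Evidence.STRONG:
        actions.append("collect logs/SDLC/IR-contact evidence, not questionnaire answers")
    return actions


# Step 6 cadence: the article asks for at least annual review of High-risk
# suppliers; the Medium and Low intervals are assumptions.
REVIEW_DAYS = {"High": 365, "Medium": 548, "Low": 730}


def next_review(s: Supplier) -> date:
    return s.last_assessed + timedelta(days=REVIEW_DAYS[tier(s)])


def prioritised(suppliers: list) -> list:
    """Register sorted High -> Low, then by score: (name, tier, score, actions)."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    rows = [(s.name, tier(s), score(s), remediation(s)) for s in suppliers]
    return sorted(rows, key=lambda r: (order[r[1]], -r[2]))


# Constructed sample register; the companies and figures are invented.
SAMPLE = [
    Supplier("RoboServ GmbH", "Maintenance Mgr", Access.ENGINEERING, Evidence.NONE,
             80_000, True, 48, 20, True, False, True, date(2024, 3, 1)),
    Supplier("CloudHist Analytics", "Ops Lead", Access.DATA, Evidence.STRONG,
             5_000, False, 4, 0, False, True, False, date(2024, 9, 15)),
    Supplier("HVAC Remote Ltd", "Facilities", Access.REMOTE, Evidence.PARTIAL,
             10_000, False, 12, 6, True, True, False, date(2024, 6, 1)),
]

if __name__ == "__main__":
    for name, t, n, acts in prioritised(SAMPLE):
        print(f"{t:6} {n:2}  {name}: {'; '.join(acts) or 'monitor only'}")
```

Note how the cloud analytics provider lands in Low with an empty remediation list only because its evidence is verified; the same supplier with questionnaire-only evidence would pick up a point and a collection action. The scoring is deliberately coarse so an engineer can recompute it by hand during a review meeting.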
What to Include in Your Industrial Vendor Security Questionnaire
A well-crafted supplier questionnaire is short, highly specific, and directly tied to actual OT exposure. Avoid generic IT compliance templates that ask about corporate data privacy; instead, ask questions that help your engineers make immediate security decisions.
The OT Vendor Security Checklist
Authentication & Identity: How do you authenticate your users and service accounts when accessing our industrial environment? Do you enforce Multi-Factor Authentication (MFA) for all remote access and privileged engineering activity?
Change Management: How are firmware, software, and logic configuration changes approved, digitally signed, and tested before being pushed to our plant?
Incident Response: How quickly (in hours) will you contractually commit to notifying us of a security incident in your network that may affect our plant operations? Keep in mind that NIS2 gives you 24 hours to send an early warning to your own CSIRT or competent authority, so a supplier notification window longer than that leaves you no room to meet your own deadline.
Subcontractor Risk (Nth Party): Which of your subcontractors, freelancers, or third-party tools can access the same systems or data that we entrust to you?
Environment Isolation: If you provide cloud analytics or managed services, how do you logically separate our OT data from your other customers to prevent cross-contamination?
The best vendor management programs go beyond the questionnaire. Tell your vendors you expect evidence. Accept architecture diagrams, sanitized log samples, and written policies. This gives your security team concrete artifacts to review, rather than relying on a simple "Yes/No" checkbox.
High-Impact OT Security Controls for Third-Party Risk Management
Once inherent risk is identified, the next step in third-party risk management is shrinking your exposure. The following controls are highly effective in industrial environments because they are designed to prevent a supplier's bad day from becoming your plant's worst day.
1. Least Privilege and Just-In-Time (JIT) Access
Give vendors access only to the specific systems they are contracted to maintain, and only during approved maintenance windows. Eliminate "standing access." If an integrator needs to troubleshoot a robotic cell, they should request access, receive a time-bound credential (e.g., active for 4 hours), and have that access automatically revoked when the window closes.
2. Strong Identity and MFA
Enforce strict identity controls. Ban the use of shared accounts (like "Maintenance_Team_A"). Every individual vendor employee must have a unique, traceable ID. Implement Multi-Factor Authentication (MFA) for all external connections into the OT network. If mobile phones are banned on the plant floor for safety reasons, utilize physical hardware tokens (like FIDO2 keys).
3. Strict Network Segmentation
Do not allow a vendor VPN to drop directly onto the plant floor network. Route all external vendor connections through a secure DMZ. Require vendors to log into a dedicated jump server or Privileged Access Management (PAM) broker. Separate these jump paths completely from your core engineering, historian, and safety system layers.
4. Continuous Session Monitoring
Trust, but verify. Record privileged vendor sessions. If a vendor is updating PLC logic, you should have a video-like recording or detailed keystroke log of that session. Configure your monitoring tools to trigger an alert if a vendor attempts to access an IP address outside of their designated work zone.
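The two controls above, just-in-time access (1) and session monitoring (4), are easiest to see as one detection: every vendor connection is checked against a named, time-boxed grant for a specific zone. Here is an added example in Python of that check run over constructed jump-server log lines. It is not Shieldworkz tooling; the key=value log format, the grant, the IP ranges and the account names are all assumptions for illustration. It flags a destination outside the contracted cell, a session after the window closed (the "always-on" pattern), and a generic account that has no personal grant at all, and it raises the severity when the port belongs to an engineering protocol that should only ever be used inside a recorded session.

```python
"""Session checks for controls 1 (JIT access) and 4 (session monitoring).
Added example, not Shieldworkz tooling: the log format, the approved-access
grant and the log lines below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
import re


@dataclass(frozen=True)
class AccessGrant:
    """One just-in-time approval: a named person, one zone, one time window."""
    user: str
    zone: str        # CIDR of the cell this vendor is contracted to work on
    start: datetime
    end: datetime


# Engineering protocols whose ports should only appear inside a grant's zone and
# window; an alert on one of these is treated as high severity.
ENGINEERING_PORTS = {102: "S7comm", 502: "Modbus/TCP", 44818: "EtherNet/IP"}

# Constructed JIT grant: a four-hour window tied to a work order.
GRANTS = [
    AccessGrant("r.mueller@roboserv", "10.40.12.0/24",
                datetime(2025, 2, 10, 8, 0, tzinfo=timezone.utc),
                datetime(2025, 2, 10, 12, 0, tzinfo=timezone.utc)),
]

# Constructed jump-server log (assumed key=value format, UTC timestamps).
LOG = """\
2025-02-10T09:12:44Z user=r.mueller@roboserv src=10.200.5.14 dst=10.40.12.21 port=102 action=connect
2025-02-10T09:40:03Z user=r.mueller@roboserv src=10.200.5.14 dst=10.40.30.5 port=3389 action=connect
2025-02-10T13:05:17Z user=r.mueller@roboserv src=10.200.5.14 dst=10.40.12.21 port=102 action=connect
2025-02-10T10:02:51Z user=Vendor_Admin src=10.200.5.77 dst=10.40.12.9 port=44818 action=connect
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"port=(?P<port>\d+) action=(?P<action>\S+)$"
)


def parse(line: str) -> dict:
    """Turn one log line into a dict with a timezone-aware timestamp and int port."""
    m = LINE.match(line)
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["port"] = int(ev["port"])
    return ev


def check(ev: dict, grants: list) -> list:
    """Reasons this connect should alert; an empty list means it was within a grant."""
    reasons = []
    mine = [g for g in grants if g.user == ev["user"]]
    if not mine:
        # Generic or shared accounts never receive a personal grant, so they land here.
        return ["no JIT grant for this account (shared or unapproved identity)"]
    if not any(g.start <= ev["ts"] <= g.end for g in mine):
        reasons.append("outside the approved window (standing access in use?)")
    dst = ip_address(ev["dst"])
    if not any(dst in ip_network(g.zone) for g in mine):
        reasons.append(f"destination {dst} is outside the contracted zone")
    return reasons


def severity(ev: dict) -> str:
    proto = ENGINEERING_PORTS.get(ev["port"])
    return f"high ({proto})" if proto else "medium"


def alerts(log: str, grants: list) -> list:
    """Run every connect event through check(); returns (user, severity, reasons)."""
    found = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev["action"] != "connect":
            continue
        reasons = check(ev, grants)
        if reasons:
            found.append((ev["user"], severity(ev), reasons))
    return found


if __name__ == "__main__":
    for user, sev, reasons in alerts(LOG, GRANTS):
        print(f"[{sev}] {user}: {'; '.join(reasons)}")
```

The first line passes because it matches the grant on all three axes (person, zone, window). In a real deployment the grants would be read from the PAM broker's approval records and the log from the jump server, and the "no grant" branch is the one that catches the shared "Vendor_Admin" style logins the article warns about.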
5. Secure Update Handling
Never apply a vendor patch directly to a live system without verification. Verify digital signatures on all firmware, patches, and configuration files. Test updates in an offline staging environment or on a single non-critical asset first. Always ensure you have a tested, offline backup and a clear rollback plan before authorizing the change.
6. Asset and Dependency Visibility
Maintain a clear map of which industrial processes depend on which suppliers. If a major software provider announces a critical vulnerability, you must be able to query your inventory immediately to know exactly which HMIs or servers in your plant are running that specific software version, allowing you to prioritize isolation and patching.
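The query described in control 6 is simple to implement once the inventory records product, version, zone, process and maintaining supplier for each asset. The added Python example below is not Shieldworkz tooling: the asset inventory, product names, supplier names, advisory identifier and the ">=4.0.0,<4.2.1" range syntax are all constructed for illustration. It matches an advisory's affected range against every asset, orders the hits so the safety layer comes first, and returns the dependent processes and the suppliers who need to be contacted, which is the information the isolation-or-patch decision actually needs.

```python
"""Dependency-visibility query for control 6: which assets run a version inside an
advisory's affected range, and which processes and suppliers that touches.
Added example, not Shieldworkz tooling; inventory, product names, the advisory
identifier and the range syntax are constructed for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    zone: str       # "sis", "cell-3", "dmz" ... used to rank urgency
    process: str    # the industrial process that depends on this asset
    supplier: str   # who maintains it; links back to the supplier inventory
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    ref: str
    product: str
    affected: str   # assumed syntax: comma-separated constraints, e.g. ">=4.0.0,<4.2.1"
    fixed_in: str


def vtuple(version: str) -> tuple:
    """Numeric components only, so '4.2.0-SP1' compares as (4, 2, 0, 1)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
}


def in_range(version: str, spec: str) -> bool:
    """True when every constraint in spec holds for version."""
    v = vtuple(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*([\w.\-]+)\s*", clause)
        if m is None:
            raise ValueError(f"bad constraint: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, vtuple(bound)):
            return False
    return True


def zone_rank(zone: str) -> int:
    """Assumed urgency order: safety layer first, production cells next, then DMZ."""
    if zone == "sis":
        return 0
    if zone.startswith("cell"):
        return 1
    return 2


def affected_assets(inventory: list, adv: Advisory) -> list:
    hits = [a for a in inventory
            if a.product == adv.product and in_range(a.version, adv.affected)]
    return sorted(hits, key=lambda a: (zone_rank(a.zone), a.host))


def impact(inventory: list, adv: Advisory) -> dict:
    """Exposed hosts, dependent processes and suppliers to contact, in urgency order."""
    hits = affected_assets(inventory, adv)
    by_process = defaultdict(list)
    for a in hits:
        by_process[a.process].append(a.host)
    return {"advisory": adv.ref,
            "fixed_in": adv.fixed_in,
            "hosts": [a.host for a in hits],
            "processes": dict(by_process),
            "suppliers": sorted({a.supplier for a in hits})}


# Constructed inventory; hosts, products, vendors and processes are invented.
INVENTORY = [
    Asset("hmi-c3-01", "cell-3", "robotic welding", "RoboServ GmbH", "OmniView HMI", "4.1.3"),
    Asset("hmi-sis-01", "sis", "burner management", "SafeCtrl AG", "OmniView HMI", "4.0.7"),
    Asset("hmi-c5-02", "cell-5", "paint line", "RoboServ GmbH", "OmniView HMI", "4.2.1"),
    Asset("ews-01", "cell-3", "robotic welding", "RoboServ GmbH", "OmniView Engineering", "4.1.0"),
    Asset("hist-01", "dmz", "plant historian", "CloudHist Analytics", "Historian Server", "9.2"),
]

# Constructed advisory; the reference is a placeholder, not a real identifier.
ADVISORY = Advisory("VENDOR-ADV-0001", "OmniView HMI", ">=4.0.0,<4.2.1", "4.2.1")

if __name__ == "__main__":
    print(impact(INVENTORY, ADVISORY))
```

Two details matter in practice: the already-patched host on the paint line drops out because the upper bound is exclusive, and the engineering workstation drops out because product matching is exact, so a sloppy inventory that records "OmniView" for both products would either over- or under-report. Version strings with service-pack suffixes are reduced to their numeric parts, which is good enough for most vendor numbering schemes but should be checked against the vendor's own convention before trusting the result.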
Building Your 30-60-90 Day Execution Plan
The fastest way to lose momentum in a NIS2 compliance initiative is to finish an assessment and then let the resulting spreadsheet gather dust. To create real resilience, convert your findings into a prioritized, time-bound execution plan.
| Timeframe | Key Objectives | Actionable Tasks |
| --- | --- | --- |
| Days 1 - 30 | Visibility & Ownership | Inventory all critical suppliers. Assign an internal business owner to each. Identify exactly which vendors possess privileged credentials or remote access to the OT network. |
| Days 31 - 60 | Quick Wins & Triage | Close the easiest, highest-risk gaps. Disable stale and inactive vendor accounts. Enforce MFA on all external gateways. Restrict "always-on" VPNs to request-only access. |
| Days 61 - 90 | Formalization & Reporting | Finalize your vendor scoring model. Gain executive approval for remediation timelines. Generate the first board-level report demonstrating the current risk trend and mitigated vulnerabilities. |
Crucial Questions to Ask Before Approving a New Supplier
Before signing a contract or provisioning network access for a new vendor, pause and ask:
Do they require direct or indirect access to active production or safety-critical systems?
Can their engineers clearly explain how they secure their own remote access tools, software update pipelines, and subcontractors?
Can they provide documented proof of their incident notification timelines and disaster recovery planning?
Crucially: Would a cyber compromise of this specific supplier force us to physically isolate our network, shut down a process, or shift to emergency manual operations?
Proving Compliance: Evidence for Audits and the Board
Complying with NIS2 is not just about executing the technical work; it is equally about demonstrating that the work is managed consistently. Regulators and auditors look for evidence of a living, breathing process, not a static binder created the week before the audit.
The NIS2 Audit Evidence Checklist
Ensure your teams are archiving the following artifacts securely:
An up-to-date, dynamically maintained supplier inventory detailing the internal business owner, the vendor's access level, and their criticality score.
Copies of completed risk assessments and scheduled re-assessments for all critical and high-risk suppliers.
Timestamped logs and records of vendor access approvals, periodic access reviews, and credential revocations.
Counter-signed remediation plans outlining specific security gaps, assigned owners, target dates, and final closure status.
Documented incident notification pathways and emergency contact matrices for each critical supplier.
Executive summaries and meeting minutes that prove management is actively reviewing risk trends.
Briefing the Board
When presenting to top management or the board of directors, avoid deep technical jargon about PLC protocols or firewall rules. A highly effective board update should concisely cover three points:
Which specific suppliers present the highest risk to our revenue and safety, and why.
What specific controls were implemented or improved this quarter to mitigate that risk.
What critical vulnerabilities remain open, which executive owns the remediation, and the exact date it will be resolved.
Common Pitfalls in Industrial Vendor Security
As you mature your program, be careful to avoid these common industry mistakes:
Treating all suppliers equally. Do not waste time sending a 100-point cybersecurity questionnaire to the vendor supplying breakroom coffee. Rank suppliers strictly by access and operational impact, and focus your resources on the top 20%.
Accepting questionnaires as proof. Counting a completed questionnaire as a security control without verifying the underlying evidence is a recipe for a false sense of security.
Ignoring the "off" switch. Leaving remote access pathways open between scheduled service windows is one of the leading causes of OT breaches. Close the door when the vendor leaves.
Forgetting the Nth party. Letting your primary integrators bring in subcontractors who inherit OT access without passing through your separate review process creates massive blind spots.
Working in a silo. Separating compliance work from daily plant operations guarantees failure. Procurement, IT security, and plant engineering must act as a unified team.
How Shieldworkz Can Help
Moving from a scattered, ad-hoc vendor review process to a structured, compliant OT supply chain security program is a heavy lift. Shieldworkz specializes in helping industrial organisations navigate this exact transition.
We do not just hand you a generic compliance checklist. We work alongside your engineering and security teams to assess exactly where supplier access physically and logically enters your environment. We identify the highest-risk trust paths and translate complex NIS2 requirements into a practical, phased remediation roadmap that respects your production uptime.
Our core offerings include:
NIS2 Supply Chain Risk Assessments: Deep-dive evaluations of your vendor ecosystem tailored for OT environments.
OT Third-Party Access Reviews: Architecture reviews to identify and lock down rogue remote access pathways.
Industrial Vendor Security Scoring: Custom-built questionnaires and evidence-verification services to accurately score your integrators and OEMs.
Remediation Roadmaps: Step-by-step engineering plans to implement least privilege, segmentation, and monitoring for high-risk suppliers.
Board-Ready Reporting: Clear, actionable metrics and dashboards that satisfy executive oversight requirements and ease the burden of regulatory audits.
The Outcome: You gain a transparent view of your vendor exposure, establish ironclad control over third-party access, and generate the exact evidence you need to ace compliance reviews, satisfy auditors, and confidently update your leadership team.
The NIS2 Directive pushes industrial organisations to treat their supply chain as a critical component of their overall cybersecurity posture, rather than brushing it off as a separate procurement issue. This is the right direction for the industry, as history repeatedly shows that the most damaging OT incidents often begin with abused trusted access.
The winning approach to securing the industrial supply chain is methodical but simple: know your suppliers, classify their level of access, rigorously verify their internal controls, ruthlessly remove unnecessary trust and standing access, and review the entire ecosystem on a regular, unforgiving cycle. When you execute these steps well, you do more than check a compliance box: you drastically lower your operational risk and make your plant significantly harder to compromise.
If your team is currently building, auditing, or refreshing its NIS2 program, Shieldworkz can help you cut through the noise. We help you accurately assess supplier risk, prioritize the technical controls that actually matter on the plant floor, and turn regulatory text into practical, protective action.
Ready to secure your supply chain and simplify your compliance journey? Request a demo with our OT security experts today to see exactly how Shieldworkz helps industrial teams build resilient, NIS2-compliant operations.
Additional resources
A downloadable report on the Stryker cyber incident here
Remediation Guides here
Removable media scan solution vendor evaluation and selection checklist here
IEC 62443-based OT/ICS risk assessment checklist for the food and beverage manufacturing sector here
