Under Pressure: The Manufacturing Sector’s Battle with Supply Chain Vulnerabilities

Supply chain attacks are a growing concern. Gartner predicts that in 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021, and the World Economic Forum’s (WEF) 2025 Outlook highlights that 54% of large organisations identify supply chain challenges as the biggest barrier to achieving cyber resilience.
Protecting What Powers Production
Manufacturers are increasingly in the crosshairs of cybercriminals, especially through their supply chains. Their heavy reliance on large, complex supply chains, which typically include multiple third-party suppliers for raw materials, logistics, and specialised services, creates significant risk for the industry, as the interconnected nature of these chains provides more entry points for cybercriminals to exploit. In fact, globally, the manufacturing sector is the most targeted by ransomware, accounting for 69% of all industrial ransomware incidents in 2024 with over 1,100 attacks across 26 subsectors. This highlights how third-party vulnerabilities can ripple through production lines, causing costly disruptions.
As supply chains today navigate permacrisis, a state of near-constant disruption due to geopolitical tensions, economic volatility, and technological shifts, it is difficult for manufacturers to anticipate and react to disruptions. They struggle with limited visibility over their extended supply chains, often unaware of the activities of third-party suppliers and the potential vulnerabilities they introduce. Many are yet to grasp the impact a lack of oversight over their supply chain, and the subsequent risks this introduces, has on their operations. Such risks can expose manufacturers to serious operational, financial, and reputational damage, leading to a loss of customer trust. Without proper governance, vulnerabilities in suppliers or vendors, such as cybersecurity flaws, compliance failures, or ethical breaches, can cascade into production delays, data breaches, or regulatory penalties.
A Multi-Layered Strategy for Third-Party Access Security
Unfortunately, there is no simple fix, and strengthening third-party access security requires a layered, proactive approach that balances usability with control. Manufacturers can regain control by adopting an identity-centric Zero Trust security model that verifies every user, device, and access request with no assumptions and no implicit trust. By implementing strong authentication, least-privilege access, and continuous monitoring, they reduce the risk of third-party breaches.
Identity and Access Management (IAM) tools help to enforce policies across hybrid environments, while conditional access evaluates context like device health or location before granting entry. This approach ensures only verified identities interact with critical systems, even across the most complex supply chains. With Zero Trust, manufacturers can build resilience, protect intellectual property, and maintain operational continuity even in today’s increasingly interconnected threat landscape.
It is also important to segment networks, isolating third-party access to specific zones or applications using network segmentation and firewalls. This limits lateral movement in case of compromise.
Manufacturers should also monitor and audit continuously, logging all third-party activity to detect anomalies and undertaking regular audits to ensure compliance and uncover hidden risks. Additionally, they should automate onboarding and offboarding, using workflows to provision and de-provision access quickly and accurately – especially for short-term contractors or vendors. And they must enforce contracts and SLAs which mandate minimum security requirements in vendor agreements, such as incident reporting, breach notification timelines, encryption standards, and audit rights. Finally, manufacturers must use secure access tools, leveraging solutions like ZTNA (Zero Trust Network Access) and PRA (Privileged Remote Access) to control how third parties connect.
Non-Human Identities Outnumber Human Users By 45:1
Controlling access rights is particularly important as non-human identities, like service accounts, API keys, bots, and machine credentials are exploding across manufacturing environments. Industry research suggests that machine identities now outnumber human users by a factor of 45 to 1 across enterprises. In manufacturing, this ratio can be even higher due to the heavy use of automation, IoT devices, and CI/CD pipelines. For example, a mid-sized manufacturer might manage tens of thousands of non-human identities across production lines, cloud infrastructure, and third-party integrations. These identities often have persistent access and elevated privileges, making them prime targets for attackers if left unmanaged. This is why it is important to enforce risk-based access policies across the entire network and identity environment, while securing privileged access, and to seamlessly incorporate human and machine identities into a risk-aware certification process.
NIS2 Raises the Stakes for Supply Chain Security
Understandably, regulatory compliance, especially under the EU’s NIS2 Directive, is now a strategic imperative for manufacturers. NIS2 expands cybersecurity obligations to include not just core operations, but also the entire supply chain, recognising that third-party vulnerabilities can compromise critical infrastructure.
To ensure compliance and mitigate risks, manufacturers must evaluate the cybersecurity posture of suppliers and service providers, as required by Article 21(2)(d) of NIS2. They should also align with EU-wide and national risk assessments to identify high-risk suppliers and technologies. NIS2 also introduces strict penalties for non-compliance, up to €10 million or 2% of global turnover, which makes proactive governance not just smart, but essential for manufacturers.
Tackling Third-Party Risk with Targeted Expertise
It is evident that securing complex environments and supply chains represents a significant challenge for manufacturers, particularly given the constraints of limited resources and economic pressures. But in a landscape where supply chain vulnerabilities threaten manufacturing stability, partnering with proven identity and cybersecurity experts becomes essential to improve the security posture across the supply chain.
When deep identity and access management expertise is combined with advanced Zero Trust architectures, cybersecurity evolves and empowers manufacturers to enforce least-privilege access, secure both human and machine identities, and maintain full visibility across third-party relationships. These combined capabilities not only strengthen compliance with directives like NIS2, but also enhance operational resilience, mitigate cyber risk, and enable secure growth.
As the manufacturing sector faces escalating cyber threats and increasingly complex supply chains, the need for a robust, proactive cybersecurity strategy has never been greater. Strengthening third-party access, securing identities (both human and non-human), and aligning with regulatory frameworks are key steps toward protecting operational continuity and reputation. By embracing modern identity management principles and Zero Trust security models, manufacturers can enhance visibility, minimise risk, and build long-term resilience. In such a high-stakes environment, investing in the right technologies and expertise isn’t just a precaution, it’s a strategic imperative for sustained success.
Written by Dave McGrail, Head of Business Consultancy, Xalient and Jon Neal, EMEA Field CTO at Saviynt