Blog - IT & Cybersecurity News | TMGC

How Supply Chain Attacks Became Manufacturers' Biggest IT Blindspot

Written by Tony DiDonato | May 18, 2026 7:56:32 PM

Most manufacturers have already done most of the basic IT work. You've got a firewall, maybe even an MSP watching your network around the clock. You've tightened up passwords, trained your team on phishing emails, and you know where your data lives.

Then one Tuesday morning, you’re suddenly the subject of a cyber attack. And the entry point was nothing you could’ve predicted.

It was the calibration tech who comes out twice a year. He's been servicing your CMM for a decade. Between visits, he has remote access to check readings and ensure everything is running smoothly. You've never thought twice about it.

Neither has he, and that's the problem. Somewhere down the line, his credentials got compromised and an attacker is now walking into your network using the same login your calibration vendor has used for years.

To your systems, it looks completely normal. “Yep, there’s Joe pushing the last firmware update, nothing to worry about here.” But in reality, it’s the result of a sophisticated attack on your company.

These types of supply chain attacks have become a serious IT blindspot, one most manufacturers aren’t taking seriously yet.

 

Key Takeaways

Most manufacturers focus cybersecurity spending on their own systems. That's the right instinct, but it only covers half the problem. The vendors, subcontractors, and remote access tools connected to your operation are just as likely to be the entry point for an attack. This post breaks down how it happens, why smaller shops are specifically targeted, and what practical steps you can take to close the gap before it becomes a crisis.

 

Table of Contents

 

  1. You locked the front door, so attackers went around back
  2. How attackers use your vendors to get to you
  3. The remote access problem people are still ignoring
  4. Why small manufacturers are the target, not the prime
  5. How to start closing the gap
  6. Frequently asked questions

 

You Locked the Front Door, so Attackers Went Around Back

The cybersecurity conversation in manufacturing has matured a lot over the past few years. Shop owners understand ransomware. They know about phishing. They've invested in protection.

But the threat landscape shifted while that investment was happening. Attackers figured out that well-protected manufacturers are hard to hit directly. So they stopped trying to break through the front door and instead waltzed right through the unlocked back door.

They go after the vendors, suppliers, and service providers who already have legitimate access to your systems:

  • The software company that remotes into your CNC machines
  • The ERP implementation partner who still has admin credentials from the go-live three years ago
  • The subcontractor who connects to your network to pull job tickets

Supply chain attacks against manufacturers have surged 431% since 2021, according to research from Foley & Lardner. That's a fundamental shift in how attacks are being run.

Your security posture is only as strong as the least-secure company in your vendor ecosystem. Most manufacturers haven't mapped that ecosystem. Most don't know who still has access, how much access they have, or whether that access is even still necessary.

That's the blindspot.

 

How Attackers Use Your Vendors to Get to You

A supply chain attack happens when a bad actor compromises one of your vendors or service providers and uses that relationship to reach you.

It sounds complicated, but the mechanics aren't.

Your ERP vendor has a support account with remote access to your system. A hacker breaches that vendor's network, grabs the credentials, and logs into your ERP using the same access your vendor uses for legitimate support calls. To your system, it looks like a normal login. There's no alarm or red flag raised. It just looks like a user accessing files they're authorized to reach.

According to SecurityScorecard, 41% of ransomware attacks now involve a third-party access vector. Attackers aren't brute-forcing their way through your firewall. They're walking in through a door that was already open.

The Kaseya attack in 2021 is the clearest example. Attackers compromised a remote monitoring platform used by IT providers, then rode that access downstream to thousands of small and mid-sized businesses. Those businesses had no direct relationship with Kaseya. They were just customers of someone who did. One breach resulted in thousands of victims, all through a trusted vendor relationship.

 

The Remote Access Problem People Are Still Ignoring

Here's something worth thinking about: how many companies have remote access to your systems right now?

Not just your IT provider. Your ERP vendor. Your machine tool manufacturer. The company that supports your CAD software. The calibration service that connects remotely to check your measurement equipment. The subcontractor who pulls BOMs from your system to quote jobs.

When they actually sit down and count, most manufacturers are surprised by the number. And more surprised when they realize that a significant portion of those access accounts are permanent.

Permanent access means the credentials exist and work 24 hours a day, 7 days a week, regardless of whether anyone from that vendor has touched your system in six months. Stolen vendor credentials account for 40% of third-party breaches, and in many cases those credentials have been sitting dormant and unmonitored long before anyone uses them maliciously.

The fix isn't complicated in concept: access should exist when it's needed and be revoked when it isn't. But most shops don't have a process for that. Nobody owns it, so it falls through the cracks between the vendor relationship and the IT function.

That gap is exactly what attackers count on.
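
One way to make "access should exist when it's needed" checkable is to compare vendor logins against the windows in which vendor work was actually scheduled. The following is an added example, not part of the original post; the log format, the `vendor-` account naming convention, and all sample data are constructed assumptions.

```python
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M"

# Constructed sample data: approved windows as (account, start, end).
APPROVED_WINDOWS = [
    ("vendor-calib", "2026-03-10T08:00", "2026-03-10T12:00"),
    ("vendor-erp", "2026-03-12T13:00", "2026-03-12T17:00"),
]

# Constructed sample log: timestamp, account, source address, target system.
SAMPLE_LOG = """\
2026-03-10T09:14 vendor-calib 203.0.113.10 cmm-01
2026-03-12T14:02 vendor-erp 198.51.100.7 erp-app
2026-03-17T02:41 vendor-calib 203.0.113.10 cmm-01
2026-03-18T10:30 vendor-cad 192.0.2.55 cad-lic
2026-03-18T11:05 jsmith 10.0.0.5 erp-app
"""

def load_windows(rows):
    """Index approved windows by vendor account."""
    windows = {}
    for account, start, end in rows:
        span = (datetime.strptime(start, FMT), datetime.strptime(end, FMT))
        windows.setdefault(account, []).append(span)
    return windows

def unapproved_logins(log_text, windows, prefix="vendor-"):
    """Return vendor logins that fall outside every approved window."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[1].startswith(prefix):
            continue  # malformed line or not a vendor account
        stamp, account, source, target = parts
        when = datetime.strptime(stamp, FMT)
        approved = windows.get(account)
        if approved is None:
            reason = "no access window on file"
        elif any(start <= when <= end for start, end in approved):
            continue  # login matches scheduled work
        else:
            reason = "outside approved window"
        findings.append({"time": stamp, "account": account,
                         "source": source, "target": target, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in unapproved_logins(SAMPLE_LOG, load_windows(APPROVED_WINDOWS)):
        print(f["time"], f["account"], f["target"], "->", f["reason"])
```

The 02:41 login uses valid credentials from the usual source address, so only the missing window distinguishes it from legitimate work.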

 

Why Small Manufacturers Are the Target, Not the Prime

There's a common assumption in manufacturing that cyberattacks are a big-company problem. If you're a 30-person job shop in Colorado, who's coming after you?

The answer might surprise you.

Manufacturing has been the most targeted industry sector for the fifth consecutive year, accounting for 27% of all cyberattacks where sector attribution was possible. And the attacks aren't concentrated at the top of the supply chain. They're concentrated at the bottom.

Attackers understand how defense and aerospace supply chains work. Prime contractors have enterprise security teams, dedicated compliance programs, and significant IT infrastructure. Their tier-2 and tier-3 suppliers often have none of that. A small shop making precision components for a defense program might have a VPN connection to a prime's system for submitting documentation. That connection is a door. And the shop is easier to breach than the prime.

Sensitive defense information is most often exposed at the smaller supplier level, not at the prime contractor. The smaller firms have fewer resources, limited IT staff, and often incomplete visibility into how data flows through their systems. They didn't feel like targets, so they didn't act like it.

That's exactly why they became targets.

Supply chain attacks nearly doubled in 2025, rising from 154 incidents to 297. Threat actors are increasingly compromising smaller vendors and suppliers to gain indirect access to larger industrial targets.

This is also part of what CMMC compliance is trying to address at the regulatory level. If your vendors touch controlled information, they have to meet the same security standards you do. Your compliance doesn't stop at your building's edge.

But CMMC aside, the risk exists whether you're a defense contractor or not. Any manufacturer with vendor relationships and remote access is exposed.

 

How to Start Closing the Gap

None of this requires a massive IT overhaul to start making progress. It requires visibility and ownership.

  • Start with a vendor access inventory. List every company that has remote access to any system in your environment. Your ERP, your network, your production floor software, everything. Most manufacturers who do this exercise for the first time find accounts they forgot existed.
  • Audit the access. For each vendor on that list, ask: Is this access still necessary? Is it scoped correctly, meaning they can only reach what they actually need? Is it monitored? Are the credentials unique to that vendor, or are they shared accounts?
  • Move toward time-limited access. Rather than permanent credentials, the best practice is granting access for a specific window and revoking it when the work is done. This is a procedural change as much as a technical one. It requires someone to own the process.
  • Ask your vendors about their own security. A basic vendor security questionnaire doesn't take long to send. Ask whether they use multi-factor authentication. Ask about their incident response plan. Ask whether they carry cyber liability insurance. If a vendor pushes back on basic questions, that tells you something important.
  • Segment your network. Vendors who need access to your production floor systems shouldn't have the same path into your business systems, and vice versa. IT-OT network segmentation is one of the most effective controls a manufacturer can put in place, and it directly limits the blast radius of a vendor-related breach.
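
The inventory and audit steps above can be run as a repeatable check once the vendor list exists as a spreadsheet export. This is an added example, not part of the original post; the CSV columns, the 180-day dormancy threshold, and the sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date

DORMANT_DAYS = 180  # assumption: roughly the "six months" mentioned in the text

# Constructed sample inventory; "zones" lists the network zones an account can reach.
INVENTORY_CSV = """\
vendor,account,zones,last_used,expires,mfa,shared
Calibration Co,vendor-calib,ot,2025-08-02,,no,no
ERP Partner,erp-support,it,2026-03-12,2026-03-13,yes,no
Machine Tool OEM,oem-support,it;ot,2026-02-20,,yes,yes
"""

def audit_inventory(csv_text, as_of):
    """Map each vendor account to the audit questions it fails."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if not row["expires"]:
            issues.append("permanent")   # credentials never expire
        idle = (as_of - date.fromisoformat(row["last_used"])).days
        if idle > DORMANT_DAYS:
            issues.append("dormant")     # unused, but still working
        if row["mfa"] != "yes":
            issues.append("no_mfa")
        if row["shared"] == "yes":
            issues.append("shared")      # not unique to one person or vendor
        if {"it", "ot"} <= set(row["zones"].split(";")):
            issues.append("it_and_ot")   # one account crosses the IT-OT boundary
        if issues:
            report[row["account"]] = issues
    return report

if __name__ == "__main__":
    for account, issues in audit_inventory(INVENTORY_CSV, date(2026, 3, 20)).items():
        print(account, ":", ", ".join(issues))
```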

This is exactly the kind of work that our IT for manufacturing services help with. Vendor relationship management, access controls, network segmentation, and ongoing monitoring are core to how we operate as a fractional IT department for manufacturers on the Front Range and beyond.

The breach that takes a shop down rarely looks like a Hollywood hacker scene. It’s just a Tuesday morning login from a vendor account that nobody thought to audit.

If you don't know who has access to your systems right now, that's the place to start. We'd be glad to help you find out. Reach out to our team and let's take a look at what's connected to your network.

 

Frequently Asked Questions

What is a supply chain cyberattack?

A supply chain cyberattack happens when a bad actor compromises a vendor, subcontractor, or service provider and uses that trusted relationship to access the target organization's systems. Rather than attacking a well-defended network directly, attackers exploit the access that legitimate third parties already have.

 

How do cyber attackers get access through vendors?

The most common method is stolen credentials. If a vendor's login information is compromised through a phishing attack or data breach on their end, an attacker can use those credentials to access any system that vendor is connected to. Shared or permanent access accounts, combined with no multi-factor authentication, make this significantly easier.

 

Are small manufacturers a target for cyber criminals?

Yes. Manufacturers are the most targeted type of business for cyber attacks and have been for five consecutive years. Smaller manufacturers are often targeted specifically because they're connected to larger primes or defense programs but have fewer security resources. Attackers use the small shop as an entry point to reach a larger target upstream.

 

How does CMMC relate to vendor security in manufacturing?

CMMC requires that any vendor or subcontractor who handles controlled unclassified information meets the same security standards as the prime contractor. This means your compliance obligations flow down to your supply chain. If a vendor touches sensitive data and isn't compliant, that's your exposure, not just theirs.