Tariffs and the overall global economic landscape have created supply chain woes for all kinds of enterprises. A cyberattack that further complicates supply chains isn’t something business leaders want added to the mix.
However, enterprises continue to face cyberthreats, according to Cole Humphreys, compute sales specialist for U.S. public sector, Department of War at Hewlett Packard Enterprise. Those threats include “counterfeit or tampered components, firmware manipulation, code injection in build pipelines, insider compromise at suppliers and logistics-stage interference.”
He explains that attackers are increasingly shifting their focus upstream, targeting firmware, manufacturing processes and lower-tier suppliers, where controls are weaker. Artificial intelligence (AI) is also helping bad actors increase the effectiveness of their attacks.
“As hardware and firmware become more complex and globally distributed, organizations need continuous verification rather than periodic checks,” Humphreys says.
As businesses work to strengthen their supply chain security, it’s important that they understand best practices and which solutions can best help to protect their organizations.
Preparing for Today’s Supply Chain Threats
Enterprises must be prepared for both the threats they’re familiar with and emerging threats. Humphreys highlights the threats organizations should prepare for, including:
- Firmware and hardware insertion attacks targeting boot chains and management controllers
- Compromise of AI/machine learning model pipelines and training data
- Vulnerabilities introduced through additive manufacturing or software-defined hardware by supply chain tampering
- Increased geopolitical and regulatory constraints on a secure supply chain
- Climate-driven disruptions affecting manufacturing and logistics
The Role of Third-Party Management in Supply Chain Security
Supply chain security doesn’t work without strong third-party management.
“It enables structured onboarding, ongoing monitoring and contractual enforcement of security requirements,” Humphreys says. “Mature programs treat suppliers as security partners with measurable obligations, including telemetry sharing, signed artifacts and auditability, practices reflected in HPE’s approach with Trusted Supply Chain suppliers.”
Modern assessments must be continuous, data-driven and risk-based, he adds, explaining that they should incorporate:
- Automated security ratings and real-time posture data
- Evaluation of firmware security practices, build pipeline integrity and secure manufacturing
- Operational resilience, including business continuity and geopolitical considerations
- Verifiable evidence such as attestations, signatures and provenance artifacts
Humphreys emphasizes that the most important shift enterprises can make in their third-party risk management strategy is to favor partners who provide provable — not theoretical — assurance.
“Telemetry, signed firmware, verified provenance and secure manufacturing should be baseline expectations,” he says. “Enterprises should also elevate supply chain security as a business risk requiring executive oversight, cross-functional alignment, and sustained investment in automation and continuous assurance — an area where HPE’s Trusted Supply Chain and the HPE ProLiant Compute Gen12 platform provide a measurable advantage.”
Solutions and Processes To Strengthen Supply Chain Security
Real-time visibility across every supplier is not practical for large enterprises, Humphreys points out. “A more realistic model prioritizes high-risk suppliers, critical components and security-sensitive firmware,” he says.
In addition to third-party risk assessments, Humphreys says other important processes to implement include:
- Integrating security into procurement by requiring provenance and signed firmware
- Continuous supplier assurance through audits and telemetry-based validation
- Rigorous change control processes enforced with cryptographic authorization
- Clear incident response and escalation playbooks
Effective supply chain security requires a layered approach, according to Humphreys. The first layer is platform security: hardware roots of trust, cryptographic checks and secure update paths. The second is authenticity and provenance controls, covering firmware and a verifiable chain of custody. Operational monitoring rounds out the approach, including integrity telemetry and automated verification, Humphreys explains.
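As an added illustration of the provenance and verification layers described above (and of the "verifiable evidence" and "signed firmware in procurement" items earlier on this page), the following Python script is not from the article or any HPE product; it uses constructed sample data and stdlib hashing only. A receiving check compares a firmware image against its supplier manifest and then walks a hash-linked chain-of-custody record, flagging either an altered custody entry or a hop at which the artifact digest changed.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the article or any HPE product): a firmware
# image plus the provenance manifest a supplier is assumed to ship with it.
FIRMWARE = b"\x7fBMC-FW-demo-image-v1.0" * 8
MANIFEST = {"component": "bmc-firmware", "version": "1.0",
            "sha256": hashlib.sha256(FIRMWARE).hexdigest()}
GENESIS = "0" * 64  # prev-hash used by the first custody record

def verify_manifest(firmware: bytes, manifest: dict) -> bool:
    """Provenance check: the received image must match the supplier's digest."""
    return hmac.compare_digest(hashlib.sha256(firmware).hexdigest(), manifest["sha256"])

def record_hash(record: dict) -> str:
    """Hash of a custody record's canonical JSON, excluding its own 'hash' field."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_custody_chain(events: list) -> list:
    """Each hop attests to the artifact digest and links to the previous hop."""
    chain, prev = [], GENESIS
    for ev in events:
        rec = {**ev, "prev": prev}
        rec["hash"] = record_hash(rec)
        chain.append(rec)
        prev = rec["hash"]
    return chain

def verify_custody_chain(chain: list, expected_sha256: str) -> tuple:
    """Automated verification at receiving: every link must be intact and every
    hop must report the same artifact digest that the manifest records."""
    prev = GENESIS
    for rec in chain:
        if rec["prev"] != prev or record_hash(rec) != rec["hash"]:
            return False, f"custody record altered at stage '{rec['stage']}'"
        if rec["artifact_sha256"] != expected_sha256:
            return False, f"artifact digest changed at stage '{rec['stage']}'"
        prev = rec["hash"]
    return True, "chain intact"

# Constructed custody events from factory flash to the customer's loading dock.
EVENTS = [
    {"stage": "factory-flash", "actor": "supplier-A", "artifact_sha256": MANIFEST["sha256"]},
    {"stage": "integration", "actor": "integrator-B", "artifact_sha256": MANIFEST["sha256"]},
    {"stage": "logistics", "actor": "carrier-C", "artifact_sha256": MANIFEST["sha256"]},
]
CHAIN = build_custody_chain(EVENTS)

if __name__ == "__main__":
    print(verify_manifest(FIRMWARE, MANIFEST), verify_custody_chain(CHAIN, MANIFEST["sha256"]))
```

The hash chain alone is only tamper-evident; in a real program the manifest and the chain's final hash would be signed by the supplier so the receiving side has an anchor it can trust.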
He says that “HPE ProLiant Compute Gen12 and iLO 7 deliver these capabilities out of the box with Compute Ops Management, which is also backed by HPE’s Trusted Supply Chain to ensure devices arrive uncompromised.”
These platforms help to mitigate today’s supply chain risks by delivering verifiable integrity from boot to runtime, while also enabling updates throughout the platform lifecycle.
Enterprises don’t have to navigate third-party risk management and supply chain management alone.
“At a time when supply chains span across borders and may involve several OSPs, effective third-party risk management is more important than ever,” says Larry Burke, principal and vice president with the Global Security Strategy Office at CDW, in a blog. “An expert partner with deep expertise in cybersecurity and data privacy risks in response to the current threat landscape as well as the rigorous requirements of regulators can help you leverage technology-driven solutions to fortify your supply chain risk management capabilities and assess your current third-party risk management maturity level.”