Why secure software development is the first line of defense against OT supply chain attacks


When Jaguar Land Rover's production lines came to a complete halt on September 1, 2025, the financial toll was immediate and staggering: nearly $67 million per week in direct losses, with estimates of the total economic impact reaching $2.8 billion. But the true damage extended far beyond the automaker's balance sheet.

The shutdown rippled through JLR's sprawling supply chain of 104,000 workers. Suppliers laid off staff due to the attack, and the UK government stepped in with a guaranteed loan exceeding $2 billion.

The scary thing is that this wasn't an isolated incident. In the United States, United Natural Foods (UNFI) discovered a cyberattack on June 5, 2025, that forced the company to shut down its network entirely, resulting in lost sales of up to $400 million. The attack left empty shelves at Whole Foods stores across the country and disrupted the supply of organic products to over 30,000 retail locations.

Both incidents share a troubling pattern: attackers do not need to breach every company in a supply chain. Compromising one tightly connected link, whether directly or through the software it depends on, is enough to propagate disruption downstream and achieve maximum impact with minimum effort.


The hidden vulnerability in your supply chain

For operational technology (OT) environments in manufacturing, energy, transportation or critical infrastructure, the stakes of a cyberattack are extremely high. An attack on OT doesn't just compromise data; it brings entire production ecosystems to a standstill, with downtime costs that can reach hundreds of thousands of dollars per hour.

Still, most organizations focus their procurement evaluations on financial health, service-level agreements and infrastructure security, and overlook the point where vulnerabilities are most often introduced: the software development process itself. Infostealer malware, for instance, harvests credentials that can remain valid for years; when those credentials belong to a supplier's developers or build systems, they give attackers a route into manufacturers' supply chain systems.

This points to a fundamental weakness not in perimeter defenses but in the secure development lifecycle practices of the software suppliers that power modern industrial operations. Their products are vulnerable because they weren't built to withstand modern cyberthreats, and that makes the manufacturers' OT systems that run them vulnerable, too.

Why business continuity depends on secure development

Without assurance that suppliers follow rigorous secure software development life cycle (SSDLC) practices, manufacturers inherit risks that no network segmentation or air gapping can fully eliminate.

The business impact is measurable and severe:

  • Operational downtime: Production halts cascade through just-in-time supply chains, affecting thousands of workers and disrupting delivery commitments.
  • Financial losses: Beyond direct revenue losses, recovery costs include incident response, system restoration, regulatory fines and potential contract penalties.
  • Compliance violations: Regulations like the EU's NIS 2 Directive, DORA and the Cyber Resilience Act now explicitly require secure development practices from suppliers.
  • Reputational damage: For suppliers, being the "weak link" in a supply chain breach can permanently damage customer trust and lead to disqualification from future partnerships.

But this is more than just checking compliance boxes. It's about ensuring that the software controlling your production lines, managing your critical systems and connecting your industrial operations has security embedded from the first line of code to final deployment.

Why IEC 62443-4-1 certification matters for your supply chain

The IEC 62443 family of standards specifically addresses industrial automation and control systems security. Within this framework, IEC 62443-4-1 covers the secure product development lifecycle requirements for control-system components, which makes it the part of the standard most directly relevant to evaluating OT software suppliers.

Unlike general information security frameworks, IEC 62443-4-1 certification demonstrates that a supplier has implemented:

  • Security by design: Security requirements are defined and threats modeled before any code is written.
  • Secure coding practices: Developers are trained and code undergoes mandatory review and automated security testing.
  • Dependency management: Third-party components are vetted, tracked and maintained through Software Bill of Materials (SBOM) practices.
  • Secure release pipelines: Updates are signed, integrity-checked and delivered through hardened channels.
  • Vulnerability management: Coordinated disclosure processes and defined response timelines for security issues.
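One way to implement the signing and integrity-checking step from the "Secure release pipelines" item above, as an added example that is neither Acronis's code nor a description of how Acronis Cyber Protect for OT delivers updates: the release pipeline hashes every file into a manifest and signs the manifest with an Ed25519 release key; the installer verifies that signature before trusting any digest, then checks every file against the manifest and rejects unlisted extras. Ed25519 and the manifest layout are chosen here for illustration, the file names and contents are constructed, and the two failure cases exercised are a binary swapped in transit and a package rebuilt and re-signed with a key other than the release key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists every file in an update package with its SHA-256 digest.
// The vendor signs the serialized manifest; the installer verifies that
// signature first and only then trusts the digests to check the files.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // path -> hex SHA-256
}

// SignedUpdate is what travels over the delivery channel.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte // Ed25519 signature over ManifestJSON
	Files        map[string][]byte
}

// buildSignedUpdate is the release-pipeline side: hash each file, then sign
// the serialized manifest with the vendor's release key.
func buildSignedUpdate(priv ed25519.PrivateKey, version string, files map[string][]byte) SignedUpdate {
	m := Manifest{Version: version, Files: map[string]string{}}
	for path, data := range files {
		sum := sha256.Sum256(data)
		m.Files[path] = hex.EncodeToString(sum[:])
	}
	mj, _ := json.Marshal(m) // cannot fail for a struct of strings
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Files: files}
}

// verifyUpdate is the installer side. Order matters: a manifest that was not
// signed by the release key is rejected before any digest in it is consulted.
func verifyUpdate(pub ed25519.PublicKey, u SignedUpdate) error {
	if !ed25519.Verify(pub, u.ManifestJSON, u.Signature) {
		return errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return err
	}
	// Every listed file must be present and match, and nothing unlisted may ship.
	if len(m.Files) != len(u.Files) {
		return errors.New("file set differs from signed manifest")
	}
	for path, want := range m.Files {
		data, ok := u.Files[path]
		if !ok {
			return fmt.Errorf("%s listed in manifest but missing", path)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s digest mismatch", path)
		}
	}
	return nil
}

// runScenarios returns the verification outcome for a genuine update, for a
// binary swapped in transit, and for a package the attacker rebuilt and
// signed with their own key because they do not hold the release key.
func runScenarios() (genuine, tampered, resigned error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's release key
	files := map[string][]byte{ // constructed sample package contents
		"bin/agent":      []byte("constructed sample: agent binary 2.1.0"),
		"conf/agent.cfg": []byte("constructed sample: default configuration"),
	}
	upd := buildSignedUpdate(priv, "2.1.0", files)
	genuine = verifyUpdate(pub, upd)
	// Attacker replaces the binary but leaves manifest and signature untouched.
	evil := SignedUpdate{ManifestJSON: upd.ManifestJSON, Signature: upd.Signature, Files: map[string][]byte{}}
	for k, v := range upd.Files {
		evil.Files[k] = v
	}
	evil.Files["bin/agent"] = []byte("constructed sample: trojanized agent")
	tampered = verifyUpdate(pub, evil)
	// Attacker produces a fully consistent manifest, but with a key the installer does not trust.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := buildSignedUpdate(attackerPriv, "2.1.0", evil.Files)
	resigned = verifyUpdate(pub, forged)
	return genuine, tampered, resigned
}

func main() {
	g, t, r := runScenarios()
	fmt.Println("genuine update:", g)
	fmt.Println("swapped binary:", t)
	fmt.Println("rebuilt and signed with a non-release key:", r)
}
```

Run it with `go run`. The release private key belongs in the pipeline's signing service or HSM, never on a build agent, and the installer ships only the public key. A production installer would also bind the manifest to the product name and a monotonically increasing version so that an older, validly signed package cannot be replayed, and would treat the delivery channel (TLS to a pinned endpoint) as a separate layer rather than a substitute for the signature.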

For OEMs, system integrators and end customers in manufacturing and critical infrastructure, this certification provides concrete, independently verified evidence that software suppliers aren't just promising security. They are systematically engineering it into every product. Note that IEC 62443-4-1 certifies the supplier's development process; the security capabilities of an individual product are assessed separately against IEC 62443-4-2, so a thorough evaluation asks for both.

Acronis: Certified security for OT cyber resilience

Acronis has achieved IEC 62443-4-1 certification, alongside ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018 and CSA STAR Level 2 — demonstrating a comprehensive commitment to secure development practices across both IT and OT environments.

This certification confirms that Acronis Cyber Protect for OT — and the broader Acronis portfolio — are built using rigorous, independently verified security practices designed for the realities of industrial environments:

  • Protection for both IT and OT systems under a unified platform.
  • Backup and recovery capabilities that can scale across global operations without requiring manual, site-by-site interventions.
  • Security controls designed for environments where uptime is critical and traditional patching windows may be limited.
  • Compliance support for organizations navigating NIS 2, DORA, IEC 62443 and sector-specific regulations.

Take action: Download the white paper

Acronis's new white paper, "Why the Secure Software Development Life Cycle (SSDLC) must be a key criterion in supply chain evaluations," provides:

  • Detailed analysis of how supply chain attacks exploit development weaknesses.
  • Practical evaluation criteria for assessing supplier SSDLC maturity.
  • A comprehensive checklist (Appendix A) for use in procurement and audits.
  • Mapping to international standards including IEC 62443-4-1, ISO/IEC 27001, NIS 2, DORA and the Cyber Resilience Act.

The paper draws from Acronis's own certification journey and provides actionable guidance for:

  • Corporate end-customers evaluating OT suppliers.
  • OEMs that need to demonstrate secure development to their customers.
  • System integrators building resilient industrial solutions.

Download the white paper to learn how to move your supply chain security from reactive defense to proactive, standards-based assurance.


About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.