Operational Technology Supplier Assurance

A FTSE 100 international packaging and recycling group engaged BSS to design and deliver a third-party operational technology (OT) cyber assurance programme across a defined subset of its paper and packaging suppliers. The decision to commission was made internally, ahead of any regulator, insurer or customer requirement. The programme was delivered in line with IEC 62443, and produced a repeatable methodology, a complete set of supplier assessments and a prioritised remediation roadmap.

The challenge:

OT cyber risk in a manufacturing supply chain differs from traditional IT third-party risk. Production depends on a wide network of suppliers, many of whom interact with the client’s plant environments through vendor-managed assets, engineering services, control systems and on-site presence. Standard IT-style supplier assurance does not adequately capture this exposure. General information security questionnaires do not address legacy controllers, flat networks, safety-critical dependencies and the proximity of suppliers to live production lines.

The client recognised that without an OT-specific and repeatable assurance approach, it had no consistent view of cyber posture across the suppliers underpinning its paper and packaging operations, and no baseline against which those suppliers could be measured. The objective was to establish a defensible, IEC 62443-aligned methodology that could be applied uniformly across the supplier base and reused over time.

The solution:

BSS delivered the programme across four phases:

Discovery: BSS established the methodology and supporting toolset, developing OT-specific and IEC 62443-compliant questionnaires for both paper and packaging suppliers. BSS also configured digital risk protection tooling for external evidence-gathering. The approach was validated with two pilot suppliers, confirming scope, timeline and cost ahead of full delivery.

Assessment: Across two assessment phases, 15 third-party suppliers, five paper and ten packaging, were assessed against the IEC 62443-aligned questionnaire, supported by digital risk protection findings and supplier clarifications. Each supplier received a structured assessment combining questionnaire responses, an evidence review and external technical signals. This generated a defensible record of OT cyber posture for each supplier.

Prioritisation: BSS conducted a structured review of all 15 assessments, identifying themes, control gaps and supplier-specific risk concentrations. The output was a prioritised remediation tracker, which assigned critical, urgent, high, medium and low categories, alongside the input material for the OT control standards.

Remediation and Improvement: BSS provided advisory support to suppliers on remediation activity and produced 15 OT control standards, five for paper and ten for packaging, establishing the OT cyber controls the client expected across its OT supply chain. The engagement closed with a reporting and roadmap workshop, transferring ownership of the programme and its outputs to the client.

The outcome:

The client received 15 completed OT supplier assessments, 15 OT-specific control standards, a prioritised remediation tracker and a continuous-improvement roadmap.

Beyond those deliverables, the client now holds a repeatable, IEC 62443-aligned methodology which can be extended to additional suppliers, refreshed on a defined cycle and used as defensible evidence of OT cyber due diligence in any future regulator, insurer or customer enquiry. The OT control standards clarify what is expected of suppliers and give the client a consistent reference point for ongoing assurance. The reporting and roadmap workshop also embedded the methodology and operational knowledge within the client’s internal teams, equipping them to run and extend future cycles independently.

Empower change through Barclay Simpson Solutions’ bespoke delivery model

Your vision for change and improvement shouldn’t be compromised by blueprint consultancy delivery models. Barclay Simpson Solutions creates bespoke, tailor-made and adaptable solutions to suit the individual needs of your organisation and your project. Get in touch today to discuss your needs:

BSS
Tel: 020 7936 8999   info@bss.uk.com
