Concept for the Implementation of a Cybersecurity Supply Chain Risk Management Processes in selected Nuclear Power Plant
As cybersecurity threats in critical infrastructure grow more complex, this thesis explores how to improve protection of the software and hardware supply chains of nuclear power plants where failure is not an option.
Boris Vittek, 2025
Type of work: Bachelor Thesis
Commissioned by: AXPO Power AG
Supervising lecturer: Härer, Felix
At the selected nuclear power plant, more than 300 external suppliers deliver software and hardware used in critical systems. However, the power plant lacks a proper strategy for cybersecurity supply chain risk management covering these suppliers. Without adequate visibility, involvement of the IT security department in the procurement processes, and continuous monitoring, vulnerabilities could remain undetected, posing a serious risk to safety, operations, and regulatory compliance.
The study started with an analysis of relevant C-SCRM frameworks and guidelines (NIST, ISO, CISA, NCSC, ENISA, ENSI etc.), followed by an analysis of the existing procurement and supply chain processes at the nuclear power plant. Appropriate international frameworks and guidelines were applied to optimize the supply chain and risk management processes. The research included BPMN process mapping, internal interviews, and the development of structured risk assessment tools and questionnaires for supplier evaluation. Supplier risk scoring models and continuous monitoring concepts were also developed.
The thesis delivers a comprehensive concept for the implementation of Cybersecurity Supply Chain Risk Management (C-SCRM) processes at the selected nuclear power plant. Key outcomes include a supplier risk assessment model based on disqualification controls and scoring criteria, process modifications to ensure mandatory IT security involvement, and proposed contractual clauses for vulnerability reporting and patch obligations. A framework for continuous risk monitoring and a catalogue of mitigation measures were developed, aligning operations with both national (ENSI) and international standards. These results provide a practical and auditable approach to enhancing procurement security and supplier governance in critical infrastructure. Finally, the thesis provides recommendations for further enhancements regarding continuous monitoring, contractual obligations for suppliers, and asset inventory.
Degree programme: Business Information Technology (Bachelor)
Keywords: C-SCRM, Supply Chain Risk Management, Contractual Obligations, Supplier Assessment, Supply Chain Process Optimization
Confidentiality: confidential