Supply chains are the overlooked risk in industrial cybersecurity
This is a guest blogpost by Magpie Graham, technical director of threat intelligence, Dragos.
The resilience of the UK’s critical infrastructure increasingly depends on trust. Or rather, how far that trust extends into our supply chains. As digital interdependence grows, so too does our exposure, often in ways that remain invisible until it is too late.
Supply chains as an emerging frontline
Supply chain compromise is fast becoming a key attack vector for adversaries targeting operational technology (OT). These threats are no longer limited to theoretical discussions or isolated cases. They are real, persistent, and growing in complexity.
Whether it is a software update laced with malicious code, a service partner unknowingly breached, or third-party access that goes unmonitored, attackers are exploiting blind spots across the extended OT ecosystem. These vulnerabilities are especially dangerous in operational environments, where cyberattacks can escalate into real-world, physical disruption.
Exposure is greater than many assume
Many organisations assume they have air-gapped networks or closed systems. Yet, in our work at Dragos, we frequently see OT assets exposed on the public Internet. Organisations that believe they are isolated often discover accessible endpoints, unpatched vulnerabilities, and devices with little or no authentication.
The supply chain only amplifies this risk. Equipment choices, outsourced services, and upstream dependencies can all introduce exposure, especially when adversaries target specific technologies or vendors based on geopolitical motives.
We saw this clearly in a campaign involving Unitronics PLCs. Many victims were unaware they were even a target but found themselves compromised simply because of the manufacturer they had chosen. These organisations were not high-value targets in the traditional sense. They were caught in the crossfire of wider global tensions.
Risk hidden deep in the chain
One of the reasons supply chain risk is so difficult to manage is that it often lies several layers removed from the organisation itself. A compromise might occur within the software development lifecycle, in firmware shipped with third-party components, or via a trusted IT vendor who unknowingly propagates malicious updates across their customer base.
The SolarWinds breach is a prime example. Although this incident came from the IT space, the lesson applies directly to OT. Many industrial systems rely on a mix of proprietary software, specialist hardware, and third-party vendors, and many are built on legacy architecture that was never designed with cybersecurity in mind.
In some cases, compromised hardware may even enter the environment with embedded malicious code or counterfeit components. Once deployed, it can be years before the risk is identified, if it is at all.
When IT meets OT, the risk multiplies
Modern OT environments are rarely isolated. Interfaces with business IT systems are increasingly common, particularly in energy, manufacturing, and logistics sectors. Systems used for inventory, engineering workstations, or remote diagnostics often connect directly to enterprise networks. These connections can create viable paths for intrusion.
Many of these connected systems also have links to external partners. Remote maintenance tools, shared cloud platforms, and third-party integrations can all provide attackers with a foothold. Without full visibility into these relationships, defenders are left exposed. The attack surface is not just growing; it is becoming more fragmented and harder to monitor across interconnected organisations.
A collective responsibility
The security of critical national infrastructure cannot rest solely on the OT operators. Responsibility must extend across the entire value chain. Supply chain partners, whether or not they work directly in industrial environments, must recognise the role they play in protecting national infrastructure.
There is a growing need for formal mechanisms that allow upstream suppliers to alert national authorities, such as the NCSC, when they detect a breach that could impact downstream systems. Supply chain partners often hold early insight into compromises that could affect critical infrastructure, and without clear reporting pathways, those insights risk being lost or delayed. That level of accountability and proactive communication is now essential across OT supply chains. It cannot be optional.
You cannot defend what you cannot see
This is not just a phrase – it is a foundational truth. Effective OT security begins with visibility. Organisations need to know what is on their network, where it came from, and how it interacts with the wider ecosystem.
To build true resilience, organisations should begin with comprehensive asset discovery, ensuring that even internet-facing OT systems are identified and accounted for. They must map dependencies between OT and IT systems, while also pinpointing any third-party access points that may introduce risk. Ongoing monitoring for remote access vulnerabilities and misconfigured interfaces is essential to reduce exposure.
In addition, incident response plans should explicitly consider scenarios involving supply chain compromise, ensuring preparedness across interconnected environments. Finally, organisations should begin preparing for future regulatory requirements, including legislation such as the UK’s Cyber Security and Resilience Bill. This aims to strengthen national infrastructure by introducing mandatory cyber risk management, clearer incident reporting obligations, and increased oversight of third-party suppliers. Even the strongest cybersecurity tools will not protect an organisation that does not understand where its risk resides. Gaps in knowledge are gaps in defence.
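As an added illustration of the visibility steps above (example code, not from the post or from Dragos), this Python snippet takes a constructed asset inventory with network zones, authentication flags and observed connections, then reports which OT assets are reachable from the Internet or a third-party connection, which accept unauthenticated access, and which IT-to-OT dependencies exist. Asset names, zones and links are all assumed sample data.

```python
from collections import deque

# Constructed sample inventory (not real data): each asset has a network zone and
# a flag for whether it enforces authentication. LINKS are directed connections
# recorded during asset discovery (source can reach destination).
ASSETS = {
    "internet":        {"zone": "external",    "auth": True},
    "vendor-vpn":      {"zone": "third_party", "auth": True},
    "erp-server":      {"zone": "it",          "auth": True},
    "eng-workstation": {"zone": "it",          "auth": True},
    "historian":       {"zone": "ot",          "auth": True},
    "plc-line1":       {"zone": "ot",          "auth": False},
    "plc-line2":       {"zone": "ot",          "auth": False},
}
LINKS = [
    ("internet", "plc-line1"),          # PLC directly reachable from the Internet
    ("vendor-vpn", "eng-workstation"),  # third-party remote maintenance access
    ("eng-workstation", "plc-line2"),   # IT engineering host programs a PLC
    ("erp-server", "historian"),        # business system pulls OT data
]
UNTRUSTED_ZONES = {"external", "third_party"}


def exposure_paths(assets, links):
    """Shortest path from any untrusted zone into each reachable OT asset (BFS)."""
    graph, paths = {}, {}
    for src, dst in links:
        graph.setdefault(src, []).append(dst)
    for start, info in assets.items():
        if info["zone"] not in UNTRUSTED_ZONES:
            continue
        seen, queue = {start}, deque([[start]])
        while queue:
            path = queue.popleft()
            node = path[-1]
            if assets[node]["zone"] == "ot":
                if node not in paths or len(path) < len(paths[node]):
                    paths[node] = path  # keep the shortest exposure path per asset
            for nxt in graph.get(node, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return paths


def unauthenticated_ot(assets):
    """OT assets that accept connections without authentication."""
    return sorted(n for n, i in assets.items() if i["zone"] == "ot" and not i["auth"])


def it_ot_dependencies(assets, links):
    """IT-to-OT connections that should be documented and monitored."""
    return [(s, d) for s, d in links if assets[s]["zone"] == "it" and assets[d]["zone"] == "ot"]
```

Running it on the sample data shows two PLCs reachable from untrusted origins (one directly from the Internet, one via a vendor VPN and an engineering workstation), both without authentication, plus two IT-to-OT links to put under monitoring.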
Evolving threat landscape
Threat actors are already exploiting weaknesses in global supply chains. Whether motivated by financial gain, political objectives, or disruption, they are targeting the very systems we rely on to keep lights on, shelves stocked, and public services running.
In recent campaigns, threat actors have increasingly leveraged low-sophistication methods, such as exploiting unpatched systems and exposed OT assets to gain access to critical environments. We are also seeing a convergence between state-sponsored actors and hacktivist groups, who are adopting ransomware-style tactics to amplify the impact of their operations while reducing attribution risk. These hybrid threats often exploit trusted third-party technologies or suppliers, meaning that organisations can become targets not for who they are, but for who they rely on. As a result, many victims are caught in the crossfire of broader geopolitical tensions.
Looking ahead
Improving security across supply chains is no longer a ‘nice to have’ – it is essential. Proactive visibility, shared responsibility, and constant monitoring are now the minimum standard. Trust in the supply chain must be earned and maintained, not assumed. It is time we treated supply chain exposure as a national security priority.
