Authors: Dr. Andrea Little Limbago and Ben Gowan
As Cybersecurity Awareness Month draws to a close, protecting our systems must be a focus throughout the year, not just in October. Most overviews and trainings focus on the ransomware and phishing attacks that dominate the headlines, as they continue to be the most prominent and financially destabilizing attacks. However, beyond the headlines, the cyber risk landscape continues to expand at a rapid pace on par with the enormous geopolitical shifts and technological advancements that are defining the era. In turn, these additional cyber risks pose significant challenges for global supply chains, impacting everything from business operations to hardware security. They also highlight how the key fundamentals of resilience are more crucial than ever before.
Transportation Operations Under Fire
Throughout 2025, cyber events have routinely disrupted physical business operations. Planes, trains, and automobiles have all experienced cyber-driven repercussions this year. A cyber attack in September on Collins Aerospace impacted its MUSE airport check-in system, delaying thousands of passengers across several airports in Europe, including Heathrow, Brussels and Berlin. Jaguar Land Rover halted global production lines for weeks after a ransomware attack. Assessment of the economic impacts of the breach is still ongoing, but initial estimates are over $2bn. Just days later, Bridgestone Americas was also attacked. While production was temporarily disrupted in several locations, the company reports that rapid response limited the breach and no customer data was compromised. These events highlight the reality that cybersecurity and business logistics are now fully intertwined, with cyber incidents leading directly to physical supply disruptions.
Software Supply Chain Exposure
Every malicious cyber disruption begins with an attack vector, and a growing vector is software supply chains themselves. Developer ecosystems like GitHub, Jira and npm, as well as major enterprise applications like Salesforce and SharePoint, all experienced widespread attacks in the past 6 months. The blast radius of the F5 BIG-IP breach extends well beyond the exposed systems, rippling out from software compromise to vendor supply chain relationships. That type of extended supply relationship mapping is essential for modern supply chain risk management and for mitigating third-party attack vectors.
Concentration Risks & Digital Infrastructure
As last week’s AWS outage demonstrated, significant portions of the digital infrastructure are highly dependent on a few key companies and the physical infrastructure that powers it. Amazon, Microsoft, and Google control the majority of cloud infrastructure, introducing vulnerabilities and significant ripple effects from even minor disruptions.
However, the concentration risk is not limited to cloud infrastructure. 95-99% of all global data runs through a few hundred undersea cables. A recent joint statement by six European countries claimed “Russia is systematically attacking European security architecture.” From the Red Sea to the South China Sea to the Baltic Sea, these cables have experienced geopolitically-driven disruptions that have already caused widespread outages.
Data centers have geographically-driven concentration risk, with the US and China hosting 70% of global capacity. These data centers are at risk of both cyber attacks and natural hazards, with security threats on the rise and some calling attacks on data centers the biggest threat to AI.
The Chip Wars & Trustworthy Networks
Over the last year, the back-and-forth Nvidia chip bans between the US and China have been part of the broader geo-economic competitive landscape. They are also indicative of the broader regulatory focus on the emerging technologies that are crucial to global economies. Not only is there a concentration risk – with Taiwan producing over 90% of advanced semiconductor chips – but the regulatory landscape continues to fluctuate. US sanctions continue to target Chinese technology and AI companies. In return, China has expanded rare earth restrictions, with a specific focus on defense and chip production.
Semiconductors not only represent a regulatory risk, but can also be exploited as an attack vector. As Chris Miller highlights in “Chip War”, companies have allocated significant resources to defending against cyber attacks, but very few devote resources to verifying chips or inspecting circuit boards. Supply chain compromise via hardware – such as through counterfeit components or inherited components – is a growing concern. As global tech infrastructure bifurcates along geopolitical fault lines, trustworthy hardware becomes a critical piece in building secure supply chain ecosystems.
Focusing on the Fundamentals
The physical supply chain disruptions and massive scale of breaches this year are concerning, but it’s important to recognize that security fundamentals don’t change and there are meaningful actions organizations can take to mitigate these threats. The ultimate collapse of KNP Logistics after a ransomware attack was due to a weak password. The npm compromises started with a phishing email to key developers. While attackers and their techniques are more sophisticated than ever, well-executed enterprise cybersecurity basics can still combat their tactics. Indeed, password hygiene, phishing, and many other common initial access vectors are addressed in practical terms in the CISA #StopRansomware Guide. Building supply chain resilience involves proactively scaling and integrating standard best practices from cybersecurity and SCRM to meet the modern threat landscape. Similarly, the fundamentals of supply chain resilience, such as diversification and visibility, are also crucial to addressing the expansive cyber risk landscape.
From Awareness to Action
Cybersecurity, more than ever, is fundamentally a core business concern and integral to modern supply chain risk management. The cyber risk register now belongs squarely in the business risk register. NIST has addressed this specific confluence for years in SP 800-161 with specific C-SCRM recommendations. A few critical proactive recommendations include:
- Maintain a live supplier inventory and multi-tier map
- Continuously monitor suppliers
- Embed C-SCRM into acquisition and due diligence
- Define and report C-SCRM metrics to leadership
interos.ai enables every one of these key functions, providing continuous, holistic supply chain risk management that lets your organization take targeted, meaningful actions to mitigate risks. Speak to a supply chain expert today to safeguard your operations.


