Understanding Supply Chains to Manage Risk

September 02, 2025 • Blog
Posted by
Mitchell Louglin, Partner - Critical Infrastructure Resilience

Over the past century, globalisation has altered the way we communicate, the way we trade, and the way we source goods and services. The advent of the internet supercharged this shift, breaking through terrain and time zones to enable real-time communications, transactions and supply of digitally-enabled goods and services.

The change has been transformative and rapid and, while globalisation has brought with it incredible opportunity and growth, it has also introduced new risks.

Across the world, the significance and fragility of the global supply chain has crystallised for governments and organisations. In an environment characterised by geopolitical flux, fierce competition for tech supremacy and reliance on connected digital systems, supply chain security has never been more important or urgent.

Australia has not been immune to the impacts of global supply chain challenges, nor to the risk posed by third parties that seek to infiltrate and compromise our critical infrastructure. This has left the companies we rely upon to deliver essential goods and services exposed.

We explore the current issues faced by critical infrastructure industries, their common causes, and the emerging threats that entities need to consider. It is important to remember that while cybersecurity risks are top of mind currently, we must consider these risks in the context of the broader operating environment, including traditional sources of risk such as physical and personnel disruptions.

Geopolitical flux and the Rise of Supply Chain Disruption

Since the pandemic, the occurrence of significant events, such as the blockage of the Suez Canal, the war in Ukraine, and escalating conflict in the Middle East, has resulted in increased supply chain uncertainty and insecurity globally.

These more ‘traditional’ disruptions, however, have occurred concurrently with an unprecedented increase in digital threats. Global unrest has seen an unparalleled increase in digital espionage, as nation state and state-sponsored threat actors try to understand local and global critical infrastructure supply chains and infiltrate them.

Given its strategic geographic location and dependency on global trade, Australia is significantly exposed to the risks of supply chain disruption, notably from events impacting global logistics, such as shipping, ports and rail transport. In this environment, a small disruption can have a large impact.

ASIO’s Warning: Sabotage as a Strategic Threat

In a recent address, Australia’s Director-General of Security Mike Burgess revealed foreign espionage was costing Australia $12.5 billion a year, with the Australian Security Intelligence Organisation (ASIO) disrupting 24 "major espionage and foreign interference" operations in the last three years.[1]

In his 2025 Annual Threat Assessment, Mr Burgess stated that “sabotage is a head of security in its own right”.

“We expect sabotage will pose an increasing threat in the next five years and this is not limited to an attack on defence assets. Even in the absence of conflict, foreign regimes are expected to become more determined to, and more capable of, pre-positioning cyber access vectors they can exploit in the future,” he said.

“We are getting closer to the threshold for high-impact sabotage. ASIO assesses authoritarian regimes are growing more willing to disrupt or destroy critical infrastructure to impede decision-making, damage war-fighting capabilities and sow social discord.”[2]

These words must serve as a wakeup call for every Australian organisation, especially in relation to supply chain security. And as international experience has shown, the critical components that underpin our digital supply chains are particularly vulnerable.

References:

[1] https://www.abc.net.au/news/2025-07-31/asio-chief-warns-of-espionage-costs/105598696

[2] https://www.asio.gov.au/director-generals-annual-threat-assessment-2025

Lessons from the US: Salt Typhoon and BADBOX 2.0

In 2024, the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), advised that Chinese state-sponsored cyber actors were seeking to preposition themselves on IT networks for disruptive or destructive cyberattacks against US critical infrastructure in the event of a major crisis or conflict.[3]

The group, known as Salt Typhoon, used malicious software to penetrate internet-connected systems by exploiting vulnerabilities such as weak administrator passwords, factory default logins and unpatched devices. They targeted communications, energy, transportation, water and wastewater systems.[4]

In June 2025, the FBI released an advisory about cyber criminals exploiting Internet of Things (IoT) devices connected to home networks to conduct criminal activity using the BADBOX 2.0 botnet.[5] According to the advisory, cyber criminals gain unauthorised access to home networks through compromised IoT devices, such as TV streaming devices, digital projectors, aftermarket vehicle infotainment systems, digital picture frames and other products. Most infected devices were manufactured in China.

It states: “Cyber criminals gain unauthorised access to home networks by either configuring the product with malicious software prior to the user's purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process. Once these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy services known to be used for malicious activity”.[6]

While the latter example did not impact critical infrastructure networks (that we know of), it serves to highlight the significant and widespread impacts pre-compromised devices could have on critical infrastructure assets.

References:

[3] https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/prc-state-sponsored-actors-compromise-and-maintain-persistent-access-us-critical-infrastructure

[4] https://theconversation.com/what-is-volt-typhoon-a-cybersecurity-expert-explains-the-chinese-hackers-targeting-us-critical-infrastructure-226600

[5] https://www.ic3.gov/PSA/2025/PSA250605

[6] https://www.ic3.gov/PSA/2025/PSA250605

Thales Cyber Services Insights: What We’re Seeing

At Thales Cyber Services - through our work in security assessment and delivery - we have seen numerous instances of third- or fourth-order supplier dependencies not being understood or appreciated, and of specific components not being what was expected. This has resulted in breaches and other issues that have impacted the ability of these organisations to deliver critical services.

The repercussions of such issues are felt in the short, medium and long term.

In the short term, reputational damage can be significant, especially in the case of a major or disclosable incident.

In the medium term, remediation can be costly, as can regulatory reporting and responses.

And in the long term, the increasing risk of legal class actions and significant financial penalties imposed by regulators is coming to the fore.

As we look forward, in a complex global environment with increasing convergence of IT and OT technologies and heightened cyber security risks, supply chain security and oversight must be viewed as strategic and operational imperatives.

Supply chain security cannot be perfect, but risk can be significantly mitigated. This begins with extensive oversight of organisational supply chains and, where necessary, this should consider the sources of critical digital components.
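The two failure modes described above (higher-order supplier dependencies that nobody has mapped, and deployed components that are not what was procured) can both be made visible with a small amount of tooling. The following is an added example, not code from the original post or from Thales Cyber Services: it walks a constructed supplier graph to list every third- and fourth-order dependency, and compares the digest of each deployed component against the digest recorded at procurement. All supplier names, component names and byte strings are constructed sample data; in practice the expected digests would come from an SBOM or vendor attestation rather than being hard-coded.

```python
"""
Added example (not part of the original post): enumerate higher-order
supplier dependencies and verify critical digital components against
what was expected.

All supplier names, component names and digests are constructed sample
data for illustration; they do not describe any real vendor or product.
"""
import hashlib
from collections import deque

# Constructed supplier graph: each key lists the suppliers it depends on.
# Order 1 = direct supplier, order 2 = supplier's supplier, and so on.
SUPPLIERS = {
    "our-utility":     ["scada-vendor", "telco-provider"],
    "scada-vendor":    ["rtu-firmware-co", "cloud-host"],
    "telco-provider":  ["router-oem"],
    "rtu-firmware-co": ["chipset-fab"],
    "cloud-host":      [],
    "router-oem":      ["chipset-fab"],
    "chipset-fab":     [],
}


def supplier_depths(graph, root):
    """Breadth-first walk returning {supplier: order of dependency from root}.

    Shortest-path depth is used, so a supplier reached both directly and
    transitively is reported at its most direct relationship.
    """
    depths = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in depths:
                depths[dep] = depths[node] + 1
                queue.append(dep)
    depths.pop(root)  # the organisation itself is not a supplier
    return depths


def suppliers_at_or_beyond(graph, root, order):
    """Suppliers the organisation relies on at `order` removes or further.

    With order=3 this is the third- and fourth-order set that is most
    often absent from an organisation's supply chain oversight.
    """
    return sorted(s for s, d in supplier_depths(graph, root).items() if d >= order)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed inventory: the digest of each critical component as recorded
# from the supplier at procurement time, and the bytes actually deployed.
EXPECTED = {
    "rtu-firmware-v3.bin":  sha256_of(b"constructed firmware image v3"),
    "router-image-7.2.img": sha256_of(b"constructed router image 7.2"),
}
DEPLOYED = {
    "rtu-firmware-v3.bin":  b"constructed firmware image v3",
    "router-image-7.2.img": b"constructed router image 7.2 with unexpected change",
    "hmi-package.tar":      b"component nobody recorded an expectation for",
}


def verify_components(expected, deployed):
    """Return {component: status} with status 'ok', 'mismatch' or 'unrecorded'.

    'mismatch' is the "component not as expected" case; 'unrecorded' means a
    component is in service with no procurement record to check it against.
    Both should be investigated before the component is trusted.
    """
    result = {}
    for name, blob in deployed.items():
        if name not in expected:
            result[name] = "unrecorded"
        elif sha256_of(blob) != expected[name]:
            result[name] = "mismatch"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    depths = supplier_depths(SUPPLIERS, "our-utility")
    for supplier, depth in sorted(depths.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"order {depth}: {supplier}")
    print("third-order and beyond:", suppliers_at_or_beyond(SUPPLIERS, "our-utility", 3))
    for name, status in verify_components(EXPECTED, DEPLOYED).items():
        print(f"{status:10} {name}")
```

The graph walk is the piece most organisations lack: it shows that the chipset fabricator sits at third order yet is reached through two independent first-order suppliers, so a single upstream problem would affect both the SCADA estate and the telecommunications link. The digest check is deliberately simple; its value comes from the procurement-time record existing at all, which is what "extensive oversight" has to deliver.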


Written by Mitchell Louglin
