Securing the UK’s interconnected supply chain: managing emerging sub-tier risks across defence and critical national infrastructure
Guest blog by Steve Jewell, Chief Executive Officer at Nine23 #techUKSupplyChainSecurityWeek
Introduction
Modern threat actors increasingly exploit sub-tier suppliers within the defence and CNI ecosystem, recognising that these smaller organisations often lack the governance, assurance mechanisms, and security maturity found at prime contractors or regulated operators. Rather than attempting to breach a well-protected defence prime or CNI asset directly, adversaries target lower-tier manufacturers, niche technology providers, managed service partners, and logistics specialists. These entities routinely hold privileged access, sensitive design or operational data, integration responsibilities, or trusted digital pathways, making them effective vectors for lateral movement into the wider enterprise.
Once established inside a sub-tier supplier, hostile actors can conduct a range of quiet, sustained activities: the manipulation of software updates or build pipelines; the insertion of counterfeit, tampered, or vulnerable hardware components; credential harvesting; or reconnaissance to map upstream dependencies. The inherently complex, opaque, and globally distributed nature of modern defence and CNI supply networks means these compromises can persist undetected for extended periods. As a result, risk can propagate across what functions less as a linear supply chain and more as an interconnected “Supply Web”, where compromise at one node can have system-wide consequences.
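The "Supply Web" idea above can be made concrete by treating the ecosystem as a directed graph and asking what a compromised sub-tier node can reach. The script below is an added illustration, not code from the original post or from Nine23: every organisation name, relationship and pathway in it is constructed, and the edge direction is an assumption that the source of an edge holds access, data or a trusted channel into its target. It computes the blast radius of a compromised node, enumerates the chain of trust relationships abused on each route to a prime or CNI operator, and ranks sub-tier nodes by how many such targets they can reach.

```python
"""Blast-radius analysis over a constructed "Supply Web".

Added example, not code from the original post or from Nine23. Organisations
are nodes; the trust relationships an attacker could abuse (privileged access,
software update channels, hardware supply, logistics) are directed edges.
Every organisation name and relationship is constructed for illustration and
refers to no real supplier.
"""
from collections import deque

# Constructed sample web: (source, target, pathway). The edge points in the
# direction an attacker could move: `source` holds access, data or a trusted
# digital pathway into `target` (assumed convention for this example).
EDGES = [
    ("pcb-fab-ltd",         "avionics-integrator", "supplied hardware components"),
    ("build-tools-vendor",  "avionics-integrator", "software update channel"),
    ("build-tools-vendor",  "rail-signalling-msp", "software update channel"),
    ("avionics-integrator", "defence-prime",       "privileged integration access"),
    ("rail-signalling-msp", "cni-rail-operator",   "remote management credentials"),
    ("logistics-co",        "defence-prime",       "trusted transport and storage"),
    ("logistics-co",        "cni-rail-operator",   "trusted transport and storage"),
]
# The organisations whose compromise has system-wide consequences.
TARGETS = {"defence-prime", "cni-rail-operator"}


def build_graph(edges):
    """Adjacency list: node -> list of (downstream node, pathway abused)."""
    graph = {}
    for src, dst, pathway in edges:
        graph.setdefault(src, []).append((dst, pathway))
        graph.setdefault(dst, [])
    return graph


def blast_radius(graph, start):
    """Every node reachable from `start`, with one shortest path to each (BFS)."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for dst, _ in graph.get(node, []):
            if dst not in paths:
                paths[dst] = paths[node] + [dst]
                queue.append(dst)
    return paths


def attack_paths(graph, start, target):
    """All simple paths from `start` to `target`, each as a list of
    (node, pathway used to reach it) hops; the first hop has pathway None."""
    results = []

    def walk(node, path, seen):
        if node == target:
            results.append(list(path))
            return
        for dst, pathway in graph.get(node, []):
            if dst not in seen:
                walk(dst, path + [(dst, pathway)], seen | {dst})

    walk(start, [(start, None)], {start})
    return results


def rank_by_reach(graph, targets):
    """Non-target nodes ordered by how many targets their compromise reaches.
    Ties keep graph insertion order (Python's sort is stable)."""
    scores = {}
    for node in graph:
        if node in targets:
            continue
        scores[node] = sorted(set(blast_radius(graph, node)) & targets)
    return dict(sorted(scores.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    g = build_graph(EDGES)
    for node, reached in rank_by_reach(g, TARGETS).items():
        print(f"{node:22s} reaches {len(reached)} target(s): {', '.join(reached)}")
    print()
    for path in attack_paths(g, "build-tools-vendor", "cni-rail-operator"):
        hops = [path[0][0]] + [f"--[{p}]--> {n}" for n, p in path[1:]]
        print(" ".join(hops))
```

In this constructed web the ranking surfaces the two nodes that reach both targets (the build-tools vendor via its update channel and the logistics company via trusted transport), neither of which is a direct supplier that a prime's tier-one assurance would normally cover. Running the same analysis over a real supplier register, with edges drawn from contracts, access grants and data-sharing agreements, is the practical step towards the visibility the post argues for.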
Increasingly, these intrusions take the form of twin cyber–physical attacks, where digital compromise is enabled or reinforced by physical access—and vice versa. A cyber breach may begin with classic digital tradecraft such as credential theft, malware deployment, or corrupted firmware, but its success may depend on a physical enabler: access to a production line, coercion or manipulation of an insider, or interference with a testing or assurance process. Equally, a physical intrusion (connecting an unauthorised device, tampering with components, or breaching a storage or transport environment) may be coordinated to support a broader cyber operation.
Supply chain management now spans domains that were once treated separately. The physical domain is increasingly affected by the IT security (cyber) domain, including operational technology (OT) and service provision. This is clearly seen in industries such as construction, where the provenance of materials and equipment now has to account for embedded technologies and the many suppliers involved in monitoring, maintenance, obsolescence and disposal.
1. Emerging technologies in the supply chain: enablers and risks
Emerging technologies (cloud platforms, AI models, digital twins, and connected operational systems) offer enormous opportunity but also introduce new attack surfaces. Without governance, they amplify systemic risk across entire ecosystems.
- Cloud platforms improve collaboration but increase dependency complexity.
- AI models enable predictive assurance but create Shadow AI risks.
- Digital twins accelerate sustainment but expose sensitive data.
- Autonomous and semi-autonomous platforms deliver Defence advantage but reshape security boundaries.
These technologies depend on significant compute capacity, high-density power and the associated cooling, which increases dependence on third-party provision from hyperscalers or shared infrastructure models. It is therefore increasingly important to identify the resilience risks these shared services carry: mitigation options may be limited, or may need to consider alternative ways of achieving the business outcome rather than technology resilience alone.
2. Holistic approach
There is a wide range of tools and services already available for threat evaluation, vulnerability assessment, security monitoring, supplier governance, software development, and system health and availability; but these are not yet integrated to provide a holistic view of the security posture and the most impactful risks facing an organisation or the service(s) it delivers to its customers.
Nine23 has been working with specialist partners such as Veriom, which provides a tool set to identify the root causes of vulnerabilities in software and fix them at source, and Arqit, which provides post-quantum cryptography (PQC) encryption technology and the ability to assess data in transit, alongside tools that monitor infrastructure, networks, boundaries and beyond. The aim is to provide visibility of the most significant risks to an organisation, based on its context of operation, whether they arise from within or via the complex supplier networks on which it relies.
3. Driving accountability across the supply chain
Accountability must scale across every node of the Supply Chain (primes, SMEs, cloud services, toolchain providers, integrators, and subcontractors). Nine23 enforces accountability through:
- Evidence‑based assurance frameworks (not self-attestation)
- Intelligent Customer (IC) oversight embedded into governance
- Milestone-triggered call-off delivery models for transparency
- Clear Supply Chain Security Requirements aligned to Defence standards
4. Global alignment and best practice
Supply chain security depends on coherence with established frameworks: the NCSC Cloud Security Principles, UK Government Security Classifications, DEF STAN 05-138 (Cyber Security for Defence Suppliers), the Defence Cyber Protection Partnership (DCPP) and its Cyber Security Model (CSM), and broader global standards. Nine23 ensures organisations remain interoperable and secure in multinational ecosystems.
5. National security: supply chains as critical assets
Supply Chains underpin the UK's Defence, economic stability, and national resilience. Governments must strengthen governance, incentivise maturity, and embed Secure by Design expectations across critical projects.
6. Defence: AI, autonomy and the future digital backbone
AI introduces powerful capability for Defence sustainment, autonomy and data-driven decision-making, but Shadow AI, model poisoning and uncontrolled LLM usage create new risks. Nine23 addresses this through AI governance, safe tooling environments and Secure by Design (SbD)-aligned integration into platform lifecycles.
Conclusion
Modern supply chains have become complex networks of equipment, software and service components: interconnected, interdependent, and strategically vital. Nine23's Secure by Design approach ensures emerging technologies strengthen resilience rather than undermine it. As techUK launches the Supply Chain Security Playbook, Nine23 is proud to contribute practical, proven methods for securing the UK's digital and Defence future.