As the industrial sector advances into 2025, industrial supply chain security is increasingly likely to be defined by mandatory SBOMs (Software Bill of Materials), regulatory scrutiny, and the rise of AI (artificial intelligence) and advanced technologies. Cyber adversaries are also expected to be active this year, as they aim to react to new political developments and prove their continued ability to take action.
Adoption of emerging technologies such as AI, ML (machine learning) and IoT (Internet of Things) will change the processes by which companies will protect their supply chains and offer real-time monitoring, as well as predictive analytics, with precursors, which will help to uncover vulnerabilities.
Increase in the technical sophistication and number of cyber threats and threats is also pushing awareness of industrial supply chain vulnerabilities. Escalations of adversarial attacks generate the need for preventive actions, since the effects can be cascading and serious. Companies must balance efficiency with strong cybersecurity protocols, making risk mitigation strategies like segmentation and access controls essential.
Organizations are adopting industry standards and regulations to bolster supply chain security, enhancing trust among stakeholders and partners. Adhering to established guidelines ensures a unified risk management approach, enabling critical businesses to navigate the complexities of integrated supply chains.
In this changing environment, it is only by linking cybersecurity with the operational objectives that resilient supply chains will be established and prepared for disruptions. The investment in training, awareness programs, and continuous improvement will further solidify these efforts and usher in a new era of secure, efficient, and adaptive industrial supply chains facing the changing nature of challenges. By blending innovation and security, organizations are more likely to determine the resilience and competitive advantage of industrial organizations preparing for the future.
Key industrial supply chain security trends and strategies for 2025
Industrial Cyber reached out to experts in the industrial supply chain space to highlight the major trends set to transform industrial supply chain security by 2025, and explore strategies for organizations to proactively address emerging threats.
Matt Wyckhouse, CEO of Finite State told Industrial Cyber that in 2025, three trends will define industrial supply chain security – mandatory SBOMs; regulatory scrutiny; and growth of AI and advanced technologies.
“With the EU CRA coming into effect, SBOMs will become standard practice. These documents, paired with machine-readable vulnerability feeds, will give organizations a clearer view of software components and risks,” Wyckhouse said. “Heightened government oversight will require deeper transparency and better compliance measures across critical infrastructure. We expect to see increased harmonization of standards worldwide, making proactive risk management even more essential.”
He also mentioned that AI will accelerate threat detection and response, but also create new exploit paths like data poisoning and adversarial attacks.
To stay ahead, Wyckhouse identified that organizations need automated processes for collecting SBOMs, analyzing vulnerabilities especially in legacy software, and integrating security controls into every stage of product development.
Robert Kolasky, senior vice president for critical infrastructure at Exiger told Industrial Cyber that industrial supply chain security is on the top of the agenda in 2025 because of the actions of the Chinese government, as it relates to the ‘typhoon’ campaign to breach communications networks and other critical infrastructure for the purpose of espionage and – more concerning – potential disruption of critical functions. “Third parties and supply chains have been a critical attack mode utilized by Chinese cyber actors as well as others,” he added.
“At the same time, there is pressure on the industrial organizations to demonstrate that they are aware of critical suppliers and their underlying security – including with product assurance,” Kolasky highlighted. “Amongst the trends in 2025 will be advancement of software bills of material maturity, innovation in analytic tools to assess SBOMs, attestation of secure software development practices and contractual requirements.”
In 2025, Kolasky expects to see more attention on ‘proving’ industrial supply chain security for critical infrastructure that supports national security and market-based approaches to incentivize enhanced security. “To stay on top of emerging threats, organizations need to maintain strong information sharing channels and prioritize participation in relevant Information Sharing and Analysis Centers (ISACs).”
“In oil and gas, tighter OT/IT convergence, AI-driven security tools and stricter regulatory requirements are reshaping supply chain security,” Syed M. Belal, global director of OT/ICS cybersecurity strategy at Hexagon’s Asset Lifecycle Intelligence division, told Industrial Cyber. “Organizations can stay ahead by adopting proactive threat detection, fostering collaborative partnerships with vendors and ensuring regular risk assessments to adapt to evolving threats.”
AI, ML and IoT: Reshaping industrial supply chain security
The executives examine how the swift integration of AI, ML, and IoT technologies will reshape opportunities and vulnerabilities in industrial supply chain security.
Wyckhouse noted that AI and machine learning offer incredible opportunities for real-time threat detection and remediation. These technologies excel at sifting through massive datasets—spotting anomalies faster than humans ever could— and can significantly reduce false positives.
“However, the explosion of IoT devices in industrial contexts widens the attack surface significantly. Each connected sensor or controller introduces potential entry points that aren’t always covered by traditional IT security,” Wyckhouse remarked. “Additionally, AI itself is vulnerable to sophisticated manipulations, including adversarial attacks that confuse algorithms or data poisoning that corrupts machine learning models. To mitigate these risks, organizations must invest in specialized IoT/OT security solutions, robust testing of AI models, and a clear incident response plan that addresses AI-specific threats.”
Kolasky identified that these new technologies are all related to automation, seeing patterns, and learning faster. “By definition, they should both improve the ability of attackers and defenders. In the case of industrial security, the unfortunate reality is too often the attacker innovates more quickly than the defenders, so artificial intelligence may identify additional vulnerabilities and learn from exploit attempts.”
He added that the challenge for defenders is to use these technologies to better map supply chains and critical points to ensure they are hardened and monitored and – when incidents do occur – contained.
“AI/ML enables advanced threat detection and predictive maintenance in oil and gas operations, reducing downtime risks,” Belal said. “However, IoT expansion increases vulnerabilities. Integrating AI tools with cybersecurity frameworks enhances resilience, while strong vendor alliances can offer tailored solutions to address specific threats and operational needs.”
Cyberattack hotspots: Vulnerabilities in industrial supply chain
The experts identify the most vulnerable areas of the industrial supply chain to cyber threats and explain how attackers exploit these weaknesses. They also predict which types of cyberattacks are likely to prevail in 2025.
Wyckhouse pointed out that attackers frequently target embedded systems and IoT devices, which are often overlooked by traditional security platforms, third-party software components, and CI/CD (Continuous Integration/Continuous Delivery) pipelines. Legacy software is also a popular attack point, as older systems rarely receive patches or updates, leaving known weaknesses open for exploitation.
“In 2025, we expect continued dominance of ransomware and supply chain attacks. Ransomware remains profitable and highly disruptive, while supply chain attacks offer adversaries the chance to infiltrate multiple organizations simultaneously,” Wyckhouse said. “We also anticipate more attacks on AI systems as adoption grows and persistent threats against critical infrastructure.”
Kolasky remarked that the parts of the industrial supply chain most susceptible to cyber threats start with areas that are heavily software dependent and crucial to real time operations, which can include logistics management systems, enterprise resource planning, and related security and safety providers. “All of these are closely integrated with business operations and thus are potential targets from motivated adversaries. These systems also operate largely in the cloud, which means the ways that they are deployed and interact with CSPs creates a cyber vulnerability.”
“The attacks that are likely to dominate are opportunistic attempts of deploying ransomware and strategic exploration that can be seen as a precursor to enhanced geopolitical conflict,” Kolasky noted. “Adversaries are likely to be active this year, as they will want to be responsive to new political factors and demonstrate that they are still capable of acting.”
Belal said that third-party vendors, legacy OT systems and IoT devices in oil and gas are susceptible to attacks. Threat actors exploit these through ransomware, phishing and supply chain-specific malware.
In 2025, he pointed out that ransomware-as-a-service and advanced OT-targeted attacks will dominate. Regular assessments and targeted security controls are crucial for risk mitigation.
Addressing lessons learnt, consequences of supply chain breaches
Reflecting on past supply chain breaches, the executives focus on the most critical operational and financial consequences industrial organizations should prepare for.
Wyckhouse mentioned that past breaches illustrate there are four main consequences industrial organizations need to prepare for. These include operational disruptions like halted production lines, disrupted product deliveries, and compromised critical control systems; financial losses from ransoms, system restoration, regulatory fines, legal ramifications, and reputational damage; supply chain instability due to a compromised vendor; and loss of intellectual property and sensitive data.
Kolasky said that supply chain breaches are most significant when they are used to cause operational shutdown, which can occur via ransomware or other malware that is used to shut down connections that impact operating systems or to obfuscate availability of information which could prevent the ability of organizations to operate their core systems safely.
“In industrial cyber, when a security incident becomes a potential safety incident that is the most significant concern,” according to Kolasky. “This also crosses over with regulatory requirements and avoiding liability, which can have significant negative financial consequences. Organizations need to account for these downsides by being proactive in demanding and demonstrating transparency with their suppliers.”
“Supply chain breaches in oil and gas can cause operational shutdowns, environmental risks, regulatory penalties, and reputational harm,” Belal said. “The Colonial Pipeline breach demonstrated how disruptions cascade through operations and the economy. Organizations should prepare by enhancing incident response plans, focusing on asset visibility, and fortifying supply chain resilience.”
Blending industrial supply chain efficiency with cybersecurity
The executives offer practical strategies that industrial organizations can adopt to balance maintaining supply chain efficiency with implementing strong cybersecurity defenses. They also discuss the most effective approaches for mitigating risks.
Wyckhouse said that organizations can strike a balance between efficiency and implementing robust cybersecurity defenses by focusing on ‘shifting left’ and integrating security from the earliest stages of development; automating SBOMs, binary analysis, and vulnerability scanning within CI/CD pipelines so these tasks become routine rather than disruptive; and investing in real-time monitoring to detect anomalies early. He also called for focusing remediation efforts on the highest-risk vulnerabilities, and enforcing multi-factor authentication, least-privilege policies, and strict vendor access policies to reduce the impact of compromised credentials.
He added that proven approaches include DevSecOps (embedding security into every aspect of software development), adopting standards-based programs (like IEC 62443 or ISO 27001), and continuous employee training at all levels.
“The first practical strategy is to know your vendors and their vendors and regularly evaluate how they are used in your systems to understand which are the most critical in terms of importance to operations and system connectedness and access,” Kolasky said. “For the most critical vendors, their cyber security posture needs to be assessed and monitored using best in class technology.”
From there, Kolasky added that organizations should put in place contract language, where possible, that demands attestation of good cyber security and secure by design processes as well as information sharing about any cyber incidents that occur – to include sharing of software and hardware bills of materials. “These bills of materials can be used to identify risk factors and possible correlations to vulnerabilities, which can enable conversations between organizations and their suppliers and, as mandated by contract, corrective actions.”
Belal said that strategies include segmenting OT/IT networks, leveraging real-time threat detection tools, and conducting supplier security audits. “Embedding cybersecurity into design processes, supported by AI-enabled monitoring tools, helps maintain efficiency while ensuring robust defenses. Collaborative efforts across the supply chain also enhance collective resilience.”
Leveraging industry standards, regulations for industrial supply chain protection
The executives examine how organizations can utilize industry standards and frameworks, such as NIST, ISO, or CMMC, to bolster supply chain security while preserving operational efficiency. They emphasize effective strategies that can harmonize compliance, risk mitigation, and supply chain performance.
“Standards like NIST, ISO, and CMMC provide a structured roadmap for identifying and mitigating risks in industrial environments,” Wyckhouse said. “Organizations that map their security programs to these frameworks can more easily demonstrate compliance, allocate resources effectively, and integrate security measures into daily operations.”
He added that key steps include aligning internal processes, like secure coding practices, vulnerability scanning, and incident response, to recognized frameworks; using tools that automatically track controls, generate SBOMs, and document adherence to requirements to reduce manual overhead and maintain continuous security; and performing regular risk assessments, focusing on high-impact improvements first.
Kolasky said that industry standards and frameworks provide the common language by which organizations can communicate with suppliers about security needs and practices.
“Organizations can utilize supply chain risk capabilities to assess risk factors with critical suppliers and ensure that their most critical vendors and others that present high- and medium-risk follow accepted industry standards,” he added. “This should not add additional compliance burden if the standards are already in place, which limits the need for new evaluations for every vendor and for vendors to do bespoke assessments for every new contract.”
Belal said that industry standards such as NIST CSF and ISO 27001 offer structured guidelines for risk management and incident response. “Organizations can ensure robust security while maintaining efficiency by integrating these standards into operational workflows and automating compliance processes. Periodic reviews and gap analysis help balance compliance with performance needs,” he concluded.
By: Anna Ribeiro, Industrialcyber / 05 May, 2025.
