Cyb3r Operations

Supply chain evidence for the operators the country depends on.

Cyb3r Operations gives CNI operators continuous, sector-aware third-party visibility across IT, OT, and contractor supply chains. Built for the regulator dialogue, the resilience review, and the next state-sponsored campaign.

From the field

Our sector regulator wanted nth-tier visibility across our OT vendors. Without an outside-in operating model, we could not have answered. Now the picture is current to the business day.

Chief Information Security Officer · UK Critical National Infrastructure

What the critical national infrastructure supplier estate looks like

  • 50 to 200 critical OT/ICS suppliers at a typical CNI operator
  • 30 to 60% of contractor workforces are missing from the procurement spreadsheet
  • 2 to 3 tiers of state-sponsored adversary positioning inside supply chains

The problem

The supply chain that runs the country is opaque past tier-1.

CNI operators carry a supplier estate that mixes IT, OT, ICS, contractor workforces, and the sector regulator's increasing expectation of nth-tier visibility. Most TPRM operating models were built for office IT; few survive a regulator question about a specific OT vendor's subprocessor.

When a state-sponsored campaign or a named OT-targeting attack happens, the operator's first job is to show the regulator that exposure is understood and contained. That answer cannot start at zero.

Today's reality

  • OT and contractor supply chains rarely catalogued in the GRC platform
  • NIS2 + NCSC CAF + sector regulators converging on nth-tier evidence
  • State-sponsored threats now routine across CNI sectors
  • Sector regulator asks the question the same day a public incident happens

Supply chain shape

What a CNI operator's third-party graph actually looks like.

OT and IT mix, with contractor and tier-2 visibility usually the weakest link.

ICS / OT vendors

Industrial control system suppliers; ingress through them is a recurring attack pattern. Often overlooked in IT-focused TPRM.

  • Siemens
  • Schneider Electric
  • ABB
  • Honeywell

SCADA & operations platforms

The platforms running real-time operations. Downtime is sector-critical, sometimes life-critical.

  • GE Vernova
  • AVEVA
  • Emerson

Contractor workforces

Field engineering and maintenance contractors with operational access. Frequently not in the GRC platform.

  • Major SIs
  • Field service contractors
  • Engineering consultancies

Telecoms & connectivity

Connectivity for operational and corporate networks. Concentration with one or two providers is common.

  • BT
  • Vodafone
  • Verizon
  • Sector telco

Cloud & IT infrastructure

Corporate IT cloud and infrastructure providers, increasingly overlapping with OT support.

  • AWS
  • Microsoft Azure
  • Google Cloud

Specialist sector providers

Sector-specific platforms (energy trading, grid management, water treatment control, aviation operations).

  • Sector-specific (e.g. ETRM, grid mgmt)

Threat landscape

Who is targeting CNI right now.

State-sponsored, targeted ransomware, and ICS/OT-specific patterns dominate.

APT28 (GRU), APT29 (SVR)

Russian state-sponsored

Sustained targeting of energy, water, transportation, and government supply chains.

Volt Typhoon

Chinese state-sponsored

Long-term positioning inside CNI providers for potential disruptive action; supply chain ingress is the primary vector.

Sandworm

Russian state-sponsored

Responsible for major OT-targeting attacks including CRASHOVERRIDE and INDUSTROYER variants.

INDUSTROYER, CRASHOVERRIDE, FrostyGoop

OT-specific malware families

Specifically designed to disrupt industrial control systems, deployed through compromised supply chains.

LockBit, Black Basta (CNI campaigns)

Targeted ransomware

Increasing willingness to target CNI operators when financial gain aligns with state-sponsored interest.

Insider and contractor threats

Recurring pattern

Field-engineering contractor access misused or compromised; often invisible to office-IT-focused TPRM.

What changes

What CNI operators get from Cyb3r Operations.

IT and OT supplier visibility in one view.

Map office IT, ICS/OT vendors, contractor workforces, and tier-2 dependencies in a single graph.

Sector regulator dialogue evidence.

Tailored evidence packs for Ofgem, Ofcom, Ofwat, CAA, and NCSC CAF assessments.

State-sponsored threat exposure mapping.

Named threat-actor monitoring overlaid against supplier graphs to flag targeted exposure early.

Geographic and grid concentration.

Identify single-region, single-grid, and single-substation dependencies before an event surfaces them.

Contractor and workforce visibility.

Surface the contractor workforces and service providers that often sit outside the procurement spreadsheet.

Continuous resilience evidence.

Operational resilience requirements evidenced against suppliers, refreshed continuously.

Regulatory map

Rules of the road for CNI operators.

Sector regulator + horizontal cyber regulator + supply-chain-specific expectations.

| Regulator | Jurisdiction | Obligation | What we evidence |
| --- | --- | --- | --- |
| NIS2 | EU | Supply chain security obligations for essential and important entities; incident reporting clocks. | Continuous third-party evidence aligned to Article 21 controls. |
| NCSC CAF + GovAssure | UK | Cyber Assessment Framework expectations across CNI operators. | Continuous evidence aligned to CAF objectives A.4 (Supply Chain) and B.4 (System Security). |
| Network and Information Systems Regulations | UK | UK transposition of NIS, oversight by sector competent authorities. | Supplier risk evidence aligned to designated competent authority expectations. |
| Ofgem, Ofcom, Ofwat, CAA | UK sector | Sector-specific supply chain and resilience expectations. | Sector-tailored evidence packs and operational resilience supplier mapping. |
| TSA Security Directives (US) | US | Pipeline, rail, and aviation cyber requirements including third-party expectations. | Supplier evidence aligned to TSA-mandated cyber controls. |
| NERC CIP | US (electricity) | Critical Infrastructure Protection standards including supply chain risk management (CIP-013). | CIP-013 supplier evidence with continuous monitoring trace. |

Sector scenarios

What this looks like in practice for a CNI operator.

Three short stories from the field, each anchored to a platform capability.

Scenario 01

State-sponsored exposure mapping

A UK energy operator was named in a Volt Typhoon threat advisory. Cyb3r Operations had already mapped the relevant supplier graph and surfaced four contractor accounts and two ICS-vendor connections with elevated exposure.

Scenario 02

Geographic concentration for the regulator

A water operator's regulator asked about flood and grid exposure across the supplier base. The geospatial map was on screen the same afternoon with two critical contractor locations flagged inside an active flood-warning zone.

Scenario 03

NCSC CAF supply-chain evidence

A transport operator's GovAssure review needed CAF A.4 (Supply Chain) evidence in two weeks. The team pulled a per-supplier evidence pack mapped to CAF objectives in one afternoon.

Sector questions

Questions CNI operators ask in the first conversation.

Yes. OT vendor visibility, ICS vendor risk signals, and the contractor workforces that sit alongside them are first-class. The platform was built for the IT plus OT plus contractor reality, not just office IT.

CAF objectives A.4 (Supply Chain) and B.4 (System Security) have built-in mappings. Outside-in evidence satisfies the supply-chain monitoring expectations without supplier engagement.

Yes. Evidence packs can be filtered for Ofgem, Ofcom, Ofwat, CAA, or any other competent authority expectations, generated on demand.

Named threat actor monitoring overlays the supplier graph and surfaces elevated exposure as advisories emerge or as observable signals shift.

Contractor and field-engineering workforces are first-class in the discovery and monitoring picture. They typically represent the largest gap in CNI TPRM today.

Yes. Cyb3r Operations is built to UK central government cyber standards and aligns to NCSC CAF assessment expectations.