Cyb3r Operations
Industry · Manufacturing & energy

Supplier evidence across the plant, the grid, and the supply chain that runs them.

Cyb3r Operations gives manufacturers and energy operators continuous third-party visibility across OT/ICS vendors, contractor workforces, logistics partners, and the IT estate behind production. Built for plant downtime risk, geographic concentration, and the regulatory floor.

From the field

Our plant downtime risk is concentrated in five OT vendors and eleven contractor firms. Until we mapped it, we were treating IT and OT as two separate problems. Now we manage one supply chain.

Chief Information Security Officer · Global Manufacturing Group

What the manufacturing & energy supplier estate looks like

50 to 200

critical OT/ICS suppliers at a typical large manufacturer

500 to 2,000

total suppliers at a typical large manufacturer or energy operator

30 to 60%

of contractor workforces missing from the procurement spreadsheet

The problem

OT and IT are one supply chain. They were managed as two for a decade.

Manufacturers and energy operators carry two intertwined supply chains: the IT estate behind corporate operations and the OT estate behind plants, grids, and production lines. Most TPRM operating models address only the first. The OT vendors, contractor workforces, and tier-2 supplier dependencies that drive plant-downtime risk usually sit outside the GRC platform.

Ransomware groups, state-sponsored campaigns, and named OT-targeting malware (CRASHOVERRIDE, INDUSTROYER, FrostyGoop) have all targeted the OT side of the supply chain. NIS2 has brought regulatory expectations alongside these threats.

Today's reality

  • OT vendors and contractor workforces rarely catalogued in the GRC platform
  • Ransomware groups now routinely targeting manufacturing and energy
  • NIS2 + sector regulators (Ofgem, NERC CIP) raising the floor
  • Geographic and grid concentration usually invisible until an event

Supply chain shape

What a manufacturer or energy operator's supplier graph actually looks like.

OT, IT, contractor, and logistics mix. Plant-downtime risk lives in surprising places.

OT / ICS vendors

Industrial control system suppliers. Often the deepest supplier exposure for plant downtime.

  • Siemens
  • Schneider Electric
  • Rockwell
  • Honeywell

SCADA + operations platforms

The platforms running real-time plant and grid operations.

  • GE Vernova
  • AVEVA
  • Emerson
  • Yokogawa

Contractor workforces

Field engineering, maintenance, and turnaround contractors with operational access.

  • Major SIs
  • Specialist contractors
  • Maintenance partners

Logistics and supply

Logistics partners, raw material suppliers, and tier-2 manufacturers whose disruption stops production.

  • Major logistics
  • Raw-material suppliers
  • Tier-2 contract manufacturers

Cloud and IT infrastructure

Corporate IT cloud, ERP, and the IT systems increasingly bridging into OT.

  • AWS
  • Azure
  • SAP
  • Oracle

Energy-specific trading and grid

For energy: trading platforms, grid management, dispatch systems, and balancing services.

  • Sector-specific (ETRM, grid mgmt)

Threat landscape

Who is targeting manufacturing and energy right now.

State-sponsored, OT-specific malware, and targeted ransomware.

Volt Typhoon

Chinese state-sponsored

Long-term positioning across CNI including manufacturing and energy via supply-chain ingress.

Sandworm

Russian state-sponsored

Responsible for INDUSTROYER and CRASHOVERRIDE variants. Energy sector primary target.

INDUSTROYER, FrostyGoop, CRASHOVERRIDE

OT-specific malware

Designed to disrupt industrial control systems, deployed through compromised supply chains.

LockBit, Black Basta, Akira (manufacturing campaigns)

Targeted ransomware

Manufacturing now consistently in the top sector targets for ransomware.

APT41

Chinese state-sponsored

Manufacturing IP and OT-targeting activity, including supply-chain pivots.

Contractor and insider threats

Recurring pattern

Field-engineering contractor access misused or compromised; often invisible to enterprise TPRM.

What changes

What manufacturers and energy operators get from Cyb3r Operations.

OT vendor and contractor visibility.

First-class coverage of OT/ICS vendors, field-engineering contractors, and the tier-2 dependencies behind production.

Plant-downtime risk mapping.

Translate supplier risk into plant-downtime impact, the language the COO and plant manager speak.

Geographic and grid concentration.

Surface single-region, single-grid, single-substation dependencies before an event.

OT ransomware early warning.

Susceptibility scoring weighted for the OT-targeting threat landscape.

NIS2 and sector regulator evidence.

Evidence packs aligned to NIS2 Article 21 and sector-specific (NERC CIP, Ofgem) expectations.

One supply chain, not two.

Bring OT and IT supplier risk into a single operating model instead of two parallel programmes.

Regulatory map

Rules of the road for manufacturing and energy.

Sector regulator plus horizontal cyber regulator plus supply-chain-specific expectations.

Regulator: NIS2

  • Jurisdiction: EU
  • Obligation: Essential and important entities in manufacturing and energy; supply chain security obligations.
  • What we evidence: Article 21-aligned continuous third-party evidence.

Regulator: NERC CIP

  • Jurisdiction: US (electricity)
  • Obligation: CIP-013 supply chain risk management for bulk electric system operators.
  • What we evidence: CIP-013 supplier evidence with continuous monitoring trace.

Regulator: Ofgem

  • Jurisdiction: UK energy
  • Obligation: Energy-sector supplier and resilience expectations.
  • What we evidence: Energy-sector tailored evidence packs.

Regulator: TSA Pipeline Security Directives

  • Jurisdiction: US (pipelines)
  • Obligation: Cyber requirements including third-party expectations for pipeline operators.
  • What we evidence: Supplier evidence aligned to TSA security directive expectations.

Regulator: IEC 62443

  • Jurisdiction: Global (OT)
  • Obligation: Industrial automation and control systems security standard including supplier expectations.
  • What we evidence: OT vendor evidence aligned to IEC 62443 clauses.

Regulator: Cyber Resilience Act (EU)

  • Jurisdiction: EU
  • Obligation: Product cybersecurity expectations applying to manufactured products including supplier components.
  • What we evidence: Component-supplier evidence aligned to CRA expectations.

Sector scenarios

What this looks like in practice for manufacturing and energy.

Three short stories from the field, each anchored to a platform capability.

Scenario 01

Plant-downtime risk mapping

A global manufacturer's CISO needed to translate supplier risk into plant-downtime exposure for the COO. Cyb3r Operations mapped OT vendors, contractor workforces, and tier-2 dependencies to specific plant lines. Five OT vendors and eleven contractor firms drove the bulk of exposure.

See the Nth-Tier Dependencies use case

Scenario 02

Geographic concentration before a weather event

An energy operator's CRO needed to understand supply-chain exposure to a forecast severe-weather event. The geospatial overlay surfaced two critical contractor depots and one tier-2 logistics partner inside the projected path.

See the Geospatial Supplier Risk use case

Scenario 03

Ransomware susceptibility across the OT vendor base

A manufacturer's GRC team monitored ransomware susceptibility across the OT vendor base. Three vendors moved into elevated susceptibility ahead of named attacks against the sector; the team pre-positioned a contingency vendor for each.

See the Ransomware Early Warning use case

The manufacturing & energy buying centre

The roles that lead this in the sector.

Each persona reads the third-party picture slightly differently. Click through to the role-specific page for the full operating-model framing.

Sector questions

Questions manufacturing and energy teams ask in the first conversation.

Yes. OT vendor visibility, ICS vendor risk signals, and the contractor workforces alongside them are first-class. The platform was built for the OT plus IT plus contractor reality.

NIS2 Article 21 and NERC CIP-013 have built-in mappings. Evidence is timestamped and ready for regulator review.

OT vendor evidence is mapped to IEC 62443 clauses for industrial automation and control systems security expectations.

Yes. The platform maps suppliers to specific plant lines, business services, and continuity tolerances, producing exposure framings the COO and plant manager recognise.

Field engineering, maintenance, and specialist contractor workforces are first-class. They typically represent the largest gap in manufacturing and energy TPRM today.

Yes. Native feeds into IT SIEM, ticketing, and IR routing, and read-only integration with OT monitoring tools where supported. The platform sits alongside these tools rather than replacing them.