Critical infrastructure operators have long invested heavily in OT cybersecurity through network segmentation, network access restrictions, and perimeter defenses. Yet despite these efforts, one critical vulnerability persists: the supply chain.
According to research by ENISA, attackers are increasingly targeting the OT supply chain – compromising software updates, embedded components, and third-party service channels to infiltrate systems through trusted pathways. These attacks often bypass traditional detection layers entirely, remaining invisible until the physical process is affected.
Supply chain attacks are not new. But since 2024, their frequency, complexity, and relevance to OT environments have escalated. Research from early 2025 shows that attackers are not only increasing activity, but deliberately exploiting the blind spots that supply chain integrations create.
1. Trusted components are being weaponized: According to research published in 2025, ransomware attacks in industrial sectors rose by 46% between Q4 2024 and Q1 2025, driven in part by compromised firmware, vendor software, and third-party tooling used in OT environments. These attacks often arrive via updates or integrations from suppliers that asset owners assume to be secure and legitimate.
2. The IT-to-OT pivot is accelerating: Threat intelligence sources report that monthly supply chain attacks rose from approximately 13 per month in mid-2024 to nearly 25 per month by May 2025. A majority of those incidents targeted IT or telecom providers – organizations that serve as indirect gateways into OT. Once compromised, these vendors give attackers a clear path to industrial environments where monitoring is limited and response times are slow.
3. Supply chain entry points remain poorly monitored in OT: While ransomware and logic manipulation attacks are rising across industrial sectors, the common thread in many recent incidents is the lack of visibility into supply chain-linked devices and services. Legacy control systems often operate without real-time logging or anomaly detection, making it easy for attackers to manipulate behavior once a trusted vendor connection is exploited. As a result, organizations may not detect malicious activity until physical processes are affected, which is long after the initial compromise.
Most OT security tools are designed to detect external threats: unauthorized access, suspicious traffic, or known malware signatures. But supply chain attacks don’t follow that pattern.
They enter through trusted channels (firmware updates, third-party tools, or vendor-supplied components) and operate with full privileges. Because they originate from sources the system is configured to trust, they raise no authentication errors or network anomalies.
Once inside, they can alter controller logic, manipulate sensor thresholds, or disable alarms: all without leaving a trace in logs or triggering alerts. Most OT devices, especially at Levels 0 and 1, lack the monitoring or logging capabilities needed to detect these changes.
The result is a visibility gap: defenders have no direct way to verify whether a PLC, sensor, or actuator is functioning as intended until the process itself is affected.
That’s where SIGA’s Level 0 monitoring stands apart. Instead of relying on software-based telemetry or control system logs, SIGA captures raw electrical signal data (such as voltage and current) directly from the unprogrammable layer of the physical process.
This out-of-band monitoring provides a view that’s independent of controllers, firmware, and software, and therefore immune to manipulation through traditional cyberattack methods like logic tampering or false data injection.
It’s not just a visibility layer—it’s a reality check. If logic is altered, or a device begins to behave abnormally due to compromised firmware or a malicious update, the process-level signal will reflect that change—even when the control system reports everything is normal.
By establishing this “second channel of truth” at the physical layer, SIGA enables early detection, faster containment, and better decision-making across all phases of incident response—from detection to forensics and recovery.
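To make the "second channel of truth" concrete, here is an added example (written for this article, not SIGA's product code) of the comparison such a monitor performs: an out-of-band 4-20 mA loop current is scaled into engineering units and checked against the value the controller reports for the same tag, flagging windows where the two diverge or where the reported value stays frozen while the physical signal keeps moving. The tank-level telemetry, the 0-100 % tag scaling, and the thresholds are constructed for the example.

```python
"""Level 0 cross-check: physical loop signal vs. controller-reported value.

Added example, not SIGA's code. The tag, its scaling and the sample data
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    t: float            # timestamp in seconds
    current_ma: float   # loop current measured out-of-band at Level 0
    reported: float     # value the controller/HMI reports for the same tag


def ma_to_engineering(current_ma: float, lo: float, hi: float) -> float:
    """Scale a 4-20 mA loop current to engineering units (4 mA -> lo, 20 mA -> hi)."""
    return lo + (current_ma - 4.0) * (hi - lo) / 16.0


def loop_integrity_faults(samples: List[Sample], lo_ma: float = 3.8,
                          hi_ma: float = 20.5) -> List[float]:
    """Timestamps where the raw current leaves the valid loop band
    (wire break, short, or a signal that no real transmitter would produce)."""
    return [s.t for s in samples if not (lo_ma <= s.current_ma <= hi_ma)]


def detect_divergence(samples: List[Sample], lo: float, hi: float,
                      tol: float, min_run: int) -> List[Tuple[float, float]]:
    """Windows (start_t, end_t) where |measured - reported| > tol for at
    least min_run consecutive samples. min_run suppresses single-sample noise."""
    windows, run = [], []
    for s in samples:
        measured = ma_to_engineering(s.current_ma, lo, hi)
        if abs(measured - s.reported) > tol:
            run.append(s)
            continue
        if len(run) >= min_run:
            windows.append((run[0].t, run[-1].t))
        run = []
    if len(run) >= min_run:
        windows.append((run[0].t, run[-1].t))
    return windows


def detect_frozen_report(samples: List[Sample], lo: float, hi: float,
                         min_span: float, min_run: int) -> List[Tuple[float, float]]:
    """Windows where the reported value is constant for >= min_run samples
    while the physical signal moves by more than min_span engineering units.
    A stuck or replayed value is what a suppressed alarm looks like from the HMI."""
    windows, run = [], []
    seq: List[Optional[Sample]] = list(samples) + [None]   # sentinel closes the last run
    for s in seq:
        if s is not None and (not run or s.reported == run[-1].reported):
            run.append(s)
            continue
        if len(run) >= min_run:
            vals = [ma_to_engineering(r.current_ma, lo, hi) for r in run]
            if max(vals) - min(vals) > min_span:
                windows.append((run[0].t, run[-1].t))
        run = [s] if s is not None else []
    return windows


def constructed_samples() -> List[Sample]:
    """Constructed tank-level telemetry (0-100 %), one sample per second.
    For t < 10 the controller reports the true level; from t = 10 on it keeps
    reporting 59 % while the loop current shows the level climbing to 100 %."""
    samples = []
    for t in range(20):
        level = 50.0 + t if t < 10 else 60.0 + 4.0 * (t - 9)
        current = 4.0 + level * 0.16          # transmitter output for that level
        reported = level if t < 10 else 59.0  # what the (compromised) controller says
        samples.append(Sample(float(t), current, reported))
    return samples


if __name__ == "__main__":
    data = constructed_samples()
    print("loop faults:", loop_integrity_faults(data))
    print("divergence :", detect_divergence(data, 0.0, 100.0, tol=2.0, min_run=3))
    print("frozen     :", detect_frozen_report(data, 0.0, 100.0, min_span=5.0, min_run=3))
```

The divergence check catches false data injection; the frozen-value check catches the quieter case where the HMI simply stops updating while the process runs away. Both rely only on the electrical signal and the reported value, so a controller that has been reprogrammed has no way to make them agree.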
Supply chain attacks in OT aren’t new. But they’ve become more frequent, more deliberate, and harder to detect – often entering through trusted firmware, vendor tools, and third-party integrations.
These threats don’t behave like conventional breaches. They don’t rely on brute force or obvious malware. They’re embedded in systems that operators trust – executing changes to logic, suppressing alarms, or influencing behavior without triggering any alerts.
Most detection tools can’t see this. They depend on logs, traffic patterns, and the assumption that if the system is quiet, everything is fine.
Level 0 monitoring challenges that assumption.
By capturing raw electrical signals at the process layer (independent of control logic or firmware) SIGA provides a direct view into how the system is actually behaving. If a controller has been compromised, the signal will show it.
Because in OT environments, it’s not what the system says: it’s what the process does.