Threat Intelligence

Supply-Chain and Firmware Attacks on RTUs, PLCs and ICS

The 2020 SolarWinds compromise showed the world how a single trusted software update could quietly seed backdoors into thousands of organisations, including critical infrastructure operators. For energy, the equivalent nightmare reaches deeper still: into the firmware of the remote terminal units, programmable logic controllers and protection relays that physically operate the grid. A compromised component or a malicious update to these devices can hand an attacker control of the field equipment itself, beneath the level most monitoring ever sees.

The 2020 SolarWinds update compromise reached thousands of organisations, including critical infrastructure

The hardware that runs the grid is a supply-chain target

RTUs, PLCs and intelligent electronic devices are the workhorses of energy operations, opening breakers, regulating flows and reporting field data. They are sourced from a global web of manufacturers, integrators and distributors, often with long service lives and infrequent firmware updates. Every link in that chain, from chip fabrication to the engineer who flashes an update on site, is a point where malicious code or a counterfeit part could be introduced.

  • Remote terminal units (RTUs) relaying field data and commands
  • Programmable logic controllers (PLCs) automating processes and protection
  • Intelligent electronic devices and protection relays in substations
  • The integrators, distributors and maintenance vendors who supply and service them

Firmware: the layer below the radar

Firmware sits beneath the operating system and applications that most security tools monitor. A backdoor planted in device firmware can survive reboots, evade endpoint protection entirely, and grant persistent low-level control. Because energy operators rarely have the means to verify firmware integrity independently, they typically trust whatever the vendor ships, which makes a compromised vendor or tampered update an exceptionally powerful attack route.

Counterfeit and compromised hardware

Beyond firmware, counterfeit ICS components are a recognised problem in long, opaque supply chains. A counterfeit relay or controller may be unreliable, may contain unvetted code, or may have been deliberately altered to enable later access. Even legitimate parts can be intercepted and tampered with in transit. For high-value, long-life grid assets, the provenance of every critical component genuinely matters.

Managing ICS supply-chain risk

You cannot inspect every chip, but you can build assurance into how you select, verify and monitor suppliers and the components they provide. The priorities are knowing who is in your supply chain, holding them to security standards, and verifying integrity wherever you can.

  • Assess and continuously monitor the security posture of hardware and firmware suppliers
  • Require security commitments, vulnerability disclosure and update integrity in contracts
  • Verify firmware integrity and source updates only through authenticated channels
  • Maintain an accurate inventory and provenance record for critical ICS components
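The list above boils down to a small set of checks an operator can actually automate: only accept firmware whose release manifest is signed by a key pinned out of band from the vendor, confirm the image hashes to what that signed manifest says, and cross-check the manifest against the device's own inventory record before anything is flashed. The Go program below is an added illustration written for this page, not code from Kyanite Blue, Panorays or any device vendor; the manifest format, the Ed25519 signing scheme, the device model "RTU-4000", the asset identifier and the firmware bytes are all constructed assumptions, since real vendors publish their own signing formats. It goes one step beyond the bullets by also refusing a downgrade to an older version, which is a common way a known-vulnerable image gets reintroduced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the vendor-published description of one firmware release.
// Assumed format for this example; real vendors define their own.
type Manifest struct {
	Model   string `json:"model"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the image file
}

// InventoryEntry is the operator's provenance record for one field device.
type InventoryEntry struct {
	AssetID         string
	Model           string
	FirmwareVersion int
}

// SignRelease is the vendor side: hash the image, build the manifest, sign it.
// Shown only so the example runs offline; operators never hold the vendor key.
func SignRelease(priv ed25519.PrivateKey, model string, version int, image []byte) (manifestJSON, sig []byte, err error) {
	sum := sha256.Sum256(image)
	manifestJSON, err = json.Marshal(Manifest{Model: model, Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate is the operator side. It enforces, in order:
//  1. the manifest carries a valid signature from the pinned vendor key
//     (the "authenticated channel" requirement),
//  2. the image hashes to the digest in that signed manifest (integrity),
//  3. the manifest is for this device's model and is newer than what the
//     inventory says is installed (provenance record, no rollback).
func VerifyUpdate(vendorPub ed25519.PublicKey, manifestJSON, sig, image []byte, dev InventoryEntry) error {
	if !ed25519.Verify(vendorPub, manifestJSON, sig) {
		return errors.New("manifest signature invalid: reject update")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return fmt.Errorf("manifest unparsable: %w", err)
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("image hash does not match signed manifest: reject update")
	}
	if m.Model != dev.Model {
		return fmt.Errorf("manifest is for %s but asset %s is a %s", m.Model, dev.AssetID, dev.Model)
	}
	if m.Version <= dev.FirmwareVersion {
		return fmt.Errorf("version %d is not newer than installed %d: possible rollback", m.Version, dev.FirmwareVersion)
	}
	return nil
}

func main() {
	// Constructed sample data: vendor key pair (public half is what the operator pins).
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("RTU-4000 firmware image v12 (constructed placeholder bytes)")
	manifest, sig, _ := SignRelease(priv, "RTU-4000", 12, image)

	// Constructed inventory record for one substation RTU currently on v11.
	dev := InventoryEntry{AssetID: "SUB-01-RTU-03", Model: "RTU-4000", FirmwareVersion: 11}
	fmt.Println("genuine image:      ", VerifyUpdate(pub, manifest, sig, image, dev))

	// One flipped bit in transit: hash check fails even though the manifest is authentic.
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01
	fmt.Println("tampered image:     ", VerifyUpdate(pub, manifest, sig, tampered, dev))

	// A manifest signed with some other key is rejected by the pinned vendor key.
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader)
	m2, s2, _ := SignRelease(otherKey, "RTU-4000", 13, tampered)
	fmt.Println("foreign-signed image:", VerifyUpdate(pub, m2, s2, tampered, dev))
}
```

The order of the checks matters: the signature is verified before the manifest is parsed, so nothing unsigned ever influences the decision, and the hash is compared against the signed digest rather than a value fetched separately. The pinned public key is the one piece of data that has to arrive through a channel independent of the update itself, which is exactly the contractual obligation the second bullet above is asking vendors to support.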

How Kyanite Blue and Panorays defend against supply-chain risk

Firmware and hardware risk almost always enters through a third party, so the most leverage comes from understanding and governing those relationships. Kyanite Blue deploys Panorays third-party risk management to continuously assess the security posture of the vendors, integrators and manufacturers in your ICS supply chain. Panorays evaluates each supplier's external security, maps your exposure to them, and tracks changes over time, so a weakening supplier or an emerging issue is flagged before it becomes your incident. We use this to prioritise the suppliers that touch your most critical field equipment, and to build security obligations into how you select and renew them, turning an opaque supply chain into one you can actually manage.

Frequently Asked Questions

Why is firmware such a dangerous place for an attacker to hide?

Firmware runs below the operating system and the applications that most security tools watch, so a backdoor planted there can persist through reboots and reinstalls and remain invisible to endpoint protection. In ICS devices like RTUs and PLCs, compromised firmware can grant low-level control of physical equipment, making it one of the most powerful and stealthy footholds an attacker can establish.

What did SolarWinds teach energy operators about supply chains?

The 2020 SolarWinds compromise showed that a trusted software update from a reputable vendor can be weaponised to deliver backdoors into thousands of customers at once, including critical infrastructure. For energy operators it underlined that trust in a supplier is itself an attack surface, and that the security posture of vendors and the integrity of their updates must be actively assessed rather than assumed.

How can a small energy operator manage ICS supply-chain risk realistically?

No operator can audit every chip, so the practical approach is to focus on the suppliers that touch your most critical equipment, assess their security posture continuously, build security and update-integrity requirements into contracts, and maintain an accurate inventory of critical components. Third-party risk management tooling makes this manageable by automating supplier assessment and flagging changes over time.

Bring your ICS supply chain under control with Kyanite Blue

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
