In December 2020, the world discovered one of the most sophisticated cyberattacks in history: SolarWinds. Russian hackers from the APT29 group had infiltrated the servers of this Texas-based IT monitoring company, injecting malicious code into a routine software update. The result: 18,000 client organisations, including the Pentagon, the US Treasury Department, and Microsoft, were compromised. A single company, representing a tiny fraction of the global technology ecosystem, became the entry point to the world's most sensitive systems.
Five years later, the SolarWinds incident has become the symbol of a new reality: cybercriminals have understood that directly attacking digital fortresses is less effective than targeting their suppliers. With damage projections reaching 150 billion dollars by 2030, supply chain attacks now represent one of the most critical threats to the global economy.
Waking up to reality
"For an industrial company operating in a strategic sector, the most important threat remains failing to produce what it must deliver to its clients," states Philippe Armandon, Partner and Head of Supply Chain Management Operations at Sopra Steria Next. "However, there's a growing awareness of our cyber dependencies. Thanks to ANSSI and major industrial companies imposing tests on their supply chains and adopting better monitoring practices, the situation has been improving over recent years."
This risk prioritisation varies considerably across sectors. While civilian industry still places cyber behind production and financing issues, other domains are seeing their priorities shift. "The defence industry is different," notes the expert. "Among defence contractors, particularly around nuclear, all supply chain contributors are extremely closely monitored in terms of security. Given current Russian aggression, cyber is probably becoming the number one risk in this sector."
Finding needles in haystacks: the challenge of massive supplier networks
How can cyber risk be assessed across an ecosystem that may include thousands of suppliers? "The difficulty lies in measuring at this scale, through three-level assessments: good, medium, poor. But being well-ranked isn't sufficient to resist the next attack," explains Loïc Bournon, former Group IT Director at Safran.
The approach must be pragmatic, especially for the most vulnerable: "With a few questions, you can determine if a company is on the right track to resist and be resilient," details the expert, now Senior Advisor at Sopra Steria. "If the contact person combines several IT production responsibilities, cyber functions, and even business and management support, that's an immediate red flag." The challenge is particularly acute in aerospace and defence, where you often find "SMEs with limited resources and staff, who outsource their cyber to local players who may not have the critical mass to manage a crisis."
The human element further complicates the equation. "We often think of malicious attacks via information systems, but there's also the human factor," emphasises Philippe Armandon. "Attackers target vulnerable individuals who have grievances against their employer or financial problems. They identify these behaviours on social media and don't hesitate to approach targeted individuals," specifies the Head of Supply Chain Management Operations.
Why governance must lead the charge
Effective supply chain cybersecurity therefore requires much more than technological fixes: it demands comprehensive governance that breaks down team silos. "You need cross-functional governance involving IT, procurement, risk management, security, and legal. Everyone must speak the same language to reach agreement," affirms Emeline Segarra-Chabot, Product Manager for Governance & Crisis Management at Sopra Steria.
"Suppliers must be classified according to their criticality: do they have interconnections? Do they handle sensitive data? What's the production impact if they're compromised and malfunction?" This approach allows, according to the expert, proportionate security requirements to be applied: "Specific clauses, regular audits, penetration testing, integrated continuity plans, security and quality assurance plans..."
Under fire: when crisis management separates winners from losers
The cybersecurity adage is clear: it's not "if" but "when" an attack will occur. And when it happens, experience has shown the crucial importance of preparation. "Anyone who hasn't prepared their crisis management will inevitably fail. Those who haven't conducted exercises and refined their processes will struggle enormously to restore an acceptable situation for business operations," observes Loïc Bournon.
The priorities to implement? Rapid incident qualification, impact assessment, and technical response decisions. Communication, often the neglected aspect, must not be overlooked: "Communication strategy is extremely important and must be anticipated according to major risk scenarios. This is often an unanticipated aspect deemed non-priority due to time constraints, whereas a consolidated and prepared strategy can make a huge difference in perception, both internally and externally," notes Emeline Segarra-Chabot.
People first
So where should a company serving a sensitive player begin? "I'd start with people—that's the link that needs to be sensitised," recommends Philippe Armandon. "From the onboarding of a new employee, these subjects must be addressed quickly: best practice behaviours, badges, PC security, social media, people's ability to detect situations for themselves and/or others, and capacity to respond or alert the appropriate authorities."
Sector players must also comply with a regulatory framework attempting to keep pace with ongoing technological developments. "The NIS 2 directive contains supply chain requirements: control the supply chain or face significant financial sanctions," explains Emeline Segarra-Chabot. The penalties for non-compliance are indeed deterrent: up to 10 million euros in fines or 2% of global annual turnover for essential entities.
Five years after SolarWinds, lessons have been learned: organisations that treat cybersecurity as an integral part of their supply chain strategy don't just protect themselves from attacks—they gain competitive advantage. In a world where every supplier can become an entry point, resilience is no longer an option but a strategic and regulatory necessity.