The Invisible Attack Surface
When Colonial Pipeline went dark in May 2021, the immediate narrative focused on ransomware and operational technology. What received far less attention was the structural vulnerability that made such an attack possible: a supply chain so complex and globally distributed that no single entity — not the operator, not the regulator, not the vendor — possessed complete visibility into its dependencies.
Five years later, the problem has intensified. The convergence of geopolitical fragmentation, accelerated digitalization of operational technology, and the consolidation of critical component manufacturing in a handful of jurisdictions has created what researchers at the Atlantic Council describe as systemic single points of failure embedded in the foundations of modern civilization.
This assessment is supported by multiple independent analyses from government and private-sector researchers. The challenge is no longer theoretical — it is operational.
Mapping the Dependency Graph
Consider a typical water treatment facility in a mid-sized European city. Its SCADA systems run on programmable logic controllers manufactured in one country, with firmware developed in another, using cryptographic libraries maintained by a distributed open-source community spanning a dozen jurisdictions. The network switches connecting these systems use chips fabricated in Taiwan, assembled in Malaysia, with management software developed in Shenzhen.
73%
Infrastructure operators
Rely on components from adversarial nations
14,000+
Installations at risk
From a single compromised firmware update
6
Average supply chain depth
Layers between operator and component origin
Research conducted by the European Union Agency for Cybersecurity (ENISA) in early 2026 mapped the dependency graphs of 340 critical infrastructure operators across 22 EU member states. The findings were stark: the average operator depended on software and hardware components passing through six distinct national jurisdictions before reaching their operational environment. In 23% of cases, at least one critical component originated from a jurisdiction designated as a systemic cyber threat source by the operator's own national security assessment.
