Why the UK’s complex supply chains create cybersecurity headaches

https://www.newcivilengineer.com/opinion/why-the-uks-complex-supply-chains-create-cybersecurity-headaches-20-01-2026/

Publish Date: 2026-01-20 07:23:00

Source Domain: www.newcivilengineer.com


Cyberattacks in 2025 underscored the stark reality that the UK’s economy is a high-value target for cyber criminals. With incidents across sectors making headlines and costing the country up to £14.7bn annually, the urgency for cyber resilience is rising fast.
Paul Hingley is business manager for cyber security and safety services at Siemens UK & Ireland
At the heart of this challenge lies a uniquely British issue: the structure of our supply chains.
SMEs, which account for 99.9% of UK businesses, form the backbone of our economy, from precision manufacturers to infrastructure subcontractors. While this brings agility and innovation, it also creates a patchwork of varying cyber maturity – and that’s where vulnerabilities emerge.
The forthcoming Cyber Security and Resilience Bill has ambitions to close these gaps. For the first time, cybersecurity will become a compliance issue. And it will require critical service providers and their suppliers, including SMEs, to implement basic cyber hygiene, report breaches more frequently, and prove their resilience to regulators.
While the Bill’s intent is to raise standards, it could feel overwhelming for smaller firms with limited budgets, time or in-house expertise. SMEs that take action now will be better prepared for compliance, while also being more attractive to buyers looking for cyber-secure partners.
Know your bills and directives
To keep adversaries at bay, the Bill’s central message is clear: cybersecurity must be treated with the same seriousness as workplace safety – something that’s currently being tackled by similar EU legislation.
For SMEs within the industrial supply chain, this marks a major shift. From 2026, the Bill is expected to impose new duties across the industrial supply chain including: the proactive management of cyber risk; elevating cybersecurity to become a compliance issue; and securing connected assets across their lifecycle.
The final point is often a good starting point for SMEs shoring up their cyber security: map out all assets. Because you can’t secure what you don’t know you have.

The exact requirements of the UK’s Cyber Bill are yet to be seen, but they’re widely expected to align with EU legislation. We saw the EU CRA and NIS V2, EU directives and framework, come into law in October 2024, applying to critical infrastructure operators, manufacturers, machine builders and technology suppliers. They require organisations to implement comprehensive risk management measures, report incidents within tight timeframes, and secure supply chains with clear accountability at board level.
Setting the standard
Cyber regulation can be complex – but achieving compliance doesn’t have to be. The international standard IEC 62443 provides a clear, structured approach for industrial firms. Tailored to operational technology (OT) environments like factories, plants and utilities, it helps businesses secure systems, processes and products across the entire value chain.
Unlike generic IT standards, IEC 62443 accounts for legacy equipment, system integrators, component suppliers and end users. At Siemens, we adopt this standard, and we advise suppliers to do the same. It’s a globally recognised pathway to building resilience by design.
Maintaining these baselines is an important part of any cybersecurity plan. The number of manual processes this involves can make it time-consuming, but as agentic artificial intelligence (AI) continues to develop it will be well placed to take on many of these important yet mundane tasks.
So, as firms look for ways to ensure their operations are up to standard, powerful AI automation can play a key role in securing systems through continuous monitoring and the ability to automatically carry out vital updates.
Creating human firewalls
But it’s not just about physical systems – people are another asset that hackers will target.
Government data shows that 85% of those businesses that experienced a breach or attack in the year to June 2025 were victims of phishing attacks. The rise of AI and deepfake technologies is making these sorts of attacks increasingly sophisticated, meaning employee awareness has never been more important.
In a phishing attack, criminals impersonate a trustworthy body like a supplier or even a colleague. They do this to trick a business’s staff into sharing sensitive information or clicking a link that allows them to launch a Trojan attack on their IT systems.
Regular training and consistent messaging around security policies are therefore just as important as firewalls for firms looking to build up their cyber resilience, even if, for some SMEs, the time and resource for such training can be hard to come by.
Safeguarding our infrastructure
The coming regulations represent a real opportunity for firms across our infrastructure supply chains to shore up their defences.
There are a whole host of businesses involved in the day-to-day running of our infrastructure, from the small widget manufacturer to the major multinational company. It’s the smaller businesses that hackers will often seek to exploit, which is why cybersecurity standards need to be consistent to plug these vulnerability gaps.
The good news is that SMEs can put themselves on the right footing to achieve this and align with policy changes, helping them to overcome cybersecurity headaches, win trust, secure new contracts and limit the potential for widespread disruption.
