Taming Digital Supply Chain Threats: NYSE CISO’s Battle Plan for the AI Era

Author: Dianna O’Neil 

In Interos’s latest Voices of Innovation session, NightDragon Founder & CEO Dave DeWalt tackled today’s new breed of digital supply chain threats with Steve Pugh, Chief Information Security Officer (CISO) of Intercontinental Exchange, Inc. (ICE), the parent company of the New York Stock Exchange. As CISO, Pugh is responsible for securing critical economic infrastructure across multiple subsidiaries, geographies, and regulatory jurisdictions. 

Together, Pugh and DeWalt explored the fluid landscape of digital risk and the critical role of AI-driven supply chain risk intelligence in addressing escalating threats.  

Speed and Scale: The Core Challenges 

Pugh emphasized that the fundamental issues in digital supply chain risk management are the speed and scale of dispersed and sophisticated threats originating from bad actors, cyber criminals, adversarial nations, and other dynamic and fast-moving entities all over the world. “The key for a lot of my peers and colleagues is how do we keep up and innovate at that same speed [as bad actors], and then match the scale?” In his view, the staggering complexity of today’s attacks underscores the need for rapid adaptation and scalable solutions in the face of evolving risks. 

Building on this, DeWalt described the current global threat environment as “the perfect supply chain risk storm,” highlighting four flashpoints with implications for digital supply chain stability:  

  • Heightened geopolitical tensions 
  • Regional conflicts 
  • Shifting dependencies on nations 
  • Increased cyberattacks targeting supply chains and third-party providers 

Unmasking “Unknown Unknowns”

Against this backdrop, Pugh noted the need to communicate supply chain risk effectively to high-level stakeholders, including corporate boards, in order to align on critical threats and move from insight to action, aided by emerging technologies that allow enterprises to take a proactive security posture. 

Pugh emphasized two domains: visibility and control. “At the board level, we talk about it in two domains. The first is visibility, and then the second is control. And you really can’t talk about control unless you have the right level of visibility in your supply chain.” He stressed that comprehensive supply chain visibility, built on AI-driven risk mapping and monitoring, is a prerequisite for effective risk management. 

Pugh elaborated by referencing Donald Rumsfeld’s “known knowns, known unknowns, and unknown unknowns” matrix. He stated, “There’s a lot of unknown unknowns… that’s where the complexity really gets tough.” To illustrate this complexity, he shared an example from the experience of a colleague at an external engineering firm: that person experienced a catastrophic incident caused by “one bolt from a supplier somewhere in the world” failing, not due to malice but simply due to negligence or defect. He drew a parallel with third-party software and technology providers, noting how a vulnerable third-party software component from an obscure tier of the supply chain can have significant consequences across interconnected digital supply chains. 

AI to the Rescue

Both DeWalt and Pugh expressed optimism about the role of AI and advanced risk intelligence in addressing supply chain challenges, particularly the ability of AI to deliver enhanced visibility and risk analysis at speed and scale. 

AI enables the ingestion and analysis of vast amounts of data from various sources, providing insights into complex supply chain relationships in real time. Pugh explained, “AI can come alongside us and almost be a companion, to scale up and do so at speed and reason over all of these different data points.” Given the hundreds of millions of businesses globally, with billions of sub-tier supply chain interdependencies, this capability is crucial for managing multi-tier risks effectively. 

Pugh detailed three primary ways AI is enhancing software development and security: 

  • Reasoning over code to find and fix defects quickly 
  • Generating cleaner, more secure code 
  • Enabling co-development with AI for native integration 

“We end up in this place where… you end up with some really good code that has fewer defects,” Pugh noted. He elaborated on how AI can create a “virtuous software development cycle” that significantly reduces potential vulnerabilities over time. 

Converging Physical and Cyber

Pugh’s role at NYSE encompasses both physical and cybersecurity—a trend that DeWalt sees increasing across industries. This convergence allows for a more comprehensive approach to risk management since physical threats can impact digital assets, unleashing a ripple effect with devastating financial consequences. 

Amid these changing dynamics, Pugh sees the CISO role evolving into that of a “risk business partner” to company leadership. “I think the role of the CISO is evolving to become more of a risk business partner,” he explained. This broader perspective allows for a more holistic approach to security and risk management across an organization. 

Channeling Optimism

As digital supply chain risks continue to evolve and expand, integrating AI technologies and continuous supply chain lifecycle risk intelligence alongside converging physical and cybersecurity offers promising solutions. Pugh’s final thoughts reflected a promising outlook: “I am optimistic on AI… I think it’s something that will certainly help us.” By embracing these generational innovations while maintaining a real-time view of risk, organizations can better navigate the complex and fraught landscape of global supply chains in the digital age. 

Technology such as Interos Watchtower™ utilizes AI to continuously map and monitor relationships across the risk lifecycle to help enterprises mitigate physical and digital threats before they escalate to crisis. 

To learn more about how Interos can fortify your supply chain, contact us 


What Satellites Reveal About Concentration Risk in Multi-Tier Supply Chains

The Space Development Agency (SDA), a U.S. Space Force agency, is sounding the alarm on concentration risk in the satellite supply chain.

The SDA has ambitious plans to deploy hundreds of small satellites in low-Earth orbit, but risks have emerged with contractors relying on single sources for critical subsystems, threatening to delay the project. Col. Alexander Rasmussen, chief of SDA’s Tracking Layer program, emphasized the need for government contractors to diversify the supplier base for mission-critical components and to get supply chains “energized” early.

Concentration risk is endemic across multiple public and private sector organizations, fueled by interdependent supply chains with tens of thousands of potential failure points.

A single incident can trigger catastrophic ripple effects, paralyzing operations and inflicting severe financial damage. Interos data shows that large enterprises lose $34 million annually due to disruptions triggered by concentration risks.

Examples of at-risk goods and services include:

Semiconductors

Much of the world’s advanced semiconductor manufacturing is concentrated in Taiwan, specifically at the Taiwan Semiconductor Manufacturing Company (TSMC) and United Microelectronics Corp (UMC). Any disruption to their operations, whether due to earthquakes and other natural disasters, geopolitical tensions, or other factors, could have severe ripple effects across global supply chains for electronics, automobiles, and other vital industries reliant on semiconductors.

Rare Earth Metals

China dominates the global supply of rare earth metals, which are critical components in many high-tech products, including smartphones, electric vehicles, and military equipment. Any disruption to China’s rare earth production or export policies could significantly impact global manufacturing and technology industries.

Global Shipping Chokepoints

A significant portion of global maritime trade passes through a handful of critical chokepoints, such as the Strait of Hormuz, the Strait of Malacca, and the Panama Canal. All of them continue to grapple with disruptions, and a closure triggered by geopolitical tensions, an accident, or a natural disaster could severely impact global supply chains and trade flows.

Strategies to Mitigate Concentration Risk

Addressing concentration risk requires a multi-faceted approach anchored in real-time supply chain lifecycle risk intelligence. Here are some practical strategies to identify and mitigate concentration threats:

  • Comprehensive Supply Chain Mapping: Companies must gain multi-tier visibility into their supply chains to identify potential concentration risks and other threats. This involves mapping all suppliers and their interdependencies.
  • Predictive Risk Intelligence and Monitoring: Leveraging advanced risk analytics platforms like Interos, businesses can continuously monitor physical and digital supply chains for geopolitical, financial, cyber, regulatory, ESG, catastrophic, and other risks. Real-time alerts and predictive analytics enable proactive mitigation strategies.
  • Supplier Diversification: Reducing reliance on a single supplier or region by diversifying the supply base can mitigate concentration risk. However, this must be balanced against the potential increase in complexity and costs.
  • Nearshoring and Reshoring: Bringing production closer to end markets or back to domestic facilities can reduce exposure to geopolitical risks, trade tensions, and transportation disruptions.
  • Collaboration and Transparency: Fostering collaboration and transparency across the supply chain ecosystem can enhance risk visibility and enable coordinated risk mitigation efforts.
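The mapping and monitoring strategies above describe a graph problem without showing it. The following Python is an added example written for this page, not Interos code and not the Interos platform's scoring method. It uses a small constructed supplier graph (every company and component name is made up) to show what multi-tier mapping surfaces that a tier-1 supplier list does not: a tier-2 supplier that two tier-1 suppliers both depend on, suppliers whose loss would leave a component with no source at all, and a Herfindahl-Hirschman-style concentration index per component. Shares here are simply counts of sourcing relationships; a real assessment would weight by spend or volume.

```python
"""Multi-tier supplier mapping and concentration-risk detection (added example)."""
from collections import defaultdict, deque

# Constructed sample data: (buyer, supplier, component). The graph is a
# product (the root) buying from tier-1 suppliers, which buy from tier-2, etc.
SAMPLE_EDGES = [
    ("Satellite-A", "BusCo", "satellite bus"),
    ("Satellite-A", "PayloadCo", "optical payload"),
    ("BusCo", "FabOne", "radiation-hardened FPGA"),      # shared tier-2 source
    ("PayloadCo", "FabOne", "radiation-hardened FPGA"),  # for two tier-1 suppliers
    ("BusCo", "PowerCo", "solar array"),
    ("PayloadCo", "PowerCo", "solar array"),
    ("PowerCo", "CellCo-1", "solar cell"),               # dual-sourced
    ("PowerCo", "CellCo-2", "solar cell"),
    ("FabOne", "WaferCo", "wafer"),                      # tier-3 single source
]


def build_graph(edges):
    """Adjacency map: buyer -> list of (supplier, component)."""
    graph = defaultdict(list)
    for buyer, supplier, component in edges:
        graph[buyer].append((supplier, component))
    return graph


def map_tiers(graph, root, excluded=frozenset()):
    """Breadth-first walk from the root product.

    Returns ({supplier: tier}, {component: {suppliers}}), where tier 1 is a
    direct supplier. `excluded` removes suppliers to simulate their loss.
    """
    tiers = {}
    sources = defaultdict(set)
    seen = {root}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        for supplier, component in graph.get(node, ()):
            if supplier in excluded:
                continue
            sources[component].add(supplier)
            if supplier not in seen:
                seen.add(supplier)
                tiers[supplier] = depth + 1
                queue.append((supplier, depth + 1))
    return tiers, sources


def single_points_of_failure(graph, root):
    """Suppliers whose loss leaves at least one component with no source.

    Re-runs the walk once per supplier with that supplier removed and reports
    which components disappear, including everything below it in the tree.
    """
    tiers, baseline = map_tiers(graph, root)
    spof = {}
    for supplier in tiers:
        _, reduced = map_tiers(graph, root, excluded={supplier})
        lost = sorted(c for c in baseline if c not in reduced)
        if lost:
            spof[supplier] = lost
    return spof


def concentration_index(graph, root):
    """Herfindahl-Hirschman index per component on a 0..10000 scale.

    10000 means a single source; equal dual sourcing scores 5000. Shares are
    counts of sourcing relationships reachable from the root (constructed
    stand-in for spend or volume shares).
    """
    tiers, _ = map_tiers(graph, root)
    reachable = set(tiers) | {root}
    counts = defaultdict(lambda: defaultdict(int))
    for buyer in reachable:
        for supplier, component in graph.get(buyer, ()):
            counts[component][supplier] += 1
    hhi = {}
    for component, per_supplier in counts.items():
        total = sum(per_supplier.values())
        hhi[component] = round(sum((n / total) ** 2 for n in per_supplier.values()) * 10000)
    return hhi


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EDGES)
    tiers, _ = map_tiers(graph, "Satellite-A")
    print("Sub-tier single points of failure (tier >= 2):")
    for supplier, lost in single_points_of_failure(graph, "Satellite-A").items():
        if tiers[supplier] >= 2:
            print(f"  tier {tiers[supplier]} {supplier}: {', '.join(lost)}")
    print("Concentration index per component:")
    for component, score in sorted(concentration_index(graph, "Satellite-A").items()):
        print(f"  {component}: {score}")
```

Running it shows FabOne (tier 2) and WaferCo (tier 3) as single points of failure even though neither appears on the product's own supplier list, which is the "unknown unknown" a tier-1-only review misses, while the dual-sourced solar cell scores 5000 and every single-sourced component scores 10000.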

Addressing concentration risk and other supply chain vulnerabilities is not a one-time exercise but a strategic process that requires continuous monitoring, adaptation, and investment.

By prioritizing proactive and predictive supply chain technology like Interos, companies can fortify their operations against potential disruptions, safeguard their bottom line, and maintain a competitive edge.

Click here to learn how Interos can secure your supply chain against concentration risk and other threats.

A long time ago in a supply chain far, far away…

The Millennium Falcon might look like a piece of junk but it can do point five past lightspeed and
– as they say in the bars of Tatooine – it’s got it where it counts.

Not bad for a bucket of bolts won in a card game.

In celebration of May the Fourth, Interos turned its artificial intelligence-powered supply chain
risk management technology on the company that makes the ship that made the Kessel Run in
less than 12 parsecs.

Our report is based on a detailed analysis of Star Wars lore with all companies mentioned
appearing in canon, the official collection of stories and history that Lucasfilm accepts as part of
the Star Wars saga. Our analysts dove deep into the available data, conducting a legitimate
analysis using the Interos platform.

What we found is a supply chain littered with risks as the Falcon operates in a universe with just a little bit of political instability, making it more than difficult to ensure the procurement of the
right part at the right time. This may go without saying, but it turns out an intergalactic war
fought between all-powerful space-wizards is bad for the widespread availability of necessary
parts and raw materials.

Let’s dive into our insights. Please note that none of our analysts died to bring you this
information, but there were algorithms and machine learning involved.

1. Koensayr Manufacturing (power converter): Medium Financial Risk

The Falcon uses a power converter from Koensayr Manufacturing, perhaps one of the top
makers of starfighters in the galaxy. However, Koensayr took a hit when the Empire took control
of the galaxy, losing out on several government contracts it held with the Galactic Republic. This
is not great news for Koensayr’s financial stability, so Han and Chewie may want to keep an ear
open for a new power converter supplier, just in case.

2. Torplex (deflector shield): Low Financial Risk | Medium Operational Risk

As partners with the Corellian Engineering Corporation (CEC) and later Sienar-Jaemus Fleet
Systems, Torplex deflector shields were quite common in a galaxy rife with competitors. That
gives them a low financial risk, but the company may find itself at risk for espionage with other
players in their field, so we tag them with a medium operational risk.

3. Coaxium (hyperfuel): High ESG Risk | High Operational Risk

A necessary part of a hyperdrive’s ignition chamber and sometimes used as fuel, coaxium
comes from planets like Kessel, known for its enslaved workforce and reputation for corruption.
After its rise, the Empire began to attempt to monopolize production of the substance as well.

4. Girodyne (sub-light engines): High Operational Risk

The company that makes engines for starfighters and other galaxy-traversing ships has a fairly
diverse product set. All these moving parts, though, require specialization and we worry
Girodyne finds itself at a high operational risk, since it leans so heavily on its own suppliers for
success.

5. Phylon Transport (tractor beam): Low Political Risk | Low Financial Risk

The maker of the Falcon’s tractor beam emitter found itself in a good spot, thanks to
relationships with CEC and the Kuat Drive Yards, two major ship producers.

6. Cloud City (gas mining colony): High Political Risk

The Falcon likely used tibanna gas to cool its hyperdrive, which would be abundantly available
in Cloud City. Sadly, Han and Chewie’s last trip there ended… poorly. Cloud City remains on
many intergalactic restrictions lists as of this writing, so the Corellian Engineering Corporation
may want to look for suppliers elsewhere.

The Official Interos i-Score™

The Millennium Falcon’s supply chain certainly has its challenges. The galaxy is filled with
spaceships and spaceship parts, meaning that if Han and Chewie cannot get a replacement
part directly from a supplier, there are certainly secondary options available.

However, and this should go without saying, an intergalactic economy that includes the
presence of the Death Star can never be completely safe. (Our system is not calibrated to
calculate how vaporizing an entire planet like Alderaan impacts intricate supplier models, but we
safely assume it’s high.)

For these reasons, we will give the Corellian Engineering Corporation, makers of the Millennium Falcon, an Interos i-Score™ of 77, indicating medium overall risk. If Han or any other pilot is
worried about their ship’s supply chain and ever wants to improve their operational resiliency, they
can find us at the cantina in Mos Eisley.

Special thanks to Lucasfilm for its input on this project. All information was sourced through
official, canonical, Star Wars sources.


Satellite Supply Chain Concentration Risk: Starlink and the U.S. Dominate the Market

 By Geraint John

Satellites are becoming the new supply chain battleground in critical infrastructure as countries seek to bolster their military capabilities and national security against the threat of war.

However, this is not some James Bond-style plot in which rival powers vie for control of space-based nuclear weapons, as in the 1995 film GoldenEye, but something more prosaic: a quest for bomb-proof internet connectivity.

Ukraine’s success in stemming the Russian army’s advances across its territory has been credited, at least in part, to its access to Starlink, a constellation of more than 3,000 low-orbit satellites owned and operated by Elon Musk’s company, SpaceX.

Ukraine’s military relies on Starlink’s fast, reliable internet access to share battle plans, co-ordinate operations and target Russian positions.

In the words of a Ukrainian soldier quoted in a recent Economist article: “Starlink is our oxygen.” Without it, “our army would collapse into chaos”.

The Satellite Supply Chain: Low Orbit, High Potential

Other nations concerned about their vulnerability to attack, and about the security of the land- and seafloor-based fiber-optic cables that carry their internet traffic, are keeping close tabs on Ukraine’s experience.

Taiwan, which has seen tensions with China escalate during the past year, is reported to be seeking private investment to establish its own satellite communications network.

China itself has submitted plans for a 13,000-satellite constellation, Russia has designs on a 264-satellite network, while the European Union agreed late last year to begin developing its own low-orbit system.

Japan, South Korea and Australia are among other countries looking to operate similar constellations of their own in the future.

Unlike traditional geostationary Earth orbit (GEO) communication satellites, which fly more than 35,000km above the planet’s surface, low-Earth orbit (LEO) satellites operate much closer to home.

Starlink’s satellites orbit just 550km from Earth, so signals make a far shorter round trip than to a GEO satellite; the resulting low latency is what makes high-bandwidth internet streaming and video services possible.

Other benefits include the fact that:

  • They communicate with users on the ground via portable and easily powered receiving equipment
  • Their (stronger) signals are harder to jam
  • Russian efforts to hack them have so far been ineffective
  • Because there are hundreds of satellites serving each location, physically taking the network down – through, say, a missile attack – would require enormous scale and vast expense.


America’s World Domination May Lead to Imbalanced Supply Chains

The United States dominates global satellite ownership, with 63% of the almost 5,500 commercial, military, civil and government satellites launched to date, according to data compiled by the Union of Concerned Scientists (UCS), a U.S.-based nonprofit organization.

Its dominance in LEO satellites – which comprise 86% of the total satellite population – is even more pronounced, thanks to Starlink.

The U.S. owns almost 50 times as many LEO communication satellites as Russia, and almost 90 times more than China, according to UCS.

Building on this data, Interos has created a satellite concentration and diversification metric. The metric demonstrates the resilience the U.S. has in this area, with extremely high satellite diversification, whereas Russia and China are both rated a high concentration risk.

This is good news for supply chains in the U.S., but those in less diversified areas may increasingly be more prone to internet disruptions or complete blackouts.

Taiwan has just one GEO communications satellite, through a joint venture with Singapore’s telecoms provider, while Ukraine doesn’t own any and relies on those of its allies.

Figure: Communications Satellites Owned by Selected Countries.

While Considering Future Satellite Trends, Beware Single Sources in Space

Aside from the potential for cyber interference in this newly critical and rapidly expanding infrastructure, from a supply chain perspective the main risk is arguably the extreme concentration of suppliers.

At present, Starlink is a de facto monopoly for customers outside of China and Russia, because of SpaceX’s dominance of launch capacity. Its Falcon 9 rockets took off more than 60 times last year, and each is capable of carrying over 50 LEO satellites.

Rivals Blue Origin, owned by Jeff Bezos, the United Launch Alliance – a joint venture between Boeing and Lockheed Martin – and France’s Arianespace are all in the process of readying new rockets.

UK-based OneWeb – which partners with France’s Eutelsat and Airbus – is currently dependent on SpaceX after its access to Russian launch facilities was scuppered last year. And Virgin Orbit last month failed in its inaugural attempt to launch nine LEO satellites from British soil using a rocket mounted below a reconfigured 747.

Interos has implemented a new satellite concentration risk score, which evaluates the concentration of accessible communication satellites for a country. A country with more satellites, or broader access to them, receives a higher score and faces less risk of satellite disruption. This score currently shows France as very high risk, higher even than Russia and China, whereas the UK is medium risk. Diversification should therefore be an important objective for these and other countries over the next few years.

While industry analysts expect there to be four or five active competitors in this global market eventually, for now SpaceX can call the shots.

For example, although it abandoned a suggestion in October that it would start charging Ukraine for its services, it has restricted use of its network in Russian-occupied territory such as Crimea, according to The Economist.

Government, military and commercial procurement chiefs would therefore be wise not to put all of their bets in this new space race on Mr. Musk’s satellite network, which may well become the next frontier in supply chain concentration risk.