Insight | 16 February 2026 | 5 min read

Silent Sabotage: Supply Chain Air Gap Imperative

End-of-life technology in critical national infrastructure creates exploitable gaps that supply chain attackers actively target. With the UK scoring the highest risk of five nations assessed, organisations must reconsider where their most sensitive data resides, and whether it should remain reachable at all.

Mark Fermor


Director & Co-Founder, Firevault


The Hidden Liability in Every Network

A November 2025 report by WPI Strategy, commissioned by Cisco, quantified a problem most organisations prefer not to discuss: the mounting risk of End-of-Life (EoL) technology embedded within critical national infrastructure. The findings are stark.

Of five nations assessed, the United Kingdom scored the highest EoL risk at 92.0, ahead of the United States (88.0), Germany (87.8), France (83.0), and Japan (65.0). The UK's elevated score reflects both high exposure to unsupported technology and the concentration of its infrastructure, which amplifies the blast radius of any single compromise.

These are not theoretical risks. 60% of EU cyber breaches in 2022 to 2023 exploited known vulnerabilities for which patches existed but had not been applied. In healthcare alone, a 2022 survey found that 60% of French hospitals were still running Windows 7, two years after Microsoft ended security support.

Source: WPI Strategy, "Update Critical", November 2025 | ENISA NIS Investments Report 2024

Supply Chain Attacks Thrive on Technical Debt

Supply chain compromises do not require sophisticated zero-day exploits. As the report notes, "even well-resourced adversaries often gain initial access through relatively simple means, such as unpatched network devices, mismanaged credentials, or IT equipment that is so obsolete that it cannot even be effectively updated or secured."

The pattern is consistent. The SolarWinds incident demonstrated how a single compromised software update could reach thousands of organisations, including government agencies. In February 2024, a joint cybersecurity advisory confirmed that the Chinese state-sponsored group Volt Typhoon had compromised multiple US critical infrastructure sectors, including communications, energy, transportation, and water, using these exact methods.

The advisory's four recommended actions began with "apply patches for internet-facing systems" and ended with "plan end of life for technology beyond manufacturer's supported lifecycle."

Source: CISA Advisory AA24-038A, February 2024

The Remediation Gap

The WPI Strategy report identifies a systemic failure in how governments and infrastructure operators fund technology replacement. In the US, federal IT spending reached $100 billion in 2023, with an estimated $80 billion allocated to operating and maintaining existing systems, including legacy infrastructure, representing a 12% increase on 2021 figures.

In the UK, 228 legacy IT systems were identified across government departments in 2024, with over one in four rated "red" for high likelihood and impact of operational and security failures. The UK Police National Computer, still in active service, is 51 years old.

The report is direct about the cause: "Current funding approaches to public sector IT projects end up encouraging underinvestment and de-prioritisation of remediation. This leaves governments servicing increasing technical debt, rather than investing in cybersecurity enhancements."

Source: National Audit Office, "Government Cyber Resilience", 2024

Why Patching Alone Is Not Sufficient

Patching addresses known vulnerabilities in supported software. It does nothing for equipment that can no longer receive patches. It does nothing for supply chain compromises where the update mechanism itself is weaponised. And it does nothing for the window between a vulnerability being discovered and a patch being deployed, a period that averaged 60 days across critical infrastructure sectors in 2023.

The WPI Strategy report identifies an additional compounding risk: "newer technology products typically share some common code base with older technology. This means that new patches for current technology can be used to expose vulnerabilities in that common code base shared with obsolete technology." In other words, patching current systems can inadvertently create a roadmap for attacking the unpatched ones.

This is the fundamental limitation of any defence strategy that assumes all data must remain connected and accessible.

The Case for Physical Disconnection

Every mitigation strategy discussed in the report, from asset registers to procurement reform to AI-assisted patching, operates within the same paradigm: keeping connected systems secure. These measures are necessary, but they share a common assumption that data must remain online to be useful.

For the subset of data that organisations cannot afford to lose, that assumption should be challenged.

Firevault's offline secure storage removes critical assets from the network entirely. Not behind additional layers of software defence, not in an "isolated segment" that remains addressable, but physically disconnected at Layer 1. The storage has no IP address, no network path, and no admin interface when not in active use.

This is not a backup solution. It is a fundamentally different architecture for protecting data that matters most: board records, intellectual property, regulatory evidence, identity documents, encryption keys, and disaster recovery baselines.

What the Report Means for Data Protection Strategy

The WPI Strategy findings reinforce a conclusion that the cybersecurity industry has been reluctant to state plainly: the attack surface of connected systems is growing faster than the capacity to defend it.

Organisations that hold high-value, high-consequence data should be asking a different question. Not "how do we better secure our connected systems?" but "does this data need to be connected at all?"

For crown-jewel assets, the answer is increasingly clear. Physical isolation is not a retreat from modern security practice. It is the logical response to a threat environment where trust in the digital supply chain is structurally compromised.

You cannot breach what is not connected.


About the author

Mark Fermor


Director & Co-Founder

The driving force behind Firevault's market presence, combining commercial vision with deep tech insight.
