PST warning: Salt Typhoon and the contractor-linked model behind critical infrastructure hacking

Analyst lens; what boards tend to miss

1) Espionage is an operational risk multiplier

Even when the immediate objective is intelligence collection, access to operational dependencies, supplier relationships, and recovery procedures can become a disruption accelerator later.

2) Edge exposure is still the front door

PST’s “vulnerable network devices” wording should prompt immediate questions about patch governance, asset visibility, and whether suppliers operate or manage any exposed infrastructure on a client’s behalf.

3) Do not overfit rhetoric across chapters

PST uses “so dangerous” language here:

“The enemy is at times framed as so dangerous and malevolent that certain individuals ultimately perceive violence as a necessary response.” (PST, 2026, p23)

But that appears in a section on anti-government actors and violence, not cyber operations. Advisers should avoid blending emotionally charged language into cyber threat briefings unless the source clearly intends it.

What good looks like; UK actions that stand up in board minutes

Do now (7–30 days)

* Edge device exposure sweep: inventory all internet-facing appliances; confirm patch levels; remove legacy remote access paths; validate secure admin access.

* Privileged access controls: reduce standing admin rights; enforce strong MFA for administrators; review service accounts and remote management tools.

* Supplier access mapping: list third parties with remote/admin access; verify authentication strength; ensure logging is enabled and reviewed.

* Detection focus shift: prioritise alerts for credential abuse and administrative tooling over malware-only signals.

Do next (this quarter)

* Network segmentation around crown jewels: make lateral movement harder and noisier.

* Recovery evidence: run at least one technical restore test for a critical service and capture results for audit and insurer conversations.

* Assurance narrative: map to NCSC guidance and Cyber Essentials as baseline, then add “beyond baseline” controls where risk justifies it.

Measure; four board-friendly indicators

* Percentage of internet-facing devices under verified patch SLAs

* Percentage of privileged accounts with strong MFA and continuous monitoring

* Number of third parties with persistent admin access to critical systems

* Proven recovery time for critical services from real tests, not tabletops

Mini-scenario; how this plays out in a UK corporate

A UK firm has several remote-access appliances managed by a third party. One device falls behind on patches. An attacker compromises it, then uses valid credentials to expand access quietly. There is no ransomware. The attacker maps systems, dependencies, and supplier pathways, and collects documentation. Months later, a second event escalates faster because the attacker already understands the environment.

Board Questions (use on one slide)

* Which services are our “crown jewels”, and who is accountable for their resilience

* Which internet-facing devices do we run, and can we evidence patch compliance

* Which suppliers have admin access to critical systems, and how is it controlled and logged

* What would our telemetry show if valid credentials were abused

* How quickly can we contain admin misuse without disrupting operations

* When did we last prove recovery of a critical service end to end

* What would we disclose, and on what timeline, if sensitive data access is suspected

If you advise UK boards, turn PST’s warning into a one-page “pre-positioning risk” brief: edge exposure status, privileged access posture, third-party access inventory, and last recovery test results. That is the artefact executives can act on this quarter.