According to a new study commissioned by Protect Our Power, cyber-related vulnerabilities in the electric sector supply chain present a "clear and present danger" to U.S. national security and are growing as information technology (IT) and operational technology (OT) products and services converge in the evolving electric grid.
The imminent threat of a high-impact cyberattack is not going unchallenged. Important regulatory and voluntary, best practices-based efforts are underway to change this dynamic, according to the A Review of Power Industry's Supply Chain Security Risks report from Ridge Global, a security-focused advisory firm.
Protect Our Power, a not-for-profit electric grid resilience advocacy organization, commissioned the study in 2019, given the important role that the integrity of the supply chain plays in the generation, transmission and distribution (T&D) of electricity.
On the OT side, for example, cyber assets are part of T&D control centers, smart grid devices and smart meters, protective relays, outage and restoration software, and more. On the IT side, supply chain items that could contain a cyberthreat are vital to corporate operations, including customer service, telephone and electronic communications, security, interface with operations systems, and many other general corporate functions.
Ridge Global surveyed the efforts and programs of government standards agencies, the electric industry, and their trade organizations as they work to address potential supply chain cyber issues and risks. Researchers also interviewed leaders within and outside the electric sector.
In addition to identifying the causes of supply chain vulnerabilities, the 80-page report recommends a model framework for supply chain cyber risk management, applicable to both the buyers and suppliers of products and services.
"This notional end-to-end model framework is intended to provide a comprehensive baseline against which various regulatory requirements and ongoing voluntary and collaborative activities designed to enhance supply chain cyber risk management with the U.S. electric industry can be objectively evaluated," the report states.
The five key components of the model framework are:
- Establish corporate governance and set the direction for supply chain cyber risk management;
- Establish and maintain multi-dimensional information sharing partnerships and technical capabilities;
- Select the corporate risk management approach and conduct analysis to identify and prioritize risks;
- Create and continuously validate a trusted risk management-focused supplier network; and
- Implement controls to manage supply chain life cycle risk.
The report includes an examination of a new supply chain cybersecurity standard (CIP 013-1) issued by the North American Electric Reliability Corp. (NERC) that takes effect in July. It also examines recent revisions to two other NERC standards that pertain to supply chain risk management.
"Electricity is critical infrastructure and Americans want it protected. The threats posed to our electric sector are global and multifaceted in scope," said Tom Ridge, founder of Ridge Global, former Pennsylvania governor, and first U.S. secretary of Homeland Security. "When it comes to supply chain risk — manufacturers, vendors, and system integrators alike — there's no protocol that oversees what they embed in the system is secure. It is time the industry got together with its cohorts and developed a unified, comprehensive, industrywide protocol to address supply chain risk. There's a clear and urgent need for coordinated, industrywide action."
"Our hope is that this report jumpstarts a dynamic and enduring solution to cyberthreats that will secure the grid and make sure these vulnerabilities from equipment and the supply chain are fixed," said Richard Mroz, Protect Our Power's senior adviser for state and government relations and the former chairman of the Critical Infrastructure Committee for the National Association of Regulatory Utility Commissioners. "As the report makes clear, there are huge gaps in the electric sector's cyber protection for the supply chain. Those gaps include no manufacturing standards, no product testing, no certification process, and no agreement on who would even bestow a 'seal of approval.' The current state of affairs is untenable."
See eight-minute Q&A video with Ridge and Mroz here.