In a previous blog article, I highlighted how utilities can shift from focusing on cybersecurity to a commitment to intelligent grid security. One of the five areas to address was supply chain risk, which is no longer a distant threat. To borrow a phrase from American novelist Tom Clancy, this risk is now a “clear and present danger”—and two recent news stories illustrate why.
The first article, “The Big Hack,” was published by Bloomberg News in October 2018. The second, a January 2019 Wall Street Journal article, provides an in-depth explanation of how Russia exploited supply-chain vulnerabilities—what the WSJ called “the system’s unprotected underbelly”—to infiltrate an estimated two dozen or more utilities.
These were not direct attacks on utilities, but rather attacks via the supply chain. Attackers employed social engineering to gather credentials of supply-chain partners and, ultimately, leveraged that information to breach utilities’ systems. Some utilities and their partners were unaware of the attack until they were contacted by federal law enforcement agencies.
These attacks illustrate the importance of integrity at every link of a transmission and distribution supply chain. Historically, utilities have trusted, but not necessarily verified, supply-chain partners. Today, maintaining integrity requires more than having what you believe to be an “ironclad” contract.
It’s time to start carefully evaluating each partner’s integrity much as you would evaluate individual people. There are some you may trust with a key to your house and unfettered access; others you may not admit unless you are present to monitor their behavior. And still others will fall somewhere in between. It should not be much different with your transmission and distribution supply chain, especially when assessing partners that have access to the “crown jewels” of the electric system.
Although NERC CIP 013 standards are taking shape to provide guidance in this area, the Wall Street Journal reminds us that standards always lag threats. With a true sense of urgency in mind, here are two key steps I believe every utility should undertake:
- Take it to the top. Initiate an ongoing conversation about these risks with your C-suite and board. Start getting smart about the nature of the threat. Elevating this to a C-level and board issue positions your organization to be ahead of the curve when the standards are finalized and released.
- Think strategically about mitigation. These threats are complex and multifaceted; the solutions must be equally sophisticated. Start getting strategic about how you can evolve transmission and distribution. For example:
  - Rethink your operational technology architecture to drive integrity into the architecture itself (a topic I’ll address in greater detail in a future post).
  - Start talking to manufacturers to confirm they understand the threats. Whenever budget permits, opt for manufacturers with higher security standards.
  - Give thought to how you can design for greater integrity as you conduct business planning for the next five to 10 years.
  - Always leverage security investments as opportunities to enhance operational efficiencies as well. In other words, every dollar you spend on reducing risk should have a dual use in driving operational reliability and business performance.
As with the other pillars of intelligent grid security, supply-chain risk is an executive-level challenge with executive-level accountability. These are no longer abstract threats to delegate to a security leader or team. These are very real—and very insidious—threats that demand utilities assemble the right blend of business, technical and security expertise.