Infrastructure

Collaborate to protect cybersecurity along energy supply chain

Cybersecurity poses a critical risk to the quality and reliability of the United States power infrastructure, according to the U.S. Commerce Department, particularly cyberattacks through the supply chain that can compromise the integrity of the critical hardware and software that underpin utility operations. 

Participants across the supply chain must work collaboratively to protect the cybersecurity of their operations, said energy industry stakeholders during the Nov. 9 session, “Friend or Foe? (In)Security in the Cyber Supply Chain,” held at the 2021 annual meeting and education conference of the National Association of Regulatory Utility Commissioners (NARUC) in Louisville, Ky.  

“We live in a highly interconnected world where organizations must rely on each other for critical products and services,” said panel moderator Judy Jagdmann, commissioner of the Virginia State Corporation Commission. “On the upside, the benefits are efficiency and cost effectiveness. On the downside, no one entity has complete visibility into their supply chain ecosystem.” 

This has created “a growing concern, particularly in the energy sector as it rapidly adopts advanced digital technologies that support new business models,” Jagdmann said, noting that cybersecurity practices come into play here. “Are we really aware of our vendor’s cybersecurity practices? And how about our vendor’s vendor’s vendor’s cybersecurity practices, and so on down the increasingly long chain?”

Supply chain cybersecurity is an increasing threat for Southern California Edison (SCE), one of the nation’s largest electric utilities, said virtual panelist Brian Barrios, SCE’s chief information security officer and vice president of cybersecurity and IT compliance.

“We’re putting much more energy into it,” Barrios said. “What scares me now is that more actors are doing it and it’s trickling down to less-sophisticated actors and then nation states are attacking the United States in many realms, including critical infrastructure. And they’re using [a variety of] techniques much more often.”

The Commerce Department says such techniques may include software or hardware that has been counterfeited or tampered with and which fails to operate as designed, or worse, contains rogue functionality, unstable configurations or undermined security mechanisms. Such compromised components, the department says, could enter the supply chain from lower tiers that have traditionally been less visible to the utilities. 

“At the end of the day, adversaries in many cases have figured out our vendor trust relationships sometimes better than we can ourselves because they’re willing to put the resources into it to really study it,” Barrios said. “Those trust relationships can result in operational risk, reputational risk, cyber risk, or just the risk of delivering the power, in [SCE’s] case.” 

And supply chain vulnerabilities are very broad and complex, said Barrios.

“At SCE, my goal is to ensure we deliver clean, reliable, safe power to our customers,” he said. “The first question I ask is what is the actor trying to get after? You have to get into their mindset. Are they trying to collect information on us? Are they trying to understand the architecture of our systems? Do they want information on the vendor loop? They may want to go after multiple targets or sectors, such as the federal government. They could have a lot of different motivations.”

To have a comprehensive cybersecurity program, panelist Tom Deitrich, president and CEO of Itron, which partners with cities and utilities to deliver industrial IoT solutions, said there are five things to think about (they match the five core functions of the NIST Cybersecurity Framework): 

  1. Identification: What do you really need to protect? What’s the attack surface that would be available to someone who is trying to attack your processes, data or your devices?
  2. Protection: How do you lock it down? Encryption or other techniques?
  3. Detection: Quick detection of when someone is trying to intrude.
  4. Response: If there is a breach, how do you ensure it’s isolated? How do you respond?
  5. Recovery: What remediation do you take after the fact? What lessons did you learn?

“Every supplier in the supply chain should be thinking about” this framework, he said. 

“If I flip it around… what kinds of questions do we want to be asking from a regulatory commission point of view?” Deitrich said, pointing to issues surrounding planning procedures, standards, systems, procurement, and training and awareness.

“The weak link in every system happens to be each of us — it’s the human,” said Deitrich, who attended the NARUC panel in person. “I also think what’s fundamentally important is that it’s a team sport. No one company, no one supplier, and no one regulatory body has all of the answers. The more we collaborate, the better off we will be.”

Additionally, he suggested that companies in the supply chain should balance costs over the long term with risk.

Virtual panelist Matt Wakefield, director of information, communication and cybersecurity research at the nonprofit Electric Power Research Institute (EPRI), which conducts research on behalf of the electric industry, agreed that collaboration is important when it comes to supply chain cybersecurity.

“It’s important to prioritize our efforts based on risk,” Wakefield added, “and this goes way beyond procurement to include insider risk attacks, software updates and human accidents and mistakes that could have unintended consequences.”

Wakefield suggested that companies take a risk-based approach that’s based on the principle that your systems will be breached, so then what are the consequences. “This can help you prioritize where to put your efforts,” he said. 

There are also engineering solutions to help companies minimize the risk, added Wakefield, who said that EPRI uses the Cybersecurity Technical Assessment Methodology, which is a systems engineering approach that looks at equipment vulnerabilities, mitigations from a risk perspective, the consequences of an exploit occurring from a vulnerability, and what the likelihood is for such consequences.   

“I want to emphasize that this goes way beyond procurement,” Wakefield said. “It is not uncommon at all to have digital equipment in the field that has a password that is publicly available, and while not a super challenging issue to resolve, you have to be aware of it from a perspective of managing it, having equipment locked up, having key management processes in place. The scale of supply chain security is vast.” 

In a nutshell, you won’t have a secure supply chain if you don’t have a way to control all of the vendors providing information into it, said Deitrich.

“If you’re unsure about what is happening deeper into your supply chain, you can’t be sure what’s happening inside your product,” he said. “You must be constantly looking, scanning and maintaining that. If you find something problematic, how do you detect it and handle it and correct it along the way to manage the process?”
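One concrete way to answer Jagdmann’s “vendor’s vendor’s vendor” question and Deitrich’s “what is happening deeper into your supply chain” for software is to walk the dependency graph in a software bill of materials (SBOM) and record the tier at which each component enters the product. The script below is an added example written for this page; it is not code from NARUC, Itron, EPRI or SCE. The SBOM is a constructed, CycloneDX-shaped document for a hypothetical meter firmware image, and the advisory list is likewise constructed; the component names, versions, supplier names and advisory ID are invented and refer to no real product or vulnerability.

```python
"""Walk an SBOM dependency graph to see how deep the software supply chain goes.

Added example, not code from the NARUC panel or any company named on the page.
The SBOM and advisory feed below are constructed for illustration only.
"""
from collections import deque

# Constructed, CycloneDX-shaped SBOM for a hypothetical firmware image.
# "dependencies" is the graph: each entry lists what a component depends on directly.
SBOM = {
    "metadata": {"component": {"bom-ref": "fw", "name": "meter-firmware", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "lib-tls", "name": "tls-lib", "version": "1.4.2", "supplier": "Vendor A"},
        {"bom-ref": "lib-crypto", "name": "crypto-core", "version": "0.9.1", "supplier": "Vendor B"},
        {"bom-ref": "lib-asn1", "name": "asn1-parse", "version": "2.0.0"},  # no supplier declared
        {"bom-ref": "lib-log", "name": "logfmt", "version": "1.0.0", "supplier": "Vendor A"},
        {"bom-ref": "lib-orphan", "name": "old-util", "version": "0.1.0", "supplier": "Vendor C"},
    ],
    "dependencies": [
        {"ref": "fw", "dependsOn": ["lib-tls", "lib-log"]},
        {"ref": "lib-tls", "dependsOn": ["lib-crypto"]},
        {"ref": "lib-crypto", "dependsOn": ["lib-asn1"]},
        {"ref": "lib-log", "dependsOn": []},
        # lib-orphan is listed as a component but nothing depends on it: a stale entry.
    ],
}

# Constructed advisory feed: (component name, affected version) -> advisory id (hypothetical).
ADVISORIES = {("asn1-parse", "2.0.0"): "ADV-EXAMPLE-001"}


def tier_depths(sbom):
    """Return {bom-ref: tier}: tier 1 is a direct dependency of the product, tier 2 a
    dependency of a tier-1 component, and so on. Breadth-first search gives the
    shortest path and the visited set keeps cycles from looping forever."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in depth:  # first visit is the shortest path
                depth[child] = depth[node] + 1
                queue.append(child)
    return depth


def assess(sbom, advisories):
    """Flag components that match a listed advisory, have no declared supplier, or
    are listed but unreachable from the product. Each finding is
    (bom-ref, tier or None, reason), deepest tier first."""
    depth = tier_depths(sbom)
    findings = []
    for comp in sbom["components"]:
        ref = comp["bom-ref"]
        tier = depth.get(ref)
        if tier is None:
            findings.append((ref, None, "listed in SBOM but unreachable from product"))
            continue
        key = (comp["name"], comp["version"])
        if key in advisories:
            findings.append((ref, tier, f"matches advisory {advisories[key]}"))
        if not comp.get("supplier"):
            findings.append((ref, tier, "no supplier declared"))
    # Deepest tiers first: that is where a utility's visibility is usually weakest.
    findings.sort(key=lambda f: -(f[1] if f[1] is not None else 0))
    return findings


def max_tier(sbom):
    """How many supplier tiers deep the product's software actually goes."""
    return max(tier_depths(sbom).values())


if __name__ == "__main__":
    for ref, tier, why in assess(SBOM, ADVISORIES):
        print(f"tier {tier}: {ref}: {why}")
    print("deepest tier:", max_tier(SBOM))
```

In the constructed SBOM the product only declares two direct dependencies, yet the component that both matches an advisory and has no declared supplier sits three tiers down, which is exactly the part of the chain the panel says utilities rarely see. Running the same walk over a real CycloneDX SBOM requires only loading the JSON in place of the embedded dictionary.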

Kim Riley
