In order to build an effective strategy to prevent compromised equipment from being installed in the U.S. electrical grid, Dr. Stockton suggests two different, but mutually supportive paths will need to be followed:

1. Develop a list of prohibited equipment, defined as equipment or components that are produced by entities that have foreign adversary “ownership, control, and influence.” This initiative will help DOE identify equipment as “pre-qualified” for purchase.[i]
2. Recognizing that adversaries will seek to “beat the system,” DOE and industry partners should ramp up testing and evaluation (T&E) programs for equipment which, if compromised, poses the greatest risk of causing severe disruption on the grid.[ii]

Scrutinizing Vendors and Strengthening Risk Management Processes

FERC has approved a series of mandatory NERC reliability standards to reduce bulk power system supply chain risks. To supplement NERC’s mandatory standards, the North American Transmission Forum (NATF) is playing a key role in coordinating supply chain cybersecurity initiatives for electric industry organizations, vendors, and third-party assessors. NATF has also created cross-industry, cross-sector (gas), and cross-border (Canada) collaborations, and put out a model, criteria, and questionnaire designed to create a streamlined, industry-accepted approach to obtain critical information for evaluating suppliers’ cybersecurity practices and conducting risk assessments.[iii]

Dr. Stockton believes that the NATF’s risk assessment initiatives are the most mature in the electric industry to date and that the organization is “uniquely positioned to rapidly advance solutions by recognizing and uniting accomplishments from all industry organizations, suppliers, third-party assessors, and vendors providing solutions for industry, government agencies, and regulators.”[iv]

In addition, the Stockton report notes, the National Institute for Standards and Testing and its industry partners have developed a Cyber Supply Chain Risk Management program, which provides support to users in managing risk in the distributed and interconnected nature of IT/OT product and service supply chains.[v]

Testing and Evaluation

Recognizing the global nature of the utility industry supply chain, NERC has warned that foreign adversaries seeking to penetrate process-oriented risk management techniques may well use a combination of artificially low, or subsidized, costs coupled with “[d]eliberately opaque and convoluted networks of largely unknown resellers and brokers” to offer highly cost-competitive products with unclear origins.[vi]  NERC further suggests that some entities with easy access to capital may simply acquire the target organization, or a connected entity, as a way of “locking down strategic portions of a broader value chain” and creating opportunities to push out compromised equipment.[vii]

While pre-approving vendors can greatly streamline procurement activity and improve security, asset owners must continue to be alert to the risk of insider threats for compromising pre-approved equipment. This is true even if asset owners have process controls in place to ensure that no subcomponents are produced by vendors controlled or influenced by foreign adversaries.[viii]

In order to Implement the Executive Order effectively, Dr. Stockton suggests that industry and government will need to agree on two major challenges:

• Prioritizing which equipment is most important to test; and,
• Rapidly scaling-up existing T&E programs to meet rapidly escalating demand.

On the first challenge, the Executive Order lists more than a dozen types of equipment are part of the process to secure the bulk power system, and many of these have multiple suppliers who may offer multiple versions of each product.  To address this complexity, Dr. Stockton suggests using a consequence-driven, cyber-informed engineering approach to determine which types of compromised equipment would cause the most damage to the grid if compromised (thus helping an adversary achieve their goals). He further suggests considering “mission-dependency” modeling to help target T&E assessments for the most mission-critical equipment.[ix]

The second challenge is the availability of T&E testing – even with the national labs, private

companies, and bulk power system entities, there is simply not enough capacity to meet anticipated demand.  A potential solution:  A DOE-led, and perhaps funded, public-private partnership to jump-start the expansion and sustainability of domestic T&E capabilities. Such a program would need to further accelerate DOE’s Cybersecurity Testing for Resilient Industrial Control Systems (CyTRICS™) program from “proof of concept” to a robust reliable system, as well as pursue other options and opportunities with energy sector partners to apply a targeted, collaborative approach to testing industrial control system components.[x]

Lastly, Dr. Stockton acknowledges that in order to make progress on this myriad of issues all the industry players — vendors, bulk power system entities, DOE, and private testing companies — will have to address a number of issues.  These include ensuring the confidentiality and security of vendor intellectual property and data; liability protection for participating vendors; exemption from information disclosure of test results; and, the secure sharing of test results. To do so, DOE and its partners will need an organizational framework for sustained dialog and consensus-building.[xi]

Next week: Strengthening Unity of Effort for Executive Order Implementation