Ensuring Electric Grid Supply Chain Security: A Matter of National Importance
By Rick Mroz, former president, NJ Board of Public Utilities
As federal agencies, the electric utility industry and its myriad suppliers and vendors work to ascertain the full breadth and scope of the Trump Administration’s May 1, 2020, Executive Order (EO) 13920, Securing the United States Bulk-Power System, a thought-provoking white paper on the subject has emerged from a former senior Department of Defense official.
Dr. Paul Stockton, former Assistant Secretary of Defense for Homeland Defense and Americas’ Security Affairs and an expert on cybersecurity and infrastructure resilience issues, quietly published the white paper on September 2 on the Idaho National Laboratory website, outlining in detail a series of steps for securing the U.S. electric grid from attacks originating in the bulk power system (BPS) supply chain.
As Protect Our Power has been pointing out for more than two years, it is no secret that the supply chain that feeds hardware, critical equipment and cyber assets into our electric grid has become global in nature, and highly vulnerable to inappropriate infiltration. Indeed, as detailed in the latest Ridge Global/Protect Our Power report, gaps in the overall supply chain system “present a clear and present danger to our national security.”
And while making continuous improvements and upgrades to the electric grid is critical — electricity is the lifeblood of our economy — we cannot make such improvements with hardware or software that is purposely designed to malfunction at some point or, worse, can be remotely activated by a foreign agent after installation to damage or destroy vital equipment or systems.
The challenge with today’s supply chain – across manufacturers, vendors, and system integrators alike – is that there are no protocols that oversee or guarantee that the hardware or software they provide to utility companies is secure and free from hidden threats. Preventing such threats is a mammoth task that spans industries and activities, from manufacturing and shipping to installation and maintenance, across the globe.
Stockton, now managing director at Sonecon, a Washington, D.C.-based economics and security analysis firm, addresses this challenge head-on, noting that while the Department of Energy is the lead agency implementing the EO, numerous other agencies and organizations are also identified in the EO as playing key BPS security roles.
A main challenge, according to Stockton, is that “No organizational framework exists to coordinate DOE’s implementation efforts with these diverse stakeholders and help them achieve unity of effort.”
To address this, Stockton proposes “building on collaborative arrangements already established by the Electricity Subsector Coordinating Council (ESCC), the North American Transmission Forum (NATF), and other organizations noted in this report, DOE and its partners should create an organizational framework to lead and coordinate EO implementation activities for many years to come.”
He then lays out three areas of focus for disrupting the use of the BPS supply chain as a weapon — understanding the goals of a BPS attack; understanding the implications of compromised equipment in the BPS; and developing effective countermeasures — and identifies four “opportunities for progress” in making the grid less vulnerable to supply chain-based attacks.
Over the next several blogs, Protect Our Power will examine each of these four “opportunities for progress,” and we will also be working with Ridge Global on development of recommended cybersecurity frameworks for both the U.S. bulk power and electric distribution systems, to provide recommendations to the current DOE rulemaking process on supply chain cybersecurity, and to elicit opinions on an eventual certification process for equipment moving through the electric grid supply chain.
Dr. Stockton’s white paper represents an important step forward in addressing a key electric grid vulnerability — supply chain integrity and security — and Protect Our Power encourages readers to review the document and stay tuned here for further developments and viewpoints on this critical issue.