Ensuring Utility Industry Supply Chain Integrity
John Lang, chairman, Protect Our Power, former Corporate Treasurer, Aetna Life and Casualty
A lot of questions were raised in the utility industry following issuance of an “Executive Order on Securing the United States Bulk-Power System” by the White House on May 1.
While the EO is focused on the bulk electric system — the power plants, transmission lines and related interconnections that generate and deliver power to local distribution systems — it was a bit vague on the exact scope of its application, and on the process that will be used to determine which countries or companies will no longer be trusted to supply equipment to the industry.
But one thing is clear — the EO is going to affect the utility industry supply chain, which has become global in nature and therefore vulnerable to malicious infiltration by entities possibly interested in damaging our national electric grid, the lifeblood of our economy and society.
While many, including Protect Our Power, acknowledged the EO as “an important step” toward a more secure grid and grid-related supply chain, it is equally important to note that it is one step among many that are being taken to address an issue of concern that has grown exponentially in the last several years.
A report from Ridge Global, in collaboration with Protect Our Power, issued in February, highlighted the increasing sophistication of the grid, where information technology (IT) and operational technology (OT) products and services are converging to make the grid more automated and efficient, but also opening up new cyber vulnerabilities and threats.
As Gov. Ridge said in an op-ed at that time, the globalization of the utility industry presents a “clear and present danger to our national security.” What is needed is an industry-wide protocol that defines the responsibility and accountability needed to ensure the integrity and security of components going into, or connected to, the U.S. electric grid regardless of origin.
This is no simple task, since a component or piece of equipment that is purchased from a reputable vendor in the U.S., or a country considered to be an ally, could easily contain parts manufactured in, for example, China and Russia. Without a foolproof protocol that enables the traceability of every component or piece of equipment, we cannot fully protect the integrity of the grid.
This already challenging situation is made even more difficult with the Internet of Things, which involves literally billions of devices that are not part of the grid, but are connected to the Internet, and can therefore provide a pathway to the grid.
Ridge Global and Protect Our Power, building on the model framework for supply chain risk management outlined in their February report, are developing a formal collaborative in which buyers, sellers, and grid regulators can come together to establish a framework that will enable a buyer of grid equipment to know that the product they buy is safe and approved for use in the U.S. grid.
This collaborative process will also be especially important to smaller, rural, or municipally-owned utilities, which often do not have the financial or human resources to engage in significant grid security maintenance or upgrades.
Establishing an effective industry supply chain protocol will take time, but its success is necessary and vital to our national interests. Attempts to hack into our electric grid number in the millions every single day, and unless we engage in an all-out effort to tighten up grid access through every possible channel, it is only a matter of time until an attack succeeds.