Vulnerabilities in Power Industry Supply Chain Increase Risk of Successful Cyber Attack on Electric Grid
“Coopetition” could help spur prompt solutions
By Tom Ridge, former Governor of Pennsylvania, former Secretary of Homeland Security
As Congress considers taking action on infrastructure and energy legislation in 2020, one cross-cutting issue still must receive priority attention – ensuring the security and resilience of our electric grid.
Securing the grid is an issue I have been elevating since 2014, and the latest study performed by Ridge Global for the non-profit Protect Our Power reveals another chink in our national armor: The supply chain that feeds hardware, critical equipment and cyber assets into our electric grid has become global in nature, and highly vulnerable to infiltration.
And while many utility industry regulators, organizations and individual companies are taking action, including implementation of best practices, gaps in the overall supply system present a clear and present danger to our national security.
This issue was also recently highlighted by the congressionally-appointed Cybersecurity Solarium Commission, noting the need to significantly increase supply chain risk management for critical infrastructure, and in the utility industry’s bi-annual simulated attack exercise known as GridEx, during which only three major utility supply chain vendors were among the more than 500 participants.
Driving this escalating risk is the increasing sophistication of the grid, where information technology (IT) and operational technology (OT) products and services are converging to make the grid more automated and efficient, but also opening up new cyber vulnerabilities and threats.
Making continuous improvements and upgrades to the electric grid is critical — electricity is the lifeblood of our economy — but we cannot make such improvements with hardware or software that is purposely designed to malfunction at some point or, worse, can be activated remotely by a foreign agent after installation to damage or destroy vital equipment or systems.
The challenge is that in today’s supply chain – across manufacturers, vendors, and system integrators alike – there are no universal protocols that oversee or guarantee that the hardware or software they provide to utility companies is secure and free from hidden threats.
Because this potential grid weakness is so significant, it is time for the utility industry to take the lead and encourage its universe of suppliers and vendors to engage in “coopetition.” This concept gained popularity in the early 2000s and means “cooperative competition” — competing companies working together to create a product or service that is of mutual interest but, most importantly, is of greater benefit or value than either could provide alone.
We are seeing coopetition in response to the coronavirus pandemic as companies work together to create a vaccine, and this example translates to the utility industry where some 3,000 vendors offer competing solutions to industry issues.
A spirit of coopetition in the utility industry supply chain, encouraged vocally and financially by the industry, could in theory speed the development of a unified, comprehensive, industry-wide protocol or standard to address risks and improve supply chain integrity.
Our report includes 18 specific recommendations, identifies the causes of supply chain vulnerabilities, and recommends a model framework for supply chain cyber risk management that can be applied to both the buyers and suppliers of products and services that go into our national electric system.
These suggestions, along with some healthy coopetition, can help jump-start the development of a dynamic long-term system for eliminating cyber threats to the grid emanating from the supply chain. Ridge Global is working now with industry leaders and regulators to formalize the model framework and turn those recommendations into action items, and more on this topic will be forthcoming in the near future.
The huge cyber security gaps in today’s electric industry supply chain — including no manufacturing standards, no product testing, and no certification process — are high-risk, unnecessary, and unacceptable.
Tom Ridge
Author Bio