Grid security EO: Impacts to the utility supply chain

Signed earlier this year, Executive Order (EO) 13920 declared a national emergency related to protecting the security, integrity, and reliability of Bulk-Power System (BPS) electric equipment used in the United States from potential attacks from foreign adversaries. Attacks on the BPS, through cyberattacks or other methods, would result in catastrophic failure of the U.S. electrical grid and would impact critical economic, health and safety, and defense infrastructure. As a result, the EO 13920: 

• Prohibits the acquisition of BPS equipment where foreign adversaries were involved in any or all of the design, development, manufacturing, or supply processes. Unless the vendor is prequalified for BPS purchases.
  
• Gives the Secretary of Energy authority to develop and enforce specific rules and regulations related to countries or BPS equipment under the scrutiny of the EO. These rules and regulations apply to both current BPS assets as well as ongoing and future BPS asset procurement.
  
• Establishes a task force, headed by the Secretary of Energy, that will define BPS equipment procurement policies and procedures, and establish cybersecurity evaluation criteria for national defense.

The actions within each of these core areas require utilities to address and modify their existing supply chain, asset management, and cybersecurity policies to swiftly react to the defined EO rules and regulations. This will apply to future BPS equipment, potentially existing BPS equipment, and in-flight BPS procurement activities in order to maintain utility compliance with the EO to protect the U.S. electric grid.

Introduction

In an effort to minimize exposure of vital infrastructure from foreign interference, the White House issued an executive order requiring U.S. utilities to source all products and services exclusively from domestic or allied countries. While many of the details remain in flux, the order is expected to complicate an already complex international supply chain.

Utility asset classes such as substation, transmission, and control systems and facilities will be most impacted by the executive order. These assets usually have complex engineering and manufacturing processes involving a web of suppliers and vendors. Some BPS equipment have mechanical, electrical, electronic, and software components provided by different suppliers. This leads to a complex supply chain system which makes material traceability difficult, especially at the raw material level. Understanding this supplier chain complexity through visibility and sourcing strategies will enable utilities to comply with the executive order.

Once BPS equipment is installed and operationalized in the field, it requires frequent maintenance to ensure lifecycles and return on investment metrics are met. When implemented, this order will have an impact on a utility's asset management strategies and sourcing strategies. Sourcing lead times may increase for most equipment ordered from Original Equipment Manufacturers (OEMs) in and outside the U.S. 

For utilities with both transmission and generation facilities, the new policies and regulations may affect numerous departments, and key stakeholders should begin preparing for possible disruption. Efficient inventory management and maintenance strategies must be employed to reduce the EO’s impact. 

Complexity of the supply chain

The supply chain is a dynamic, constantly evolving system of interconnected suppliers. Ongoing monitoring and verification is needed as suppliers grow, merge, and disappear is a constant risk mitigation effort. Moreover, the processes needed to validate and certify suppliers are still unknown, and a clear definition around ownership and responsibility has yet to be provided from the EO.

Visibility into the supply chain 

Gaining visibility into any supply chain involves tracing thousands of components from integrated circuits to insulators. The problem is compounded when including the supplier’s suppliers all the way down to raw material (see Figure 1). Businesses know their immediate suppliers but extending visibility and control beyond that will require added management and ongoing oversight as the portfolio of suppliers fans out in complexity.

One element that remains uncertain is the level of control that would need to be exercised, thereby defining the level of visibility needed. The EO has suggested using country of origin as a basis for control, but doing so fails to recognize the globalization of today’s supply chains and interdependencies of the manufacturing ecosystem. One potential path forward could involve assessing risk based on the risk of its component parts (e.g., number of integrated circuits, degree of internet access, number of control elements, or specific chips being monitored). 

Supply chain sourcing

The next task shifts to finding and contracting with alternate sources of supply. In most cases, choosing a supplier involves evaluating price. The process should also include evaluating parameters such as the cost of operation, compatibility with existing systems, internal training, ongoing maintenance, and quality. In assessing these areas, building a deep fact base will help end users define the importance of different parameters, inform negotiations, and identify pricing breaks.

Asset management

In instances that involve assets with a long useful life, the need to evaluate existing inventory on-hand and operating infrastructure may be a unique requirement. Due to their infrequent replacement combined with compatibility concerns for maintenance and repair, the option of directly evaluating an operating asset for remediation is a potential near-term solution to disposal and replacement of functioning hardware. Utilities should begin with an analysis of the install base to determine components that are installed but at risk for scrutiny of their security. 

Analysis of the install base should begin by prioritizing components that are most critical to decrease risk of disruption and have long lead times. As these components are identified, utilities should determine if critical spares are on hand. For those parts already in the system, utilities should consider installing operational technology to track these assets and gather usage data that can be leveraged to build predictive failure models. If it is determined that a component is at risk of failure, the visibility into where the component is currently sourced allows the utility to evaluate vendor compliance and identify alternatives if necessary, before disruption occurs. This is only possible with an accurate view of inventory, a map of the supplier base, and a visibility into asset lead time for replacements of critical spares.

While the importance of tracking new assets is critical, tracking assets currently installed in the field is equally important. Although the EO focuses on what will be required going forward, there is an inherent risk associated with those components that have already been integrated into the grid systems. If there was a threat identified in a particular asset, utilities that can identify areas where they may have installed that asset in the field and will be able to move quickly to isolate the risk and if necessary, replace the asset. Creating risk profiles for not only suppliers, but specific components can guide a utility’s short- and long-term procurement activities. Risk profiles and visibility of assets throughout their lifecycle is crucial to protect against potential security threats.

Protecting the BPS from cyber attacks 

Considering that BPS components are critical to grid operations, the EO likely will place a heightened awareness on the evaluation of existing-state supply chain programs to include cybersecurity criteria. The supplier in the supply chain with access to native bulk power system components should acknowledge and certify that cybersecurity protection controls and measures are in place.

Verifying that existing suppliers have enacted internal processes to ensure that digital equipment and software (or other native BPS components) are provided to them free of defects could lessen the chance of a cyberattack from adversely impacting the safety, integrity, or availability of a BPS. Regardless of the final call to action the DoE may require from utilities, it is important to take proactive steps in preparation of the EO and the release of rules and recommendations.  

Given the modern threat landscape on critical infrastructure, the federal government is highly invested in limiting the installation of BPS equipment sourced from adversaries of the U.S. While not all BPS components will contain a critical cyber element, implementing the philosophy of a Secure Product Development Lifecycle (SPDL) as illustrated below is recommended to maintain the integrity of critical BPS components from conceptual design to retirement. 

The control strategy is anchored by a defensive strategy, leveraging secure design principles and architectural guidance within, and incorporates security controls into the asset design process. Once a new digital design is proposed, the cyber security specialist and responsible engineer should work together to map the design into the defensive strategy. A high-level description of each phase of the SPDL is provided below:

From the time an asset is purchased, sits on a skid, and is placed into the production environment, there are critical steps that must be taken. Leveraging the strategy provided by the SPDL is a good starting point. Utilities should recognize the digital components going into their equipment design and the various vendors supplying these critical components. They should work with vendors to provide assessment analysis during equipment design, manufacturing, and installation – this is especially true for custom-made high-ticket BPS equipment.  

As guidance from the DoE becomes clearer on the expected rules and recommendations of the EO and resumption of NERC CIP 013-1 Cyber Security – Supply Chain Risk Management – for those BPS systems that may be impacted – it is recommended to adopt a security approach that is risk based vs. compliance driven, while also balancing the need to support and enable business and operational needs.

Conclusion

No end user or supplier can be fully responsible for maintaining the safety of our power delivery network. As a shared responsibility, both supplier and utility should share the burden of maintaining vigilance over the power delivery network. Similar to the approach taken in medical device, aerospace, or automotive industries, suppliers are certified and required to follow guidelines established by government and the industry to ensure proper operation and safety of their products. Similarly, manufacturers are responsible for implementing quality systems, certification programs, and selection criteria to ensure that guidelines established by the government are observed and applied. The responsibility for maintaining the safety of the network must be shared across the supply chains such that no single point of failure exists. 

Complexity aside, the approach to addressing risk should involve a framework that evaluates the specific scope of control exercised by the component. In other words, the category or type of commodity (e.g., microprocessor, PLCs, network devices, etc.) should have a higher level of scrutiny than commodity products and components (e.g., copper wires, aluminum sheet metal, plastic housings, etc.). Leverage a cybersecurity approach, where a utility applies increasing levels of control and scrutiny as the risk profile (i.e., ability to be impacted) for the category increases, as an appropriate path forward. Products with low to no risk of being controlled or with no impact on the output or operation does not require the same level of oversight as those of high-risk categories. By adopting a tiered approach to controls, you minimize the effort to manage complex supply chains allowing greater attention to those high-risk areas.