Despite daily attempts to attack the US electric grid, a cyber attack has yet to cause a power outage in the United States. But such attempts have been successful in other countries, according to a 2019 report from the Government Accountability Office (GAO).
Cyber attacks have grown in number and sophistication over the past 15 years. In January 2019, in a worldwide threat assessment, then-Director of National Intelligence, Daniel R. Coats, warned that nation-states have the capabilities to launch a cyber attack on the US electric grid. The FBI and Department of Homeland Security jointly issued an alert in 2018 about foreign government actions targeting the US energy sector.
In May 2020, the White House elevated the security of the US bulk-power system to a national emergency in an Executive Order. The EO bans the acquisition, importation, transfer or installation of bulk-power system electricity equipment from companies under foreign adversary control. Six countries have been expressly listed by the Department of Energy (DOE) as “foreign adversaries.”
The EO covers equipment used in the interconnected energy transmission and power generation needed to maintain transmission reliability (69 kV or more). This equipment includes control centers and the software used to manage flows of electricity, protective relays, voltage regulators, transformers and automatic circuit reclosers.
Some 85% of new high-voltage utility transformer orders have come from abroad in the past decade.
Supply chain and third-party risk has been a focus for utilities for a while. But utilities don’t have the level of visibility into and accountability for the players and elements—contractors and sub-contractors, suppliers, other third parties in the ecosystem, relationships, assets and inventories—that the EO demands. Utilities may not be prepared to address these vectors of risk.
A task force led by the Energy Secretary will publish criteria for prequalifying particular equipment and vendors in the bulk-power system electric equipment market for future transactions. It will also identify which equipment needs to be removed from the grid. The task force needs to identify the equipment affected by the EO “as soon as practicable” and publish rules or regulations implementing the EO within 150 days of its issuance (or by Sept. 28, 2020).
Most will struggle with answering the questions the EO poses:
No. The EO scrutinizes the country of origin for vendor products and services, which NERC CIP-013 doesn’t. With the new EO, more systems are in scope, and additional supply chain information must be captured, including sources of materials.
However, complying with NERC CIP-013 by the Oct. 1, 2020, deadline will go a long way. The existing NERC CIP-013-1 Supply Chain Security standard requires utilities (generators, transmission operators, etc.) to establish a plan to assess the risk presented by vendors and products that have access to assets, as well as the overall procurement process.
Utility technologies are typically multi-decade investments, kept in service long enough for the capital to amortize while avoiding downtime and leaving a working state undisturbed. A successful malicious actor would most likely be motivated to establish a presence and lurk in the system for months or, more likely, years, waiting for the most opportune time to launch an attack with maximum impact.
Also, while utilities may have taken steps to harden their external walls against potential attacks and disruptions, their external environments (third parties, assets and external relationships) may not have received the same level of enhancement and protections. Hackers frequently use a back door to attack a supply chain—involving hundreds of contractors and subcontractors—and then work their way to the utilities.
In a smart grid, a smarter cyber strategy secures the web of connections—relationships, assets, devices, networks and communications. “Virtually every device now has a chip in it. [If] you are getting your chip from overseas, [what] if there's anything in there that makes us vulnerable?” asks Bernard McNamee, commissioner of the Federal Energy Regulatory Commission (FERC). Not surprisingly, the restrictions in the EO on bulk power mirror those for the US information and communication technology and services industry in EO 13873, signed in May 2019.
Ironically, for all the advanced technologies in the smart grid, governance around third-party risk management (TPRM) and the asset-inventory process in utilities have lagged behind other industries. The utilities industry historically has had a manual and paper-based system for tracking assets.
According to our Digital Trust Insights study on resilience, 38% of the EU&M (Energy, Utilities and Mining) sector respondents said that they don’t have a full inventory of assets. Only 37% conducted an inventory of key processes and assets in 2019. About 60% last conducted an inventory of key business processes and assets in the last five years; 3% did so within the last six to 10 years. In comparison, across all industries, 91% of the high-resilience-quotient respondents (high-RQ) maintain an accurate inventory, which is refreshed as needed. (High-RQ respondents are the top 25% of scorers on three measures of resilience.)
Of course, the utilities industry realizes the need to improve its cyber posture. According to PwC’s Digital Trust Insights study on business-driven cyber, 67% of the 136 industry executives said their cyber team is “significantly” transforming to meet the needs of the business, and another 12.5% said their cyber team is “very significantly” transforming.
The heightened focus on the components of critical infrastructure is expected to increase over time, eventually affecting not only purchasing activities, but full life-cycle accountability, including more robust device impact analysis, industry pooling of high-value spares, trusted maintenance and more detailed continuity planning and exercises. Boards and regulators will ask questions about a company’s critical elements and where they originate.
Now’s the time for utilities companies to begin formalizing improvements in supply chain risk management, asset management and third-party risk management. It’s also time to double down on broader security controls for the systems running the electric grid.
Replace manual tracking with a digital inventory of your assets and current external relationships (including third parties), with descriptions of their services and assets. Risk-rank your organization’s exposure to these relationships (based on functionality of component). And plan for a continual refresh of the inventory.
Ask about your assets and relationships:
Establish policies, procedures, requirements and governance on how the organization will identify, assess, monitor and manage risks. Develop a risk-based, decision-making approach to profile and prioritize relationships.
You’ll likely have to educate and raise awareness within the risk, cyber and IT functions in your organization. Only 17% of the 77 EU&M industry execs in our Digital Trust Insights study “strongly agree” that their cybersecurity team takes a risk-based approach—rather than a transactional approach—in securing their ecosystem. Only 19% of the 136 business and security execs prioritized strengthening third-party risk management as an area for significant transformation.
Consider engaging vendor certification services to identify existing relationships with any organizations that may not meet the task force’s criteria for permitted suppliers. Focus on specific locations and affirm that no existing assets are on the non-permitted list. The sites could then be monitored for prohibited transactions, an approach allowing for compliance without having to maintain a fully accurate inventory.
The EO is “a real wakeup call” for vendors. They’ll need to understand and fairly represent the country of origin of their products and components of those products. While they may not be directly regulated by the EO, they could be affected if they are listed as a prohibited vendor or are unable to effectively attest to the origin of their products. Vendors should expect increased auditing and certifications—scrutiny that’s faced by suppliers of military and defense equipment and services today. Vendors would do well to get their house in order and establish their own third-party risk management program.
Develop management activities and steps to manage each relationship, from request through termination. Establish a plan for integrating new requirements into existing contracts. For net new contracts, ensure enhanced contract language is integrated into all relevant future contracts.
Plan for termination and exit strategies to discontinue existing relationships that don’t pass the criteria or don’t get on the prequalified vendors list for future transactions. The EO refers to remediation activities such as isolation, monitoring or replacement. Rules and regulations will provide guidance when an existing component is prohibited.
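The digital inventory, risk ranking and non-permitted-list screening described above, with each record mapped to one of the EO’s remediation options, as an added example (not PwC’s or any utility’s code). The criticality weights, the 365-day refresh interval and the `COUNTRY_A`/`PLACEHOLDER_VENDOR` entries are assumptions: the DOE foreign-adversary list and the task force’s prohibited-vendor list are not reproduced here.

```python
from dataclasses import dataclass
from datetime import date
EO_THRESHOLD_KV = 69  # EO scope per the article: listed equipment at 69 kV or more
# Assumed criticality weights by component function (1 = low, 5 = high); other categories are out of scope.
CRITICALITY = {"control_center_software": 5, "protective_relay": 4,
               "transformer": 4, "voltage_regulator": 3, "auto_recloser": 2}
# Placeholders: the DOE foreign-adversary list and the task force's prohibited-vendor list are not reproduced here.
NON_PERMITTED_ORIGINS = {"COUNTRY_A", "COUNTRY_B"}
NON_PERMITTED_VENDORS = {"PLACEHOLDER_VENDOR"}
REFRESH_DAYS = 365  # assumed maximum age of an inventory record before it counts as stale
AS_OF = date(2020, 9, 1)  # assumed review date for the sample run

@dataclass
class Asset:
    asset_id: str
    category: str
    voltage_kv: int
    vendor: str
    origin: str          # country of origin of the component
    last_verified: date  # when this inventory record was last confirmed

def in_eo_scope(a: Asset) -> bool:
    return a.category in CRITICALITY and a.voltage_kv >= EO_THRESHOLD_KV
def non_permitted(a: Asset) -> bool:
    return a.origin in NON_PERMITTED_ORIGINS or a.vendor in NON_PERMITTED_VENDORS

def risk_score(a: Asset) -> int:  # component criticality, tripled when vendor or origin is non-permitted
    if not in_eo_scope(a):
        return 0
    return CRITICALITY[a.category] * (3 if non_permitted(a) else 1)

def recommended_action(a: Asset, today: date) -> str:  # maps to the EO's options: isolate, monitor, replace
    if not in_eo_scope(a):
        return "out of EO scope"
    if non_permitted(a):
        return "isolate and replace" if CRITICALITY[a.category] >= 4 else "monitor"
    if (today - a.last_verified).days > REFRESH_DAYS:
        return "refresh stale inventory record"
    return "permitted"

def screen(assets, today):  # (asset_id, risk_score, action) rows, highest exposure first
    rows = [(a.asset_id, risk_score(a), recommended_action(a, today)) for a in assets]
    return sorted(rows, key=lambda r: (-r[1], r[0]))
SAMPLE_ASSETS = [  # constructed sample inventory; illustrative values, not real data
    Asset("XFMR-01", "transformer", 230, "PLACEHOLDER_VENDOR", "COUNTRY_C", date(2019, 3, 1)),
    Asset("RLY-07", "protective_relay", 138, "Relay Co", "COUNTRY_A", date(2020, 1, 15)),
    Asset("RLY-12", "protective_relay", 12, "Relay Co", "COUNTRY_A", date(2020, 1, 15)),
    Asset("ACR-03", "auto_recloser", 69, "Recloser Co", "COUNTRY_B", date(2020, 2, 1)),
    Asset("VR-05", "voltage_regulator", 115, "Reg Co", "COUNTRY_C", date(2018, 6, 1)),
]
```

Running `screen(SAMPLE_ASSETS, AS_OF)` ranks the two non-permitted, high-criticality devices first, flags the recloser for monitoring, surfaces the stale regulator record for refresh, and drops the 12 kV relay as out of EO scope.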
Supply chain security, while absolutely necessary, is only one aspect of securing the electric grid. Utilities should continue to manage the overall security of their operational systems to enhance grid reliability. A comprehensive program which encompasses all aspects of cybersecurity — from asset identification to vulnerability management and comprehensive monitoring — is fundamental to protecting this critical infrastructure.
While the EO doesn’t address the cost of replacing vulnerable systems, state utility commissions have generally been supportive of utilities recovering the costs incurred to improve the security of electric transmission and distribution systems. Also, FERC is considering implementation of a Cybersecurity Incentives Policy which will allow utilities to earn an increased return on equity for investments in cybersecurity improvements. However, to obtain recovery, utilities will have to demonstrate actual risk reduction.
Just as importantly, power and utilities companies should look for opportunities to fund improvements from cost savings in other areas through the consolidation of technology and processes, rationalization of tools, and security orchestration, automation and response.