Managing risk in the energy sector’s cyber supply chain

This article is part of the World Economic Forum's Geostrategy platform

As the energy sector has become more globalized and increasingly complex in its reliance on software components, the supply-chain risk has evolved and expanded.

While energy sector cyber supply-chain issues have been recognized and studied for several years, they still persist.

One such risk that stands out is “unintended taint”, namely flaws in software components unintentionally built into products in design or implementation, which makes them distinct from both counterfeit — substituting lesser quality or imitation products — and “malicious taint,” which is intentional supply-chain subversion.

Unintended taint may lead to unintended supply-chain subversion, and represents a significant and credible threat to the uninterrupted functionality of critical infrastructure within the energy sector.

The report Supply Chain in the Software Era outlines a taxonomy for understanding certain energy sector risks and provide concrete and exploratory recommendations for policy makers and the private sector.

While some of the options may be unattractive to some, others are comparatively easy, if the will exists. The much less attractive option is to continue down the current road, providing the pathways for accidents and for adversaries to undermine energy operations, which would have a much more profound effect on the sector, the global economy, and national and international security.

Bookending the research between 2015 and 2017, two high-profile cyberattacks in Ukraine and Saudi Arabia leveraged supply-chain vulnerabilities to impact operations at two energy sector organizations.

In December 2015, hundreds of thousands of Ukrainian homes were temporarily plunged into darkness in the first confirmed cyberattack against an electric grid. In August 2017, a cyberattack halted operations at Saudi Aramco. In both cases, improvements in the security of supply-chain components would have halted the attacks.

Cyber supply-chain security has become a prominent issue in the energy sector, and the attempts to address it are growing. For instance, the North American Electric Reliability Corporation (NERC) is updating its Critical Infrastructure Protection (CIP) standards to include supply-chain protections.

Additionally, companies like BitSight, Security Scorecard, and Sir-Track (in Germany), which measure “digital exhaust,” are increasingly used to measure public, observable artifacts of third-party suppliers’ Information Technology (IT) and IT security practices.

However, gaps still exist — NERC-CIP applies to only a subset of systems and components that impact safety and reliability at a subset of electric utilities, and measuring Internet-facing security is (at best) an indirect bellwether of the technology used in energy sector control systems.

Software security vulnerabilities are a natural result of the development process and —despite best efforts — cannot be fully eliminated.

Each year, more than 10,000 security vulnerabilities are discovered in common off-the-shelf (COTS) components. They show up in global cyber supply chains, including those of the energy sector; and weaknesses and vulnerabilities in software design and implementation accrue along the multistep journey through the supply chain, whether intentional or accidental.

A single software component can compromise the operational integrity of critical systems. For instance, hardcoded default passwords — a known class of supply-chain vulnerabilities — in a safety-instrumented-systems component facilitated the shutdown of Saudi Aramco’s operations in December 2017.

Several alternative courses of action are recommended in the brief to address these issues.

Apply existing frameworks across the energy sector— Energy sector companies or the Department of Energy (DOE) can leverage existing frameworks, particularly the NERC-CIP standard and the DOE’s Cybersecurity Capability Maturity Model, as blueprints for improving security across the energy sector, including third-party suppliers.

Incentivize trusted IT Practices to Avoid Unintended Taint in the Energy Sector —Congress, the DOE, and energy sector companies can increase awareness and adoption of practices that are known to be effective, and avoid those that are known to be ineffective, through reduction of regulatory burden, use of buying power, or other incentives.

Vulnerability Monitoring, Coordination, and Sharing— The DOE, the Department of Homeland Security (DHS), and industry organizations can increase awareness and understanding of existing software vulnerabilities across the sector to reduce information asymmetry among organizations affected by the same or similar issues.

Examine Other Models of Operation, Liability, and Regulation — Congress, the DOE, and DHS, as well as other affected stakeholders should identify and analyze alternative approaches to operation, liability, and regulation, which may increase safety, security, and reliability across the energy sector.

Supply Chain in the Software Era, Beau Woods and Andy Bochman