By Gonda Lamberink, UL Senior Business Development Manager
2021 has utility professionals focused on supply chain cybersecurity in an effort to secure the connected grid. What’s at stake? The very ownership of connected systems and grid infrastructure. Where connectivity is everywhere and many systems can be vital, a successful cyberattack against the power grid could severely disrupt power-dependent critical or essential infrastructure and services including traffic lights and cameras, public transportation, hospitals, water systems, manufacturing, data centers, etc.
The connected, or smart, grid is part of the new Internet of Things (IoT) paradigm: more and more devices are connected, ready to sense, analyze and communicate data with other devices and systems, enabling higher levels of integration and automation of smart grid systems than with just the internet. More connectivity, however, exposes the smart grid to increased security risks: the attack surface is growing, and malicious parties are ready to exploit devices or systems that may have weak security controls.
Recent exploitations of smart devices and systems have been making headlines and reinforce the importance of secure design, implementation and integration to mitigate security risks. 2020, with its global pandemic, has also shown how interdependent the world really is. We now regularly think about all of our connections or interactions with others potentially posing a risk. That’s how utilities are looking at their supply chain into 2021.
In short, this is a shift to a zero trust mindset, which informs next-generation security.
It’s long been said that so-called “perimeter” security is broken. Network perimeter firewalls used to be like the walls of a castle: those outside the walls are untrusted while those inside can move about with little restriction. However, attackers are increasingly able to get through or bypass perimeter security, because with ever more connectivity on- and off-premises, organizations and networks are growing more and more porous. It becomes much harder to draw a boundary between a secure inside and the outside. Every vendor, system or component represents risk if it is not verified to establish trust.
Zero trust means moving away from a traditional perimeter-based security approach. How do we apply a zero trust mindset to securing utility supply chains? While security controls like network firewalls remain important, they are not sufficient alone to protect utility organizations from attacks that begin in the organizations and systems of their suppliers or vendors. When vendors have access to utilities’ systems and networks, a successful attack on a vendor can, through island hopping or leapfrogging techniques, lead to a successful attack on utility organizations. For this reason, a new focus on assessing, managing and also improving the security of supply chain vendors is required.
Utility supply chains can be complex, comprising many hardware and software components, including open source ones. The commercial off-the-shelf (COTS) and proprietary components used in any complex deployment may have been developed by hundreds of different manufacturers. The software assets used, whether open source or commercial, will have many developers and dependencies of their own. With that much supply chain complexity, the threat or risk of vulnerabilities that are already built into components is growing. End-use organizations and environments, such as utilities and the grid infrastructure, must realistically but comprehensively assess, verify and manage the integrity and security of their supply chain.
Implementing a zero-trust policy and security across an entire supply chain can seem intimidating. Many utility professionals and security leaders may not know where to begin. With NERC-CIP-013-1 having taken effect in October 2020, utilities are now required to implement supply chain security risk management plans for high and medium impact bulk energy systems (BES). Beyond the security risk itself, NERC-CIP-013-1 adds a compliance dimension: noncompliance by utilities may result in penalties that can escalate up to $1 million (USD) per day. Supply chain security risk management is critical to avoid disruption and manage risk, including financial risks.
Shifting to a zero trust mindset, embracing supply chain risk management and staying on top of compliance — it can all be very daunting. Where do you begin? The following steps can be useful in building a foundation or strategy:
- Ensure management buy-in and organization alignment by engaging relevant internal stakeholders, like IT, security, compliance, legal, procurement and operations. Security risk management is as much a culture as it is a process or activity. It requires a collaborative approach, reaching across organizational or functional silos.
- Next, identify BES systems and vendors, and select relevant supply chain security frameworks, such as those based on NIST Special Publications or IEC 62443.
- For supply chain risk management scope, with a zero trust mindset, in principle consider everyone and everything with direct or indirect access to networks.
- As for standards and frameworks, some typically focus more on IT whereas others are more tailored for operational technology (OT) or IoT systems. Make sure you cover both IT and OT.
- At a minimum, to cover NERC-CIP-013-1 mandatory requirements, prepare vendor criteria and assessments. The North American Transmission Forum (NATF) has provided the “NATF Cyber Security Supply Chain Criteria for Suppliers” as a useful resource.
- For covering NERC CIP-013-1 requirements and more, the key is to standardize vendor criteria as much as possible to establish a uniform method. Consider independent assessment by partners who can help establish and maintain risk management plans.
- Unless assessment is a core capability for your organization, establishing and maintaining risk management plans for large supply chains can be too resource-intensive. In addition to bringing assessment expertise and efficiency, partners add independent, third-party value, facilitating trustworthy information sharing.
- Put mechanisms in place for regularly validating or verifying that vendors meet NERC CIP-013-1 and additional security requirements, as part of ongoing security risk management. Standardize and automate audits and information sharing, leveraging third-party partners’ support.
Securing the smart grid supply chain isn’t easy and will take time and effort. But it’s important to get started, incorporating a zero trust mindset and gaining organizational and management alignment and prioritization. Take these steps and you can start making big impacts on mitigating supply chain security risk.
About the Author
Gonda Lamberink is an experienced business development manager in UL’s Identity Management & Security division. Gonda focuses on cybersecurity for IoT market segments globally including smart home, smart building and Industry 4.0. Gonda is driving thought-leadership, identifying business opportunities and building capabilities within UL to provide IoT manufacturers and service providers with cybersecurity advisory, testing and compliance solutions. IoT applications of focus include smart home entertainment and appliances, building security, building automation, energy management, lighting and industrial control systems. Prior to developing a focus on IoT cybersecurity, also with UL, Gonda worked on digital payment security for e- and m-commerce. Before joining UL, Gonda worked as a strategy consultant with PwC Transaction Services in Amsterdam and as an economist with the Dutch Ministry of Economic Affairs.