In response to President Biden’s Executive Order 14017, America’s Supply Chains, the Department of Energy (DOE) today released a comprehensive plan to ensure security and increase energy independence in the United States.
The report, “America’s Strategy to Secure the Supply Chain for a Robust Clean Energy Transition,” lays out critical strategies to build a secure, resilient, and diverse domestic energy sector industrial base (ESIB), including engaging with the government and private sector to develop a secure digital component supply chain strategy for the ESIB.
As the energy sector has become more globalized and digitized with the increased use of smart systems, the supply chain risks for digital components have evolved and expanded, the report emphasizes.
“The supply chain risks have grown in recent years as increasingly sophisticated cyber adversaries have targeted and exploited vulnerabilities in these digital assets. Key cyber vulnerabilities include reliance on untrusted foreign suppliers and software developers, criminal activity risks, fragmentation and inconsistent oversight of interdependent cyber supply chains, and concentrated cyber risks,” the report says.
Cyber components in energy sector systems are globally sourced in an increasingly fragmented and dynamic digital supply chain. And according to the report, cyber supply chain risks stem from this reliance on lower-cost foreign suppliers of software, “which may be designed, developed, manufactured, maintained, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.”
In addition, the reliance on untrusted foreign suppliers and software developers creates an opportunity for adversaries to insert malicious code into, or otherwise interfere with, software developed within their borders, or to compromise the integrity of datasets.
The report also found that the risk of damage to or destruction of energy system equipment by malicious cyber actors with criminal motives is increasing.
Historically, energy sector systems were not attractive targets for cybercriminals because they generally did not hold significant amounts of monetizable information. But the ease of conducting ransomware attacks and the ability to elicit a quick payoff mean that these attacks will continue to be an issue for the energy sector.
“Ransomware is a more pernicious threat for energy sector systems as it can deny or degrade system availability, and a top requirement for energy sector systems is continuous availability. Malicious cyber actors understand that the priority for availability for energy systems makes these system owners more likely to pay quickly to restore service, rather than face days, weeks, or months of downtime to restore from backups,” the report says.
Regarding the oversight of the energy supply chain, the report finds no holistic definition or framing of the constituent digital supply chains for energy sector systems. The complexity of these digital supply chains results in a fragmented approach to prioritizing and managing interdependent cybersecurity risks.
“Regulation and oversight, where they do exist, are provided by multiple Federal departments and agencies, and multiple levels of state, local, tribal, and territorial governments, each with different approaches,” the report says.
Finally, the report finds that critical infrastructure systems, including energy sector systems, frequently rely on a limited number of strategically important software components. This dependency has been a strategic target for software supply chain attacks, most notably the 2020 SolarWinds Orion platform compromise.
In the report, DOE laid out three cyber-related policy areas to boost the cybersecurity of digital components, virtual platforms, and data.
First, DOE emphasized the importance of improving data and analytic capabilities. To understand current and emerging supply chain threats and risks, it is important to have access to data and analytical tools for decision support in improving and maintaining resilient digital supply chains.
“Current information and analytical tools are fragmented, inconsistent, and incomplete. Comprehensive and normalized data are fundamental to illuminating, analyzing, and baselining systemic digital supply chain risks, as well as tracking progress,” the report notes.
DOE said it plans to partner with other Federal agencies to develop an ESIB Database and analytical decision modeling capabilities.
Second, DOE emphasized the importance of engaging with the public and private sector to develop a strategic approach to securing the digital component supply chain.
“Because cyber supply chain risks are shared among interconnected energy systems, a more holistic approach is needed to effectively increase resilience in supply chain security,” the report notes. This includes “enabling key ESIB-wide functions, including defining and prioritizing critical digital supply chains, baselining and defining goals, and planning for changes anticipated as the drive to modernize and decarbonize the grid accelerates.”
Lastly, DOE emphasized the need for updated oversight and guidelines. Developing more cohesive and consistent policies, standards, and processes to manage shared cybersecurity risks for the ESIB “will help improve the fragmented and inconsistent oversight of supply chain risks for digital components in critical energy systems,” the report notes.