Forum: Energy CEOs ever more aware of supply-chain vulnerabilities

June 18, 2018
Growing use of customized software to make energy supply chains more efficient and versatile also has made them more vulnerable to cyberattacks, and company leaders and specialists are increasingly concerned, speakers agreed during a discussion last month at the Atlantic Council.

Their remarks came as the AC released an issue brief, Supply Chain in the Software Era, co-written by two of the speakers: Andy Bochman, senior grid strategist in the Idaho National Laboratory’s Homeland Security Directorate, and Beau Woods, cyber safety and innovation fellow in the AC’s Scowcroft Center for Strategy & Security, who moderated the discussion.

Also participating were Cynthia L. Quarterman, a distinguished fellow in the AC’s Global Energy Center who previously led the US Pipeline & Hazardous Material Safety Administration and the US Minerals Management Service; Joyce Corell, assistant director in the supply chain and cyber directorate in the Office of the Director of National Intelligence; and Jesper Gronvall, civil security systems business director at Saab North America.

Bochman and Woods found that operational practices and supply chains, while not identical across all energy businesses, including electricity and oil and gas, are similar enough to support a common analysis. “While there already are large bodies of work, key aspects of energy sector cyber supply chain risk remain underexamined,” they said.

After an extensive review of existing literature, they narrowed their research focus to a much-overlooked but large aspect of the energy sector: flaws unintentionally built into software components as products are designed or implemented. These flaws, they said, are called “unintended taint,” which is distinct both from counterfeit substitution of lower-quality or inferior products and from “malicious taint,” the intentional subversion of a supply chain.

Bochman and Woods recommended in their issue brief that:

• Existing frameworks be applied across energy industry segments.

• Incentives be provided to develop trusted internet technology practices to avoid unintended taint in energy operations.

• Government agencies and industry organizations share vulnerability information, monitoring, and coordination to increase awareness of existing software vulnerabilities.

• Congress, the US Departments of Energy and Homeland Security, and other identified stakeholders examine alternative operational, liability, and regulatory models.

“How can we take this complex problem and break it down to systems where we can work? Folks in the energy sector tend to be masters of their own domain. So do folks in the cyberspace sector. They need to work together to be master where their domains cross,” said Woods.

“One challenge we faced was trying to narrow the discussion down so it wouldn’t be so overwhelming, but still make it applicable to a broad range of energy operations,” added Bochman. “The four steps aren’t a solution, but a possible remedy to be discussed. There will be plenty of critics, and we’ll be interested to hear what they say.”

Corell said a wide range of people working in energy are looking for ways to make systems more secure. “It’s the folks in procurement, research, personnel, and security sharing information from their areas of expertise. It’s increasingly an issue where people are trying to find solutions,” she said.

“A decade ago, oil and gas industry computing centers were largely secure. Now, the companies, from multinationals to mom-and-pop operators, need systems which can be sealed,” said Quarterman.

Safety and reliability can pose security conflicts, Quarterman said. “Regulators try to stay ahead of new problems that are developing, but they have had to spend time addressing old problems. At PHMSA, we had pipeline integrity management programs to address safety, but they usually didn’t consider cybersecurity. The government and industry need to work together to develop the necessary solutions,” Quarterman said.

Gronvall observed that the primary goal is to continue delivering products and services reliably. “If we don’t, others will,” he said.

“We’re going to see a shift in the energy risk management landscape where companies and people will need to decide how much they’ll rely on systems,” said Bochman. He noted that in 2015, when Ukraine’s electric power systems were hacked, the operator was phasing out employees and replacing them with an automated system. Not all the workers were gone when problems began to occur, and enough came back to restore service and address problems, he said.

“There are a number of best practices: Know what you have. Know what software is running because your adversaries already have spent a lot of time on your system learning how it works. As companies embrace learning more about their supply chains, their cybersecurity will improve,” Bochman said.
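As an added illustration of the “know what you have, know what software is running” practice Bochman describes, the script below audits a software inventory against an approved baseline and a list of versions with known unintended flaws. This is example code written for this page, not from the issue brief, the Atlantic Council or any of the speakers; the component names, hosts, baseline and advisory identifiers are all constructed placeholders, and the assumption is that an operator has already collected the running inventory from host package lists and vendor firmware manifests.

```python
"""Inventory audit: compare what is actually running with what was approved
and with versions known to carry unintended flaws ("unintended taint").
Added example; every name, host and advisory id below is a placeholder."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Component:
    """One software or firmware component observed on an operational host."""
    name: str
    version: str
    host: str


# Constructed sample inventory (assumption: gathered from host package lists
# and vendor firmware manifests; names and hosts are placeholders).
RUNNING: List[Component] = [
    Component("rtu-firmware", "2.3.1", "substation-a-rtu1"),
    Component("rtu-firmware", "2.2.0", "substation-b-rtu1"),
    Component("modbus-lib", "1.4.0", "scada-hmi-01"),
    Component("hmi-app", "5.0.2", "scada-hmi-01"),
    Component("remote-support-agent", "0.9", "scada-hmi-01"),
]

# Constructed approved baseline: component -> versions procurement signed off on.
APPROVED: Dict[str, Set[str]] = {
    "rtu-firmware": {"2.3.1"},
    "modbus-lib": {"1.4.0", "1.4.1"},
    "hmi-app": {"5.0.2"},
}

# Constructed list of versions with known unintended flaws. In practice this
# would be fed from vendor advisories; the identifier here is a placeholder,
# not a real advisory.
KNOWN_FLAWED: Dict[Tuple[str, str], str] = {
    ("modbus-lib", "1.4.0"): "PLACEHOLDER-ADVISORY-001",
}


def audit(running: List[Component],
          approved: Dict[str, Set[str]],
          flawed: Dict[Tuple[str, str], str]) -> Dict[str, list]:
    """Return three finding lists: components never approved ('unknown'),
    approved components running an unapproved version ('drift'), and
    versions with a known flaw ('tainted', paired with the advisory id)."""
    unknown: List[Component] = []
    drift: List[Component] = []
    tainted: List[Tuple[Component, str]] = []
    for c in running:
        if c.name not in approved:
            unknown.append(c)
        elif c.version not in approved[c.name]:
            drift.append(c)
        advisory = flawed.get((c.name, c.version))
        if advisory:
            tainted.append((c, advisory))
    return {"unknown": unknown, "drift": drift, "tainted": tainted}


def hosts_by_component(running: List[Component]) -> Dict[str, List[str]]:
    """Answer "where is component X running?": name -> sorted host list.
    This is the lookup an operator needs when an advisory arrives."""
    out: Dict[str, Set[str]] = {}
    for c in running:
        out.setdefault(c.name, set()).add(c.host)
    return {name: sorted(hosts) for name, hosts in out.items()}


def format_report(findings: Dict[str, list]) -> List[str]:
    """Render findings as one line each, for a ticket or a daily report."""
    lines = []
    for c in findings["unknown"]:
        lines.append(f"UNKNOWN  {c.host}: {c.name} {c.version} is not in the approved baseline")
    for c in findings["drift"]:
        lines.append(f"DRIFT    {c.host}: {c.name} {c.version} is not an approved version")
    for c, advisory in findings["tainted"]:
        lines.append(f"TAINTED  {c.host}: {c.name} {c.version} has known flaw {advisory}")
    return lines


if __name__ == "__main__":
    for line in format_report(audit(RUNNING, APPROVED, KNOWN_FLAWED)):
        print(line)
```

The three finding classes map onto the brief’s concerns: an unknown component is something nobody in procurement or security knew was there, version drift is the gap between what was approved and what is deployed, and a tainted entry is a component carrying an unintended flaw that an advisory has since disclosed. The `hosts_by_component` lookup is the part that makes an advisory actionable, since the first question after one arrives is which hosts are affected.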

“Companies need to think through what they’re doing. Many still need bodies, or at least cameras, on their operations. Regulators need to keep open minds,” said Quarterman.

“Right now, we try to find a single cause and correct it. We need to become more resilient,” said Corell.

“Striving for efficiency can compromise efficiency. Can you have both? You can if you’re properly informed about risks you are taking if you apply automated systems. Russia uses Ukraine as a testing ground for its attacks. It also can be a classroom for us,” said Bochman.