For years, policymakers have been concerned about a catastrophic cyberattack that could disrupt the electric grid, causing widespread power outages and impacting national security, the economy and public safety. As electric utilities and the government grapple with the myriad of cybersecurity challenges affecting critical electric infrastructure, a new challenge has emerged: cyber risk to the thousands of different businesses, vendors and suppliers that make up the electric sector supply chain.
Corporations and government agencies alike are increasingly focused on cyber risk to the supply chain because data breaches affecting critical vendors, contractors and other business associates can cause direct harm to the first-party organization. These third-party incidents represent a growing attack trend. There is perhaps no more famous incident than the 2013 breach affecting the retailer Target. In that incident, attackers penetrated the network of Target's HVAC (heating, ventilating and air conditioning) contractor, which had a direct connection into Target's network in order to monitor refrigeration units in each of the stores. Using the contractor's access, the attackers moved directly into the Target network and stole millions of credit card numbers. The result was not only a material financial loss for Target, but also the ousting of Target's CEO and chief information officer and the near-dismissal of several key board members.
Target is just one of a number of retailers that have experienced third-party breaches. Lowe's, Goodwill and other retailers have also been victimized through their third parties. And it's not just retailers. The recent U.S. Office of Personnel Management data breach, which compromised the data of millions of federal employees, provides another example of how storing data on a third-party server can have catastrophic consequences.
Electric utility organizations are well aware of cyberattacks targeting their own third-party supply chain partners. For example, in 2014, an independent system operator reported a breach at a third-party market monitor that compromised certain sensitive operating cost data for industry participants. The independent system operator severed the connections between its own systems and the breached party's information systems, so that the compromised systems could not be leveraged to cause any further harm.
Federal energy regulators recently surveyed electric utilities on existing practices to prevent a catastrophic cyberattack emanating through the supply chain. Other federal regulators in finance, defense, healthcare and consumer data have all adopted requirements or guidance for supply chain risk management.
Electric utilities are working to reduce their risk from supply chain attacks, following a series of steps that have become best practice across the many sectors seeking to address this new risk. The first step for these organizations is to identify "critical" third parties: those that provide IT (information technology), information and communications technology and/or industrial control systems critical for the operation of the electric grid, and those that maintain connectivity to or access into critical bulk power system networks. Critical electric sector vendors may also include those that hold or maintain sensitive data about electric sector operations, including designs and blueprints.
The second step is to examine third-party contracts to make sure that supply chain partners are held to an agreed-upon level of cybersecurity. Before entering into a contract or signing a renewal, utilities ask for and receive information about the third party's cyber risk management efforts.
And finally, utilities are increasingly seeking to monitor their third parties continuously. Unlike static, point-in-time assessments, real-time alerts when a third party's network security is degraded or compromised allow utilities to work directly with their critical vendors to reduce the impact of a cyber incident.
While there are no silver bullets to eliminate cyber risk to an organization's supply chain, there are concrete steps that every organization can take to reduce and manage the risk. Policymakers, federal regulators and electric utilities can begin by prioritizing these three efforts to address this challenging new cyber risk to the industry.
Olcott is vice president of business development for BitSight Technologies. He previously served as legal adviser to the Senate Commerce Committee and as counsel to the House of Representatives Homeland Security Committee.