The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 


Supply chain problems mean something else in utility cybersecurity

image credit: Courtesy Dreamstime
Christopher Neely's picture
Independent Local News Organization

Journalist for nearly a decade with keen interest in local energy policies for cities and national efforts to facilitate a renewable revolution. 

  • Member since 2017
  • 753 items added with 371,795 views
  • Jan 17, 2022

Supply chain has become the scapegoat for many of our ills since the start of the pandemic. The supply chain has carried the brunt of everything from car prices skyrocketing to a lack of holiday decorations and gifts. The supply chain has negatively impacted the electric utility industry as well, but not in the way you might expect. 

The complex supply chain for the electric utility industry has increased the vulnerability for cyber attacks. Sure, the remote access capabilities of vendors have long posed a threat and a potential security blind spot, but as the industry moved further toward digitization it has opened up more links in the chain to attack, including consultants, contractors, and integrators. Most of these links in the chain are using the internet to communicate with their home base. 

In a fall 2021 report by industrial cyber security organization, Dragos, the authors said utilities have to understand and attempt to address how the supply chain opens them up to attack. In many cases, this starts at the contract level, learning how these different links in the chain are communicating, what assets they are using and bringing on site. The authors recommend retroactively vetting contracts, which for large utilities, could mean tens of thousands of contracts. 

According to the authors, many attacks are happening at different points in the supply chain. The best example is the SolarWinds attack, where hackers infiltrated the original manufacturer's network and then gained access to client assets. 

The pandemic has also accelerated the industry's use of remote access and virtual private networks so employees could work from home. Work from home and remote access was inevitable, and many companies are organizations were planning for it already. However, the pandemic saw companies giving out free versions of their remote access software in order to soften the disruption of work from home mandates. Although it was, in some ways, positive that companies had to figure out their work from home and remote access policies, some of the security planning was made null by the necessity of using new remote access software. 

The industry's move to digital is as certain as the fact that there will always be groups looking to disrupt power systems through ransomware and malware attacks. They will only get more sophisticated. Power companies big and small are at constant risk, and the supply chain represents the largest soft spot for many companies. Know your contracts, have a response plan, and put cybersecurity as a top priority. 



No discussions yet. Start a discussion below.

Christopher Neely's picture
Thank Christopher for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »