Supply chain problems mean something else in utility cybersecurity

Supply chain has become the scapegoat for many of our ills since the start of the pandemic. The supply chain has carried the brunt of everything from car prices skyrocketing to a lack of holiday decorations and gifts. The supply chain has negatively impacted the electric utility industry as well, but not in the way you might expect. 

The complex supply chain for the electric utility industry has increased the vulnerability for cyber attacks. Sure, the remote access capabilities of vendors have long posed a threat and a potential security blind spot, but as the industry moved further toward digitization it has opened up more links in the chain to attack, including consultants, contractors, and integrators. Most of these links in the chain are using the internet to communicate with their home base. 

In a fall 2021 report by industrial cyber security organization, Dragos, the authors said utilities have to understand and attempt to address how the supply chain opens them up to attack. In many cases, this starts at the contract level, learning how these different links in the chain are communicating, what assets they are using and bringing on site. The authors recommend retroactively vetting contracts, which for large utilities, could mean tens of thousands of contracts. 

According to the authors, many attacks are happening at different points in the supply chain. The best example is the SolarWinds attack, where hackers infiltrated the original manufacturer's network and then gained access to client assets. 

The pandemic has also accelerated the industry's use of remote access and virtual private networks so employees could work from home. Work from home and remote access was inevitable, and many companies are organizations were planning for it already. However, the pandemic saw companies giving out free versions of their remote access software in order to soften the disruption of work from home mandates. Although it was, in some ways, positive that companies had to figure out their work from home and remote access policies, some of the security planning was made null by the necessity of using new remote access software. 

The industry's move to digital is as certain as the fact that there will always be groups looking to disrupt power systems through ransomware and malware attacks. They will only get more sophisticated. Power companies big and small are at constant risk, and the supply chain represents the largest soft spot for many companies. Know your contracts, have a response plan, and put cybersecurity as a top priority.