Guest Post by Debra van Opstal and Katie Jereza
A modern power grid—one with the capacity to sense, monitor and respond—will be critical to America’s future competitiveness, driving growth and sustainability. But a modern grid will also create new risks and vulnerabilities. Some of these risks will come through the Internet or communications networks. There is also growing concern that corrupted, counterfeited or compromised components or software will be introduced through the supply chain, degrading the performance of the power system or causing large-scale disruptions on command.
The U.S. Resilience Project, with support from the U.S. Department of Energy and George Mason University – and in partnership with EnergySec, Edison Electric Institute, GridWise Alliance, Internet Security Alliance and Supply Chain Risk Leadership Council – examined this problem in a workshop on Securing the Smart Grid: Best Practices in Supply Chain Security, Integrity and Resilience. The goal was to explore the extent to which existing best practices in supply chain risk management could help narrow the scope of cyber risks to the smart grid—and identify where there are gaps and opportunities for public-private collaboration.
We had a couple of “aha” insights.
- First, global interconnectivity and interdependence are raising the bar for supply chain risks.
What happens anywhere now has the potential to create ripples everywhere. Floods in Thailand created a worldwide shortage of hard disk drives. The emergence of global supplier networks has increased the risk of poor quality or counterfeit parts or malicious insertion of Trojan Horses. These risks not only endanger critical infrastructure, but also impact corporate revenues, profits and shareholder value. For companies, supply chain has been transformed from a back office issue to a potential bet-the-company risk.
- Second, in order to manage these new risks, America’s corporate leaders have been investing in more stringent supply chain processes and tools that create confidence in sourced materials, manufacturing quality, shipment security and end-of-life disposal.
As part of the workshop preparation, we collected examples of best practices in supply chain security and continuity, including vendor assessment processes, supply chain mapping, the attachment of global positioning systems and sensors to shipments to detect unauthorized entry, and software coding processes that reduce the risks of unauthorized and unwanted coded insertions, to name a few.
- Third, these cutting-edge tools have tremendous relevance to narrowing cyber risks to the smart grid from a spectrum of scenarios.
The problem is that cyber executives are not familiar with best practices in supply chain security and resilience—and supply chain executives are not responsible for cybersecurity. And this is true for both the public and private sectors.
The Bottom Line:
Supply chain and cybersecurity are inextricably linked. The existing processes and tools in supply chain security and resilience within businesses can help inform the challenge of securing the smart grid supply chain from cyber threats. As government seeks to address these threats, it should look to industry best practices that can simultaneously achieve both competitiveness and security. And government resources can be focused on safeguarding the appropriate areas that commercial best practices do not—and often cannot—address.
A report synthesizing the key findings from this initiative will be released in summer 2012. For the most relevant and up-to-date information on practices and tools available today for managing supply chain risk, visit www.usresilienceproject.org.
About Debra van Opstal and Katie Jereza
Debra van Opstal, Director, USRP – Debra was recently a senior vice president at the Council on Competitiveness. While there, she was responsible for developing new programmatic concepts while ensuring high quality and synergies among the Council’s research programs. Ms. Van Opstal also served as the secretary to the Council’s board of directors and led the Council’s work on enterprise resilience, authoring Transform: The Resilient Economy.
Katie Jereza, Director of Cybersecurity Program, Energetics – Katie Jereza [pronounced her-ay-sa] is director of the cybersecurity program at Energetics Incorporated, where she manages strategy and technical support to the DOE Office of Electricity Delivery and Energy Reliability R&D Program. Katie is known for her work in fostering public-private partnerships that help raise broad awareness and drive action on infrastructure protection and resilience issues. In 2009, she won the International Technical Publications Excellence Award for her work with the Roadmap to Secure Control Systems in the Water Sector. In 2011, Katie helped the Energy Sector Control Systems Working Group update the Roadmap to Achieve Energy Delivery Systems Cybersecurity and the Nuclear Sector Joint Cyber Subcouncil develop the Roadmap to Enhance Cyber Systems Security in the Nuclear Sector. Katie holds a B.S. in Chemical Engineering from Virginia Tech and an M.B.A. from Loyola University Maryland.