Gaps in Supply Chain Cyber Security Demand a New Approach
Over the past several days, the country has grieved with the residents of Texas as the power grid failed to deliver the critical energy necessary to keep people warm, operate critical building control systems, and deliver water. The ramifications of this disaster will echo for weeks or months across the realms of politics, technology, global warming, renewable energy, etc.
But as a cyber security professional, the takeaways I draw come back to what it can teach us about cyber risk to the grid.
There will be lots of opinions, analyses, and reviews of what happened to the Texas power grid, but we will let others conclude with more time and data. Today, we are most focused on the basic construct of the supply chain and how this may pose other cyber-related risks.
In late 2020, the cyber world was as focused on the SolarWinds attack as we all are now on the Texas power grid. The audacious attack on SolarWinds software highlighted the risk to software supply chains. Organizations from the federal government to corporations and even cyber security companies such as FireEye were compromised by a very advanced attack that leveraged a weakness in SolarWinds’ software development lifecycle to gain access to their customers’ systems. This attack was so successful because SolarWinds had been so successful.
It was estimated that over 18,000 organizations were impacted by the SolarWinds vulnerability. These companies and public sector groups were “doing the right thing” by managing network and server infrastructure, but the software supply chain created a cyber risk unknown to the defenders. It turned out they were dependent on a weak link in their software supply chain.
But our electric grid relies on another type of supply chain… natural gas. And that supply chain creates a significant risk to the cyber defenses of the power grid itself.
Richard Clarke (the former National Coordinator for Security, Infrastructure Protection and Counterterrorism for the United States between 1998 and 2003 and currently serving as Chairman at Good Harbor Security Risk Management) published a book in 2019 about the cyber threats to our nation called The Fifth Domain. For the book, he interviewed me about the risks to the nation’s private infrastructure such as the power grid. My comment was that one of the largest risks wasn’t to the grid itself, but to the natural gas supply chain that provides its fuel:
"If you really want to shut off electric power, that's not who you attack. You attack the gas pipelines. They are way less protected than the power grid. [The natural gas system is] far more distributed with its compression stations, gasification, satellite comms to wireless modems to PLCs." - John Livingston, The Fifth Domain, p. 269
As our grid shifts from coal to cleaner sources, natural gas has become a growing portion of its energy supply, especially in the gas-rich geographies of Texas and the southwest. Maintaining electricity requires consistent flows from natural gas pipelines and the wells that feed them. In the Richard Clarke interview, I commented that with all the NERC CIP cyber regulations, we had left open a significant risk to the supply chain…the natural gas supply chain.
NERC CIP doesn’t regulate the interstate pipelines on which the grid is so dependent. It certainly doesn’t provide visibility into the security standards of the upstream gas producers. Yet, the grid is as dependent on that supply as it is on the wires that send the electricity to our homes and businesses.
This is the same hidden supply chain risk as SolarWinds. If an attacker could access and compromise those pipelines and/or wells, the grid would be at severe risk.
Well, this risk has been demonstrated in Texas, but with ice rather than hacking. The ice and cold have shut in a large portion of the gas wells that produce the necessary supply. That same ice has frozen the control systems at pumps and transfer points along the pipeline infrastructure that is so critical to the generation facilities. Texas (and other southern states) drove a significant shift away from coal towards plentiful and low-cost gas. But that has placed their supply chain at risk…from ice, or in the future, from hackers.
Cyber security is part of the prevention and handling of a bad scenario, whether due to an attacker or an accident. Today’s bad situation is weather-related, yesterday it was natural disasters in the form of forest fires, and every other day seems to be ransomware and compromised endpoints and VPNs. But all disaster recovery plans need the support of people, processes, and technology. Decision-makers must plan for the worst-case scenario instead of developing plans around optimized conditions.
Obviously, we should focus our immediate efforts on helping the people of Texas survive the urgent health problems and risks to life from this disaster. But as we step back to learn from this Texas power grid situation, I hope that we don’t just take lessons about the risk of weather or global warming on the grid. I also hope we look at the fundamental risk to the supply chain from cyber threats, and then take collective action that does not focus only on regulations to protect the grid itself, but also expands our view to the supply chain elements that are key to its operation.