Cybersecurity is a top-of-mind concern for electric cooperative leadership. As stewards of the country’s critical infrastructure, co-ops understand the need to monitor and secure their internet-connected systems and to train staff to build a culture of security.
But what about things like a newly purchased software platform that arrives without robust cybersecurity defense or, worse, comes with malicious code already embedded? Or a vendor who remotely accesses your system to conduct maintenance or a software upgrade and unwittingly allows an intruder in?
These so-called supply chain issues are key risks in the war against cyberattacks.
“There is digital technology in every aspect of our business,” says Jim Jones, vice president and chief information officer at Maple Grove, Minnesota-based G&T Great River Energy. “Every piece of software essentially opens some form of vulnerability, and we have to address that.”
A new report by NRECA and the American Public Power Association (APPA), Managing Cyber Supply Chain Risk—Best Practices for Small Entities, aims to elevate awareness of the risks associated with a utility’s supply chain and give options for introducing or increasing security to those processes and products.
The paper was written at the request of the North American Electric Reliability Corporation and is based on interviews with and analysis of nine electric cooperatives and municipal utilities.
“Distribution co-ops should determine procurement best practices and enforce them,” says Philip Huff, director of IT security and compliance for Arkansas Electric Cooperative Corp., the G&T based in Little Rock. “This white paper is a good place to start.”
Joe Priestley, director of technical services at Corn Belt Energy Corporation in Bloomington, Illinois, notes that supply chain cybersecurity issues can be extremely complex, but it boils down to a familiar concept: “doing due diligence to make sure we are protecting ourselves and members.”
The report offers a catalog of risk-mitigation practices that bolster supply chain cybersecurity and identifies key operational priorities for utilities to focus on.
Coordination and cooperation
Because procurement decisions are often made in several departments, the report notes, it’s critical that all groups are aware of supply chain risks and that each group takes steps to reduce them. The report authors found that strong engagement from senior leadership and open interdepartmental coordination and cooperation are strong mitigation factors.
“You have to have leadership to identify priorities and ensure that there is follow-through on things,” Jones says. “You have to understand who owns the assets and risks and who has authority to institute mitigation and changes.”
This is especially important for smaller organizations, Jones adds, where the security and risk-mitigation controls apply to all of their assets and affect the entire cooperative’s risk level.
The report also details practices like conducting utility-wide cyber-risk assessments and developing processes for quickly identifying unusual system activity.
The report identifies several options for utilities when they’re choosing a product vendor, including using well-known and trusted companies, reducing the number of vendors used, and vetting vendors with a standard questionnaire.
“Utilities have little to no visibility into how their vendors develop and test software or into their vendors’ employment practices,” the report notes. “[P]rudent selection of vendors will help mitigate … risks up front.”
Huff of Arkansas Electric adds that co-ops have “very limited ability to force any security requirement on a vendor.” That makes it particularly important to evaluate a company’s cybersecurity practices before beginning a relationship, he says.
The report suggests utilities leverage their trade associations and fellow utilities in developing a list of trusted vendors and to vet companies that are less well-known. Future solutions may include third-party cybersecurity accreditation for vendors.
Vendor remote access
The report flags remote system access by vendors as a primary concern for utilities.
Not too long ago, most trusted vendors who requested access to a co-op’s network would be allowed in with few barriers, Jones says. Not so anymore.
“Cooperatives should discuss alternatives, including saying no,” he says. “If there are no other options, cooperatives should insist that the vendor use the cooperative’s own remote access tools instead of using what the vendor recommends or provides. This enables the cooperative to maintain full control and visibility.”
The report notes that there are tools available to help utilities control when vendors can have remote access and where they can go as well as monitoring what a vendor does while on the network.
“At Great River Energy, we physically toggle on and off at our discretion the remote link into one of our generation facilities,” Jones says. “We also have a policy that disallows vendor-provided remote access solutions. All vendors must use our solutions.”
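The controls the report describes, deciding when a vendor may connect, which hosts it may reach, and recording what happened, can be expressed as a small policy check in front of the co-op's own remote-access gateway. The following is an added illustration, not code from the NRECA/APPA report or from Great River Energy; vendor names, hostnames, maintenance windows and the `link_enabled` switch (standing in for the physical toggle Jones describes) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class VendorAccessPolicy:
    """What one vendor is approved to do through the co-op's own remote-access gateway."""
    vendor: str
    allowed_hosts: frozenset      # only these hosts are reachable; nothing else on the network
    window_start: datetime        # approved maintenance window (timezone-aware)
    window_end: datetime
    link_enabled: bool = False    # the remote link stays off until staff switch it on


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp that carries an explicit UTC offset."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("timestamps must carry a UTC offset")
    return dt


def evaluate_request(policies, vendor, target_host, at, via_utility_gateway, audit_log=None):
    """Decide whether a vendor session may proceed and return (allowed, reason).

    Checks run in order: known vendor, arrives through the utility's own gateway,
    link switched on, inside the approved window, target host on the allowlist.
    Every decision, allowed or denied, is appended to audit_log for later review.
    """
    when = _parse(at)
    policy = policies.get(vendor)
    if policy is None:
        allowed, reason = False, "unknown vendor"
    elif not via_utility_gateway:
        allowed, reason = False, "vendor-provided remote access not permitted"
    elif not policy.link_enabled:
        allowed, reason = False, "remote link is switched off"
    elif not (policy.window_start <= when <= policy.window_end):
        allowed, reason = False, "outside approved maintenance window"
    elif target_host not in policy.allowed_hosts:
        allowed, reason = False, "host not on vendor allowlist"
    else:
        allowed, reason = True, "allowed"
    if audit_log is not None:
        audit_log.append({
            "time": when.isoformat(), "vendor": vendor, "host": target_host,
            "via_utility_gateway": via_utility_gateway, "allowed": allowed, "reason": reason,
        })
    return allowed, reason


# Constructed sample policies: hypothetical vendor names, hostnames and windows.
SAMPLE_POLICIES = {
    "scada-vendor": VendorAccessPolicy(
        vendor="scada-vendor",
        allowed_hosts=frozenset({"scada-hist-01"}),
        window_start=_parse("2024-05-01T02:00:00+00:00"),
        window_end=_parse("2024-05-01T06:00:00+00:00"),
        link_enabled=True,      # staff turned the link on for this window
    ),
    "billing-vendor": VendorAccessPolicy(
        vendor="billing-vendor",
        allowed_hosts=frozenset({"billing-app-01"}),
        window_start=_parse("2024-05-01T02:00:00+00:00"),
        window_end=_parse("2024-05-01T06:00:00+00:00"),
        link_enabled=False,     # no session was approved, so the link stays off
    ),
}


def denied_decisions(audit_log):
    """Pull the denials out of the audit trail; these are the lines an analyst reviews."""
    return [(e["vendor"], e["host"], e["reason"]) for e in audit_log if not e["allowed"]]


if __name__ == "__main__":
    log = []
    # Constructed sample requests covering one allowed session and the common denials.
    evaluate_request(SAMPLE_POLICIES, "scada-vendor", "scada-hist-01", "2024-05-01T03:00:00+00:00", True, log)
    evaluate_request(SAMPLE_POLICIES, "scada-vendor", "scada-hist-01", "2024-05-01T03:00:00+00:00", False, log)
    evaluate_request(SAMPLE_POLICIES, "scada-vendor", "plc-gen-unit-1", "2024-05-01T03:00:00+00:00", True, log)
    evaluate_request(SAMPLE_POLICIES, "billing-vendor", "billing-app-01", "2024-05-01T03:00:00+00:00", True, log)
    for entry in log:
        print(entry)
```

The order of the checks matters: a session that arrives over a vendor-supplied tunnel is refused before the window or allowlist is even consulted, which is the policy Jones describes, and the audit entries give the monitoring record the report calls for without relying on the vendor's own logs.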
Software patching, integrity, and authentication
Deploying new software systems, and patching or upgrading current systems, is a key challenge for utilities. The report notes that SCADA security patches are a particular concern.
“[F]ailing to apply software patches in a timely fashion can leave a utility’s system unprotected from known risks,” the report states. “However, knowing which patches to install and when, and deploying those patches across an organization, can be a complicated task.”
Research showed that several utilities negotiate patch management contracts with their vendors that mandate testing and validation of patches before deployment.
For new software systems, utilities report that conducting risk assessments and off-network testing prior to launching the software is essential.
“As technology improves, upgrading to new software and hardware can be attractive in terms of cost and functionality,” the report says. “But the decision to jump to the newest technology should be taken with great care, because the introduction of new technology might increase supply chain risk.”
Report authors pointed out that electric co-ops have access to a host of cybersecurity tools through the Rural Cooperative Cybersecurity Capabilities Program (RC3), a partnership that began in 2016 between NRECA and the Department of Energy’s Cybersecurity for Energy Delivery Systems program.
Among the offerings through RC3 is a series of free Cybersecurity Summits with industry cyber experts as well as peer-to-peer discussions. The program is also developing a cybersecurity self-assessment for co-ops and a series of cybersecurity guidebooks to provide information pertinent to specific job roles within a cooperative.
Visit cooperative.com to read the full supply chain cybersecurity report.