Software supply chain attacks are a growing concern, as evidenced by numerous cyber compromises reported over the past year. Supply chain risks for software, virtual platforms and services, and data in energy sector systems have grown in recent years as increasingly sophisticated cyber adversaries have targeted vulnerabilities in these digital assets. Supply chain risks for digital components will continue to evolve and will likely increase as these systems become more interconnected, digitized, and remotely operated.

On February 24, 2022, U.S. Department of Energy Secretary Jennifer Granholm submitted America’s Strategy to Secure the Supply Chain for a Robust Clean Energy Transition to President Biden in response to Executive Order 14017, America’s Supply Chains, issued one year ago. Not only did Secretary Granholm provide an overall strategy, but in support of the policy actions and recommendations therein, the Department of Energy submitted fourteen deep dive supply chain assessments of critical components and technologies. The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) produced one of these reports, covering cybersecurity threats, vulnerabilities, and risks to supply chains for digital components in energy sector systems. 

Executive Order 14017 sets out a policy foundation for “resilient, diverse, and secure supply chains” to ensure U.S. economic prosperity and national security, with a particular emphasis on maintaining America’s competitive edge in research and development. E.O. 14017 notes that cyber attacks, geopolitical and economic competition, and other conditions can reduce the integrity of critical goods, products, and services. This emphasis on integrity applies to digital components including software, virtual platforms, data and data-related commercial services.

CESER’s report identified key cyber supply chain vulnerabilities, including reliance on untrusted foreign suppliers and software developers; reliance on opaque and highly dynamic global supply chains for digital goods and services; high and often unrecognized reliance on certain ubiquitous key digital components in energy sector systems, which could produce cascading effects if concurrently compromised; and fragmented and inconsistent oversight of interdependent cyber supply chains. The report also identified key cyber threats, including national security threats from adversary nations with sophisticated intelligence collection and cyber capabilities, and threats from criminal actors employing ransomware attacks via digital supply chains.

To address these interdependent risks, DOE is organizing comprehensively and taking action. Key actions will include a more inclusive definition of the Energy Sector Industrial Base; developing interagency data sources and analytics to support comprehensive supply chain assessments; partnering to develop a secure digital component supply chain strategy for the Energy Sector Industrial Base; and addressing fragmented and inconsistent oversight of supply chain risks for digital components in critical energy systems.

CESER’s report highlights cyber supply chain efforts underway at DOE and the National Labs, including the new Energy Cyber Sense Program (under the Bipartisan Infrastructure Law)[1]; the Cyber Testing for Resilient Industrial Control Systems program; and the Clean Energy Cybersecurity Accelerator program. CESER’s report also identifies strategic opportunities energy sector stakeholders can take to ensure that the supply chains for these digital assets are developed with cybersecurity in mind, including applying principles of Cyber-Informed Engineering.

Visit the detailed policy report to learn more about recommendations that address supply chain threats, vulnerabilities, and risks. 

[1] Section 40122 of the 2021 Infrastructure Investment and Jobs Act (Pub. L. 117-58)