
CESER Secures Critical Infrastructure Through Cyber Supply Chain Risk Management

CESER's Energy Cyber Sense program helps identify and engineer out cybersecurity vulnerabilities across the energy supply chain

Office of Cybersecurity, Energy Security, and Emergency Response

June 26, 2026

In today's interconnected world, nearly every operation relies on a complex web of digital components—from hardware and firmware to software and services. This reliance can introduce significant vulnerabilities. The Department of Energy's (DOE) Office of Cybersecurity, Energy Security, and Emergency Response's (CESER) Energy Cyber Sense program aims to improve the nation's ability to identify and engineer out cybersecurity vulnerabilities across the energy supply chain through partnerships with manufacturers and energy infrastructure technology users. Robust Cyber Supply Chain Risk Management (C-SCRM) programs are especially critical as they aid in identifying, assessing, and mitigating risks.

Historically, C-SCRM programs have focused on software supply chains. However, evolving cyberattack vectors have demonstrated broader implications for both hardware and firmware. Security needs for these technologies are intricate, depending on their installation, configuration, and maintenance. Addressing risk must go beyond technical security measures and must encompass the processes required to deploy, operate, and maintain these digital components.

A recent IEEE Security & Privacy magazine article showcased CESER's work in this space, including several contributions that would improve C-SCRM. The article explains why practitioners must align on consistent terminology to clearly discuss C-SCRM problems and determine solutions. Additionally, it outlines how experts should classify digital component cyberattacks based on their lifecycle stage and type (hardware, firmware, software, services) to provide a clear understanding of different threat classes and available options for mitigation and response.

The article also highlights key obstacles that C-SCRM programs currently face:

  • Organizational Obstacles: Organizations have greater control over products custom-designed to meet their needs, while commercial-off-the-shelf (COTS) products are cheaper, widely adopted, and easier to use and manage. The widespread adoption, trust, and influence of COTS products can expose organizations to common-mode vulnerabilities (a single flaw shared by every deployment of the same product), which can lead to more cyberattacks.
  • Technical Obstacles: Organizations frequently lack adequate visibility into implicit dependencies among their digital components, which makes it difficult to assess and manage evolving vulnerabilities. Software Bills of Materials (SBOMs) and Software Composition Analysis (SCA) can serve as resources to combat this problem, but they are often plagued with accuracy and usability issues.
  • Procedural Obstacles: Specialization across multiple tiers of suppliers can create silos, increasing the complexity of coordinating mitigation and response efforts. Systems marketed for a specific function to one stakeholder group often possess broader functionality, because they are built on general-purpose computers that support a versatile feature set. This further complicates risk assessment and management.
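The technical obstacle above is concrete enough to show in code. The following is an added example, not code from CESER or the article: it walks a constructed CycloneDX-style SBOM for a hypothetical RTU firmware image, separates the direct dependencies from the implicit (transitive) ones, and flags a reference that appears in the dependency graph but not in the component inventory, which is one of the accuracy gaps that make SBOMs hard to rely on. All package names and versions are invented for illustration.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical RTU firmware image (not a
# real product's SBOM). "pkg:generic/legacy-tls@1.0" is referenced as a
# dependency but never listed as a component: the accuracy gap described above.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"bom-ref": "pkg:generic/rtu-firmware@4.2", "name": "rtu-firmware"},
        {"bom-ref": "pkg:generic/modbus-stack@2.1", "name": "modbus-stack"},
        {"bom-ref": "pkg:generic/rtos-kernel@7.0", "name": "rtos-kernel"},
        {"bom-ref": "pkg:generic/crypto-lib@1.3", "name": "crypto-lib"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/rtu-firmware@4.2",
         "dependsOn": ["pkg:generic/modbus-stack@2.1", "pkg:generic/rtos-kernel@7.0"]},
        {"ref": "pkg:generic/modbus-stack@2.1", "dependsOn": ["pkg:generic/crypto-lib@1.3"]},
        {"ref": "pkg:generic/rtos-kernel@7.0", "dependsOn": ["pkg:generic/legacy-tls@1.0"]},
    ],
})

def dependency_graph(sbom_json):
    """Return (declared component refs, adjacency map) from a CycloneDX-style document."""
    doc = json.loads(sbom_json)
    declared = {c["bom-ref"] for c in doc.get("components", [])}
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    return declared, edges

def transitive_dependencies(edges, root):
    """Everything root pulls in directly or indirectly; walks cycles safely."""
    seen, stack = set(), list(edges.get(root, []))
    while stack:
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(edges.get(ref, []))
    return seen

def undeclared_references(declared, edges):
    """Refs used in the dependency graph but missing from the component inventory."""
    referenced = set(edges) | {ref for deps in edges.values() for ref in deps}
    return sorted(referenced - declared)

def review_sbom(sbom_json, root):
    """Split root's dependencies into direct vs. implicit and flag inventory gaps."""
    declared, edges = dependency_graph(sbom_json)
    direct = set(edges.get(root, []))
    implicit = transitive_dependencies(edges, root) - direct
    return {"direct": sorted(direct), "implicit": sorted(implicit),
            "undeclared": undeclared_references(declared, edges)}
```

Calling `review_sbom(SAMPLE_SBOM, "pkg:generic/rtu-firmware@4.2")` reports the crypto and TLS libraries as implicit dependencies the firmware never declares directly, and lists `legacy-tls` as undeclared, the kind of gap a vulnerability match against the inventory alone would miss.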

CESER delivers timely, actionable information to the energy sector through programs like Energy Cyber Sense. With a dedicated focus on infrastructure hardening efforts, CESER will continue to provide technical assistance to drive innovation on energy hardware, software, and equipment solutions.