Vulnerable software and data supply chains expose the U.S. power grid to attack, and the U.S. Department of Energy wants to tackle the problem by organizing the sector along the lines of the defense industrial base, officials said at a meeting of the DOE's Electricity Advisory Committee on Wednesday.
Policies to address vulnerabilities in the digital supply chain are being developed and will be included in a report to the White House next year, said Cheri Caddy, senior cybersecurity adviser in the DOE's Office of Cybersecurity, Energy Security, and Emergency Response (CESER).
Foremost among these policies, Caddy said, would be the development of an industrial base for the energy sector similar to the way the U.S. Department of Defense coordinates with a wide range of industries. The energy-sector industrial base would be a collaboration between DOE, the rest of government and the global private sector, able to develop and maintain the systems necessary to meet the energy needs of the United States.
The energy sector is much larger than energy companies alone, so securing its supply chains means casting a wide net, Caddy said. For energy, this could include critical manufacturers and software developers, water and communications companies, as well as more traditional players.
"It's all really part of the industrial base of the energy sector that we want to put in place, to put a rope around in a policy sense, when we think of certain types of policies or mission areas that apply widely," Caddy said.
The goal, Caddy said, is to make sure stakeholders are broadly defined on projects or initiatives that require inclusion, in the same way the DOD has approached defense for decades. And, she added, these stakeholders will evolve with the grid.
"As we introduce and accelerate distributed cleaner energy resources, we seek to add additional stakeholders into the industrial base of the energy sector," said Caddy.
Securing this supply chain will help protect physical and digital assets, she said, as software and data increasingly represent potential vulnerabilities. The acquisition of businesses by foreign firms exposes data and energy modeling to possible manipulation, Caddy said, and the provenance of the code used in modern software is difficult to trace.
Opaque software development is an issue the federal government is already tackling. President Joe Biden issued an executive order in May requiring a software bill of materials (SBOM) in government procurement, so that known vulnerabilities in a product's components can be tracked more effectively. The utilities sector has worked with the National Telecommunications and Information Administration (NTIA) of the U.S. Department of Commerce on an SBOM proof-of-concept for the sector.
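As an added illustration of why an SBOM helps with tracking (this is example code, not anything from the article, DOE or NTIA): a minimal SBOM consumer that parses a constructed CycloneDX JSON document, matches each component's package URL against a constructed advisory list with half-open [introduced, fixed) version ranges, and separately flags components whose supplier is not recorded. The SBOM contents, advisory identifiers, version ranges and supplier names are all constructed placeholders, not real advisories.

```python
"""Match the components listed in an SBOM against known-vulnerable package
versions. The SBOM and the advisory list below are constructed for this
example; the advisory identifiers are placeholders, not real CVEs."""
import json

# Constructed CycloneDX 1.4 JSON SBOM for a hypothetical telemetry service.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "requests", "version": "2.25.1",
     "purl": "pkg:pypi/requests@2.25.1",
     "supplier": {"name": "Example Vendor A"}},
    {"type": "library", "name": "lxml", "version": "4.6.3",
     "purl": "pkg:pypi/lxml@4.6.3"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "group": "org.apache.logging.log4j",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
  ]
}
"""

# Constructed advisory feed keyed by package URL without the version.
# Each entry is (advisory_id, introduced, fixed); affected range is
# [introduced, fixed), so the fixed version itself is not affected.
ADVISORIES = {
    "pkg:pypi/requests": [("EXAMPLE-2021-0001", "2.0.0", "2.26.0")],
    "pkg:maven/org.apache.logging.log4j/log4j-core": [
        ("EXAMPLE-2021-0002", "2.0.0", "2.17.1")],
}


def parse_version(v):
    """Split a dotted version into a tuple of ints for comparison.
    Non-numeric segments compare as 0; adequate for the sample data."""
    parts = []
    for p in v.split("."):
        num = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(num) if num else 0)
    return tuple(parts)


def split_purl(purl):
    """Return (purl_without_version, version) for e.g. pkg:pypi/x@1.2."""
    base, _, version = purl.partition("@")
    # Drop purl qualifiers (?...) and subpath (#...) if present.
    version = version.split("?")[0].split("#")[0]
    return base, version


def load_components(sbom_text):
    """Return the SBOM components that carry a package URL."""
    bom = json.loads(sbom_text)
    return [c for c in bom.get("components", []) if "purl" in c]


def find_affected(components, advisories):
    """Return (purl, advisory_id) pairs for components whose version falls
    inside an advisory's [introduced, fixed) range."""
    hits = []
    for comp in components:
        base, version = split_purl(comp["purl"])
        v = parse_version(version)
        for adv_id, introduced, fixed in advisories.get(base, []):
            if parse_version(introduced) <= v < parse_version(fixed):
                hits.append((comp["purl"], adv_id))
    return hits


def missing_supplier(components):
    """purls of components with no supplier recorded: the provenance gap
    an SBOM makes visible rather than fixes."""
    return [c["purl"] for c in components if "supplier" not in c]


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    for purl, adv in find_affected(comps, ADVISORIES):
        print(f"AFFECTED    {purl}: {adv}")
    for purl in missing_supplier(comps):
        print(f"NO SUPPLIER {purl}")
```

The log4j-core entry sits exactly on the fixed version and is therefore not reported; getting that boundary right is what separates a useful SBOM scanner from one that drowns operators in false positives. Real deployments would pull advisories from a feed such as OSV or the NVD rather than a dictionary, and would use the ecosystem's own version-ordering rules instead of the simple numeric tuple used here.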
"We are all concerned about the dependence on foreign suppliers," especially because software development can occur in adversarial countries, Caddy said.
"This potentially exposes our digital supply chain to the risk of foreign interference," Caddy said. "We really can't say much about where the code is developed. It is assembled from all over the world. Software developers, of course, reuse code libraries, so we don't know where it came from. … So it is certainly a potential vulnerability in the supply chain."
Specific policies to address vulnerabilities in the digital supply chain will be included in CESER’s report to the White House in February 2022.
"We are looking at the full spectrum of policy solutions, and the White House has encouraged us to really think outside the box," Caddy said. The report will examine possible executive actions, legislation, tax incentives and pricing policy, she said.