Risk 4:
Supply Chain Compromise
HIGH RISK
Risk Overview
Description:
A supply chain compromise occurs when a threat actor manipulates hardware, software, or delivery mechanisms before a product reaches a utility provider. This high-level threat can manifest through malicious code implants, hardware tampering, or even compromised vendor employees during equipment servicing.
Because these attacks require significant complexity and effort, the actors involved are typically more sophisticated and capable than average cybercriminals seeking immediate financial gain. A vendor’s vulnerability is often driven by poor security programs and complex supply chains, but risk levels also fluctuate due to changes in ownership, manufacturing locations, or corporate consolidations. Ultimately, this allows breaches to bypass standard security because the products are "pre-infected" before they are integrated into the system.
Key Drivers and Trends:
Bulk power system vendors and suppliers are shared among utilities, resulting in complex, interconnected supply networks. The industry often inherits the trust relationships of its vendors' own suppliers, which makes supply chains a prime entry vector for sophisticated attackers.
Acquisitions and mergers of vendors make tracking the financial and political ties difficult, broadening the inherent risk of a supply chain breach.
The following supply chain graphic, taken from the National Institute of Standards and Technology publication Defending Against Software Supply Chain Attacks, shows how a vendor can be the vector of compromise at many stages of the product and service lifecycle.
The rapid expansion of Inverter-Based Resources (IBRs) across the bulk power system relies on equipment from several manufacturers. Those same manufacturers also aggregate critical monitoring, control, and maintenance functions via remote connections. This shift significantly broadens the industry's attack surface, as global supply chain "touch points" provide adversaries more opportunities to compromise equipment. This threat is no longer theoretical, as evidenced by the discovery of rogue communication devices pre-installed in Chinese-manufactured solar inverters.
This vulnerability is compounded by a sharp rise in software supply chain incidents, with nearly 43% of security executives reporting issues in recent years. Collectively, these trends underscore a critical need for enhanced vendor vetting and oversight as the grid becomes increasingly decentralized and reliant on outsourced digital services.
Event History:
- The 2024 CrowdStrike outage demonstrated how a single faulty software update can trigger massive, industry-wide IT failures and system reboots, even without malicious intent.
- The Red Hat/XZ Utils compromise showed how attackers can inject malicious code into open-source Linux packages to gain remote access to utility operational control systems.
- The Kaseya ransomware attack illustrated how a single breach of a managed service provider (MSP) can rapidly infect hundreds of downstream clients, paralyzing business and operational.
Actions to Reduce Risk:
The following mandatory NERC Reliability Standards exist, or are under development, to help mitigate this risk:
| NERC Reliability Standard(s) | Mitigation Activities |
|---|---|
| CIP-013-2 (Supply Chain Risk Management) | Provides controls for most Bulk Electric System cyber equipment at medium and high impact assets. The standard requires that organizations develop and implement supply chain risk management plans. CIP-013-3, filed and pending regulatory approval, was modified so applicable systems also include shared cyber infrastructure used to support virtualization. |
| CIP-005-7 | CIP-005-7 is applicable to Bulk Electric System cyber equipment at medium and high impact assets and has requirements designed to manage vendor remote access. CIP-005-8, filed and pending regulatory approval, expands the scope of applicable systems that are covered by vendor remote access requirements. |
| CIP-003-9 (Security Management Controls) | This standard is applicable to Bulk Electric System cyber equipment at low impact assets. Requirements are focused on vendor remote access, which is not as expansive as the overall suite of supply chain risk management requirements that are applicable to medium and high impact assets. |
Other recommended actions include:
- Review FERC Order No. 912, and follow NERC Standards Drafting Team 2025-06 Supply Chain Risk Management. This project addresses gaps in supply chain risk management. (The new standard covers plans to identify and respond to supply chain risks by type of Bulk Electric System cyber equipment.)
- Apply the Secure Connectivity Principles for Operational Technology (OT) framework as listed in the Nation-State Threats risk profile.
- Understand the inherent risk of third parties. For example, determine how the vendor's cyber systems are segmented and what the largest impact on your operations would be if that cyber system were rendered inoperable.
- Contractually require vendors to make process and procedure changes to improve controls and reduce third-party risk.
- Support changing equipment specifications and systems architecture so operational control systems that operate the bulk power system are more resilient to attack.
- Vet vendors for foreign involvement with hostile nations. Securities and Exchange Commission filings show changes in control, changes in management, major acquisitions, and company financial health.
