Introduction

The global electric power sector depends on increasingly complex supply chains that have become a source of cybersecurity risk, which utilities and other organizations in the sector must manage, especially as they continue toward digitalization to realize efficiency and control in their operations. Cybersecurity Supply Chain Risk Management (C-SCRM) requires organizations to understand not only their own infrastructure and processes, but also their dependencies on vendors, their vendors’ cybersecurity risk management capabilities, and the cybersecurity capabilities of the vendors’ products. This handbook considers C-SCRM through the lenses of risk management, asset management, policies and planning, and procurement.

Organization of this Handbook

The contents of this handbook were developed based on a ten-part webinar series on supply chain cybersecurity issues in the electric power sector.[1] Recordings of the webinars are embedded at the beginning of each section. The webinar series was organized through the US Energy Association’s (USEA’s) Advancing Modern Power Through Utility Partnerships (AmpUp) program. The AmpUp program is funded by the United States Agency for International Development (USAID). The ten webinars were grouped into four overarching categories: Risk Management; Asset Management; Governance, Policies, and Planning; and Procurement.

Risk Management

The webinars in this section examined the current landscape of supply chain cybersecurity risks, the standards that exist to help organizations address that risk, and the methods that utilities can apply for risk assessment and mitigation.

Asset Management

The webinars in this section looked at how organizations can adapt to supply chain risks through sound asset management. Defensible architecture is foundational to mitigating many cybersecurity risks, including supply chain risks. Defensible architecture also enables utilities to rely on vendors who require remote access, including cloud services, which behave much like remote users with persistent remote access.

Governance, Policies, and Planning

The webinars in this section covered some of the strategic, executive thinking needed to build a culture of security, including supply chain cybersecurity. All utilities should develop incident response plans that capture how personnel would respond to an incident, especially a supply-chain-related incident. This plan drives requirements for additional controls and capabilities. Governance policies and procedures are essential to create a unified security posture across the organization and to identify and address gaps. Strategic planning and risk management can be informed by widely used frameworks and tools such as Cyber Informed Engineering (CIE) and the Distributed Energy Resources Cybersecurity Framework (DERCF), both discussed in this handbook.

Procurement

The webinars in this section explored the procurement process and lifecycle of relationships with vendors. Utilities must begin with cybersecurity in mind when procuring new products and systems, from gathering requirements prior to the request for proposal, to evaluating vendors and their products, to deploying selected products and services, and even through off-boarding vendors at the end of a relationship with a supplier.

Appendixes

The Acronyms appendix contains a list of acronyms used across this handbook.

The Cybersecurity Supply Chain Checklist appendix contains a list of actions utilities should consider to address supply chain cybersecurity. This list reflects the guidance from all ten webinars in this series.


[1] This webinar series and handbook are a follow-up to the 2020 webinar series and the Electricity Sector Cybersecurity and Digitalization Handbook from USAID and USEA.