- Vulnerable software and data supply chains expose the U.S. power grid to attack, and the U.S. Department of Energy wants to address the issue by reimagining the sector as similar to the defense industrial base, officials said Wednesday at a meeting of the DOE's Electricity Advisory Committee.
- Policies to address digital supply chain vulnerabilities are being developed and will be included in a report to the White House next year, said Cheri Caddy, senior advisor for cybersecurity in DOE's Office of Cybersecurity, Energy Security and Emergency Response (CESER).
- Chief among those policies, Caddy said, would be development of an Energy Sector Industrial Base similar to how the U.S. Department of Defense coordinates with a broad range of industries. The energy sector base would be a collaboration among DOE, the rest of government and the global private sector, capable of developing and maintaining the systems required to meet the United States' energy needs.
The energy sector is much larger than just energy companies, so securing its supply chains means casting a wide net, said Caddy. For energy, that could include critical manufacturing and software developers, water and communications companies, along with more traditional players.
"All of those are really part of the energy sector industrial base that we want to bring in, to put a rope around in a policy way, when we're thinking about certain types of policy or mission areas that apply broadly," Caddy said.
The goal, said Caddy, is to ensure stakeholders are broadly defined on projects or initiatives that require inclusiveness — similar to how DOD has approached defense for decades. And, she added, those stakeholders will evolve with the grid.
"As we introduce and accelerate more clean energy distributed resources, we're looking at adding additional stakeholders into the energy sector industrial base," Caddy said.
Securing that supply chain will help guard both physical and digital assets, she said, as software and data increasingly represent potential vulnerabilities. The acquisition of companies by foreign businesses exposes data and energy modeling to possible manipulation, Caddy said, and the code used in modern software is difficult to track.
The opaque development of software is an issue the federal government is already working to tackle. President Joe Biden issued an executive order in May to require the use of software bill of materials in government procurements, to allow for more efficient tracking of known vulnerabilities. And the utility sector has been collaborating with the U.S. Department of Commerce's National Technology and Information Administration on the tracking program.
"We're all concerned about reliance on foreign suppliers," particularly because software development can occur in adversary nations, Caddy said.
"That's exposing potentially our digital supply chain to risk from foreign interference," Caddy said. "We really can't tell a lot about where code is developed. It's assembled from all over the world. Software developers, of course, reuse code libraries, so we don't know where it comes from. ... So it is definitely a potential supply chain vulnerability."
Specific policies to address digital supply chain vulnerabilities will be included in CESER's report to the White House in February 2022.
"We're looking at the full range of policy solutions, and the White House has encouraged us to really think outside of the box," Caddy said. The report will consider possible executive actions, legislation, tax incentives and tariff policy, she said.