February 2-5, 2026 | San Diego, CA
San Diego Convention Center

2025 Technical Conference Sessions

Mitigating cybersecurity risk in utility supply chains

March 26, 2025
C140
Cybersecurity

One of the most overlooked areas when considering the cybersecurity posture of grid entities is the impact of their supply chains. In today’s smart grid environment, myriad third-party solutions are required, most of which either have a digital interface or are connected to highways of remote access in the form of IP packet networks. Many grid partners, meanwhile, utilize their own project applications and tools, and some either connect remotely to an entity’s infrastructure or require the accumulation of sensitive customer information that is then analyzed and processed outside of the entity’s control. 

Finally, a lack of specificity and non-uniform approaches to the identification and assessment of supply chain security risks can lead to incomplete or inaccurate risk evaluations by either the supply chain partner or the entity itself. This variation suggests that supply chain risk analysis may not reflect the actual risk posed to the entity.

These concerns have been addressed with the release of the NERC CIP 013-2 standard, which pertains to supply chain risk management. However, there is currently no single, uniform recommended process for ensuring that supply chain partners are taking appropriate actions to protect entity infrastructure data.

Using real-world practical examples, we will identify weaknesses inherent in current non-standardized grid supply chain compliance activities and offer updates on efforts to improve compliance capabilities and reduce risk. 

 

Chairperson
India James, Director Security Policy - Exelon
Speakers
Anirban (Sunny) Ghosh, Industrial Cybersecurity Consultant - NERC-CIP Lead - Black & Veatch