Workshop Presents New Approaches to Cybersecurity for Critical Infrastructure Supply Chains

Energy and Security Experts Convene at One of the First Workshops To Focus on Supply Chain Risk Particular to Renewable Technologies

July 30, 2021

Image of a port city with digital lines overlaid demonstrating wireless connections.

A car built in a factory moves down the assembly line as workers bolt on each component. The supply chain is fairly clear: The parts may be manufactured in different places, but all come here for assembly. If just one is compromised, the manufacturer could wind up with a costly recall.

A power system, like a good car, is measured by its speed, reliability, and security, with potentially severe consequences for errors. But unlike car parts that stay static once leaving the factory, energy supply chains are subjected to constant updates and revisions, and they are vulnerable to both faulty engineering and cyberattacks.

These challenges were discussed in a recent full-day workshop hosted by the U.S. Department of Energy (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) and the National Renewable Energy Laboratory (NREL), called Managing Cyber Supply Chain Risk for Renewable Technologies. Policymakers from CESER and the DOE Office of Energy Efficiency and Renewable Energy joined speakers from the counterintelligence community, the national laboratories, and the renewable energy industry to share their perspectives on securing power systems of renewables and distributed energy resources.

“This is an opportunity that you rarely get, to start to address cybersecurity as part of the ideation phase,” stated the acting principal deputy assistant secretary of CESER, Puesh Kumar, in his opening remarks. “With a lot of the legacy electric grid...you’re bolting on cybersecurity after the fact, which ends up being more expensive.” To integrate cybersecurity directly into the architecture of clean energy systems, the focus needs to move upstream.

EERE Principal Deputy Assistant Secretary Kelly Speakes-Backman outlined the Biden/Harris administration’s ambitious clean energy goals, including 500,000 electric vehicle charging stations by 2025, 100% decarbonized electricity by 2035, and investment in innovation fueling this transition. EERE recently announced a $1.5 million request for proposals for projects that integrate security and energy efficiency.

“These investments will help protect American manufacturers, ensure that they are prepared to respond to and recover from cyberattacks, and make them more competitive and resilient,” Speakes-Backman said. DOE is also extending technical support to manufacturers and suppliers.

For example, the Cyber Testing for Resilient Industrial Control Systems program, or CyTRICS, seeks to evaluate emerging software and hardware products, preferably in their early stages, to help manufacturers understand vulnerabilities that they may not have caught in the design process. Standardized testing with consistent and comparable data enables meta-analysis with sector-wide scalability. Developed at Idaho National Laboratory, CyTRICS evaluations are now performed at five national laboratories.

What other part of the supply chain should be assessed? Raw materials and component parts for solar panels and batteries are predominantly produced overseas. NREL senior engineer Samantha Reese presented analysis on how trade policies will impact that supply but is optimistic about the promise of using wide-bandgap semiconductor materials as an alternative. Industry panelist Maggie Morganti, of Schneider Electric, reminded the audience that people are also part of the supply chain. A workforce that is well versed in cybersecurity and drilled in response protocols will be better prepared to sustain operations in the case of a breach.

A reoccurring theme at the workshop was the roles and responsibilities of the stakeholders in a distributed energy system, where many endpoint devices are in customers’ homes or buildings. Given how many people are delinquent on their computer software updates, it is hard to imagine users reliably applying patches to a battery storage system.

“We’ll need more cyber-informed engineering to achieve the security by design we need to meet these challenges,” said moderator Cheri Caddy, a senior advisor for cybersecurity for CESER. Cybersecurity traditionally focuses principally on legacy asset owners, but we will need to incorporate more emphasis on endpoint device manufacturers and third-party integrators. Even when individual private sector entities practice strong cyber hygiene for their own assets, it is often unclear who owns the security interface between those products, a space Caddy referred to as the “seams” of these interdependent systems.

NREL’s Cybersecurity Program Director Jon White also addressed these seams in his closing remarks, describing the program’s focus on optimizing the advanced control systems that sit between utilities and devices and understanding grid integration beyond renewable power.

The NREL mission for cybersecurity, he said, “is to think about everything associated from a system-of-systems perspective; to get from where we are today to a decarbonized future in a secure-by-design manner.” Improving supply chain visibility and understanding the interdependence of operational technology will help manufacturers, distributors, and government officials adapt to the current reality—in which network security is national security.

Learn more about CESER and NREL’s research in cybersecurity.