They say the most inopportune time to buy an umbrella is when it’s raining. That’s exactly what’s happening now to US utilities companies scrambling to procure a critical component required to beef up or repair power lines just as the US hurricane season arrives. At the heart of the headache, for the fourth year in a row, is supply chain. Presently, there is a shortage of power transformers — a critical component for turning high-voltage power into consumable electricity for consumer use. Without transformers, utilities’ ability to restore power after a storm is at risk. But the transformer shortage isn’t limited to the utility sector — it’s a threat to energy reliability of critical infrastructure that, if left unaddressed, will impact the operations and test the resilience of every organization in the US. Here’s what you need to know.

Risks To Operational Technology Are A Perfect Storm With Wide Impact

The shortage of power transformers isn’t the only threat to the power grid, which has seen a surge of physical attacks and cyberattacks in recent months. It’s important to understand, however, that these risks are not limited to the energy/utilities sectors. All organizations, businesses, and government agencies rely on critical infrastructure services in some fashion, so any impact to availability has a potential impact on operations as well as their employees, customers, and partners. For security and risk pros, it may be tempting to stay in the compliance or cybersecurity silo, but any issue that impacts the availability of critical infrastructure services requires an “all hands on deck” attitude.

Five Things Security And Risk Pros Can Do To Prevent Further And Future Disruption

As part of the senior management team, security and risk pros can lend their expertise and demonstrate alignment with the business by being an active part of the solution.

  1. Take a holistic risk management approach across the enterprise. Supply chain issues in operational technology (OT) highlight how easily risks move across risk domains. What may start out as a risk in supply chain or a third party can quickly become an enterprisewide risk. Don’t assess risks in functional silos. Instead, make sure that risk assessments incorporate physical security and cyberthreats and their impact on other areas such as operations, business continuity, customer experience, and third-party partners. The disruption of OT systems could even lead to the loss of human life or destruction of the environment.
  2. Build stronger supplier relationships, and don’t take suppliers for granted. The lack of new transformers highlights the need to fully vet sellers, especially those offering refurbished equipment, with checks that go beyond check-the-box questionnaires, to avoid the risk of purchasing counterfeit goods, incompatible solutions, and defective materials. Also, engage your most critical suppliers by including them in regular threat modeling and tabletop exercises. Supplier risk management, especially in OT environments, involves more than documenting service-level agreements and liability clauses in the terms-and-conditions language of your contracts. Monetary compensation after a disruption or critical event doesn’t cover the loss of angry customers or the reputational damage to your brand.
  3. Continue to monitor for risk and potential threats. As existing transformers and utility systems reach capacity, the additional load may increase the risk of cascading outages. Threat actors may take this opportunity to target your company with ransomware or other types of cyberattacks. Elevate the level of operational and threat monitoring. Double-check existing security controls to ensure that they are functioning properly. Research OT threat intelligence information for indicators of potential attack. Conduct threat modeling and incident response exercises to increase preparedness.
  4. Create and follow sound quality-control procedures. Avoid the temptation to take shortcuts by skipping pre-deployment testing and vulnerability assessments. Accelerating schedules to reduce backlogs must be balanced against the risk of installing faulty or incompatible equipment. It is much easier to update and patch OT systems before they go into production. Threat actors will often look to take advantage of this stressful situation by introducing potential back doors into new systems while you are distracted.
  5. Build resiliency into cybersecurity strategies and processes. Funding to restock inventories must come from somewhere, and it may be necessary to delay cybersecurity investments. Security and risk pros should develop strategies with alternative initiatives so they can pivot to different projects when funding is affected and keep making progress on overall cyberresiliency. Having a plan B that includes approved alternative security projects that do not require capital expenses allows you to contribute to overall company goals while simultaneously improving cybermaturity.

Cyberattacks targeting OT directly are still relatively rare, but the threats are growing. This OT risk should be on your list of top risks to monitor in 2023. Feel free to schedule an inquiry with me to talk about supply chain or third-party risk or with Brian Wrozek to discuss OT security and threat intelligence.