Amidst all the “noise” at the end of last year (tense Russian-Ukrainian and Russian-American relations, including the threat of war, and the Log4j vulnerability), the latest US move on supply chain vulnerabilities, a topic that has drawn attention especially since the SolarWinds attack, barely registered with the public.
This post, probably the longest so far, tries to give an idea of it.
The US Department of Energy (DOE) issued a highly detailed Request for Information (RFI) on 29 November.
It makes for fascinating reading: the questions alone give a true picture of where the US government sees national security risks.
The RFI covers the following main topics:
- Cross-cutting issues related to the energy industrial base
- Solar PV technology
- Wind energy technology
- Energy storage technology
- Electrical grid transformers and HVDC
- Hydropower and pumped storage technology
- Nuclear energy technology
- Fuel cells and electrolysers
- Semiconductors
- Neodymium magnets
- Platinum group metals and other materials used as catalysts
- Carbon capture, storage and transport materials
- Cyber security and digital components
- Commercialisation and competitiveness
All of these are exciting topics, but let’s focus on the ones that concern the SeConSys focus area!
Given the hardware backdoors thought likely to exist in some Chinese-made large power transformers, the questions in Area 5, for example, are particularly pointed:
Area 5: Electrical Grid – Transformers and HVDC (equipment and networks)
- What are the current and future supply chain vulnerabilities in view of … … the expected increase in demand for large power transformers (LPT) and high voltage direct current (HVDC) technology? Which of these vulnerabilities are the ones that the United States most needs to address and focus on, and why?
- …
- … What conditions are needed to provide incentives for companies in the LPT and HVDC supply chain to build and expand domestic manufacturing capacity?
- …
- …
- …
The questions in Area 9 are noteworthy in the light of the global chip shortage:
Area 9: Semiconductors
- What is the current state of the US and global supply chains for both conventional semiconductors used in data and sensing applications related to the energy sector and wide bandgap semiconductors used in power electronics applications to control power flow? What are the current and future vulnerabilities in the semiconductor supply chain as we step up our efforts to transform the energy sector (power supply, energy efficiency, demand-side technologies, grid, fuels, etc.) to support decarbonisation? Which of these vulnerabilities should the United States address and focus on most, and why?
- … Where in the supply chain do you see an opportunity for the US to build domestic capabilities for semiconductor manufacturing? …
- What are the challenges that limit the U.S. ability to take advantage of opportunities to build domestic semiconductor manufacturing? What conditions are needed to provide incentives for companies in semiconductor supply chains to build domestic manufacturing capabilities and expand production? …
- How can government help the private sector and semiconductor manufacturing communities to build domestic manufacturing capacity and scale up semiconductor manufacturing?
- What specific government policies or investments will be most important in supporting semiconductor manufacturing and supply chain resilience?
- …
- …
And finally, let’s look at the area that concerns us most:
Area 3: Cybersecurity and digital components
From a supply chain perspective, digital components in the energy industrial base include firmware, software, virtual platforms and services, data and industrial control systems. Please comment on this scope in your response.
- How should the government approach strengthening the digital component supply chains of the energy industrial base against physical and virtual manipulation and national security threats? How should the federal government prioritize protecting digital component supply chains?
- The explosion in cyber threats to critical infrastructure, including ransomware attacks, is a growing national security concern that may be enabled by vulnerabilities in digital component supply chains, and there are a number of national initiatives underway to address this threat. Are there any energy sector-specific considerations or priorities that the government should take into account to increase the resilience of digital component supply chains to cyber threats, including ransomware?
- What steps should the government take to improve the reliability of digital components within the power sector industrial base and reduce reliance on unreliable software suppliers, integrators and maintainers?
- Global digital component supply chains are highly dynamic and complex. What policies should the government pursue to shed light on the origins of digital components used in energy sector systems? For example, who developed the software, who operates the digital platforms or curates the data sets, and in which countries? Who maintains these digital assets (if anyone) and who has ongoing access for maintenance? How should the government prioritize which digital components and/or systems to illuminate or scrutinize in order to address supply chain risks?
- Digital component providers may not be subject to the same supply chain security requirements as asset owners in the energy sector. Given the interconnectedness and cross-cutting risk between the various digital components that make up energy sector systems, how should government address gaps and/or ensure consistency in supply chain security requirements for digital components?
- Remote operation of systems is a growing trend in the energy sector. What policy steps should the government take to ensure the supply chain security of platforms and services used to run critical functions in the energy sector?
- Aggregated and organised data has become a valuable global commodity (e.g. data as a service) and is now a critical part of global digital supply chains. Data poses cyber supply chain risks similar to software; specifically, malicious manipulation can cause significant and almost undetectable system failures. With the increasing use of artificial intelligence/machine learning capabilities in energy sector systems, what policy steps could government take to address the cyber supply chain risk associated with data?
- How could the government encourage and/or incentivise private sector owners and operators of critical infrastructure in the energy sector to give more weight to national security risks in their business risk decisions?
- What specific skills are needed to develop and grow the workforce supporting the deployment, operation and maintenance of secure digital components of the energy industrial base? For example, are there skills and/or supply gaps in the workforce developing and maintaining software for industrial control systems? What skills are lacking in current education/training programmes? What resources (including time) and structures would be needed to train the cybersecurity workforce? Which employee groups, post-secondary educational institutions and other stakeholders could be valuable partners in these training activities? What new educational programs should be developed to prepare the workforce?
- What other inputs should the federal government consider to support cybersecurity and a resilient supply chain for digital components?
Each of these would be worth at least a separate blog post!
And from a domestic perspective, it is particularly interesting to imagine a similar set of questions being issued by domestic government agencies in the fields covered by the DOE.
Responses were due to the DOE by 15 January 2022. On this basis, the Secretary of Energy is required to prepare a report on supply chain issues in the energy sector by the end of February. If it is published, it will be instructive to learn how electricity stakeholders view their preparedness to address supply chain vulnerabilities and which actions they believe the government should take to address them.
Needless to say, all of these are high profile issues (in the US).
***
We welcome messages either agreeing or disagreeing with the above. For example, by responding to them in a new post, a substantive professional exchange of views could be initiated.