May 30, 2018
On May 30, 2018, the Atlantic Council’s Cyber Statecraft Initiative launched an issue brief, Supply Chain Vulnerabilities in the Software Era. Welcoming remarks were provided by Magnus Nordenman, Director of the Transatlantic Security Initiative and Deputy Director of the Scowcroft Center for Strategy and Security at the Atlantic Council. As the energy sector’s supply chain becomes more complex and industrial control systems more reliant on software, cyber threats to the energy supply chain with national security implications pose increasing challenges for the energy industry and for governments responsible for the protection of national critical infrastructure.

The launch convened a panel of multidisciplinary professionals from various governmental, nonprofit and private sector organizations to discuss the complex issues, including threat assessment and mitigation, of supply chain vulnerabilities. Panelists at the launch included Andy Bochman, Senior Grid Strategist at Idaho National Laboratory’s National and Homeland Directorate; Joyce Corell, Assistant Director of the Supply Chain and Cyber Directorate within the Office of the Director of National Intelligence; Jesper Gronvall, Director for Business Development in Civil Security Systems at SAAB North America, and Cynthia Quarterman, Distinguished Fellow in the Atlantic Council’s Global Energy Center. The panel was moderated by Beau Woods, Cyber Safety and Innovation Fellow at the Atlantic Council in the Snowcroft Center for Strategy and Security’s Cyber Statecraft Initiative.The launch also featured a hacking demo from ICS Village, demonstrating a real-time remote access ransomware attack on an industrial control systems model of an oil refinery. The simulated attack shut down the temperature control mechanism used during the refinery process.

Following the demonstration, the panel discussed the critical nature of supply chain vulnerabilities as the number of entry points for potential cyberattacks has increased within multiple sectors of the energy industry. Potential solutions, such as supply chain certification or application of existing cybersecurity standards, which could be used to mitigate the risk of cyber breaches were also explored. The panel discussed the importance of individual stakeholders from the energy sector, government, cybersecurity realm and private sector working together to bring viable recommendations for mitigating the threat to the energy sector to policymakers as Congress is focusing more on these issues.