Helping Utilities Avoid Buying Risky Technology
If utility companies can avoid procuring risky technology, our nation’s overall cybersecurity profile will improve dramatically. This is the message US regulators are conveying as they work to create something akin to a blacklist that will help utilities purchase new technology only from reputable sellers.
The Growing Focus on Avoiding Risky Technology
The director of FERC’s Office of Energy Infrastructure Security, Joseph McClelland, is spearheading the initiative to create “an open-source procurement list” to help utilities determine where to buy the technology they need. This is part of a broader effort by the federal government to improve transparency around high-risk technology, especially in the energy industry where there is a growing concern around protecting the grid against system hacking.
This is not the first attempt government officials have made to help steer companies away from purchasing risky technology. In 2017, the Department of Homeland Security (DHS) ordered federal agencies to stop using technology from Kaspersky Lab, a Russian antivirus company, due to cybersecurity concerns. NERC quickly followed suit by communicating the warning to US electric utilities.
Since then, other technology has been blacklisted, including telecom equipment from China-based companies Huawei and ZTE. And in late 2018, FERC and NERC published supply-chain security protocols for large electric utilities, requirements that will be enforceable beginning in 2020.
The main downside of this growing level of transparency is that blacklisted companies could fight back in a court of law, exposing government agencies to litigation risk. However, in my opinion, the benefits of the blacklist approach will far outweigh the litigation risk.
All of this is great news for utility emergency preparedness. Technological backdoors represent a huge risk for our industry, probably more so than natural disasters thanks to the increasingly connected nature of the world we live in. A bad purchase decision on risky technology could literally take the grid down for an unpredictable amount of time. Preventing questionable technology from being purchased in the first place will go a long way toward reducing the risk.