
teissTalk: Geopolitics & Regulation - Reshaping the Energy Sector’s Supply Chain Risk

On 12 March 2026, teissTalk host Thom Langford was joined by Justin Kuruvilla, Head of Cyber Security, Risk Ledger; John Reilly, Cyber Security and Governance Lead, UK Power Networks; Joseph Couture, Regional Information Security Officer, Ørsted; and Adam Callaghan, Cyber Risk Management Specialist, Wales and West Utilities.


Views on news


Ratings agencies warn that the U.S. and Israeli bombing campaign against Iran could raise the level of cyber risk for U.S. public finance issuers. Fitch Ratings, in a report released on Monday, warned that hacktivists, state-sponsored groups and lone-wolf actors could target critical infrastructure and U.S. public entities in reaction to the war. A March 4 report from CyberCube identifies 12% of large U.S. firms (those with annual revenue above $1 billion) as the most vulnerable to Iran-linked attacks. These firms span seven critical infrastructure categories and include 28 health organisations and 13 energy and utility companies. Although Iranian hackers are regarded as less sophisticated than those of Russia or China, they have already caused a great deal of damage. And although the country itself is largely cut off from the internet, attacks may come from affiliates around the world. Countries sympathetic to Iran may also join in as the fear of attribution and retribution fades.


How the energy sector is managing risk


Europe has more mature security frameworks than the US, and energy providers there can rely on them. In the US, it was the Colonial Pipeline attack that triggered heavy-handed regulation, but only for that one sector. Regulation often focuses on prevention and neglects how quickly a business can recover from an attack. Big tech suppliers have the resources to run security and compliance teams for every country they operate in, but when they do go down it is a global event. For small suppliers, a cyber attack or a fine for non-compliance can be existential, and as a result your company might lose a supplier that is very hard to replace. Meanwhile, start-ups are often built on a proof of concept, and cyber security is not a priority for most of them. More risk-averse companies may, and should, decline to do business with them when they have no ISO certification, no SOC reports and no full security team. In this context, regulation can be a useful nudge for such companies to prioritise security. Even if a business consciously accepts the risk of working with these suppliers, its reasons may not satisfy the regulators.


However, regulating smaller entities will inevitably drive up the prices of their products. It is nonetheless valuable that regulated businesses hold conversations about security with their unregulated suppliers, because those conversations give the security professionals at the supplier leverage to speed up investment in new controls. They also strengthen the position of the regulated business, which can then demonstrate that it was aware of the supplier's shortcomings and of the supplier's intention to address them, rather than claiming it had no knowledge of the issue at all. In critical infrastructure, the "big red button" or "lifeboat mode" is a central issue: the ability to temporarily insulate the energy company from external threats while continuing to serve society adequately. Energy providers must assess whether air-gapping the system is possible or practical, and how it can be done. In the absence of unified databases, audit fatigue is a real risk: suppliers facing repeated questionnaires start returning short, machine-like answers.


The panel’s advice

  • Private-public conversations with regulators are valuable and can reveal vulnerabilities that, for example, unregulated start-ups present to the grid.
  • You can't assure thousands of suppliers, only the ones the business must grant access to its crown jewels.
  • At the level of second- and third-tier suppliers it is hard to influence anything; it is easier to assess the impact of having to operate without them and to make continuity plans for handling such a situation.
  • Supplier information should be treated and shared like threat intelligence, but competition law and the risk of reputational damage currently prevent this from happening.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543