'Cyber-hygiene' - firewalls, anti-virus software, etc. - is often conflated with cybersecurity. But this neglects an urgent vulnerability: the software supply chain.
Utilities must secure the software supply chain on their own behalf. Complying with federal standards, like NERC’s CIP-013, isn’t enough.
On average, software contains 135 components - each one a potential vulnerability. In a 2018 survey of senior IT professionals, 66% reported a software supply chain attack. In fact, the high-profile WannaCry and NotPetya hacks - which affected 25% of utility professionals - are both attributed to supply chain vulnerabilities. The average cost of such an attack: $1.1 million.
To face the next wave of cybercrime, utilities need to...
● Pursue a Software Bill of Materials (SBOM) in all software procurement
● Invest in a thorough cyber supply chain risk management plan (C-SCRM)
● Collaborate closely with vendors, security consultants, and the government
● Build a culture of security, transparency, and clear communication
The software supply chain is vulnerable, and utilities must take the lead in securing it.