The US Department of Energy is expected to release detailed proposals by the end of September limiting the use of foreign equipment in the US power grid. These follow a May 1, 2020 Executive Order by President Trump ordering a ban on the use of utility infrastructure manufactured by ‘foreign adversaries’ due to the risk they pose to the power grid’s cybersecurity. Complying with the order will be complex because of the current reliance on foreign suppliers and on global supply chains that stretch across many countries. In addition, vendor lists for utilities often number in the hundreds or even thousands, and ensuring each one is in compliance will be a time-consuming—and expensive—task.
Cybersecurity considerations are playing an increasingly central role across most areas of corporate strategy in all industries. The issues surrounding suppliers of critical equipment highlight the complexity facing many companies—not just utilities—as they assess ever-changing cybersecurity risks in their supply chains. As the ‘efficiency’-driven hyper-globalization of the last two decades gives way to a larger focus on ‘resiliency’ in the wake of COVID‑19 and global political tensions, this will impact company Capex and Opex decisions.
While utility grids may face special potential threats from foreign state actors, purely ‘commercial’ companies face similar challenges in actively managing supply chains in order to reduce potential threat vectors and protect against business disruption due to a key supplier suffering a damaging cyber attack or a breach of its own.
The acceleration of digital transformation—essential to staying competitive in the increasingly digitized business environment—exacerbates these risks. The merging of OT and IT in the utility and industrial sectors is a perfect example of the difficult balance companies need to strike. Pressure to enhance cybersecurity resiliency may initially have been driven by government regulations. But as C-suites, BoDs and investors focus on the downside operational risks and become more aware of the divergence in financial and equity price performance between companies that are ‘good’ and ‘bad’ at cyber governance, the growing centrality of cyber governance to business strategy will also continue to accelerate.