The Importance of Energy Risk Management
The world is more interconnected today than ever before. Our dependencies on global systems and geopolitical issues are increasing. Businesses today rely on complex and multi-tiered supply chain networks. A small event in the supply chain creates a ripple effect that produces negative effects on a much larger scale and that is especially true in energy supply chains.
The energy sector has a far-reaching impact on almost every aspect of our lives as a component of critical infrastructure. It supplies electricity to households and businesses and provides fuel for our transport systems, defense establishments, and emergency services. A stable energy sector is essential for industrial production and economic growth and integral to the health and welfare of citizens.
In this article, we’ll look at why it is mission-critical for energy companies to have complete visibility into the various layers of their supplier ecosystems for supply chain risk management.
The prominence of the energy sector makes it susceptible to malicious attackers looking to gain visibility and political advantage by disrupting critical infrastructure. Disruptions in the energy supply can have severe consequences. A single successful attack can create shockwaves far beyond the initial point of compromised security, creating global headlines and inviting scrutiny from the highest authorities.
Risks & Key Drivers for Change in the Energy Industry
Here are the main types of risks that threaten energy supply chains:
FOCI Risk in the Energy Industry
The U.S. Defense Counterintelligence and Security Agency states that a company is considered to be operating under FOCI (Foreign Ownership, Control, or Influence) if a foreign interest has the direct or indirect power to direct or decide matters relating to its operations or management. For example, FOCI may allow the foreign entity to obtain unauthorized access to classified information or adversely affect the performance of classified contracts.
U.S. Bulk Energy Suppliers (BES) are vulnerable to FOCI risk since they source components from international suppliers, most notably China.
Foreign entities may potentially exploit BES supply chains to threaten critical national infrastructure in several ways:
- Foreign governments can force equipment manufacturers or software developers to insert a ‘backdoor’ that creates vulnerabilities
- Entities may intentionally introduce counterfeit components into distribution channels to degrade system performance.
- Entities may compromise systems during maintenance and repair activities, such as software upgrades or parts replacements.
- Entities may coerce developers to include malware in the industrial control system devices and then access and use the data to disrupt security controls.
In 2015, some U.S. companies discovered that Chinese subcontractors had inserted backdoors into components which were not part of the original product design.
These potential vulnerabilities make it imperative for energy companies to have visibility into several tiers of suppliers. They need information about the owners, ultimate beneficiaries, and key management personnel of sub-tier suppliers to ensure that none of those individuals are on an Specially Designated Nationals And Blocked Persons List (SDN List) that could create indirect exposure.
Many geopolitical issues also introduce risks to our critical infrastructure and influence energy management decisions. The energy sector in the U.S. has seen a significant impact due to the economic and trade sanctions imposed on Russia during the recent Ukrainian conflict, disrupting the flow of goods and services from Russia and Ukraine.
For example, neon, a key element in manufacturing microchips, is largely sourced from Ukraine. The U.S. also uses outsourced engineering services from Ukraine. Shortages of these goods and services are causing supply chain disruptions. Similarly, Gazprom’s decision to shut off natural gas supplies to Poland and Bulgaria leaves a void in supply.
There is an urgent need to secure alternative supply channels for essential goods and services. Energy companies must ensure that they can procure commodities from other jurisdictions that are not impacted by sanctions.
Read our energy supply chain report for more information on key recent regulations addressing FOCI risk.
Apart from FOCI risks, cybersecurity is an important element in energy risk management (ERM) strategies.
BES companies are venturing into digital transformation initiatives to make OT and IT systems interoperable. However, this may provide an opportunity for malicious actors at sub-tier levels to gain access to the company’s data and systems.
A spate of recent cyberattacks on the energy sector prompted the Institute for Critical Infrastructure Technology (ICIT) to name a new category of malware called ‘disruptionware,’ in which adversaries disrupt business operations and affect asset efficiencies.
Here are recent incidents that have implications for managing risks in the energy sector:
- In 2018, Russian hackers targeted over a dozen U.S. power plants across seven states using malware, spear phishing and remote access to networks.
- In January 2022, the Delta-Montrose Electric Association (DMEA) – a Colorado energy company, had to shut down 90% of its internal controls due to malware that wiped out 25 years of historical data, affecting its ability to support payments and billing processes.
- The Colonial Pipeline hack in 2021—the largest publicly disclosed cyber attack against critical infrastructure in the U.S.—is a classic example. The pipeline’s operational technology systems that move the oil were not directly compromised, but attackers stole 100 gigabytes of data within two hours and infected the Colonial Pipeline IT network with ransomware that affected multiple computer systems, including billing and accounting. Colonial Pipeline shut down the pipeline to prevent ransomware from spreading. President Biden declared a state of emergency in 17 states to help manage the crisis. Colonial Pipeline’s CEO approved a ransom payout of $4.4 million in an effort to get the pipeline re-started.
- The 2022 attack on the Amsterdam-Rotterdam-Antwerp (ARA) refining hub crippled shipments to and from Europe’s largest oil hub, and the 2021 cyber attack on the Australian entity C.S. Energy, which threatened to cut off power to millions of households.
There is a strong need to create a trusted providers network through SCRM best practices. This will not only reduce risks of disruptions in critical infrastructure but will also reduce cybersecurity costs.
ESG Regulatory Risks
Another major risk for the energy sector is sourcing components or services from regions that violate human rights, don’t conform to environmental controls or don’t follow fair or ethical practices.
As the energy industry pivots from hydrocarbons to renewable energy sources to fuel the growing demand in the power markets, there are many ESG regulations around climate change and reducing emissions that companies must comply with.
Several laws have been implemented recently to address the Environmental, Social and Governance (ESG) issue of forced labor.
- China’s use of low-cost slave labor from the Uyghurs community produced an unfair economic advantage. The Uyghur Forced Labor Prevention Act enforced compliance for companies, requiring them to certify that no goods made using forced Uyghur labor would enter the United States. Watch our on-demand webinar for a discussion with supply chain experts on the Uyghur Forced Labor Prevention Act.
- Many rare earth minerals and materials for American manufacturers are sourced from countries like China and Russia that fall within the gambit of ESG regulations. Such minerals include metals like dysprosium and terbium, important in defense, and neodymium and praseodymium for motors, turbines, and medical devices.
Energy companies must assess the impact of social and environmental risks across their supply chains.
Two key energy supply chain needs will drive change in third-party risk management practices:
1. Supply chain transparency: Many energy companies only have visibility into the first layer of their supply chain—these may be suppliers they work with directly. But what about the ecosystem of vendors and suppliers who provide services or product components to this first layer in the procurement cycle? Energy suppliers need to have information and transparency into third parties they deal with indirectly, and should develop a methodology for third-party risk measurement.
2. Monitoring cybersecurity risk: When companies have visibility into multiple layers of suppliers and vendors, it allows them to proactively pinpoint vulnerabilities in the ecosystem and gives them the ability to quickly mitigate the risk of cybersecurity breaches before they happen.
Approaches to Energy Risk Management in BPS
BPS (Bulk Power Supply) supply chain vulnerabilities can escalate rapidly into national security issues, making it an imperative for energy companies to monitor high-risk sub-tier suppliers or OEMs. With increasing volatility in supply chains and energy markets, companies must also look at ways to mitigate financial risks and strive for sustainability. Foundational pieces for energy supply chain risk management include conducting risk assessments, developing a compliance framework, conducting regular training and continuously monitoring.
Risk assessment and compliance framework
As a baseline, energy companies should conduct an initial third-party risk assessment to identify FOCI exposure, ESG risks, and cybersecurity threats within their supply chain.
Organizations can engage outside third party risk management (TPRM) and supply chain risk management (SCRM) experts like Exiger Managed Services to study relevant regulations and compliance requirements and to identify where infrastructure changes or new compliance programs are required.
After the risk assessment is complete, the consultant typically provides a final report with the recommended SCRM best practices to effectively address the company’s known and identified risks.
New or updated policies or processes for third-party vendor risk management may include vendor due diligence questionnaires, risk assessment forms, and key metrics to monitor supplier performance.
The solution usually involves enhancing existing policies or incorporating new procedures, with regular monitoring to address fast-changing geopolitical and ESG landscapes.
Training and continuous monitoring
Once new vendor risk management policies and SCRM best practices are in place, training the company’s employees to create response teams is equally important. When an incident occurs, teams must be able to identify the exposure, incident or transaction, report it to the appropriate authorities, react quickly, and take immediate measures to initiate the resolution procedures recommended by the risk management consultant. In addition, a consultative approach helps teams proactively develop policies and align their processes and SOPs with various industry regulations.
Exiger’s Supply Chain Explorer is the Solution to Gain Visibility into All Levels of Your Supply Chain
With unprecedented social, geopolitical and supply chain volatility, organizations across the energy sector must prepare to face new challenges. A key ingredient is a modern security and compliance regime to effectively protect against business disruption and maintain the integrity of the BPS ecosystem by addressing a variety of supply chain risks.
Contact us to arrange for your free trial to see how Supply Chain Explorer provides third-party vendor transparency and monitors your multiple-tiered supply chains.