The ‘Weakest Link’ in Supply Chain Security
The energy transition will bring with it a new generation of cybersecurity challenges for the power sector. While information-sharing has been valuable, strategies to address issues related to vendor security, cyber talent, and lagging investment will also be critical, a former utility supply chain executive who led the development of an industry-wide cybersecurity risk exchange told POWER in an exclusive interview.
Betsy Soehren-Jones, who led Exelon’s Security Strategy before joining Fortress Information Security as its chief operating officer (COO), warned during a wide-ranging interview that challenges “are coming from all different directions” as the world grows more interconnected. Solutions will require a keen awareness promoted by a common model, trust with suppliers, informed investments, and key talent, she said.
Soehren-Jones helped Exelon pioneer an industry model for cyber risk assessment and shared that expertise as co-chair of the Supply Chain Committee for the Edison Electric Institute (EEI), as well as committee lead for Supply Chain at the North American Transmission Forum (NATF). Both organizations now have standards for evaluating the cybersecurity attributes of devices and for exchanging that information across the electric utility industry. Soehren-Jones said she joined Fortress, a supply chain cybersecurity provider for critical infrastructure organizations, as a “next step” to help promote the firm’s “holistic approach” to connecting information technology (IT) assets, operational technology (OT) assets, and vendors. As the firm’s new COO, Soehren-Jones will focus on the expansion of Fortress’ information exchange, the Asset to Vendor (A2V) Library, a platform that currently hosts information on more than 40,000 vendors and products used by more than 40% of the U.S. power grid.
This interview has been edited for length and clarity.
POWER: The power sector is a diverse critical infrastructure industry that is facing a spate of changes—transition changes, fuel changes, regulatory policy, and more. Everywhere you look, there’s some kind of flux. Why is this the right time to join a security company, coming from a utility?
Soehren-Jones: Let me take you back about five years and bring you through my journey on the ‘utility side’ of the house. I came from Exelon, one of the biggest investor-owned utilities (IOUs) in the country. We had six different utility companies across the country, lots of unregulated generation assets, a trading organization, and then obviously, a corporate function. So just about every flavor of cybersecurity was running through Exelon at that point. We needed to make some critical business decisions. Whenever you have a ‘problem’ within the utility industry, one of the things that the utility industry is really good at is getting together and trying to collaborate on solutions. If you think about environmental standards or safety standards, or any others, we all typically come together around the table and say, ‘how should we approach this?’ And we do that because we don’t have to compete for customers.
So, if you just think about the regular nature of what [the utility sector does], we’re very collaborative. We started to have conversations related to cyber, and they really fell into two buckets. The first ‘look’ at cyber was information protection. When we are sending information out of our environments into critical suppliers—so think about your engineering firms, law firms—that posed a pretty big cyber risk to us because if that information went outside of our doors or our walls, there wasn’t really a way to protect it. We had to really look at how to come up with a consistent methodology across the industry, considering that many of us use the same types of firms and strategic partners. It wasn’t an Exelon problem. It was an industry problem.