The FISMA Focus IPD

For years, policymakers have been concerned about a catastrophic cyberattack that could disrupt the electric grid, causing widespread power outages and impacting national security, the economy and public safety. As electric utilities and the government grapple with the myriad of cybersecurity challenges affecting critical electric infrastructure, a new challenge has emerged: cyber risk to the thousands of different businesses, vendors and suppliers that make up the electric sector supply chain.

Corporations and government agencies alike are increasingly focused on cyber risk to the supply chain because data breaches affecting critical vendors, contractors and other business associates can cause direct harm to the first-party organization. These third-party incidents represent a growing attack trend. There is perhaps no more famous incident than the 2013 breach affecting the retailer Target. In that incident, attackers penetrated the network of Target’s HVAC (heating, ventilating and air conditioning) contractor, which had a direct connection into Target’s network in order to observe refrigeration units in each of the stores. Gaining access to the HVAC contractor, the attackers rode directly into the Target network and stole millions of credit card numbers. The result was not only a material financial loss for Target, but also the ousting of Target’s CEO, chief information officer and the near-dismissal of several key board members.