Safeguard
Software Supply Chain Security

Software supply chain security for critical energy infras...

From Ukraine's 2015 blackout to Volt Typhoon's grid intrusions, attackers exploit trusted vendor software. Here's what utilities need to know about supply chain risk.

James
Principal Security Architect
7 min read

In March 2024, CISA and the FBI warned that pro-Russia hacktivist groups had compromised human-machine interfaces at US water utilities, spinning pumps and controllers using nothing more sophisticated than default credentials and unpatched firmware. That warning is a preview of a much larger problem: critical energy infrastructure software supply chain security has become one of the most consequential and least understood risk categories in industrial cybersecurity. Power plants, transmission operators, and regional utilities now run on the same open-source components, commercial SCADA platforms, and third-party firmware that power ordinary enterprise software — except a compromised dependency here can cut electricity to hospitals and traffic systems, not just leak customer records. From the 2015 Ukraine grid attack to the 2020 SolarWinds breach that reached multiple US energy agencies, the pattern is consistent: attackers rarely break in — they walk in through a trusted vendor. This piece breaks down where the real exposure sits and what utilities can actually do about it.

Why is critical energy infrastructure software supply chain security different from ordinary IT security?

Because a single compromised update can trip breakers and cut power to a city, not just expose a database. On December 23, 2015, attackers used stolen credentials and malware — including a component called KillDisk delivered through remote-access tooling that vendors used to service client systems — to open breakers at three Ukrainian distribution companies, cutting power to roughly 230,000 customers for up to six hours. The tooling wasn't exotic; the operators' own trusted remote-access software was the entry point. That's the defining trait of energy-sector risk: a grid control environment mixes 20-to-30-year-old SCADA and energy management systems with modern IT and cloud tooling, so a vulnerability introduced anywhere in that chain — a firmware update, a vendor-supplied library, a poorly-vetted patch — can propagate straight into physical process control. In a retail SaaS breach, the worst case is usually data exposure and a disclosure notice. In a generation or transmission environment, the worst case is a multi-hour blackout, a damaged turbine, or a safety system that fails to trip when it should.

How exposed is the power grid to software supply chain risk?

More exposed than most operators would like to admit, and the exposure runs across generation, transmission, and distribution alike. In February 2024, CISA, the NSA, and FBI disclosed that Volt Typhoon, a China state-sponsored group, had been pre-positioned inside US critical infrastructure networks — including electric utilities — for as long as five years, using "living off the land" techniques that blend into normal administrative traffic rather than deploying obvious malware. That kind of dwell time is only possible because power grid software risk is distributed across dozens of trust boundaries: a typical utility's operational technology environment depends on software and firmware from 50 or more third-party vendors, many of whom have limited visibility into their own upstream dependencies. Layer on the 2021 Colonial Pipeline ransomware incident — which forced a shutdown of a 5,500-mile fuel pipeline and disrupted supply along the entire US East Coast after attackers compromised a single legacy VPN account — and it's clear the exposure isn't hypothetical. It's already been exploited, repeatedly, across different parts of the energy value chain.

What is an energy sector SBOM, and why do utilities need one?

An energy sector SBOM is a machine-readable inventory of every component — open-source library, commercial module, firmware package — bundled inside the software that runs grid control and monitoring systems, and utilities need one because they currently can't answer "are we affected?" fast enough when a critical vulnerability breaks. That gap became painfully visible in December 2021, when CVE-2021-44228 (Log4Shell) surfaced: several SCADA, historian, and energy management system vendors took weeks — in some cases months — to confirm whether their products embedded the vulnerable Log4j library, because neither the vendors nor their utility customers had a reliable component inventory to check against. Regulation has started to catch up. Executive Order 14028, signed in May 2021, requires software vendors selling to federal agencies (including the Department of Energy) to provide SBOMs, and NERC CIP-013-1, which took effect in October 2020, obligates registered entities to manage supply chain risk for Bulk Electric System Cyber Systems, including vendor software integrity and authenticity. An SBOM doesn't prevent a vulnerability from existing, but it turns "we don't know" into a five-minute query the next time a Log4Shell-scale event hits.

Why does utility control system security lag behind IT security?

Because control system hardware and software are built for 15-to-25-year operational lifespans, while the software supply chain feeding them moves on an annual or even weekly release cadence. Utility control system security suffers as a direct result: a safety instrumented system installed in 2010 may still be running firmware that hasn't been recertified since, because patching it means a maintenance outage, a vendor re-validation cycle, and sometimes a regulatory filing. Attackers understand this asymmetry well. The 2017 Trisis (also called Triton) malware targeted Schneider Electric's Triconex safety instrumented systems at a Saudi petrochemical facility, specifically going after the safety controllers whose job is to shut a process down before it causes physical harm — the malware was designed to disable that last line of defense. It was later linked to systems with software that had gone years without a security-focused update. Energy operators aren't slow to patch because they're careless; they're slow because the cost of a failed or rushed patch on a live safety system is measured in potential loss of life, not downtime.

What happens when a supply chain attack actually hits energy infrastructure?

Outages, safety-system compromise, and cascading fuel or power shortages — and the record now spans nearly a decade. The 2015 and 2016 Ukraine grid attacks knocked out power to hundreds of thousands of customers using compromised vendor access. The 2020 SolarWinds Orion compromise, distributed through a trojanized software update to roughly 18,000 organizations, reached networks at the US Department of Energy and the National Nuclear Security Administration, though officials stated the malware itself was isolated from mission-critical systems. The 2021 Colonial Pipeline attack didn't touch operational technology directly, yet the company shut down its OT pipeline as a precaution, triggering fuel shortages and price spikes across a dozen states within days. Each incident traces back to the same root cause: a trusted piece of third-party software, hardware, or remote access was the entry point, not a novel zero-day against the grid itself. That's the throughline defenders need to internalize — the fix isn't only better perimeter defense, it's knowing what's actually running inside every vendor component before an adversary finds out first.

How Safeguard Helps

Safeguard is built for exactly this gap between what utilities and energy operators run and what they can actually verify. Our platform continuously generates and maintains SBOMs across both IT and OT-adjacent software estates, so when the next Log4Shell-scale disclosure hits, the question "are we exposed, and where" is answered in minutes instead of weeks. We track component provenance and vendor patch history so that firmware and control-system software updates can be verified before deployment, reducing the chance that a compromised update — the same vector used in the Ukraine and SolarWinds incidents — reaches production. Safeguard also maps discovered risk directly to compliance frameworks utilities already answer to, including NERC CIP-013-1 supply chain risk management requirements and Executive Order 14028 SBOM obligations, turning audit prep from a quarterly scramble into a standing, evidence-backed process. For security and compliance teams managing critical energy infrastructure, that combination — continuous inventory, verified provenance, and mapped compliance evidence — is what turns software supply chain risk from an unknown into something that can be measured, prioritized, and closed before it becomes the next headline.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.