Supply-Chain Security

Scientists Address Risks to Supply Chain in a Connected World

Published 9 November 2024

In a world where billions of lines of computer code are intertwined with critical physical systems whose electronic components come from suppliers across the globe, there is a new kind of risk. The combination of a connected world and a complex supply chain creates opportunities—and vulnerabilities.

Scientists gathered at the Department of Energy’s Pacific Northwest National Laboratory for a first-ever conference to consider ways to protect critical systems such as our electrical grid, water treatment plants and financial networks that are vulnerable in new ways.

The Cyber Supply Chain Risk Management Conference, known as CySCRM 2024, was held on the PNNL-Richland campus Oct. 29-30.

It was a new kind of science meeting, one that scientist Jess Smith and colleagues felt compelled to create as they eye a new kind of risk.

“It used to be that physical systems, such as the devices that open valves or turn on or off transformers, were distinct from traditional computer systems. That is no longer the case,” said Smith. “There is no longer a line between these functions, and anything that is digital could be vulnerable to being hacked. We need to be vigilant about every single device in these incredibly complex networks.”

Imagine a new car, which typically has more than 1,000 computer chips embedded within it, managing everything from fuel efficiency to a smooth ride. Understanding the supply chain, reliability and manufacturing history of every part of the car, including those computer chips and the software that runs them, is a massive challenge.

Now consider the U.S. electrical grid with its millions of components, assembled and maintained by more than 40,000 partners who work cooperatively to keep the electricity humming. Not only the chips but also the software come from all over the world, with source code written by thousands of developers embedded into the larger codebases that run the system.

Tracking the fidelity of code from thousands of developers is challenging. But the opposite situation is also a problem: if there is only a limited number of suppliers, a single compromise can affect many different products, resulting in trouble for millions of people.

In both cases, keeping track of the reliability and authenticity of such code, and of the supply chain behind the software, documented in what officials refer to as a “software bill of materials” or SBOM, is a major focus for security experts.
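To make the SBOM idea concrete, and to show why a small number of shared suppliers matters, here is an added example that is not from the article or from PNNL. It uses a minimal subset of the CycloneDX JSON layout (bomFormat, specVersion, components with name, version and supplier) and three constructed SBOMs for made-up grid devices; all product, component, version and vendor names are invented. Given a fleet of SBOMs, it answers the two questions a defender asks first: which products contain a given component once it is reported compromised, and which components or suppliers are shared widely enough that one compromise would hit many products.

```python
"""Shared-component exposure across a fleet of SBOMs (constructed example)."""
import json
from collections import defaultdict

# Constructed sample SBOMs in a minimal CycloneDX-style JSON layout.
# Every product, component, version and supplier name here is made up.
SAMPLE_SBOMS = {
    "relay-controller": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "tlslib", "version": "2.4.1",
             "supplier": {"name": "Vendor A"}},
            {"type": "library", "name": "modbus-stack", "version": "1.0.3",
             "supplier": {"name": "Vendor B"}},
        ],
    }),
    "meter-gateway": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "tlslib", "version": "2.4.1",
             "supplier": {"name": "Vendor A"}},
            {"type": "library", "name": "json-parse", "version": "0.9.0",
             "supplier": {"name": "Vendor C"}},
        ],
    }),
    "substation-hmi": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "tlslib", "version": "2.3.0",
             "supplier": {"name": "Vendor A"}},
            {"type": "library", "name": "json-parse", "version": "0.9.0",
             "supplier": {"name": "Vendor C"}},
        ],
    }),
}


def parse_sbom(text):
    """Return a list of (name, version, supplier) tuples from one SBOM document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX-style documents are handled here")
    return [
        (c["name"], c["version"], c.get("supplier", {}).get("name", "unknown"))
        for c in doc.get("components", [])
    ]


def index_components(sboms):
    """Map (name, version) -> set of products that ship that exact component."""
    index = defaultdict(set)
    for product, text in sboms.items():
        for name, version, _supplier in parse_sbom(text):
            index[(name, version)].add(product)
    return index


def affected_products(sboms, name, version=None):
    """Products containing `name`; any version if `version` is None.

    This is the impact question asked when a component is reported compromised.
    """
    hits = set()
    for (n, v), products in index_components(sboms).items():
        if n == name and (version is None or v == version):
            hits |= products
    return sorted(hits)


def shared_components(sboms, min_products=2):
    """Components present in at least `min_products` products, most shared first."""
    index = index_components(sboms)
    shared = [(key, sorted(p)) for key, p in index.items() if len(p) >= min_products]
    return sorted(shared, key=lambda item: (-len(item[1]), item[0]))


def supplier_concentration(sboms):
    """Map supplier -> sorted list of products depending on that supplier."""
    by_supplier = defaultdict(set)
    for product, text in sboms.items():
        for _name, _version, supplier in parse_sbom(text):
            by_supplier[supplier].add(product)
    return {s: sorted(p) for s, p in by_supplier.items()}


if __name__ == "__main__":
    print("if tlslib 2.4.1 is compromised:", affected_products(SAMPLE_SBOMS, "tlslib", "2.4.1"))
    print("shared components:", shared_components(SAMPLE_SBOMS))
    print("supplier concentration:", supplier_concentration(SAMPLE_SBOMS))
```

The supplier view is the one that captures the article's "limited number of suppliers" concern: even where versions differ, every product in the sample depends on Vendor A's TLS library, so a compromise at that vendor reaches the whole fleet. In practice the inputs would be the SBOMs a vendor delivers with each product rather than hand-written documents.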

The conference focused not just on the grid but on other critical systems that span the physical and digital worlds, such as water treatment plants, food producers and scientific research.

Scientists at Lawrence Livermore National Laboratory and the University of Texas at El Paso were among the organizers of the conference, with support from NetRise, a company whose focus is on supply chain detection and response. Officials from academia, industry, government and national laboratories attended. A conference hosted by Livermore is already planned for next year.

Tom Rickey is senior science writer at the Pacific Northwest National Laboratory (PNNL). The article was originally posted to the website of PNNL.