Power sector supply chains, hard hit by the COVID-19 pandemic, are feeling the double whammy of uncertainty posed by a broad U.S. executive order.
As was clear at the Federal Energy Regulatory Commission’s (FERC’s) July two-day virtual technical conference to assess the pandemic’s impact on the energy industry, COVID-19 has introduced multiple uncertainties for the power sector. Summarized by the North American Electric Reliability Corp. (NERC), the most crucial risks posed by what it called a “people” event, focus on maintaining critical staff needed to operate and maintain the bulk power system (BPS) and mitigating supply chain issues. The latter, as the Edison Electric Institute’s Philip D. Moeller noted, has been vastly compounded by financial troubles posed by “decreased demand, lower commodity prices, reduced access to credit and reduced market liquidity, increased delinquencies, insolvent customers/unrecoverable defaults, lower and/or more volatile stock prices, construction delays, and lags in rate recovery.”
As a number of participants at the conference pointed out, supply chain issues haven’t yet cropped up in any substantial way, mainly owing to rigorous planning by industry for emergencies affecting the BPS. Pandemic planning, which is pervasive across the industry, has also prompted a majority of companies to review their supply chain needs, and many participants remain ready to support mutual aid requests. Still, the industry appears to be bracing for long-term implications, and NERC itself has warned that constraints involving staffing and material shortages could ramp up risks related to the completion of major construction and maintenance projects. These risks include potential equipment and fuel supply chain disruptions.
Those risks are real and have affected global sub-sectors in varying ways, warned the International Energy Agency (IEA) in a series of reports surveying the power sector’s global sub-sectors over the first few months of the pandemic. Much of the initial pain came from the sharp slowdown in manufacturing owing to stringent lockdowns to contain infections. Early production slowdowns in China, which accounts for 70% of global photovoltaic (PV) module manufacturing, posed logistical delays, though these have since been resolved. Perhaps harder hit was the wind sector, which saw disruptions from lockdowns in countries that harbor major manufacturing hubs, such as in China, Italy, and Spain. At the end of March, the Global Wind Energy Council said its forecast of continued growth across the next five years—more than 355 GW of additions—would “undoubtedly be impacted by the ongoing COVID-19 pandemic, due to disruptions to global supply chains and project execution in 2020.”
The IEA warned that challenges remain for the industry. “Before the crisis, equipment manufacturers faced financial pressures, with tighter margins stemming in part from competitive bidding and lower renewables prices,” it said. Given new uncertainties, some governments and utilities are delaying procurement, which means reduced order books and cash flow for suppliers. While it’s too soon to assess a long-term impact, some analysts suggest that in the immediate future, several entities may shift priorities and business models, looking into repowering existing assets, for example, and adopting more flexible payment terms.
1. How supply chains will fare, owing to a projected fall in energy investment, is uncertain. In its May 2020–released World Energy Investment report, the International Energy Agency (IEA) suggested that fuel supply investments have been hit hardest in 2020 while utility-scale renewable power has been more resilient—but that the pandemic has “touched every part of the energy sector.” Courtesy: IEA
Owing to financial hits, some analysts also project that consolidation of smaller manufacturers with weaker balance sheets may accelerate. Cost-cutting may be inevitable all over the power supply chain (Figure 1), as the IEA pointed out: “This may also raise questions over research and development budgets,” which could boost the fragility of clean energy innovation, “for which there has been good spending progress in recent years.”
Supply Chain Risks Examined
COVID-19 has undoubtedly compounded an already complex business and operating backdrop in which power companies have been functioning as a critical industry to keep the lights on 24-7. But even before the pandemic prompted close scrutiny of existing supply chains in the context of geopolitical risk, the industry was grappling with the growing threats posed by an ever-expanding pool of suppliers.
Boston Consulting Group (BCG), a global firm that has said many of its clients rank among the 500 largest corporations, suggested the increasing reliance on more suppliers is rooted in a “sweeping range of demands” on utilities, which requires a “breadth of expertise, skills, and work capacity necessary to meet them.” It added: “Indeed, for many utilities, contracted labor now accounts for more than half of their total labor hours and for spending that is equivalent to as much as half of the utility’s revenues: many large utilities now spend multiple billions of dollars each year on suppliers.”
But relying on a bigger pool of suppliers poses crucial risks. These include operational risks, where the supplier fails to follow established standards, such as for health and safety, for example. Among noteworthy newer risks are “fourth-party” concerns, where a supplier engages subcontractors that a utility has not vetted; “contractual” risks, where a utility could be prevented by contract restrictions from effectively monitoring the supplier’s work; and “concentration” risks, when a utility becomes too dependent on a single contractor, opening it to higher costs and repercussions if the supplier experiences financial distress.
The Complexity of Supplier-Driven Cyber Risks
However, the most amplified of supply chain risks of late have undoubtedly been supplier-driven cyber risks. In recent years, driven by increasing vulnerabilities and shareholder concerns, power companies have beefed up security measures related to information-based systems—such as internal systems, communications, and customer and employee data—as well as those related to operations, such as those that govern industrial controls or processes. But many experts have warned those efforts haven’t been enough. Concerns about supplier-driven cyber risks have grown so grave, NERC recently issued critical infrastructure protection (CIP) standards to mitigate supply chain risks on the BPS.
On May 1, meanwhile, President Trump signed a broad executive order that limits foreign influence in the U.S. energy grid by targeting grid suppliers potentially compromised by adversary governments, with emphasis on China and Russia. While more details are expected in rules the Department of Energy (DOE) plans to roll out before Oct. 1, the sweeping order covers pending and future transactions related to these suppliers, as well as existing risk-ridden equipment across the vast, sprawling BPS that was supplied by persons considered foreign adversaries.
How the order will affect BPS equipment procurement remains a key concern, and the industry is split about its demands. Joe Weiss, a control systems cybersecurity expert who has warned for years that operational technology (OT) cybersecurity suffers gaps at a basic “level 1” degree, lauded the measure. Of late, the “focus for industrial control system cybersecurity has been on the OT networks, assuming all OT cyber threats have to go through the OT Ethernet networks where they could be detected and hopefully blocked,” Weiss explained. But, “Why would attackers hit defenses head-on when they could simply bypass them?” he asked. “This is a serious problem.”
Some experts expect the order could have wider implications for the sector’s supply chain. Justin Sherman, a fellow at the Atlantic Council’s Cyber Statecraft Initiative, suggested the order stems from “decoupling” efforts, which he defined as “the forcible separation of interdependent and interconnected supply chains,” particularly between the U.S. and China. Because China is able to manufacture specialized components for key equipment, such as power transformers, it has of late gained a crucial foothold in the market.
“In the past decade, China has exported more than 200 large power transformers for use in the U.S. power grid. There are around 2,000 total high-voltage power transformers in the United States, so China’s equipment represents roughly 10% of the total share. That is a significant proportion,” he explained. Also of concern is that established manufacturers of BPS equipment “have moved factories to China as well, underscoring the procurement demand for cheap Chinese components—which also, all too often, have little cybersecurity baked into their design,” he said.
Beyond the decoupling aspect, however, experts note the order could spur much-needed assessments on quality. “Many power companies are often far more concerned with counterfeit or faulty parts in their systems, like the aforementioned transformers, than with adequate security,” said Sherman. “And even if U.S. companies aren’t compromising their energy grid components at the behest of foreign governments, serious supply-chain risks can also come from technically sloppy bulk-power and energy grid components that just have incredibly buggy and terribly managed code. These are potential attack vectors that may be exploited mostly by state actors.”
Mitigation Is Key
So how should the power sector try to mitigate risks in the face of so many disruptions? BCG suggests an effective supplier risk management program may provide a comprehensive solution (Figure 2).
2. An effective supplier risk management program should have six attributes. Courtesy: BCG
An effective program is based on “gaining a thorough understanding of each supplier and its particular mandate with a utility, and it’s grounded in a four-step process: identify, quantify, mitigate, and monitor,” the group says. “The process ensures that all relevant risks are surfaced; that risks are graded according to severity so that management knows where to concentrate its time, energy, and resources; that steps to mitigate risks are identified and shared with the appropriate people at both the utility and the supplier; and that the risks are sufficiently monitored at the management level by both the utility and the supplier.”
Such a program will require a multi-pronged approach in which leaders should commit to the program and make their commitment visible on an enterprise-wide basis. Business and functional units, in turn, must work in close collaboration with the supply chain and procurement functions.
The key is, BCG says, “No stone is left unturned, no base is left uncovered.” If done right, the rewards can range from fewer negative supplier-related incidents to regulatory confidence to boosting internal morale. ■
—Sonal Patel is a POWER senior associate editor.