Buyer beware
Minnkota has strengthened its supply chain to navigate COVID-19 and new cybersecurity standards.
As businesses began closing their doors and scaling back operations in March, Scott Schreiner admits he was getting nervous. He and others in Minnkota’s procurement department began following the numerous supply chains that weave through the cooperative’s operations in search of any potential failure points as the global pandemic began to take hold.
Nine months later, Schreiner has found the links to Minnkota’s suppliers and vendors are even stronger than he realized.
“We’ve been really happy with the resiliency of our supply chain,” said Schreiner, Minnkota’s procurement manager. “We haven’t had any major issues outside of a few delays. And those delays have only been a week or two. We haven’t seen the complete shutdown of a factory or any major items become unavailable.”
The purchasing of everything from bottles of hand sanitizer to power plant machinery is managed through the cooperative’s procurement department. Many items, specifically at the generation facilities, are unique to the industry and can’t be found on a shelf at the local hardware store. Long-term planning and coordination is vital to keeping projects on track and power flowing into local communities.
Although Minnkota’s supply chain has remained strong throughout 2020, Schreiner was quick to remind that the circumstances can change quickly and a keen focus must be maintained.
“We’re part of a global supply chain,” Schreiner explained. “So we see the impacts, not only of COVID, but also of wildfires in California and other major events around the world.”
New standards for supply chain
Electric utility supply chains have been under the microscope in recent years as cybersecurity risks continue to grow. The concern relates to installing software or equipment that could potentially be corrupted or accessed virtually by a hacker or foreign adversary. As the operation of the U.S. electric grid becomes increasingly digital, utilities have had to respond with robust plans to ensure security.
On Oct. 1, the North American Electric Reliability Corporation (NERC) implemented requirements for utility supply chains under its Critical Infrastructure Protection- (CIP-) 013-1 standard. Each utility was required to develop plans for procuring hardware, software and computing and network services associated with bulk electric system operations.
“We were tasked with evaluating our supply chain from the manufacturer through the various hands it may touch along the supply chain route,” Schreiner said. “We need to understand everyone’s role in process.”
Minnkota assembled a cross-section of employees to learn the security protocols and processes of the manufacturers, value-added resellers and others who interact with the product. From there, risk assessment scores were given and an approved vendor list was generated.
“We developed a questionnaire to help us understand the potential vulnerabilities for each vendor and their supply chain processes,” said Brandon Trontvet, system operations and energy management system (EMS) manager. “As you go through the process, you find there’s multiple different ways a vendor distributes or even produces a specific product.”
Trontvet’s group oversees high-impact areas, such as Minnkota’s energy control center, where personnel are operating and monitoring the bulk electric grid. If equipment were to be installed with malicious code or software already included, wrongdoers are one step closer to creating havoc.
The most notable utility supply chain alert was issued in 2019 when federal officials seized an electrical transformer manufactured in China as it was heading toward Denver due to grid security concerns. While the United States has not experienced a major cyberattack on the electric grid, the risks are real and inching closer. But each time, the electric utility has responded.
“The standard doesn’t eliminate our risks, but it provides the opportunity for us to better understand them,” Trontvet said. “As our plan is implemented, we mitigate as many risks as we can and learn from the process as we get more data. It’s a process that continues to evolve.”
Collaboration is key
As security risks in the electric industry grow, NERC standards have followed suit and are now impacting numerous processes and procedures throughout Minnkota. Noncompliance isn’t an option, as NERC has the authority to issue fines of $1 million per day, per violation.
As utility supply chains come into focus, Minnkota’s employees, vendors and other entities have received a crash course in utility compliance obligations and grid security. Katherine Anagnost, a Minnkota NERC compliance coordinator, credited the North American Transmission Forum for helping bring the nation’s utilities and prominent vendors together and providing a roadmap to ensure consistency across the industry.
“The collaboration internally and externally has really been amazing to witness,” Anagnost said. “I don’t know if we’ve seen this level of collaboration on a NERC standard before. With supply chain, it affects so many different people and everyone needs a voice in the process.”
Although the cooperative has dedicated more than a year to meeting compliance, the work is not done. Coordination with vendors, risk assessments and other activities will continue. And a new version of the NERC supply chain standard is already in development.
“We didn’t stop working when the standard became effective,” Anagnost said. “These groups are still meeting on a scheduled basis to further enhance our processes and help make them less burdensome for our vendors.”
Main image: (Left to right) Brandon Trontvet, system operations and EMS manager; Katherine Anagnost, NERC compliance coordinator; and Scott Schreiner, procurement manager; collaborate on a tablet inside Minnkota’s Grand Forks warehouse.
...