Category: Perspective

By Andrea Little Limbago

On March 2, the Biden Administration announced a new National Cybersecurity Strategy. The need for a strategic change should not come as a surprise — Interos’ 2022 Resilience survey of 1,500 procurement and cybersecurity leaders revealed supply chain disruptions from cyber incidents alone cost enterprises $37M annually. Estimates of the global annual cost of cybercrime exceed ten trillion dollars.

Interos is closely monitoring the rising costs of cyber disruption and the continuously changing state of play, among other factors. We’ve refined and updated our cyber risk factor, one of the six factors within the Interos i-Score^TM, in light of these and other trends shaping cybersecurity. The enhancements include a new cyber behavior model to detect potentially harmful cyber activity regardless of public disclosure, along with commercial cyber ratings, vulnerability information (CVEs), threat assessment (Mitre ATT&CK®), cyber events, regulatory compliance, and operating country regulations and risks into a single score.

You can read about those details in our press release. This blog will focus on those strategic factors driving these changes and the challenges in developing a solution that delivers cybersecurity insights to non-experts, all within the backdrop of the generational shift underway in the international system.

Trends Driving the New Model

To address the growth in scope and scale of cyberattacks (and their ripple effect across the supply chain) the Biden administration’s new National Cybersecurity Strategy is putting more responsibility on vendors and service providers. This is part of a larger trend prompting organizations to prioritize long-term collective investment in cyber resilience – and is reflective of Interos’ collective resilience approach to cyber.

Cyber leaders are also increasingly acknowledging the human element and assessing those risks through a socio-technical lens. This has led to both a focus on user interactions as well as the growth in new compliance frameworks and regulations. That’s why the enhanced Interos cyber risk factor accounts for compliance with CSF V1.1, NIST SP 800-53, PCI DSS V3.2.1 and other standards, as well as the global expansion of data privacy and cybersecurity regulations.

To that end, an organization’s geographic location plays a crucial role in both compliance as well as data risk levels. This variation stems from differing levels of data sovereignty which depend on the localized cyber and privacy environment. Risks surrounding the concentration of the physical infrastructure underpinning the internet also pose a significant challenge, as seen in the case of Russia’s cyberattack on ViaSat’s services in Ukraine or the disconnection of undersea cables which happened in Scotland and France.

The adoption of collective resilience (creating shared supply chain and operational strength) is accompanying our broader understanding of the range of cyber risks, which is why collaboration is prioritized in national and international cyber strategies. As Alejandro Mayorkas, the Secretary of Homeland Security, noted, “We have to drive the entire ecosystem to be more cyber vigilant.”

Developing Interos’ Enhanced Cyber Model

Tackling Key Challenges in the Cybersecurity Landscape

Development of this new model address two core challenges:

1. Aggregating Data into Intuitive Formats: The difficulty of integrating disparate data sets in a timely manner and presenting them in an intuitive, explorable format. We recognize that many cybersecurity tools are designed for information security professionals, making them inaccessible to others involved in risk management.
2. Understanding Behavior: The importance of understanding both threat actors’ and defenders’ behaviors and integrating that knowledge to identify the most relevant risks.

Cyber has an interesting data problem in that there is a data deluge and a data desert at the same time – meaning there is so much data, but it’s not always the relevant data. The Interos model addresses the above challenges by focusing on integrating and presenting the range of these trends (over individual data points) to capture the core areas of vulnerabilities, threats, compliance, and adverse cyber events. Through this holistic approach we can provide a comprehensive view of cybersecurity risks across the entire supply chain ecosystem, from vendors and service providers to critical infrastructure and sensitive data.

We also utilized the extensive community work and expertise from federal organizations like NIST CVE and MITRE’s ATT&CK framework while accounting for both opportunistic and targeted threats by identifying industries/groups most susceptible to targeting, and vulnerabilities most likely to be exploited. Our approach also focused on quantifying data risks across locations by merging different data types to capture the diverse data sovereignty and global risk environments — a project we presented at Black Hat cybersecurity conference a few years ago.

Implications and Value: Uncovering Hidden Risks and Enabling Proactive Measures

The implications of this new model are vast. It highlights areas of risk that often are not brought together, allowing users to take action to decrease cyber risk. This may include reaching out to critical suppliers that may be at risk and coordinating a plan to elevate their defensive posture, or identifying those key parts of their supply chain located in areas where the data may be more at risk due to an adverse regulatory environment.

The Interos model surfaces a range of cyber risks, while contextualizing those risks within a broader supply chain risk framework. For instance, users can identify who might be at high cyber risk as well as high financial risk, since these suppliers may not have the resources to grow their defensive posture or could be extremely vulnerable to insolvency if attacked given the cost of breaches.

Personal Observations: Expanding Access to Cyber Risk and Addressing Global Challenges

Two particular aspects of this project are especially important to me, in terms of their ability to address broader systemic challenges across the industry that have significant implications for the future :

• Addressing the cyber industry’s gatekeeper problem, which restricts risk assessment access to those with information security technical expertise. Interos’ updated model marks a significant stride towards broadening access to cyber risk assessment outside of an enterprise’s Security Operations Center.
• Further integrating supply chain risk and cyber risk, particularly in the context of a re-globalized world economy, technological bifurcation, and the geopolitical fracturing of the internet. This integration is essential for fostering cyber vigilance and tackling the challenges presented by emerging technologies and global competition.

A modernized approach to cyber risk will be an essential tool for organizations exploring how to adapt to a changing global order whose shifts are being felt across supply chains, geopolitics, and technology development. Interos’ enhanced model for evaluating cybersecurity risk across supply chains signifies a significant step towards that goal.

By expanding access to meaningful cybersecurity information, through a multi-factor, supply chain-wide approach, we can enable organizations to proactively manage and mitigate risks on a far greater scale than ever before, bringing non-cyber experts into the decision room, and fostering resilience and success in this ever-evolving global landscape.

By Nicolas de Zamaróczy

Hundreds of thousands of American and European companies that rely on imported products from Nigeria’s supply chain face a heightened risk of disruption as a result of the protracted political and economic crisis gripping the country.

A presidential election held on February 25^th proved contentious, with widespread irregularities in voting and significant violence.  The national election commission declared  on March 1^st ruling party candidate Bola Tinubu as the winner with 36.6% of the votes cast.  However, opposition parties have thus far refused to accept the results and called for a redo, pointing to the fact that many polling places opened late on election day.  Meanwhile, the country has been reeling for months from a botched currency reform which has completely paralyzed Nigeria’s cash-dependent informal economy.

Western Oil and Agricultural Firms at Risk from Nigerian Supply Chain Disruption

Many foreign companies are at risk of having their imports from Nigeria disrupted. Nigeria’s main export is petroleum, with crude oil, petroleum gas, and refined oil collectively accounting for around 86% of exports by value. However, the country’s cash cow has suffered greatly in recent years with production down to nearly half of its level in 2020.

Nigeria LNG—a natural gas joint venture between the Nigerian state and energy majors Shell, Total, and Eni—has been unable to fulfill export orders for its European customers in recent months. Nigeria’s main other exports are agricultural goods (most notably, cacao beans) and small maritime craft, both of which are at significant risk from the economic turmoil in the country.

Global relationship data in the Interos platform indicates that:

• Roughly 700 American and 400 European companies have at least one Tier-1 (T1) supplier based in Nigeria.
• More than 127,244 American companies have an affected Nigerian company indirectly in their supply chains at Tier 2 (T2), with almost 300,000 at Tier 3 (T3).
• More than 236,000 E.U. and British companies have an affected Nigerian supplier at T2, with over 510,000 at T3.

As has been the case during the last three election cycles (see chart below), Nigeria’s exports to the US had been dropping in the leadup to the election, with the volatile on-the-ground situation complicating normal operations and logistics. (The one-time surge in Nigerian exports to the US in early 2022 was due to re-routing petroleum from other destinations following the breakout of the war in Ukraine.) The lack of clarity in the presidential election suggests that low exports will continue for the foreseeable future.

Interos analysis of Panjiva data. Vertical red lines indicate prior election periods.

Nigeria’s Supply Chain Election-Related Disruptions Likely to Persist into Mid-March

Nigeria voted in a tight three-way presidential election on February 25^th amidst an atmosphere of intimidation and election-related violence.

ACLED, an NGO which tracks political violence, has counted at least 193 incidents of election-related violent activity since January 1^st, 2022 (see map). Human rights observers have issued warnings that Nigeria has not implemented any structural reforms since 2019, when several hundred people died during the last presidential election. These warnings have taken on new urgency following the assassination of a prominent Senate candidate on February 22^nd.

Locations of Election-Related Violence in Nigeria (Jan. 2022 through Feb. 2023)

Source: ACLED’s Nigeria Election Violence Tracker. Latest data available is February 17. The size of the circle indicates the number of violent events at that location, the color of the circle indicates the specific form of violence (e.g. orange = “violence against civilians” Image Copyright: © Mapbox, © OpenStreetMap and Improve this map).

Given that state elections will not conclude until March 11^th, high levels of violence and uncertainty are likely to persist through mid-March, with a consequent impact on economic activity.

 “Cash Crisis” Makes Business-as-Usual Impossible

As if the political chaos were not enough, Nigeria is also suffering from the aftermath of a poorly implemented currency reform. When the Nigerian central bank announced the reform in October 2022, the hope was to combat corruption by redesigning the currency bills most used by criminal organizations. But an overly aggressive window for citizens to redeem their old banknotes combined with an extremely short supply of the new banknotes has left the entire Nigerian economy effectively without cash for several months. This has pummeled the Nigerian informal sector, which according to the IMF accounts for over 50% of GDP and over 80% of employment.

• Riots have been widespread across the country, with at least 7 local bank branches being destroyed. Paradoxically, mobile payment alternatives to brick-and-mortar banking have also stopped working, overwhelmed by a surge in demand.
• Truckers have stopped accepting old currency notes, leaving cash-strapped farmers in a lurch and unable to move their goods; cacao exports have been especially hard hit.
• Foreign airlines have faced particular headaches, routinely clashing with Nigeria’s central bank over the release of their funds, leading Delta Air Lines, British Airways, and Emirates to suspend service to Nigeria in 2022.

Nigerian Exports Likely to Stay Low in the Short Term

American and European firms with Nigerian suppliers in their extended supply chains should stay wary. Interos recommends taking the following actions to promote supply chain resilience:

• Communicate frequently with key Nigerian suppliers (or suppliers you know to be reliant on Nigeria) to determine the production impacts of the election and cash crisis.
• Identify which tier-2 and tier-3 Nigerian suppliers are critical to your direct suppliers.
• Ascertain whether suppliers in Nigeria are prepared for the extended elections period and the likely disruptions it will entail.

Organizations looking to understand where the next big supply chain shock is coming from – and which suppliers they need to engage with to mitigate the impact – should consider investing in supply chain visibility and operational resilience solutions. In times of turmoil, knowing who you are connected to, and how those parties will be impacted by unfolding events, can make the difference between continuity of operations and disaster.

By Alberto Coria and Trent Chinnaswamy

A growing number of attacks on the United States’ critical electricity infrastructure threatens to cause supply chain disruption to thousands of businesses across the country.

In 2022, the U.S. electrical grid sustained at least 103 deliberate physical and cyber-attacks – the highest level in a decade.

Two recent attacks on electricity substations in North Carolina, and four in Washington, have raised alarm among experts at the U.S. Department of Homeland Security (DHS). These attacks resulted in over 45,000 homes as well as businesses in the surrounding area losing power.

In each case, the modus operandi was similar: intruders carrying firearms gained access to the facilities and disabled them. This has led experts to believe that the attacks, which occurred within a short time of one another, may have been coordinated.

Electrical disruptions in the U.S. caused by intentional human interference are rising. Vandalism accounts for the majority of outages, but suspicious activity – where the intention is unknown – and sabotage are also on the increase (see chart).

The previous peak in vandalism was mostly caused by individuals stealing and selling copper wires. But the industry standard has since changed to use a less profitable kind of copper.

Why then are these attacks increasing and what risk do they pose to businesses?

Electrical Grid Failure: Supply Chain Implications

Regional blackouts, defined as power loss in an area, can affect not only households, but also industry and logistics operations. However, the degree to which different entities are affected varies. Owing to their typically higher demand for power, manufacturing facilities are more exposed to power surge issues and accustomed to experiencing power failures, with one in four experiencing a power failure once a month.

Manufacturing facilities are also more likely to have backup and stress-tested generators, and have a coverage plan. However, these are generally focused on short-term power outages caused by high energy demands. In the case of a physical attack on a substation, a manufacturing site may have to deal with a longer-term power outage. So they can still face moderate levels of risk in the case of a physical attack.

Non-manufacturing facilities that are part of a supply chain are also likely to be affected by power outages, with the industries most reliant on electricity at the highest risk. These include financial corporations, IT services providers, data centers, perishable item producers, control centers and medical .

Rural Substations are Key Vulnerabilities

The U.S. electrical grid is broken up into three large, connected networks (Texas Interconnection, Western Interconnection, and Eastern Interconnection) that operate fairly autonomously with eight regions seen (see map).

The U.S. Federal Energy Regulatory Commission has determined that transformers in rural substations are most vulnerable to physical attacks. Substations in urban areas typically have higher levels of monitoring and protection, while rural substations are completely unguarded.

The Eight U.S. Electricity Generating Regions

While substations in rural areas are at high risk of attacks, and the surrounding areas are at risk of a power outage, only 10.8% of the U.S. electrical grid is subject to “cascading” blackouts.

This means that attacks on substations in rural areas are likely to affect only the surrounding areas, and not cause blackouts in other areas of the country. This likelihood of power outages remaining contained to smaller areas places a greater emphasis on assessing supply chain risk exposure in rural areas.

Transformers at high-voltage and rural substations are prime targets for physical attacks, as transformers are difficult to protect and replacement parts are difficult to obtain.

In many of the higher-risk rural areas, substations are considered “dead-end”. Dead-end structures are where the line ends or angles off, meaning there is no backup power connection. The pink dots on the map below indicate the propensity of dead-end substations across the US. The darker the area, the more likely there is no backup power connection in the case of disruption.

What Companies Should Do

To get ahead of this critical infrastructure risk, Interos recommends that companies do the following:

• Use supply chain mapping and operational resilience tools like Interos’ Resilience platform and global relationship data to identify suppliers in industries and locations at the highest risk of being affected by potential power disruptions, and which agencies are responsible for power restoration.
• Engage key suppliers in high-risk regions to understand what impact, if any, they have experienced as a result of physical and/or cyber-attacks.
• Assess high-risk suppliers’ mitigation plans in the case of a regional blackout, and develop business continuity plans or workarounds for such disruptions where possible.

By Nicolas de Zamaróczy

Thousands of U.S. and European companies are facing supply chain disruptions as a result of the ongoing political violence engulfing Peru.

The six-week-long unrest has seen at least 50 people killed and 700 wounded, while exposing the country’s deep societal cleavages.

Supporters of ousted President Pedro Castillo are demonstrating to secure his return to office, facing off against members of the Peruvian police and military who have routinely employed heavy-handed tactics.

The government recently extended a 30-day state of emergency in the capital Lima, as well as the regions of Cusco, Puno and Callao, which will further disrupt business.

Peru: a Key Commodity Exporter, Gridlocked

Peruvian companies, which are experiencing disruptions owing to the protests and associated road blockades, supply thousands of international businesses.

From a geographical analysis of the affected regions of Peru, Interos identified 2.95 million Peruvian entities whose business operations are likely disrupted.

Global relationship data in the Interos platform indicates that:

• More than 7,500 North American companies have at least one Tier-1 (T1) supplier among the affected Peruvian companies.
• More than 1,600 European Union and British companies have at least one T1 supplier among the affected Peruvian companies.
• More than 116,000 North American companies have an affected Peruvian company indirectly in their supply chains at Tier 2 (T2), with almost 355,000 at Tier 3 (T3).
• More than 144,000 E.U. and British companies have an affected Peruvian supplier at T2, with over 483,000 at T3.

Peru’s main exports are agricultural products and minerals, and supply chains reliant on these could be hit hard. The Peruvian agricultural producers’ association, for example, estimated in mid-December that its members had already lost $150m in potential exports due to the political crisis, and those numbers will have grown since then.

From an industrial perspective, Peru is the world’s second-largest producer of copper and zinc, and also a major player in silver and gold production.

On 12 January, a major Swiss-owned copper mine near Cusco was attacked by protestors, while a tin mine announced it was suspending operations for the time being.

While most of Peru’s minerals are exported to China and other Asian economies, disruptions could affect commodity prices and inputs availability worldwide. This would be a blow for downstream industries as well as direct purchasers—copper and silver are both widely used in renewable energy and vehicle manufacturing, while zinc is critical to the production of galvanized steel and iron.

Metals and Minerals Are at Risk

Source: Interos analysis of various industry reports

Transportation Infrastructure is a Main Target

Despite being primarily located in the country’s more indigenous and poorer southern regions, President Castillo’s supporters have nevertheless achieved a nation-wide impact though the deliberate targeting of critical transportation networks.

One of the protesters’ main tactics has been blockading the highways on which national and international trucking depend. As of 17 January, the Peruvian Ombudsman’s Office reported 96 roadblocks, across 14% of country’s provinces, primarily in the country’s lightly populated but mineral-rich south.

Since the start of the crisis, all of Peru’s airports have experienced temporary closures, rail service in the country’s south has been suspended (including at tourist destination Machu Picchu), and commercial truckers continue to  struggle to enter or exit the key southern port of Matarani.

Cross-border commerce with neighboring Bolivia is at a standstill, leaving companies in eastern Bolivia scrambling to find alternate export routes through Chile.

Growing Polarization within South American Countries Complicates Friendshoring

Peru’s ongoing troubles are part of a broader pattern of political upheaval within South American countries. In 2022, large-scale protests occurred in Brazil, Argentina, Bolivia, and even normally peaceful Chile, worrying NGOs that track political violence in the region.

While historically geopolitical tensions in the region were driven by differences between left- and right-leaning countries, increasingly the turmoil is emerging within societies themselves.

Political scientists use the concept of “group grievances” to understand how schisms between different groups in society — particularly divisions based on social, ethnic, or political characteristics — play a role in governance. Group grievances in Peru are currently the highest among all major South American countries (see chart).

Note: Group grievances scores range from 0-10, where 0 = best
Source: Interos analysis of Fragile States Index data from the Fund for Peace

This increasing inability of many South American governments to maintain domestic order complicates hopes that the region could become a hub for “friend-shoring”, the trend whereby Western companies are seeking to move production out of inhospitable locations to more stable and less geopolitically charged destinations.

Ultimately, any attempt at relocating production or sourcing sites must assess their long-term potential for political instability.

How to Mitigate Supply Chain Disruptions

Expect roadblocks to hit your supply chains in 2023. Chief Procurement Officers can mitigate impacts from the Peru protests by:

• Better understanding their extended supply chain dependencies on Peru and identifying those at highest risk of being disrupted.
• Discussing the impact of the protests with T1 suppliers, with an eye towards developing business continuity plans and workarounds where possible/needed.
• Cultivating alternative sources for the products affected in other countries, and potentially looking to see if the orders/volumes in existing contracts need to be adjusted.
• Invest in tools that can integrate geopolitical risk into their supply chain risk management process.

By Geraint John and Daniel Karns

Solar panels (and the solar panel supply chain) have an important role to play in the global transition to clean energy, but China’s use of forced labor to produce key components represents a tangible supply chain risk for U.S.-based companies.

Polysilicon – an essential material in the solar photovoltaic supply chain – is one of three items specifically targeted by the Uyghur Forced Labor Prevention Act (UFLPA), which took effect in June. It gives U.S. Customs and Border Protection (CBP) officers the right to detain imported products suspected of being made or partly made in the Xinjiang region of China.

A delayed and much-anticipated report on the situation in Xinjiang published in August by the UN High Commissioner for Human Rights accused China of “serious human rights violations” that “may constitute international crimes”.

As of the end of September – three months into implementation of the UFLPA – CBP commissioner Chris Magnus said that almost half of the 3,000-plus shipments detained by his agency were covered by the new law, with an estimated value of nearly $500 million. He didn’t specify the products affected, but several leading Chinese solar panel suppliers are reported to have had shipments detained or sent back.

Failing to comply with the UFLPA, knowingly or otherwise, presents serious financial, operational and reputational risks for American solar energy and other firms that need to be addressed.

China Continues to Dominate the Solar Supply Chain

Xinjiang, which is home to the predominantly Muslim ethnic minority Uyghur population, produces about 40% of the world’s supply of polysilicon, a high-purity grade of silicon mined from quartz. This is cast into ingots, which are then cut into wafers and used to make the solar cells that are, in turn, assembled into finished panels (modules).

Action by successive U.S. administrations over the past decade has largely halted the direct import of these products from China:

• Starting in March 2012, the U.S. Department of Commerce imposed tariffs of up to 165% on Chinese solar cells and panels in an effort to stop the dumping of low-cost products into the U.S. market. These measures were ratified and extended in 2014, 2018 and in February of this year.
• In June 2021, the U.S. Department of Labor added polysilicon from Xinjiang to its annually updated List of Goods Produced by Child Labor or Forced Labor. It joins nine other product groups thought to involve the use of forced labor in the region, including cotton, tomatoes, footwear and textiles.
• Later that same month, the CBP issued a Withhold Release Order (WRO) against Hoshine Silicon Industry Co. Ltd, a Xinjiang-based firm accused of using intimidation, threats and restricted movement practices against its workforce. The WRO instructs U.S. port officers to detain shipments of silica-based products made by the company and its subsidiaries.

The U.S. Solar Panel Supply Chain

As a result of these actions, U.S. imports of solar panels now come mainly from other countries in Asia. In the final quarter of 2021, Vietnam, Malaysia and Thailand accounted for more than 80% of shipments (see chart).

However, as with lithium-ion batteries, China dominates solar supply chains. Seven of the world’s 10 biggest solar panel makers are Chinese, and according to U.S. government agencies:

• China owns 72% of global manufacturing capacity for polysilicon (with 54% of total output produced in Xinjiang).
• In addition, China controls 98% of global manufacturing capacity for ingots, 97% for solar wafers, 81% for solar cells and 77% for solar panels.
• Three-quarters of solar cells installed in the U.S. are made by subsidiaries of Chinese firms operating in Vietnam, Malaysia and Thailand, which import large quantities of solar materials from China.

An analysis of Interos’ global relationship platform data in August found:

• 120 direct, tier-1 relationships between U.S. buyers and Chinese solar panel suppliers.
• Almost 9,500 indirect, tier-2 relationships, with the vast majority accounted for by four suppliers: JinkoSolar Holding Co. Ltd; JA Solar Holdings Co. Ltd; Trina Solar Co. Ltd; and Suntech Power Holdings Co. Ltd.
• Hoshine Silicon Industry Co. Ltd – the subject of last year’s WRO action – had just five direct relationships with U.S. buyers, but more than 160 tier-2 connections.

Guilty Until Proven Innocent

Unlike some previous supply chain-oriented legislation, the UFLPA puts on the onus on importers to demonstrate that solar products have not involved the use of forced labor.

In its guidance to importers, CBP notes that “imports of all goods, wares, articles, and merchandise mined, produced, or manufactured wholly or in part in the Xinjiang Uyghur Autonomous Region (Xinjiang) of the People’s Republic of China (PRC), or by entities identified by the U.S. government on the UFLPA Entity List, are presumed to be made with forced labor and are prohibited from entry into the United States.”

It continues: “The presumption also applies to goods made in, or shipped through, the PRC and other countries that include inputs made in Xinjiang.”

Mapping solar supply chains is therefore an essential foundation for companies to comply with the UFLPA. Speaking to Bloomberg earlier this month, AnnMarie Highsmith, an executive assistant commissioner at CBP, said companies needed tools to identify potential forced labor in their supply chains and avoid unwitting violations of the act.

A particular danger here is “supply chain washing” – where suppliers seek to avoid the UFLPA and other trade restrictions by routing raw materials, components and finished products tainted by forced labor through intermediary countries.

What can you do to safeguard your solar panel supply chain?

Alongside mapping and monitoring activities, CBP’s guidance document stipulates the following in relation to polysilicon:

• “Importers need to provide complete records of transactions and supply chain documentation that demonstrate all entities involved in the manufacture, manipulation, or export of a particular good, and the country of origin of each material used in the production of the products going back to the suspected source of forced labor, i.e., production in Xinjiang or by an entity on the UFLPA Strategy entities lists.
• “Provide a flow chart mapping each step in the procurement and production of all materials and identify the region where each material in the production originated (e.g., from location of the quartzite used to make polysilicon, to the location of manufacturing facilities producing polysilicon, to the location of facilities producing downstream goods used to make the imported good).
• “Provide a list of all entities associated with each step of the production process, with citations denoting the business records used to identify each upstream party with whom the importer did not directly transact.
• “Importers should be aware that imports of goods from factories that source polysilicon both from within Xinjiang and outside of Xinjiang risk being subject to detention, as it may be harder to verify that the supply chain is using only non-Xinjiang polysilicon and that the materials have not been replaced by or co-mingled with Xinjiang polysilicon at any point in the manufacturing process.”

CBP officials acknowledge that more staff are needed to fully monitor and enforce UFLPA requirements at U.S. ports of entry. But experience from its first quarter of operation suggests that companies cannot afford to be complacent about the act, which sets a new and higher bar for supply chain risk management.

By: Trevor Howe, Senior Operational Resilience Consultant

On September 26th, sudden drops in pressure were observed in the natural gas pipeline Nord Stream 2 before undersea leaks were detected in the Baltic Sea. Shortly thereafter, leaks were also detected for Nord Stream 1. While the pipelines are not currently facilitating gas flows from Russia to Europe, they were filled with natural gas which has leaked into the Baltic, creating an operational hazard for vessels in the area. The Prime Minister of Sweden, Magdalena Andersson, disclosed to a news conference on September 27th that seismologists in Sweden, as well as Denmark, had registered two powerful blasts the day prior in the vicinity of the leaks. Moreover, the explosions occurred in the water, not under the seabed, and at relatively shallow depths which would be reachable by divers or unmanned underwater vehicles.

Nord Stream Sabotage Damages European Energy Infrastructure

While these explosions occurred inside the exclusive economic zones of Sweden and Denmark, they have not been considered an attack on either country, which could trigger NATO intervention through Article V of the Washington Treaty. European Officials, including NATO, have claimed that the explosions were the result of sabotage, though the European Union has not yet named a perpetrator or suggested a reason behind the incidents. The Kremlin’s spokesman, Dmitry Peskov, also told reports that the incidents could have been the result of sabotage and that they would promptly investigate the matter.

While investigations are underway to ascertain the cause of the explosions and responsible parties, neither pipeline was active and these incidents should have no immediate effect on the supply of natural gas to Europe, though they have put additional upward pressure on prices.

Operational Threats Against Energy Infrastructure & Supply Chain

What the Nord Stream events highlight is the fact that European critical infrastructure can be a potential target for those seeking to precipitate disruptions and undermine energy security on the continent. This threat is made particularly dangerous amid EU Member States’ efforts to prepare for the winter season without Russian natural gas.

The speaker of Lithuania’s parliament, Viktoria Čmilytė-Nielsen pointed out that “these incidents show that energy infrastructure is not safe” and that “[the explosions] can be interpreted as a warning.” If indeed these explosions were intended as a warning, it is possible the threat could be directed towards the Baltic Pipe, a new gas pipeline carrying supplies from Norway through Denmark to Poland which was just opened on September 27. Norway has been a crucial supplier to Europe amid the scramble to replace Russian energy, so disruptions to Norwegian exports could have significant downstream effects. However, it is crucial to note that this threat is not unique to Norwegian energy infrastructure.

Cyber Threats Against Energy Infrastructure

While physical threats to critical infrastructure (as defined by Council Directive 2008/114/EC of 8 December 2008) are a priority for EU Member States, governments must also prepare against cyber threats. According to the Commission, “traditional energy technologies are becoming progressively more connected to modern, digital technologies and networks,” and while this makes the energy system smarter, “digitalization creates significant risks as an increased exposure to cyberattacks and cybersecurity incidents potentially jeopardizes the security of energy supply and the privacy of consumer data.”

One need only look to the disruptions caused in the U.S. in the wake of the ransomware attack against the Colonial Pipeline Company in May 2021 which led to the shutdown of 5,500 miles of pipeline carrying around 45% of fuel supplies on the East Coast. That attack was made possible by a single password being compromised for a legacy virtual private network (VPN) which didn’t use two-factor authentication. A relatively simple theft enabled hackers to disrupt one of the country’s largest and most vital pipelines, forcing President Biden to declare a state of emergency.

Europe is not immune to threats similar to the Colonial Pipeline cyberattack. Early February 2022 saw a slew of cyberattacks against oil transport and storage companies across the continent. These attacks forced an affected company, Oiltanking Deutschalnd GmbH & Co. KG, to operate at a limited capacity and even caused slowdowns at ports in the Netherlands as barges awaited oil deliveries. With supply chains in a state of recovery due to the COVID-19 pandemic, disruption events like this have the potential to set recovery efforts back significantly, especially at a time when energy security in Europe is a top priority.

Russian Hybrid Warfare

Though Russia has wielded energy as a foreign policy weapon, by cutting flows entirely through the Yamal pipeline and Nord Stream 1 the Kremlin has lost leverage in terms of the future damage it can unilaterally instill via energy exports to Europe. As a result, it would be unsurprising if Russia were to employ additional hybrid warfare tactics in the form of cyberattacks, an area in which the Kremlin wields asymmetrically advanced capabilities, to further Russian national interests. These could include attacks which target critical energy infrastructure to further destabilize Europe’s energy security and put more upward pressure on energy prices which threaten business’ operations across the continent.

Multiple entities in Russia are known to possess and deploy advanced cyber capabilities against adversarial targets, this includes Russia’s Federal Security Service (FSB); Russia’s Military Intelligence Agency (GRU); Russia’s Foreign Intelligence Service (SVR); and a private organization, the Internet Research Agency (IRA). These actors can act alone, or in tandem with one another, to devastating effect if they so desired to further destabilize Europe’s energy security.

Supply Chain Risk Management

To guard against physical disruptions, Norway and Denmark have already stepped-up security posturing around their oil and gas industries’ infrastructure, rigs, and buildings after the Nord Stream incidents. However, physical security does not guard against cyberattacks which can be mounted from halfway across the world.

Companies can better-understand their risk exposure to physical and digital infrastructure attacks by gaining greater visibility into their third parties’ risk posture. Doing this at-speed, continuously, and without breaking the budget requires artificial intelligence-driven software like the Resilience platform offered by Interos.

Additionally, entities should implement risk management programs, conduct internal reviews to assess their own security posture, prepare and test resilience plans for likely scenarios, and strengthen collaboration with stakeholders in their respective industries to better manage risk in their supply chains.