Black Hat 2024

Driving Forces Behind Industry 4.0 and Digital Transformation for Critical Infrastructure

Black Hat · 444 views · 41:03 · about 1 year ago

This talk examines the cybersecurity challenges introduced by the digital transformation of critical infrastructure, specifically the power grid. It highlights the risks associated with increased reliance on cloud-based management systems, supply chain vulnerabilities, and the integration of IoT devices like robot dogs and smart inverters. The speaker advocates for 'Cyber-Informed Engineering' (CIE) to integrate security into the design phase rather than treating it as an afterthought. The presentation also discusses the importance of Software Bill of Materials (SBOM) and Hardware Bill of Materials (HBOM) for managing supply chain risk.

Why Your Next Industrial Control System Assessment Needs a Supply Chain Audit

TLDR: Critical infrastructure is undergoing a massive digital transformation, shifting from isolated legacy hardware to cloud-connected industrial control systems. This shift introduces significant supply chain risks, as seen in the reliance on third-party smart inverters and IoT devices. Security researchers and pentesters must pivot from traditional network-level testing to evaluating the integrity of the software and hardware supply chain using tools like Cirrus.

Digital transformation in the power grid is no longer a theoretical roadmap. It is happening at a breakneck pace, driven by the urgent need for decarbonization and the integration of distributed energy resources. For the security community, this means the attack surface of critical infrastructure has fundamentally shifted. We are no longer just looking at air-gapped PLCs or proprietary serial protocols. We are looking at cloud-managed inverters, massive data lakes, and IoT devices like robot dogs patrolling substations. If you are still focusing your assessment solely on perimeter firewalls, you are missing the point.

The Shift to Cloud-Connected Infrastructure

The core issue is that we are connecting legacy industrial environments to the cloud to manage the complexity of modern energy delivery. This creates a bridge between the operational technology (OT) world and the internet. When a utility company deploys thousands of smart inverters or cloud-based management systems, it is effectively outsourcing a portion of its security posture to vendors.

This is where the Cyber-Informed Engineering (CIE) framework becomes essential. CIE forces a shift in mindset: instead of trying to bolt security onto a finished product, we must integrate it into the design phase. For a pentester, this means your engagement should start with an analysis of the system architecture and the supply chain dependencies before you ever touch a keyboard to run a scan.

Supply Chain Risk is the New Perimeter

The most significant risk in this new landscape is the supply chain. We are seeing a massive influx of hardware and software components from global suppliers, often with little visibility into their security provenance. When you assess a power grid component, you need to ask: where did the firmware come from? Who wrote the libraries? What are the dependencies?

The Software Bill of Materials (SBOM) is the baseline requirement for any modern assessment. If a vendor cannot provide an SBOM, you should treat their product as a black box with unknown vulnerabilities. The same logic applies to hardware. We are seeing an increased focus on Hardware Bill of Materials (HBOM) to track the physical components that make up these critical systems.
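As an added example (not from the talk or from any vendor tooling), the script below shows what "treat it as a black box" looks like in practice: it loads a constructed CycloneDX-style SBOM for a hypothetical inverter management service, walks the dependency graph, and flags every transitive component whose provenance cannot be checked because the SBOM carries no version, supplier or hash for it. The component names, refs and hashes are all made up for the example.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical "inverter-mgmt" service.
# Refs, names and hashes are placeholders, not real packages.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "inverter-mgmt@2.1.0", "name": "inverter-mgmt", "version": "2.1.0",
         "supplier": {"name": "ExampleVendor"},
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        {"bom-ref": "mqtt-client@1.4.2", "name": "mqtt-client", "version": "1.4.2",
         "supplier": {"name": "ExampleVendor"},
         "hashes": [{"alg": "SHA-256", "content": "11" * 32}]},
        # no supplier and no hash: firmware origin cannot be verified
        {"bom-ref": "tls-lib@0.9", "name": "tls-lib", "version": "0.9"},
        # no version, supplier or hash at all
        {"bom-ref": "json-parser", "name": "json-parser"},
    ],
    "dependencies": [
        {"ref": "inverter-mgmt@2.1.0", "dependsOn": ["mqtt-client@1.4.2", "tls-lib@0.9"]},
        {"ref": "mqtt-client@1.4.2", "dependsOn": ["json-parser"]},
    ],
})

def load_sbom(text):
    return json.loads(text)

def provenance_gaps(sbom):
    """Map bom-ref -> list of missing provenance fields (version, supplier, hashes)."""
    gaps = {}
    for comp in sbom.get("components", []):
        missing = [f for f in ("version", "supplier", "hashes") if not comp.get(f)]
        if missing:
            gaps[comp["bom-ref"]] = missing
    return gaps

def transitive_deps(sbom, root):
    """Every component reachable from `root` through the SBOM dependency graph."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, stack = set(), list(graph.get(root, []))
    while stack:
        ref = stack.pop()
        if ref not in seen:
            seen.add(ref)
            stack.extend(graph.get(ref, []))
    return seen

def unverifiable_deps(sbom, root):
    """Transitive dependencies of `root` that must be treated as black boxes."""
    gaps = provenance_gaps(sbom)
    return sorted(ref for ref in transitive_deps(sbom, root) if ref in gaps)

if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM)
    for ref in unverifiable_deps(bom, "inverter-mgmt@2.1.0"):
        print(ref, "missing:", ", ".join(provenance_gaps(bom)[ref]))
```

A dependency that appears in `dependsOn` but has no entry under `components` is silently accepted here; in a real review that mismatch is itself a finding.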

During your next engagement, use Cirrus, a tool developed by Idaho National Laboratory to help entities assess their grid modernization deployment strategy. It provides a structured way to evaluate the consequences of a compromise, which is far more effective than chasing individual vulnerabilities in a vacuum.

The Reality of "Blackstart" and Manual Overrides

One of the most critical scenarios in power grid security is "blackstart"—the process of restoring a power station or a grid segment after a total blackout. Historically, this was a manual, physical process. Today, it is increasingly automated. If an attacker can compromise the management software that controls the blackstart sequence, they can prevent the grid from coming back online or, worse, cause physical damage to the equipment during the restart process.

When you are testing these systems, look for the "manual override" capabilities. If the digital management system fails, is there a secure, verified path to manual operation? If the answer is no, you have found a high-impact finding. The goal of an attacker here is not just to disrupt service; it is to ensure that the disruption is prolonged by preventing the restoration process.

Defensive Integration

Defenders are struggling to keep up with this pace of change. The DOE CESER Supply Chain Cybersecurity Principles are a good starting point for organizations looking to formalize their vendor requirements. As a researcher, you can provide immense value by helping these organizations map their technical debt. Don't just report a missing patch; report the lack of visibility into the component's supply chain.

The industry is moving toward a model where security is a shared responsibility between the utility, the cloud provider, and the hardware manufacturer. However, the reality is that the utility remains the one holding the bag when the lights go out. Your job as a pentester is to expose the gaps in that shared responsibility model.

What to Do Next

Stop treating industrial control systems as static, isolated targets. They are dynamic, cloud-dependent, and supply-chain-heavy. Start your next assessment by mapping the dependencies. Ask for the SBOM. Use the CIE framework to identify the most consequential functions in the system and focus your testing there.

If you find a vulnerability in a third-party component, don't just stop at the CVE. Investigate how that component is integrated into the broader grid management system. The most interesting bugs are not in the code itself, but in the assumptions made about the security of the supply chain. Keep digging into the architecture, and you will find the real risks.
