Implementing Partnerships in Energy Supply Chain Cybersecurity Resilience

: This study describes the implementation of an energy sector community to examine the practice of cybersecurity for operational technology environments and their supply chains. Evaluating cybersecurity from the perspectives of different actors participating in the energy sector, the progress and challenges of operators and suppliers in delivering cybersecurity for the sector are explored. While regulatory frameworks incentivize individual organizations to improve their cybersecurity, operational services contain contributions from many organizations, and this supply chain of activity needs to be inﬂuenced and managed to achieve desired security and resilience outcomes. Through collaborations and systems engineering approaches, a reference model is created to facilitate improvements in managing the cybersecurity of supply chains for different actors, including service operators, maintainers, manufacturers, and systems integrators. This study provides an illustration of implementing a common vision of cybersecurity improvement across a community of actors. It utilizes a collaborative framework that has facilitated the co-production of cybersecurity guidance for energy sector participants.


Introduction
Critical infrastructure operators are continually challenged by the complexities of considering the security position of their supply chains. This paper describes the implementation of communities of interest in energy supply chain cybersecurity to progress sector-wide approaches to the challenge of overseeing, managing, and influencing supply chains for critical infrastructure.
Operators of critical infrastructure hold responsibility for the impact of cybersecurity events in their operational environment and on the essential services they provide. Regulatory frameworks such as the Security of Network & Information Systems (NIS Regulations) in the UK [1] and the European NIS Directive [2] place cybersecurity expectations on individual organizations, but the operational services deployed utilize components, products, and services coming from multiple supplier companies. Dividing up cybersecurity responsibilities and transferring risk between organizations and between customers and suppliers proves to be a challenge. As a result, regulators further propose to broaden the application of NIS Regulations to organizations supplying critical infrastructure services [3][4][5]. However, these regulatory tools can only focus on the cybersecurity obligations of individual organizations rather than defining end-to-end security for the technical solutions and services that encompass multiple actors.
This study emphasizes cooperation between interdependent organizations as an essential aspect of cybersecurity governance. It aims to set the foundations for a mutual commitment to agreed cybersecurity objectives and supporting practices. Through addressing the multiple

Related Work
Kumar's research on the impact of cybersecurity on operations identifies a critical need for companies to develop a strategy to secure their global supply chains [6]. Ghadge identifies generic research into supply chain cybersecurity and points out the need for more contextualized studies in specific domains [7]. Melnyk calls for more research into cybersecurity across the supply chain and highlights the importance of alignment to a common vision in both a vertical plane, through various actors within an organization agreeing on common goals for cybersecurity, and through horizontal alignment across interdependent organizations working together on common cybersecurity objectives [8].
Messenger [9,10] researches the cultural dynamics at play with the sharing of cybersecurity information across organizational boundaries and proposes the following model of beliefs that are necessary for sharing cybersecurity information:  [10].
Rather than information sharing between parties, Borchert [11] recommends joint information ownership and co-production, involving relevant stakeholders by providing a framework to engage them, fostering good relations and trust, and a dedicated focus on developing content together, ideally setting up information co-production per sector to address specifics [11].
Shaked et al. [12] recommend a holistic assessment of cyber resilience using whole systems thinking and proposes "a progression path" to outline how a sector can evolve from one maturity level to the next. This study captures expressions of cyber resilience in the constituents of a sector and in their relationships, and recommends coordinating cyber resilience across a system's constituents rather than relying on self-evaluation by individual entities [12].
Sitton and Reich [13] compare systems engineering methods for improving interoperability across enterprises where existing assets and systems have been developed at different times and places leading to a lack of synchronization. The integration of complex emergent systems is considered from a process design perspective, presenting cross-enterprise processes and information flow as being key to seeing the broader view necessary to lead the way from uncoordinated unsynchronized systems and domains towards new integrated capabilities at the process level. This tends to be hindered by there being no allocated responsibility for defining operational process requirements across organizations. Sitton and Reich recommend viewing 'both ends' by combining top-down strategic thinking and standardization across organizations with a bottom-up evaluation of a continuously evolving environment. This research calls for future projects to demonstrate the planning and management of operational processes to achieve integrated capabilities for complex emergent communities [13].
Carr [14] identifies a "governance gap" in cybersecurity and the need for a coordinating framework, and especially recommends greater engagement between policy and technical communities [14]. Kroger [15] recommends that processes transcend existing organizational boundaries and follow an "all actors approach" to address the multi-faceted risks of critical infrastructures more holistically [15]. This paper examines the practice of collaboration among energy sector participants and the co-production of guidance to improve cybersecurity assurance of suppliers and their services to the energy sector. It addresses the gaps identified in the literature by providing a contextual study of co-producing cybersecurity guidance with an energy sector community, and by enabling a more integrated cyber capability across different energy sector actors. The collaborative effort also proposes a framework by defining a partnership approach with shared goals for improving cybersecurity across organizational boundaries.

Issues and Challenges in Supply Chain Cybersecurity Resilience
Contributions to cybersecurity come from a broader set of organizations than individual energy operators. There are many organizations that need to understand their place in critical infrastructure and their role in securing energy services. Extensive supply chains necessitate having some generic approaches in place (usually through adopting published standards) to make the management of vast supply chains achievable. However, a bespoke, individually developed, and blanket approach from companies' procurement processes has increased workloads for suppliers in responding to each customer's individual but often all-encompassing question sets that oftentimes are largely irrelevant to the actual component or service they are providing.
Once supply is agreed, some aspects can be controlled by having a security detail within formal agreements and contractual arrangements. However, some aspects (such as changing solutions when threats change) can merely be influenced and so depend on the quality of relations and goodwill between customer and supplier. Awareness and understanding, as far as achievable, of what is outside of an operator's control or influence is also important, such as sub-contracting and subsidiary tiers in the supply chain or the make-up of software systems. On the other side of the equation, operators know the context (and hence criticality) of the operational environment in which they host supplier products and services and need to effectively communicate the resulting cybersecurity requirements to their suppliers. The quality of relations between operators and their suppliers also contributes to the ongoing resilience of the solution, especially where suppliers need to be engaged during incident response and recovery.

Materials and Methods
Topping's review of contrasting global approaches to managing supply chain cybersecurity calls for more collaborative approaches and more consistent security assurance across borders and sectors [16]. Our paper investigates the feasibility of a common approach to cybersecurity across interdependent organizations. This was progressed through a collaboration with relevant actors from the UK energy sector to jointly design a common and consistent approach to improving the cybersecurity resilience of energy systems.
In 2009 [17], the US Department of Energy and US Department of Homeland Security came up with the idea of helping energy operators in how they specify cybersecurity requirements by providing wording to include in procurement requests and (potentially) in contracts. This was subsequently refined in more focused publications such as one aimed at Energy Delivery Systems [18].
A group of UK electricity and downstream gas companies known as the Energy Emergencies Executive Cybersecurity Task Group (E3CC) saw the value in this approach and in 2018 were supported by the UK Government Department for Business, Energy and Industrial Strategy (BEIS) to work with the Energy Networks Association (ENA) and develop 'Energy Delivery Systems Cyber Security Procurement Guidance' [19]. This took the idea of a procurement language and placed it into the context of procurement processes as well as referencing relevant UK and international standards and guidance.
In consideration of the significant growth of new entities in the deployment of energy renewables and more locally managed networks, the group further recognized that grid stability and reliability could potentially be impacted by systemic cybersecurity risk to multiple distributed energy resources. Adopting the concept of 'code of connection' where the energy network defines the rules of connection in order to protect the network, the development of 'Distributed Energy Resources (DER) Cyber Security Connection Guidance' [20] was commissioned in 2020. This defines the cybersecurity expectations for distributed energy resources according to their scale and criticality. European energy operators have also produced a Network Code on Cybersecurity clarifying common cybersecurity requirements and defining roles and responsibilities for actors in the European synchronous grid area [21].
The E3CC also saw that carrying out cybersecurity assurance of third parties is becoming common practice for energy operators both at the time of acquiring services or systems and periodically through the life of ongoing contracts. It was recognized that developing, maintaining, and operating such assurance processes are costly and time-consuming. The type of assurance required is similar for every operator, but if everyone 'does their own thing' there are inevitably variations in questions and the format and processes used to collect or audit/review information. This diversity of approaches creates a significant overhead for the suppliers being assured.
As a result, the group agreed to a more consistent and potentially shared approach to make the process more efficient for the industry and its supply chain as a whole. Work initially started with a subset of interested operators sharing their internal company methods and questionnaires with a view to creating a common set for the sector, and during the work some key suppliers were also engaged. A collaborative approach ensued involving both operators and suppliers co-producing standard question sets to be used during the procurement process for the assurance of supplier companies. The group then applied an engineering approach by categorizing different parties and co-designing guidance for the assurance of products and services.

Implementing Energy Sector Partnerships in Supply Chain Cybersecurity
The community of UK energy sector operators in electricity, downstream gas, and oil and gas, as a community considered to have common suppliers and interests, convened to develop the common cybersecurity procurement guidance for operators and eventually establish industry-wide dialogue with the supply chain. The collaboration of this group, working together with members of the supplier community, has improved standardization in cybersecurity to the benefit of suppliers and operators alike.
The initial stages of this work just involved UK energy operators and policymakers. During the process of designing a common approach to supplier assurance, a decision was taken to have 'validation' discussions about cybersecurity challenges with key suppliers of systems and services to the energy sector. These meetings proved to be very frank, open, and helpful in understanding the tensions and dynamics of the procurement process and how cybersecurity requirements can be delivered.
For example, suppliers explained how the procurement processes used by some customers could actually inhibit free discussion of cybersecurity concerns if the introduction of additional security context went beyond bidding rules. The suppliers also stressed the importance of a shared responsibility model between suppliers and operators as being key to achieving secure outcomes. The operators took the opportunity to give their opinion that cybersecurity should be an inherent part of any proposal and should not be presented as an optional addition at extra cost.
As a result of working together, the group of suppliers and operators identified that there would be value in an agreement on future standards and approaches. Based on the positive experiences of establishing the collaboration between electricity and gas service operators which formed the E3CC, the operators proposed a Code of Practice and Partnership (CoPP) approach which could form the basis of supply chain cybersecurity assurance and standardization activity in the future. The CoPP proposal was well received by the collective group of operators and suppliers, and work was started together to agree an initial set of 3 Core Principles for cybersecurity in the supply chain along with 12 supporting Practices shown in Section 3.5. However, despite the interest in collaboration, the group did not gain further traction during 2021. It is interesting to note that although aspiring to work together for a common interest the putative CoPP group differed from the E3CC in at least 2 characteristics. Firstly, it had no resources for facilitation and relied entirely on self-nominating volunteers making time available, and secondly it was formed during the pandemic when physical meetings and opportunities to build personal and social relationships were greatly limited.

Formation of a Community of Interest Expert Group in Supply Chain Cybersecurity (SCEG)
As a result of the UK National Centre for Cyber Security (NCSC) wishing to promote greater capability in cybersecurity management for the industrial control/operational technology environment, a new group has been established. The initial CoPP work from the energy sector has been used as a catalyst for this cross-sector initiative and has formed an expert group in supply chain cybersecurity. The group aims to progress sector-wide approaches to the challenge of overseeing, managing, and influencing supply chains to critical infrastructure. This includes identifying the progress made so far to determine needs and requirements and provide recommendations on how best to support industry with the challenges experienced in supply chain cybersecurity. The group is exploring the following themes while scoping the need for further guidance and support: • Establishing commitments to action and maintaining accountability in supply chains.

•
Identifying where controls or cooperation/partnerships are required with important suppliers to establish some points of governance within supply chains.

•
Reducing the impact and consequences of potential cybersecurity incidents in supply chains to critical infrastructure.
In progressing the new group, the dynamics of collaboration and lessons learnt from the previous groups are being taken into account, and the outcomes and outputs of the new group will be detailed in future work.

Collaborative Energy Community
From its initial establishment as a cybersecurity knowledge-sharing group of operators, the group (now known as E3CC) has been able to work collaboratively, and with the support of their overseeing government department (the Department of Business, Energy and Industrial Strategy), has achieved some key outputs. Table 1 shows the development of the group and its key external achievements beyond knowledge sharing.  [22,23] A review by the Chair of the E3CC outlined the key factors which have contributed to the success of the group; these markedly reflect the views of the literature and can be summarized as: A. Invest time in members building personal relationships and trust-including learning together and socializing. B. Find common goals that deliver value to all. C. Accept that tactical responses will slow down strategic process and plan for contingency. D. Think big and look for great (industry-wide) opportunities beyond what single members can achieve. E. Do not underestimate the effort required to drive and facilitate the group (it needs some dedicated resources).

Request for Information
A common information-gathering questionnaire was created by analyzing themes and questions already being posed to suppliers by energy operators. This was tested for completeness by comparison with ISO 27001/2 [24], NIST Cyber Security Framework [25], NIS Regulation Cyber Assurance Framework [26], UK HSE OG86 [27], and guidance from the UK National Cyber Security Centre [28]. A common set of questions was agreed upon which was aimed at the corporate level of suppliers to help create initial company short-lists at the Request for Information (RFI) stage of procurement [22]. The intention is for this Company Initial Questionnaire to become widely adopted for RFIs and thereby make supplier cybersecurity assurance information responses re-useable across different operator engagements.

Request for Proposal
The cybersecurity status of a company (surveyed by RFI) in terms of its own networks and systems is indicative of corporate security posture but usually falls short of describing the specifics of a service running on different networks and (often) with different cybersecurity management. Therefore, risk-based guidance that focused on particular services or product types was also co-produced to assist the Request for Proposal (RFP) stage of procurement. Figure 1 summarizes the RFI and RFP outputs. The Company Initial Questionnaire in Part 1 provides a general assessment of the cybersecurity capability and posture of a vendor company. Part 2 focuses on the risks relevant to six types of products or services provided and aims to suggest topics for the assurance questions to be asked by operators. For example, security relating to the products and software provided is underpinned by how they are designed and built. RFP questions focus on the relevant risks for the specific product and/or service being provided. Different vendor types bring different cybersecurity risks that can impact the energy operator depending on the activities the vendor performs and the system and data they have access to. Once companies have been short-listed for selection, more specific information is therefore likely to be required about the cybersecurity status of the service or product being procured, e.g., in response to an RFP. This level of service or product cyber assurance may also be performed through the life of a contract.
Unlike a company RFI, it was considered that RFPs will need to be developed for each situation but would benefit from drawing from a common set of references and standards. That formed the basis of the Guidance for Energy Operators for Cyber Security Assurance as part of a Request for Proposal (RFP) [23]. Unlike a company RFI, it was considered that RFPs will need to be developed for each situation but would benefit from drawing from a common set of references and standards. That formed the basis of the Guidance for Energy Operators for Cyber Security Assurance as part of a Request for Proposal (RFP) [23].
In the guidance, cybersecurity risks are considered in the context of the different services, and six generic types of service are covered to help operators decide which cybersecurity control topics and standards should be explored. These are: A. Service Operator-operates the operational technology (OT) system(s) or closely connected IT-OT system(s) on behalf of the energy company operator. B. Maintainer-provides support and maintenance of OT systems. C. Manufacturer-provides OT or closely connected IT-OT system/component design, development, and build. D. Integrator-provides system integration/configuration/bespoke design. E. IT Support Services-support services for IT when acting as an adjunct to OT. F. Consultant-provides consultancy such as the assessment of system status including security assessments.
The standards chosen reflect the different risk situations each service might introduce (as shown in Figure 2).
Following the production of the RFI and RFP guidance, the development and delivery of adoption training was progressed to help operators, including their procurement and project professionals, to understand the materials and how to use them. In the guidance, cybersecurity risks are considered in the context of the different services, and six generic types of service are covered to help operators decide which cybersecurity control topics and standards should be explored. These are: A. Service Operator-operates the operational technology (OT) system(s) or closely connected IT-OT system(s) on behalf of the energy company operator. B. Maintainer-provides support and maintenance of OT systems. C. Manufacturer-provides OT or closely connected IT-OT system/component design, development, and build. D. Integrator-provides system integration/configuration/bespoke design. E. IT Support Services-support services for IT when acting as an adjunct to OT. F.
Consultant-provides consultancy such as the assessment of system status including security assessments.
The standards chosen reflect the different risk situations each service might introduce (as shown in Figure 2).

Trust and Partnership in Energy Cybersecurity
Energy providers recognize that cybersecurity is a risk which they need to manage in order to run resilient energy systems, and they can be required to demonstrate cybersecurity management to comply with regulation. Energy operators therefore have security Following the production of the RFI and RFP guidance, the development and delivery of adoption training was progressed to help operators, including their procurement and project professionals, to understand the materials and how to use them.

Trust and Partnership in Energy Cybersecurity
Energy providers recognize that cybersecurity is a risk which they need to manage in order to run resilient energy systems, and they can be required to demonstrate cybersecurity management to comply with regulation. Energy operators therefore have security requirements, some of which they can define themselves, but some need an open dialogue with their systems and service suppliers.
Partnership is therefore essential for effective cybersecurity in the supply chain: • Partnership addresses information asymmetry where suppliers understand their products in depth, but it is the operator who knows the criticality and context of the application and the impact of potential incidents.

•
Partnership recognizes collective and individual roles and responsibilities. For example, vendor products need to have security designed into them, and customer operations need to manage the security of products and how they are used.

•
Partnership recognizes fair commercial balance where foundational security is part and parcel of any reliable service or product, and value-added security that brings efficiencies or opportunities such as greater resilience may gain additional reward. • Partnership enables shared outcomes including working together during incident response and recovery.

•
Partnership promotes honesty and transparency in communication to achieve security goals and improve resilience together.

Code of Practice and Partnership Model
The group of suppliers and operators proposed a Code of Practice and Partnership model (CoPP) as a foundational approach to the assurance of supply chain cybersecurity. This work was inspired by other projects producing codes of practice statements on the security goals for OT, IT, and IoT supplier and customer relationships [29][30][31]. The aim was to create an energy sector CoPP for cybersecurity, to be more specific to the energy industry, and to help guide actions across the supply chain.
Commercial reality in a supply chain requires that for anything to be supplied there needs to be a demand, either naturally in the market or enforced through regulation. To be delivered as a reality, security therefore needs to be something which is genuinely demanded by the customer and not be the subject of 'lip service' or something which is removed during negotiation.
Suppliers have expressed concerns that security requirements: • Are not really a priority in procurement decisions. • Create a risk of putting suppliers at a competitive price disadvantage on bids or in sustaining an unrealistic product life. • Are ill-defined and so run the risk of a supplier 'over-egging' or underestimating the risk and the matching security requirement.
Operators have expressed concerns that security engagements with suppliers can result in: • An attempt at raising costs that goes beyond fair return for investment (such as charging bespoke fees for a common security requirement).

•
Lack of transparency in the through-life support of security, including unclear or unresponsive reporting on security status. • Requiring a forced major technology change purely due to security.
Collectively, both operators and suppliers report concern over: • Too much friction in supply chain cybersecurity assurance, such as numerous different operator questions being posed to suppliers. • Lack of clarity on which standards and guidance should be adopted.

•
Lack of mutual understanding of cybersecurity risks in both current operations and emerging business and technology models.
The Code of Practice and Partnership approach has the goal of trying to create an environment of collaboration to help address the above issues. The CoPP applies to all of the supply chain and has three core principles:

•
Basic security is foundational. • Security and resilience needs collective responsibility. • Transparency and communication is key.
For each of the above core principles, four partnership practices were identified as shown in Figure 3.
Operators have expressed concerns that security engagements with suppliers can result in: • An attempt at raising costs that goes beyond fair return for investment (such as charging bespoke fees for a common security requirement).

•
Lack of transparency in the through-life support of security, including unclear or unresponsive reporting on security status. • Requiring a forced major technology change purely due to security.
Collectively, both operators and suppliers report concern over: • Too much friction in supply chain cybersecurity assurance, such as numerous different operator questions being posed to suppliers. • Lack of clarity on which standards and guidance should be adopted.

•
Lack of mutual understanding of cybersecurity risks in both current operations and emerging business and technology models.
The Code of Practice and Partnership approach has the goal of trying to create an environment of collaboration to help address the above issues. The CoPP applies to all of the supply chain and has three core principles:

•
Basic security is foundational. • Security and resilience needs collective responsibility.

•
Transparency and communication is key.
For each of the above core principles, four partnership practices were identified as shown in Figure 3.

Formation of a Supply Chain Expert Group
Since 2022, the implementation of a community of interest in supply chain cybersecurity has been underway, forming a 'Supply Chain Expert Group' (SCEG). Amongst other work items, this group is exploring cross-sectoral views on the CoPP and elaborating on the 12 partnership practices identified by the CoPP with more detailed practice statements. Outcomes from this group will be detailed in future work.

Discussion
Supply chain cybersecurity is a shared problem which needs shared understanding and partnership to address it. This work with supply chain participants in the energy sector has confirmed that there is a benefit in adopting common cybersecurity assurance standards and approaches in order to reduce unnecessary duplicated work in operators and suppliers. A collaborative approach also achieves a much clearer understanding of cybersecurity risk by all participants and helps overcome information asymmetries in the supply chain.
Whilst a common generic set of questions is useful for a Request for Information (RFI) stage of selecting companies for short-listing, the stage of requesting a proposal (RFP) needs to recognize that there are cybersecurity risks which are specific to the product or service being requested, and so the operator will need to specify the requirements in that context. Risks can be related to the types of supply of a product or service (e.g., Service Operator, Maintainer, Manufacturer, Integrator, IT Support, and Consultancy), and there are existing industry standards which can be used to define those requirements which can be referred to rather than each customer having to invent their own for each engagement. Suppliers have a strong preference for using existing published standards so that they can standardize design.
To be successful, collaborative groups working on common standards and approaches need a shared mission and must gain individual value from the work. Experience from E3CC, CoPP, and SCEG has shown that these groups must have committed resources for facilitation and be able to develop personal relationships to establish trust.
The common vision and mission of cyber professionals spurs them to donate effort to endeavors such as E3CC, CoPP, and SCEG but will usually require support from their sponsoring organization to collaboratively resource the necessary activity. A combined governance and facilitation capability, which is typically provided by support from government, academia, institutes, or associations, is also essential for such groups to progress significant outputs together.
Funding: Paul Dorey is retained by National Grid PLC as the facilitator for E3CC and was funded by BEIS to support the development of the RFI and RFP work cited in this paper. This work was funded by the Research Institute in Trustworthy Inter-connected Cyber-physical Systems (RITICS) grant number EP/R022844/1 and EPSRC Impact Acceleration Account EP/X5257161/1. RITICS have provided approval to publish this work. Data Availability Statement: Not applicable.