Expert Witness Case of the Month

For 30 years, David Steven Jacoby has advised oil, gas, power, transportation, automotive, retail and legal clients in over 50 countries on procurement, contracting, and supply chains management. A five-time author on supply chain management, he has worked with clients in the United States, Dubai, Sao Paulo, Hong Kong, Paris, and elsewhere. He also taught Operations Management at Boston University’s graduate business school, served as a contributing editor at the Economist Intelligence Unit, and consulted to the World Bank.    

Counsel frequently seeks out Mr. Jacoby to serve as a consultant and expert witness. His legal work typically focuses on these major areas:

  • Contract interpretation, contract administration, and contract dispute
  • Transfer pricing
  • Price manipulation
  • Monopoly pricing and market dominance
  • Procurement processes and best practices
  • Market economics
  • Logistics and transportation, including pipelines and terminals

For more information, click here.   

Thanks and Regards,

David Steven Jacoby
Global Supply Chain Management Consultant
Twitter: @dsjacoby

A Single Cyber Attack can Cause up to over $60b Loss for the US Economy

Attacks on control systems for critical infrastructure have risen by more than 250% over the past four years in the US, as web linked communication systems have proliferated and nation-states seeking geo-political and economic supremacy added to the incidence of amateur hacking. Of all the critical infrastructures targeted, power grids have become the ripest target because most or all sectors of economy depend on them: cyber attacks on power grids can be exponentially effective by crippling vast swatches of the industrial and commercial sectors. Furthermore, the absence of power paralyzes many national security systems, making physical terrorist attacks much more effective and more likely.

The Crippling Costs and Risks of Cyber Attack in Power Generation, Transmission, and Distribution

The US power grid has recently suffered three major cyber attacks. In 2012 and 2013, Russian hackers were able to successfully send and receive encrypted commands to U.S. power generators. In 2015, unauthorized cyber hackers injected malicious software into the grid operations that allowed spying on U.S. energy companies. And also, in 2015, US law enforcement officials reported a series of cyber attacks that were attempted by ISIS targeting the U.S. power grid. 

The costs of these cyber attacks are massive. A cyber attack targeted at 50-100 generators that supply power to 15 Northeastern United States, including Washington D.C., would leave almost 93m people without electricity and cause $62 billion to $228 billion in economic losses in the first year. Damage to turbine generating power plants and metering systems would cost $1 billion to $2 billion. Loss of electricity revenue would cost the utilities $1 billion to $4 billion. And loss of revenue to electricity consuming customers of the utilities would cost $60 billion to $222 billion. If recovery takes longer than a year, these costs would multiply. This damage assessment is according to a study by the Centre for Risk Studies at the University of Cambridge.

The U.S. power system is more vulnerable than most. It was never designed for network security. Moreover, since U.S. power plants are now connected to the internet as a part of setting up advanced grid and metering infrastructure, a wide range of new attack points are now available to attackers. Finally, the US electrical grid is also a decentralized network owned by numerous local operators, and security standards vary from utility to utility. More permanent damages, such as those inflicted by the Stuxnet virus in Iran’s nuclear program, cannot be ignored.

However, attacks are taking place in other countries, too. On December 23, 2015, three Ukrainian electricity distribution companies suffered power outages due to a massive cyber attack. The attackers used BlackEnergy and Killdesk malware to disable both control and non-control system computers. The attackers simultaneously flooded the utility call centers with automated telephone calls, impacting the utilities’ ability to receive outage reports from customers and decelerating the response effort. Altogether 30 substations were disconnected for more than three hours, causing approximately 225,000 customers to lose power across various areas. BlackEnergy malware had first appeared in the Russian underground for use in distributed denial-of-service attacks. An evolved version of it, BlackEnergy3, is a distinctive tool and has only been used for cyber espionage.

Areas of Particular Vulnerability

All three segments of the power sector supply chain are vulnerable to cyber attacks:

  1. Generation: SCADA systems in power plants are vulnerable through hardcoded passwords, weak authentication solutions, firmware vulnerabilities and ladder logic. Viruses such as ‘Stuxnet’ can be used to exploit these vulnerabilities to execute cyber attack on the computerized control systems in a well-targeted manner. Some of these sophisticated malwares can cover hide its presence until well after the damage is done.
  2. Transmission: Transmission systems have been the most targeted sub-system in the power system value chain..The relays on the transmission sub-system are time sensitive, and delays of even a few milli-seconds can negatively impact the performance of power transmission. The common cyber attacks in this area include Distributed Denial of Service (D-DOS), which can cause the network and communication channels send delayed responses and cause the malfunction of the Smart Grids.
  3. Distribution: Smart meters, which are increasingly common in network infrastructure, connect to the central control or Network Operating Centre (NOC) room of the utility to transmit and receive data. Poor security implementations in the smart meters could make it possible for an unauthorized third-party to intrude the NOC. The consequence can be disastrous if the meter has the “switch off” capability. Given the scale of utilities, which for large utilities could run into millions of smart meters, security vulnerabilities in this area can lead to widespread damage.

The four most vulnerable types of attack to anticipate are: 1) Intrusion in the intelligent electronic devices through false data injection attack, making SCADA send wrong information to the control systems. This can take place at the site of power generation; 2) Attacking power system control centers (PSCC), typically called DoS (denial of service) attack which causes de-synchronization and delay in the PSCC’s ability to take optimization decisions. Power generation and transmission are most prone to these DoS type of attacks; 3) Crippling electronic AC transmission system which controls power transmission capability of the power network. Both transmission and distribution networks are exposed this type of risk. ; and 4) Use of malwares to steal power network data which could be at the generation, transmission, or distribution points, where data is continuously being stored with respectto peak loads, voltage variations etc.

Supply Chain and Procurement: The Weakest Link

The infrastructure supply chain is particularly vulnerable. Malicious components enter into the supply chain nearly two years before an attack occurs, according to the Cambridge study. Even a slight oversight in procurement could bring the whole system down. Cyber attacks at the supply chain can occur when hardware and software have been counterfeited, tainted, or compromised, resulting in failure of components as designed. Components fitted with rogue malware entering into the supply chain and eventually in the utility, compromising the security mechanisms.

For example, a malicious code could be inserted into software that compromises security or kill-switches/backdoors, enabling attackers to steal data or disable the system. Maintenance and repair activities-software upgrades or equipment services, whether done onsite or remotely, could also allow hackers to corrupt or compromise systems. These compromised components could enter the supply chain from the secondary suppliers or contractors, which are less visible to the utility operators.

Major utility companies are now becoming aware of the risks that cyber attacks pose, and are investing capital to get their systems more secure to attack. Utilities are most vulnerable to cyber threat from a third tier supplier, which has no direct connection to the utility and supplies the equipment through a third party vendor or a distribution channel.  The second tier suppliers also carry the same risk but are more visible and vetted.

What Power Companies Need to Do

Taking into account the above scenarios, the second and third tier suppliers of components and services have to be examined and assessed more strictly.

There are already a number of mandatory standards and requirements for supply chain integrity led by both vendor and government organizations such as NIST, ISO, Common Criteria, and OTTF. While these standards need to become more robust given the growing sophistication of cyber attacks, the least companies can do is to seriously adhere to the existing standards and guidelines.To begin with, the power companies must disclose all features and disable what is not required, limit user capabilities, and block all unauthorized accesses.

As a part of the supply chain cyber security risk mitigation plan of action, the next most important step is to manage procurement risk. This includes joint development of procurement process with representatives from sourcing, legal, technical, and functional subject matter experts.The vendor pre-qualification criteria and all RFPs must clearly specify compliance to vital security standards.

Given the high cyber security risk emanating from second and third tier suppliers, the power companies must make good use of third party certification and accreditation for the vendors, and must also initiate audits as well as scheduled and unannounced inspections for pre-qualified vendors.

Supply Chain Planning Critical to Latin American Oil & Gas Capital Project Profitability

b2ap3_thumbnail_Carnaval1Budgeting and controlling investment costs for Latin American oil & gas projects can be particularly tricky. If investors and owners don’t use reliable information in negotiating with EPCs and equipment suppliers, their projects may suffer from a proliferation of risk buffers and safety margins that cumulatively make them unviable. Or, even worse, they may proceed with the projects and then suffer financially disastrous cost overruns.

Costs vary widely across Latin America, and between Latin America and other regions. Labor costs, third country national participation, and local employee benefit adders are particular to each country. Local productivity differentials, local content requirements, and union regulations together can double or even triple project costs. Steel costs vary widely due to volatile demand and limited supply. Fuel costs are subsidized in some countries and not in others. Finally, high payment risks, the chance of expropriation, hyperinflation, and economic volatility affect terms and conditions of contracting.

Projects like Sea Lion, a joint venture of Premier Oil (60%) and Rockhopper (40%), in Argentina, exemplify the need for supplementary and more methodical cost benchmarking, value chain engineering, tender design, and supplier negotiation. The total capital estimate ($5 billion) is making it hard to fund this project. In addition, Sea Lion’s project budget is fluid and has wide variances: the pre-FEED study on the FPSO plan suggested a required investment of approximately $7b, while new estimates come closer to $5.2 billion.

In order to assure project viability investors in Latin American oil and gas ventures need to access equivalency costs for similar investments in other regions, tapping into specialized expertise if necessary to accurately forecast and mitigate financial and strategic supply chain risks.