Supply Chain Security

Secure critical mineral supply chains.

Supply Chain Security Overview

In this context, supply chain security refers to the physical and cyber security of the underlying global supply chains of technologies, software, equipment, services, and other products. Supply chain security is at the center of many of today’s challenges to the security of individual firms as well as to national security.

The Trump Administration identifies critical infrastructure’s supply chains as key to maintaining the nation’s cybersecurity. The Cyber Strategy for America (March 2026) identifies 6 policy pillars, one of which is “Secure Critical Infrastructure.”

“We will identify, prioritize, and harden America’s critical infrastructure and secure its supply chains, including defense critical infrastructure and adjacent vendors, private companies, networks, and services—such as the energy grid, financial and telecommunication systems, data centers, water utilities, and hospitals—securing information and operational technology supply chains.”

Supply chain threats may manifest as the theft/loss of sensitive data, insertion of malicious software or hardware, disruption of operations or services, or any other compromise of an organization’s systems or services. For example, equipment procured from a company in an adversarial nation may have embedded surveillance technology. Outdated technology used by an industrial control systems software provider could put its customers at risk of ransomware attacks. An insider working for a system integrator might steal intellectual property, resulting in loss of a major competitive advantage.

Source: ODNI NCSC, 2024

One important center of federal supply chain security activity is the Supply Chain and Cyber Directorate (SCD) of the National Counterintelligence and Security Center (NCSC), under the Office of the Director of National Intelligence (ODNI). The SCD’s mission is “to enhance the nation’s supply chain and cyber security, leveraging multidisciplinary counterintelligence and security expertise.” Energy is also one of the 16 critical infrastructure sectors that the Department of Homeland Security (DHS)’s Cybersecurity & Infrastructure Security Agency (CISA) is tasked with safeguarding. Within DOE, the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) is responsible for leading efforts to secure U.S. energy infrastructure against cyber and physical threats.

Acquisition, Cyber, and Enterprise Security

NCSC promotes three supply chain risk management pillars: acquisition security, cyber security, and enterprise security—A.C.E. for short. As a 2024 NCSC report explains, acquisition risks are passed on from contractors, suppliers, vendors, investors, and customers, while cyber risks are inherited from products and services that support an organization’s own products and services. Enterprise risks stem from insiders—individuals with authorized access to an organization’s information and assets who can cause harm through economic espionage, sabotage, fraud, negligence, and other misuse of enterprise resources.

Threat Vectors

Per NCSC, common threat vectors include:

  • Adversarial ownership – e.g., suppliers may be owned, controlled, or influenced by adversarial nation-state actors, state-influenced competitors, criminal organizations, etc.
  • Cyber – e.g., bad actors may target suppliers to gain unauthorized access to IT assets and systems.
  • Geographical – e.g., countries in which suppliers are located may be able to legally access their business assets.
  • Insider – e.g., supplier personnel security checks may not be up to the desired standard.
  • Physical – e.g., suppliers’ facility security protocols may not be up to the desired standard.
  • Technology – e.g., outdated technology may expose an organization and its suppliers to vulnerabilities.

DOE RTES & CESER

For DOE, supply chain security falls under the umbrella of Research, Technology, and Economic Security and entails reducing reliance on countries of concern in favor of allies and preventing exploitation of supply chains. The DOE Office of Research, Technology, and Economic Security (RTES), under the Office of International Affairs, is responsible for protecting DOE’s investments from undue foreign influence through due diligence reviews and risk mitigation “to ensure [that] national security, economic competitiveness, and technological leadership imperatives are duly incorporated into its financial assistance and loan activities.”

Also under DOE, the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) is responsible for leading efforts to strengthen the security and resilience of the U.S. energy infrastructure against cyber threats, physical threats, economic threats (including supply chain interference), and geopolitical threats. Its work is key to securing U.S. energy sector supply chains. CESER’s strategic plan for 2026-2030, for instance, lists among its objectives: “Increase CESER monitoring for hardware and software vulnerabilities in energy supply chains to improve cybersecurity, operational planning, and energy resilience.”

Market Research by Desirae Zingarelli-Sweet

Updated June 24, 2026

Key Challenges

Two sets of key challenges to energy supply chain security center on transparency and traceability, and on industrial control systems and supervisory control and data acquisition systems (ICS/SCADA).

ICS/SCADA

Industrial control systems and supervisory control and data acquisition systems (ICS/SCADA) are key areas of vulnerability in the energy sector. In 2024, DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), in conjunction with Idaho National Laboratory (INL), released new Supply Chain Cybersecurity Principles, calling upon energy ICS suppliers and end-users to take action to enhance the security of these systems. DOE CESER also leads the Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program, a cybersecurity vulnerability testing and enumeration program for priority energy system component software and firmware, which leverages the testing and analysis capabilities of DOE National Laboratories. CyTRICS is one of numerous efforts under CESER’s Energy Cyber Sense Program umbrella.

DOE CESER’s recommendations for ICS or operational technology (OT) cybersecurity monitoring technologies for the energy sector include, for example:

  • Built specifically for ICS networks, with integration compatibility for ICS protocols and communications.
  • Provide sensor-based continuous network cybersecurity monitoring and detection, and facilitate response capabilities for ICS/OT (e.g., deep packet inspection).
  • ICS sensing technology works with correlation and aggregation technologies to allow for OT/IT sensing cross-correlation and analysis.
  • Able to detect unauthorized movement from the IT to OT environment, including via non-IP pathways.
  • Does not collect or store sensitive data off the participants’ site (e.g., perform analysis at the edge), but certain insights or analysis outputs, such as whether a threat was present and relevant indicators of compromise, may be stored off premises.

Transparency & Traceability

The more complex manufacturing and critical infrastructure supply chains become, the more crucial improved traceability is for enhancing risk management, anticipating potential disruptions, and ensuring authenticity of components and products. Supply chain transparency is a challenge with multiple energy technologies, especially in areas dominated by large, vertically integrated original equipment manufacturers (e.g., wind, grid components) or by Chinese firms (e.g., solar, batteries).

This issue is the subject of multiple, ongoing efforts across DOE and other agencies, including NIST’s Computer Security Resource Center, which is developing a meta-framework designed to enhance end-to-end supply chain traceability using blockchain and related technologies. Other efforts, such as Li-Bridge, are focusing on improving transparency and traceability by building out key parts of the U.S.-based supply chain. Li-Bridge is a public-private partnership, headed by DOE Argonne National Laboratory, that was initiated in 2024 to address traceability of critical minerals in the lithium-based energy storage supply chain.

Knowledge Hub

Department of Energy

CESER Strategic Plan, Fiscal Years 2026 to 2030 (2026)

The DOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER)’s current strategic plan, issued in February 2026, outlines the office’s guiding principle of providing timely and actionable information to the energy sector, as well as the strategic goals and objectives that follow from it.

CESER Supply Chain Cybersecurity Principles (2024)

The DOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER), in collaboration with the Idaho National Laboratory, released this principles document in June 2024.

DOE Topics: Research, Technology, and Economic Security

This topic page briefly outlines DOE’s view of research, technology, and economic security and its principles for evaluating these risks.

Other Agencies

NIST SP 800-161 Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2022, updated 2024)

This National Institute of Standards and Technology (NIST) publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain, including risk assessments for products and services.

President Trump’s Cyber Strategy for America (2026)

Issued in March 2026, the Trump Administration’s National Cyber Strategy is a 7-page document that identifies 6 policy pillars, including “Secure Critical Infrastructure.”

Protecting Critical Supply Chains: A Guide to Securing Your Supply Chain Ecosystem (2024)

From the Office of the Director of National Intelligence (ODNI)’s National Counterintelligence and Security Center (NCSC), this report provides a multi-faceted definition of supply chain security and related concepts, emphasizing the role that individual firms can play in managing risks.

Securing Your Ecosystem (Supply Chain Threat Landscape) (2024)

From ODNI’s National Counterintelligence and Security Center (NCSC), this information sheet presents an easy-to-understand model of supply chain threats.


Conferences

2026 Energy Supply Chain & Procurement Summit

November 11-12, 2026, Houston, TX

2026 marks the 12th Energy Supply Chain & Procurement Summit, an event that brings together senior procurement, supply chain, and logistics professionals from operators, service and equipment providers, EPCs (engineering, procurement, and construction firms), utilities, and critical suppliers. In 2025, the summit attracted over 300 attendees. (See 2025 agenda for example sessions.)

NIST Software and Supply Chain Assurance (SSCA) Forums

Various

The National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC), in partnership with the Department of Homeland Security (DHS), the Department of War (DoW), and the federal General Services Administration (GSA), holds SSCA Forums several times a year. They are free and open to the public.

ICS/SCADA Conferences

ICS/SCADA Cybersecurity Symposium and Exhibition 2027

TBD, 2027, Chicago, IL

In its 3rd year, this 3-day annual conference, organized by The Smart Grid Observer, focuses on preparing critical infrastructure operators to face emerging challenges to OT and IT systems.

OT SCADA Con 2026

July 22-24, 2026, Houston, TX

This 3-day industrial automation technology conference attracts over 150 end users, system integrators, and original equipment manufacturers of all sizes and across all verticals. It features more than 20 speakers who are integrators, business owners, and subject matter experts.

Supply Chain Management Conferences

CHAINge Conference 2026

September 29-30, 2026, Long Beach, CA

The 2026 edition of the Association for Supply Chain Management’s flagship annual conference, CHAINge, is broken down into 4 core themes: global trade, technology and fundamentals, resilience and risk, and talent and leadership. This 2-day conference features over 50 educational sessions.

CSCMP EDGE 2026

October 4-7, 2026, Nashville, TN

The Council of Supply Chain Management Professionals (CSCMP)’s 2-day EDGE annual conference attracts over 2,700 supply chain professionals.

ISM World 2027

May 16-18, 2027, Washington, D.C.

The Institute for Supply Management (ISM)’s 3-day annual conference attracts over 2,000 senior supply chain professionals.

Stay in the Know with Dawnbreaker®