The U.S. electric power sector’s reliance on outsourcing and offshoring has grown over the years, raising serious security concerns for vital grid systems. In search of lower costs and specialized skills, utilities and vendors more frequently source essential equipment and software development from abroad. Today, many key components of the grid—from large transformers to control system software—are designed or manufactured overseas. For example, industry analysis shows that capacitor film for grid applications is almost entirely produced overseas, with about 75% made in China, and estimates indicate that the U.S. spends nearly $200 billion annually on imported capacitor film and other critical grid materials.
————————————————-
No time to read the full article? Listen to Vedeni Energy’s Deep Dive podcast at vedenienergy.podbean.com
————————————————-
This heavy reliance on foreign supply and expertise creates strategic risks. If geopolitical tensions or cyber threats disrupt these supply chains, the consequences for grid reliability and national security could be severe. Ensuring a resilient power grid now requires industry leaders to consider not just cost and efficiency, but also the hidden security costs of outsourcing critical infrastructure.
Outsourcing Trends in Critical Grid Systems
Outsourcing in the electric power industry grew in the late 20th century as companies looked for cost savings and global expertise. General Electric (GE) was among the early leaders, actively offshoring engineering and IT tasks. This essentially meant that a large portion of software development and support for GE’s energy and grid operations was handled overseas. These partnerships leveraged skilled labor in India and other countries at a fraction of U.S. costs. Over time, many utilities and equipment manufacturers followed by contracting large consulting and IT services firms for system implementation, maintenance, and data management.
Today, multinational IT companies like Accenture, TCS, Cognizant, Wipro, Infosys, and others play key roles in utility IT/OT environments. These outsourcing giants have most of their workforce outside the U.S.; for example, TCS employs nearly 600,000 people worldwide, and public data show that only a small single-digit percentage of its staff is based in the U.S. This model has offered efficiencies and access to talent, but it also means that critical grid software, databases, and even real-time control systems are often developed or managed overseas. Outsourcing in grid operations now spans a wide range, from software support contracts and cloud services to engineering design and equipment manufacturing. While the benefits include cost savings and faster project delivery, the downsides involve reduced control and visibility over the very systems that keep the lights on.
Cost vs. Security Trade-Offs
The widespread outsourcing of grid components and services has created a built-in tension between cost savings and security. Global supply chains and remote development teams introduce potential points of failure or manipulation that domestic operations could avoid. For years, low cost was the priority—utilities operating under tight budget pressures eagerly offshored tasks and bought cheaper hardware from abroad. Only recently have executives and regulators begun asking tough questions about security issues. The economics are compelling: developing a grid software module or manufacturing a transformer in regions with lower labor costs can save millions. However, those short-term savings could be wiped out by a single prolonged outage or cyber incident traced to compromised foreign-sourced equipment.
Decision-makers in the power sector now need to consider hidden costs. If a critical contractor’s network is hacked, or if a geopolitical conflict halts access to replacement parts, the utility bears the operational risk. As a result, outsourcing essential grid systems creates a risk dependency—the grid’s reliability hinges on the weakest foreign link in the chain. This trade-off has become more evident as nation-state cyber threats and supply chain disruptions, such as the COVID-19 pandemic, have shown that overseas dependencies can quickly lead to crises. An outsourced service or component might be cheaper, but it could also act as a Trojan horse that undermines grid resilience. Finding a balance between cost and security has become a top priority for industry leaders.
Threats to National Security and Reliability
Outsourcing critical grid systems is not just a business issue—it’s a matter of national security. High-voltage transformers, protection relays, SCADA control software, and other essential grid components form the backbone of our critical infrastructure. If hostile actors gain control over their manufacturing or programming, they could exploit that access to cause widespread power disruptions. U.S. intelligence assessments have openly warned about this risk. A 2021 report from the U.S. intelligence community stated that China is the leading worldwide supplier of advanced grid components for ultra-high-voltage systems—such as transformers, circuit breakers, and inverters—and warned that this concentration creates cyber vulnerabilities for nations reliant on them, including the United States. In a worst-case scenario, an adversary could intentionally supply equipment equipped with hidden “kill switches” or backdoors to disable it during a conflict. Concerns about this are not just theoretical: in 2019, federal authorities seized a Chinese-made high-voltage transformer at the Port of Houston and transferred it to a national laboratory for detailed inspection. While public reports confirm the seizure, they do not include the full technical findings, and no official forensic report has been released. Some experts and a former National Security Council official have claimed that hardware capable of remote manipulation was found in the device and suggested it could allow someone in China to turn it off, though these claims lack publicly available technical evidence.
This startling discovery confirmed long-held fears: outsourced grid hardware can be sabotaged during design or manufacturing. The consequences of a malicious shutdown are severe. Power outages could spread through cities, disrupting hospitals, communications, water supplies, and other critical services. In an interconnected grid, even a single compromised transformer or control system could cause widespread blackouts. For example, a substation transformer taken offline during a coordinated cyber-physical attack might overload other parts of the network, leading to regional outages. Such scenarios highlight how outsourcing, if not carefully managed, threatens grid reliability and, by extension, public safety and the economy. U.S. authorities now prioritize supply chain security for the energy sector; the Department of Energy and Department of Defense have identified foreign-made grid equipment as a strategic risk. The lesson is clear – a nation that outsources the construction and maintenance of its power system may, in effect, also outsource its security and sovereignty.
Embedded Cybersecurity Vulnerabilities
Modern grid systems rely heavily on software, firmware, and digital communications—areas where outsourced or foreign-developed components pose significant cybersecurity risks. When a utility installs a new substation control system or hires an overseas firm to develop grid automation code, it may unintentionally introduce vulnerabilities. Malicious code might be embedded in control software or malware hidden in firmware updates without the utility’s knowledge. Supply chain attacks—where an attacker sabotages a product before it reaches its destination—are on the rise worldwide. The power sector is not immune; in fact, it’s a primary target for espionage and disruption. A foreign contractor with access to grid operational technology (OT) systems could be pressured by their home government or compromised by intelligence agencies. There have been instances of malware found in utility networks originating from contaminated vendor software.
Hardware is also a concern: “bugged” components can remain dormant until activated. The transformer incident mentioned earlier illustrates hardware backdoors, but software backdoors are just as dangerous and often harder to detect. For example, a widely used SCADA software library developed abroad could secretly exfiltrate data or accept remote commands through a hidden feature inserted by a rogue developer. These embedded threats are often not identified until after an incident—if at all. Due to the complexity of grid software and the secrecy of proprietary vendor code, utilities often lack the ability to thoroughly audit what they deploy. This makes trust in suppliers essential. In outsourcing arrangements, cybersecurity diligence must go beyond verifying a vendor’s reputation; it requires confirming the integrity of every chip, line of code, and update integrated into critical systems. Unfortunately, full verification is highly challenging, so utilities generally rely on trust and hope that vendors (and their sub-suppliers) have not been compromised. The risk rises when those vendors are overseas, beyond U.S. oversight. A sobering reality for power sector leaders is that an undetected vulnerability introduced through an outsourcing relationship could stay in the grid for years, ready to cause chaos at the worst possible moment.
Dependence on Multinational Grid Vendors
Even when not directly facing adversaries, U.S. utilities rely on many foreign-based companies for essential grid technology. A few multinational corporations supply most of the high-voltage equipment and control systems for American power utilities; many of these companies are headquartered abroad. For example, Hitachi Energy, which offers advanced grid control software and large transformers, is a subsidiary of Japan’s Hitachi Ltd. Siemens Energy, another major provider of grid infrastructure and automation, is based in Germany. These firms (ABB, Schneider Electric, etc.) are well-established partners to U.S. utilities and generally operate in open, friendly markets. However, their foreign ownership raises strategic concerns: in a time of international crisis or trade conflict, might there be pressure on them that could influence U.S. grid projects or support?
Additionally, if most R&D and manufacturing of critical grid components happen overseas, the U.S. could become vulnerable to global supply disruptions or foreign government export controls. We’ve already seen warning signs. During recent supply chain shortages, lead times for transformers—many of which are imported—expanded from months to years. Commerce Department data and subsequent industry analyses show that imports made up over 80% of U.S. transformer consumption in 2019 and are expected to supply about 80% of U.S. power-transformer demand again in 2025. Federal advisory bodies have warned that this heavy reliance on foreign transformers poses a significant national security risk. This dependence on overseas vendors for essential grid parts is being addressed through new policies and investments: for instance, Hitachi Energy and Siemens Energy have announced significant investments in U.S. facilities to produce large power transformers domestically.
These developments will be helpful, but they also highlight how dependent the U.S. has become on foreign suppliers for critical infrastructure. Power sector leaders must face a paradox – the best technology for modernizing the grid often comes from global companies with worldwide supply chains. Eliminating that dependence isn’t realistic in the short term; instead, the focus is shifting to managing and reducing the risks of working with international vendors. This includes strict contract terms on cybersecurity, diversified sourcing (avoiding putting “all eggs in one basket” with a single foreign supplier), and building closer partnerships to promote transparency in the supply chain. Even trusted international partners can be targets for cyberattacks or face political pressures abroad. Therefore, utilities should treat all external technology as potentially vulnerable and plan accordingly.
Mitigation Strategies: Strengthening Supply Chain Security
Faced with these risks, the U.S. power sector is adopting several strategies to secure outsourced and imported systems. One approach is supply chain diversification and reshoring — reducing reliance on single sources by qualifying multiple suppliers and bringing more manufacturing back to the United States. Federal initiatives, such as the Bipartisan Infrastructure Law and Defense Production Act funding, are encouraging domestic production of transformers, batteries, and other grid components. Policy analyses indicate that only about 20% of large power transformers are currently manufactured in the U.S., so these efforts clearly aim to increase that domestic share over time. Another strategy involves stricter vendor vetting and continuous monitoring. Utilities are implementing NERC CIP-013 supply chain risk management processes, which require evaluating suppliers’ security practices and verifying the integrity of devices and software before deployment. Some are even conducting “penetration tests” on equipment or using advanced tools to detect tampering in hardware.
Additionally, cybersecurity clauses in contracts now often require things like disclosure of software bill of materials (SBOMs), vendor participation in threat intelligence sharing, and the right to audit code or firmware. These measures help, but they cannot eliminate all risk – so contingency planning is also essential. Grid operators are increasing their spare equipment inventories (for example, stockpiling extra transformers and critical spares) in case a particular supplier’s gear is compromised or sanctioned. They’re also practicing “islanding” parts of the grid and manual control fallbacks to be ready if digital systems built by outsiders suddenly malfunction.
Prioritizing U.S.-Based Staff and Onshore Operations
One notable mitigation measure, increasingly emphasized, is requiring the use of U.S.-based (and in some cases U.S.-citizen) staff for certain critical functions. The idea is to ensure that personnel with direct access to the most sensitive grid control systems are located on American soil and subject to U.S. jurisdiction and background checks. For example, when outsourcing IT support or software development for control centers, utilities might specify that the work be done in a U.S. facility or a secure operations center, rather than offshore. This can reduce some risks—communications remain within U.S. networks, and there is a level of legal accountability and recourse if something goes wrong. Several foreign-headquartered vendors have responded to this demand by establishing U.S. delivery centers or subsidiaries staffed mainly with American engineers. In regulated sectors like defense and energy, it’s common to see contracts that explicitly state, “all project personnel must be U.S. persons,” or that data must reside on U.S. servers. Using U.S.-based staff can indeed lower exposure to foreign espionage or coercion—an engineer in North America is generally harder for an adversary to recruit or pressure than one in a high-risk country. It also simplifies compliance with regulations (such as NERC CIP background checks or DOE requirements) and addresses political concerns regarding offshore access to critical infrastructure.
However, this strategy has limitations. The reality is that large outsourcing firms still keep most of their expertise overseas. Requiring U.S.-only staff can significantly increase costs and often serves more as a contractual formality than an actual security measure. In practice, a vendor might rotate a small team domestically to meet the contract requirements, while most development remains abroad. Additionally, being U.S.-based does not automatically eliminate insider threats or prevent all cyber risks. Executives should view employing U.S.-based staff as one layer of defense—valuable, but best combined with other measures like thorough vetting, access monitoring, and network segmentation. Fortunately, many service providers now offer “onshoring” options, and some utilities have brought previously outsourced functions back in-house or onshore after reassessing the risks. In the long term, investing in domestic talent and workforce development for specialized grid IT and OT roles will strengthen this human element of security. A workforce that is not only U.S.-based but also highly skilled and well-vetted becomes a key asset in defending grid operations against both foreign and domestic threats.
Conclusion
Outsourcing and global partnerships will remain a fundamental part of the U.S. power sector’s structure – the size and complexity of the grid nearly guarantee reliance on international technology and expertise. Still, the goal must be to manage that dependence responsibly. This means balancing the efficiencies gained from global sourcing with the need to protect national security. Power industry leaders and middle managers are on the front lines of this balancing act. They must ask tough questions of their suppliers and contractors: Where is this product made? Who has handled this code? What controls and fail-safes are in place? It’s their duty to ensure that substantial risk mitigation is included in every outsourcing decision. The good news is that awareness is increasing. Industry leaders are beginning to view supply chain security as a key element of reliability, not just a regulatory obligation.
Collaborative efforts between government and industry—from intelligence briefings to technology investments—are helping utilities strengthen defenses where they are most vulnerable. In boardrooms and control rooms alike, the conversation has shifted from “How do we cut costs?” to “How do we cut costs safely?” Executives realize that blindly outsourcing critical grid systems poses too significant a risk to both their companies and the country. The future of the U.S. power grid will still be connected to global innovation and supply, but with stricter safeguards: a more secure sourcing ecosystem, continuous threat monitoring, contingency plans for the unexpected, and a strong domestic capability to rely on. By clarifying contract language, limiting access to critical systems, and strengthening supply chain links, we can enjoy the benefits of outsourcing without compromising our security. The stakes—keeping the lights on and our nation safe—demand nothing less.