On May 1, 2020, President Trump issued Executive Order 13920 on “Securing the U.S. Bulk-Power System” (EO), the most public and potentially far-reaching action to address the long-standing U.S. governmental concern about security of the U.S. electrical grid. (For more information about the EO and how it could be interpreted based on prior Executive Orders, see here.) Among other things, the EO requires the Department of Energy (DOE) to create and implement new rules that will govern the procurement, importation, transfer and installation of bulk-power system (BPS) equipment in which a “foreign adversary” is determined to have an interest.

“Foreign Adversaries” – China, Russia, Iran, North Korea, Cuba, and Venezuela

The EO initially referred to threats to the BPS by “foreign adversaries” without identifying specific countries or bodies. Following issuance of the EO, the DOE conducted conference calls with interested stakeholders, in which it could be inferred that foreign adversaries referred to China, Russia, Iran, and/or North Korea. Recent guidance now expressly lists those four counties, as well as Cuba and Venezuela, as foreign adversaries for purposes of the EO.[1]

In particular, China and Russia appear to be a significant focus. A DOE notice dated July 2, 2020 (July Notice), states that the “Office of the Director of National Intelligence’s (ODNI) National Counterintelligence and Security Center (NCSC) assesses that China and Russia (near-peer foreign adversaries) possess highly advanced cyber programs and that both nations pose a major threat to the U.S. government . . . The BPS is a target of these adversaries’ asymmetric cyber and physical plans and operations.”[2]

While the July Notice expressly references the specified countries, the authority under the actual EO is still broader and covers BPS equipment that any foreign adversary has an interest in. The EO defines foreign adversary to include “any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or its allies or the security and safety of United States persons.”[3]  Thus, the DOE’s current focus could shift as other countries are added to (or one of the aforementioned countries is removed from) the list.

Request for Information (Deadline – August 7, 2020)

The DOE has issued a Request for Information (RFI) seeking information to better understand the existing practices of the U.S. electric industry to identify and mitigate vulnerabilities in the BPS supply chain. A copy of the RFI is available here. In particular, the DOE seeks responses to the questions outlined on Annex A below.

The deadline for responding to the RFI is August 7, 2020.

ANNEX A

In the RFI, the DOE seeks responses to the following questions:

1. Supply Chain
   General Note: With respect to the following questions, the DOE primarily seeks information about transformers, reactive power equipment (reactors and capacitors), circuit breakers, “generation (including power generation that is provided to the BPS at the transmission level and back-up generation that supports substations),” and “hardware and electronics associate with equipment monitoring, intelligent control, and relay protection.”
   1. Do energy sector asset owners and/or vendors conduct enterprise risk assessments, including a cyber-maturity model evaluation on a periodic basis?
   2. Do energy sector asset owners and/or vendors identify, evaluate, and/or mitigate the following:
      1. foreign ownership, control, and influence (FOCI) with respect to foreign adversaries with respect to access to company and utility data, product development, and source code (including research partnerships);
      2. potential supply chain risks from sub-tier suppliers, recognizing that some sub-tier supply chain manufacturers could have FOCI with respect to foreign adversaries; and
      3. assets and services critical risk tolerance regarding protecting these assets and services from FOCI?
   3. Are non-standard incentives or changes to established standard development organizations’ SCRM standards (including NIST 800 series, ISA/IEC 62443, NERC-CIP, and other Cyber Risk Maturity Model evaluations/practices) necessary to build capacity to protect source code, establish a secure software and firmware development lifecycle, and maintain software integrity? How are benchmarks documented and tracked, including:
      1. the ability to provide software, firmware, and hardware “bill of materials” (e.g., NTIA Software Component Transparency [see https://www.ntia.doc.gov/SoftwareTransparency] or equivalent industry norm) and track supply chain provenance and white-labeling;
      2. authentication practices that prevent tampering, unauthorized production, and counterfeits; and
      3. monitoring and tracking sub-tier supplier’s adherence to security requirements as part of the SCRM?
   4. What information is available concerning the following: BPS electric equipment cyber vulnerability testing standards, analyses of vulnerabilities, and information on compromises of BPS electric equipment over the last five years, including results of independent BPS electric equipment testing and penetration testing of enterprise systems for vulnerabilities (including methodology for discovery and remediation)?
      1. What process does the energy sector have to share information with utilities regarding vulnerabilities and vice versa? Are contingency plans in place? How is the effectiveness of vulnerability testing and mitigation efforts monitored, tracked, and audited?
      2. Is a record of an analysis of component vulnerabilities and any compromises of components and systems maintained for a specific period of time (e.g., five years)? If yes, are the results of independent component testing and penetration testing of enterprise systems for vulnerabilities (including timeline for discovery and remediation) also maintained?
      3. How are the results of independent component testing and penetration testing of enterprise systems for vulnerabilities (including timeline for discovery and remediation) maintained?
      4. How are vulnerabilities identified by external entities addressed? How is the distribution of information regarding patching security vulnerabilities in the supply chain facilitated?
      5. What insecure by design/vulnerable communication protocols exist today that should be retired or cannot be disabled or mitigated from BPS electric equipment (examples of protocols include Distributed Network Protocol 3 [DNP3], File Transfer Protocol [FTP], Telnet, or Modbus)?
   5. What governance of sub-tier vendors do energy sector asset owners and/or vendors have in place? Is contract language for Supply Chain Security included in procurement contracts? Are metrics for supply chain security, along with cost, schedule, and performance, maintained? What specific guidance should be developed for Integrator/Installer/Maintenance Service provider activities?
   6. Can energy sector asset owners and/or vendors document the level of engagement in information sharing and testing programs that identify threats and vulnerabilities and incorporation of indicators of compromise (e.g., Information Sharing and Analysis Center, Information Sharing and Analysis Organization)? Does the energy sector participate in a community for sharing supply chain risks? Does the energy sector encourage security-related information exchange with external entities, including the Federal government?
   7. What physical and logistical role-based access control policies have been developed to monitor and restrict access during installation when a foreign adversary, or associated foreign-owned, foreign-controlled, or foreign-influenced person, is installing BPS electric equipment at a BPS site in the United States? What policies and practices exist to ensure installers/integrators effectively protect the systems and components during installation and commissioning? What policies and practices are in place to ensure that service providers (including those providing remote monitoring and management of systems) effectively maintain the security protections of the systems and components they are monitoring? Does an insider threat program exist?
   8. Are there critical mineral or supply chain materials, and, if so, what are they?

2. Economic Analysis
   1. Within the BPS electric equipment definition[4], what are the estimated one-time and recurring costs of developing, implementing, and periodically revising compliance plans and procedures associated with the Executive Order, including, but not limited to:
      1. evaluating requirements.
      2. developing compliance plans and frameworks: Supply chain documentation, foreign involvement evaluations, risk assessments, and process reviews.
      3. implementing plans: New supplier processes and contractual provisions and supplier audits.
      4. supporting transaction reviews: Records retention and responding to information inquiries.
      5. negotiating agreements to mitigate concerns raised in connection with transactions.
      6. other compliance costs.
   2. Within the BPS electric equipment definition, are there categories of BPS electric equipment that are more reliant on vendors likely to become the subject of transaction reviews, and, if so, what are they? What are the sourcing challenges and cost impacts for companies facing prohibited transactions for those BPS electric equipment categories?
   3. Does the energy sector have a procedure to identify services, components, and/or systems that are or should be covered by EO 13920?
   4. What unique challenges could EO 13920 present to small businesses?

[1] Source: https://www.regulations.gov/document?D=DOE_FRDOC_0001-4018

[2] Id.

[3] Source: https://www.whitehouse.gov/presidential-actions/executive-order-securing-united-states-bulk-power-system/

[4] As defined in the EO, “bulk-power system electric equipment” means items used in bulk-power system substations, control rooms, or power generating stations, including reactors, capacitors, substation transformers, current coupling capacitors, large generators, backup generators, substation voltage regulators, shunt capacitor equipment, automatic circuit reclosers, instrument transformers, coupling capacity voltage transformers, protective relaying, metering equipment, high voltage circuit breakers, generation turbines, industrial control systems, distributed control systems, and safety instrumented systems.

[View source.]