On July 8, 2020, the U.S. Department of Energy (“DOE”) released a Request for Information (“RFI”), requesting public comments by August 7 on Executive Order 13920 that President Trump issued on May 1, 2020, entitled: “Securing the United States Bulk-Power System,” (the “EO”). The EO declares a “national emergency” with respect to U.S. electrical grid infrastructure threats and institutes a broad prohibition on bulk-power system (“BPS”) electric equipment that could be manipulated or exploited by “foreign adversaries.” The EO and RFI formally set in motion a regulatory process for the issuance of regulations by the U.S. Department of Energy (“DOE”) by September that will likely include ‘blacklisted’ and ‘pre-qualified’ foreign equipment suppliers, and criteria for the U.S. government to evaluate and approve or block individual commercial transactions.
National Security Context and Prohibition
Without providing many details, the EO invokes existing national security powers and finds that the U.S. faces numerous national security threats from the “unrestricted acquisition or use” of BPS electric equipment “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries.” The RFI explicitly identifies China and Russia maintaining advanced “cyber programs” and malware capabilities, which could be used in ‘Trojan horse’ scenarios, for example, in which backdoor controls or other vulnerabilities are built into equipment that can be exploited by foreign entities to damage U.S. interests through power outages or more targeted disruptions, including military and other national security communications. The EO marks the first time that the U.S. government has used powers under the International Emergency Economic Powers Act (“IEEPA”) to address homeland security risks involving critical infrastructure.
Consistent with past IEEPA executive orders that precede the issuance of more tailored regulations, the EO institutes a broad prohibition on the “acquisition, importation, transfer, or installation” of any BPS electric equipment by any person if the U.S. Secretary of Energy (the “Secretary”) has determined (in consultation with other federal agencies) that such transaction:
- Is “initiated” after May 1, 2020;
- Involves any property in which a foreign country (or a national thereof) has any interest (including through an interest in a contract for the provision of such equipment);
- Involves “bulk-power system electric equipment designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary”; and
- Poses an unacceptable risk to the physical or economic well-being of the nation.
Definitions and Covered Equipment
The EO provided few details on what persons qualify as foreign adversaries, but the RFI clarifies that the current list consists of the governments of the following countries: The People’s Republic of China, the Republic of Cuba, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, the Russian Federation, and the Bolivarian Republic of Venezuela.
Under the EO, the term “bulk-power system” is defined as “(i) facilities and control systems necessary for operating an interconnected electric energy transmission network (or any portion thereof); and (ii) electric energy from generation facilities needed to maintain transmission reliability,” including transmission lines over 69 kV, but excluding “facilities used in the local distribution of electric energy.”
“Bulk-power system electric equipment” is defined as “items used in bulk-power system substations, control rooms, or power generating stations, including reactors, capacitors, substation transformers, current coupling capacitors, large generators, backup generators, substation voltage regulators, shunt capacitor equipment, automatic circuit reclosers, instrument transformers, coupling capacity voltage transformers, protective relaying, metering equipment, high voltage circuit breakers, generation turbines, industrial control systems, distributed control systems, and safety instrumented systems.” Items not included in the preceding list and “that have broader application of use beyond the bulk-power system are outside the scope of [the EO].”
The EO places the Secretary, and thus the DOE, in charge of implementing many of the regulatory prescriptions of the EO, including requiring DOE in consultation with other federal agencies to publish rules or regulations within 150 days of the date of the EO (September 28, 2020). The EO expressly contemplates regulations that could (among other things):
- Identify particular countries or persons that qualify as “foreign adversaries” or “owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries” for purposes of the Order;
- Identify a ‘blacklist’ of particular equipment or entities that warrant particular scrutiny;
- Designate particular equipment and vendors as “pre-qualified” for transactions;
- Establish criteria for pre-qualification; and
- Establish procedures to license transactions otherwise prohibited, including mitigation procedures or other actions as a pre-condition to DOE approval of a “single transaction or class of transactions.”
The EO also creates an interagency Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security to coordinate U.S. government procurement of energy infrastructure and the sharing of risk information and risk management practices.
In subsequent informal briefings to energy industry stakeholders, DOE officials stressed that the blacklist will be applied surgically and strategically using a risk-based approach. Officials indicated they intend to bolster their inter-agency collaboration with industry input through the RFI, inviting companies to submit information to be considered for pre-qualification. Such RFI and pre-qualification process could include government testing of equipment. In a subsequent Q&A from early May of 2020, (the “Q&A”) the DOE stated that mitigation measures may also include inspecting manufacturing plants. Aside from formal RFI comments, questions and comments may be submitted to firstname.lastname@example.org. DOE plans to publish answers to questions online.
RFI Seeks Public Input and Provides More Insight into Contemplated Threats
DOE’s RFI focuses on gathering input on safeguarding supply chains and understanding the economic implications of the EO.
With respect to BPS supply chains, the RFI seeks system-wide information and specific component-level company practices. The RFI asks how the energy sector and vendors consider and evaluate enterprise risk assessments, including a cyber maturity model evaluation on a periodic basis. Noted areas of concern are company and utility data, the integrity of the software/firmware development lifecycle, and source code protection (including research partnerships). The RFI requests information on the challenges with working with "sub-tier suppliers," the quality of bill of materials, and practices utilized to prevent tampering, unauthorized production, and counterfeits. The RFI also requests information on the capability of the energy sector to share information within the sector on such vulnerabilities. The RFI also requests feedback with respect to equipment construction and commissioning, which may preview how EPC or other construction contracts could be revisited along with equipment supply contracts to account for eventual DOE regulations:
- What physical and logistical role-based access control policies have been developed to monitor and restrict access during installation when a foreign adversary, or associated foreign-owned, foreign-controlled, or foreign-influenced person is installing BPS electric equipment at a BPS site in the U.S.?
- What policies and practices exist to ensure installers/integrators effectively protect the systems and components during installation and commissioning?
- What policies and practices are in place to ensure that service providers (including those providing remote monitoring and management of systems) effectively maintain the security protections of the systems and components they are monitoring?
- Does an insider threat program exist?
It is also noteworthy that DOE expressly inquires about how DOE should address transformers (including generation step-up transformers), reactive power equipment (reactors and capacitors), circuit breakers, and generation (including power generation that is provided to the BPS at the transmission level and back-up generation that supports substations). The RFI notes this includes both the hardware and electronics associated with equipment monitoring, intelligent control, and relay protection. The RFI also clarifies that only transformers rated at 20 MVA and with a low-side voltage of 69 kV and above are included.
With respect to DOE's economic analysis, DOE requests information on one-time and recurring costs of compliance, from developing compliance plans to negotiating agreements to mitigate concerns generated by the EO. DOE also seeks to clarify if there are certain categories of BPS electric equipment that are more reliant on vendors that are likely to become the subject of transaction reviews. DOE also directly invites the public to identify and explain the services, components, and systems that should or should not be covered by the EO. Lastly, the RFI asks for any challenges posed by the EO that are unique to small businesses.
Impact – Equipment and Commercial Applications
The exact universe of equipment and vendors covered by the EO is unclear. On one hand, the EO consistently refers to bulk power and exempts listed items that have “broader application of use beyond the bulk-power system.” In addition, the EO expressly covers only transmission lines rated at 69 kV or more, and expressly exempts “facilities used in the local distribution of electric energy.” The DOE clarified in the Q&A that they chose 69 kV because “[d]istribution line voltage typically does not exceed 69-kV in the United States; the Executive Order’s definition is designed to cover transmission lines including those operating in the lower voltage range of 69-kV to 110-kV. The Department’s Power Marketing Administrations, as well as some smaller utilities, utilize 69-kV lines for transmission.” This would appear to exempt generation facilities like renewables and traditional power.
On the other hand, the BPS is also described to include “electric energy from generation facilities needed to maintain transmission reliability” and includes items used in “power generating stations.” Moreover, the RFI clearly identifies generation step-up transformers among the universe of transformers at issue. More generally, the EO specifically lists over 20 bulk-power components, and the DOE stated in the Q&A that any components not included in the EO list or “that have a broader application of use beyond the bulk-power system” are not covered by the EO. It is unlikely that a solar PV module would be blacklisted, for example, but it is less clear how the regulations would characterize onshore wind projects that often have higher-voltage connections and regularly source related components from Chinese suppliers. The EO does not appear to distinguish between types of energy generation. The Q&A clarifies that “the Administration supports an ‘all of the above’ approach to generation. [The] Executive Order applies only to the bulk-power system, which would include electric energy from generation facilities needed to maintain transmission reliability.”
By comparison, application of the EO to energy storage is even more uncertain given the more dynamic interaction between batteries and the electrical grid. Utility-scale energy storage systems often operate, on a standalone basis or paired on-site with renewable energy generation like solar and wind, to provide grid services like frequency regulation to balance the electrical grid in real-time, as well as smooth the operational profile of intermittent renewable resources. Storage systems can also be used to provide black start capabilities, and the RFI identifies black start systems as a specific essential reliability service of interest. Energy storage projects can be interconnected at various stages of generation, distribution, and transmission. Furthermore, many commentators have interpreted the EO to generally exempt components used in behind-the-meter applications for residential and commercial solar+storage projects, but installers are already executing utility contracts to provide grid-level services with aggregated batteries installed at homes and office buildings. Just as the energy sector is navigating the transition of the grid to a more distributed, de-centralized, and interactive network, it remains to be seen how DOE regulations will evaluate the associated security implications of consumer systems on an aggregated basis.
Impact – Commercial Transactions
The EO provides no interim guidance to parties initiating transactions with suppliers between May 1 and the issuance of regulations. On a practical level, however, it has been the federal government’s practice to focus enforcement on commercial transactions occurring after regulations set forth clear rules for blacklisted and pre-approved entities or equipment. The DOE stated more directly in its Q&A that, “As of today, no equipment is prohibited.”
Unlike other federal interventions like trade tariffs that are customarily assessed when components enter the United States, the EO makes clear that DOE’s forthcoming restrictions can be applied to newly-executed contracts and importation of components, as well as the subsequent transfer of equipment already in the United States, and, finally, the construction/installation of such equipment. Therefore, a party may import certain BPS electric equipment before May 1, 2020, but may be restricted from transferring the equipment to another party if the DOE blacklists such equipment before the transfer. The EO does not specify whether restrictions would apply to upstream changes in control. Similarly, sponsors and construction service providers could be stuck with unusable equipment if they are ready to begin constructing facilities and certain equipment or suppliers to the project are blacklisted.
However, until regulations are issued, parties contracting with foreign equipment suppliers should consider counterparties’ risk for being blacklisted, as well as evaluate internal capabilities and third-party construction vendors’ practices to incorporate more robust national security assessments of electrical infrastructure projects going forward.