On September 17, 2020, the Federal Energy Regulatory Commission (FERC or the “Commission”) issued a Notice of Inquiry (NOI) seeking comments on “potential risks to the bulk electric system posed by using equipment and services produced or provided by entities identified as risks to national security.”1 The NOI focuses on certain entities that have been designated as risks to national security (“Covered Companies”)2 that are owned, controlled or otherwise connected to China and “other nation-state adversaries.”3
FERC stated that, since it approved the first set of supply chain risk management Reliability Standards in Order No. 850 in October 2018,4 “there have been significant developments in the form of Executive Orders, legislation, as well as federal agency actions that raise concerns over the potential risks posed by the use of equipment and services provided by [such] entities.”5 These include President Trump’s May 2019 Executive Order 13873 on “Securing the Information and Communications Technology and Services Supply Chain” and May 2020 Executive Order on “Securing the United States Bulk-Power System,” the latter of which we addressed here and here.
Citing the “critical role played by communications networks in maintaining bulk electric system reliability by, among other things, helping to maintain situational awareness and reliable bulk electric system operations through timely and accurate measurement, collection, processing of bulk electric system status and information exchange among control centers,” FERC found it “necessary . . . to understand the risk to bulk electric system reliability posed by the use of equipment and services provided by . . . entities identified as risks to national security.”6 Equipment of concern includes networking and telecommunications equipment and components as well as other “electrical equipment commonly used in substations, generating stations, and control rooms.”7
FERC seeks comments on the following six issues:
- The extent of the use of equipment and services provided by Covered Companies related to bulk electric system operations.
- The risks to bulk electric system reliability and security posed by the use of such equipment and services provided by Covered Companies.
- Whether current Critical Infrastructure Protection (CIP) Reliability Standards adequately mitigate the identified risks.
- What mandatory actions FERC could consider taking to mitigate the risk of equipment and services of concern.
- Strategies that entities have implemented or plan to implement—in addition to compliance with the mandatory CIP Reliability Standards—to mitigate the risks associated with use of equipment and services of concern.
- Other methods FERC might employ to address its concerns, including working collaboratively with industry to raise awareness about the identified risks and assisting with mitigating actions (i.e., such as facilitating information sharing).8
FERC included a set of specific questions for commenters to address, but noted that commenters need not address every issue or answer every question.9 Chairman Neil Chatterjee noted during FERC’s open meeting on September 17, 2020, that, “although the [bulk-power system] executive order did not include any directives to this Commission, I believe it is incumbent on us as the agency overseeing the reliability and security of the grid to fully understand these risks and take appropriate action. That is exactly what we are doing by issuing today’s Notice of Inquiry. Once comments are filed, we will review the record and determine what further actions the Commission should take.”
Commissioner Richard Glick added that he believes “it is likely that [FERC] will need to do more than [it] and NERC have already done with regard to protecting the supply chain,” noting that while the NOI repeatedly references equipment provided by certain entities with ties to China, FERC’s “inquiry goes further than that. We also need to consider threats from equipment and services provided by other entities, including companies with ties to Russia and Iran.” He also noted that he is pleased that FERC is “looking beyond hardware equipment” because “software provided by entities with connections to adversaries [may] also pose a threat.”
Comments on the NOI are due November 23, 2020, and reply comments are due December 22, 2020.10
1 Equip. & Servs. Produced or Provided by Certain Entities Identified as Risks to Nat’l Sec., 85 Fed. Reg. 59,785, at P 1 (Sept. 23, 2020) (NOI).
2 Id. PP 11, 19.
3 Id. P 14.
4 Supply Chain Risk Mgmt. Reliability Standards, Order No. 850, 165 FERC ¶ 61,020 (2018) (approving Reliability Standards CIP-013-1 (Cyber Security – Supply Chain Risk Management), CIP-005-6 (Cyber Security – Electronic Security Perimeter(s)), and CIP-010-3 (Cyber Security – Configuration Change Management and Vulnerability Assessments)).
5 NOI at P 3.
6 Id. P 16.
7 Id. PP 17, 18.
8 Id. P 4.
9 Id. P 20.
10 Id. P 21.