On May 1, 2020, President Trump issued an “Executive Order on Securing the United States Bulk-Power System,” aimed at preventing cyberattacks to and interference by foreign adversaries with the US power grid. Specifically, the Order prohibits certain transactions for the procurement of bulk-power system1 (BPS) electric equipment if the US Department of Energy (in coordination with other national security and intelligence agencies) determines that the BPS equipment was produced by, or has another connection with, a foreign adversary and the transaction presents a heightened security risk.2 This Order is one of a series of recent actions of the US government to address cybersecurity concerns over the United States’ critical infrastructure.3
Under the Order, persons (and property) subject to US jurisdiction are prohibited from acquiring, importing, transferring, or installing BPS electric equipment supplied by a foreign party or containing non-US components if the US Department of Energy (DOE) (in coordination with other agencies, such as the US Department of Defense and US Department of Homeland Security) determines that: (i) the BPS electric equipment was “designed, developed, manufactured, or supplied, by persons” who are owned, controlled, or subject to “the jurisdiction or direction of a foreign adversary”; and (ii) the transaction presents a heightened security risk. DOE must find both that the BPS electric equipment was produced by a foreign adversary and that one of the specified types of security risk exists for a transaction to be prohibited.
There are three types of security risks that could trigger a determination from DOE that the transaction should be prohibited. They are specifically: (a) “an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of the bulk-power system in the United States;” (b) “an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the economy of the United States”; or (c) “an unacceptable risk to the national security of the United States or the security and safety of United States persons.” The third risk category provides DOE extremely broad discretion to make a finding, as national security is not defined for purposes of the Order.
The types of BPS electric equipment covered by the Order is limited to the items specifically listed. The listed equipment includes: “items used in bulk-power system substations, control rooms, or power generating stations, including reactors, capacitors, substation transformers, current coupling capacitors, large generators, backup generators, substation voltage regulators, shunt capacitor equipment, automatic circuit reclosers, instrument transformers, coupling capacity voltage transformers, protective relaying, metering equipment, high voltage circuit breakers, generation turbines, industrial control systems, distributed control systems, and safety instrumented systems.” Unless the transaction involves one or more of the items listed above, it is not covered by the Order.
DOE is required to publish rules or regulations implementing the Order within 150 days from the date of the Order (May 1, 2020). Those rules or regulations may identify persons and governments considered to be foreign adversaries under the Order, equipment that presents particular security concerns, and/or procedures for licensing transactions. Additionally, DOE may implement other measures to lessen the potential impact on transactions that would otherwise be subject to DOE’s review (“covered transactions”). For example, DOE may exempt whole classes of covered transactions, and/or establish criteria to create a “pre-qualified” list of particular equipment and vendors that are approved under the Order.
As a result of the Order’s broad grant of authority to DOE, it will be difficult to determine the full impact of the Order until DOE implements rules and regulations or issues detailed explanatory guidance. (DOE has published a press release, FAQs, and short overview all of which generally describe the Order’s purpose and requirements.).4 Until then, businesses should be apprised of the following key aspects of the rule and consider whether a transaction may be covered under the rule.
1. What transactions are covered?
The Order states that its restrictions apply to persons and property “subject to the jurisdiction of the United States” but does not define that phrase or provide any clarity on what transactions are subject to US jurisdiction for purposes of the Order. Because the language is broad and undefined, the Order could theoretically apply to both US and non-US companies’ transactions for BPS equipment for use outside the United States. (Companies incorporated or headquartered in the US are clearly subject to US jurisdiction, and a non-US company’s transaction with a sufficient US connection could be covered as well.) However, given the purpose and aim of the Order, it is unlikely that it would apply to a transaction involving BPS electric equipment for use outside the United States.
The Order is aimed at protecting the United States’ power grid from cyberattacks and foreign adversaries. For example, it describes the national security threat, stating that to “address this threat, additional steps are required to protect the security, integrity, and reliability of bulk-power system electric equipment used in the United States.” Further, the Order declares a national emergency “with respect to the threat to the United States bulk-power system.” (Emphasis added.). There is little indication that the Order was intended to have extraterritorial effect, such as by covering a US company’s transaction for BPS equipment that would be used or installed in a location outside the US (i.e., a foreign country). Additionally, DOE is likely to find it difficult to make the required security risk finding where the BPS equipment would be installed outside the United States.
2. When will new requirements apply?
For a transaction to be subject to the Order, it must to have been “initiated after the date of this order” (May 1, 2020). While this language would likely implicate the purchase for BPS electric equipment when an offer is made, or negotiations have begun, after May 1, it does give rise to questions about when a transaction would be treated as having been “initiated.” For example, it is not clear whether the Order would apply to the transfer of BPS electric equipment where commercial negotiations have already begun but a formal procurement agreement has not been drafted.
An additional concern regarding timing is the Order’s potential to apply retroactively to previously installed BPS electric equipment. Notably, DOE is required to identify BPS electric equipment that is produced by foreign adversaries and presents a national security risk, and to “develop recommendations on ways to identify, isolate, monitor, or replace such items as soon as practicable.” DOE could make recommendations to the President on types of BPS equipment that present particular concerns, which could lead to additional actions or required measures with respect to existing installed equipment. However, it should be noted that DOE is only authorized to make recommendations on this issue and is not required to implement rules or regulations that would mandate that companies retrofit their facilities.
3. Who are "Foreign Adversaries"?
It is not clear what governments or persons the DOE will consider to be “foreign adversaries” for the purposes of the Order. The Order defines a “foreign adversary” as “any foreign government or foreign non-government person engaged in a long term pattern or serious instances of conduct significantly adverse to the national security of the United States or its allies or the security and safety of United States persons.” Under Section 2(b) of the Order, DOE has the authority (although is not required) to: “determine that particular countries or persons are foreign adversaries exclusively for the purposes of this order,” and “identify persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries exclusively for the purposes of this order.”
While DOE has not published a list of governments or persons that are considered to be “foreign adversaries,” there are some obvious candidates, particularly China. The US government has consistently named China and Russia as foreign competitors that pose cybersecurity threats. (Iran and North Korea have also been accused of presenting a high cybersecurity risk.)5 China is a major producer of electric equipment and therefore Chinese companies and entities are the most likely target(s) that will be considered foreign adversaries by DOE under the Order.
The BPS electric equipment Executive Order is likely to present significant challenges for companies acquiring critical US power grid components, particularly from China. Certain transactions may simply be prohibited by DOE, while others may be specifically allowed through the issuance of a general exemption or pre-qualification approval. The full impact of the Order will not be known until the DOE issues regulations and issues explanatory guidance. However, DOE has stated that it will work with stakeholders during the rulemaking process to clarify issues and concerns presented by the Order. DOE is hosting discussions in the coming days to provide interested parties with an opportunity to ask specific questions relevant to their business.
1 “Bulk-power systems” (BPS) are: “(i) facilities and control systems necessary for operating an interconnected electric energy transmission network (or any portion thereof); and (ii) electric energy from generation facilities needed to maintain transmission reliability.” The definition does not include facilities used in local distribution of electricity, but does include transmission lines rated at 69,000 volts (69 kV) or more.
2 Note that the Order additionally establishes an energy infrastructure procurement “Task Force” comprised of the heads of various national security, infrastructure, and US economy focused agencies (including the US Department of Defense, the Department of the Interior, the Department of Commerce, the Department of Homeland Security, the Office of the Director of National Intelligence, and the Office of Management and Budget). The Order authorizes the Task Force to undertake various activities (including conducting studies) and is additionally required to develop energy infrastructure government procurement policies and procedures. The focus of this alert however, is on the Order’s prohibitions on commercial transactions under Section 1, rather than the Task Force and government procurement concerns addressed under Section 3.
3 For example, on May 4, 2020, the US Department of Commerce announced a new Section 232 investigation on imports of laminations and wound cores for incorporation into transformers, electrical transformers, and transformer regulators.The investigation will determine whether these items, critical components in the US energy infrastructure, are being imported into the US in such a way that threatens US national security. DOE has stated that it is working with Commerce to avoid duplicative work efforts and to “leverage the work of the other.” See US Department of Energy, “Executive Order on Securing the United States Bulk-Power System Frequently Asked Questions,” (May 2020).
4 Additionally, DOE is hosting two stakeholder calls – on Thursday, May 14 and May 21, 2020, from 12 pm – 1 pm ET – which will discuss the Order. Interested parties can register online through DOE’s BPS EO webpage. Interested parties may also email specific questions to DOE via bulkpowersystemEO@hq.doe.gov.
5 See the US National Counterintelligence and Security Center, “National Counterintelligence Strategy of the United States of America 2020-2022,” (January 2020); Office of the Director of National Intelligence, “Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community,” (January 2019), President of the United States, “National Cyber Strategy of the United States,” (September 2018); President of the United States, “National Security Strategy of the United States,” (December 2017).