On April 20, 2021, the U.S. Department of Energy (DOE or the “Department”) issued an order1 revoking its Prohibition Order Securing Critical Defense Facilities, issued December 17, 2020,2 which we summarized here. DOE’s actions come exactly 90 days after President Biden’s Executive Order 13990 on Protecting Public Health and the Environment and Restoring Science to Tackle the Climate Crisis, issued January 20, 2021.3 EO 13990 suspended former President Trump’s Executive Order 13920 on Securing the United States Bulk-Power System,4 issued May 1, 2020, for 90 days, and directed the Secretary of Energy and the Director of the Office of Management and Budget (OMB) to “consider whether to recommend that a replacement order be issued.”5 Following the expiration of the 90-day suspension, EO 13920 is back in effect.6 Also on April 20, 2021, DOE issued a Request for Information (RFI) intended “to develop a strengthened approach to address the supply chain security of the U.S. electricity subsector,”7 and kicked off a new, 100-day plan to address cybersecurity risks to the U.S. electric system.8
The Revocation Order and RFI are generally positive developments for utilities subject to the Prohibition Order, some of which struggled to develop compliance strategies to address vague and ambiguous aspects of EO 13920 and the Prohibition Order, as well as other electric industry players who do business with such utilities. Overall, the RFI represents significant progress in that it seeks feedback from diverse groups to inform whether and how to advance the Biden-Harris administration’s electric system security priorities—which did not occur before EO 13920—and seems likely to produce better-developed, targeted policy than EO 13920, which many viewed to be so overly broad as to be unworkable, and the Prohibition Order. However, certain of DOE’s questions in the RFI suggest the possibility of expansion of the scope or requirements of potential future actions similar to EO 13920 and the Prohibition Order, which could subject additional entities or business activities to restrictions. Thus, it will be critical for interested parties to make their views known to DOE in response to the RFI and to encourage any future action to be clearly explained and implemented.
EO 13920 “declared an emergency that authorized the Secretary of Energy . . . to, among other actions, prohibit the acquisition, transfer, or installation of certain [bulk-power system (BPS)] electric equipment sourced from foreign adversary countries for one year.”9 In the Prohibition Order, DOE exercised its EO 13920 authority and prohibited the “acquisition, importation, transfer, or installation of specified [BPS] electric equipment that directly serves Critical Defense Facilities”10 (CDFs), which are facilities designated as such by the Secretary of Energy that are “located in the 48 contiguous States and the District of Columbia that are—(1) critical to the defense of the United States; and (2) vulnerable to a disruption of the supply of electric energy provided to such facility by an external provider.”11 The Prohibition Order targeted certain equipment and components “manufactured or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of” the People’s Republic of China.12
The Revocation Order
The Revocation Order recognizes that “[a]dversarial nation-state actors are targeting our critical infrastructure, with increasing focus on the energy sector,”13 and notes that DOE, to address such threats, “is engaged in partnership with the electricity subsector and other Federal agencies . . . in a comprehensive set of actions to strengthen supply chain risk management.”14 DOE also states that it “is developing recommendations to strengthen requirements and capabilities for supply chain risk management practices by the Nation’s electric utilities . . . to enable an approach that builds on, clarifies, and, where appropriate, modifies prior executive and agency actions.”15 The purpose of the Revocation Order, DOE states, is “to create a stable policy environment before the emergency declaration made by [EO 13920] expires on May 1, 2021, and while [DOE] conducts a Request for Information to develop a strengthened and administrable strategy to address the security of the U.S. energy sector.”16
The New RFI
Also on April 20, 2021, DOE issued the referenced Request for Information (RFI).17 The RFI states that the “United States Government recognizes the immediate imperative to secure our electric infrastructure” and that “[t]he electric power system is vital to the Nation’s energy security, supporting national defense, emergency services, critical infrastructure, and the economy.”18 Accordingly, the focus of the RFI is “[p]reventing exploitation and attacks by foreign threats to the U.S. supply chain.”19
The RFI explains that, in the process of developing recommendations as required by EO 13990, DOE “identified opportunities to institutionalize change, increase awareness, and strengthen protections against high-risk electric equipment transactions by foreign adversaries, while providing additional certainty to the utility industry and the public.”20 Accordingly, DOE “is seeking information from electric utilities, academia, research laboratories, government agencies, and other stakeholders on various aspects of the electric infrastructure” to inform consideration by the Biden-Harris administration regarding “whether to recommend a replacement Executive Order that appropriately balances national security, economic, and administrability considerations.”21 The RFI also notes that the Biden-Harris administration “is addressing critical infrastructure security through various actions and considers the protection and resilience of energy infrastructure to be a part of that comprehensive strategy,” which includes the “100-day sprint” to identify and develop recommendations regarding various supply chain risks initiated by Executive Order 14017 on America’s Supply Chains, issued February 24, 2021.22
The RFI includes a number of specific questions for stakeholders. Some topics include:
- Recommendations for how DOE, in coordination with “the utility industry and appropriate regulators at all levels of government,” can develop a comprehensive, long-term strategy to address security concerns arising from foreign threats to the U.S. supply chain for electric power system equipment so that “procurement practices and requirements evolve to match changes in the threat landscape and best protect critical infrastructure.”23
- How to “enable better testing of critical grid equipment, encourage better procurement and risk management practices, and develop a strong domestic manufacturing base with high levels of security and resilience.”24
- How to “mitigate the risks associated with potentially compromised grid equipment that is already installed on the system, along with the potential costs and benefits of addressing such equipment.”25
- The “advisability and feasibility of an expanded approach that would cover distribution facilities that serve CDFs” due to “the interconnected nature of the U.S. transmission and distribution networks across the U.S.”26
- Whether DOE should, in addition to addressing Defense Critical Electric Infrastructure serving CDFs in a manner similar to the Prohibition Order, “seek to issue a Prohibition Order or other action that covers electric infrastructure serving other critical infrastructure sectors including communications, emergency services, healthcare and public health, information technology, and transportation systems,” and/or other “national critical functions.”27
The New Cybersecurity Initiative
Concurrently with the Revocation Order and RFI, DOE “launched an initiative to enhance the cybersecurity of electric utilities’ industrial control systems (ICS) and secure the energy sector supply chain” to help “safeguard U.S. critical infrastructure from persistent and sophisticated threats.”28 According to a DOE press release, “[t]his 100 day plan—a coordinated effort between DOE, the electricity industry, and the Cybersecurity and Infrastructure Security Agency (CISA)—represents swift, aggressive action to confront cyber threats from adversaries who seek to compromise critical systems that are essential to U.S. national and economic security.”29
The initiative will “modernize cybersecurity defenses” and:
- “Encourage owners and operators to implement measures or technology that enhance their detection, mitigation, and forensic capabilities;”
- “Include concrete milestones over the next 100 days for owners and operators to identify and deploy technologies and systems that enable near real time situational awareness and response capabilities in critical [ICS] and operational technology (OT) networks;”
- “Reinforce and enhance the cybersecurity posture of critical infrastructure information technology (IT) networks;” and
- “Include a voluntary industry effort to deploy technologies to increase visibility of threats in ICS and OT systems.”30
Comments on the RFI will be due 45 days after its publication in the Federal Register. It appears that DOE anticipates that the deadline will be Monday, June 7, 2021.31
DOE intends to use the comments “to evaluate new executive actions to further secure the nation’s critical infrastructure against malicious cyber activity and strengthen the domestic manufacturing base.”32 DOE also states that, “during the period of time in which further recommendations are being developed, [it expects that] utilities will seek to act in a way that minimizes the risk of installing electric equipment and programmable components that are subject to foreign adversaries’ ownership, control, or influence.”33 Accordingly, while the compliance situation remains in flux, both utilities that were subject to the Prohibition Order and other industry players implicated by the broad strokes of EO 13920 should remain vigilant with respect to potential threats to their systems and facilities and continue to think about ways to mitigate supply chain and operational risks. And because it is likely that stakeholder comments will inform any future Biden-Harris administration actions in this area, stakeholders should take full advantage of this additional opportunity to share their views with DOE.
With respect to the cybersecurity initiative, “[o]ver the next 100 days, DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER)—in partnership with electric utilities—will continue to advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control systems of electric utilities.”34
Additional information regarding DOE’s efforts to secure critical electric infrastructure is available here.
1 U.S. Dep’t of Energy, Revocation of Prohibition Order Securing Critical Defense Facilities (6450-01-P), at 1 (Apr. 20, 2021), https://www.energy.gov/sites/deault/files/2021-04/Revocation%20of%20Prohibition%20Order%200420
2021.pdf (“Revocation Order”).
2 U.S. Dep’t of Energy, Prohibition Order Securing Critical Defense Facilities, 86 Fed. Reg. 533 (Jan. 6, 2021), https://www.govinfo.gov/content/pkg/FR-2021-01-06/pdf/2020-28773.pdf (“Prohibition Order”).
3 Executive Order 13990, Protecting Public Health and the Environment and Restoring Science to Tackle the Climate Crisis, 86 Fed. Reg. 7037 (Jan. 25, 2021), https://www.govinfo.gov/content/pkg/FR-2021-01-25/pdf/2021-01765.pdf (“EO 13990”).
4 Executive Order 13920, Securing the United States Bulk-Power System, 85 Fed. Reg. 26595 (May 4, 2020), https://www.govinfo.gov/content/pkg/FR-2020-05-04/pdf/2020-09695.pdf (“EO 13920”).
5 EO 13990 at 7042.
6 Press Release, U.S. Dep’t of Energy, Biden Administration Takes Bold Action to Protect Electricity Operations from Increasing Cyber Threats (Apr. 20, 2021), https://www.energy.gov/articles/biden-administration-takes-bold-action-protect-electricity-operations-increasing-cyber-0.
7 U.S. Dep’t of Energy, Notice of Request for Information (RFI) on Ensuring the Continued Security of the United States Critical Electric Infrastructure (6450-01-P), at 5 (Apr. 20, 2021), https://www.energy.gov/sites/default/files/
8 Press Release, supra note 6, at 1.
9 Revocation Order at 2 (citing EO 13920 at 26595-96).
10 Prohibition Order at 533.
11 16 U.S.C. § 824o-1(c) (2018).
12 Prohibition Order at 534.
13 Revocation Order at 1.
15 Id. at 1-2.
16 Id. at 3.
17 RFI at 1.
18 Id. at 1.
21 Id. at 1-2.
22 Id. at 3-4; Executive Order 14017, America’s Supply Chains, 86 Fed. Reg. 11849 (Mar. 1, 2021), https://www.govinfo.gov/content/pkg/FR-2021-03-01/pdf/2021-04280.pdf.
23 RFI at 7.
26 Id. at 9.
27 Id. The RFI defines “national critical functions” as “functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” Id. at 9, n.12 (citing Executive Order 13865, Coordinating National Resilience to Electromagnetic Pulses, 84 Fed. Reg. 12041 (Mar. 29, 2019)).
28 Press Release, supra note 6, at 1.
31 U.S. Dep’t of Energy, Securing Critical Electric Infrastructure, https://www.energy.gov/oe/securing-critical-electric-infrastructure (last visited Apr. 20, 2021).
32 Press Release, supra note 6, at 1.
33 RFI at 6.
34 Press Release, supra note 6, at 1.