New DOE document names China, Russia as threats to US bulk power system

A US Department of Energy RFI seeks information on energy industry's supply chain security practices following executive order to develop industry regulations.

On May 1, the Trump Administration issued an Executive Order on Securing the United States Bulk Power System that seeks to remove from the power grid crucial electric equipment supplied by vendors from foreign adversarial nations. Yesterday, the Department of Energy (DOE), Office of Electricity issued a request for information (RFI) “seeking information to understand the energy industry’s current practices to identify and mitigate vulnerabilities in the supply chain for components of the bulk-power system (BPS).”

The RFI is a follow-on to the executive order (EO), which directs the Energy Department, in consultation with other agencies, to develop regulations implementing its goals through a rulemaking process. The EO defines electric equipment as items used in substations, control rooms and power generating stations, including reactors, capacitors, substation transformers, large generators, voltage regulators, along with several other defined pieces of electrical equipment.

Russia and China named “adversarial nation threats”

Unlike the executive order, the RFI explicitly names China and Russia as the biggest adversarial nation threats to the bulk power system because they both “possess highly advanced cyber programs and…both nations pose a major threat to the US government, including, but not limited to, military, diplomatic, commercial and critical infrastructures.” Relying on an assessment by the Office of the Director of National Intelligence’s (ODNI) National Counterintelligence and Security Center (NCSC), the RFI says that the US bulk power system is a target for both of these “near-peer adversaries” who are mapping “US critical infrastructure with the long-term goal of being able to cause substantial damage.”

The RFI further says that these adversaries are attempting to access critical infrastructure supply chains at multiple points by inserting malware into technology networks and communications systems. To address the national security implications of the bulk power supply chain, DOE's RFI focuses on "evidence-based cybersecurity maturity metrics" and foreign ownership, control, and influence (FOCI) to limit procurements and assess the consequences of insufficient supply chain control.

DOE seeks industry input on priorities, processes

In its RFI, DOE narrows the EO’s broad equipment focus to “enable a phased process by which the department can prioritize the review of BPS electric equipment by function and impact to the overall BPS.” The particular categories of equipment that DOE has narrowed its focus on are:

  • High-voltage transformers (including generation step-up transformers)
  • Reactive power equipment (reactors and capacitors)
  • Circuit breakers
  • Generation (including power generation that is provided to the BPS at the transmission level and back-up generation that supports substations)

The department seeks answers to many specific, exacting and complex questions from utility owners and operators and their vendors. These questions cover a vast amount of supply chain territory ranging from whether utilities and vendors conduct enterprise risk assessments to the level of governance of subcontractors to the access control policies that apply to vendors that have foreign ownership, control or influence.

NERC issues supply chain alert

DOE wants all interested parties to answer these and other questions within a month, by August 7. Adding to the challenge utilities and vendors could face in answering these questions so quickly is a separate but concomitant effort by the North American Electric Reliability Corporation (NERC), a quasi-governmental organization that has already established mandatory security standards for the electric industry. Yesterday NERC issued an alert, “Securing the United States’ Bulk Power System, Supply Chain III,” simultaneous with the release of DOE's RFI.

Although the contents of the alert are confidential and restricted to electric utilities, NERC tells CSO in a statement that it issued the document to “continue gathering information on the use of foreign BPS equipment.” Electric utilities are required to acknowledge receipt of the alert by July 16 and respond to the alert’s recommendations by August 21.

Energy security RFI well received

“I think [the DOE’s RFI] a good first step,” Patrick Miller, founder of energy security consortium EnergySec and now managing partner of energy consulting firm Archer Security, tells CSO. “I think it’s good that they’re asking the industry for input.”

Founder and CEO of ICS security consulting firm Digital Bond, Dale Peterson, agrees. “It is expected and good that DOE is putting out this RFI in response to the executive order,” he says. Peterson is particularly pleased that DOE is asking which communications protocols used in the power grid are insecure by design, such as Distributed Network Protocol 3 (DNP3), File Transfer Protocol (FTP), Telnet, or Modbus. “I have been beating that drum since 2012,” he says.

One utility, the Western Area Power Administration (WAPA), a federally owned power company that is managed by DOE, naturally supports what the administration is trying to achieve through the executive order. “Anything we can do to protect the bulk electric system from potential adversaries is very much needed and required these days when there are continuous threats to the most critical infrastructure in the United States,” Mark Gabriel, CEO of WAPA, tells CSO. “Both its [the EO’s] spirit and its intent fits with what we need to do to protect the bulk electric system.”

“There has been increasing evidence and experience on threats to the bulk electric system,” Gabriel says. “Consider the fact that those of us who run the bulk electric system deal with threats every day, usually in the form of storms or squirrels. When you think of it in terms of national security, this is an area where we all need support.”

Competing critical infrastructure frameworks

In its RFI, DOE relies heavily on a framework, the ODNI’s NCSC Supply Chain Risk Management Best Practices, rather than NERC's industry-developed framework, NERC-CIP [Critical Infrastructure Protection] 13, which was approved on October 18, 2018, and became effective starting July 1, 2020. “To me, this introduces an enormous number of questions in terms of how does this interplay, if it does, with CIP-13,” Archer’s Miller says. “These two agencies are doing things that look similar in some ways but look different in other ways. Are we required to do one thing? Are we required to do two things? Are they sharing information behind the scenes?”

“DOE linked the EO to NERC’s supply chain efforts, but it didn’t provide any explanation of how those two efforts converge or diverge,” Miller continues. “Where’s the overlap in the Venn diagram for these two things? What is allowed and not allowed? If you do one thing that matches the NERC standard but doesn’t match what at DOE would be a quote-unquote regulation, what would enforcement look like? Is DOE going to lean on NERC in some way so they can align this? All these questions come up.”

DOE says the department is working cooperatively with NERC. “The Department of Energy works closely with both NERC and FERC [Federal Energy Regulatory Commission], as protecting the security of the grid is a vital mission for all,” a DOE official tells CSO. “Following the signing of the executive order, Bruce Walker, Assistant Secretary for the Office of Electricity, briefed NERC and FERC. The Department of Energy appreciates NERC's efforts to help industry understand the risk of bulk-power system equipment that is manufactured or supplied by foreign adversaries.”

Copyright © 2020 IDG Communications, Inc.