A new EO will result in the systems and equipment from certain nations, most likely including China, being barred from the U.S. electric grid on account of the risk they pose to national security.
Late last week, President Donald Trump signed an executive order (EO) that directs the Secretary of Energy and other officials to take steps to ensure the United States’ bulk power sector is protected from the threats posed by components manufactured by foreign adversaries, most likely the People’s Republic of China (PRC). This EO is of a piece with two Administration priorities: desired changes in trade policy with the PRC and defending the United States from vulnerabilities arising from an information and communications technology (ICT) supply chain that largely originates in the PRC. Trump declared a national emergency with respect to the bulk power system, triggering a range of powers to address this situation. The EO establishes a blanket ban on bulk power utilities buying systems and equipment from yet-to-be-named foreign adversaries, unless the Department of Energy allows a transaction subject to required mitigations.
Even though the EO and the related materials released by the Trump Administration do not spell out the predicate for this action, the likely policy background was informed by broader concerns about possibly compromised ICT coming from the PRC and perhaps by more specific information about such equipment, hardware, software, and systems. The EO also fits the Trump Administration’s aggressive policy initiatives to protect the U.S. and rebuff alleged Chinese efforts to lace U.S. supply chains and critical systems with compromised technology that could later be used for espionage or cyber-attack.
Over the last few years, the Trump Administration has reported intrusions and penetrations of the U.S. electric system by hackers sponsored by or related to the Russian government. In 2018, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released an advisory in which they “characterize[d] this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” DHS and the FBI stated, “[a]fter obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).” At about the same time, the Department of the Treasury announced sanctions against five Russian entities and 19 Russian nationals for “Russia’s continuing destabilizing activities,” including activity against “U.S. government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors” as detailed in “the recent technical alert issued by the Department of Homeland Security and Federal Bureau of Investigation.”
The year before, DHS and the FBI advised critical infrastructure operators of a penetration of a nuclear energy operator in Kansas and others throughout the U.S. The agencies jointly claimed, “[t]here is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.”
And yet, these forays could easily be precursors to the sorts of attacks Russia has waged against its neighbors. For example, in 2015, Russian hackers were identified as the culprits who compromised part of Ukraine’s electric grid, but it appears access was gained and havoc was wreaked through the acquisition of employees’ credentials and not, in all likelihood, through exploitation of weaknesses or backdoors in the utility’s systems. The Director of National Intelligence’s public 2019 Worldwide Threat Assessment claimed:
Russia has the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure—such as disrupting an electrical distribution network for at least a few hours—similar to those demonstrated in Ukraine in 2015 and 2016. Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.
Moreover, risks to the energy sector have long been recognized. A 2017 report prepared by the Idaho National Laboratory stated that “ICS attacks are becoming increasingly more targeted and sophisticated, with trusted communications networks, remote access, mobile devices, vendors, and supply chains are the most likely routes of ingress.” In 2014, a U.S. think tank claimed:
Vulnerabilities arise when utilities procure hardware and software from third-party vendors, including hardware or software that is intended to support smart grid and cybersecurity initiatives. New products and software may not be sufficiently secure in their design or implementation; they may be subject to malicious manipulation or be compromised by the use of counterfeit parts. Suppliers may not face market pressures or requirements to incorporate cybersecurity features in the design of their systems and devices. In some cases, products sold to the power sector may be insecure by design or insufficiently supported as new risks are identified. These issues are further complicated by the global nature of supply chains, which offer multiple possible entry points for cyber attacks. For example, numerous SCADA (supervisory control and data acquisition) devices are manufactured overseas, including in China, where external cyber threats have originated in the past.
In the EO, Trump found “that the unrestricted acquisition or use in the United States of bulk-power system electric equipment designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in bulk-power system electric equipment, with potentially catastrophic effects.” He added that “I therefore determine that the unrestricted foreign supply of bulk-power system electric equipment constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States, which has its source in whole or in substantial part outside the United States.” Trump wrote, “[t]o address this threat, additional steps are required to protect the security, integrity, and reliability of bulk-power system electric equipment used in the United States.” He declared that “[i]n light of these findings, I hereby declare a national emergency with respect to the threat to the United States bulk-power system.”
The EO bars the purchase of “any bulk-power system electric equipment” from as yet unspecified foreign nations if the transaction poses unacceptable risks to the U.S. electric grid specifically or to the United States generally. The EO defines foreign adversary as a “foreign government or foreign non-government person engaged in a long‑term pattern or serious instances of conduct significantly adverse to the national security of the United States or its allies or the security and safety of United States persons.” Presumably countries with well-developed offensive cyber capabilities, such as the PRC, Russia, Iran, and North Korea, would be designated foreign adversaries.
However, the Secretary of Energy could identify and require mitigation measures that would allow otherwise banned equipment to be bought and used. The Department of Energy “may establish and publish criteria for recognizing particular equipment and particular vendors in the bulk-power system electric equipment market as pre-qualified for future transactions; and may apply these criteria to establish and publish a list of pre-qualified equipment and vendors.”
More broadly, the Secretary of Energy is directed to use the full authority conferred on his department by Congress and all the powers available under the International Emergency Economic Powers Act (IEEPA), the basis on which Presidents impose sanctions and other economic measures in peacetime. Pursuant to these powers, the Department of Energy will likely identify countries as foreign adversaries for purposes of the EO, along with the companies they own, control, or have a stake in. The Department is also to identify those foreign adversaries or companies that deserve additional scrutiny and to establish a licensing process for transactions that would otherwise be banned under the EO but are allowed to proceed with mitigation measures. The Department of Energy must also identify any existing bulk power system electric equipment that poses a threat to national or economic security and determine the means by which this equipment could be monitored, isolated, or replaced. The EO also creates a Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security (Task Force) that “shall work to protect the Nation from national security threats through the coordination of Federal Government procurement of energy infrastructure and the sharing of risk information and risk management practices to inform such procurement.”
Finally, regarding the thrust of the EO, it bears mention that the Federal Energy Regulatory Commission (FERC) granted a petition to “defer the implementation of several Commission-approved Reliability Standards that have effective dates or phased-in implementation dates that fall in the second half of 2020,” including CIP-013-1 (Cyber Security – Supply Chain Risk Management), which was designed “to help ensure that responsible entities establish organizationally-defined processes that integrate a cybersecurity risk management framework into the system development lifecycle.” The deferral of this and related standards was on account of the COVID-19 pandemic’s effect on the energy sector. When the rule was adopted, FERC explained “Reliability Standard CIP-013-1 addresses information system planning and vendor risk management and procurement controls by requiring that responsible entities develop and implement one or more documented supply chain cybersecurity risk management plan(s) for high and medium impact Bulk Electric System (BES) Cyber Systems. The required plans must address, as applicable, a baseline set of six security concepts: (1) Vendor security event notification; (2) coordinated incident response; (3) vendor personnel termination notification; (4) product/services vulnerability disclosures; (5) verification of software integrity and authenticity; and (6) coordination of vendor remote access controls.”
This EO could serve as a template for future actions to more tightly regulate other critical sectors. It is not hard to imagine Trump or a future president deciding that the threats posed by the PRC or other adversaries justify a heavier federal role in the regulation of supply chains and even of cybersecurity itself.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.