How Trump grid orders ran aground

Source: By Peter Behr, E&E News reporter • Posted: Tuesday, October 13, 2020

In the past two years, President Trump has issued two executive orders meant to break through obstacles to developing defenses against unlikely but potentially devastating attacks on the nation’s electric power networks.

With time running out in Trump’s first term, neither order has opened a clear path toward meeting the shadowy threats the policies targeted. The executive orders haven’t met with executive action, according to critics of Trump’s handling of the grid security risks.

Order 13920, issued May 1, directed the Energy Department to prepare a ban on future purchases of foreign-made grid controls and components that could be infected with concealed malware (Energywire, May 4).

Order 13865, signed March 26, 2019, pledged to accelerate decisions on hardening the grid against electromagnetic pulse (EMP) shock waves, which can cripple power network equipment. In dire crisis scenarios, the EMP waves would be triggered by a nuclear detonation in the atmosphere over the United States, fired by North Korea or another nuclear power (Energywire, March 27, 2019).

But the orders are behind schedule, their outcomes uncertain.

Administration agencies have missed major deadlines in both orders that have come due this year. Key officials at DOE and the White House National Security Council who had been leading implementation of the two orders have switched jobs or left the Trump administration altogether.

DOE is expected to issue a notice of proposed rulemaking on the cyber executive order later this fall, but the scope of the order has been sharply downsized, industry officials confirm. While research on the EMP threat continues, the lack of White House attention to that order frustrates its strongest supporters. Any actions triggered by the orders aren’t on track to come until after the inauguration of the next U.S. president Jan. 20.

Cybersecurity surprise

The May 1 bulk power supply chain security order caught the grid industry by surprise.

Although the possibility had been discussed, neither the White House nor DOE informed a high-level group of grid officials about the directive before its public announcement, despite its implications for industry security and purchases of multimillion-dollar grid equipment sourced in China. Members of the Electricity Subsector Coordinating Council (ESCC), who take pride in the close collaboration between top power-sector executives and government agency leaders, are not used to being caught off guard by a key cyber policy move (Energywire, May 29).

The order created the possibility that DOE was planning to issue a list of foreign equipment vendors whose products would be barred, or a list of approved vendors, or both.

Some industry leaders welcomed the administration’s concern about the threat.

However, when DOE solicited comment about the plan, there was pushback over its lack of detail and potential costs (Energywire, July 9).

“A new and unnecessary regulatory regime would result in enormous increased costs for manufacturers of equipment used in the U.S. bulk power system,” said Siemens AG, a grid equipment manufacturer with 50,000 U.S. employees. “It could cause the needless reengineering of existing products, longer product lead times, adverse impacts to existing project schedules, increased costs to our customers, and ultimately, increased costs to the American energy consumer, without a commensurate security benefit.”

Some industry officials said privately that they still don’t know when or whether DOE may issue “good” and “bad” vendor lists.

But one detail is known: Instead of covering the entire U.S. interstate bulk-power grid, the order is now expected to apply to a small subset of defense critical electric infrastructure, defined as power plants and substations delivering electricity directly to U.S.-based military installations with essential missions.

“The priority in the eyes of the Department of Energy has been specifically defense critical electric infrastructure,” said Scott Aaronson, vice president for security and preparedness at the Edison Electric Institute, representing investor-owned utilities. Aaronson is secretary of ESCC.

“The government has been working to identify defense critical electric infrastructure pathways, from a generation facility through transmission lines to a substation into distribution and into a defense facility,” Aaronson said in an interview.

One reason for the downsizing, several industry officials said: Congress gave DOE specific responsibility for protecting grid facilities serving critical defense sites, but the agency’s authority for imposing much wider restrictions on vendor sales across the entire bulk power grid is far from clear.

Even on this reduced scale, the executive order’s approach lacks a strong process for sharing classified intelligence on cyber adversaries’ capabilities and intentions — both keys to effective defense of U.S. power infrastructure, said Paul Stockton, former assistant secretary of Defense for homeland defense.

The initiative is headed for failure without major changes, he said. “No organizational framework exists to coordinate DOE’s implementation efforts,” Stockton wrote in a recent critique of the executive order.

Electricity providers urgently need access to classified intelligence about adversaries seeking to plant malware inside foreign-made grid equipment, Stockton said. The intelligence can reveal the most likely paths and targets of attack, and that knowledge can enable grid operators and DOE experts to hone searches for infected software and hardware. There must also be a consensus on which equipment is most important to protect, Stockton added.

Key to this analysis is understanding how and why an adversary might risk a confrontation with the United States, Stockton said.

“Adversaries are going to attempt to coerce U.S. leaders into backing down in a regional crisis” by threatening to trigger cyberattacks on critical infrastructure, Stockton said in an interview. That implies that an adversary must install cyber backdoors that enable it to time precisely when to launch hidden malware.

Such a backdoor has never been publicly found in grid equipment, nor is a cyberattack known to have ever caused a blackout in the United States.

But understanding how such attacks would have to be designed is key to thwarting them, Stockton said. That requires a closely organized and coordinated defense, he said.

“The [executive order] will fail,” he wrote, unless high-voltage grid operators and vendors “get the data they need to contribute to the order’s implementation. However, data on supply chain threats is often highly classified and very few private sector personnel and state regulators have the clearances required to receive it.”

EMP order adrift

Demands for defenses against a possible EMP attack have been driven by committed advocates originating in a commission chartered by Congress in 2003 and led by former U.S. missile defense officials and experts. Under their “black sky” EMP scenario, rogue electric currents triggered by an atmospheric nuclear explosion would overheat and destroy transformers that move electric power across transmission systems, leaving the nation facing a catastrophic version of “nuclear winter” without life-sustaining energy supplies.

Industry-backed researchers say that doomsday analysis is dated and inaccurate. And some national security experts challenge the scenarios that would cause a North Korea or an Iran to risk its own destruction by triggering an EMP attack.

Trump, with his March 2019 order, put the White House on point to find and address potential gaps in EMP defenses.

“The order represents a big step forward for national preparedness,” said George Baker, a former senior adviser to the EMP commission, following the order’s release.

“The order breaks the bureaucratic logjam. A big problem has been overlapping responsibilities within federal departments,” he said. “The order clarifies responsibilities and establishes timelines for infrastructure prioritization and protection program initiation.”

Congress followed up by directing the Department of Homeland Security to conduct a series of assessments of the risk.

But congressional deadlines for plans and reports have been missed, staff leading the effort have left the administration, and the policy is adrift, some of its strongest backers complain.

The White House did not set itself up as a referee empowered to make hard science decisions and take on the challenge of how EMP defenses would be paid for, according to people close to the issue. “At the end of the day, somebody needs to articulate the economics of this: Here is the risk. Here is the cost of the mitigation,” one former official said.

“When the executive order came out … I was thinking, this is so heavily dependent on the White House and the National Security Council, if the NSC loses interest in the topic, the executive order loses force,” said Thomas Spoehr, security policy director for the Heritage Foundation and a retired Army lieutenant general.

He said he has been waiting for reports on EMP issues called for by Congress that would “give me some confidence the administration is doing what Congress directed it to do.” He said he is still waiting.

For its part, DHS said in an August status report on the EMP threat that it has identified “initial” energy and communications infrastructure that faces the highest risk.

“While the development of these [risk] models took longer than initially envisioned, additional time was needed to validate the concepts and ensure the efficient application of resources to progress to subsequent tasks within the E.O.,” DHS said.

The North American Electric Reliability Corp., the bulk power grid’s security monitor, separately appointed a task force of industry and private-sector experts to draft policy recommendations for EMP defense.

That work continues, as does research needed to define the impact of an atmospheric nuclear blast, says Bill Lawrence, NERC’s vice president and chief security officer.

“There’s a great deal of information that’s out there. The task force is going to be doing its best trying to piece it together,” Lawrence said in an interview. It aims to identify the ways to reduce the threat to the grid, he added, “over the next months and years.”

But there are limits to what more EMP reports can accomplish, he added. “Just because a government report says something shall be so, it’s challenging enough across the department and agencies to make that happen, much less influence the industry to adopt the recommendations from a report.”

Asked when EMP defenses may actually be installed on grid equipment, Lawrence replied, “That is a good question. I don’t have an answer for you.”