Trump’s grid security executive order will create vendor ‘black list,’ complicate equipment sourcing

Source: By Robert Walton, Utility Dive • Posted: Monday, May 4, 2020

  • President Donald Trump on Friday signed an executive order halting the installation of bulk-power system (BPS) equipment “designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.”
  • The order will effectively create a “black list of companies” from which utilities will need to stop purchasing equipment, Alex Santos, CEO of Fortress Information Security, told Utility Dive.
  • The executive order aims to address weaknesses in the utility sector supply chain, which experts say is a well-known vulnerability. The North American Electric Reliability Corp. (NERC) last month delayed implementation of three Critical Infrastructure Protection (CIP) standards designed to increase security controls on vendors, citing the current burdens on the power sector from the COVID-19 pandemic.

Dive Insight:

Foreign adversaries are “increasingly creating and exploiting vulnerabilities” in the United States bulk-power system, according to the executive order, with “potentially catastrophic effects.”

“This is a well-known issue within the electric sector,” Shawn Wallace, vice president of energy at IronNet Cybersecurity, told Utility Dive in an email. “The U.S. has virtually lost its capability to manufacture large high voltage transformers on which the grid critically depends. Increasingly, we are having to import the equipment from countries like China, making it an easy target for foreign governments to tamper with.”

According to the executive order, unrestricted foreign supply of BPS electric equipment “constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”

The order declares a national emergency with respect to the BPS, and blocks federal agencies and U.S. persons from “acquiring, transferring, or installing” BPS equipment in which a foreign adversary has an interest. It also authorizes the U.S. Department of Energy to establish criteria for recognizing particular equipment and vendors as “pre-qualified” and to identify any now-prohibited equipment already in use.

Hardware from an untrusted source “could arrive with backdoors built into the firmware, or it could be tampered with in transit,” James Evelyn, vice president of compliance solutions for risk-management firm Force 5, told Utility Dive. The order “is aimed at eliminating buying bulk power systems with built-in security or surveillance threats.”

A task force led by Secretary of Energy Dan Brouillette will develop energy infrastructure procurement policies while consulting with the industry through the Electricity Subsector Coordinating Council and the Oil and Natural Gas Subsector Coordinating Council.

Utilities have already been working to strengthen supply chain security, in part to comply with the new vendor standards NERC was forced to delay last month. Those requirements, which include utilities completing an assessment of their vendor networks, had been set to take effect on July 1 but are now on hold until October.

In a statement, NERC said the supply chain executive order “launches a critical initiative,” and the efforts “will help support activities already underway in NERC’s supply chain standards and other work.”

NERC’s new CIP standards address issues similar to those in the executive order, but according to Santos, Trump’s order “could be controversial.”

“It looks like the President is asking utilities to remove equipment that could be in sensitive areas,” said Santos. He said it is too soon to know what companies might be impacted.

Digging down into utility equipment vendors will be like “peeling an onion,” said Santos. “The way the supply chain works, you have [original equipment manufacturers] that install equipment. And they use a multitude of subcontractors, and those have subcontractors, too. Hardware has subassemblies; software has subcomponents.”

Last November, Fortress launched the Asset to Vendor Network (A2V), a joint venture with American Electric Power designed to help utilities address supply chain concerns and reduce the costs associated with cybersecurity regulatory compliance.

“This is a real wakeup call for the vendor community,” Fortress Vice President of Energy Security Solutions Tobias Whitney told Utility Dive. “They will have to be much more transparent on their products and services and where they’re being rendered and how they communicate that to buyers on the electric grid. … You will probably see a higher degree of auditing, and advance certifications of vendors and products.”

“The whole purpose of the A2V network is to get at that information,” Santos said.

Experts say there will likely be additional costs associated with Trump’s order, but it is too soon to know how significant they will be.

“There could certainly be increased costs incurred by requiring domestic versus cheaper international suppliers or forcing companies to purchase from a smaller range of equipment options,” Greg Conti, senior security strategist at IronNet, told Utility Dive. “I hate to see the additional costs, but believe the national security needs are vital.”