Cyberattacks on the U.S. energy system threaten our national security and way of life. While the sources of such risks may be debatable, the threats are real and the potential consequences are grave.
Former President Trump in May 2020 surprised the power sector with Executive Order (EO) 13920, which sought to limit the use of certain foreign-sourced electric equipment on the bulk-power system. The Department of Energy (DOE) in December 2020 banned the acquisition and installation of certain Chinese equipment by utilities that serve critical defense facilities. Since then, stakeholders have grappled with just what cybersecurity and supply chain measures the government might require to address these risks.
Confusion abated somewhat in January, when President Biden suspended EO 13920 for 90 days. When that pause expired in April, the DOE revoked the December 2020 prohibition order to “stabilize the policy environment” before the national emergency declared in EO 13920 expired on May 1. At the same time, the DOE issued a Request for Information (RFI) on “Ensuring the Continued Security of the United States Critical Electric Infrastructure.” Its aim, the DOE said, is “preventing exploitation and attacks by foreign threats to the U.S. supply chain” as “part of a larger coordinated effort … to develop a strengthened and effective strategy to address the security of the U.S. energy sector.”
The RFI sought “input on developing a long-term strategy that includes technical assistance needs, supply chain risk management, procurement best practices, and risk mitigation criteria,” as well as on potential future prohibition authority. Dozens of parties responded, including the Electric Power Supply Association (EPSA), trade association for U.S. competitive power suppliers, and the Edison Electric Institute (EEI), trade association for U.S. investor-owned electric companies, some of which are generators.
EPSA noted that many generators already address, monitor, and report supply chain issues under existing standards and business practices, such as enterprise-wide risk assessments under North American Electric Reliability Corp. reliability standard compliance programs. They also already exchange threat information with the U.S. intelligence community and participate in various information-sharing programs and training exercises.
EPSA also said many generators employ contract provisions to help ensure the cybersecurity of components they and their vendors acquire, but that it could be helpful for the DOE to provide standard, non-negotiable contract terms and procurement practices to reduce legal and negotiating burdens, or to pre-approve suppliers. EEI urged a targeted, long-term strategy that “emphasizes identification, analysis, and mitigation” for the most vulnerable facilities whose compromise could cause the most severe impacts, and that complements existing tools, rather than “prescriptive methods which are potentially unfeasible and impractical to implement” (as some viewed EO 13920).
Meanwhile, after the high-profile Colonial Pipeline ransomware attack in May, energy system cybersecurity has received greater national focus. That includes bipartisan passage of several bills in the U.S. House, such as House Resolution (H.R.) 3119 (Energy Emergency Leadership Act), which seeks to elevate energy emergency and cybersecurity responsibilities as a core DOE function, and H.R. 2931 (Enhancing Grid Security through Public-Private Partnerships Act), which would direct the DOE, in consultation with states, other agencies, and industry, to implement a voluntary program to enhance the physical security and cybersecurity of electric utilities.
Biden on July 28 issued a memo on Improving Cybersecurity for Critical Infrastructure Control Systems, which arose from a 100-day cybersecurity “sprint” kicked off in April. It establishes a voluntary Industrial Control Systems (ICS) Cybersecurity Initiative to improve critical infrastructure cybersecurity through more deployment of technologies for threat visibility, indications, detection, and warnings, as well as response capabilities for cybersecurity in essential control systems and operational networks. The ICS initiative began with a power sector pilot, and the administration reports more than 150 utilities are already deploying or have agreed to deploy control system cybersecurity technologies.
The ICS memo also directs the Department of Homeland Security (DHS), in coordination with other agencies, to publish preliminary cross-sector cybersecurity “performance goals” for power, water, and transportation services, with final cross-sector and sector-specific goals due by late July 2022. While the ICS initiative is voluntary, administration officials said they “hope and expect” responsible critical infrastructure owners and operators will apply the performance goals, and have not ruled out future mandatory requirements. In addition, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) recently announced a Joint Cyber Defense Collaborative, which CISA describes as a “new agency effort” to develop and execute “whole-of-nation cyber defense plans” in coordination with various stakeholders to “drive down risk before an incident and to unify defensive actions should an incident occur.”
As of this writing, the DOE has not acted on the RFI, and there likely will be further regulatory process before any mandatory rules or requirements would take effect. U.S. generators can continue to do their part to protect the power system by evaluating and enhancing supply chain diligence and contracting processes; continually assessing and working to understand and mitigate cybersecurity risks; planning for and practicing responses to potential incidents; sharing information with peer firms; and engaging with relevant agencies and the administration as this regulatory landscape evolves.
—Scott Daniel Johnson is senior counsel at Akin Gump Strauss Hauer & Feld LLP. He represents utilities and other electric power sector entities in transactions and a variety of energy regulatory matters.