The Department of Energy (DOE) has issued a “prohibition order” in line with President Trump’s May 2020 broad bulk power system (BPS) security executive order (EO 13920) that will ban some utility procurement of specific grid equipment from China.
When it takes effect on Jan. 16, 2021, the Dec. 17–issued “Prohibition Order Securing Critical Defense Facilities” will bar utilities that supply critical defense facilities (CDF) at a service voltage of 69 kV from “acquiring, importing, transferring, or installing BPS electric equipment” that is supplied by Chinese entities.
The ban applies to specifically to utilities that own or operate Defense Critical Electric Infrastructure (DCEI) and actively serve a CDF—which the DOE defines as a facility that is “critical to the defense of the U.S.” and “vulnerable to a disruption of the supply of electric energy provided to such a facility by an external provider.”
The prohibition order requires these utilities to file a certification with the DOE—by March 17, 2021, and every three years after that—“under penalty of perjury” that they have not entered into a prohibited transition, and that they have established an internal monitoring process to accurately track future compliance with the prohibition order. However, it also requires designated utilities to act by Feb. 15, 2021, to file a certification that they have taken “all action reasonably available” to designate each CDF they serve “as a priority load in the applicable system load shedding and restoration plans.”
POWER has asked the DOE for more details about which and how many utilities are covered under these designations. The DOE has so far only revealed that utilities subject to the order will be notified “no later than 5 days from the issuance of the order.”
Prohibition Order Explicit About Covered Equipment, Timeframes
The prohibition will apply to specific equipment, from the point of electrical interconnection with a CDF up to and including the next “upstream” transmission substation, and it includes software, firmware, and digital components that control any regulated equipment, the DOE also said on Thursday.
That includes power transformers with a low-side voltage rating of 69 kV or higher, as well as associated control and protection systems like load tap changers, cooling systems, and sudden pressure relays. However, it also includes generator step-up (GSU) transformers with high-side voltage rating of 69 kV or higher, and their associated control and protection systems. Also prohibited are circuit breakers operating at 69 kV or higher, and reactive power equipment, including reactors and capacitors of 69 kV or higher.
The prohibition also applies only specifically to transactions initiated after Jan. 16, 2021, when the order is set to go into effect. That’s especially important for equipment like large power transformers, which are typically gargantuan, expensive pieces of equipment that are tailored to customer specifications, and because they require intricate procurement and manufacturing processes, they often need very long lead times to obtain.
“We understand some equipment has long procurement lead times and that utilities are aware of supply chain risks,” the DOE said on Thursday.
In Line with Trump’s BPS Security EO
The DOE said the prohibition order invokes authority delegated to the energy secretary by Executive Order 13920, Securing the United States Bulk-Power System (EO 13920). The White House rolled out the controversial order abruptly on May 1, 2020, prompting widespread confusion about its implementation across the U.S. power sector, as well as crippling uncertainty about component procurement.
Declaring a national emergency over BPS threats, EO 13920 broadly sought to ban the “acquisition, imports, transfers, or installation” of more than 20 risk-ridden BPS electric equipment categories in which a foreign adversary or a citizen of countries deemed adversaries has any interest, including “through an interest in a contract for the provision of the equipment.”
As POWER has reported in depth, comments submitted to the DOE’s request for information (RFI) that its Office of Electricity issued on July 8 also show deep concern on a number of issues about how the DOE will implement the controversial EO.
Though the RFI sought to mainly gather industry’s input on safeguarding supply chains and understanding the economic implications of the EO, it also identified China and Russia as “near-peer foreign adversaries.”
But in the RFI, the DOE also sought to collect “evidence-based cybersecurity maturity metrics,” and it moved to ascertain “foreign ownership, control, and influence (FOCI).” To justify those requests, the DOE said it was considering making limited procurements; “select build versus buy”; “consequences of insufficient supply chain risk management”; and “evidence-based performance metrics” part of a “continuous improvement process” that would apply to federal acquisitions, as well as the North American Reliability Corp.’s (NERC’s) critical infrastructure protection (CIP) standards, with which industry must already comply.
In their responses to the RFI, many industry stakeholders lauded the DOE for its efforts to assess risks to the U.S. power system supply chain. However, many submitters also urged quick action to provide much more clarity on how the DOE expects BPS facility owners, operators, and equipment vendors to assess and mitigate risks related to FOCI within their companies and suppliers.
The DOE in October told POWER it was poised to issue a notice of proposed rule-making (NOPR) to the EO “later this fall.” More information about the unprecedented NOPR is expected to be published on a page dedicated to its activities related to the BPS EO. It is still unclear when or if the DOE expects to issue a NOPR.
On Thursday, Brouillete noted the prohibition order “is one of several steps this Administration is taking to greatly diminish the ability of our foreign adversaries to target our critical electric infrastructure.” The DOE also generally noted the action is just one of a “phased approach” based on reducing risk to the BPS.
“The Department will continue to balance the need to protect the security, integrity, and reliability of bulk-power system electric equipment used in the United States with the potential for supply chain disruptions to result from any such actions being taken,” it said.
Why Prohibition Order Focuses on China
In documents attached to the prohibition order, the DOE said it focused specifically on China because it has “reason to believe, as detailed in the Prohibition Order, that the People’s Republic of China is equipped and actively planning to undermine the Nation’s bulk power system.”
But in a lengthy “rationale for the order,” the DOE draws a more fearsome scenario. It said the DOE has “determined” that certain BPS electric equipment or programmable components subject to China’s ownership, control, or influence, constitute undue risk to the security of the BPS and to U.S. national security.
Industry sources suggest those determinations involve reports (still unconfirmed by the DOE to POWER) that the DOE seized a 500,000-pound Chinese-built transformer in the summer of 2019. Control systems cybersecurity expert Joe Weiss told POWER the incident may not have been the only one. In his blog, Weiss suggested a “knock-off” load tap changer had been found in a Chinese transformer for another utility, which is investor-owned.
In its order, the DOE said China “has a military rationale for its disruption capabilities.” Broadly speaking, China is “targeting operational systems that can be undermined as a way to degrade an opponent’s capabilities or to coerce an opponent’s decision-making or political will.”
“China calls this ‘system destruction warfare’—a way to cripple an opponent at the outset of conflict, by deploying sophisticated electronic warfare, counter-space, and cyber-capabilities to disrupt what are known as C4ISR networks (command, control, communications, computers, intelligence, surveillance, and reconnaissance), thereby disrupting U.S. military logistics required to defend the homeland, support Allies and partners, and protect key U.S. national security interests,” it says.
Such attacks “are most likely during crises abroad where Chinese military planning envisions early cyberattacks against the electric power grids around CDFs in the U.S. to prevent the deployment of military forces and to incur domestic turmoil,” the order says.
To date, notably, the DOE has identified several other countries as “foreign adversaries.” Along with China, these include Cuba, Iran, North Korea, Russia, and Venezuela. That determination is based on multiple sources, including ODNI’s 2016-2019 Worldwide Threat Assessments of the U.S. Intelligence Community, and the 2020-2022 National Counterintelligence Strategy, the DOE said.