Taking its first major step to act on President Trump’s May 1 executive order (EO) to limit foreign bulk power equipment transactions in the U.S., the Department of Energy (DOE) has issued a definitive list of six foreign “adversaries” that pose threats to the U.S. bulk power system (BPS): China, Cuba, Iran, North Korea, Russia, and Venezuela.
The list is just one part of a detailed request for information (RFI) the DOE Office of Electricity published in the Federal Register on July 8. While the RFI action is part of a formal effort to identify and understand vulnerabilities in current energy industry practices, it hints at possible next steps the federal government may take to execute President Trump’s sweeping May 1–issued Executive Order 13920.
Power entities continue to seek direction on the EO, and speculation is mounting about what prompted the Trump administration to issue the broad measure. Declaring a national emergency over BPS threats, the EO essentially seeks to ban the “acquisition, imports, transfers, or installation” of any risk-ridden BPS electric equipment in which a foreign adversary or a citizen of countries deemed adversaries has any interest, including “through an interest in a contract for the provision of the equipment.”
The Bigger Concern: ‘Near Peer’ Foreign Adversaries
The DOE’s official determination of which countries are considered “foreign adversaries” is important because while the original EO prohibits transactions covering pending and future deals for BPS equipment that have been designed, developed, manufactured, or supplied by vendors and individuals subject to the jurisdiction of a “foreign adversary”—or, essentially, governments that have repeatedly threatened national security—it doesn’t specify which governments or entities will fall under the U.S. scrutiny.
The ban on pending or future transactions is just one of four pillars in the broad order. EO 13920, notably, also directs the DOE to consult with the heads of other agencies to develop criteria to determine which BPS equipment and vendors should be designated as “pre-qualified” for future transactions, as well as to identify existing BPS electric equipment in which a “foreign adversary” has an interest—and which, therefore, poses “an undue risk to the BPS.” The emphasis on existing BPS equipment under the third pillar is especially notable, because the EO also tasks the DOE with developing recommendations to “identify, isolate, monitor, or replace” risk-ridden equipment across the vast, sprawling BPS “as appropriate.”
More clarity on possible mandates is likely over the coming months. The departments of Energy, Defense, Homeland Security, and the director of National Intelligence are expected to publish rules implementing their authority as doled out in the order, as required within 150 days of the EO’s date—or by Oct. 1, 2020.
The DOE’s RFI provides some insight, at least, on why the federal government deemed the EO necessary, and how the process may unfold. The action itself appears to be a direct response to the EO’s call for broad identification of which entities or persons are “owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries,” as well as which BPS equipment transactions “warrant particular scrutiny.” The DOE’s next steps will likely be to establish procedures “to license transactions otherwise prohibited” by the order, as well as to identify “a mechanism and relevant factors for the negotiation of agreements to mitigate concerns raised in connection” with the equipment ban.
In the Wednesday action, the DOE notably appears specifically concerned about foreign threats on the BPS from China and Russia, which it considers “near-peer foreign adversaries.” These countries “possess highly advanced cyber programs” and “both nations pose a major threat to the U.S. government, including, but not limited to, military, diplomatic, commercial, and critical, infrastructures,” it says. “The BPS is a target of these adversaries’ asymmetric cyber and physical plans and operations.”
The DOE also warns that China and Russia “have the capability and integrated plans necessary to launch cyber-attacks causing localized, disruptive effects on critical infrastructure—such as the disruption of a natural gas pipeline and electric infrastructure for days to weeks—in the U.S.” It adds: “These near-peer foreign adversaries continue to map U.S. critical infrastructure with the long-term goal of being able to cause substantial damage.”
Citing the February 2020-issued 2020–2022 National Counterintelligence Strategy, the DOE suggests the two countries are actively “employing innovative combinations of traditional spying, economic espionage, and supply chain and cyber operations to gain access to critical infrastructure. They are also attempting to access our Nation’s key supply chains at multiple points—from concept to design, manufacture, integration, deployment, and maintenance—by, among other things, inserting malware into important information technology networks and communications systems.”
A Broad Approach
The DOE’s RFI suggests the agency is taking a broad approach to thwart these threats. It says the RFI is based on the Office of the Director of National Intelligence’s National Counterintelligence and Security Center’s (NCSC’s) supply chain risk management (SCRM) framework, which means that the DOE does not plan to develop an SCRM tool or seek to establish best practices, because they are already “well-established” in SCRM frameworks.
Instead, the DOE plans to build upon the frameworks using standards such as the NIST 800 series standards, ISO standards, ISA/IEC 62433, and NERC CIP standards. “The Department is focused on improving utility owner/ operator’s asset/operations risk assessment by incorporating the identification of enterprise risk associated with supply chain vendor/ services into the acquisition systems process,” it says. One tool that the DOE highlights that utilities could apply to continuously assess their cybersecurity posture, for example, is a voluntary evaluation process developed under a public-private partnership program called the Cybersecurity Capability Maturity Model (C2M2).
Along with collecting “evidence-based cybersecurity maturity metrics,” the DOE says it will use the RFI to ascertain “foreign ownership, control, and influence (FOCI).” That’s important, it says, because the DOE is considering making limited procurements, “select build versus buy,” “consequences of insufficient SCRM,” and “evidence-based performance metrics that support a continuous improvement process” part of the federal acquisition process and the NERC CIP standards.
However, the DOE’s rulemaking process will include opportunities for stakeholder comment “and input on the substance” of a rule to implement authorities under the EO. That rule will seek, presumably, to safeguard the BPS supply chain from threats and vulnerabilities, as well as to establish an economic analysis for the rule. Both are aspects for which the DOE is soliciting views under the RFI.
A Probe Into the Vulnerabilities
Among questions the agency is asking energy sector asset owners and vendors to answer voluntarily by Aug. 7, 2020, are whether they conduct enterprise risk assessments on a periodic basis, and whether they identify (and mitigate) foreign adversary ownership, control, and influence with respect to “company and utility data, product development, and source code (including research partnerships).” Those questions are presumably to understand if and how the industry actively addresses foreign influence when it makes sensitive decisions.
But the DOE is also asking owners and vendors about potential supply chain risks from “sub-tier suppliers”—or suppliers’ suppliers—recognizing that some sub-tier supply chain manufacturers could have FOCI with respect to foreign adversaries. Some questions explore the governance of sub-tier vendors. The DOE asks, for example: “Is contract language for Supply Chain Security included in procurement contracts? Are metrics for supply chain security, along with cost, schedule, and performance maintained?”
Other questions explore physical and logistical access that foreign adversaries could exploit. For example: “What physical and logistical role-based access control policies have been developed to monitor and restrict access during installation when a foreign adversary, or associated foreign- owned, foreign-controlled, or foreign-influenced person is installing BPS electric equipment at a BPS site in the U.S.?”
Some questions suggest the DOE wants more insight on whether incentives and existing standards are working to help identify risks, and whether they are counterproductive. It asks, for example, about soundness of existing non-standard incentives, software component transparency, authentication practices, and sub-tier supplier monitoring and tracking. It also asks if there are any existing “insecure by design” or vulnerable communication protocols that “should be retired or cannot be disabled or mitigated from BPS electric equipment (examples of protocols include Distributed Network Protocol 3 [DNP3], File Transfer Protocol [FTP], Telnet, or Modbus)?” Several questions also explore information-sharing and private partnerships dedicated to shed more awareness about component vulnerabilities, but also about supply chain risks.
The DOE’s RFI is also looking for insight on the economic impact that EO 13920 could have on BPS stakeholders. The DOE asks stakeholders, for example, to estimate one-time and recurring costs for “developing, implementing, and periodically revising compliance plans and procedures associated with the Executive Order.”
The RFI suggests future DOE rules may include evaluation requirements, and compliance plans and frameworks for supply chain documentation, foreign involvement evaluations, risk assessments, and process reviews. That in turn may require new supplier processes and contractual provisions, as well as supplier audits.
The DOE also asks whether certain categories of BPS electric equipment are more reliant on vendors that could become subject to transaction reviews, and if BPS stakeholders may face challenges and cost impacts to source that equipment.
A ‘Defense-in-Depth’ Phased Approach
As POWER reported in May, the EO’s definition of BPS electric equipment is limited to those used in facilities and control systems required to maintain reliability of the interconnected grid, including transmission lines (of 69 kV or more) and generation facilities. These include:
- substation transformers
- coupling capacitor potential devices [in the May 1 EO, this was expressed as “current coupling capacitors” and “coupling capacity voltage transformers”
- large generators, backup generators
- substation voltage regulators
- shunt capacitor equipment
- automatic circuit reclosers
- instrument transformers
- protective relaying
- metering equipment
- high-voltage circuit breakers
- generation turbines
- industrial control systems (ICS)
- distributed control systems (DCS)
- safety instrumented systems (SIS)
“Items not included in the preceding list and that have broader application of use beyond the BPS are outside the scope of E.O. 13920,” the DOE’s RFI says. However, it also notes that the Secretary of Energy will periodically review the list and amend it “at any time.”
While the RFI covers the full list, the DOE significantly notes it plans to seek comment on specific equipment “to enable a phased process,” so that the DOE “can prioritize the review of BPS electric equipment by function and impact to the overall BPS.” It says that this approach constitutes a “defense-in-depth” strategy that addresses “risk as well as the dynamic nature of threats and vulnerabilities.”
That means, essentially, that the DOE will consider first establishing specific pre-qualification criteria for a set of components that support defense-critical electric infrastructure (DCEI) and other critical loads and transmission feeders as determined by critical infrastructure protection reliability standards formulated by the North American Electric Reliability Corp. (NERC). This could include components to support essential reliability services such as blackstart systems.
Worrisome Incidents: Transformers
Under the RFI’s “supply chain” scope, notably, the DOE is seeking comments specifically on transformers—including generation step-up transformers—reactive power equipment (including reactors and capacitors), circuit breakers, and generation (including power generation that is provided to the BPS at the transmission level and back-up generation that supports substations). “This includes both the hardware and electronics associated with equipment monitoring, intelligent control, and relay protection. Only transformers rated at 20 MVA and with a low-side voltage of 69 kV and above are included,” it says.
Industry sources speculate that the EO’s focus on transformers may stem from concerns about infiltration. As POWER has reported, large power transformers are some of the most vulnerable components on the BPS. They are typically gargantuan, expensive pieces of equipment that are tailored to customer specifications, and because they require intricate procurement and manufacturing processes, they often need very long lead times to obtain.
As the Wall Street Journal reported in late May, federal officials made the unusual move in summer 2019 to seize a 500,000-pound transformer built by Jiangsu Huapeng Transformer Co. (JHTC), a Chinese firm, at the Port of Houston before it was transported to a substation owned by federally owned utility Western Area Power Administration (WAPA), and trucked it “under federal escort” to Sandia National Laboratories in Albuquerque, New Mexico. The DOE did not immediately respond to POWER’s requests to confirm the newspaper’s reporting, as well as to verify conjecture that Sandia’s probe into the mammoth machine likely uncovered something malicious.
But according to control systems cybersecurity expert Joe Weiss, the incident may not have been the only one. In a recent blog entry, Weiss cites an individual familiar with the JSHP-WAPA transformer case, who suggested a “knock-off” load tap changer had been found in a Chinese transformer for another utility, which is investor-owned. The blog entry describes the incident in detail.
For Weiss, both cases clearly illustrate the need for heightened scrutiny of BPS equipment for hardware backdoors. Of late, the “focus for ICS cyber security has been on the OT [operational technology] networks, assuming all OT cyber threats have to go through the OT Ethernet networks where they could be detected and hopefully blocked,” Weiss explained. But, “Why would attackers hit defenses head-on when they could simply bypass them?” he asked. “This is a serious problem,” he said. “It is unclear whether the other 200-plus large Chinese transformers installed in the U.S. grid have similar backdoors, which is the reason for Presidential Executive Order 13920.”