Mixed Reactions on Looming DOE NOPR for Bulk Power System Security
The Department of Energy (DOE) will issue a notice of proposed rule-making (NOPR) to implement President Trump’s broad bulk power system (BPS) security executive order (EO) “later this fall,” a DOE official confirmed to POWER on Oct. 5. Though the NOPR is delayed beyond the 150-day timeframe set by the EO, various BPS stakeholders are awaiting the agency’s next move, noting ambiguity arising from the May 1-issued EO 13920 has prompted crippling uncertainty about component procurement.
The agency official said the DOE is still reviewing the 98 comments submitted by an assortment of individuals and entities, including power sector trade and grid security groups, in response to a request for information (RFI) that its Office of Electricity issued on July 8.
Comments submitted to the RFI, which closed on Aug. 24, show deep concern on a number of issues about how the DOE will implement the controversial EO. Declaring a national emergency over BPS threats, the broad measure essentially sought to ban the “acquisition, imports, transfers, or installation” of more than 20 risk-ridden BPS electric equipment categories in which a foreign adversary or a citizen of countries deemed adversaries has any interest, including “through an interest in a contract for the provision of the equipment.”
What the NOPR Could Entail
More information about the unprecedented NOPR will be published within the coming weeks in a press release, as well as on a page dedicated to its activities related to the BPS EO, the DOE official said.
However, the DOE, which is acting as the lead agency for the energy sector, has also previously said the NOPR will satisfy the EO’s mandates to “mitigate major threats” that affect equipment used in substations, control rooms, or power generating stations that are owned and operated by public and private sector entities.
For now, according to the agency, that equipment “strictly” includes: reactors, capacitors, substation transformers, current coupling capacitors, large generators, backup generators, substation voltage regulators, shunt capacitor equipment, automatic circuit reclosers, instrument transformers, coupling capacity voltage transformers, protective relaying, metering equipment, high-voltage circuit breakers, generation turbines, industrial control systems, distributed control systems, and safety instrumented systems.
The EO also specifies that the DOE will “develop and publish rules and regulations prohibiting certain acquisitions, import, transfer, or installation” of these BPS components “where there is a credible threat that could compromise the BPS.” The DOE has also said it is working closely with its federal and industry partners to develop “a mechanism to pre-qualify equipment and vendors for the BPS supply chain.”
A timeframe for when a final rule could emerge is harder to pin down because the DOE says it expects to “work closely with stakeholders” as well as the heads of other agencies to craft associated rules and regulations for the energy sector.
This May, however, the agency underscored that “as of today, no equipment is prohibited.” Because the EO is focused on ensuring the national security of critical infrastructure within the U.S. BPS—“which is just a portion of the country’s entire energy infrastructure”—any “immediate steps by owners or operators would not only be premature, but may be unnecessary,” it said.
“Further, before DOE could prohibit actions involving the equipment identified in the Executive Order, there would need to be a nexus between a foreign adversary and an undue risk to the BPS, critical infrastructure, the economy, the security and safety of Americans, or national security,” it adds. “Thus, for many stakeholders, there will be no impact. And even for affected stakeholders, DOE will consider procedures for mitigation measures that may allow for the use of equipment that would otherwise be prohibited,” it said.
What the DOE’s Request for Information Reveals
More details about possible pathways the agency could pursue in the NOPR are outlined in detail in its July 8 RFI.
Though the document sought to mainly gather industry’s input on safeguarding supply chains and understanding the economic implications of the EO, it also identified China and Russia as “near-peer foreign adversaries,” indicating the NOPR will focus on equipment and transactions related to these countries.
These countries “possess highly advanced cyber programs” and “both nations pose a major threat to the U.S. government, including, but not limited to, military, diplomatic, commercial, and critical, infrastructures,” the RFI says. “The BPS is a target of these adversaries’ asymmetric cyber and physical plans and operations.”
In the RFI, the DOE also sought to collect “evidence-based cybersecurity maturity metrics,” and it moved to ascertain “foreign ownership, control, and influence (FOCI).” To justify those requests, the DOE said it was considering making limited procurements; “select build versus buy”; “consequences of insufficient supply chain risk management”; and “evidence-based performance metrics” part of a “continuous improvement process” that would apply to federal acquisitions, as well as the North American Reliability Corp.’s (NERC’s) critical infrastructure protection (CIP) standards, with which industry must already comply.
Industry Responds: Uncertainty Is Crippling
In their responses to the RFI, many stakeholders lauded the DOE for its efforts to assess risks to the U.S. power system supply chain. However, many submitters also urged quick action to provide much more clarity on how the DOE expects BPS facility owners, operators, and equipment vendors to assess and mitigate risks related to FOCI within their companies and suppliers.
As the Solar Energy Industry Association underscored in its response, “the ambiguity arising from the Bulk Power System E.O. has caused a great amount of uncertainty for developers of solar power plants, their investors, and their potential off-takers,” it said. “This additional risk increases the financial burdens on each project, as developers reconsider their parts suppliers and the financiers require the developer to shoulder the risk of parts needing to be replaced. Owners and operators of existing solar power plants, like many others in the electric sector, are concerned that existing equipment may require replacement—a completely unanticipated cost. To put it plainly, the ambiguity regarding acceptable equipment is hampering investment today.”
The ISO-RTO Council (IRC), an association of the nation’s regional transmission organization and independent system operators, said it more bluntly: “While the IRC agrees with the general direction of the order, the IRC is concerned that prohibiting any transaction involving equipment with one or more components manufactured by companies with links to countries preliminarily identified as ‘foreign adversaries’ could itself pose a reliability risk to the BPS.”
That’s because “a vast majority of BPS equipment includes at least some components manufactured by Chinese companies or companies with operations in China,” it explained. “In the event new equipment is needed to replace failed equipment or to meet new load growth or other transmission system needs, it is possible that no compliant equipment would be available to an affected utility.” The IRC urged that the DOE to address this by conducting a risk assessment based on the equipment’s “relative impact on grid reliability and difficulty of replacement,” among other factors.
New Complexities for International Suppliers
Zurich, Switzerland-headquartered multinational enterprise ABB, a vendor that manufactures multiple types of equipment outlined in the EO, stressed in its response that it is “most affirmatively not under FOCI with respect to foreign adversaries,” adding that it is committed to ensuring the company and supply chain remains free from risks associated with foreign adversaries.
But, it added: “like most companies who do not provide top secret defense products and services, we are not equipped to conduct counter-intelligence activities.”
While ABB can track some pieces of information to make a FOCI determination relating to its components—such as requesting suppliers to disclose their ownership structure (which it already does)—it does not have access to information and intelligence about other listed factors, it explained. “If the U.S. Government is able to share information about companies or actors in our supply chain that meet the criteria of being under FOCI with respect to foreign adversaries, ABB would take appropriate action to mitigate or eliminate associated risks just as we do with trade and export control regulatory frameworks,” it said.
Emerson, another key BPS equipment vendor known for its Ovation Control Center and DeltaV distributed control system, urged the DOE to keep vendors in the loop as it sets out to implement the EO. “There is a lot of room for additional clarity in implementation, which would give vendors more comfort in serving this key industry,” the company said. “For example, the final rule should establish clarity by identifying Commercial Off-the-Shelf (COTS) components as exempt or simplify the process for approval, including but not limited to qualification processes and qualified vendor lists.”
Finnish equipment giant Wärtsilä also urged paring down the EO’s equipment focus. “Certain categories of BPS electric equipment such as industrial control systems and any logic-based components capable of networking communication could be exposed to external forces without adequate protection, making these components vulnerable to intrusion, attack, and manipulation,” it said. “By contrast, passive primary equipment and isolated, discrete components with no communication or control capability—such as the batteries used in energy storage—present little to no risk of attack.”
Leveraging Familiar Frameworks
Many stakeholders also urged the DOE to reference and leverage existing industry standards in its development of final rules.
General Electric (GE), one of the largest U.S. power sector vendors, service providers, and advisors, urged the DOE to leverage “proven cybersecurity framework and regulatory mechanisms to engender adoption of best practices” found in NERC CIP, ISA/IEC 62443, NIST CSF, and internationally recognized cybersecurity certifications, including ISO 27001—Information Security. But GE also touted a collaborative effort and heightened awareness.“Effective cybersecurity requires a holistic approach that includes people and process efforts,” it wrote.
The Cybersecurity Coalition, a group of vendors that provide components and solutions to the power sector, also asked the agency to “align with NERC terminology” to “provide utilities with explicit equipment and functions in scope.” Without that clarity, the group said, “the EO could have significant economic impact on vendors whose equipment has broader application beyond bulk-power systems.”
The Electric Power Research Institute (EPRI), likewise, called for broader adoption of proven existing tools and resources to avoid “duplication of efforts, provides efficiency gains, takes advantage of existing financial and intellectual leverage and expands the community to foster continuous process improvements.” EPRI said, for example, it has worked with 30 utilities over the past four years to develop a framework based on “quantitative, evidence-based data-driven [operational technology] Security Metrics that can measure the performance of critical infrastructure security programs.”
Siemens and Siemens Energy agreed, but they pointedly asked the DOE to consider “industry-driven security standards and proven best practices” over a “new regulatory regime,” because standards and best practices allow manufacturers and equipment users to reach “a common understanding of how products are securely manufactured and developed, and how they should be securely installed and used.” Though headquartered in Germany, the now-separated companies have spearheaded international efforts to advance cybersecurity through the Charter of Trust, the Center for Threat-Informed Defense, and is currently collaborating on an industrial cybersecurity–focused Center of Excellence with the New York Power Authority, among other efforts, they noted.
An “unnecessary” regulatory construct wouldn’t just chill procurement, essential maintenance, service, and operations, it could result in an “enormous increased costs” for manufacturers of equipment used in the U.S. bulk power system, Siemens said. And, it could “cause the needless reengineering of existing products, longer product lead times, adverse impacts to existing project schedules, increased costs to our customers, and ultimately, increased costs to the American energy consumer, without a commensurate security benefit,” it said.
Regulatory Redundancy Concerns
Regulatory redundancy also meant a heavier regulatory burden to the Nuclear Energy Institute (NEI). In its response, the industry trade group underscored that the nation’s nuclear power industry has been stringently regulated since its inception, and that its current cybersecurity and quality assurance provisions related to safety-related structures, systems, and components are deeply entrenched in “substantial, regulator-approved programs” that were formed with extensive interactions between the Federal Energy Regulatory Commission (FERC) and the Nuclear Regulatory Commission (NRC).
“We believe that the NRC’s cyber security and quality assurance requirements, and the programs developed by the nation’s nuclear power fleet to comply with those requirements, currently address most, if not all, of the concerns that prompted issuance of EO 13920 insofar as they apply to commercial nuclear power plants,” NEI said. “Therefore, we respectfully request that DOE avoid imposing additional, redundant requirements on nuclear power facilities by coordinating with the NRC and NERC to consider whether the current requirements applicable to commercial nuclear power fleet are sufficient to protect BPS equipment located at commercial nuclear power plants from the supply chain vulnerabilities described in EO 13290.”
Responding to a DOE question exploring how industry depends on foreign-sourced critical minerals or supply chain materials, however, the NEI pointed to supplies of Li-7, an isotope of lithium that is typically used as an additive in pressurized water reactor primary coolant to maintain water chemistry. “Supplies that meet the industry’s technical specifications are produced using a mercury-based separation process that is currently conducted on a commercial scale in Russia and China,” it said. However, instead of taking action related to Li-7, the DOE should bolster ongoing efforts by EPRI and the U.S. government to explore “alternative methods” to ensure the isotope’s critical supply, the NEI said.
Some stakeholders notably expressed concerns that a final rule could favor some stakeholders over others. The National Hydropower Association urged the DOE to ensure “equal treatment” that ensured incurred costs or benefits did not “discriminate or provide unwarranted advantages.” It also echoed a number of other stakeholders in calling for flexibility in implementation, noting “some parts and equipment in the hydro supply chain can have long-lead times for procurement.”
Supplier Incentives and Maturity Models
In response to the DOE’s question about whether non-standard incentives or changes may be needed to existing supply chain risk management standards to better protect and maintain software integrity, a number of key industry players submitted interesting suggestions.
American Electric Power (AEP), a company that is both a member of Fortress Information’s Asset to Vendor Network (A2V) and a joint owner (with Berkshire Hathaway and FirstEnergy) of utility industry resilience solution provider Grid Assurance, said it currently had no incentives for suppliers to provide information about how and where products and services originate. But incentives “may be appropriate,” it said.
“Examples might include a ‘Most Favored Supplier’ status within the individual utility or a list provided by a governing or regulating body, or an information exchange, listing those who provide the level of detail needed to make appropriate risk decisions,” AEP said.
Emerson agreed that maturity models would “better position operator, vendor, and market influence for higher levels of capabilities and product features within the currently available frameworks and standards.” But it also lauded incentives, suggesting the DOE should consider the U.S. Safety Act, where companies could be rewarded for taking higher levels of standard practices for cybersecurity.
Most power companies also highlighted a number of industry information sharing venues—such as the Electricity Information Sharing and Analysis Center (E-ISAC)—but noted these forums are designed to share threat information, not specific vulnerability information.
Getting vendors to provide key component-level information could also prove difficult, as Duke Energy noted. Duke Energy urged the DOE to take the charge on providing the power sector “with intelligence on component level vulnerabilities,” noting such details would allow the industry to “more narrowly focus efforts to obtain information from vendors.” Duke Energy also suggested that while industry generally already assesses assets for vulnerabilities, as well as engages third parties to perform penetration testing, the government’s national laboratories are better suited to analyzing component level vulnerabilities.
“We would support National Labs performing assessments on those components identified as high priority by the DOE and providing the results to the electric industry,” the company said.
The Biggest Issues: Costs and Liability
Marking some consensus on the broad and controversial issue, cost recovery and liability protection emerged as all-around concerns for nearly every stakeholder.
One reason for this is because the equipment outlined in the EO is “complex and interconnected with long lead times for design, procurement, testing and deployment,” explained the Edison Electric Institute (EEI), the trade group that represents the nation’s investor-owned utilities.
That’s why, EEI, said, the DOE should implement the EO “surgically and strategically, with feedback from industry.” That strategy, it said, should be flexible, so that it recognizes the unique threats different power companies face, as well as the existing risk-based, defense-in-depth approaches already integrated in the power sector’s security culture.
DOE’s rulemaking should also exercise “prudence” to avoid cost increases, and crucially, “Avoid actions that affect the market for critical equipment, including disruptions to the use of existing equipment and availability of replacement equipment.” Finally, it must “consider potential impacts to day-to-day grid reliability upon which our communities and customers rely for essential services,” EEI said.
If a final rule banned purchases of certain equipment, the DOE must consider backing protection from liability through legislative action to dismiss cause of action by affected vendors, suppliers, and manufacturers. And if any final rule eliminated specific suppliers—or perhaps more critically, identified existing BPS equipment that needed urgent replacement—industry urged the DOE to consider supporting the necessary cost recovery mechanisms through legislative action.
Costs are such a big concern, Fortress Information Security went further to break down estimated one-time and recurring costs that a “medium-size” utility could incur to develop, implement, periodically revise, and implement compliance plans and procedures associated with the EO. In its example, a utility with two control centers, 80 substations, and five generation facilities would incur a one-time cost of about $9 million and recurring costs of $1.2 million. One way to get around these high costs is through “community sharing” of supply chain risks about common vendors and products, such with its A2V network, it suggested.
“If the top 100 utilities in the country complied with the Executive Order independently, without a community sharing solution, the industry could waste approximately $560 million in one-time costs and $52 million in recurring costs,” it said. “Through community sharing, the one-time costs could be reduced by as much as 62% while the recurring costs can be reduced by 41%.”
However, another critical hurdle outlined by the Secure the Grid Coalition—an ad hoc group of policy, energy, and national security experts, and industry “insiders”—concerns how successful the DOE will be in implementing a good rule. The group said warnings about “perilous danger” to the grid have persisted for more than 30 years, and despite nearly 100 Congressional actions, including hearings and bills, to protect it to since 1997, most have failed.
The group, which claims it is “unbiased” because it receives no energy industry funding” offered fresh perspective on how to resolve complex issue.
It said, for example, that the DOE should place FOCI emphasis on microelectronic components, and consider digital fingerprinting of these tiny critical infrastructure “building blocks” through blockchain technology. It also alleged a conflict between FERC’s recent supply chain order and the EO.
Finally, it offered four main areas that the DOE should focus its immediate efforts. There is urgency to identify and remedy vulnerabilities to large power transformers and “prohibit the use of robotics, including drones,” which introduce and highlight grid vulnerabilities, it said. However, the DOE must also thwart efforts by industry lobbyists, which may urge a “business as usual” approach to grid security. Finally, the agency could “demand” that trusted personnel and organizations immediately “cease ties” with foreign adversaries.
—Sonal Patel is a POWER senior associate editor (@sonalcpatel, @POWERmagazine).