Declaring a national emergency over threats to the U.S. bulk power system (BPS), President Trump in an executive order (EO) on May 1 issued a sweeping ban on transactions by U.S. persons for electric equipment sourced abroad if the U.S. government determines they pose undue security risks.
Because foreign adversaries are "increasingly creating and exploiting vulnerabilities" in the U.S. power system, which is critical infrastructure, the executive order deems the "unrestricted foreign supply" of BPS electric equipment as an "unusual and extraordinary threat" to U.S. national security, foreign policy, and the economy. And though the Trump administration recognizes that "maintaining an open investment climate" in BPS electric equipment is beneficial for "overall growth and prosperity" in the U.S., "such openness must be balanced with the need to protect our Nation against a critical national security threat," the order reads.
That's why, beginning on May 1, the order bans the "acquisition, imports, transfers, or installation" of any risk-ridden BPS electric equipment by any person, or with respect to any property, subject to U.S. jurisdiction, where the transaction involves any property in which a "foreign country or a national" has any interest, including "through an interest in a contract for the provision of the equipment."
The risk aspect of such transactions, however, will be determined by the Energy Secretary, who will coordinate with the director of the White House's Office of Management and Budget (OMB), and consult with the Defense Secretary, the Homeland Security Secretary, the director of National Intelligence, and other agency heads.
Notably, the order also explicitly gives the Energy Secretary the discretion to "design or negotiate measures to mitigate concerns identified" as they pertain to foreign transactions. And, as significantly, it suggests that the Energy Secretary and other agency heads will soon publish criteria for recognizing particular equipment and vendors as "pre-qualified" for future transactions.
What the Supply Chain Ban Covers
Prohibited transactions primarily cover pending and future deals for BPS equipment that have been designed, developed, manufactured, or supplied by vendors and individuals subject to the jurisdiction of a "foreign adversary"–or, essentially, governments that have repeatedly threatened national security.
Banned transactions must also pose undue risks of "sabotage or subversion of design, integrity, manufacturing, production, distribution, installation, operation and maintenance" (O&M) of the U.S. BPS; pose undue risks of "catastrophic effects" on the security or resiliency of U.S. critical infrastructure or the U.S. economy; and pose unacceptable risks to U.S. national security and American safety.
The order does not, however, cover transactions that have been sealed before May 1, nor transactions that are bolstered by statutes, regulations, other orders, and license directives.
As significantly, though the term "BPS" implies full coverage of the nation's power system, the ban will only apply to generators and control systems that are interconnected and are needed to maintain transmission reliability. "For the purpose of this order, this definition includes transmission lines rated at 69,000 volts (69 kV) or more, but does not include facilities used in the local distribution of electric energy," the order notes.
The definition of BPS "electric equipment," meanwhile, appears limited. It covers:
- control rooms
- power generating stations, to include:
  - substation transformers
  - current coupling capacitors
  - large generators
  - backup generators
  - substation voltage regulators
  - shunt capacitor equipment
  - automatic circuit reclosers
  - instrument transformers
  - coupling capacity voltage transformers
  - protective relaying
  - metering equipment
  - high-voltage circuit breakers
  - generation turbines
  - industrial control systems (ICS)
  - distributed control systems (DCS)
  - safety instrumented systems (SIS)
Though the order does not explicitly identify them, "foreign adversary" countries presumably include Russia, China, and Iran. Agency rules issued pursuant to the order, however, may lay out which countries it has determined are "foreign adversaries" in relation to BPS threats, it says. Future agency rules may also identify particular people and equipment that warrant scrutiny under provisions of the order. Under the order, federal agencies may also move to establish licensing procedures to allow transactions banned by the order.
More clarity on what rules and regulations may entail will likely come when the departments of Energy, Defense, Homeland Security, and the director of National Intelligence publish rules implementing their authority as doled out in the order, as required within 150 days of the order's date–or by Oct. 1, 2020.
For now, the order directs these agencies–along with the Department of Interior, and the Board of Directors of Tennessee Valley Authority (TVA)–to begin identifying BPS electric equipment that may fall under the ban. It also directs them to recommend ways to "identify, isolate, monitor, or replace" that equipment "as soon as practicable."
At the same time, the EO establishes a new task force dedicated to "federal energy infrastructure procurement policies related to national security." The interagency task force will work to "protect the nation from national security threats," primarily by sharing risk information and risk management practices. It will ultimately develop a "consistent set" of energy infrastructure procurement policies and procedures for agencies in consultation with the private power, oil and gas, and distribution system sectors. The task force will also evaluate methods and criteria to incorporate national security considerations into energy security and cybersecurity policies.
The Order Addresses Industry Concerns–but It Goes Much Further
The order is certain to have reverberations throughout the U.S. power industry, which has since its establishment depended on a vast global supply chain for equipment and technology development. While past supply chain disruptions have been mostly small and regionally constrained, the ongoing COVID-19 pandemic has highlighted a need for supply chain resiliency, and the industry has banded together to ensure it can secure crucial equipment as supply operations in more areas are disrupted.
Supply chain security, on the other hand, has always been an industry priority, especially as it relates to core power plant controls. Acting to address supply chain security risks on the BPS, for example, the Federal Energy Regulatory Commission (FERC) in October 2018 issued a critical infrastructure protection (CIP) reliability standard (CIP-013-1, Cyber Security – Supply Chain Risk Management). Though the standard's implementation was delayed to October 2020 (owing to the industry's COVID-19–related challenges), it essentially seeks to thwart counterfeits or malicious software, unauthorized production, tampering, or theft, as well as poor manufacturing and development practices. FERC noted that a global supply chain offers significant benefits to customers–including low cost, interoperability, rapid innovation, and product and feature variety. However, it also creates "opportunities for adversaries to directly or indirectly affect the management of operations of companies with potential risks to end users," it said.
In an April 30 briefing, the DOE reportedly told reporters that the EO was not based on specific new threats. As E&E News reported, officials highlighted findings in the 2019 Worldwide Threat Assessment report that underscore Russian and Chinese capabilities to disrupt parts of the electric and gas supply network via cyberattacks.
In a statement on May 1, the DOE again stressed that the security of the BPS is integral to national defense, emergency services, related infrastructure, and the economy. "Each year the Federal government spends millions of dollars on a wide range of BPS components. Current government procurement rules often result in contracts being awarded to the lowest-cost bids, a vulnerability that can be exploited by those with malicious intent," it said.
Notably, however, Friday's EO comes just two weeks after Energy Secretary Dan Brouillette emphasized national security motivations as he unveiled recommendations made by the White House's Nuclear Fuel Working Group (NFWG), which mostly sought to prop up the domestic nuclear fuel cycle–and was focused on efforts related to uranium mining, conversion, and enrichment. The group also urged the federal government to more aggressively limit activity in domestic nuclear markets by Russia and China, countries to whom the U.S. has lost global leadership because their nuclear industries are dominated by state-owned enterprises (SOEs).
In one part of the report, for example, to keep the nuclear fuel fabrication subsector from erosion "due to strategic action of Russian or Chinese SOEs," the group recommends "swift action, via Executive Order to limit or ban the import of nuclear fuel fabricated in Russia or China, on national security grounds, in so far as fuel imports adversely impact the physical and economic security of the United States." The effort could enable the Nuclear Regulatory Commission to deny imports of nuclear fuel fabricated in Russia or China for national security purposes, it suggests.
The working group's recommendation is just one of several DOE directives of late that prioritize national security. In a directive in June 2019, for example, the agency prohibited its personnel from participating in talent recruitment programs operated by certain foreign countries. And in January, a DOE official told lawmakers that the agency had drawn up a list of technologies it may not want agency scientists to share with researchers from other countries.
NERC Describes Order as a 'Critical Initiative'
According to Tom Kuhn, president and CEO of the Edison Electric Institute (EEI), a trade group representing investor-owned utilities, the May 1 EO may have its roots in efforts spearheaded by the CEO-led Electricity Subsector Coordinating Council, which "works closely with the DOE to address underlying threats to supply chain security." In a statement to POWER on May 4, he said: "This EO reflects this ongoing collaboration with the federal government and provides new ways to mitigate threats to electric-sector critical infrastructure." However, he also stressed the need for public-private coordination, recognizing industry's ownership of and responsibility for the grid. "We look forward to our continued partnership with the Administration and to working with DOE and other government stakeholders to implement this new EO, and we will continue to ensure that we are sourcing critical equipment from reputable manufacturers," he said.
The North American Electric Reliability Corp. (NERC)–the designated U.S. Electric Reliability Organization (ERO), and an entity tasked with watching BPS reliability and security through the enforcement of standards it establishes–also appears optimistic that the order is a good move. On May 1, NERC described the "supply chain executive order" as a "critical initiative to secure the bulk power system." It added that efforts in the order are in line with activities already underway in NERC's supply chain standards and other work. "The order is a positive step forward to improve reliability and security of the bulk power system supply chain. NERC looks forward to working with industry and government stakeholders toward effective implementation of the executive order," it said.
It is notable that the statement comes days after NERC released a comprehensive report that surveys how the pandemic could affect summer BPS reliability. In that report, NERC highlighted supply chain interruptions as key risks through summer 2020, at least. It noted, however, that a large majority of registered entities have already reviewed supply chain needs per NERC's recommendations.
Shedding some insight on how power sector investors are perceiving it, credit ratings agency Moody's also considers the order positive–but mainly because it addresses some of the cybersecurity risks that relate to the supply chain. In comments to POWER on May 7, analysts said the order could raise corporate governance priorities around cybersecurity defenses, and it promotes needed investments in cybersecurity preparedness.
Because the EO "calls for the development of procurement policies that prioritize the security of the U.S. energy grid, as opposed to current rules that give preference to the lowest-cost bids," it incentivizes critical equipment suppliers to invest in developing and maintaining strong cybersecurity practices, or risk "exclusion from the U.S. market," analysts said. As Moody's has pointed out before, the wide variance in cybersecurity practices between suppliers may pose risks for shareholders, because they expose utility operations and networks to indirect threats that utilities often cannot control.
On Thursday, analysts also pointed out that the U.S. is not alone in considering such measures. Countries that so far this year have banned foreign companies' participation in sensitive industries and critical infrastructure include Russia, whose federal service for technical and export control on Feb. 10 banned foreign IT equipment in the country's critical national infrastructure and prevented critical infrastructure companies from using foreign companies' cybersecurity software or consulting services. On April 27, China's Cyberspace Administration, meanwhile, issued new procurement rules requiring rigorous cybersecurity and national reviews of tenders submitted by critical infrastructure operators.
Industry Still Evaluating Impact
However, the bulk of industry BPS participants that POWER asked for reaction expressed uncertainty about the sweeping order, suggesting they were scrambling to assess its impact on their day-to-day operations.
Zurich, Switzerland–headquartered ABB, a technology giant that has cultivated substantial standing in the U.S. as a provider of power plant automation solutions and systems, on May 4 told POWER it was still evaluating the EO. The company "will work closely with regulators and our U.S. customers as a critical supplier for American electrical infrastructure," it said. "Since 2010, ABB has invested over $14 billion in the United States, and the country is the largest market for its products. We employ nearly 24,000 people in the United States with locations in more than 100 communities, including a substantial manufacturing base."
Affected entities in the utility space also said they are reviewing the order. The TVA, an independent federal corporation whose board the EO explicitly directs to "take all appropriate measures" to implement the order, told POWER on May 4 that it is "evaluating the executive order to better understand next steps." TVA for now plans to "continue to work closely with other agencies within the federal government as well as industry groups to address threats to the power grid and ensure we are proactively managing supply chain risks," it said.
The most pronounced pushback perhaps came from the cybersecurity industry, whose services many power generators rely upon to monitor and respond to threats. Edgard Capdevielle, CEO at Nozomi Networks, a firm that promotes network visibility, threat detection, and operational insight for industrial operational technology (OT), the internet of things (IoT), and ICS environments, told POWER the EO is a "step in the right direction, but needs to go further." The positive aspects in the order include its recognition that protecting the BPS is of critical importance owing to the proliferation of threats. "It seeks to address a potential vector of attack in the backdoors and trojans that could be implanted in foreign-sourced infrastructure equipment," said Capdevielle.
"However, there are a few shortcomings," he noted. "Firstly, it ignores the largest problems in the electric cyber environments: lack of visibility in the networks and any nationally enforceable standards. Secondly, it is not immediately actionable. The order does not name countries, or propose specific solutions. Instead, it enables a team to go look into the issue without clear direction around what to do when problems are found. And lastly, even if enforced and specifics were given, i.e. no new equipment from China or Russia in the grid, it does not address all the legacy infrastructure that has been and will be around for a very long time."
Ollie Whitehouse, global chief technology officer at cybersecurity consultancy NCC Group, agreed. "Threats posed to the power grid fall in a spectrum, as with all industries. This ranges from unintentional impact from organized crime, to challenger countries wishing to project their capability and impact into the USA, to sophisticated adversaries. The biggest threats can be summarized as tactical (challengers who have little to lose) and strategic," he explained. "The order as written is very much intended to address the strategic threat."
Still, how it may improve security of the sector going forward will depend exclusively on whether "the corresponding domestic technology is more secure and less open to interference than foreign counterparts," said Whitehouse on May 6. "The power grid's security is not solely based on new technology, but a complex mix of legacy systems, operations and processes as well as new technology," he noted. Whitehouse projected that as with any regulation or legislation, "this will likely raise the cost of operation and compliance within the sector." Of more concern, perhaps, "It could also potentially impact innovation due to impinging free market forces. And it's important to remember this is not a panacea." There are no "short cuts to cyber resilience," he said.
Fortress Information Security CEO Alex Santos, meanwhile, told POWER that the EO prominently highlights the importance of power companies and their suppliers "to work together to share information on risks that will enable the industry to fulfill the spirit and the letter of this Executive Order."
But according to Joseph Weiss, a control systems cybersecurity expert who has helped shape several existing cybersecurity standards, the order could have an even larger impact on the industry's overall security posture, because it stands to address many longstanding concerns. Weiss noted that the EO "demonstrates a high level of technical details and detailed knowledge of existing gaps and vulnerabilities in bulk power equipment and operations, including identifying a specific minimum bulk power voltage level." As well as helping to reopen "much-needed dialogue to address security and policy issues between regulators, policy makers, manufacturers (OEMs) and owner/operators," it could also spur "a growing debate on authorities and responsibilities between FERC, NERC, and the NRC," he suggested.
And perhaps more importantly, it could "directly challenge core NERC CIP cybersecurity requirements," which previously excluded the specific bulk electric equipment identified in the EO. The reverse also holds: much of the equipment in scope of the NERC CIPs and supply chain requirements is "explicitly identified as out-of-scope for the EO," Weiss explained. "If the intent is to secure the Bulk Electric Systems with a more balanced approach to securing networking (IT/Operational Technology-OT) and engineering systems, this Executive Order is on target and represents a more comprehensive approach to securing the grid."
New Uncertainty for Power Sector Transactions
The EO's broadness and imprecision are also causing significant confusion about how it will apply to power sector transactions that are already in the pipeline, as Jason Johns, energy partner at Stoel Rives, a law firm that advises independent power producers and utilities, told POWER on May 4.
"However, I think that when the dust settles on this whole thing, it will be much narrower in application than the initial reaction indicates, and that's because I think this is related to activities that have occurred over the last couple of years that were specific to the federal power marketing agencies and the utility system as a whole." Last year, the U.S. banned the use of certain telecommunications equipment and other data security equipment and software, Johns noted. "So, there was an expectation in the industry that something like this was underway–but that it would be more tailored to, again, the federal power marketing agencies and not the utility system as a whole."
Stoel Rives began fielding questions from its clients, which comprise the vast gamut of BPS participants, within 10 minutes of the EO's publication on Friday, Johns said. Many immediate concerns were from renewables and energy storage developers, whose products rely on equipment sourced across the world, including from China.
"Renewables transactions are often multi-phased in terms of when they're signed, when they're funded, and when a project goes into commercial operation," he said. "So, one of the questions we have been asked is about the importance of the May 1 effective date of the EO, and how does that apply to a multi-stage transaction. The answer is, unfortunately, we don't yet know. It's just one of those elements of uncertainty that has been created here."
Johns suggested that the shadow of uncertainty extends to what equipment the EO covers. Among other questions the firm has received are: "What type of components does it cover? Does it cover wind turbines, solar panels? How far back up the interconnection line does it reach to particular generators?" The answers are murky. He said it is "possible DOE may consider smaller generating equipment, such as wind turbines and photovoltaic equipment, to be [bulk power equipment (BPE)] when deployed at utility scale, although such equipment is not generally known to provide transmission reliability." However, smaller scale deployments of renewable technologies, such as residential and commercial solar, "appear to fall outside of the EO. On the other hand, standalone energy storage facilities may fall within the scope of BPE," he said.
Another concern is, "What if [a project includes] components from China, for example, because we expect China will be one of the countries identified, am I required to remove them?" Johns said. Overall, those questions are valid because the impact may "have a pretty chilling effect on investment in that project, and even that project's ability to become operational according to its deadlines and milestones," Johns noted.
More clarity on the expansive EO may come in the rules and regulations the DOE is directed to publish within 150 days–or by Oct. 1. "My expectation is that they will act much sooner than that," Johns said.
But until then, energy project developers will still need to proactively assess transactions "to determine whether they potentially involve affected BPE and a foreign ownership interest that could trigger the prohibitions outlined in the EO, and to consider appropriate steps to address or avoid the risk of later DOE action," he added. "Because the EO appears to require a transaction-specific analysis of security concerns, it is possible that the DOE will establish a notice and review process for transactions potentially falling within the scope of the EO. We also anticipate that foreign investments and acquisitions of U.S. infrastructure with prohibited BPE could encounter mitigation requirements initiated by DOE as part of [the interagency Committee on Foreign Investment in the U.S.] clearance, even before DOE publishes final rules implementing the EO," he said.
However, the power sector should be aware that existing BPE may also be impacted by the order. Johns noted that under the EO, the "DOE is tasked with identifying existing BPE posing significant vulnerabilities for the bulk power system or threats to national security, and developing recommendations on ways to identify, isolate, monitor, or replace such items as soon as practicable, taking into consideration overall risk to the bulk-power system." The coming weeks will likely shed more "details on the EO's true scope, and whether it is as disruptive as it first appears," he said.
Editor's note: Updated May 7 to add comments by control systems expert Joe Weiss, and Moody's ratings agency.