Following the decree of the Trump administration on the protection of the American electricity production system, the Department of Energy made a request for information on questions related to the equipment provided by foreign nations. The minister took the opportunity to qualify Russia and China as the main threats to national security.
On May 1, the Trump administration issued a decree on securing the U.S. electricity system that aims to remove essential equipment supplied by suppliers from foreign nations from the grid. In the middle of the week, the Department of Energy (DOE) issued a request for information (RFI) “seeking information to understand current practices in the energy industry in order to identify and mitigate vulnerabilities in the supply chain of bulk energy production system (BPS) components. “
The RFI follows the decree, which instructs the DOE, in consultation with other agencies, to draw up regulations implementing its objectives through a regulatory process. The decree defines electrical equipment as the items used in substations, control rooms and power plants, including reactors, capacitors, substation transformers, large generators, voltage regulators, as well as several other defined pieces of electrical equipment.
Russia and China described as “threats”
Contrary to the decree, the DOE explicitly designates China and Russia as the two most threatening nations for the electricity generation system, because they “both have very advanced computer programs and … these two nations pose a threat major for the US government, including, but not limited to, military, diplomatic, commercial and critical infrastructure. ” Based on an assessment by the office of the Director of National Intelligence (ODNI), the National Center for Counterintelligence and Security (NCSC), the DOE says that the American electricity system is therefore a target for these two. “Close adversaries” who map “critical American infrastructure with the long-term goal of being able to cause significant damage”.
These adversaries would try, according to the American ministry, to access the supply chains of critical infrastructures in multiple points, by inserting malware into technological networks and communication systems. In order to address the implications of the energy supply chain for national security, the DOE RFI focuses on the maturity of cybersecurity and a PCIE assessment: Participation, control and influence from abroad.
Responses expected before August 7
In its RFI, the DOE restricts the general objective of the equipment decree to “allow a gradual process by which the ministry can give priority to the examination of the electrical equipment of the BPS”. The specific categories of equipment on which DOE has reduced its field of action are the following:
– High voltage transformers (including step-up generation transformers);
– Reactive power equipment (reactors and capacitors);
– Circuit breakers;
– Production (including the production of electricity supplied to the BPS at the transport level and the emergency production which supports the substations).
The United States Department is seeking answers to many specific questions from utility owners and operators and their suppliers. These range from knowing whether utilities and suppliers should carry out risk assessments, to knowing what levels of governance to give to subcontractors, including access control policies that apply to suppliers who have foreign ownership, control or influence. DOE wants all interested parties to answer these and other questions within one month, before August 7.
The RFI well perceived
The North American Electric Reliability Corporation (NERC), a quasi-government organization, which has already established mandatory safety standards for the electrical industry, has issued an alert, “Securing the electricity generation system in the United States, supply chain III ”, simultaneously with the publication of the DOE request for information. Although its content is confidential and limited to electricity companies, NERC tells the CSO that it has published this document to “continue to collect information on the use of foreign BPS equipment”. Electricity companies are required to acknowledge receipt of the alert before July 16 and respond to the alert recommendations before August 21.
“I think the Ministry of Energy inquiry is a good first step,” said Patrick Miller, founder of the energy security consortium EnergySec and now managing partner of the energy consulting firm Archer Security at the OSC. . “I think it’s a good thing that they’re asking the industry to contribute.” Dale Peterson, founder and CEO of security consultancy ICS, Digital Bond, agrees: “DOE is expected and good to initiate this request for information in response to the decree.” Peterson is particularly pleased that DOE is asking which power network communication protocols are not secure in their design, such as, for example, the Distributed Network Protocol 3 [DNP3], the File Transfer Protocol [FTP], Telnet or Modbus. “I’ve been trying to ask this question since 2012.”
Storms and squirrels, more daily threats for grid managers
The Western Area Power Administration (WAPA), a federal electricity company managed by the DOE, naturally supports what the administration is trying to achieve through the decree. “Everything we can do to protect the electrical system from potential adversaries is very necessary and required these days, while the most critical infrastructure in the United States is under constant threat,” said its CEO, Mark Gabriel. “There is a growing body of evidence and experience on the threats to the American electrical system,” he continues, “but the daily threats faced by those of us who manage the mass electrical system.” are usually storms or squirrels gnawing at cables. In terms of national security, this is an area where we all need support. ”
Competitive critical infrastructure frameworks
In its request for information, the DOE relies heavily on a framework, ODNI’s supply chain risk management best practices, rather than on the framework developed by NERC, the Critical Infrastructure Protection ( CIP) 13, which was approved on October 18, 2018 and came into effect on July 1, 2020. “To me, that brings up a lot of questions about interactions with CIP-13,” says Miller, who continues: ” If you do something that meets the NERC standard but does not meet the DOE standard? Will the latter rely on NERC in one way or another in order to be able to align with this standard? All of these questions arise. ”
DOE responds that it “works closely with NERC and FERC [Federal Energy Regulatory Commission], because protecting network security is a vital mission for everyone. After signing the decree, Bruce Walker, assistant secretary to the Bureau of Electricity, briefed NERC and FERC. The Department of Energy appreciates NERC’s efforts to help industry understand the risk posed by equipment in electricity generation systems that is manufactured or supplied by foreign adversaries. ”