On the first of May, US President Trump declared a national emergency related to the cybersecurity of the country’s bulk power system. He then gave the Secretary of Energy until 28 September 2020 to essentially come up with a set of rules pertaining to which equipment — from which countries — would be allowed on the bulk power system and which equipment would be prohibited from being installed on it.
The order went so far as to say that some equipment already in use may need to be stripped from the grid and replaced.
While the industry waits for clarity on those rules, there are certain preliminary steps that both utilities and the vendors that supply them can take now, according to Belton Zeigler, partner with Womble Bond Dickenson law firm in South Carolina. Zeigler is a senior member of Womble Bond Dickinson’s Data Management and Cybersecurity Team.
Take a look at your contracts
First, he said, both utilities and vendors need to look very carefully at their contracts to see where and how risks are being allocated. Many contracts include a “change of law” provision and he urges both utilities and vendors to re-examine them to make sure they understand what is and what isn’t protected. For example, if a utility has recently purchased a piece of switchgear, for example, but hasn’t installed it yet, it’s conceivable that the utility could receive a notice from the federal government at some point in the near future saying, ‘send it back,’ he said.
Supply chain cybersecurity – the focus of Trump’s executive order
President Trump signs executive order protecting US bulk power system
US: FERC grants NERC grace on rollout of new cybersecurity rules
“Are you comfortable that you know who bears that cost,” he said.
Further, he added that now that the order has been issued, a change of law has already occurred, “so as you are bidding on things after May 1, you can’t really rely on change of law,” he said. “Lawyers can fight about that.”
Understand that it’s an uncertain time for utilities to design, specify or purchase anything
Zeigler pointed out that major improvement projects on the bulk power system take place over a long time. “You have design where you will be specifying equipment typically, you have the procurement process where the pricing may be built around assumptions of particular equipment, and then you’ll have the actual physical manufacturing, shipment, delivery, and installation of the equipment,” he explained.
“There’s a possibility of disruption at any point,” he said.
“The regulations are conceivably very broad and that means a great deal of risk, which has to be considered at all stages in that procurement process in order for people to protect themselves,” he added.
Look at every single component in your product
For vendors, Zeigler recommends they look carefully at where they are sourcing each and every component in their products.
“You may have a piece of equipment which is 85-90% manufactured in a non-adversarial circumstance but if the electronic controls associated with that equipment are coming from an adversarial supplier, I would assume that the rules would apply to it,” he said.
He also recommends that vendors keep a close eye on the development of the regulations and rules “and what the possibilities are for receiving licenses, exemptions, or being whitelisted,” he said.
He also suggested they explore other possibilities for where they could source sensitive electronic equipment so that it would be in compliance if it is determined that the country from which they are sourcing now is a prohibited one.
Zeigler pointed out a number of unanswered questions that utilities and vendors will need answers to in order to continue building out the grid of the future.
- What will the grandfathering or the effective date look like?
- How will DOE treat transactions in process?
- Which nations are going to be considered subject to this? (He added that he thinks everyone has their assumptions — Russia and China — but that it would be very helpful to know definitively.)
- How carefully will the regulations focus only on those electronic components because if that is the case, it may be possible to comply without changing all of the equipment, just a handful of the components.
While 5 months might seem like a very long time to wait for clarity Zeigler pointed out that DOE is aware of and sensitive to just how disruptive this order will be to the utility industry.
“A 150-day window is fairly short from a regulatory standpoint,” he said, explaining that a lot of regulations take much longer than that to be finalized.
“Someone was saying ‘I think this has to be done quickly to minimize risk and uncertainty,’” said Zeigler.
This story first appeared on our sister site, Renewable Energy World.