US President Donald Trump last Friday declared a national emergency related to the cybersecurity of the bulk power system, saying that certain components used in the grid could represent threats to national security, open to being compromised by bad actors looking to bring down critical infrastructure.
This article was first published on our sister site, POWERGRID International.
In the resulting executive order, a laundry list of potentially affected equipment was listed, including reactors, capacitors, substation transformers, current coupling capacitors, large generators, backup generators, substation voltage regulators, shunt capacitor equipment, automatic circuit reclosers, instrument transformers, coupling capacity voltage transformers, protective relaying, metering equipment, high voltage circuit breakers, generation turbines, industrial control systems, distributed control systems, and safety instrumented systems.
President Trump signs executive order protecting US bulk power system
US: FERC grants NERC grace on rollout of new cybersecurity rules
Seven cybersecurity trends to watch for in 2020, in spite of the new virus
The order directs a task force headed by Dan Brouillette, Secretary of Energy, to come up with a list of approved and disapproved vendors, essentially a white list and a blacklist of equipment vendors, which could then be used for future purchases as well as the removal of equipment that is currently in use on the grid.
According to Jim Cunningham, Executive Director of Protect our Power, an advisory panel focused on strengthening the country’s electrical power grid, the order is a great first step in locking down the security of our national grid.
While the task force has until September 28, 2020 to come up with a plan, Cunningham said they could model it after a protocol already in place for the Department of Defense, which says that the onus of responsibility for a secure product lies with the supplier.
“So if I am buying a widget from a certain manufacturer, the liability of the integrity of it lies with the final supplier,” he said in an interview. He explained that if the product contains chips and if they come from, say China, the responsibility for ensuring that those chips are safe, would fall on the manufacturer.
“We are not saying confine yourself to tradition forms of power, but as you branch out into different forms of power, pay attention to the components and where they are coming from and the integrity of those products,” he added.
Protect our Power is currently working with Ridge Global on a supply chain report that will examine the controls that are in place now for maintaining a secure supply chain.
“We are trying to bring together the sellers, the buyers and the regulators into a collaborative to discuss the protocol that could be put in place as quickly as possible that the industry would follow both at the bulk level and at the retail level,” said Cunningham. He added that while it seems ambitious, he’s hoping to have those recommendations out by the end of the year.
Cunningham says we can’t ignore one threat (cybersecurity) because we are dealing with another threat (the pandemic) and added that it is the pandemic itself that highlighted the urgency of having a supply chain you can trust. He said the pandemic forced the medical community to reevaluate its supply chain.
“The pandemic brought this on loud and clear — you need a reliable supply chain. It is a global market, it is a global economy, but you have to trust your suppliers,” he said.
“If that means making some or more of it in the U.S., then that’s good… And if it means that our allies will be beneficiaries of this type of a policy, then that’s good too,” he added.
Scott Sternfeld, chair of the Cyber-securing the Grid Track at DISTRIBUTECH International said that the order could be very valuable for utilities. Since most of the electricity sector is privately owned, having a list of approved vendors could be helpful when sourcing components for projects.
“Cybersecurity is not always considered when you are awarding an RFP based on the lowest bidder,” he said.
But looking down the entire supply chain is quite complex, said Sternfeld.
“When it goes down to the chip level, that’s where I sometimes throw my hands up at supply chain security,” he said. “You go to first tier, second tier, third tier suppliers and at some point, it goes out of your hand if it’s not 100% made in the US.”
While some might believe the order is politically motivated as some kind of retaliation against China, Sternfeld said he doesn’t think that is the case. He said the topic of supply chain security is one that has been addressed at several past DISTRIBUTECH conferences.
“Threats that have been discussed at previous conferences are reflected in the executive order,” he said.