U.S. President Donald Trump signed an executive order on May 1, 2020, that establishes oversight of foreign-made equipment used in the United States bulk-power system. The order stated that Energy Secretary Dan Brouillette would assemble a task force to examine current procurement policies, identify threats to security, and establish risk-management protocols to inform future procurement.
This direction comes as little surprise to the power industry, following the Administration's previous crackdowns on telecommunications providers sourcing foreign-made systems and equipment deemed by the Secretary of Commerce as posing a national security risk.
The order will affect future power equipment purchases and potentially existing installed and commissioned components at the generation and transmission level. It builds on a July 2019 North American Electric Reliability Corp. request for bulk-power system asset owners to inventory telecommunications devices manufactured by Chinese technology companies, as part of an investigation into components made by Chinese firms Huawei and ZTE Corp.
"This is much broader; it reaches across the entire industry, not just the telecommunications infrastructure," said Jason Johns, an energy market attorney with Stoel Rives, LLP. "At the same time, it is particularly broad and imprecise in terms of its application."
Still, many electric utility industry stakeholder groups took a favorable stance toward the order. In a May 1 statement, Edison Electric Institute President Tom Kuhn said, "EEI and our member companies appreciate that President Trump, through his new Executive Order, continues to make energy grid security a priority for his Administration and our nation. We have long maintained that grid security is a shared responsibility, and addressing dynamic threats to the grid requires vigilance and coordination that leverages both government and industry resources."
"This is primarily about information systems," Johns said. According to a 2018 report by Protect Our Power, a not-for-profit organization focused on advancing cybersecurity in the U.S. power grid, the convergence of IT and OT poses the most significant threat to the security of bulk power. The report, co-authored by Ridge Global, states that "[IT/OT] integration can provide greater and more efficient ease of access for a wide array of malicious actors if modern IT/OT system components are not properly secured across their 'cradle-to-grave' life-cycle."
The report warns of the "globally distributed, highly complex, and increasingly interconnected set of supply chains," including products and services, that pose a risk at many points. Additionally, it states that "the process of maintaining hardware and updating or 'patching' software products that support IT/OT systems within the U.S. electric industry also represent critical points of vulnerability." Integration, maintenance, and updates pose potential areas of risk once installed.
"A lot of the connected devices [used by utilities] are assembled in the United States," said Jeff Pack, a senior product engineer and cybersecurity expert with POWER Engineers, "but each component will have something, whether it be memory chips, boards, or processing chips, that are manufactured in foreign lands." Pack indicated that this is an area that we can start to investigate relatively quickly.
The value this order will add to existing cybersecurity frameworks, namely NERC CIP, and particularly CIP-013, which establishes supply chain standards, is still unclear. "Perhaps after the Task Force is able to issue some guidance or directives, we will be able to determine if the Executive Order provides any risk reduction or resilience to the BPS beyond what the scope of CIP-013 provides," Pack said.
The degree to which the order will establish oversight and regulation of pre-installed infrastructure is also unclear. "It could pose substantial challenges to utilities if asset owners are required to rectify existing installed infrastructure that may have technological components embedded from one or more 'adversarial countries,'" said Chuck Newton, principle at Newton-Evans Research, who tracks power equipment supply chain.
At the bulk power level, experts say many utilities are already highly informed about the equipment that exists today. "Utilities are mindful of components and equipment, and where many of the underlying parts originate. Many utilities, especially larger ones, have done a lot of supply chain investigation," Pack said.
According to Newton, very few Chinese or Russian assets exist in the field today. "Utilities are not willing to invest in Chinese equipment at this time," he said. "Over the past several years there have been some new plants built to produce large and very large power transformers in the United States, which include SPX, Hyundai, VA/GA Transformers, and MEPPI. Subsequent M&A activity has expanded foreign ownership of [United States-based] plants."
Pack was optimistic that "If [utilities] are directed to take a risk-based assessment, a lot of existing equipment could be grandfathered in and left in place if due diligence was done at the time of procurement."
"Right now, the biggest impact is uncertainty across the industry as far as the impact it will have on transactions," Attorney Johns said. "However supportive the industry, clarity must be provided as soon as possible, long before the 150 days allotted to the [Secretary of Energy Brouillette's] task force."
This can create perplexity for anyone who is currently sourcing components. "What about those facilities that have already signed agreements before the May 1 order? How are those impacted? Utilities will struggle to meet their current timelines, and capital expenditure planning will be impacted," Johns said.
POWER Engineers' Pack points out that the devil is in the details. "Overall, the order is probably overdue, but right now there are a lot of missing details as to what types of assets, owned by who is involved and how [Secretary Brouillette's] task force starts to put its arms around [the order] and issue guidance or directives on how it will be implemented. If the task force takes a risk-based approach, we won't see as much disruption to the industry, but right now, we don't know."