It is long overdue to secure the United States’ bulk power system supply chain. As early as 2007, researchers demonstrated how digitization of power systems introduces vulnerabilities that can cause physical damage. In 2015, intruders, likely sponsored or directed by the Russian government and known colloquially by the name Sandworm, breached multiple Ukrainian electric utilities and shut off power for hundreds of thousands of residents. A year later, Sandworm attacked Ukrainian electric utilities with even more advanced capabilities in an operation designed to disable protective systems and induce long-term outages. In 2017, likely Russian-directed threats attempted — but failed — to gain access to US nuclear power-generating facility control systems by compromising electric utility vendors. Ensuring the integrity of control systems that operate and protect the bulk power system is critical to our economy and the safety of the men and women who work in our utilities.
On May 1, 2020, the US government issued an executive order prohibiting the acquisition or installation of any bulk power system equipment, such as protective relays and safety instrumented systems, from risky foreign suppliers. The US government also created the Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security. The task force is led by the Department of Energy and includes representation from national security agencies as well as the Departments of Commerce and the Interior and the Office of Management and Budget. The task force will consult with both the Electric Subsector Coordinating Council and the Oil and Natural Gas Subsector Coordinating Council in developing recommendations and evaluation criteria — a good example of public-private partnership to help secure the United States power supply from adversaries.
The Wall Street Journal revealed in late May 2020 that US authorities seized a transformer en route to a US utility company from a Chinese company in mid-2019. The May 2020 executive order mentions transformers three times in the list of “bulk-power system electric equipment,” underscoring the importance of these components. Currently, there are more questions than answers on the executive order and this transformer seizure.
New regulations are also influencing the US power supply industry. On July 1, 2020, NERC CIP-013-1 supply chain risk management becomes enforceable. Some asset owners feel that CIP-013-1 hasn’t been effective at changing behavior. While NERC is the reliability organization for the US and Canada (and a small part of Mexico), the Canadian government has not issued a similar order, leaving open the possibility of Canadian electric utilities procuring the same risky equipment that the US government has just prohibited.
Unanswered questions relating to this executive order include:
- When will the task force issue guidelines and the list of prohibited suppliers?
- Who is accepting liability for canceling existing contracts with the entities on the prohibited list — especially for firms that integrate these systems on behalf of their utility clients?
- What will the evaluation criteria look like?
- Since this only affects new procurement, what efforts are being undertaken to replace existing high-risk control systems in the bulk power system?