Communication Technology, Cybersecurity, Distribution Automation / Substation Automation, Generation, News, Outage Management, T&D, Transmission

Utility supply chain cybersecurity is focus of Trump’s latest executive order

On Friday, May 1, the U.S. President declared a national emergency related to the cybersecurity of the bulk power system, saying that certain components that are used in the grid could represent threats to national security because they could be compromised by bad actors looking to bring down our critical infrastructure.

In the resulting executive order, a laundry list of potentially affected equipment was listed, including reactors, capacitors, substation transformers, current coupling capacitors, large generators, backup generators, substation voltage regulators, shunt capacitor equipment, automatic circuit reclosers, instrument transformers, coupling capacity voltage transformers, protective relaying, metering equipment, high voltage circuit breakers, generation turbines, industrial control systems, distributed control systems, and safety instrumented systems. 

The order directs a task force headed by Dan Brouillette, Secretary of Energy, to come up with a list of approved and disapproved vendors, essentially a white list and a black list of equipment vendors, which could then be used for future purchases as well as the removal of equipment that is currently in use on the grid.

According to Jim Cunningham, Executive Director of Protect our Power, an advisory panel focused on strengthening the nation’s electrical power grid, the order is a great first step in locking down the security of our national grid.

While the task force has until September 28, 2020 to come up with a plan, Cunningham said they could model it after a protocol already in place for the Department of Defense, which says that the onus of responsibility for a secure product lies with the supplier.

“So if I am buying a widget from a certain manufacturer, the liability of the integrity of it lies with the final supplier,” he said in an interview. He explained that if the product contains chips and if they come from, say China, the responsibility for ensuring that those chips are safe, would fall on the manufacturer.

Related coverage:

“We are not saying confine yourself to tradition forms of power, but as you branch out into different forms of power, pay attention to the components and where they are coming from and the integrity of those products,” he added.

Protect our Power is currently working with Ridge Global on a supply chain report that will examine the controls that are in place now for maintaining a secure supply chain.

“We are trying to bring together the sellers, the buyers and the regulators into a collaborative to discuss the protocol that could be put in place as quickly as possible that the industry would follow both at the bulk level and at the retail level,” said Cunningham. He added that while it seems ambitious, he’s hoping to have those recommendations out by the end of the year.

Covid-19 comparisons

Cunningham says we can’t ignore one threat (cybersecurity) because we are dealing with another threat (the pandemic) and added that it is the pandemic itself that highlighted the urgency of having a supply chain you can trust. He said the pandemic forced the medical community to reevaluate its supply chain.

“The pandemic brought this on loud and clear — you need a reliable supply chain. It is a global market, it is a global economy, but you have to trust your suppliers,” he said.

“If that means making some or more of it in the U.S., then that’s good… And if it means that our allies will be beneficiaries of this type of a policy, then that’s good too,” he added.  

Scott Sternfeld, chair of the Cyber-securing the Grid Track at DISTRIBUTECH International said that the order could be very valuable for utilities. Since most of the electricity sector is privately owned, having a list of approved vendors could be helpful when sourcing components for projects.

“Cybersecurity is not always considered when you are awarding an RFP based on the lowest bidder,” he said.

But looking down the entire supply chain is quite complex, said Sternfeld.

“When it goes down to the chip level, that’s where sometimes people might throw their hands up at supply chain security,” he said. “You go to first tier, second tier, third tier suppliers and at some point, it goes out of your hand if it’s not 100 percent made in the U.S.”

While some might believe the order is politically motivated, Sternfeld said he doesn’t think the issue is a reaction to current events, but one that has been building for years, reflected by the fact that this has been an important topic during past DISTRIBUTECHs. He said the topic of supply chain security is one that has been addressed at several past DISTRIBUTECH conferences.

“Threats that have been discussed at previous conferences are reflected in the executive order,” he said. continues to collect industry insight and commentary related to the new order. If you have a tip, comment, or expertise in this area, feel free to contact Jennifer Runyon.

DISTRIBUTECH International is accepting abstracts for the 2021 event, which takes place in San Diego, California from February 9-11, 2021. Learn how to submit your presentation idea at this link.