“To maintain energy security, one needs a supply system that provides a buffer against shocks. It needs large, flexible markets. And it’s important to acknowledge the fact that the entire energy supply chain needs to be protected.”– Daniel Yergin
On May 1, 2020, President Trump signed the Executive Order on Securing the United States Bulk-Power System. The Order targets foreign adversaries, vulnerabilities in the United States bulk-power system, and malicious acts including cyber activities. To many, an external threat to our electricity system may seem pedantic, esoteric, and even theoretical. Yet a number of utilities have been experiencing these attacks and public/private efforts have been working to understand how to defend against them. President Trump’s Executive Order continues ongoing efforts to protect the grid by limiting foreign access to the supply chain and undoing insidious penetration that already has occurred. What could be wrong with that?
The bulk-power system includes generation and transmission facilities as well as their control systems. The electrical system that delivers energy to industry, commercial businesses and homes supports our economy, communications, and interactions. National security depends on a secure, functioning power grid.
Nation states pose the greatest threat to U.S. critical energy infrastructure, but there are other bad actors. Russia generally uses its cyber capabilities to engage in cold-war tactics to collect information and technology to support its own economic development and security. China’s efforts are more competitive, focusing on military, commercial, and corporate information to support its economic growth, technological prowess, and strategic advantage. Iran’s cyber warfare capability seems more terroristic — targeting corporate secrets for ideological protest or profit. Independent cyber criminals and hacktivists sell illegally-gained access codes and proprietary information through an extensive black market to the highest bidder. Active enemies exist.
Unrestricted Foreign Supply
The physical supply chain for equipment supporting the bulk power grid has become increasingly international. Supervisory Control and Data Acquisition (SCADA) systems have been a known risk for at least twenty years. Although most of the SCADA systems used by U.S. utilities reportedly are manufactured in Europe, component parts and software are developed and produced elsewhere. Potential risks tied to SCADA systems have become an even greater issue as U.S. energy infrastructure becomes more digitized and operational and informational technologies converge [see Power Grid International — Is Your SCADA System Safe?]. On the generation side, China has taken the lead in manufacturing solar panels and wind turbines, and most leading power generation equipment manufacturers have factories overseas. Computer components and software similarly come from overseas companies or manufacturers.
Unusual and Extraordinary Threats
The threat from foreign adversaries is ongoing. Examples abound related to breach of firewalls, unauthorized software updates, operational control through internet communications, embedded code or malware in vendor software, counterfeit equipment, and remote access. In 2019, the FBI publicly identified more than a dozen U.S. utilities operating in eighteen states as targets of cyber attacks. These external attempts at infiltration may be easier to recognize than internally embedded malware that hibernates in foreign components until they strike. Digital misrepresentation of grid operations could have disastrous consequences as automated controls and manual operators respond to incorrect software signals. The Executive Order directly addresses these risks.
Responsibilities and Scope
Equipment supplied and supported by foreign adversaries serve as a means for bad actors to enter and exploit the power grid. The Executive Order declares a national emergency with respect to this threat and restricts acquisition of equipment and component parts purchased for the bulk-power system from or developed by foreign entities. The Secretary of Energy has new authority for establishing rules tied to power grid acquisitions from foreign entities in order to mitigate threats. The order also establishes a task force composed of senior members of the Executive Branch to establish an approach to mitigate existing equipment and to address potential weaknesses tied to distribution systems. Similar oversight already is in place for the country’s nuclear plants; applying these rules to the rest of the bulk power system makes sense.
Despite the clear threat and need to act to protect the grid, this Executive Order could be perceived as a back-door way to achieve some of the Administration’s earlier efforts to support fossil fuels and domestic manufacturing. Imports of certain generation equipment, including solar panels and wind turbines, could be prohibited — no need for tariffs. Smart grid communications equipment that is not vetted from pre-qualified vendors could become illegal to import — no need to implement sanctions or quotas. Software for demand response and microgrids may need to be developed domestically — no need to disband trade agreements. Although the Executive Order takes bold and needed steps towards limiting foreign exposure in the bulk-power system, thoughtful implementation will be key to realizing the objective of a safe grid without sacrificing progress. It would be a shame if an increasingly smart grid has to dumb down in the name of security.