DOE Seeks Information on Securing Bulk Power System

Pursuant to Executive Order 13920, “Securing the United States Bulk-Power System” (the EO) issued May 1, 2020, which declared that threats by foreign adversaries to the bulk-power system (BPS) constitute a national emergency, on July 8, 2020, the Department of Energy (DOE) issued a Request for Information (RFI) seeking information regarding the energy industry’s current practices for identifying and mitigating vulnerabilities in the supply chain for BPS components. 

The RFI seeks information regarding three of the EO’s four pillars: : (1) prohibit the acquisition, importation, transfer, or installation of any BPS electric equipment (as defined in the EO) by any person or with respect to any property in which a foreign adversary (or associated national) has an interest, that poses an undue risk to the BPS, U.S. critical infrastructure, or the nation’s economy or security; (2) identify the BPS equipment with respect to which such risks are posed and develop recommendations to identify, isolate, monitor, and replace such equipment; and (3) publish criteria to pre-qualify particular equipment and vendors for future transactions, and publish a list of all such equipment and vendors that are pre-qualified.

The RFI notes that certain foreign adversaries, particularly China and Russia, are attempting to access key U.S. supply chains at multiple points—from concept to design, manufacture, integration, deployment, and maintenance—by, among other things, inserting malware into important information technology networks and communications systems in order to gain access to U.S. critical infrastructure, including the BPS. DOE currently lists the governments of China, Russia, Cuba, Iran, North Korea, and Venezuela as foreign adversaries for the purposes of the EO, although the Secretary of Energy may revise this list at any time.

DOE is seeking information on the evidence-based cybersecurity maturity metrics employed by utility owners and operators, as well as evaluations made in connection with foreign ownership, control, and influence (FOCI) in their acquisition processes. To help prioritize its review of BPS electric equipment and its assessment of the national security implications should it be acquired, DOE seeks comment on the following types of equipment: transformers (including generation step-up transformers) rated at 20 MVA and low-side voltage of 69 kV and above; reactive power equipment (reactors and capacitors); circuit breakers; and generation (including power generation that is provided to the BPS at the transmission level and back-up generation that supports substations). This includes both the hardware and electronics associated with equipment monitoring, intelligent control, and relay protection.

Specific questions from DOE include:

• Do energy sector asset owners and/or vendors conduct enterprise risk assessments, including a cyber maturity model evaluation on a periodic basis?
• Do energy sector asset owners and/or vendors identify, evaluate, and/ or mitigate FOCI with respect to foreign adversaries in connection with access to data, product development, source code, and research partnerships?
• Are changes to current supply chain risk management standards, such as the NERC critical infrastructure protection standards, necessary to build capacity to protect source code, establish a secure software and firmware development lifecycle, and maintain software integrity?
• What information is available concerning BPS electric equipment cyber vulnerability testing standards, analyses of vulnerabilities, and any effort to compromise BPS electric equipment over the last five years?

Comments and the submission of information as addressed in the RFI are due no later than August 7, 2020.

For more information on the EO, see our May 4, 2020 Client Alert entitled, President Declares Threat to Electric Power Grid a National Emergency.