Power Sector, Federal Entities Scramble to Close Supply Chain Security Gaps
Marking another major federal effort to address potential supply chain risks to the bulk power system (BPS), the Federal Energy Regulatory Commission (FERC) on Sept. 17 sought industry’s perspective on a number of important considerations, including possible actions the regulatory body could take to address security gaps. The U.S.-based power sector, meanwhile, has moved quickly to safeguard itself against supply chain risks, but it continues to grapple with myriad technical and legal challenges, key stakeholders said.
FERC issued a notice of inquiry (NOI) (Docket No. RM20-19-000) to gauge industry input on six key supply chain security challenges to better understand “the risks to BPS reliability” posed by equipment and services provided by “entities identified as risks to national security,” as well as how the federal entity should move forward to address any identified risks.
While the NOI broadly casts risk-ridden vendors that could pose national security risks as “certain entities,” it specifies two examples: Chinese firms Huawei Technologies Co. and ZTE Corp. (ZTE), citing their inclusion in the August 2018–enacted John S. McCain National Defense Authorization Act for fiscal year 2019. FERC last week said it identified these companies “because they provide communication systems and other equipment and services that are critical to BPS reliability.”
FERC, specifically, is seeking more clarity on the extent that the equipment and services these national security–threatening entities are used in BPS operations, but it also wants to know what risks they pose. Notably, it also asked whether existing Critical Infrastructure Protection (CIP) reliability standards adequately mitigate the identified risks, and what other “mandatory actions” FERC should consider to counter these risks. It also asked specifically how it could raise more awareness about the issue, including how it could collaborate with industry to help with mitigating risks. Finally, FERC wanted to know what the power sector has done or plans outside CIP compliance to address these risks.
FERC’s NOI Reflects Information Sought by DOE
With the NOI, FERC became the latest federal entity to formally act on power sector supply chain security, an issue that has ricocheted into a key priority for the Trump administration owing to its vast implications on the national security front.
As Christopher Krebs, director of the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) explained during a conversation with Edison International’s CEO Pedro Pizarro at the Edison Electric Institute’s 2020 Virtual Leadership Summit on Sept. 9, the issue shot to prominence on May 1, when President Trump issued a broad and controversial executive order (EO) that limits foreign influence in the U.S. energy grid.
The sweeping measure targets grid suppliers potentially compromised by “adversary governments,” with emphasis on China and Russia. But it notably also covers pending and future transactions related to these suppliers, as well as existing risk-ridden equipment across the vast, sprawling BPS that is supplied by persons considered foreign adversaries. However, more details about how the federal government will ban specific BPS vendors are expected in rules that the DOE could roll out before Oct. 1, as specified under the EO.
Before that, Pizarro clarified, cybersecurity supply chain risk management was not new for the power sector, but it “really burst into the national consciousness” over the last year owing to increased awareness within the power industry that its most critical components, like supervisory control and data acquisition (SCADA) systems and transformers, depend on a vast, risk-ridden global supply chain.
The EO appears to have triggered a frenzy of federal action. FERC’s NOI issued last week, for example, closely mirrors a detailed request for information (RFI) the Department of Energy (DOE) Office of Electricity published in the Federal Register on July 8.
Among questions the DOE asked energy sector asset owners and vendors to answer voluntarily by Aug. 7, 2020, are whether they conduct enterprise risk assessments on a periodic basis, and whether they identify (and mitigate) foreign adversary ownership, control, and influence with respect to “company and utility data, product development, and source code (including research partnerships).” The DOE also asked owners and vendors about potential supply chain risks from “sub-tier suppliers”—or suppliers’ suppliers—recognizing that some sub-tier supply chain manufacturers could have “foreign ownership, control, and influence” with respect to foreign adversaries.
At the same time, FERC and the North American Electric Reliability Corp. (NERC) are readying to make CIP-013-1 effective on Oct. 1. NERC delayed implementation of the cybersecurity supply chain risk management standard for three months to provide a brief reprieve during the COVID pandemic, even though the move was decried by grid resilience advocacy groups.
On July 31, FERC and NERC also published a joint white paper to help the power sector identify one “well-known and often targeted component,” a network interface controllers (NIC), which takes the form of an integrated circuit chip integrated into a motherboard or upon a host bus adapter card. Research has shown “numerous avenues to compromise systems using NICs as a method for undetected access for an attacker,” the joint white paper says.
Exploring Incentives for Grid Cybersecurity
In late August, meanwhile, FERC closed its public comment period on another white paper introduced in June on whether transmission incentives should be offered to utilities that make cybersecurity enhancements to the electric grid. FERC’s call for comments asked stakeholders to weigh in on a range of questions including whether there are enough incentives to make significant cybersecurity investments that exceed the requirements of the CIP reliability standards, which as Daniel Skees, a partner at Morgan Lewis explained, “are seen as a baseline level of security requirements.” A wider call for comments on potential enhancements to the CIP reliability standards also concluded on Sept. 22.
“One of the things that FERC has historically done is used its power for mandatory cybersecurity requirements for electric utilities to continually set a higher bar, and those standards kind of focused on a handful of things. Over time, they applied a higher level of cybersecurity requirements generally but also to a broader scope of assets,” Skees told POWER in August. “But I think there’s a recognition that maybe it’s time for some carrot in addition to the stick.”
Skees noted the August filings focused on incentives that are transmission-oriented, possibly because FERC is looking to act under Section 219 of the Federal Power Act, which is specifically focused on transmission. Both FERC and NERC regard the transmission system as high-risk BPS infrastructure that functions like a set of regional arteries. But “whether or not you call a piece of your network ‘generation’ or ‘transmission’ or a ‘corporate network,’ it’s all connected,” Skees pointed out. In exploring incentives as options, FERC, like the DOE and other federal agencies, is essentially acting to address threats posed by foreign adversary—an issue “which has bipartisan support”— beyond statute limitations, he added.
The comments, filed by a diverse array of power sector entities, show incentives have industry’s backing, too. “They all relate to the way in which regulated utilities like transmission companies make money,” Skees said. He described two major “buckets” in which comments generally urged FERC action. One relates to a “traditional capital investment approach,” in which utilities asked for incentives that could allow cybersecurity investment recovery from ratepayers.
The other—which Skees highlighted as “interesting”—involves suggestions that utilities be able to capitalize costs that otherwise wouldn’t be treated as capital investment. “And so that could be a lot of operating and management–type costs,” which could ultimately help utilities attract the necessary cybersecurity expertise, Skees said.
How soon FERC will formally act remains uncertain, Skees said, though he suggested that because the issue has adequate political backing, the issue will remain a priority “regardless of what happens in [the November general election].”
Ultimately, while it’s up to the commissioners to make a formal decision, “I could see them either doing a formal policy statement that says, ‘we’re going to issue a policy for seeking investment incentives under Section 219.’ That’s relatively straightforward and they can do that expeditiously because they’re not actually changing regulations,” he said.
“They might also choose to issue specific regulations on this point, in which case they’d have to go through notice-and-comment rule making,” he said. “ I wouldn’t be surprised if sometime in the next 12 to 18 months, utilities had enough guidance from FERC to be able to come forward with a proposal and say, ‘Consistent with either your regulations, or consistent with your policy statement that you issued, we would like a transmission incentive for whatever that particular cybersecurity enhancement happens to be.”
DHS Steps up Engagement with Power Sector
The DHS, too, has amplified its focus on BPS cybersecurity, acting mostly through CISA, a standalone agency under DHS created by Congress in November 2018. As CISA head Krebs emphasized at the EEI conference earlier this month, CISA styles itself “as the nation’s risk advisor,” and it is focused on crafting solutions gleaned through public-private partnerships. Its current activities span five interrelated disciplines: information technology (IT) security; operational technology (OT) security; supply chain security; insider threats; and physical security.
Of these, OT security, especially as it concerns industrial control systems (ICS), and supply chain issues “have really come to the forefront,” of the agency’s efforts, but supply chain issues have merited specific attention of late owing to the NotPetya attack in Ukraine in 2017, which “was a compromise of a trusted upload process for a software,” Krebs said. Today, threats have grown even more complex “when you fold in where the majority of both IT products and [where] some of our hardware comes from—it does come from China.”
Krebs noted CISA is also monitoring and acting on actions by other countries, like Russia. “A great example is something we did in September 2017 with a binding operational directive to remove Kaspersky Lab’s anti-virus products from U.S. federal networks,” he said. CISA’s analysis wasn’t focused on Russian aggression, he said. It took into account that a Russian company was selling a product to the U.S. government that “has really root-level access to systems based on the way an antivirus product works. It takes what it finds and sends it back to Moscow for big data analytics.”
The two key issues that underlie supply chain threat analysis, he explained, are technical and legal, and CISA typically applies them as a framework for evaluating many products from many organizations and companies. Related to the Kaspersky example, the legal issue is that “there are a series of laws in Russia that compel access of anyone that holds data and moves data around by law enforcement and intelligent services,” he said.
Ever-Shifting Threat Landscape
Since its inception, CISA has worked on the basis of this evaluation to identify risk-ridden components—like control systems—whose security could benefit from pubic-private cooperation, Krebs said. However, because the nature of critical infrastructure is shifting away from a “monolithic approach” defined by companies, CISA has also veered toward an “approach where the critical infrastructure community is defined by the services and functions it provides.”
That’s why CISA released a national critical functions toolkit that breaks down systemic risk by function and service, and which is “completely agnostic to individual companies,” he said. In addition, CISA implements a cross-sectoral “visibility” approach to help critical infrastructures sectors harden against adversarial attacks, which he said can be “purposeful campaigns” that move from interrelated sector-to-sector and function-to-function.
Asked by Edison International’s Pizarro about supply chain security best practices and gaps that CISA perceived within the power sector, Krebs lauded industry’s level of engagement. “I can’t tell you that there’s another sector that engages in that level and that’s a true credit and testament to how you’ve prioritized risk management,” he said. Leadership awareness, he noted, is crucial. “And that’s important because leadership awareness leads to investment, and investment leads to capacity and capability development.”
Another laudatory aspect unique to the power sector is its emphasis on collaboration and information sharing. If there were a gap, it’s how to ensure all entities on the grid are aware of best practices. “How do we facilitate this knowledge transfer from the ‘haves’ to the ‘have nots,’ because ultimately, we’re all in this together,” he said.
Industry Navigating Complexities Through Collaboration
But according to Pizarro, for its part, industry has stepped up information sharing under the Electricity Subsector Coordinating Council (ESCC). It is also banding together to ramp up supply chain security best practices.
One prominent example he cited is the Asset to Vendor Network (A2V), a group convened by security firm Fortress Information Security in November 2019, and which has since essentially grown into a partnership of power companies committed to sharing cybersecurity information to secure the North American grid. According to Alex Santos, CEO and co-founder of Fortress, the effort underscores a level of transparency and trust, which are emerging as core supply chain security values.
Among notable companies that joined the A2V collaboration this year are American Electric Power (AEP) and Southern Co., as well as Zurich-headquartered Hitachi ABB Power Grids, a major BPS vendor with a global supply chain. “Through its collaboration with Fortress, Hitachi ABB Power Grids will share responses to cybersecurity assessment requests from the company with members of the A2V Network, such as AEP and Southern,” Hitachi ABB Power Grids told POWER earlier in September. “This will help to simplify the process of information gathering and confirmation of compliance with key cybersecurity standards and protocols.”
David Goddard, head of Digital at Hitachi ABB Power Grids added that a key benefit to sharing assessments is it simplifies the process and “reduces the amount of effort and cost involved in completing multiple, similar assessments. This in turn frees up resources for all concerned, enabling them to focus on their core businesses, maintaining strong, reliable and resilient grids.”
Technical, Legal Challenges Hamper Industry Efforts
However, even with growing efforts to join forces on supply chain security, Pizarro highlighted several hurdles industry faces. The first relates trust concerns related to new equipment. “One area that we’ve been working on with a number of other larger utilities has been this idea of conducting security testing of critical components and systems before they go into the grid,” he told Krebs. Work has been ongoing, for example, at the Idaho National Laboratory’s Cybercore Integration Center under the DOE’s Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program, he said. Under CyTRICS, however, the DOE has mainly prioritized ICS components for testing and enumeration.
The second hurdle, “harder” even than the technical ones, are legal ones, Pizarro said. “A classic example is that utilities may be supplying equipment for these tests, but they may be prohibited by their contracts with vendors from sharing the grid equipment that’s in our systems currently. We can’t share it with the government labs to be able too reverse-engineer for vulnerabilities per the contract,” he said.
However, Congress may be poised to make significant inroads in addressing that issue, as well as prioritizing supply chain domestication, Pizarro noted. He pointed specifically to the 2021 National Defense Authorization Act (2021 NDAA), versions of which the House and Senate passed versions in July. Though a bipartisan compromise and vote on the bill isn’t now likely before the Nov. 3 election, many industry observers suggest that the supply chain provisions will find bicameral support and remain a critical component of the final bill.
But even if Congress acts on the NDA provisions, industry will still grapple with liability protection issues, Pizarro said. “The quick version of that is that we recognize that utilities are being asked, and frankly have an obligation to support government in the interest of national security, but sometimes that means government might be requesting utilities for something that they might not have the authority to do otherwise, or they might create liability for us. And under current federal law, I don’t think the agencies have had the ability to provide that liability protection,” he said.
Industry has attempted to find resolution for this on the Hill, urging lawmakers to introduce legislation that would enable the Energy Secretary to afford liability protection when a security emergency has been called, he noted.
He asked Krebs what the DHS or CISA could help “ensure that electric utilities never have to make a choice between national security and other corporate responsibilities.”
Krebs responded: “For us, it’s all about getting you the information you need to put you in a position from an operational posture to be successful in managing risk to your networks to your customers, but also being part of this national security team. We continue to work with Congress on various bits and pieces of legislation … and hopefully we get something that’s meaningful and helpful to cross the finish line.”
—Sonal Patel is a POWER senior associate editor (@sonalcpatel, @POWERmagazine).