Power Grid Cybersecurity: New Rules to Protect Critical Infrastructure

  • Written by: Hannah Nelson
  • February 10, 2021

Executive orders are having a moment as President Biden launched his term with a flurry of signings, many of which reversed orders signed by President Trump. Among the orders caught up in the transition is one affecting the nation’s power grid cybersecurity.

In May 2020, Trump issued Executive Order 13920 with the intent of reducing U.S. reliance on foreign components for critical infrastructure, specifically in the Bulk Power System (BPS). Details on its implementation came out in December 2020, and then Biden suspended Trump’s order in February 2021, pending further review.

Regardless of how it all shakes out, the public utility world and its supply chain should take note. The electrical supply chain will see changes from the executive orders and from a recent compliance update that strengthens security requirements throughout that supply chain.

This blog provides an overview of where things stand.

Threats to the Power Grid

The power grid plays an obvious role in national security. In its document summarizing Trump’s executive order, the Department of Energy (DOE) reports that “in 2018 alone, cyberattacks on supply chains increased by 78%, which is the most likely vector for adversaries targeting the grid.”

Multiple government organizations have been sounding the alarm for some time about the threat foreign adversaries pose to the United States through highly advanced cyber programs. (The Office of the Director of National Intelligence and the National Computer Security Center are among those who have voiced their concerns.) In late 2020, revelations that Russia had widely compromised United States government systems provided shocking confirmation of the threat’s reality.

Trump’s executive order addressed the fact that importing foreign components into our BPS could open a backdoor to substations, control rooms, and power generating facilities. Hackers may, for example, insert malware directly into electronic devices. They could then gain control of the affected system and potentially find a pathway into the larger grid that goes unnoticed until the damage is done. In a report explaining Trump’s executive order, the DOE points to a 2015 attack in which hackers broke into the control systems for 30 Ukrainian substations.

Implications for Power Industry Organizations

The real-world impact of Trump’s executive order became clearer in December 2020 when the Secretary of Energy (who was given authority to implement EO 13920) issued a “Prohibition Order Securing Critical Defense Facilities,” effective January 16, 2021. Biden’s suspension of the order puts many aspects of the implementation, and the future of Trump’s order as a whole, in doubt.

As of this writing in mid-February 2021, here’s what we know about the implications for anyone working within the BPS:

  • The original executive order cited potential adversaries including China, Russia, North Korea, Venezuela, Cuba and Iran. However, the Secretary of Energy’s prohibition order involved only China. In the short term, this limits the scope of components that BPS companies will have to replace or procure from other sources.
  • Biden’s suspension of EO 13920 for 90 days (that order is tucked into this larger order on climate change) means Trump’s order may never be implemented as written. But during the suspension, the DOE is asking companies to exercise caution via this language: “The Department expects that, during this 90-day review period, Responsible Utilities will refrain from installation of bulk-power system electric equipment or programmable components specified in Attachment 1 of the Prohibition Order that is subject to foreign adversaries’ ownership, control, or influence, and that Responsible Utilities will continue to work with the Department on identifying and mitigating supply chain vulnerabilities.”
  • If the DOE implements Trump’s executive order, it will probably use a phased approach in order to minimize supply chain disruptions and make compliance easier. For now, the prohibition order affects only the nation’s most essential utilities—those that supply critical defense facilities (CDF). This means that those who service CDFs with voltage of 69kV or above are banned from acquiring, importing, transferring, or installing BPS electric equipment made in China. It includes the “point of electrical interconnection with the CDF up to and including the next ‘upstream’ transmission substation.” In the months to come, companies can expect to see additional phases rolled out and a greater impact on the overall BPS.
  • Even with the limited scope described in the prohibition order, there will surely be cost increases and procurement delays this year as companies adjust to the order.
  • The Secretary of Energy will create a “prequalified” list of vendors that are authorized as safe for future transactions.
  • The DOE and other agencies will collaborate to monitor any vendor and/or equipment that has posed risks to U.S. national security and will take the appropriate actions (such as replacement) to eliminate any threats.
  • The Secretary of Energy will establish a task force that coordinates the Federal Government with private entities in the power and energy infrastructure to manage risk and implementation of the order.

As you determine how these actions impact your business, HBS can help. Contact us to learn about how we can identify the risks in your supply chain and manage the costs of additional security measures.
