On May 1st President Trump signed an Executive Order on “Securing the United States Bulk-Power System.” The order cites foreign adversaries and their increased creation and exploitation of vulnerabilities in the power grid as the primary driver. In my opinion, perhaps more interesting are the inherent ties the order makes to the NERC standards, namely CIP-010 R4 and CIP-013. The EO goes on to say that the acquisition of equipment designed, developed, manufactured or even supplied by organizations owned, controlled or even subject to the jurisdiction of foreign adversaries presents a risk that could result in catastrophic events. If that doesn’t scream “Supply Chain Risk Management,” I don’t know what does. By declaring a national emergency on the topic, Trump prohibits the acquisition, importation, transfer or installation of any equipment in which a foreign adversary country or national has any interest.

I’ll take some liberty to succinctly summarize the order here. The first section specifies that bulk-power electric equipment (as well as transactions involving such technology) is in scope where there might be an undue risk of sabotage. It also covers transactions posing an undue risk of catastrophic effects on security or resiliency. This section gives the Secretary of Energy the power to implement mitigating controls and to publish criteria for pre-qualifying vendors of electric equipment. Section 2 further allows the Secretary to implement rules and regulations to support the order, as well as to develop recommendations to identify, isolate, monitor or replace devices as soon as possible. A provision for a Task Force is established in Section 3, with marching orders to develop procurement policies and procedures, to evaluate the incorporation of national security considerations into energy security and policy-making, and to work with distribution system industry groups, amongst other items. Several components were of particular interest to me.
First, there are similarities to the intent of the recently postponed CIP-013, the newly minted standard that addresses supply chain risk management in the bulk electric system. You can learn more about CIP-013 here. It makes me curious whether the delay could have contributed to the timing of this order. Second, in terms of the ability for vendors to become certified, this appears to me to be an unprecedented step for the feds to put a “cybersecurity stamp of approval” on any commercially available piece of equipment, or on a vendor as a whole. Third, the suggestion to replace equipment that poses risk would be a massive undertaking in terms of cost and the amount of required work. Fourth, I've been waiting for the moment when a task force would be required to work with distribution system industry groups. Before now, all focus was put on systems supporting 69 kV and above – just transmission, power generation and associated control centers. And finally, a key takeaway is the intent to reduce vulnerabilities introduced to the grid, which historically had been addressed by CIP-010 R3. (This requires asset owners to perform an active vulnerability assessment every 36 months and before the introduction of a new asset.) Perhaps the 36-month requirement was, rightfully so, identified as being far too lenient; any mature vulnerability management program advocates for much more frequent assessment of vulnerabilities. I think industry will be anxiously awaiting the impact of the order and exactly what the task force comes up with.