The order uses the term “bulk-power system” and defines it to be (i) facilities and control systems necessary for operating an interconnected electric energy transmission network (or any portion thereof); and (ii) electric energy from generation facilities needed to maintain transmission reliability. For the purpose of this order, this definition includes transmission lines rated at 69,000 volts (69 kV) or more.
Currently the order does not include facilities used in the local distribution of electric energy but does allow the Task Force to consider distribution facilities for inclusion in the future.
Any acquisition, importation, transfer, or installation of any bulk-power system electric equipment (transaction) by any person, or with respect to any property, subject to the jurisdiction of the United States, where the transaction involves any property in which any foreign country or a national thereof has any interest is prohibited.
There is concern that any bulk-power system electric equipment designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary will pose a risk of sabotage to the bulk-power system in the United States. While the order does not define “foreign adversary” it allows for a list or other definition to be made by the Secretary of Energy in consultation with other US Government security agencies.
The order allows the Secretary of Energy to establish and publish criteria for recognizing pre-qualified equipment and vendors for the bulk-power system electric equipment.
The order creates a Task Force to coordinate Federal Government procurement of energy infrastructure and the sharing of risk information and risk management practices to inform such procurement.
The Task Force will be charged with developing a set of energy infrastructure procurement policies and procedures for agencies to ensure that national security considerations are fully integrated across the Federal Government. These policies and procedures will be submitted to Federal Acquisition Regulatory Council (FAR Council) to evaluate the methods and criteria used to incorporate national security considerations into energy security and cyber security policy making.
While the executive order is very broad in nature, it has potential far reaching impacts to electric utilities that own and operate parts of the bulk power system. This order may be used to expand the NERC Supply Chain Management requirements under CIP-013 to include entities with Low Impact BES Cyber Systems and will establish supply chain regulations for non-NERC registered entities due to the 69-kV threshold.
Additionally, the executive order and subsequent polices and regulations have the potential to impact the availability of devices and systems that are used to monitor and control the BPS. The order specifically defines bulk-power system electrical equipment as: “items used in bulk-power system substations, control rooms, or power generating stations, including reactors, capacitors, substation transformers, current coupling capacitors, large generators, backup generators, substation voltage regulators, shunt capacitor equipment, automatic circuit reclosers, instrument transformers, coupling capacity voltage transformers, protective relaying, metering equipment, high voltage circuit breakers, generation turbines, industrial control systems, distributed control systems, and safety instrumented systems.”
This definition brings almost every component that is used to monitor and control the BPS into scope. This has the potential to cause major issues with the spare equipment availability and readiness. For example, if the upcoming regulations and policies prohibit use of equipment manufactured by a certain company, but the utility already purchased spare BPS electrical equipment from that company, then that equipment would go to waste and not be allowed to be used on the BPS.
The GDS Cyber Security Team will continue to follow the development of the rules and regulations from this executive order and the impact that it will have on our clients. We are available to assist in development or updates to supply chain management policies and programs. If you have any questions regarding the executive order, NERC Reliability Standards, or general utility security questions, please contact the GDS Cyber Security Team:
Bill Bateman Bill.Bateman@gdsassociates.com
Kevin Goolsby Kevin.Goolsby@gdsassociates.com
James Fenstermaker James.Fenstermaker@gdsassociates.com
Dex Underwood Dex.Underwood@gdsassociates.com