The post DOE Seeks Power Sector’s Input on Bulk-Power Foreign Adversary Rules appeared first on POWER Magazine.
The Department of Energy (DOE) wants the electric power industry to help the DOE draft rules that will prohibit the U.S. bulk-power electric system from using equipment sourced from, or otherwise susceptible to, harmful influence by “foreign adversaries.”
Asset owners, utility operators, equipment vendors, and other interested parties can voluntarily provide information to the DOE by August 7. The DOE’s solicitation suggests that the forthcoming rules will delve considerably deeper than merely considering bulk-power equipment’s country of origin or the identity of its manufacturer when asking whether equipment is sourced from a “foreign adversary.” Instead, it appears the DOE is considering an evaluation of the entire supply chain used to procure and install a piece of equipment, including involvement from sub-tier suppliers and the development history of associated firmware and source code.
Background Information
President Trump on May 1, 2020, issued Executive Order 13920 (the “Bulk-Power Order”) which prohibits the acquisition, importation, transfer or installation of “bulk power system electric equipment” in the U.S. when the U.S. Secretary of Energy and other government officials have determined that equipment has been designed, developed, manufactured or supplied by persons owned or controlled by or subject to the jurisdiction of “foreign adversaries”, and the transaction poses an unacceptable risk to the U.S. bulk power system, the nation’s critical infrastructure, or U.S. national security.
The Bulk-Power Order defined “bulk-power system electric equipment” as:
“[I]tems used in bulk-power system substations, control rooms or power generating stations, including reactors, capacitors, substation transformers, current coupling capacitors, large generators, backup generators, substation voltage regulators, shunt capacitor equipment, automatic circuit reclosers, instrument transformers, coupling capacity voltage transformers, protective relaying, metering equipment, high voltage circuit breakers, generation turbines, industrial control systems, distributed control systems and safety instrumented systems.”
The Bulk-Power Order also required the Energy Secretary to issue rules or regulations to formally implement the order no later than September 28, 2020. Shortly after Trump issued the Bulk-Power Order, the DOE published a set of frequently asked questions, which stated that the DOE would “work closely with stakeholders” as it prepared these rules and regulations.
Request for Information
The DOE published a Request for Information (RFI) in the Federal Register on July 8, 2020, which clarified several aspects of the Bulk-Power Order and asked for public input on a series of approximately 25 specific questions. The RFI established that the DOE will treat the governments of China, Cuba, Iran, North Korea, Russia, and Venezuela as “foreign adversaries” under the Bulk-Power Order.
Among that group, the RFI specifically noted that the DOE considers the governments of China and Russia to be “near-peer foreign adversaries” who are “attempting to access [U.S.] key supply chains at multiple points—from concept to design, manufacture, integration, deployment and maintenance—by, among other things, inserting malware into important information technology networks and communications systems.” The RFI did clarify that its designation of the Chinese, Cuban, Iranian, North Korean, Russian and Venezuelan governments as “foreign adversaries” was only relevant for purposes of the Bulk-Power Order.
In the RFI, the DOE explained that it is “seeking information to understand the energy industry’s current practices to identify and mitigate vulnerabilities in the supply chain for components of the bulk-power system.” The RFI splits its information requests into separate categories: (1) questions addressing the bulk-power system electric equipment supply chain, and (2) questions addressing the Bulk-Power Order’s potential economic effects. Although the RFI specifically states that “the [Bulk-Power Order] rulemaking process will allow the opportunity for stakeholder comment and input on the substance of the rule,” interested parties might be better served to submit responses to the RFI at this time rather than waiting to comment on the rules at a later date. Submitting a response to the RFI could provide respondents with the opportunity to hopefully influence the DOE while the rules are in a formative state instead of waiting until later in the rulemaking process when the DOE might be less inclined to make substantive changes.
Questions Focused on Supply Chain
The DOE modeled the supply chain section of the RFI using existing best practices supply chain risk management (SCRM) frameworks, drawing particular influence from the SCRM framework tool developed by the National Counterintelligence and Security Center. The DOE also stated that when it does enact the Bulk-Power Order’s implementing regulations, it “does not plan to develop a SCRM tool or repeat questions already deemed best practices from well-established frameworks and tools” but rather “will build upon efforts by standards development organizations.”
The RFI’s bulk-power system electric equipment supply chain questions are focused on evidence-based cybersecurity maturity metrics and foreign ownership, control and influence. This RFI’s supply chain questions address topics that include (but are not limited to):
- The prevalence and frequency of cybersecurity risk assessments within the bulk-power electric system;
- Existing efforts by the electric industry to manage risk from foreign ownership, control and influence in the bulk-power electric system supply chain;
- Whether existing SCRM standards are adequate to maintain software integrity and establish a secure development lifecycle for software and firmware;
- Existing oversight of sub-tier vendors by energy sector asset owners and equipment vendors; and
- Existing access control policies to prevent foreign adversaries from tampering with the bulk-power system during equipment installation and integration.
According to the RFI, the DOE is especially interested in receiving responses that address the following types of equipment: transformers (including generation step-up transformers), reactive power equipment (reactors and capacitors), circuit breakers, and generation (including power generation that is provided to the BPS at the transmission level and back-up generation that supports substations). This includes both the hardware and electronics associated with equipment monitoring, intelligent control and relay protection.
However, the RFI qualified the above list by stating “Only transformers rated at 20 MVA and with a low-side voltage of 69 kV and above are included.” The DOE also stated that, based upon the information it receives in response to the RFI, the Energy Secretary “may establish specific pre-qualification criteria for a set of components that support defense critical electric infrastructure (DCEI) and other critical loads and critical transmission feeders (69 kV and above).” The DOE indicated that it would also consider establishing the same pre-qualification criteria for black start systems.
Order’s Economic Impact
The RFI’s economic impact questions were directed at “the full scope of [bulk-power system] electric equipment as defined in [the Bulk Power Order].” Those questions addressed the following topics:
- The estimated one time and recurring costs of developing, implementing and periodically revising policies and procedures to comply with the Bulk Power Order;
- Whether there are categories of bulk-power system electric equipment that are more reliant on vendors that could be connected to or influenced by foreign adversaries and anticipated sourcing challenges and cost impacts for companies seeking to perform transactions involving those types of equipment;
- Whether the energy sector has a procedure to identify services, components and/or systems which should be covered by the Bulk Power Order, and (if so) which types of services and systems should be covered by or excluded from the Bulk Power Order’s implementing rules; and
- Unique challenges that the Bulk Power Order could present to small businesses.
The RFI’s line of questioning set forth in the third bullet point above is particularly important because it could provide equipment vendors with the opportunity to argue that their equipment should either be pre-qualified for use in the U.S. bulk-power electric system under the forthcoming Bulk Power Order rules or exempted from the rules entirely.
Procedures for Responding to the RFI
To be considered by the DOE, written responses to the RFI must be received on or before August 7, 2020. The DOE will accept responses through the Federal eRulemaking Portal, and through email and physical mail. Information included in RFI responses will be available for review by the general public; however the RFI does allow submitters to request that the DOE omit confidential information from a comment before posting it publicly. Persons responding to the RFI should be aware that the DOE will ultimately make its own determination as to whether data identified as confidential information within a response will be withheld from public disclosure.
While it appears that the DOE will continue to solicit feedback from the electric industry as it develops implementing rules for the Bulk-Power Order, the DOE will have only 52 days between the end of the RFI’s solicitation period and the Bulk-Power Order’s deadline for issuing the rules. Considering this short timeline, if interested parties have feedback that they would like to share with the DOE concerning the Bulk-Power Order, it is suggested they take advantage of the RFI in order to ensure that the DOE will have time to fully consider their comments.
—John Crossley, Cacki Jewart, Grant Leach, and Chris Reeder are partners with the law firm of Husch Blackwell, an industry-focused law firm with offices in 18 cities across the United States. The firm represents clients around the world in major industries including energy and natural resources; financial services and capital markets; food and agribusiness; healthcare, life sciences and education; real estate, development and construction; and technology, manufacturing and transportation.
The post DOE Seeks Power Sector’s Input on Bulk-Power Foreign Adversary Rules appeared first on POWER Magazine.