On July 31, 2020, staff of the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation issued a Joint Staff White Paper on Supply Chain Vendor Identification-Noninvasive Network Interface Controller (Staff Paper) warning the electric utility sector that it may be unwittingly using devices that could be targeted and exploited by foreign adversaries.  The Staff Paper urges the electric sector to take certain “non-invasive” actions to identify potential vulnerabilities and address and mitigate threats to the Bulk Power System (BPS). 

The Staff Paper follows President Trump’s May 1, 2020 Executive Order on Securing the Bulk Power System directing the Department of Energy to issue regulations by September 28, 2020 to address the threat posed to the BPS by foreign adversaries, and reflects the Intelligence Community’s growing concern over technology manufactured by Chinese companies. The government’s attention to electric sector supply-chain risks will continue to be a focus of U.S. utility executives as they evaluate their respective systems and implement measures to protect the reliability and security of the interstate transmission grid. 

Staff Paper Overview 

Citing growing concern over security threats posed by Chinese telecommunications companies like Huawei and ZTE, the Staff Paper urges the electric sector to perform measures to identify devices that could be used by foreign adversaries to adversely impact the BPS.  Specifically, the Staff Paper sets forth a number of techniques that could be employed to identify the origin of Network Interface Controllers (NICs).  NICs—integrated circuit chips in a motherboard or a host adapter card—are often-targeted components that enable bad actors to compromise critical systems without detection.  For example, adversaries can use NICs to bypass virtually all commodity firewall and host-based intrusion detection software; once accessed through a “backdoor,” a malicious actor can exfiltrate data and load tools to exploit vulnerabilities.  

The Staff Paper reflects a number of congressional and agency reports issued over the last decade that have warned against the growing threat from Chinese manufacturers.  These reports include:

• A 2013 Government Accountability Office Report that found there “are a number of ways to potentially exploit vulnerabilities in the communications equipment supply chain, such as placing malicious code in the components that could compromise the security and resilience of the networks."

• A 2019 Defense Innovation Board report warning of backdoors and other security vulnerabilities that “seem to be related to requirements from the Chinese intelligence community” and recommending “options for defending against a compromised supply chain, where Chinese semiconductor components and chipsets are embedded across multiple systems.”

The electric sector relies on networking and telecommunications equipment to operate the BPS, and Huawei and ZTE (and their subsidiaries) have recently gained the largest market share of vendors globally.  Exacerbating this risk is the fact that components made by Huawei or ZTE are often embedded in equipment produced by other unaffiliated vendors under a different label.  As a consequence, there is a high probability that electric utilities are using equipment manufactured by Huawei or ZTE. 

To identify vendors of NICs—a necessary precursor to assessing associated risks to the BPS—the Staff Paper recommends that electric utilities employ four techniques to assess whether potentially vulnerable NICs exist within their infrastructure.  These techniques identify NIC vendors from Media Access Control (MAC) addresses which, in turn, identifies vendors through the IEEE Standards Registration Authority.  These techniques include:

• NMAP Passive ARP Scans (using an open source tool for network exploration and security auditing);

• Listing of the ARP Cache Table (using the “ARP Command” to list MAC addresses);

• DCHP Client Table (use of the Dynamic Host Configuration Protocol to provide information regarding vendors’ MAC addresses); and

• Port mirroring (monitoring of network traffic passing through a switch port).

Implications

The Staff Report does not impose any obligations on the electric sector.  However, the report recommends that electric utilities discuss NIC-related supply chain risks with their cybersecurity professionals and implement the techniques listed above.  If vendors of concern are identified, the Staff Report recommends that the electric sector take further measures to determine whether devices or components of concern exhibit any malicious activity. More broadly, the Staff Report recommends that industry collectively develop and implement a process to identify vendor suppliers and periodically review and update prior assessments.

We anticipate that electric sector infrastructure and supply chain risks will continue to be a focus of the Intelligence Community and other federal agencies that have oversight over security risks to the BPS.  While the Staff Report sets forth only recommended actions, it may signal the advent of additional regulatory initiatives to protect the nation’s electric grid.  

Baker Botts will update the evolving security landscape when the Department of Energy issues its regulations next month implementing President’s Trump’s Executive Order regarding the protection of the Bulk Power System.

ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.