The Trump Administration, the U.S. Department of Energy, the Federal Energy Regulatory Commission, and the North American Electric Reliability Corporation all acted in 2020 to protect the bulk power system against attacks by foreign adversaries.
Executive Order on Securing the Bulk Power System
On May 1, 2020, President Trump issued an Executive Order on Securing the United States Bulk-Power System (“EO”) declaring threats to the U.S. bulk-power system a national emergency. President Trump determined that “unrestricted foreign supply of bulk-power system electric equipment constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States . . .” As reported by the Wall Street Journal, the EO “reflects a consensus among senior intelligence officials that foreign adversaries including Russia and China have secured hidden footholds in the electric system and could use that access to cause blackouts at some future date.”
To address this threat, the EO prohibits the acquisition and installation of bulk-power system electric equipment designed, developed, manufactured, or supplied by foreign adversaries and initiates a process to identify, isolate, monitor, or replace existing bulk-power system assets. Substantial authority is delegated to the Secretary of Energy (“Secretary”) to implement the EO. While the EO is expected to mitigate threats to electric infrastructure and enhance grid resiliency, it could impose additional burdens and costs on electric utilities and electric equipment suppliers.
The EO, available here, issued pursuant to the President’s authority under the Constitution, the International Emergency Economic Powers Act (50 U.S.C. § 1701 et seq.), the National Emergencies Act (50 U.S.C. § 1601 et seq.), and 3 U.S.C. § 301, prohibits any acquisition, importation, transfer, or installation of any bulk-power system electric equipment by any person, or with respect to any property, subject to U.S. jurisdiction, where the transaction involves property in which any foreign country or national has an interest (including through a contract for the provision of the equipment). To fall within the scope of this prohibition, the Secretary, in coordination and consultation with certain other federal agencies, must determine that the proposed transaction:
- involves bulk-power system electric equipment designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary (i.e., any foreign government or foreign non-government person engaged in a long‑term pattern or serious instances of conduct significantly adverse to the national security of the United States or its allies or the security and safety of U.S. persons); and
- (1) poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of the bulk-power system in the U.S.; (2) poses an undue risk of catastrophic effects on the security or resiliency of U.S. critical infrastructure or the U.S. economy; or (3) otherwise poses an unacceptable risk to U.S. national security or the security and safety of U.S. persons.
“Bulk-power system” is defined to include: (i) facilities and control systems necessary for operating an interconnected electric energy transmission network (or any portion thereof); and (ii) electric energy from generation facilities needed to maintain transmission reliability. For the purposes of the EO, this definition includes transmission lines rated at 69 kV or more, but does not include facilities used in the local distribution of electric energy.
“Bulk-power system electric equipment” means items used in bulk-power system substations, control rooms, or power generating stations, including reactors, capacitors, substation transformers, current coupling capacitors, large generators, backup generators, substation voltage regulators, shunt capacitor equipment, automatic circuit reclosers, instrument transformers, coupling capacity voltage transformers, protective relaying, metering equipment, high voltage circuit breakers, generation turbines, industrial control systems, distributed control systems, and safety instrumented systems. Items not included in the preceding list and that have broader application of use beyond the bulk-power system are outside the scope of the EO.
The EO explains that the Secretary has discretion to design or negotiate measures to serve as a precondition to the approval of a proposed transaction or a class of transactions that would otherwise be prohibited pursuant to the EO. The Secretary, in consultation with the heads of other agencies as appropriate, also may establish a list of pre-qualified equipment and vendors. To implement these authorities, the Secretary is authorized to direct the timing and manner of the cessation of pending and future transactions prohibited under the EO, adopt appropriate rules and regulations, and employ all other powers granted to the President as may be necessary. Rules and regulations may, among other things:
- determine that particular countries or persons are foreign adversaries exclusively for the purposes of the EO;
- identify persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries exclusively for the purposes of the EO;
- identify particular equipment or countries that warrant particular scrutiny under the provisions of the EO;
- establish procedures to license transactions otherwise prohibited pursuant to the EO; and
- identify a mechanism and relevant factors for the negotiation of agreements to mitigate concerns raised in connection with the EO.
FERC and NERC Issue White Paper
On July 31, 2020, staff of the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation issued a Joint Staff White Paper on Supply Chain Vendor Identification-Noninvasive Network Interface Controller (Staff Paper) warning the electric utility sector that it may be unwittingly using devices that could be targeted and exploited by foreign adversaries. The Staff Paper urges the electric sector to take certain “non-invasive” actions to identify potential vulnerabilities and address and mitigate threats to the Bulk Power System (BPS).
Citing growing concern over security threats posed by Chinese telecommunications companies like Huawei and ZTE, the Staff Paper urges the electric sector to perform measures to identify devices that could be used by foreign adversaries to adversely impact the BPS. Specifically, the Staff Paper sets forth a number of techniques that could be employed to identify the origin of Network Interface Controllers (NICs). NICs—integrated circuit chips in a motherboard or a host adapter card—are often-targeted components that enable bad actors to compromise critical systems without detection. For example, adversaries can use NICs to bypass virtually all commodity firewall and host-based intrusion detection software; once accessed through a “backdoor,” a malicious actor can exfiltrate data and load tools to exploit vulnerabilities.
The Staff Paper reflects a number of congressional and agency reports issued over the last decade that have warned against the growing threat from Chinese manufacturers. These reports include:
- A 2013 Government Accountability Office Report that found there “are a number of ways to potentially exploit vulnerabilities in the communications equipment supply chain, such as placing malicious code in the components that could compromise the security and resilience of the networks."
- A 2019 Defense Innovation Board report warning of backdoors and other security vulnerabilities that “seem to be related to requirements from the Chinese intelligence community” and recommending “options for defending against a compromised supply chain, where Chinese semiconductor components and chipsets are embedded across multiple systems.”
The electric sector relies on networking and telecommunications equipment to operate the BPS, and Huawei and ZTE (and their subsidiaries) have recently gained the largest market share of vendors globally. Exacerbating this risk is the fact that components made by Huawei or ZTE are often embedded in equipment produced by other unaffiliated vendors under a different label. As a consequence, there is a high probability that electric utilities are using equipment manufactured by Huawei or ZTE.
To identify vendors of NICs—a necessary precursor to assessing associated risks to the BPS—the Staff Paper recommends that electric utilities employ four techniques to assess whether potentially vulnerable NICs exist within their infrastructure. These techniques identify NIC vendors from Media Access Control (MAC) addresses which, in turn, identifies vendors through the IEEE Standards Registration Authority. These techniques include:
- NMAP Passive ARP Scans (using an open source tool for network exploration and security auditing);
- Listing of the ARP Cache Table (using the “ARP Command” to list MAC addresses);
- DCHP Client Table (use of the Dynamic Host Configuration Protocol to provide information regarding vendors’ MAC addresses); and
- Port mirroring (monitoring of network traffic passing through a switch port).
The Staff Report does not impose any obligations on the electric sector. However, the report recommends that electric utilities discuss NIC-related supply chain risks with their cybersecurity professionals and implement the techniques listed above. If vendors of concern are identified, the Staff Report recommends that the electric sector take further measures to determine whether devices or components of concern exhibit any malicious activity. More broadly, the Staff Report recommends that industry collectively develop and implement a process to identify vendor suppliers and periodically review and update prior assessments.
DOE and FERC Action
On December 17, 2020, DOE and FERC took separate actions to protect the bulk power system from foreign adversaries and malicious actors. Specifically, the Secretary of Energy issued an order prohibiting utilities that own or operate defense critical infrastructure, and who serve critical defense facilities, from acquiring or using certain equipment (including software) manufactured by China or its agents. The effective date of the Secretary’s order is January 16, 2021 and there are civil and criminal penalties for non-compliance, including fines of up to $1 million and imprisonment for up to 20 years upon conviction. DOE action follows an assessment by the National Security Agency that “one of the greatest threats to U.S. National Security Systems, the U.S. Defense Industrial Base, and Department of Defense information networks is Chinese state-sponsored malicious cyber activity.”
In a separate but complementary action, FERC proposed an incentive-based framework to encourage utilities to invest in cybersecurity measures. FERC’s proposal recognizes that the energy sector faces numerous and complex cybersecurity challenges and the risks of cyber exploitation are increasing. If finalized, the proposal would enable utilities to seek FERC approval of incentives that would allow for a greater return on equity or deferred cost recovery. The incentives would be available for investments that go above and beyond mandatory Critical Infrastructure Protection Reliability Standards.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.