I do not know what precipitated the issuance of the May 1st, 2020 Executive Order. However, this new Executive Order is long overdue, and addresses many longstanding concerns. The Executive Order demonstrates a high level of technical detail and detailed knowledge of existing gaps and vulnerabilities in bulk power equipment and operations, including identifying a specific minimum bulk power voltage level. As a result, the Executive Order will reopen much-needed dialogue to address security and policy issues between regulators, policy makers, manufacturers (OEMs) and owner/operators. More specifically, we can expect to see a growing debate on authorities and responsibilities between the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC), the Nuclear Regulatory Commission (NRC), etc. Additionally, the Executive Order will directly challenge core NERC Critical Infrastructure Protection (CIP) cyber security requirements that previously excluded the specific bulk electric equipment identified in the Executive Order. Conversely, much of the equipment in scope for the NERC CIPs and supply chain requirements is explicitly identified as out-of-scope for the Executive Order. If the intent is to secure the Bulk Electric Systems with a more balanced approach to securing networking (IT/Operational Technology-OT) and engineering systems, this Executive Order is on target and represents a more comprehensive approach to securing the grid.
China and Russia have directly attacked the control system vendor supply chains since at least 2010. Many of the systems exploited and affected by adversaries are still used in the U.S. bulk and distribution power systems. Moreover, vendors supplying bulk (and distribution) electric equipment for the U.S. electric system also supplied similar (often the same) bulk and distribution electric equipment to other countries, including China, Iran, Russia, and Pakistan. (I include distribution systems, as they often use the same equipment as transmission systems, and transmission directly “talks” to distribution – more discussion on distribution follows). Even bulk power equipment manufactured in the U.S. often uses servers, processors, software, etc. that come from China, which makes assuring supply chain integrity so difficult.
Concerns about the bulk power system and its supply chain aren’t new. I had occasion to write, on Wednesday, April 29, 2020, a blog about the lack of cyber security in the electric grid - https://www.controlglobal.com/blogs/unfettered/energycentral-article-the-continuing-gap-in-control-system-cybersecurity-of-the-electric-industry/. The blog stated: “I helped start the control system cyber security program for the electric industry in 2000 while at the Electric Power Research Institute-EPRI (I left EPRI in 2002). The program was based on three pillars – physical security (“guns, gates, and guards”) which already existed, network security (needed to be addressed by the IT community), and control system cyber security (which can only be addressed by the control system community including the electric utilities). The program was about “keeping lights on and water flowing”. Keeping Internet Protocol (routable) networks available was not the ultimate goal.”
Specific to the Executive Order, on May 30, 2019, I wrote about counterfeit transmitters - https://www.controlglobal.com/blogs/unfettered/the-ultimate-control-system-cyber-security-nightmare-using-process-transmitters-as-trojan-horses/. Counterfeit transmitters from China were making their way into the North American market and the major sensor vendors (not just one) were affected. These counterfeit devices were, and continue to be, a significant safety issue. On August 6, 2019, I wrote about the July 25-26, 2019 Cyber War Games at the US Naval War College, in which a number of major US electric utilities, NERC, and many government organizations participated (representatives from FERC and NRC were not there) - https://www.controlglobal.com/blogs/unfettered/the-gap-between-war-games-and-reality-observations-from-the-2019-naval-war-college-cyber-war-game/. The issue of “counterfeit SCADA parts” was introduced into the exercise by the Red Team (attackers), resulting in the acting President of the United States (POTUS) issuing a grid security emergency declaration. The Executive Order is essentially a replay of the July Cyber War Games. Is there a direct correlation? I do not know, though there were many from the military and intelligence community participating. Additionally, much of the technical input in the Executive Order looks very familiar.
While I applaud the Executive Order as a major step forward, there remains a significant gap surrounding the security and resilience of local distribution. This is a legacy problem going back to 1996, when FERC deregulated the electric utilities. Securing bulk power must be followed up by tackling the gaps and vulnerabilities associated with processes, technology and policies associated with local distribution if we are to ultimately create a more secure and resilient electric grid. A simple example explains this quandary. An electron is “generated” in a power plant and then follows the path of least resistance onto various high voltage transmission lines to lower voltage distribution lines to your house, factory, or military base. There is no way to track the individual electron. The converse can be true. The electron is “generated” on your rooftop solar system and then follows the path of least resistance onto the local distribution electric lines and potentially onto higher voltage transmission lines. The electrons, like the hackers, don’t have organization charts to follow or regulations to meet. Yet, the defenders have refused to address this obvious cyber security gap.
Another glimmer of hope from the Executive Order is that it touches upon more than just the U.S. Bulk Electric systems. The author’s deep understanding of the complexity of the Energy Grid was made apparent by requiring consultation with the Oil and Natural Gas Subsector Coordinating Council in developing the recommendations and evaluation. This is important as one type of equipment explicitly identified in the Executive Order is Safety Instrumented Systems (SIS). Bulk Power Systems, whether nuclear or fossil, do not use SIS, but SIS are used throughout Oil and Natural Gas for process safety. In fact, I am working with two others on a joint process safety/cyber security standard for the process sensor and sensing systems used in SIS.
If the Executive Order does nothing more than provide a coherent approach to identifying and assessing the scope and scale of adversary presence in the U.S. energy sector, it will have achieved a key national security objective that has eluded us for more than a decade. If it brings a more balanced approach and collaboration between IT/OT cyber security investment and plant engineers and operators, we will have added to that success. If the Executive Order further creates new measures of confidence in our committees and measures of performance in security and protection against adversary intrusion and exploitation, it will be a landmark achievement for this administration. That is because "adversaries" (China, Russia, etc.) are on many U.S. and international bulk and distribution standards committees (e.g., IEEE, ISA, ASME, IEC, CIGRE, etc.) as well as policy/research organizations (e.g., the Edison Electric Institute -EEI, EPRI, etc.).
The issues being addressed are not new. The Executive Order is long overdue if we want to “keep the lights on” and “water flowing”. I testified before several Congressional committees on these issues starting in 2007. Some of these issues are described in my book – Protecting Industrial Control Systems from Electronic Threats that was published in 2010. Many policy, technical, and commercial issues associated with cyber security of the electric grid require reconsideration, including, as we have discovered, the participation and leadership of the engineering community.
For further discussion, please contact me at [email protected]
Joe Weiss