Feds to oversee grid supply chain effort

The Department of Energy's cybersecurity agency is set to begin the process of prequalifying vendors of bulk power equipment for the U.S. electric grid.

The agency's Office of Cybersecurity, Energy Security, and Emergency Response (CESER) is about to kick off an effort to help prequalify the future acquisition of industrial control system equipment that runs energy critical infrastructure, including bulk power grids, according to Nicholas Andersen, deputy assistant secretary for Infrastructure Security and Energy Restoration.

On May 1, President Donald Trump issued an executive order that would prohibit buying or installing bulk-power system electric equipment that comes from certain "foreign adversary" countries deemed a risk. The order said "unrestricted foreign supply of bulk-power system electric equipment constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States."

The order doesn't specifically name the countries, but it said electric equipment from those sources could pose significant risks, including cyberattacks. China, Russia and North Korea have typically been associated with the term. In particular, the administration has moved to block U.S. domestic use of Chinese-made equipment in the U.S. telecommunications critical infrastructure.

There is also longstanding concern that industrial control systems can provide an entry point to critical infrastructure systems for threat actors, nation-state and otherwise.

The order puts a process in place to pre-qualify manufacturers of bulk power gear for future use in U.S. energy critical infrastructure. The Energy Department, consulting with other agencies "as appropriate," was charged with setting up and publishing criteria and lists of acceptable equipment and vendors.

"A lot of that prequalification and testing work that you see in the Executive Order is going to be focused within our office, within CESER," to provide it to others to support the overall energy infrastructure cybersecurity effort, Andersen said during a June 24 webcast hosted by Venable, LLP.

"There will be a request for information that the Department of Energy is going to be putting out in short order, as well as a Notice of Proposed Rulemaking that will provide a formal opportunity for stakeholder engagement," Andersen said.

The processes won't begin until after the rulemaking process is completed, which includes consultation with the Department of Homeland Security, the Commerce Department, the Defense Department and the Office of Management and Budget, as well as industry coordinating councils.

Andersen said he expects the RFI to be issued soon by the agency, with the rulemaking change, which will incorporate input from the RFI, coming in late fall.

The order has caused a lot of anxiety in the bulk power sector. Power providers, he said, "are afraid of 'rip and replace'" with regard to their current equipment. "There is no 'rip and replace,' authority within the executive order," he said. "It's not anticipated to be part of the plan. It's really future-facing, not necessarily focused exclusively what's in place now."