INSIGHTi E O 13920 and Bulk-Power System Supply Chain Security June 5 2020 On May 1 2020 President Trump issued Executive Order E O 13920 titled “Securing the United States Bulk-Power System ” The E O states that it is protecting “the security integrity and reliability of bulk-power system electric equipment used in the United States” from “foreign adversaries” who are creating and exploiting vulnerabilities in the bulk-power system BPS In the E O the President “declared a national emergency with respect to the threat” to the U S bulk-power system with the goal of limiting the acquisition or use of “equipment designed developed manufactured or supplied by” entities subject to the control of foreign adversaries According to the Department of Energy DOE E O 13920 authorizes the Secretary of Energy to    establish and publish criteria for recognizing particular equipment and vendors for a prequalified vendor list identify any now-prohibited equipment already in use and develop strategies in working with asset owners to identify isolate monitor and replace this equipment as appropriate and work with other appropriate federal agencies to carry out the authorities and responsibilities outlined in the Executive Order The order requires that the Secretary of Energy issue implementing regulations by September 28 2020 Bulk-Power System Security The electric grid relies on a number of electronic devices switches and circuit breakers to monitor and regulate the flow of electricity Together these pieces of mechanical and automated equipment constitute the grid’s industrial control system ICS network managing power plant controls transmission and distribution substations There have been increasing reports about foreign hackers targeting ICS on the U S grid While these intrusions have not been reported as causing significant disruptions concerns are increasing over the potential of such intrusions to result in damaging cyberattacks Natural gas pipelines critical to BPS operation have also been targeted Congressional Research Service https crsreports congress gov IN11417 CRS INSIGHT Prepared for Members and Committees of Congress Congressional Research Service 2 Electric power industry operational technology OT and information technology IT systems rely on hardware devices and software systems procured from a variety of manufacturers and vendors Many systems come from international sources due to competition between providers Many mechanical systems used in the grid such as power transformers also are sourced from international vendors or incorporate components from such vendors The security of the design manufacture and patch management practices of these devices and systems is a potential vulnerability due to their international sourcing and a perceived lack of consistent oversight of standards and practices to prevent impaired or compromised functionality If bad actors were to gain access to such devices especially during the manufacturing process software could be covertly inserted in the device and activated to impair or take over its functioning FERC Supply Chain Risk Management Requirements In 2016 the Federal Energy Regulatory Commission FERC issued Order No 829 directing the North American Electric Reliability Corporation NERC to develop a Critical Infrastructure Protection CIP reliability standard requiring affected entities e g bulk-power system owners operators and users to develop and implement a plan that includes security controls for supply chain management for ICS hardware software and services associated with grid operations In 2017 NERC submitted a petition for approval of the new Reliability Standard CIP-013-1 addressing supply chain risk management and proposed revisions to two existing reliability standards FERC approved the standards in an October 2018 order with compliance plans originally required by July 2020 Due to the COVID-19 emergency FERC has approved a delay in implementation of the reliability standards until October 2020 The standards would require affected entities to develop and implement security controls for ICS hardware software and services associated with BPS operations FERC said that the new standards respond to supply chain risks including the insertion of counterfeit or malicious software unauthorized production tampering and theft However FERC acknowledged in its 2018 order that more needs to be done as the new standards do not address Electronic Access Control and Monitoring Systems EACMS which include firewalls authentication servers security event monitoring systems intrusion detection systems and alerting systems FERC directed NERC to develop modifications to the CIP standards to include EACMS within 24 months of the effective date of the order Potential Implications of E O 13920 E O 13920 does not reference the FERC-NERC supply chain reliability standard nor does it require the involvement of the electric power industry or its vendors in the establishment of DOE’s pre-qualified vendor list While it may be expected that DOE’s processes would involve industry stakeholders in meeting its obligations under the executive order Congress may consider the implications of having two ongoing processes with potentially divergent goals Regulations to be issued by DOE would likely determine the level of inspections that may be required An event in 2019 may be informative regarding the Administration’s concerns prior to the issuance of E O 13920 A report in the press said that DOE ordered the transfer of a large power transformer to a national laboratory last year A Chinese manufacturer made the transformer for the Western Area Power Marketing Administration a DOE power marketing administration DOE was reported to be concerned that a software backdoor or other cyber vulnerability in the device could cause a failure of the unit On the vendor side agreements between companies resulting in joint ventures or other alliances are often used to reduce business risks and lower costs especially when manufacturing high-cost but seldomordered components like large high voltage power transformers Globalization is a reality in the electric power industry supply chain with international vendors providing components for products for U S Congressional Research Service 3 company use and product lines International alliances are often formed to address increasing development costs capture advances in technology and take advantage of production economies of scale to remain competitive As federal agencies and affected entities act to protect the reliability of the nation’s electricity Congress may consider the potential for increased costs to consumers and delays to acquisition of equipment from the development and maintenance of a pre-qualified vendor list as selection testing and qualification occurs in an environment of evolving cybersecurity requirements Congress may also consider issues with recently acquired equipment already in service that may be viewed as suspect or in violation of the executive order Author Information Richard J Campbell Specialist in Energy Policy Disclaimer This document was prepared by the Congressional Research Service CRS CRS serves as nonpartisan shared staff to congressional committees and Members of Congress It operates solely at the behest of and under the direction of Congress Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role CRS Reports as a work of the United States Government are not subject to copyright protection in the United States Any CRS Report may be reproduced and distributed in its entirety without permission from CRS However as a CRS Report may include copyrighted images or material from a third party you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material IN11417 · VERSION 2 · NEW