Isiah Jones has spent the last 15 years working in various sectors of the cybersecurity world, from building automation and the energy sector, to manufacturing and life sciences. With expertise in operational technology and industrial control systems, his experience includes time spent at the United States Federal Energy Regulatory Commission, United States Navy and in the private sector at companies like Siemens.
During his career, Jones has grown to understand the devastating impact a cyber attack could have on the energy sector. After a 2015 cyber attack on the Ukrainian power grid temporarily disrupted electricity supply to end consumers, he returned to work in the public sector to help ensure his country’s power grid was protected.
So last month, when U.S. President Donald Trump signed an executive order addressing the threat of cyber attacks targeting the nation's power grid, Jones was relieved.
The executive order is designed to limit the use of foreign-supplied components in the United States' bulk-power system. Under the current procurement system, component contracts are usually awarded to the lowest bidder regardless of where the equipment is made, creating a supply chain vulnerability that could be exploited by malicious actors.
This is an issue Jones has been highlighting for years, so he was glad to see the federal government taking action to protect the energy sector. But then he read the executive order.
“A lot of the stuff they put in there were things we all asked for years ago to address the supply chain issues, but I don’t know how they’re going to actually enforce it,” Jones tells Industrial Cyber.
The executive order enables the secretary of the U.S. Department of Energy (DOE) to prohibit the acquisition, importation, transfer or installation of power equipment from a foreign adversary that the secretary determines poses a risk of sabotage to the United States power system. Covered equipment includes items used in substations, control rooms or power plants, such as nuclear reactors, capacitors, transformers, large generators and backup generators.
“A lot of our equipment is foreign,” Jones says. “The supply chain is open. So when they say in the executive order, we’re not going to use foreign equipment, are we going to be willing to pay for that? I’m not knocking it, but where it falls flat is how are we actually going to get foreign equipment out of the supply chain?”
According to the executive order, in order to address supply chain security, the federal government will establish a task force on procurement policies for energy infrastructure. The government will also establish and publish criteria for recognizing particular equipment and vendors as "pre-qualified," and it will identify any now-prohibited equipment already in use. According to the executive order, this will allow the government to develop strategies and work with asset owners to identify, isolate, monitor and replace this equipment as appropriate.
However, Jones says the federal government doesn’t have the power to enforce these measures at the state level where they’re needed.
"These issues are cross-cutting jurisdictions. What I think the executive order should have done is mention more specific requirements for the federal government to work with the states, the governors, and the state utility commissions to apply similar executive orders at the state level," Jones says. "I like the spirit of the executive order, but there are gaps. How are they going to encourage states and major municipalities to follow some of the language in the executive order, like creating an approved products list?
"We need to convince the governors to put the same kinds of orders in place, and then we have to pay for it."
Jones isn't the only one raising questions about how the executive order will be enforced. FERC, the agency Jones once worked for, is normally the body that regulates the electricity industry. The agency has spent several years developing security standards for utilities, and the industry's cybersecurity standards are enforced by the North American Electric Reliability Corporation (NERC).
Enforcement of the new executive order will instead fall on the U.S. Department of Justice and the DOE. Companies that violate the executive order could incur a penalty of up to $250,000 per violation, and willfully violating the order or assisting a violation would be considered a felony. This takes enforcement out of the hands of FERC and NERC.
Beyond Jones's concerns about what is in the executive order is what isn't in it. Jones says the executive order's scope is too limited because it fails to address other vulnerabilities within the energy sector that attackers can use to cause damage. Without meaningful action to address each attack vector, he says, the energy sector will remain at risk.
“The executive order is excluding regions that aren’t part of the transmission grid directly. They still believe if we protect the transmission grid everything is fine. They think adversaries are trying to take down transmission grids to cause the widest impact. They’re not. They can just go directly after the pipelines in certain regions in the country,” Jones says. “They’re not just going after the transmission grid, they’re going after the ability to generate power, period. They’ve gotten more sophisticated over the last 10 years.”