On May 1, United States President Donald Trump declared a national emergency to address the threat of cyber attacks targeting the nation’s power grid. The executive order signed by Trump will limit the use of foreign-supplied components in the U.S.’s bulk-power system.
“Today, President Trump demonstrated bold leadership to protect America’s bulk-power system and ensure the safety and prosperity of all Americans,” Energy Secretary Dan Brouillette said in a press release. “It is imperative the bulk-power system be secured against exploitation and attacks by foreign threats. This Executive Order will greatly diminish the ability of foreign adversaries to target our critical electric infrastructure.”
Recent cyber attacks have demonstrated that hackers are targeting supply chains in an effort to infiltrate critical infrastructure they wouldn’t otherwise be able to penetrate. Currently, the U.S. government’s procurement rules often result in BPS component contracts being awarded to the lowest bidder. This provides a vulnerability that can be exploited by malicious actors.
“[T]he unrestricted acquisition or use in the United States of bulk-power system electric equipment designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in bulk-power system electric equipment, with potentially catastrophic effects,” the Trump administration wrote in the executive order. “To address this threat, additional steps are required to protect the security, integrity, and reliability of bulk-power system electric equipment used in the United States.”
The executive order enables the energy secretary to prohibit acquisition, importation, transfer or installation of power equipment from an adversary that they determine poses a risk of sabotage to the U.S. power system. According to the document, bulk power equipment includes items used in substations, control rooms, or power plants, including nuclear reactors, capacitors, transformers, large generators and backup generators and other equipment.
As part of the executive order, the U.S. will establish a task force on procurement policies for energy infrastructure. The government will also establish and publish criteria for recognizing particular equipment and vendors as “pre-qualified”. They will also identify any now-prohibited equipment already in use. This will allow the government to develop strategies and work with asset owners to identify, isolate, monitor, and replace this equipment as appropriate.
“[F]oreign adversaries are increasingly creating and exploiting vulnerabilities in the United States bulk-power system, which provides the electricity that supports our national defense, vital emergency services, critical infrastructure, economy, and way of life,” the administration wrote in the executive order. “The bulk-power system is a target of those seeking to commit malicious acts against the United States and its people, including malicious cyber activities, because a successful attack on our bulk-power system would present significant risks to our economy, human health and safety, and would render the United States less capable of acting in defense of itself and its allies.”
The recently signed executive order is part of ongoing efforts by the U.S. government to protect the nation’s power grid. In March 2019, hackers used firewall vulnerabilities to create blind spots for grid operators in California, Utah and Wyoming. While the attack failed to cause a power outage it served as a warning of the growing power of hackers to disrupt critical infrastructure operations in the energy sector.
Later that year, in an effort to better secure the U.S. power grid, the U.S. Senate passed the Securing Energy Infrastructure Act. The legislation was aimed at removing vulnerabilities that could allow hackers to access the energy grid through holes in digital software systems. Specifically, it prompted the government to examine ways to replace automated systems with low-tech redundancies, like manual procedures controlled by human operators.
“As our world grows more and more connected, we have before us both new opportunities and new threats,” said Senator Angus King said in a press release. “Our connectivity is a strength that, if left unprotected, can be exploited as a weakness. This bill takes vital steps to improve our defenses, so the energy grid that powers our lives is not open to devastating attacks launched from across the globe.”