Last month, the United States government announced a 100-day plan to address cybersecurity risks to critical electric infrastructure. As part of that effort, the U.S. Department of Energy announced a new request for information focused on preventing exploitation and attacks by foreign threats to the U.S. supply chain.
“Adversarial nation-state actors continue to target the nation’s critical infrastructure, with an increasing focus on the energy sector,” the DOE says. “The Administration is addressing critical infrastructure security through various actions and considers the protection and resilience of energy infrastructure to be a part of that comprehensive strategy.”
Since that time, stakeholders involved in the U.S. electric system have provided insight on supply chain risk management, procurement best practices, and risk mitigation criteria. Their comments shed light on steps the country can take to better secure critical electric infrastructure.
“The power grid is composed of a myriad of devices working in concert to match supply with demand. Many of these devices rely on control hardware and software that are increasingly being networked in order to facilitate management,” wrote representatives from the Department of Software and Information Systems at the University of North Carolina Charlotte. “Another concern with these devices is the fact that many of these controllers are designed and deployed under the assumption that they will only be used on closed networks where security is a secondary concern. However, as Stuxnet has shown, even closed networks are susceptible to compromise. What is needed are tools and techniques that can continuously monitor the behavior of the control devices and provide a range of options for building a more resilient grid.”
UNCC recommends investment in research into comprehensive vulnerability assessment and attack surface mapping, high-assurance resilient software, securing legacy software, and thwarting continually evolving threats.
“What is needed are technologies that will enable robust and trustworthy monitoring of system behavior that can serve as a means of detecting attacks and guide any adaptation that occurs within the system,” UNCC wrote. “Such technologies can serve a number of purposes, including early detection of potential attacks, forensic analysis of successful attacks, root-cause analysis of attacks to determine how the adversary compromised the system, and guidance on techniques to prevent similar attacks in the future.”
The DOE also heard from the American Electric Power Services Corporation, which serves approximately 5.5 million residential, commercial, industrial, and wholesale customers in 11 states. AEP operates an interconnected network of critical electric infrastructure that generates, transports, and delivers electricity across the country and is among the nation’s largest generators of electricity.
“We have developed one of the industry’s most recognized and leading Supply Chain Security Programs utilized to identify potential risk from third parties on whom we depend to provide products and services for the day-to-day operation of our business and the provision of electric utility services to our customers,” AEP wrote. “Making sure we understand the security posture of our providers is critical to ensuring we provide reliable service to those who depend on us.”
AEP called on the DOE to support a database where utilities can acquire information about assets being purchased and deployed in critical electric infrastructure. They also called on the DOE to support a facility or lab where physical components can be tested for potential risk to critical electric infrastructure.
AEP also recommended membership in its Grid Assurance organization, which provides subscribing utilities with access to an inventory of spare transmission equipment dedicated to responding to catastrophic grid emergencies. Grid Assurance maintains an inventory of newly manufactured critical “long lead-time” equipment. “Stockpiling dedicated assets is the only sure way to provide the necessary certainty to appropriately plan for recovering from such catastrophic events – certainty of asset availability, certainty of asset location, certainty of rapid delivery and certainty they will operate when installed,” AEP wrote. “The use of dedicated stockpiles of difficult-to-obtain assets is a best practice used by many industries that also provide critical infrastructure and services to ensure they can recover from significant events.”
As part of the United States government’s recent efforts around critical electric infrastructure, President Joseph Biden’s administration also revoked a prohibition order issued by the previous administration related to the electric system. That order prohibited a limited number of utilities from acquiring, importing, transferring, or installing certain bulk power system electric equipment.
“The Nation’s energy infrastructure supports our national defense, critical infrastructure, economy, and way of life. Adversarial nation-state actors are targeting our critical infrastructure, with an increasing focus on the energy sector. The Department is engaged in a partnership with the electricity subsector and other Federal agencies, in a comprehensive set of actions to strengthen supply chain risk management and recognizes the threat our foreign adversaries pose to our critical infrastructure,” the DOE wrote in the Federal Register. “In order to build on the work the Department has already completed in securing the electric system, the Department is developing recommendations to strengthen requirements and capabilities for supply chain risk management practices by the Nation’s electric utilities. These recommendations are intended to enable an approach that builds on, clarifies, and, where appropriate, modifies prior executive and agency actions.”
To this end, the recent RFI also called for feedback on the prohibition order. In its response, AEP wrote that while a specific prohibition order may be overreaching, guidance based on intelligence would be beneficial. “A prohibition order may result in removal of a technology that may be necessary to operate but unavailable from any other source,” AEP wrote. “The utility would be responsible to employ appropriate mitigations where the component may introduce unacceptable risk to the supply of energy to critical facilities. As an alternative, we would suggest a public-private partnership to accelerate the private sector’s efforts in the area of supply chain security whereby the Federal Government would strengthen current regulations and encourage transparency by suppliers so that asset owners can assess supply chain cyber risk for themselves through existing solutions.”
The DOE also heard from the EMP Taskforce on National and Homeland Security, a group focused on the vulnerability of the electrical grid and other critical infrastructures. The group called on the government to strengthen the executive order prohibiting the acquisition, transfer, or installation of certain BPS electric equipment sourced from foreign adversary countries and to better enforce its implementation. “[The] purchase of foreign-made equipment such as transformers and sensors for the electric grid adds risk that it could be shut down by foreign adversaries. Therefore, the procurement of all new foreign equipment and components needs to be thoroughly analyzed and tested prior to deployment. In addition, existing foreign-made critical equipment and components need to be analyzed to ensure that they are safe and do not include any flaws or hidden backdoors that could bring down the electric grid.”
The task force called for funding to develop and execute plans on hardening the U.S. electric grid against EMP, coronal mass ejections, cyber-attacks and supply chain vulnerabilities. “The electric grid is key to all critical infrastructures,” the task force wrote. “Adequate funding is needed to immediately mitigate vulnerabilities in the existing grid, and to ensure that all new grid infrastructure such as renewable electric generation, transmission and distribution are protected from EMP/CME events, cyber-attacks, and potential supply chain vulnerabilities.”