A cybersecurity expert has asked the Federal Energy Regulatory Commission (FERC) to direct the North American Electric Reliability Corporation (NERC) to conduct a comprehensive survey of all registered entities in the bulk power systems (BPS) to determine what Chinese equipment or systems are currently in use in the BPS, and how they are being used.
The equipment identified can be also used in many other critical infrastructures, including water and wastewater systems, pipelines, oil and gas, and manufacturing, Joe Weiss wrote in a blog post, following submission of his motion to intervene and comment, in a FERC complaint on the buying of critical equipment from the People’s Republic of China in the U.S. BPS and the electric grid.
“The existing FERC, NERC, and DOE responses are not addressing the problems identified in Emergency Presidential Executive Order 13920 (“suspended” on 1/20/2021). There has been no guidance from DOE or the industry on how to respond to the Chinese equipment already in the US grids and some utilities are continuing to buy Chinese equipment despite Executive Order 13920,” he added.
“The equipment explicitly identified in the EO is out-of-scope for the NERC CIPs and the NERC Supply Chain criteria,” Weiss said. “Conversely, the equipment and networks identified as being in scope for the NERC CIPs and the NERC Supply Chain effort are out of scope for EO 13920. That is, the network devices such as firewalls were not included in the EO as they are ineffective with embedded hardware vulnerabilities that can initiate communications from inside the firewall-protected perimeter,” he added.
Additionally, software bills of materials (SBOMs) are not effective means of mitigation when the equipment is coming from China yet that has become a focus for grid supply chain cyber security, he added.
Weiss further pointed out that the NERC Critical Infrastructure Protection (CIP) standards are not capable of addressing the Chinese hardware implants. He also said that industry leaders, such as EPRI, have participated with companies representing China on US grid projects.
The motion moved by Weiss comes after a FERC complaint filed by Michael Mabee, a private citizen who conducts public interest research on the security of the electric grid, which called for the issuance of an appropriate order to the Electric Reliability Organization (ERO) to strengthen the security of the bulk power systems. Mabee also said that U.S. entities in the bulk power systems and the electric grid, are buying critical equipment from China to install into the U.S critical electric infrastructure that the regime’s state-sponsored and state-supported hackers are already probing and attacking.
Mabee also said that there currently is no requirement that existing Chinese equipment or systems already installed in the electric grid be checked and tested for risks and vulnerabilities. In addition, there is no requirement that newly imported Chinese equipment or systems be checked and tested for risks and vulnerabilities before being installed on the electric grid.
Weiss demands that the FERC should direct NERC to revise the NERC CIPs and supply chain requirements to explicitly include the equipment identified in the EO 13920. “This should include technology to authenticate the integrity of process sensors to minimize the impact of the hardware backdoors and potential man-in-the-middle cyberattacks,” he added in his motion.
“FERC should direct NERC to develop cybersecurity procurement guidelines for the equipment identified in EO 13920. FERC should direct NERC to assess the potential grid impacts from compromise of critical grid monitoring and control equipment and develop appropriate recovery options,” Weiss added.