Utilities weigh in on strategies to secure critical electric infrastructure
The U.S. Department of Energy (DOE) received nearly 100 replies to a Request for Information (RFI) the agency published in April pertaining to steps that electric utilities and government agencies could take to continue protecting the electric power system from foreign threats.
A core concern is whether critical and complex technical components of electric equipment could be deliberately programmed or otherwise sabotaged by foreign adversaries, causing mayhem within the grid itself or for critical customers, e.g., public water systems, pipelines and fuel operations, and Department of Defense facilities.
This is a real threat, now. The RFI warns that “adversarial nation-state actors are targeting our critical infrastructure.” DOE directly calls out China: “The government of (the) People’s Republic of China is equipped and actively planning to undermine the electric power system in the United States.”
Among the public comments received by DOE, Duke Energy and Public Service Electric and Gas (PSEG) filed comments, along with the Edison Electric Institute (EEI).
EEI’s comments focused on six tenets:
Prioritize Critical Facilities
EEI members use a “defense-in-depth” system for supply chain security. EEI suggests that DOE use this same approach and then share their resulting knowledge about critical facilities. “The greatest security improvements,” EEI writes, “can be achieved by collaborating on identifying and targeting facilities with the greatest risk.”
Critical Equipment and Components Must Be Clearly Identified and Described
Next, identify the equipment, components, or subcomponents that, if compromised, would significantly impact grid reliability. Equipment for which there are no alternate suppliers needs specific attention.
The supervisory and control elements in a system present particular concern, EEI writes, in contrast to “the hardware that makes up the bulk of the system such as poles, underground cable, wire and even distribution transformers.” In its comments, PSEG writes that hard-to-replace equipment, such as SCADA (Supervisory Control and Data Acquisition) and relay protection devices, may have no alternative suppliers and deserve “particular scrutiny” and “where warranted, targeted risk-based action.” PSEG also suggests an information database on such equipment.
Duke references a “software bill of materials,” i.e., an inventory presenting the open-source and third-party components within certain software. Companies can request that listing, but there’s no way to ensure complete disclosure. Duke also suggests a national database of components known to present risks.
Intelligence Sharing
EEI writes that DOE, particularly regarding classified material, needs to refine and improve its ability to share information and intelligence with the private sector. EEI suggests new processes that could evaluate concerns regarding foreign ownership, control and influence. There is precedent for this information sharing in Section 889 of the National Defense Authorization Act and within Department of Commerce policy. DOE could build on these existing opportunities, EEI writes, to develop a strong communication partnership.
Industry-Government Collaboration
Utilities already share information with many federal and state agencies. Now, there are new information pathways pertaining to grid security. EEI references CRISP, the Cybersecurity Risk Information Sharing Program, which enables near real-time, machine-to-machine sharing of cyber threat data. Another example is the recently established Energy Cybersecurity Alliance, a forum for electric companies and service providers to discuss safety and security-focused issues.
“DOE should leverage these collaborative programs,” EEI advises.
Complement Existing Industry Tools
EEI notes that utilities are already subject to mandatory and enforceable NERC Reliability Standards. These are, however, relatively new and EEI suggests that further time is needed to evaluate changes or additions. Reliability Standard CIP-005, for example, requires electric companies to manage electronic access sessions with vendors and allows disabling any active remote access sessions in case of a system breach. Reliability Standard CIP-007 mandates managing system security, including ports and services, patches, malicious code prevention, monitoring and access control.
Additionally, EEI has developed a Model Procurement Contract Language document containing a tailorable set of contract provisions to address cybersecurity supply chain risk.
Finally, within this section, EEI notes that supply chain regulation that focuses just on regulated utilities may not provide enough leverage to change upstream, component manufacturing. EEI asks whether “software developers and equipment manufacturers should be required to report vulnerabilities, significant incidents, and other helpful security information.”
Equipment Testing and Domestic Manufacturing
DOE’s RFI includes questions about equipment testing, procurement, and ideas about developing a “strong domestic manufacturing base with high levels of security and resilience.” These topics present particular challenges, EEI writes. With manufacturing, for example, EEI notes that “in many instances, there are no viable or cost competitive domestic sources for critical electric equipment, leaving utilities either without domestic options or with a significant additional cost, which is ultimately shouldered by ratepayers.” Procurements – for example, large transformers – can take months, sometimes years, of budgeting, engineering and planning before equipment is placed in service. A prohibition on certain suppliers, then, could have its own far-reaching grid impacts. EEI suggests that “DOE should explore ways to incentivize the establishment of this domestic supply and consider financial incentives to bridge the cost gap between domestically produced equipment and foreign-sourced critical grid equipment.”
DOE’s Office of Electricity is reviewing the public comments. Next steps, and a timetable, have not been announced.
