Trump’s grid security executive order will create vendor ‘black list,’ complicate equipment sourcing
Foreign adversaries are “increasingly creating and exploiting vulnerabilities” in the United States bulk-power system, according to the executive order, with “potentially catastrophic effects.”
“This is a well known issue within the electric sector,” Shawn Wallace, vice president of energy at IronNet Cybersecurity, told Utility Dive in an email. “The U.S. has virtually lost its capability to manufacture large high voltage transformers on which the grid critically depends. Increasingly, we are having to import the equipment from countries like China, making it easy targets for foreign governments to tamper with.”
According to the executive order, unrestricted foreign supply of BPS electric equipment “constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”
The order declares a national emergency with respect to the BPS, and blocks federal agencies and U.S. persons from “acquiring, transferring, or installing” BPS equipment in which a foreign adversary has an interest. It also authorizes the U.S. Department of Energy to establish criteria for recognizing particular equipment and vendors as “pre-qualified” and to identify any now-prohibited equipment already in use.
Hardware from an untrusted source “could arrive with backdoors built into the firmware, or it could be tampered with in transit,” James Evelyn, vice president of compliance solutions for risk-management firm Force 5, told Utility Dive. The order “is aimed at eliminating buying bulk power systems with built-in security or surveillance threats.”
A task force led by Secretary of Energy Dan Brouillette will develop energy infrastructure procurement policies while consulting with the industry through the Electricity Subsector Coordinating Council and the Oil and Natural Gas Subsector Coordinating Council.
Utilities have already been working strengthen supply chain security, in part to comply with the new vendor rules NERC was forced to delay last month. Those requirements, which include utilities completing an assessment of their vendor networks, had been set to go into effect on July 1 but will now be on hold until October.