NERC is preparing to issue a Level 2 alert in “two to three weeks” in response to President Trump’s recent declaration of a national emergency regarding foreign threats to the bulk power system, CEO Jim Robb said in a presentation Wednesday.
The ERO’s alert follows Trump’s lead in focusing on BPS equipment developed, manufactured or supplied by entities connected to “foreign adversaries,” defined as any foreign government or nongovernment person connected with threats against the U.S. or its allies. (See Trump Declares BPS Supply Chain Emergency.) It will require registered entities to report to NERC the extent of such equipment connected to their systems; NERC will use the information to determine strategies for mitigating any potential damage from these components.
The Level 2 alert will be NERC’s second this year; the first was issued in March to address the COVID-19 pandemic. (See Coronavirus, Cybersecurity Top WECC Board Discussion.) Currently, NERC is working with FERC and the U.S. Department of Energy to identify the manufacturers subject to its data request. Information gathered in the alert will help DOE determine “whether this is a huge problem or a very surgical problem,” and how strong a response is needed as a result.
“We’re going to take a very prudent, risk-based approach to this,” Robb said. “This isn’t going to be rip and replace — [we want to] assure ourselves that we don’t have untoward activity going on out on the system.”
Hardware Attacks More Likely
Trump’s executive order was welcomed by NERC when it was issued earlier this month, with the organization saying the declaration would “help support activities already underway in NERC’s supply chain standards and other work” to provide security to the BPS. But some in the industry have expressed concerns about the broad wording of the order and warned of a “cloud of uncertainty” that will exist until DOE has clarified its application.
Sukesh Aghara, a professor of chemical and nuclear engineering at the University of Massachusetts Lowell who participated in the briefing with Robb, said the decision to declare a national emergency reflected both concerns about hardware-related cybersecurity threats that have been building for years and alarm from the strain placed on supply chains by COVID-19 that has resulted in shortages of basic supplies across the U.S.
Those long-term fears have a number of causes: Robb pointed out that the supply chain for electrical equipment used in the BPS has almost entirely moved overseas. This trend could give foreign governments a degree of leverage over U.S. critical infrastructure that they never could have hoped for in previous years.
Aghara also pointed to a 2018 report in Bloomberg Businessweek that China’s intelligence services had inserted microchips into circuit boards manufactured in the country that eventually ended up in computing equipment used by almost 30 U.S. companies, including Amazon and Apple, as well as government agencies. The chips reportedly gave attackers the ability to monitor any network to which the altered equipment was connected.
Questions have been raised about that story — both Amazon and Apple have denied that any hostile hardware was found in their equipment and said the report was riddled with inaccuracies — and Aghara acknowledged that the reported vulnerabilities “may or may not have led to … a malicious outcome.” However, he said that even if this incident was less severe than first believed, the idea of a supply chain-based hardware attack is plausible and troubling enough that leaders would want to get in front of it as much as possible.
“Milton Friedman [commented] that when a crisis occurs, the actions that are taken depend on the ideas that were lying around,” Aghara said. “So I think it is not surprising that this might be the critical moment where something like an executive order … might lead to a significant change in what we do.”
A Good First Step
In light of these long-building issues, Robb said industry reaction to the executive order has been positive overall. Though many continue to call for more clarity, most see it as a first step toward providing utilities with the tools they need to level the playing field with their greatest threats.
“You’re getting attacked by nation-state actors, but as [Southern Co. CEO] Tom Fanning, one of the co-chairs to the [Electric Subsector Coordinating Council], said, ‘I’m a company — I can’t hit back. I don’t have the authority to go and punch North Korea on the nose, and yet they’re coming after me,’” Robb said. “So therefore, government help here is very important and very welcome.”