NERC issued its second Level 2 alert of the year on Wednesday to gather data on the bulk power system’s exposure to “foreign adversaries,” at the same time the Department of Energy published a request for information on the industry’s practices for identifying and mitigating supply chain vulnerabilities for BPS components.
DOE’s request and NERC’s alert are both in response to President Trump’s declaration of a national emergency in May that aimed to restrict the purchase of BPS equipment from suppliers suspected of connections with foreign adversaries — defined as any foreign government or nongovernment person connected with threats against the U.S. or its allies. (See Trump Declares BPS Supply Chain Emergency.) The order also created a task force that would work with the electricity, oil and natural gas industries to develop unified energy infrastructure procurement policies.
NERC Seeks Foreign-made Equipment Data
Details of NERC’s alert are confidential, but a representative of the organization confirmed to ERO Insider that it was drafted “in support of” the emergency declaration. NERC CEO Jim Robb said in May that the aim of the alert would be to determine “whether this is a huge problem or a very surgical problem.”
“This isn’t going to be rip and replace — [we want to] assure ourselves that we don’t have untoward activity going on out on the system,” Robb said. (See NERC Planning Level 2 Supply Chain Alert.)
Further information was provided on Thursday by Mark Kuras, senior lead engineer in PJM’s Reliability Compliance unit, who told the RTO’s Operating Committee that the alert is “broader than the six technologies listed in the earlier alerts” — referring to NERC’s previous supply chain alerts issued in 2017 and 2019.
Kuras said the information requested by NERC focuses on transformer control and protection systems — transformers, load tap changers, cooling systems and sudden pressure relays — that are 10 years old or newer, and that the alert applied mostly to generation and transmission owners and “distribution providers to some extent.”
“This has to do with … trying to restrict your use of equipment that is manufactured outside the U.S.,” he added. “While the countries that are being restricted have not been defined yet, I think you can assume … at least China and Russia will be included in that list.”
DOE Probes Supply Chain Vetting
DOE’s information request also identifies China and Russia as “foreign adversaries,” along with Iran, Cuba, North Korea and Venezuela, though the list is subject to change by Energy Secretary Dan Brouillette in consultation with other agency heads. Inclusion on the list “does not reflect a determination … about the nature of” the countries named except as it relates to Trump’s executive order.
The department based its information request on the National Counterintelligence and Security Center’s supply chain risk management (SCRM) framework and NERC’s critical infrastructure protection standards, in addition to the work of standards development organizations such as the International Organization for Standardization and the National Institute of Standards and Technology. DOE’s interest focuses on entities’ use of evidence-based cybersecurity maturity metrics along with foreign ownership, control and influence (FOCI), and includes the following questions:
- Do energy sector asset owners and/or vendors conduct enterprise risk assessments, including a cyber maturity model evaluation, on a periodic basis?
- Do asset owners and/or vendors identify, evaluate and/or mitigate FOCI risks with respect to company and utility data, potential sub-tier supply chain manufacturers, and assets and services?
- Do changes need to be made to established SCRM standards in order to protect source code, establish a secure software and firmware development cycle, and maintain software integrity?
- How are benchmarks documented and tracked?
Additionally, the department seeks information on the economic costs of compliance with the executive order. This includes developing compliance plans and frameworks, implementation, and periodic review and mitigation of issues. Utilities are also asked whether certain categories of BPS equipment could present more problems under the executive order, and if there are any unique challenges the order could pose for small businesses.
NERC’s alert requires registered entities to acknowledge receipt by July 16; responses are required no later than Aug. 21. Comments on DOE’s information request are due by Aug. 7.