FERC Opens Supply Chain Cyber Risk Inquiry

Sep 18, 2020

FERC began an inquiry into the reliability risks posed by equipment originating overseas, seeking comment on utilities' use of equipment provided by entities associated with U.S. adversaries.

Seeking “a better understanding of the risks to bulk electric system reliability posed by … entities identified as risks to national security,” FERC on Thursday issued a Notice of Inquiry regarding reliability risks posed by BES equipment originating overseas (RM20 -19).

The NOI seeks comments from utilities on:

the extent of the use in BES operations of equipment and services provided by entities identified as risks to national security;
the potential risks to BES reliability and security posed by such equipment and services;
whether NERC’s Critical Infrastructure Protection (CIP) standards adequately mitigate those risks;
what mandatory actions by the commission might mitigate those risks;
strategies the entities have implemented or plan to implement to address such risks, in addition to compliance with CIP standards; and
other methods the commission may employ to address this matter.

FERC’s NOI was formulated in response to President Trump’s executive order in May declaring a national emergency regarding foreign threats to the BES and restricting purchase of BES equipment by federal agencies, citizens and companies from suppliers suspected of connections with hostile nations. (See Trump Declares BPS Supply Chain Emergency.)

NERC responded to the order in July with a Level 2 alert seeking data on the presence of foreign-provided equipment in the BES, while at the same time, the Department of Energy issued a request for information on utilities’ practices for identifying and mitigating supply chain vulnerabilities. (See NERC Issues Level 2 Supply Chain Alert.) At FERC’s meeting on Thursday, Chairman Neil Chatterjee said the commission felt obligated to keep itself informed to the same level as other agencies.

“Although the executive order did not include any directives to this commission, I believe it is incumbent on us as the agency overseeing the reliability and security of the grid to fully understand these risks and take appropriate action,” Chatterjee explained.

Huawei, ZTE Prominent Concerns

Given their widespread use in BES-connected computer systems, Chinese hardware manufacturers Huawei Technologies and ZTE figure prominently in the NOI. The companies, which like other Chinese hardware makers are alleged to cooperate with China’s security services, have been viewed with concern by U.S. policymakers for some time. Sen. Angus King (I-Maine) asked NERC CEO Jim Robb last year whether he knew if any utilities had equipment manufactured by Huawei or ZTE in their systems, with Rob admitting he did not. (See Senators Call for Urgency on Energy Cybersecurity.)

FERC Supply Chain Risk — Huawei headquarters in Shenzhen, China | *Brücke-Osteuropa*

However, Commissioner Richard Glick emphasized that FERC’s concern “goes further than” Huawei and ZTE, and that respondents should consider threats from a wider range of companies and countries, “including companies with ties to Russia and Iran.” He also noted that despite the frequent mentions of Huawei and ZTE, the NOI does not focus solely on hardware. Glick urged utilities to consider “software provided by entities with connections to adversaries” as equally dangerous and to give it due consideration in their responses.

Comments on the NOI are due 60 days after its publication in the Federal Register, with another 30 days for reply comments.

FERC & Federal