Industry participants support federal efforts to limit acquisition of foreign-manufactured hardware but warn that rooting it out of existing systems “presents significant challenges,” according to responses to FERC’s inquiry on reliability risks from such bulk electric system equipment (RM20-19).

FERC issued its Notice of Inquiry in September in response to President Trump’s executive order last May declaring a national emergency regarding foreign threats to the BES and restricting purchases of BES equipment from suppliers suspected of connections with “foreign adversaries,” which the Department of Energy later clarified to include China, Russia, Iran, Cuba, North Korea and Venezuela. (See Trump Declares BPS Supply Chain Emergency.) Prominent in the NOI were the Chinese hardware manufacturers Huawei Technologies and ZTE, which are widely believed by law enforcement to cooperate with China’s security services. (See FERC Opens Supply Chain Cyber Risk Inquiry.)

The commission sought comments from industry on:

• the extent of the use in BES operations of equipment and services provided by entities identified as risks to national security;
• the potential risks to BES reliability and security posed by such equipment and services;
• whether NERC’s Critical Infrastructure Protection (CIP) standards adequately mitigate those risks;
• what mandatory actions by the commission might mitigate those risks;
• strategies that entities have implemented or plan to implement to address such risks, in addition to compliance with CIP standards; and
• other methods the commission may employ to address this matter.

Searching for Threats Poses Problems

On the extent of the grid’s exposure to equipment from foreign adversaries, many respondents asserted that utilities are proactive in keeping their infrastructure clean of potentially dangerous hardware. Bonneville Power Administration (BPA) said that identifying equipment branded by a specific company such as Huawei or ZTE is “relatively straightforward” and that it had already verified its systems are free of devices from both companies and others named in the NOI.

NERC and the regional entities echoed BPA’s assessment, observing that their data indicated “minimal exposure” to the manufacturers in the BES, and the Electric Power Supply Association — which represents independent power producers and marketers — reported that its members “have extensive procurement protocols in place.”

But finding equipment from ZTE, Huawei and other suspect manufacturers is not as simple as it might at first seem because a piece of hardware made by another company may contain components from one of those firms; for example, network interface controllers (NIC) made by Huawei and ZTE are found in many devices made by other companies.

NERC and FERC acknowledged this in a joint white paper last year presenting techniques utilities can use to identify the manufacturer of NICs on their systems, though they acknowledged it is not totally foolproof. (See FERC, NERC Offer Cyber Supply Chain Guidance.) But even if these problematic components are discovered, removing and replacing them is still a major challenge; BPA said that it has “thousands of [NICs] in service … and physical inspection would require an enormous amount of manpower.”

CIP Standards Seen as Effective

Sentiments toward the CIP standards were generally positive, with the North American Generator Forum saying the standards “provide a sufficient risk-based, defense-in-depth approach to cybersecurity of the BES.” The Edison Electric Institute concurred, praising CIP-013-1 (Supply chain risk management) in particular for not requiring “any specific controls or mandate[ing] one-side-fits-all requirements … [instead taking] a flexible approach to allow responsible entities to establish” their own frameworks for assessing cybersecurity risk.

Exelon agreed that CIP-013-1 provided “a framework for addressing the risks” posed by foreign-connected hardware providers and further asserted that “the nation’s electric utilities have gone above and beyond the requirements of the standard” by jointly developing a risk assessment tool for the entire industry. This ensures that utilities can evaluate vendors’ cybersecurity practices efficiently, while giving vendors a standardized set of requirements to respond to.

Some respondents shared this positive assessment but felt the CIP standards as a whole could go further. The DOE noted that the issue of hardware vulnerabilities “goes beyond the narrow confines of” ZTE, Huawei and the other companies named in the NOI. It urged the commission to order an investigation of the CIP standards by NERC that would “identify any gaps in application.”

The Bureau of Reclamation said the current CIP standards “do not adequately mitigate the identified risks,” but recommended against modifying them. Instead, the bureau suggested that the commission order the National Institute of Standards and Technology’s (NIST) Cyber Security Framework be applied to all BES cyber systems.

“The focus should not be on what is wrong with the CIP standards or how to better align them with NIST, but what is right with the NIST standards and how a convergence on a single set of standards would improve BES resilience and security,” the bureau said.

NERC and the REs cautioned against drawing conclusions about the efficacy of the CIP standards, noting that standards relating to supply chain risk management only went into effect on Oct. 1, 2020 and that the ERO Enterprise “has only just begun assessing” their performance. The organizations requested that FERC wait until NERC has completed the supply chain effectiveness review as well as a planned study of electronic access controls for assets containing low impact BES cyber systems before it attempts any assessment of the standards’ adequacy.