November 21, 2024
FERC Rejects Mabee’s 2021 Supply Chain Complaint
Commission Says Activist’s Requested Actions Unnecessary
FERC said the activist's request for a grid-wide audit of Chinese-manufactured equipment is unnecessary in light of existing standards.

FERC on Oct. 1 rejected a three-year-old complaint by security gadfly Michael Mabee requesting that the commission order an audit of the electric grid for potentially harmful equipment manufactured in China, along with reliability standards requiring any new Chinese equipment to be tested for harmful capabilities (EL21-99).

Mabee filed his complaint in August 2021, citing contemporary reports from media outlets and government officials that China had conducted “a campaign of cyberattacks” against critical U.S. infrastructure, including the energy sector. Specifically, he warned that U.S. electric utilities bought equipment made in China and installed it on the grid. 

This “could facilitate a cyberattack” by the Chinese government, Mabee asserted, particularly because — as he said — there were no requirements by the U.S. government or in NERC’s standards that entities inspect Chinese equipment for cyber risks and vulnerabilities either before or after installation. 

To address these supposed risks, Mabee requested the commission direct NERC to: 

    • survey all registered entities in the electric grid to find out “what Chinese equipment or systems” are in use; 
    • submit a proposed reliability standard for “testing and security of Chinese equipment or systems” that are in use on the bulk power system or purchased in the future; and 
    • work with state regulators to encourage adoption of the proposed standard or a state equivalent on the parts of the grid under state jurisdiction. 

NERC responded to Mabee’s complaint in 2021, arguing that FERC should deny his request on the grounds that several existing Critical Infrastructure Protection (CIP) standards already required entities to assess risks to the grid when acquiring applicable electronic systems. The ERO said that if the CIP standards identified a specific foreign nation by name, as Mabee requested, it might be harder to apply them to “other nation-states that may pose a threat.” (See “NERC Argues to Dismiss Supply Chain Complaint,” NERC Seeks FERC Approval to Fund Office Move.) 

Other commenters were more sympathetic to Mabee, FERC noted in its order. The Secure the Grid Coalition — a security-focused think tank to whose website Mabee has contributed several articles — suggested FERC conduct a technical conference, possibly in conjunction with a special task force, to “determine the potential threat posed [to the grid] by Chinese transformers and other grid control and monitoring systems.” 

The Foundation for Resilient Societies — a nonprofit aimed at “boosting critical infrastructure resilience and recoverability” — also requested that FERC, NERC and other agencies conduct an investigation into the threat posed by Chinese equipment. In addition, several individuals filed comments expressing support for Mabee’s position and urging the commission to take the threat of Chinese infiltration into the power grid seriously. 

Mabee himself has followed up his original complaint with multiple subsequent filings prodding FERC to take action. His most recent filing was this February, when he submitted data from the Census Bureau purportedly showing the U.S. imported 449 transformers of more than 10,000 kVA from China between 2006 and 2023. 

FERC Sides with NERC

FERC agreed with NERC that “the relief sought [by Mabee] is duplicative of existing reliability standards, as well as past and ongoing efforts by the commission and other federal agencies.” 

In addressing Mabee’s request for an audit of electric utilities for Chinese equipment, FERC observed that NERC can “assess the risks associated with foreign owned suppliers” through existing means such as NERC Alerts. It cited two such alerts, issued in 2019 and 2020, requesting information from registered entities on exposure to cyber risks from equipment manufactured in China, Russia and other foreign adversaries. 

FERC also sided with NERC in its defense of the CIP standards, and noted its own activities, along with other federal agencies, to address the risks posed by equipment manufactured overseas. Since Mabee’s complaint, FERC has held two technical conferences in 2021 and 2022 covering cyber risk management in the power sector and supply chain security challenges in the power grid. 

Concerns over China’s cyber prowess in recent years have focused more on its capabilities in software than in hardware. Last year Volt Typhoon, a cyber actor connected to China by the Cybersecurity and Infrastructure Security Agency and other security organizations, was accused of infiltrating U.S. critical infrastructure organizations disguised as legitimate users. 

In a congressional hearing this year, FBI Director Christopher Wray called China’s cyber posture “the defining threat of our generation” and warned that the country’s hackers were preparing “to wreak havoc and cause real-world harm to American citizens and communities.” (See China Preparing to ‘Wreak Havoc’ on US, Cyber Officials Warn.) 
