By Rich Heidorn Jr.
NERC is investigating Chinese ties to the vendor it selected for a high-profile software project, the Western Electricity Coordinating Council learned Tuesday.
NERC selected BWISE Information Security to develop its Align project in February 2018, when the company was owned by NASDAQ. NERC signed an ERO enterprise-wide, eight-year software licensing agreement with the company in June 2018.
Brian Evans-Mongeon, CEO of Utility Services Inc., told the WECC Members Advisory Committee Tuesday some registered entities raised concerns after NASDAQ sold BWISE to SAI Global, an Australia-based company whose investors include a Singapore-based private equity fund managed by Barings Private Equity Asia, which is based in Hong Kong. The deal closed in April 2019.
NERC CEO Jim Robb, who attended the WECC meeting in Salt Lake City, Utah, told the MAC that NERC has commissioned an “independent review” into the matter and should have a report within about a week.
Robb said the review is “to really understand what the legal linkages are between mainland China and Hong Kong, particularly the applicability of the 2017 Chinese intelligence law, which is what we’re concerned about here.” The law says “foreign institutions, organizations and individuals” could be subjected to Chinese intelligence, and individual personal property could be accessed for investigative purposes, according to Jones Day.
Robb also said NERC will have a classified briefing with the Department of Energy in early July to see “if they have any insights into the relationship between SAI Global, Barings Private Equity Asia and mainland China.”
Robb described BWISE as a “blue chip provider of GRC [governance, risk management and compliance] systems,” saying “many utilities in the country use them right now. We took comfort in the fact that NASDAQ owned them because NASDAQ would obviously take security very, very seriously.”
“We are on top of this and doing everything we think prudent to make sure the tool as developed and implemented will be highly secure,” Robb said.
Robb said NERC staff also is seeking ways to minimize the amount of sensitive information that auditors collect and that would be stored in Align. Formerly known as the CMEP [Compliance Monitoring and Enforcement Program] Technology Project, Align is intended to improve and standardize processes across the ERO Enterprise.
“So, our goal is to make the tool as uninteresting as possible,” Robb said.
Evans-Mongeon, a Class 3 (transmission dependent energy service providers) MAC member, praised NERC’s general counsel’s office and Chief Technology Officer Stan Hoptroff for their research into the issue.
“Based upon the research people have shared with me — while there are still some registered entities who have expressed some concerns — overall I believe NERC has satisfactorily [obtained] information from these companies that those concerns and vulnerabilities do not exist.”
“That being said, the one concern I still have is in the area of supply chain. If you take a look at CIP 13, there is a provision in the requirements that software as well as hardware be examined and vendors be recognized. I think it is potentially beneficial for WECC to take a look at maybe reaching out to the registered entities and suggesting they take a look at these relationships for … potential threats and vulnerabilities.”