The U.S. Department of Energy (DOE) has taken the first major step towards implementing the recent Executive Order (EO) from the Trump Administration that seeks to protect the national bulk-power system (BPS) from foreign adversaries. Specifically, DOE issued a Request for Information (RFI) on July 8, 2020, seeking input from industry stakeholders to "understand the energy industry's current practices to identify and mitigate vulnerabilities in the supply chain for components of the [BPS]." Energy industry stakeholders should follow and consider submitting responses to the RFI, as this process may be a harbinger for the establishment of future limitations on specific electrical infrastructure.
Background
On May 1, 2020, the Trump Administration issued EO 13920, which declared that a successful attack on the BPS would present significant risks to the U.S. economy and public health and safety. The EO directs DOE, in consultation with the heads of several other agencies, to promulgate regulations by Sept. 28, 2020. For purposes of the EO and the future regulations it mandates, the BPS includes 1) facilities and control systems necessary for operating an interconnected electric energy transmission network (or any portion thereof), and 2) electric energy from generation facilities needed to maintain transmission reliability. The BPS includes transmission lines rated at 69 kilovolts (kV) or higher, but excludes facilities used in local electricity distribution.¹
Request for Information
The RFI includes a complete list of questions for which input is sought. The RFI explains that, although DOE seeks input on the full scope of BPS electrical equipment, DOE is considering a "phased process" to prioritize review of electrical equipment by function and impact to the overall BPS. The RFI is designed to address: 1) evidence-based cybersecurity maturity metrics and 2) foreign ownership, control and influence (FOCI). Further, as part of the federal acquisition process and in conjunction with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection standards, DOE is considering:
- limited procurements
- select build versus buy
- the consequences of insufficient supply chain risk management (SCRM)
- evidence-based performance metrics that support a continuous improvement process
Additionally, the RFI hints that the Secretary of Energy may establish prequalification criteria for a set of components that support defense critical infrastructure, as well as critical loads and transmission. DOE does not plan to develop additional SCRM frameworks but plans to build upon existing standards.²
Foreign Adversaries Identified
Most notably, unlike the EO itself, the RFI identifies the following governments as "foreign adversaries": China, Cuba, Iran, North Korea, Russia and Venezuela. The RFI notes, however, that this identification is strictly limited to purposes of the EO, and that the Secretary retains authority to periodically review, subtract and supplement the list.
Next Steps
Responses to the RFI are due by Aug. 7, 2020, and can be submitted via email or Regulations.gov.
Market participants that may be impacted by EO 13920 may consider using the RFI as an opportunity to influence DOE's future regulations, as well as to gain clarity as to how future prohibitions may be administered or applied to specific components of the BPS.
Notes
1 See Holland & Knight's previous alert on EO 13920: "Securing the U.S. Power Grid: President and Commerce Department Sound the Alarm," May 6, 2020.
2 For example, NIST 800 series standards, ISO standards, ISA/IEC 62443 and NERC CIP standards.