SolarWinds Hack Reinforces Critical National Importance of Securing Electric Grid Supply Chain
By Steven T. Naumann, former Vice President, Transmission and NERC Policy, Exelon
The recent hack of the SolarWinds software has pointed out, once again, the vital importance of protecting the supply chain for electric utilities. Unaware of a hack of its software, SolarWinds unwittingly sent out updates to its customers that included malicious code. Approximately 18,000 customers installed the update, allowing the malicious code to create a backdoor to their systems, which the hackers then used to install even more malware that helped them spy on companies and organizations, including U.S. government agencies.
While owners and operators of the bulk-power system are subject to mandatory supply chain risk management standards that are set and enforced by the North American Electric Reliability Corporation (NERC), the SolarWinds hack shows that even trusted vendors can put the power grid at risk. The tampered SolarWinds update carried the vendor’s own legitimate digital signature, so the routine checks customers apply to vendor updates accepted it. This is because the overall security of the electric grid is vulnerable to the “weakest link,” meaning that even if a utility has an excellent risk management plan, a compromised vendor at any stage of the supply chain can remain undiscovered and cause serious problems.[1]
Clearly, more timely and flexible processes are needed to secure the power industry supply chain. Compliance with the existing mandatory reliability standards is important, but it is not sufficient to protect against the escalating and sophisticated threats we now face.
Recognizing this, Executive Order 13920, “Securing the United States Bulk-Power System,” was issued on May 1, 2020. It prohibited purchasing or installing certain bulk-power electric equipment that was developed, built, or supplied by companies owned by, controlled by, or subject to the direction of a foreign adversary.[2] After several months of gathering information, in December 2020 DOE issued a “Prohibition Order Securing Critical Defense Facilities.”[3] DOE also may issue a proposed rule implementing the Executive Order.
Against this backdrop of enhanced urgency to secure the supply chain for the electric grid and other critical infrastructure, Protect Our Power launched a Supply Chain Collaborative, a series of meetings with representatives of multiple sectors of the electric power system, together with other experts. The meetings were a joint effort between Protect Our Power and Ridge Global, an international security and risk management firm chaired by Gov. Tom Ridge, the first Secretary of the U.S. Department of Homeland Security, and the Collaborative’s efforts will continue in the coming months as the new Administration tackles these issues.
Based on input from Collaborative participants, Protect Our Power filed initial comments with DOE in December,[4] making recommendations in three areas:
- Establishing lists of approved or prohibited vendors/components;
- Establishing a system of testing and evaluation of equipment and software; and,
- Addressing implementation issues associated with any forthcoming order(s).
In the collective opinion of Protect Our Power and Collaborative participants, the most important attribute of implementing an effective supply chain framework is that it be developed in a collaborative manner. While many asset owners and operators may use the same equipment, the risks to the grid and implementation challenges are not the same for each one. In order to protect the grid in a timely manner against the greatest risks, the development of any framework necessarily requires collaboration and cooperation across government (including intelligence agencies), asset owners and vendors.
Approved/Prohibited List
Protect Our Power did not recommend whether DOE should create approved or prohibited lists of vendors and/or equipment, but rather that, if DOE does so, the lists should be based on input from asset owners and intelligence agencies that fully know and understand the risks to the electric power grid. Of note, this collaborative approach is consistent with the recommendations of the Congressionally-appointed Cyberspace Solarium Commission[5] and other experts.[6]
Testing and Evaluation
DOE should establish a system of testing and evaluation of equipment and software and, together with asset owners and intelligence agencies, determine priorities for testing based on potential impact to the grid. Given the myriad kinds of equipment installed on the electric grid, it is urgent that a prioritization process be established. Industry, vendors, and the intelligence community, in coordination with U.S. government agencies, need to determine which components pose the greatest risk to the electric grid, as well as the type of expertise needed to test them.
Protect Our Power recommends creating a tiered system that not only identifies the most critical equipment for testing but also provides a list of qualified testers for different types of equipment. For example, the National Laboratories have testing capabilities and access to intelligence information, but their ability to test all important equipment quickly is limited.[7] Therefore, other qualified testing organizations should be utilized, based on their expertise. Collaborative government-industry efforts are needed to jump-start the testing in an orderly manner.
Implementation Issues
DOE should consider the practical implications of any order, including whether any prohibitions would be retroactive, and ensure that utilities can recover costs incurred. Additionally, any determination that only certain equipment or software may be used on the electric grid must account for real-world practical considerations and risks to the system. For example, limiting the vendors of equipment or software may result in backlogs, which could delay the installation of equipment or software needed to maintain reliability. This is even more important if prohibitions are made retroactive.[8] As Protect Our Power noted in its comments to DOE, DOE’s Prohibition Order applied only to future transactions,[9] which will help support security objectives without creating undue strain on current operations.[10]
In addition, DOE needs to be sensitive to the need for asset owners to recover the costs of complying with requirements that limit equipment or software they may install on the electric grid. Cost recovery for grid investments depends on the regulator (FERC or a state commission); whether transmission rates are bundled with generation and distribution; and, whether or not an asset owner has a tariff under which it can recover increased costs.[11] Finally, liability protections for the implementation of a testing and evaluation program need to be established.
Other Considerations
Implementing a supply chain program based on U.S. national security needs must consider the breadth of the international supply chain and the myriad challenges that presents. For example, lower-level vendors of sub-components or software could change after testing is completed. Or, as seen with the hack of the SolarWinds software, a product that is approved on a particular day can be compromised the next day. As such, any process for implementing the May 1, 2020, Executive Order needs to consider how to deal with “moving targets.”
The importance of securing the U.S. power industry supply chain cannot be overstated – electricity is the lifeblood of our economy and powers every other sector of our critical infrastructure. If the “blood” supply is tainted or compromised, the rest of the body will eventually cease to function.
Sources
[1] The SolarWinds intrusion was not the first compromise of a vendor’s software to compromise its users. Companies became infected by the NotPetya malware after downloading certain accounting software used for Ukrainian tax reporting. See The Chertoff Group, “SolarWinds Compromise: Software Lifecycle Management Implications” (Jan. 11, 2021) (“The 2017 NotPetya attack, with estimated damages of over $10B, was enabled by corrupting a legitimate tax software update server.”), located at https://www.chertoffgroup.com/blog/solarwinds-compromise-software-lifecycle-management-implications; Matteo Crosignani et al., “Pirates Without Borders: The Propagation of Cyberattacks Through Firms’ Supply Chains,” at 2, Federal Reserve Bank of New York Staff Reports, Staff Report No. 937 (July 2020).
[2] Executive Order 13920, Securing the United States Bulk-Power System, 85 Fed. Reg. 26595 (May 4, 2020).
[3] Prohibition Order Securing Critical Defense Facilities, 86 Fed. Reg. 533 (Jan. 6, 2021).
[4] Comments of Protect Our Power to DOE Request for Information on Securing the United States Bulk-Power System, Docket No. DOE-HQ-2020-0028, at 6 (filed Dec. 21, 2020), located at http://protectourpower.org/pop-doe-2020-0028.pdf (“POP Comments”).
[5] Cyberspace Solarium Commission, “Building a Trusted ICT Supply Chain,” CSC White Paper No. 4, at 20 (Oct. 2020) (“As a first step toward securing supply chains and enabling U.S. competitiveness, the U.S. government must work with industry, partner countries, and state and local governments to identify key equipment and the components and materials that make its assembly possible”).
[6] Paul N. Stockton, “Securing the Grid From Supply-Chain Based Attacks,” at 4-5 (Sept. 2, 2020), located at https://inl.gov/wp-content/uploads/2020/09/StocktonEOReport.pdf.
[7] An example of the capabilities of the National Laboratories is DOE’s Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program. See Cybersecurity Testing for Resilient Industrial Control Systems, located at https://www.energy.gov/ceser/cybersecurity-testing-resilient-industrial-control-systems.
[8] Section 1 of the May 1, 2020 Executive Order applies to transactions “initiated after the date of [the] order,” so prohibitions may reach back to May 1, 2020, even though there was no list of prohibited equipment at that time.
[9] The Effective Date of the Prohibition Order is January 16, 2021.
[10] See POP Comments at 6. In addition, the Prohibition Order is directed only to electric utilities that own or operate Defense Critical Electric Infrastructure (DCEI). Prohibition Order at 534.
[11] For example, the Prohibition Order extends to Generator Step-Up transformers (“GSUs”) with a high-voltage rating of 69 kV and above. Yet GSUs are functionalized as production, not transmission. Kentucky Utilities Company, 85 FERC ¶ 61,274 (1998).