Ensuring Electric Grid Supply Chain Security: Developing and Sharing a Holistic Threat Assessment

By Steven T. Naumann, former Vice President, Transmission and NERC Policy, Exelon

Note: Federal agencies, the electric utility industry and its myriad suppliers and vendors are working to ascertain the full breadth and scope of the Trump Administration’s May 1, 2020, Executive Order (EO) 13920, Securing the United States Bulk-Power System. Dr. Paul Stockton, former Assistant Secretary of Defense for Homeland Defense and Americas’ Security Affairs, and an expert on cybersecurity and infrastructure resilience issues, published a white paper on September 2 outlining in detail four “opportunities for progress” in securing the U.S. electric grid from attacks originating in the bulk power system supply chain.  This is the second of five installments reviewing the Stockton Paper; this piece is focused on the first opportunity: Developing and sharing a holistic threat assessment. Readers are encouraged to read the full Stockton Paper here.

Two near-term issues illustrate the broad sweep and urgent need to clarify and prioritize implementation of the Administration’s May 2 Executive Order.

First, the utility industry necessarily engages in long-term planning, often making procurement decisions for equipment years before that equipment will be delivered and/or installed. Large transformers, for example, can cost several million dollars, take up to two years to bid, design, manufacture, and deliver, and the vast majority currently are manufactured outside of the U.S.

As such, one of the utility industry’s most pressing needs for information from the Department of Energy and its intelligence community partners is identifying the manufacturers of critical equipment that companies eventually will be barred from purchasing under the Executive Order. The potential financial, system reliability and disaster recovery consequences of committing today to buy high-cost, long-lead equipment for the bulk power system that may be banned at some future date are significant, to say the least.

Second, power system owners and operators also need significant help from DOE, the intelligence community and their equipment vendors in order to determine if compromised or at-risk equipment is installed on existing Defense Critical Electric Infrastructure (DCEI), the energy infrastructure systems that are critical to the defense of the U.S.  But protecting DCEI, while necessary, is not sufficient.  The electric system that serves military installations also supports critical civilian facilities such as hospitals, emergency services, and other functions critical to public safety.

As Protect Our Power has noted previously, reliable electricity is the backbone upon which all other elements of our critical infrastructure depend for operations, and without electricity our national defense, our economy and our way of life will quickly grind to a halt.

The Executive Order requires DOE to “develop recommendations on ways to identify, isolate, monitor, or replace such items as soon as practicable, taking into consideration overall risk to the bulk-power system.” The electric utility industry’s input will be essential to completing this task, and will have to include mechanisms for cost recovery if acceptable equipment is more expensive and if specific equipment must be replaced. Utilities will need help prioritizing replacements for such equipment, while simultaneously maintaining the reliability of the electric grid and strengthening grid resilience.

Dr. Stockton suggests that the starting point for meeting EO requirements is for the government to provide industry with a “holistic, end-to-end assessment of how foreign adversaries are likely to use compromised [electric grid] equipment to actually conduct an attack.” [i] The not-so-obvious wrinkle here is that, according to U.S. intelligence agencies, foreign adversaries are not likely to launch an attack on the grid as a main event, but rather as a way to exacerbate or gain additional leverage during an intense crisis with the United States on another issue.[ii]

A particular concern is that adversaries are targeting supply chain vulnerabilities as a way to “prepare the battlefield,” i.e., to establish their ability to cause a major disruption to the electric grid and related infrastructure, and thereby hamper or prevent the deployment of U.S. military assets to address a crisis situation.[iii]

That concern has profound national security implications and underscores the need to develop new countermeasures to defeat supply chain-based attacks, Dr. Stockton notes, concluding that protecting DCEI equipment should be a top priority for implementing the May 2 Executive Order.[iv]

Deterring our enemies by denial should also be a key factor in Executive Order implementation, according to Dr. Stockton. Creating a stronger and more resilient electric grid and critical infrastructure will create doubt in our adversaries that they can disrupt our bulk power system at will, which should, in turn, reduce the likelihood of attacks on the grid.

If adversaries want to use the threat of mass-scale electricity supply disruptions as a way to coerce U.S. behavior in international events, and do so via supply chain-based attacks, conducting and sharing a holistic threat assessment is a critical first step in identifying vulnerabilities and potential avenues of attack. Such knowledge will then support development of an effective “kill chain” to significantly enhance our ability to counter or deny such threats and strengthen bulk power system resilience.

Next week: Developing a Compromised Equipment Kill Chain

Steve Naumann

