WASHINGTON, Dec. 23, 2020 — An effective program to secure the integrity of the U.S. power industry supply chain is a complex but urgent matter requiring extensive collaboration, and sustained industry input, among government agencies, electric power companies and vendors, according to comments filed today with the Department of Energy by Protect Our Power, an electric grid advocacy group.
The comments were developed during two Supply Chain Collaborative meetings hosted by Protect Our Power, which included representatives from more than a dozen investor-owned, municipal, and public power companies from across the U.S., as well as other experts from the private sector.
The meetings were a joint effort between Protect Our Power and Ridge Global, an international security and risk management firm chaired by Gov. Tom Ridge, the first Secretary of the U.S. Department of Homeland Security, in response to a May 2020 Executive Order and anticipated DOE rulemaking.
“Ensuring supply chain security for the bulk power system is a massive and complex undertaking,” said Jim Cunningham, executive director of Protect Our Power. “And critical to success is ensuring comprehensive, meaningful industry input — no one but the system operators actually understand the practical and operational implications of buying one component over another, and being able to do so in a cost-efficient manner, while maintaining confidence in the integrity of the components or service. This process simply cannot be completed without sustained power industry input.”
In order to facilitate an open exchange of ideas, the Supply Chain Collaborative meetings sought comments from participants on an anonymous basis through a survey and in two live meetings, resulting in a unique and broad range of perspectives which were then aggregated and provided to DOE.
Key recommendations from the Supply Chain Collaborative group included:
- Collaboratively developing a comprehensive cybersecurity supply chain framework that recognizes the significant differences in utility companies and is designed to operate effectively across these varied systems.
- Creating a list of permitted components and vendors, preferably, or in the alternative, a prohibited component list based on the country of origin or product manufacturer.
- The creation and maintenance of such lists should be grounded in information sharing — federal intelligence organizations sharing information with DOE, and DOE and other agencies actively receiving information from the industry so that practical effects and impacts are considered.
- Establishing a system for testing and evaluating the integrity of components using existing National Labs and non-governmental organizations to oversee reviews and/or a certification process. Due to the volume of components in need of evaluation, and the complexity of some equipment, multiple organizations will be needed to meet demand and match the capabilities of the testing organizations with the criticality of the equipment.
- Developing a tiered testing process to encourage the evaluation of the most critical components first, focus industry and vendors on the most critical risks, and facilitate prioritization on the most critical components if testing capabilities are limited.
- Considering the practical implications of components that are designated as “restricted,” including whether, and to what date, these designations are retroactive, and what actions entities that have already contracted for, purchased, or installed these components on their systems must take.
- DOE should also consider tiers of priority equipment that would dictate the timing and thoroughness of the testing regime. DOE should also develop appropriate guidelines, with industry input, if a restricted component is already installed on a system and recognize that FERC and state energy regulators will need to actively collaborate on policies for cost recovery.
“The Supply Chain Collaborative will continue to develop and refine recommendations to assist DOE in creating a workable framework for supply chain equipment designation and enforcement,” Gov. Ridge said. “We believe that addressing issues of implementation and workability at this stage of the process, and from the utility perspective, reduces the risk that the framework DOE sets forth will have implementation problems. The collaborative process serves the DOE’s interest and also benefits all stakeholders and the overall security of the grid.”
About Protect Our Power:
Protect Our Power (POP) is a not-for-profit organization designed to build a consensus among key stakeholders, decision-makers, and public policy influencers to launch a coordinated and adequately funded effort to make the nation’s electric grid more resilient and more resistant to all external threats. The national program must also ensure establishment of an enhanced power restoration and recovery component for all grid operations that would include communications protocols to protect the American public.