Department of Energy Identifies “Foreign Adversaries” and Seeks Industry Input Regarding Implementation of Bulk-Power System Executive Order
Key Points
- On July 8, 2020, the Department of Energy (DOE) published a Request for Information (RFI) concerning Executive Order 13920, “Securing the United States Bulk-Power System” (the “E.O.”). The E.O. authorizes the DOE to block transactions involving bulk-power system electric equipment with a nexus to “foreign adversaries.”
- The RFI states which countries are “foreign adversaries” for the purposes of the E.O. Russia and China are of particular concern.
- The RFI seeks information about the electric industry’s current cybersecurity and supply chain practices to assist the DOE in drafting a rule implementing the E.O. Comments in response to the RFI are due on August 7, 2020.
Introduction
On July 8, 2020, the Department of Energy (DOE) published a Request for Information (RFI) concerning Executive Order 13920, “Securing the United States Bulk-Power System” (the “E.O.”), which was issued May 1, 2020. The RFI identifies which countries are considered “foreign adversaries” for the purposes of the E.O. and, therefore, from which countries the acquisition of electrical equipment might be restricted. The RFI notes that Russia and China are of particular concern.
The RFI seeks information about the electric industry’s current cybersecurity and supply chain practices to assist the DOE in drafting a rule implementing the E.O. In particular, the RFI seeks the industry’s insight regarding evidence-based cybersecurity maturity metrics, foreign ownership, control, and influence, and the E.O.’s potential economic impacts. Comments in response to the RFI are due on August 7, 2020.
In addition to requesting comments regarding industry practices and the E.O.’s potential economic impacts, the RFI provides insight regarding the outlines of a rule implementing the E.O.
Background
As discussed in our prior alert (found here), the E.O. authorizes the DOE to block transactions involving bulk-power system (“BPS”)1 electric equipment2with a nexus to “foreign adversaries.” Specifically, the E.O. prohibits transactions involving certain BPS electric equipment where the DOE, in consultation with other agencies, has determined that the transaction (i) involves equipment with a nexus to a “foreign adversary” and (ii) poses an undue risk of damage to the BPS, U.S. critical infrastructure, or the U.S. economy, or an unacceptable risk to national security or the safety of U.S. persons.
The issuance of the E.O. initially caused considerable concern in the industry, as the scope of equipment potentially impacted was extremely broad. The DOE alleviated some of these concerns in a series of phone conferences, emphasizing that it was not interested in a wholesale replacement of the U.S. electric grid, and that its implementation of the E.O. would be “surgical” and “strategic.” In its FAQs regarding the E.O., the DOE further clarified that the E.O. would affect “just a portion” of the nation’s electric infrastructure, and that, “for many stakeholders, there will be no impact.” The FAQs further noted that, “even for affected stakeholders, DOE will consider procedures for mitigation measures that may allow for the use of equipment that would otherwise be prohibited.” However, though the DOE’s reassurances were welcome, they provided little guidance regarding the ultimate impact of the E.O.
Clarifications on the E.O.
The RFI provides a list of countries currently considered foreign adversaries by the United States—China, Cuba, Iran, North Korea, Russia, and Venezuela—and notes that China and Russia are “near-peer” adversaries that pose particular risk to U.S. critical infrastructure.
The RFI also clarifies how the DOE views its mandate in the E.O. First, as suggested by prior DOE statements, the RFI confirms that the rulemaking process will provide an opportunity for stakeholder comment and input on the substance of the rule, which is currently expected to be issued on or before September 28, 2020.
The RFI explains that the DOE will rely primarily on pre-existing standards and frameworks for its risk analysis, in particular the National Counterintelligence and Security Center’s supply chain risk management framework. The DOE will also build on existing guidelines and standards, including the National Institute of Standards and Technology’s 800-series publications, and the Critical Infrastructure Protection Reliability Standards (CIP Standards) developed by the North American Electric Reliability Corporation (NERC) and approved by the Federal Energy Regulatory Commission (FERC).
The RFI also states that the DOE seeks to use a “phased process” to prioritize the review of the most critical equipment based on function and impact to the overall BPS. The RFI explains that this process will allow the Secretary of Energy to establish “pre-qualification criteria” for BPS components that support “defense critical electric infrastructure” and “other critical loads and critical transmission feeders (69 kV and above) reported under” the CIP Standards developed by NERC and approved by FERC. The RFI also includes black start systems among the systems that may be affected by pre-qualification criteria. This suggests a highly targeted approach that may affect particular projects based on their location on the grid and whether they serve a critical role in maintaining reliability (such as black start systems or specific substations), rather than a broad brush approach that might affect projects that pose little risk if compromised.
Information Sought
Although the RFI covers the full scope of BPS electric equipment as defined in the E.O., the DOE is particularly interested in comments on specific types of equipment, such as (i) transformers, including generation step-up transformers, rated 20 MVA and above with a low-side voltage of 69 kV and above; (ii) reactive power equipment (reactors and capacitors); (iii) circuit breakers; and (iv) generation, including generation connected at the transmission level and backup generation that supports substations. This includes both hardware and electronics associated with equipment monitoring, intelligent control, and relay protection. This list is considerably narrower than the definition of BPS electric equipment provided in the E.O., which included significantly more categories of equipment and could be read to also include many dual- and multi-purpose items.3 However, the RFI does not significantly narrow the definition of “generation” beyond confirming that only generation connected at the transmission level will be impacted; the RFI does not clarify whether intermittent renewable generation is included within the scope of the E.O. Larger renewable facilities often connect at the transmission level, but are generally considered to pose a relatively low reliability risk since grid planners do not expect them to be available at all times.
The RFI provides a specific and technical list of questions regarding cybersecurity measures and risk assessment, supply chain risks, foreign access to company assets, potential changes to standards, known vulnerabilities and breaches, control over subvendors and subcontractors, and critical materials, among other things. It also asks about the E.O.’s potential economic impacts, including compliance costs, categories of equipment likely to be particularly affected, and challenges to small businesses.
Contact Information
If you have any questions concerning this alert, please contact:
Christian C. Davis Washington, D.C. +1 202.887.4529 |
Shiva Aminian Los Angeles +1 310.552.6476 |
George (Chip) Cannon Jr. Washington, D.C. +1 202.887.4527 |
John J. Marciano III Washington, D.C. +1 202.887.4450 |
Daniel Phillip Sinaiko Los Angeles +1 213.254.1211 |
J. Porter Wiseman Washington, D.C. +1 202.887.4219 |
Katherine P. Padgett Washington, D.C. +1 202.887.4079 |
Scott Daniel Johnson Washington, D.C. +1 202.887.4218 |
Devin S. Sikes Houston +1 202.887.4336 |
Michael James Adame Washington, D.C. +1 202.887.4323 |
Thor Petersen Washington, D.C. +1 202.887.4307 |
Cameron Peek Washington, D.C. +1 202.887.4518 |
1 “E.O. 13920 defines BPS as (i) facilities and control systems necessary for operating an interconnected electric energy transmission network (or any portion therE.O.f); and (ii) electric energy from generation facilities needed to maintain transmission reliability. This definition includes transmission lines rated at 69,000 volts (69 kV) or more, but does not include facilities used in the local distribution of electric energy.” RFI at I.B.
2 “E.O. 13920 defines BPS electric equipment as items used in BPS substations, control rooms, or power generating stations, including reactors, capacitors, substation transformers, coupling capacitor potential devices [expressed in the E.O. as current coupling capacitors and coupling capacity voltage transformers], large generators, backup generators, substation voltage regulators, shunt capacitor equipment, automatic circuit reclosers, instrument transformers, protective relaying, metering equipment, high voltage circuit breakers, generation turbines, industrial control systems, distributed control systems, and safety instrumented systems. Items not included in the preceding list and that have broader application of use beyond the BPS are outside the scope of E.O. 13920.” Id.
3 See supra note 2.