- The Trump administration on Wednesday specified six countries, including China and Russia, as "foreign adversaries" from which the electric sector cannot purchase bulk power system (BPS) equipment.
- The blacklist of nations is part of a U.S. Department of Energy Request for Information (RFI) soliciting input on how to enforce President Trump's May 1 executive order aimed at protecting the BPS supply chain from "threats and vulnerabilities."
- Separately, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday laid out a multi-year plan for securing the industrial control systems (ICS) which increasingly help operate the electric grid. Through 2023, CISA plans to help industry "drive technology developments" and will "dedicate resources to future studies and trend analysis."
The Trump administration is refining its long-term approach to cybersecurity, and is now seeking to flesh out the practicalities of enforcing its BPS executive order.
The eagerly-awaited RFI is an initial step for DOE to develop regulations that give teeth to Trump's dictate, which DOE said "prohibits any acquisition, importation, transfer, or installation of BPS electric equipment which has a nexus with any foreign adversary and poses an undue risk to the BPS."
The full list of nations from which equipment purchases are banned also includes: Cuba, Iran, North Korea and Venezuela. Experts say China's inclusion, which was widely anticipated, is likely to have the greatest impact as it supplies transformers and other grid equipment to the United States.
China and Russia were singled out for possessing "highly advanced cyber programs" that "pose a major threat to the U.S. government, including, but not limited to, military, diplomatic, commercial, and critical, infrastructures."
"The BPS is a target of these adversaries' asymmetric cyber and physical plans and operations," the RFI says. "A successful attack on the BPS would present significant risks to the U.S. economy and public health and safety and would render the U.S. less capable of acting in defense of itself and its allies."
The North American Electric Reliability Corp. has been working to boost security through Critical Infrastructure Standards and new vendor requirements, but the executive order seems to shortcut that process, Keith Bradley, a partner at Squire Patton Boggs, told Utility Dive last month. "It throws a wrench into what's going on right now," he said.
While no equipment is prohibited yet, security experts previously told Utility Dive that utilities have already begun limiting some types of procurements. Not all equipment purchases from adversary nations will be blocked: The executive order calls for DOE to establish a list of "pre-qualified equipment and vendors" which would be allowed.
The gave DOE until Sept. 28 to finalize new rules. Industry observers say the tight deadline will be a challenge for the agency. Developing rules will include, along with the RFI, private consultations with industry and other stakeholders, followed by proposed rules, a comment period and then the publication of final regulations.
The RFI focuses on supply-chain evaluation and asks industry to estimate how much implementation of the order might cost. DOE asked respondents to provide "estimated one-time and recurring costs of developing, implementing, and periodically revising compliance plans and procedures associated with the executive order."
On the operational side, the RFI asks what "physical and logistical role-based access control policies have been developed to monitor and restrict access during installation when a foreign adversary, or associated foreign-owned, foreign-controlled, or foreign-influenced person, is installing BPS electric equipment at a BPS site in the U.S."
Comments on the RFI are due Aug. 7.
Separately, CISA's multi-year strategy focuses on working with critical infrastructure owners "to build ICS security capabilities that directly empower ICS stakeholders" to secure their operations against threats.
"We're going to develop and utilize technology to mature ICS defense," CISA Director Christopher Krebs said in June. "We have legacy infrastructure out there. So how do we work with our partners to help protect that infrastructure?"
The strategy aims to engage the ICS community of manufacturers, developers, installers and the organizations that utilize the devices. "We are going to recommit and reinvest in our partnerships, drive more areas for collaboration and opportunity in an inclusive way that provides more access," Krebs said.