- The Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) July 31 published a cybersecurity guide for the power sector, which covers four noninvasive techniques that security professionals can use to identify chips produced by Huawei and ZTE.
- Grid operators may be unknowingly using network interface controllers (NICs) or other devices produced by Huawei and ZTE that could compromise their operations, according to the paper. Government entities have identified both companies' equipment as potential security threats.
- The white paper guides the industry to think beyond their equipment vendor relationships to examine the component suppliers, Josh Sandler, EY Energy cybersecurity senior manager, said in an email. The white paper also complements the new NERC critical infrastructure protection (CIP) standard for Cybersecurity Supply Chain Risk Management (CIP-013) that becomes effective Oct. 1, according to Sandler.
Electric power suppliers rely on networking and telecommunications abilities in their daily operations. Several government entities, including the House Permanent Select Committee on Intelligence, Government Accountability Office (GAO), Defense Innovation Board and Federal Communications Commission (FCC), have identified equipment produced by Huawei and ZTE as potential threats, according to FERC and NERC.
Concerns about cybersecurity of the electric grid have grown this year. President Trump issued an executive order on physical and cybersecurity of the nation’s power grid and the Department of Energy identified six countries – China, Cuba, Iran, North Korea, Russia, and Venezuela – as "foreign adversaries" from which the power sector cannot purchase equipment.
While the executive order is focused on infrastructure, the white paper focuses more on cyber assets and their components, according to EY’s Sandler.
“Additionally, the white paper provides examples of practical, technical steps that the industry can take today to better understand and assess what has already been deployed within their environment,” Sandler said.
Even if a grid operator hasn’t purchased equipment produced by Huawei or ZTE, their components are so pervasive in the market that suspect components may have been used in equipment purchased from other manufacturers, according to the white paper.
It’s difficult to know precisely how pervasive Huawei or ZTE components are in the power sector, Sandler said.
A backdoor in a NIC may allow malicious actors access to a grid operator’s system by bypassing firewalls or intrusion-detection software, according to the white paper. While grid operators could physically open devices to check the serial numbers on components against a list of potentially malicious components, FERC and NERC suggested four automated tools for identifying suspect components.
The techniques suggested in the white paper do not increase the burden on industry, Sandler said, adding that the methods are aligned with good supply chain risk management practices already underway in the industry.
“Over the last few years, as attacks have increased in frequency and sophistication, cybersecurity risk management has risen in importance for electric utilities and regulators,” Sandler continued, and “utilities need a thoughtful approach to supply chain vendor management to help mitigate cybersecurity risk.”