The utility sector needs precise information about the federal government's equipment concerns and better visibility into manufacturing supply chains in order to keep the electric grid secure, several groups told the U.S. Department of Energy in June 7 comments responding to a call for cyber and supply chain security recommendations to secure the electric grid.
However, new regulations and security requirements are not necessary at this time, according to the Edison Electric Institute (EEI), which represents investor-owned electric utilities. That idea was echoed by other industry groups filing comments.
Utilities support development of a U.S.-based supply chain, to move away from Chinese grid equipment, but warn that such a move could cause a short-term rise in prices due to a lack of suppliers. Procurement of some large power transformers, EEI noted, "may primarily depend on a single country."
Utilities say they need clear direction from the government on any equipment bans, and help getting more information on what components make up the grid equipment in use. But they also warn that, at this point, new regulations could get in the way of making the grid more secure — and could even affect its operations.
"Many efficiencies can be gained in leveraging existing cyber and physical security and supply chain processes, as opposed to creating and imposing upon the industry a new set of processes that could disrupt existing measures to combat the threats or access to critical equipment," EEI said in its response to the request for information (RFI).
'Spillover' effects on reliability
New directives from DOE, whether addressing supply chains or equipment in use, could affect the market for critical equipment and "have a spillover effect on the day-to-day grid reliability," EEI said, and "may increase the ultimate costs to electric customers."
Smaller utilities also questioned the need for new security requirements. The American Public Power Association (APPA) filed comments jointly with the Large Public Power Council, the National Rural Electric Cooperative Association and the Transmission Access Policy Study Group.
The groups urged DOE to "focus on the extent to which existing standards have been successfully implemented in the electric utility sector to help frame the scope for any new regulations." And if DOE sees risks that are not being addressed in the existing required supply chain standards, the agency should consult with the Federal Energy Regulatory Commission and/or the North American Electric Reliability Corp. (NERC), and "provide actionable information that can inform appropriate standard revision."
"It would be burdensome on utilities, in particular smaller entities like public power utilities and electric cooperatives, to require them to report on supply chain requirements to more than one federal regulator," APPA and the other groups said.
EEI also noted that NERC's critical infrastructure protection standards are relatively new, and consequently, additional requirements or standards at this point are premature. "Rather time for implementation and gap analysis is warranted to determine whether any changes or additions are needed," the group recommended.
The Nuclear Energy Institute, which advocates for the industry, told DOE, "we do not see the need for any additional assistance, security requirements, or procurement practices to be imposed on the commercial nuclear power fleet at this time." The group also said it does not see a need for DOE to issue any prohibition orders on "equipment or infrastructure associated with the commercial nuclear power fleet."
Supply chain visibility
Supply chain risks have come under heightened scrutiny since the SolarWinds compromise, in which attackers inserted a backdoor into a vendor update that was then delivered to customers through the vendor's own signed software distribution channel. About 25% of power utilities were exposed to the compromised software, according to NERC.
Experts say modern software and equipment are made up of hundreds or even thousands of components, each of which must be examined for vulnerabilities. EEI said its companies need specific details on any piece of equipment that DOE might flag for concern.
"The supply chain for electric power equipment is enormous ... and it is not the end-use electric companies who have information about what is inside those pieces of equipment or components," EEI said in its comments.
Utilities have tools to identify threats to the supply chain and electric grid, but EEI said "by definition, these are not all encompassing. Government has access to sensitive information that it should find ways to share so all affected stakeholders understand what equipment is of concern and why it is of concern."
The utility group encouraged DOE to "collaborate with and help electric companies by sharing this information and include other stakeholders who have the knowledge."
EEI also said the DOE could work with the National Institute of Standards and Technology to develop "consistent criteria" for hardware and software bills of materials. A software bill of materials (SBOM) lists the components, and their versions, that make up a piece of software, so a utility can check that inventory against published vulnerability advisories and know which systems need patching.
"Doing so would support standardization in these bill of materials, which would make the development and provision of such useful tools for the purposes of identifying provenance and the potential presence of any foreign ownership or control," EEI said.
President Joe Biden signed an executive order May 12 to improve the country's cyber defenses, and it requires that vendors provide an SBOM for software sold to the federal government. EEI has been collaborating with the federal government to pilot the use of SBOMs in energy sector procurements.
The Electric Power Supply Association, which represents competitive providers, said DOE could consider strengthening industry procurement efforts "by crafting standardized cybersecurity contract language and creating a whitelist of suppliers who manufacture component and subcomponent parts."
While DOE examines the potential of new security requirements, the RFI said the federal government expects utilities will "act in a way that minimizes the risk of installing electric equipment and programmable components that are subject to foreign adversaries’ ownership, control, or influence."
It's not that simple, warned utilities.
The concept of "foreign ownership, control, and influence" is "very broad," APPA told the agency.
"To the extent DOE moves in this direction, the industry would benefit from efforts by DOE and other government agencies to identify actionable information regarding threats from adversaries abroad," APPA said.
EEI said its companies need clear guidance on what specific factors — including location of manufacturing or level of equity ownership — would constitute "foreign ownership, control, and influence."
"Otherwise, procurement decisions cannot be made with certainty. For example, given the number of equipment suppliers that are publicly traded and the speed at which stocks change hands, electric companies could never be certain whether a supplier has foreign ownership," EEI said.