Regulators pressed on Chinese gear in energy supply chain

The heads of agencies charged with protecting the cybersecurity of electrical transmission infrastructure told members of the House Energy and Commerce Committee's Energy Subcommittee that they're addressing supply chain concerns on a number of fronts.

The top managers of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER); the Federal Energy Regulatory Commission (FERC); and the North American Electric Reliability Corporation (NERC) faced questions in a July 12 hearing from lawmakers concerned about whether gear from Chinese manufacturers Huawei and ZTE are showing up in bulk power companies' operations.

NERC President and CEO Jim Robb said his organization plans additional action over Huawei/ZTE concerns in the coming days. NERC first issued a bulletin to grid providers in March in response to the administration's prohibitions of those companies' products.

Robb said his organization plans to follow up on that initial warning next week, when it issues a "Level 2 NERC Alert" about Huawei/ZTE equipment in electrical utility networks. Under the alert, he said, companies will have to inventory of all the prohibited equipment still in their networks and provide a mitigation strategy for it.

"We'll have that information by the end of the summer," said Robb.

CESER chief Karen Evans told the panel that her agency is working a number of approaches to address that evolving threat. DOE and CESER, she said, had a supply chain risk management program in place before the White House issued its executive order and guidance about supply chain concerns last May.

The agency's Cyber Testing for Resilience of the Industrial Control  Systems (CyTRICS) program, tests and evaluates cybersecurity of  critical  electrical  components, Evans said.  

CESER, she said, has also purchased an evaluation tool it plans to give grid providers so they can use it to look at their suppliers. The agency, she added, has also set up an advanced manufacturing initiative to help develop cybersecurity capabilities in electric grid products in the future.

Rep. Greg Walden (R-Ore.) wanted to know if products developed under the programs would get a "stamp of approval" similar to that given by the Underwriters Laboratory for products it tests.  

"That is what we hope to be able to identify jointly through the advanced manufacturing institute," said Evans.

"We think a supplier certification program is a smart thing to do," Robb said.

The subcommittee is also working on supply chain legislation.

The Cyber Sense Act of 2019 (H.R. 360), introduced by subcommittee member Rep. Robert Latta (R-Ohio), would require the Energy Department to set up a voluntary program to test bulk power systems products and technologies for cyber vulnerabilities.

Evans also told Latta the Energy Department's National Labs are working on ways to verify the cybersecurity vulnerabilities of products used in the bulk power system. "Verify and validation of products is important regardless of legislation," she said. If bulk power supply chain bills are passed, she said, their protections will "enhance" the work the National Labs are doing.

On another energy cybersecurity front, although natural gas pipeline security is the responsibility of the Transportation Security Administration, some committee members prodded the Energy Department to take over its cybersecurity duties.

Rep. H. Morgan Griffith (R-Va.) urged Evans and the Energy Department to "take the lead" on pipeline cybersecurity. Griffith asked Evans if her agency had "more people working" on pipeline cybersecurity than the Department of Homeland Security agency. Reports have said TSA has only a handful of people dedicated to pipeline cybersecurity issues.

A few committee members noted natural gas pipelines are increasingly used to provide fuel to electrical power generating operations, making them a critical piece of the electrical grid.

Evans said TSA has been present at all planning activities, including the last meeting of the Oil and Natural Gas Coordinating Council.

She declined to answer on the staffing question. "That's a question for DHS," she said.

Another committee bill, the Energy Emergency Leadership Act (H.R. 362), sponsored by Subcommittee Chairman Rep. Bobby Rush (D-Ill.), would set the CESER deputy secretary position and the agency's authorities permanently.