Administration Asks Energy Companies to Report on Supply Chain Vulnerabilities


Industry leader has yet to take action promised in congressional testimony last year.

Pursuant to a May executive order, the Energy Department’s Office of Electricity wants to know what measures the power sector employs to safeguard its supply chain from cyberattacks and its use of equipment from “foreign adversaries”—questions members of Congress have been asking for more than a year.  

The executive order bans the procurement of such equipment and tasks the Energy Secretary with establishing criteria for vendors that would be pre-approved, among other things. 

A request for information from Energy set to publish in the Federal Register Wednesday specifically names Russia and China as foreign adversaries, noting that the Office of the Director of National Intelligence considers them both near-peer adversaries with advanced cyber programs that threaten U.S. critical infrastructure. Other countries Energy included—for the purposes of the EO—are Iran, North Korea and Venezuela.  

“A successful attack on the [Bulk Power System] would present significant risks to the U.S. economy and public health and safety and would render the U.S. less capable of acting in defense of itself and its allies,” the document reads.

The document asks whether energy sector asset owners and/or vendors identify, evaluate, and/or mitigate foreign ownership, control or influence in the context of adversaries potentially accessing company and utility data, product development and source code, the extent to which sub-tier suppliers might be vulnerable to foreign ownership, control or influence, and the critical risk tolerance of assets and services.

In March 2019, Sen. Angus King, I-Maine, and others on the Senate Energy and Natural Resources Committee asked a related question, in much simpler terms: “do any of our utilities have ZTE, Huawei, or Kaspersky equipment or software in their system?”   

The question was addressed to Jim Robb, CEO of the North American Electric Reliability Corporation, a self-regulatory body comprising members of the industry.

Pressed on the same issue, in July 2019, Robb told the House Energy and Commerce subcommittee on energy that NERC was developing a level 2 alert “regarding Chinese equipment suppliers including Huawei and ZTE.” 

Robb said the alert would enable the industry “to get a better sense of the scope of the threat.” He also noted plans to issue a “mandatory data request to gather more information on potential supply-chain threats to cybersecurity.”

But NERC’s public records show the alert was never issued. A NERC spokesperson told Nextgov the alert is “still being worked.”

The Energy Department’s RFI asks specifically about equipment—such as transformers, reactive power equipment, circuit breakers and generation—and gets granular in its request, seeking information about whether entities used a software bill of materials to get insight into their suppliers and measures like penetration testing to validate defenses.