Amid fears over having to replace equipment, Energy official noted no set timeline for implementing next steps on a related executive order.
The Federal Energy Regulatory Commission wants to know how it might mitigate risks posed by providers of telecommunications equipment, specifically including Chinese companies Huawei and ZTE, which have been identified by other government entities as threats to national security.
“The Commission seeks comments,” FERC said in a notice of inquiry set to publish Wednesday in the Federal Register on “the extent of the use of equipment and services provided by certain entities identified as risks to national security related to bulk electric system operations.”
Lawmakers such as Sen. Angus King, I-Maine, have called on the energy sector to report the information since March 2019. Following a subsequent pair of executive orders banning U.S. entities from procuring information and communications technology from vendors connected to foreign adversaries, the pressure has significantly increased.
In July, the Department of Energy referenced Executive Order 13920, which specifically targets the bulk power system, in issuing a request for information asking the industry to describe its supply chain risk management practices, especially regarding efforts to stem foreign ownership, control or influence.
“The RFI is helpful in that it provides clarification in a number of areas, but concern remains that the Executive Order creates substantial uncertainty in the sector due to its potentially far-reaching implications,” the Business Council for Sustainable Energy responded. The group represents a wide ranging set of entities including the solar, wind and natural gas industries. “Without timely clarifications, the Executive Order could result in delay or cancellation of equipment orders as well impede investment in energy projects and infrastructure.”
Now, the FERC notice has narrowed things down. The commission cited the Federal Communications Commission’s designation of Huawei and ZTE as national security threats in specifically requesting information on those entities. FERC also requested information on the sector’s use of other entities identified under section 889 of the 2019 National Defense Authorization Act.
Rural internet service providers are currently facing uncertainty with no appropriation from Congress to help them rip and replace their Huawei and ZTE equipment under orders from the FCC. BCSE expressed related anxiety in its response to Energy.
“The U.S. Department of Energy should encourage flexibility when implementing the BPS Executive Order (EO),” the group wrote. “DOE should allow for differences within supply chains among the industry. Specifically, generation of older technology vintages (like hydroelectric plants) have limited number of suppliers and any mitigation protocols of existing equipment should include options beyond replacement.”
Filings with Energy noting communication between Southern Company and Energy’s Assistant Secretary Bruce Walker indicate the DOE has not set a timeline for proceeding with the requirements in the order.
“There is no specific timeline at this time,” Walker said in response to a question about when DOE planned on capturing existing assets. “The Secretary of Energy, in consultation with the Secretary of Defense, Secretary of Homeland Security, the Director of National Intelligence, and the heads of other agencies as appropriate, will propose rules and regulations to carry out the authorities contained within the executive order. During the rulemaking process, the Department of Energy will work closely with stakeholders to address this issue.”
Walker also suggested a potential way out of the prohibitions in the order.
“Examples of mitigation measures may include testing components and addressing vulnerabilities or inspecting manufacturing plants,” Walker said, again noting that there was not yet a specific timeline for such testing by the national labs. “Such measures may be used as a precondition to allow a transaction (or class of transactions) that otherwise would have been prohibited.”
The challenge of securing the sector from supply chain threats is further complicated by the fact that equipment containing components from foreign adversaries may not be labelled as such.
“The probability that electric utilities now use a significant amount of telecommunications equipment with embedded components from Huawei or ZTE is greater in consideration of [their global market share], especially when factoring in components that are branded under a different vendor’s label,” FERC wrote. “If these obscured, or potentially unlabeled, components are present in an electric utility’s infrastructure, the same risks may exist as if the hardware had been purchased directly from Huawei, ZTE, or one of their subsidiaries.”
NEXT STORY: PIV security frays under the crush of telework