Guest Post IV: The Presidential Executive Order declaring an energy emergency in the US has entered into force again

ICS cyber security blog guest post

April 24, 2021 – icscybersec

Our colleague GéPé has been keeping a close eye on the fate of the Presidential Energy Emergency Executive Order enacted by the previous (Trump) administration in the US, and summarizes this week's developments below:

In my previous posts (here and here), I touched on the May 1, 2021, Presidential Executive Order on Securing the U.S. Transmission Grid (E.O. 13920, Executive Order on Securing the United States Bulk-Power System, hereafter EO), which declared an energy emergency. According to the EO, implementation details were to be issued 90 days later. This was not done. Finally, after a long delay, the DOE (Department of Energy) issued only an order banning the installation of certain Chinese-origin electrical equipment in critical defense facilities. On January 20 of this year, President Biden, in one of his first executive orders, suspended the EO for 90 days. At the end of that period, on 20 April, DOE reinstated the EO and set out what it would do for the next 100 days. The details of this are not yet known, except that, following last summer's RFI (Request for Information), a new RFI was issued with a 45-day deadline for response.

One might ask what this cock-and-bull story has to do with the cyber security of ICSs, including electricity ICSs!

Well, for one thing, “only” this: the EO (and the prohibition provision) imposes tough measures and restrictions on the operation and installation of critical electrical equipment (e.g. transformers, instrument transformers, protection and control equipment) of foreign origin or interest, whether newly acquired or even already in service. All because of the cyber threats to the US electricity system through the supply chain of this equipment!

The US is now particularly vulnerable to threats to its supply chain, especially from China. On 24 February this year, the Presidential Executive Order on US supply chains (E.O. 14017, America’s Supply Chains) was issued, which set a 100-day deadline for a review of supply chain risks for, among many others, high-capacity batteries (which are of particular importance for the reliable power supply of critical infrastructure ICS/SCADA). The same review must also be conducted, with a 1-year deadline, for the energy sector as a whole.

For another, the SolarWinds/Orion scandal, which has shocking lessons for ICS/OT systems, has just erupted, revealing the blindness, or rather the bankruptcy, of US cyber defence, and as part of that, of ICS cyber defence.

Thirdly, the US continues to regard the equipment of Chinese origin that is increasingly installed and integrated into its critical infrastructures as a major risk. As the RFI puts it, “Chinese-origin key electrical equipment poses a fundamental threat because Chinese law provides China with the opportunity to exploit vulnerabilities in U.S. critical infrastructure equipment – whether manufactured or supplied in China.”

The content and practical implications of the re-enactment provision raise several questions. For example:

  • How could it now be possible to deal in 100 days with a situation that could not be dealt with in 90 days once before, and that has since become “even more so” (see SolarWinds/Orion)?
  • Is the “creation of a stable political environment” sufficient justification for the withdrawal of the only substantive (and justified) development of the past period – the December ban on critical defence installations?
  • How can the electricity companies concerned meet the expectation to operate in the spirit of the EO in the 100 days that have just begun, if the details of implementation will in all likelihood only be known after the 100 days have elapsed?!
  • How will the likely horrendous costs of implementing the EO be financed?!

So we continue to face an exciting few months ahead.

And let us not think for a moment that all this is happening far away from us, in a faraway place, and is none of our business here in Hungary. The threats to today’s globalised supply chains are affecting us too! In other words, those responsible for the cyber security of critical infrastructures – especially the electricity system – in our country should reflect on why the US is sounding the alarm so loudly.

***

The original guest post was published on the ICS cyber security blog.

Translated by DeepL.