Dive Brief:

• The Federal Energy Regulatory Commission on Thursday issued a Notice of Inquiry (NOI) seeking comment on potential risks associated with installing bulk power system (BPS) equipment sourced from nations considered adversaries of the United States.
• The NOI follows an executive order issued by the White House in May, which sought to limit installation of BPS equipment from six nations, including China and Russia. FERC's inquiry takes special note of Huawei Technologies Co. and ZTE Corp., both Chinese companies that supply grid components.
• If utilities are forced to pull suspect components from the grid then the cost implications could be significant, according to Tobias Whitney, vice president of energy security solutions at Fortress Information Security. The average utility could spend $9 million up front to address the order and over $1.2 million per year to maintain a third-party risk program, he said.
  .

Dive Insight:

FERC's NOI seeks to understand how much BPS equipment the six adversarial nations supply the U.S., and what risks it poses. Experts say that may be difficult to discern because the information is not public and components and software code are often re-branded by vendors working with utilities.

"It's not necessarily whose name is on the actual appliance itself, but understanding the related components within the systems, or even within the software," Whitney said. "A lot of software and hardware is not monolithic, and the level of understanding really necessary to make reasonable decisions to mitigate third-party risk is not a trivial process."

Along with China and Russia, the list of nations from which the U.S. Department of Energy has limited equipment purchases includes Cuba, Iran, North Korea and Venezuela. Experts say China's inclusion is likely to have the greatest impact as it supplies transformers and other grid equipment to the United States.

FERC's inquiry in particular notes that Huawei and ZTE will face scrutiny for "potential risks posed by the use of equipment and services provided by certain entities identified as risks to national security."

According to the North American Electric Reliability Corporation (NERC), the use of BPS equipment sourced from adversarial nations is not shared publicly. "The extent of foreign equipment in the system is the subject of a recent NERC alert and for a confidential NERC report to FERC," spokesperson Martin Coyne said in an email.

FERC's NOI "is a key reliability item in the dialogue on strategies to mitigate any potential risks posed by certain telecommunications equipment and services," Coyne said. Solutions could include, but are limited to, potential modifications to the Critical Infrastructure Protection (CIP) reliability standards that NERC manages.

The NOI asks the electric industry to discuss the effectiveness of the current CIP standards "in mitigating the risks posed by equipment and services provided by covered companies used in the operation of the bulk electric system." In particular, regulators have asked:

• which CIP requirements direct entities to take actions that detect and mitigate the risks;
• what changes to the standards would minimize the risks;
• for stakeholders to describe strategies they have implemented or plan to implement to mitigate the risks;
• what other methods FERC could turn to, including regulatory action or voluntary collaboration with industry and government, "to further address the risks to bulk electric system reliability."

According to Whitney, the federal government is concerned about the potential for nation states to exert control over equipment providers operating within their borders.

"We're trying to mitigate the risk of technologies provided by certain vendors that have potential control weaknesses, where a nation state could infiltrate that provider and introduce code or malware" that could cause grid disruptions, said Whitney. Fortress manages the Asset to Vendor Network, a mutual assistance platform for utilities to share the cost of vendor risk assessments and cyber asset vulnerability patches.

"It could be cost prohibitive for each utility organization to do this in a vacuum," he said.

There are multiple ongoing initiatives to strengthen grid security and reliability, including new supply chain CIP standards set to go into effect on Oct. 1. Those had been set for a July implementation but were delayed due to COVID-19. FERC is also considering financial incentives for transmission owners who voluntarily apply certain CIP standards to facilities that are not currently subject to those requirements.

The focus on grid security is not political, said Whitney, and he expects the initiatives to continue regardless of which party wins the White House in November.

"It appears there is some bipartisan interest in ensuring these potentially compromised systems don't find their way onto the grid," he said. "We're not going to see a significant knee-jerk change one way or another" following the election.