Saturday, May 2, 2020

Friday’s Executive Order



Note from Tom: If you’re only looking for today’s pandemic post, go to my new blog (and if you’re not subscribing to that blog, sign up for it. This blog will increasingly be devoted to cybersecurity/NERC CIP discussions, although I’ll continue to post the pandemic posts here as well – but they won’t get picked up by the email feed on days when I post on both topics). If you’re looking for my cyber/NERC CIP posts, you’ve come to the right place.


In case you haven’t seen it, on May 1 the White House issued an Executive Order on “Securing the United States Bulk-Power System”. First off, this was a complete surprise to me, as well as to a few other people who would normally have heard something about this beforehand. Second off, it’s not in any way a comprehensive order to secure the BPS (aka the BES, although I’m told there’s some minor difference in what the two terms apply to), but applies only to the supply chain.

Let me be clear: Unless there was some particular recent event that occasioned this – which I’ve certainly not heard about (if you have, please drop me an email) – or unless some important group like the Electricity Subsector Coordinating Council considered this step was necessary (again, for a reason I have not heard about) and requested that the administration issue the order, the order is a huge mistake. It will end up making the BPS much less secure, rather than the other way around.

Essentially, the order requires that any new procurement of just about anything for the BPS – not just control systems – be first approved by the Secretary of Energy. Specifically, Section 1(a) states that “any acquisition, importation, transfer, or installation” of any BPS equipment is prohibited, “where the transaction involves any property in which any foreign country or a national thereof has any interest (including through an interest in a contract for the provision of the equipment), where the transaction was initiated after the date of this order”, and also where the Secretary has determined that the transaction meets two conditions:

  1. It “involves bulk-power system electric equipment designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary”; and the transaction
  2. “poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of the bulk-power system in the United States; poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the economy of the United States; or otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.”
Of course, the Secretary can suggest mitigation measures, pre-qualify vendors, etc. But for the moment, I think the whole industry has to assume that any equipment they buy for the BPS (which is defined as 69kV and above, although the Order does state that any equipment used just for Distribution isn’t covered) first has to be cleared by DOE (by the way, would you say it’s likely that on Monday morning DOE will have all the forms ready for seeking approval, and whoever you talk to on the phone will know exactly who can answer any particular question you may have? I don’t, either).

I discussed this with Kevin Perry, former chief CIP auditor of SPP RE, this morning. We agreed that it’s hard to say what this order is intended to apply to. Since Kaspersky software was ordered removed from the BES a few years ago, we don’t believe there are any Russian or Chinese vendors at all who are now providing equipment to the BPS (and it’s hard to identify any other nations that would meet the “adversary” definition, since I don’t know of any trade now going on with North Korea and I don’t believe al Qaeda or ISIS sell electrical equipment). But here’s what the order might apply to:

  1. Dell and HP servers in Control Centers (BTW, the order just refers to “control rooms”, which normally means a room at a generating station or substation where control equipment is located, not an actual Control Center meeting the NERC definition), which are often assembled in Asian countries or Mexico. But since these are commodity items produced for a huge market – essentially, every governmental or non-governmental organization in North America – it’s quite a stretch to theorize that somebody in China has figured out how to bring down the US grid by implanting a backdoor just in the servers that will end up in grid Control Centers. And it’s even harder to theorize how those people will identify and send a signal to all of those servers when the time for the dreaded Grid Apocalypse arrives.
  2. Chips and other components of equipment and control systems. A lot of these probably are made in China, or might come from a small company in Singapore that might actually be sourcing them from China. But how is your average electric utility (or even a large one) going to be able to even learn the identities of the chips on a Dell motherboard, let alone determine who manufactured, assembled or traded them?
So I predict there will be massive confusion and wasted time, and ultimately very little risk mitigated, as a result of this hasty and ill-conceived order. As we all know, folks at electric utilities have lots of time on their hands now, since nothing significant in particular is going on otherwise in the US. I’m sure they’re all looking forward to those long mornings on the phone with DOE, trying to find out who even might know the answer to their question, let alone the answer itself – and to not knowing whether they’ll even get the same answer if they call back tomorrow.

But other than these small quibbles, I think it’s a great order. For example, the font it’s written in conveys a great sense of presidential authority. And the signature is a great example of less is more: “DONALD J. TRUMP, THE WHITE HOUSE, May 1, 2020”. Ya gotta’ love it.

P.S.
It just occurred to me that, rather than waste the industry’s time trying to solve non-existent problems, there’s one clear security risk to the BES as we speak. It was brought to our attention most notably when the Director of National Intelligence, together with the Directors of the FBI and CIA, presented the 2019 Worldwide Threat Assessment to the Senate Intelligence Committee that January.

One sentence in that report read “Russia has the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure—such as disrupting an electrical distribution network for at least a few hours—similar to those demonstrated in Ukraine in 2015 and 2016.” And an article in E&E News in May 2019 quoted the former deputy director of the NSA as saying that the Russians had deployed 200,000 “implants” (i.e. malware) in US critical infrastructure, including electric power, natural gas and water.

Yet to this day, there has been no investigation by any governmental or industry body of these two statements – and if there were, no information has been passed on to the industry, in either classified or non-classified form (and wouldn’t the industry want to know about malware that’s out there now, especially how to identify and remove it?). Now there’s a real problem.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!


