On May 1, 2020, the White House issued an Executive Order on Securing the United States Bulk-Power System.1 The executive order states that the cyber threats against the bulk-power system2, and the supply chain risks associated with foreign designed and manufactured equipment procured and installed as part of the bulk-power system, constitute a risk so significant that it necessitated the declaration of a national emergency. Among other things, the executive order gives a mandate to the US Department of Energy to prepare lists of pre-qualified equipment and manufacturers and to identify prohibited equipment already in use for its later isolation and removal.3
To set the newly released executive order into its wider context: understanding the cyber threats targeting the power grid, acknowledging the vulnerabilities residing in the wider bulk-power system and the electric equipment it contains, and presenting the potentially catastrophic aftermath of an attack targeting the grid and wider critical energy infrastructure have been frequently visited topics in recent years.
Some of the most recent examples include the latest publicly available ‘Worldwide Threat Assessment of the US Intelligence Community,’ where nation-states such as Russia and China have been publicly identified as having cyber capabilities to cause disruptive effects on electrical distribution networks and natural gas pipelines.4 The former White House cybersecurity czar, Richard A. Clarke, dedicated a whole chapter of his latest book, ‘The Fifth Domain,’ to discussing the disruptive potential of cyber-attacks against the US power grid. He suggested that the US power grid has already been penetrated by Russians and that they have already managed to gain access to the air-gapped control systems.5 Lastly, Dragos, an American cybersecurity company specialized in industrial control systems, released a report in January 2020 in which it listed 11 different activity groups targeting electric utilities not only in North America, but also in Europe, the Middle East, Africa, Asia, and the Asia Pacific region.6
Dragos’s findings are in line with news emanating from Europe, where the European Network of Transmission System Operators for Electricity (ENTSO-E) released a statement in March 2020 stating that its office networks had been successfully penetrated.7 While ENTSO-E plays a coordinating role in the European electricity markets and has a limited impact on the operational side of transmission system operators (TSO), the successful penetration of ENTSO-E could be seen as an intelligence collection effort to gain information on the TSOs and their operations, and serve as a stepping stone for further intrusions in the network of operators.
Taking a look at the energy sector outside the electric grid, the executive order signed by President Trump to protect the bulk-power system comes roughly six months after a disruptive cyber-attack had hit another part of the broader energy network. A ransomware attack using ‘Ryuk’ malware against a natural gas compression facility caused a controlled shutdown of the processes and two days of downtime at the facility and the pipeline it serves.8
The language used in the executive order, particularly the term ‘foreign adversary’ and references to malicious activities targeting the US critical infrastructure, suggests that the key goal of this executive order is to rid the US bulk-power system of components originating from China, Chinese companies, or companies where Chinese interests play a key role. The secondary element is to support the growth of local manufacturing and further implement the Trump administration’s ‘America First’ policy. Depending on the implementation of the executive order, it could also have a limited impact on European producers of power system components that might end up losing some American market share over a longer timeframe.
- After years of continued warnings about the vulnerability of the electric grid and energy sector, and supported by the increasing geopolitical tensions, the US has finally made a major political move to protect its bulk-power system from malicious foreign actions. According to some comments, the principal target for this executive order appears to be China and Huawei in particular.9
- Aiming to remove potentially malicious foreign components from energy infrastructure can be seen as a natural continuation of the work started earlier in the telecommunications sector. It remains to be seen if other countries will follow suit now that the United States has opened the game.
- Should manufacturers from countries considered friendly towards the US and its interests be greatly impacted by this executive order, it might lead to further tit-for-tat protective actions being taken. For example, the European Union could issue protective measures against critical infrastructure components designed and manufactured in the US, or by American companies.
- As the decoupling of markets and establishing protective market barriers continues, the locale of manufacturing and ownership continues to play a more significant role than before. This development, together with growing distrust in fragile just-in-time global supply chains, will move more production of various kinds of critical components closer to their locale of use and operation.
- The European Union and its member states are forced to make painful choices between the historically important transatlantic connection and China. The new emerging world may not prove to be China-centric; rather, the Western world, in particular, will be increasingly alienated from China because of China’s more aggressive geopolitical posture.
- Apart from the supply chain protection measures, the US government and private sector findings concerning the foothold that Russia and other countries may have successfully built within the US bulk-power system give rise to an uncomfortable question. What is the current situation with the bulk-power systems in Finland, other Nordic countries, and the wider European Union?
Featured in Sectra Newsletter, May 2020