The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 

WARNING: SIGN-IN

You need to be a member of Energy Central to access some features and content. Please or register to continue.

Post

Executive Order and the Chinese Transformer

image credit: pexels.com

On May 1, 2020 President Trump signed an Executive Order (EO) regarding foreign-sourced equipment for the bulk power system (BPS). There have been a few articles regarding the impact of this on the industry. I was interviewed by T&D World for one article and Joe Weiss, a long-time control system security expert, revealed that the timing of the EO may be based on the delivery and subsequent discovery of back doors from a Chinese transformer purchased by the Western Area Power Administration.

What does this EO mean for electric utilities? Right now, there is limited information. A Stakeholder call (transcript in this video) was held on May 21, 2020 by the Department of Energy, tasked with the development of the EO plan and associated Task Force. The presentation was mainly a restatement of the EO and a statement of the four pillars that the Department of Energy will focus on for this EO:

  1. Identify source countries and specific equipment for prohibitions based on risk to the BPS;
  2. Establish a pre-qualification process for equipment that are acceptable for use in the BPS;
  3. Develop a process to mitigate risk with asset owners of prohibited equipment; and
  4. Communicate information via the Task Force to the stakeholders (electric utilities, Federal entities such as the regional power administrations and others) in the BPS.

There are a few points that we can review in preparation of the Task Force issuing additional information.

Identify Source Countries and Equipment

The lion’s share of attention has been attached to China and the 345 kV transformer that was ordered by the Western Area Power Administration, according to the Wall Street Journal. However, equipment manufactured by companies with European headquarters is often developed in other countries such as China and Brazil due to labor and raw material costs. The challenge will be to determine which equipment poses a measurable risk to the BPS regardless of company or country of origin. Initially, the Task Force will need to develop broad categories of countries and equipment that require further assessment. Then, utilities and other BPS stakeholders will need to perform an inventory and risk assessment of the Task Force categories to determine mitigation actions.

Process and Control System Electronics

While the list of equipment under review in the EO is extensive, the major components that require scrutiny from a cyber view are the process sensors and control system electronics. These devices and systems measure physical and electromagnetic characteristics of the equipment or operating environment and report to a control system. The control system constantly performs logical analysis and can issue control commands to other devices such as valves, protective relays, load tap changers, and other control devices. If a characteristic such as voltage, current, temperature or pressure exceeds the boundaries previously set, the control device can take action to protect lives and equipment damage.

Utilities and other BPS stakeholders should be prepared to assess all process and control system electronics for cyber threats, regardless of country of origin or location in the BPS. The ability for nation-states to infiltrate electronics manufacturing and microcode development at any location in the world is a significant risk that will require an equally significant effort to identify and mitigate.

Summary

At first glance, this EO appears to be focused on major equipment associated with the BPS owned by large utilities or power administrations. However, I believe that this EO will only expose the tip of the iceberg from a threat and vulnerability perspective; and the industry will need to reassess all their process and control system electronics throughout the BPS.

The information technology industry experienced a similar issue in the late 2000s with counterfeit networking equipment, which is still an issue today. This associated issue for process and control systems is just starting to receive the level of attention required to take action, either from the EO or other risk assessments.

Jeff Pack's picture

Thank Jeff for the Post!

Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.

Discussions

Matt Chester's picture
Matt Chester on Jun 24, 2020 12:41 pm GMT

However, I believe that this EO will only expose the tip of the iceberg from a threat and vulnerability perspective; and the industry will need to reassess all their process and control system electronics throughout the BPS.

Would you say then that the approach of using the EO may have been hasty, and a more in depth and studious approach would have yielded a better strategy? Or was a sweeping EO at the outset needed to plug the dam, if you will, before a fully implemented and nuanced strategy could be contemplated?

Jeff Pack's picture
Jeff Pack on Jun 24, 2020 5:28 pm GMT

Hi Matt,

From a US policy standpoint, the EO was overdue, so in general, I'm glad it was issued. However, I do think that the implementation of the EO will be much more involved than most people expected and peeling back the first layer with the EO will expose the need for a comprehensive assessment of process and control system electronics. I expect that the EO will be modified or enhanced to include this assessment.

Richard Brooks's picture
Richard Brooks on Jun 25, 2020 11:58 pm GMT

Thanks for an objective analysis of the EO Jeff. I see you captureb Bruce Walkers 4 pillars description concisely. Good job.

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »