The BES Supply Chain Executive Order – Your actions now will determine the outcome
- May 7, 2020 3:30 pm GMT
There has been a swirl of discussion around the industry about this Executive Order: who wrote it, why it was written, and what the catalyst was for this order coming out now. Lots of good questions. It apparently came as a bit of a surprise to the Electric Industry, as it seems there was little, or no, consultation with industry in advance of the order’s release on 5/1. I’m also a bit perplexed as to why there seems to have been no discussion with industry beforehand. But what’s important now is for the industry to decide what it should be doing, now, to get in front of this matter.
Clearly, the ball is in DOE’s court and they will decide the direction this takes and this is where industry should focus their attention and invest their resources – working with DOE on a solution.
DOE has a long record of collaborating with the industry to find solutions to problems that are practical. I expect this situation will be the same and a collaborative approach will be applied to tackling this challenge. And there may be a silver lining to this situation that could really benefit the industry.
Ever since the beginning of NERC CIP there have been some questions about how to vet products used within the grid control structure, i.e. routers, Ethernet switches, firewalls etc., leaving some amount of uncertainty. I recently learned of a Company that had purchased drones from China to use in the inspection of grid equipment and was instructed to no longer use these devices as they pose a security threat. No details were provided as to the specific threat they pose, but they were to cease using the “foreign drones”, resulting in stranded drone assets and lost capital.
What if this Executive Order results in a “menu of approved solutions” that has the endorsement of the DOE, and industry, produced using a collaborative approach? This would seem to eliminate the uncertainty over which solutions should be used in the BES in order to ensure that foreign risk has been mitigated and proper security measures are being followed. This would give industry a level of certainty into what products are approved and would save the industry from having to do their own vetting – just pick from the DOE list of accepted solutions and you’re on the right path. Simple and elegant.
As with all things cybersecurity-related, this is never a one-and-done situation. Flaws will be discovered, causing some solutions to fall out of favor and off the “approved list”, while new solutions will be added. This is just the beginning of a very long process, and this provides the industry with an opportunity to work in collaboration with DOE to reach an acceptable outcome. We can all ask why industry was not consulted before this order came out, or we can focus on what we need to do now to produce something useful from the new mandate. With the right thinking we can turn this into a benefit that will save us time and money in the long term, and avoid fines from having picked the “wrong solutions”. I have no crystal ball that guarantees the outcome I describe will occur; I think the industry has a lot of influence in determining the impact of this Executive Order and can turn this into something useful. My advice to you is to help yourself by getting on the phone with your DOE contacts and letting them know you want to be part of the solution. Alternatively, you can wait the 150 days and see what shows up on your doorstep – it’s your decision.