The U.S. energy industry was caught by surprise by an executive order from President Trump last Friday announcing that “bulk-power system electric equipment” from “foreign adversaries” represents an “extraordinary threat to national security” and laying out a sweeping yet ill-defined set of powers to prohibit U.S. companies from their “unrestricted acquisition or use.”
Now the power sector is demanding more information on what the executive order means and how it could disrupt their business.
Which countries are “foreign adversaries”?
The order doesn’t make that clear, although it’s likely that China and Russia would be on that list, cybersecurity experts say, pointing to recent federal actions against companies from those countries, such as Kaspersky Lab’s cybersecurity products and Huawei’s telecommunications equipment and solar inverters.
What kind of equipment may or may not be included?
The order lists specifics including generators, capacitors, transformers, circuit breakers, reclosers, voltage regulators, metering equipment and industrial control systems. But it also includes the broad category of “generation facilities that are necessary for system reliability,” meaning it could apply to battery energy storage systems, solar panels and inverters or wind turbines.
When will the government say which equipment is prohibited and which is not?
In an email, a Department of Energy official declined to provide hard dates. The task force led by Energy Secretary Dan Brouillette that will carry out the order will be created “over the forthcoming weeks,” the official said, and a “pre-qualified vendor list as well as prohibited equipment” will be announced after that — presumably within the 150 days the order gives the task force to publish rules or regulations to enforce it.
How far into the past will the task force be able to extend its authority to demand that private industries “identify, isolate, monitor, or replace” prohibited equipment?
The answer is “as clear as mud,” Keith Martin, a transactional lawyer focused on tax and finance at law firm Norton Rose Fulbright, said in an interview. While the order states that its prohibitions will apply to transactions initiated “after the date of this order” on May 1, it also states that they will apply “notwithstanding any contract entered into or any license or permit granted prior to the date of this order,” indicating it could apply to transactions that have been underway for some time, he said.
It’s also unclear whether the order will simply bar U.S. companies from importing prohibited equipment or also ban transactions involving projects that use it, Martin said. That could potentially prevent energy storage projects from being sold by developers to other parties or prevent tax equity transactions for wind and solar projects, he said.
All of these unknowns are a new burden for renewable energy developers rushing to meet deadlines for federal tax credits, energy storage projects that face tight completion schedules, and an energy sector at large that’s struggling to manage the disruptions of the coronavirus pandemic, Martin said. “It’s sand in the gears of the power market until some of these questions are answered. I hope that DOE sees value in putting out a list of equipment of concern more quickly. That would start to address some of the uncertainty.”
It’s unfortunate that the executive order has caused so much confusion because it’s far from clear that was its intention, Jason Johns, energy partner at the law firm Stoel Rives, said in an interview. While the order could extend to utility-scale wind, solar and battery systems, it’s more likely “meant to focus on assets that are material to the reliability of our system, such as the nuclear facilities, and certainly the transmission network.”
The cybersecurity concern most likely to have prompted the executive order
A person involved in high-level DOE cybersecurity work who was not authorized to speak on the record echoed this view, saying that the executive order is the culmination of several years of work on identifying equipment used in U.S. critical infrastructure that might contain technology that could make it vulnerable to cyber-intrusion by foreign entities.
One of the groups behind this effort is the Cyber Solarium Commission, created under the 2019 National Defense Authorization Act to develop a governmentwide approach to protect against cyberattacks "of significant consequences.” The commission’s March report highlighted China, Russia, Iran and North Korea as potential threats, and called for “private-sector entities to step up and strengthen their security posture.”
The second is the Cyber Testing for Resilience of the Industrial Control Systems (CyTRICS) program, part of DOE’s Office of Cybersecurity, Energy Security, and Emergency Response. CyTRICS is designed to provide “testing and enumeration of critical electrical components” to “identify both systemic and supply chain risks and vulnerabilities,” DOE Assistant Secretary Karen Evans told the House of Representatives Energy and Commerce Committee's Energy Subcommittee in a July 2018 hearing focused on whether technology from China’s Huawei and ZTE — two companies that have become the focus of U.S. national security concerns — is making its way into bulk power system equipment.
Damon Small, technical director of cybersecurity consulting firm NCC Group, said that Friday’s executive order “looks like they’re trying to protect the supply chain of components that will end up within bulk power equipment…that somehow gives those malicious actors access to the grid.”
As an example, he mentioned the 2018 report from Bloomberg Businessweek describing a Chinese effort that led to spyware microchips being embedded on motherboards from U.S. company Super Micro Computer that went into servers used by the Department of Defense and companies including Apple and Amazon — a claim strenuously denied by the companies and agencies involved.
This focus on hardware and supply-chain threats is distinct from long-running efforts to combat foreign actors seeking to hack into the information technology (IT) and operational technology (OT) systems of the U.S. power sector, Small said. Those have been going on since 2011 at least, via "spear-phishing," "watering hole domains" and other known hacking methods.
A 2018 joint alert from the Department of Homeland Security and the FBI formally accused Russia of a “multi-stage intrusion campaign” targeting energy, nuclear, water supply and government entities via the IT networks of subcontractors and third-party suppliers, aimed at accessing the industrial control systems or supervisory control and data acquisition systems of utilities and power plants.
Russian hackers have been identified as the perpetrators of a cyberattack in Ukraine that caused blackouts affecting several hundred thousand people for a few hours, first in December 2015 and again in December 2016.
Last year, E&E News detailed the first documented cyberintrusion affecting the U.S. bulk power system, though a far less serious one than the Ukraine attacks. It targeted a known weakness in Cisco firewalls that caused renewable energy provider sPower to lose communications between remote wind and solar sites and its grid control center in 5-minute increments over a period of 12 hours. It had no effect on operations and the firewall vulnerabilities were quickly closed.
But Smalls pointed out that these attacks didn’t require access to compromised hardware to carry out. “It’s much easier to attack the traditional OT-IT interconnects, coming through business networks and then pivoting into the control systems network. What we don’t know yet, which will be interesting to find out, is, does our government have some kind of intelligence that would suggest a supply chain attack would provide another way to gain access?”
Risks for renewable developers: "How far into the plant does this go?"
Whatever secrecy may be hidden behind the executive order’s oblique wording has put renewable and energy storage companies on edge “at a time when supply chains were already somewhat constrained due to coronavirus,” Stoel Rives' Johns said. “You could imagine that many systems that are assembled in a friendly foreign nation, or even in the U.S., may include components that may come from China. How far down do we need to strip down our equipment to understand where individual components come from?”
It’s also unclear why the executive order would be rolled out at a time when the entire country is being forced to postpone a great deal of ongoing work to deal with the pandemic, he said. Just last month, the Federal Energy Regulatory Commission granted a request from North American Electric Reliability Corporation to delay the implementation of cybersecurity risk standards for U.S. utilities, including those centered on supply-chain assessment, due to coronavirus disruptions.
Tom Kuhn, president of the Edison Electric Institute, said the utility trade group and its members support the executive order as part of an “ongoing collaboration with the federal government,” adding that utilities “will continue to ensure that we are sourcing critical equipment from reputable manufacturers."
Ben Kellison, director of grid edge research at Wood Mackenzie Power & Renewables, noted that the types of utility equipment cited in the executive order are primarily supplied by companies based in the U.S., Europe and Japan companies such as General Electric, Siemens, and the ABB power grid business soon to be owned by Hitachi. “US utilities don’t buy primary transmission equipment from China.”
Kellison noted that the executive order could be seen as applying to generation equipment, primary transmission equipment and controls, and ICS and SCADA systems and their supply chain. "ICS, SCADA and transmission controls are certainly a focus under this order, but it remains unclear how deep into the generation plant this order will go. There are a multitude of inverters, solar panels, batteries, and components that were either designed, developed, manufactured, or supplied by China.”
And while the executive order may appear to be focused on cybersecurity, “the way it’s written, it also applies to equipment that may or may not have any software or intelligent components,” he said. “There are questions regarding clarity that it’s important for the administration to answer regarding wind, and solar, and energy storage facilities, equipment and components, as well as potentially other types of plants.”
Peter Navarro, a senior trade adviser to Trump who led work on the executive order, told Politico this week that clean energy and storage developers shouldn’t worry about the impacts. "Unless you intend to use foreign components that may pose a risk for the bulk power system, including flawed batteries or inferior solar or wind turbine systems, you have nothing to worry about," Navarro said.
Meanwhile, Navarro wrote in a Fox News op-ed that the executive order may consider “hardware-based” threats, such as components “purposefully made with inferior materials designed to fail prematurely, and possibly intentionally.”
It's unclear, ultimately, what recourse that affected solar, wind and storage developers would have if their equipment is targeted, Johns said. Regulated utilities would likely be able to seek cost recovery for any equipment that is barred entry or removed from service, under a legal principle known as the filed-rate doctrine, he said.
Renewable energy developers, on the other hand, “will have to look to other avenues” to seek financial compensation for similar losses, “and I’m not sure there is an equivalent regulatory avenue that protects them,” he said.