I am reticent to mix two items in one blog, though in this case I need to.
After more than 13 years of providing the Unfettered blog as a free public service, the Unfettered blog will become a subscription service. This will be occurring in the next few weeks as the subscription website becomes available. All of the historical Unfettered blogs will continue to be available for free at www.controlglobal.com/unfettered.
I have tried very hard to keep the Unfettered blog technical and will continue to do so. The issues with cyber security of the grid are at least 20 years old- this is not an issue unique to any presidential administration. Specific to the Presidential Executive Order 13920, there are many important policy, technical, and commercial issues (e.g., credit ratings, insurance, etc.) that are directly encompassed and indirectly affected by this Order. I will provide some top-level details with the rest of the policy, technical, and commercial details to be provided on a subscription basis.
I do not know what precipitated the issuance and timing of the Executive Order. However, this new Executive Order should not have been a surprise. May 30, 2019, I issued the blog on counterfeit transmitters.
The reason for the blog was that counterfeit transmitters from China were making their way into the North American market and the major sensor vendors (not just one) were affected. These counterfeit devices are a significant safety issue. This was not the first time China or Russia have attacked the control system vendor supply chains. Their attacks date back to at least the 2010-12 time-frame as I have written numerous blogs to that affect. Many of these affected systems are still in use in the US bulk and distribution power systems. Moreover, vendors supplying bulk (and distribution) electric equipment for the US electric system have also supplied similar (often the same) bulk and distribution electric equipment used in countries such as China, Iran, Russia, Pakistan, etc. (I have included distribution as it is often the same equipment as transmission and transmission directly “talks” to distribution). However, the North American Electric Reliability Corporation (NERC) refuses to address the transmitter and other engineering equipment and devices in their supply chain requirements and in the Critical Infrastructure Protection (CIP) cyber security standards.
August 6, 2019, I issued the following blog concerning the July 25-26, 2019 Cyber War Games at the US Naval War College which a number of major US electric utilities, NERC, and many government organizations participated; however, representatives from the Federal Energy Regulatory Commission (FERC) and the Nuclear Regulatory Commission (NRC) were not there.
The issue of “counterfeit SCADA parts” was brought up by the Red Team (attackers) resulting in the acting President of the United States (POTUS) issuing a grid emergency declaration. The utility representatives were irate at the POTUS declaration. The new Executive Order is essentially a replay of the Cyber War Games. Is there a direct correlation? I do not know though there were many from the military and intelligence community participating.
As mentioned, the new Executive Order is long overdue. However, it will open up some very interesting policy issues between FERC)/NERC, the state public utility commissions (PUCs), and the NRC.
These include:
- The Executive Order will directly challenge many of the core NERC CIP requirements that provide exclusions to addressing the identified bulk electric equipment;
- The jurisdictional split between FERC/NERC and state PUCs will be reopened; and,
- The jurisdictional split between FERC/NERC and the NRC will be reopened.
Additionally, “adversaries” (China, Russia, etc.) are on many US and international bulk and distribution standards committees (e.g., IEEE, ISA, ASME, IEC, CIGRE, etc.) as well as policy/research organizations (e.g., the Edison Electric Institute -EEI, the Electric Power Research Institute- EPRI, etc.).
The issues being addressed are not new. I testified to several Congressional committees on these issues dating back to the 2007 time-frame. Some of these issues are described in my book – Protecting Industrial Control Systems from Electronic Threats that was published in 2010. Consequently, it is evident this Executive Order is long overdue if we want to “keep the lights on” and “water flowing”. It will require a detailed reassessment of many policy, technical, and commercial issues associated with cyber security of the electric grid and will also require the participation of the engineering community.
