President Donald J. Trump issued an Executive Order in which he declared a national emergency to protect the United States’ bulk-power system against attacks from foreign adversaries.
Reasoning Behind the Executive Order
In the Executive Order the President issued on May 1, President Trump framed the threats confronting the American bulk-power system as risks to U.S. national security:
…[F]oreign adversaries are increasingly creating and exploiting vulnerabilities in the United States bulk-power system, which provides the electricity that supports our national defense, vital emergency services, critical infrastructure, economy, and way of life. The bulk-power system is a target of those seeking to commit malicious acts against the United States and its people, including malicious cyber activities, because a successful attack on our bulk-power system would present significant risks to our economy, human health and safety, and would render the United States less capable of acting in defense of itself and its allies.
Malicious attackers have already made headlines in their attempts to exploit software vulnerabilities and thereby attack the U.S. power grid. Below are just a few of those incidents:
- Back in May 2018, The Hill covered a vulnerability that affected two applications developed by international energy management company Schneider Electric. A security firm reported that malicious actors could have abused the flaw to assume control of the underlying system. They could have then leveraged that access to move laterally throughout the network and access the human-machine interface, technology which they could have tampered with to disrupt or cease operations at the victim organization.
- Approximately a year later, Dark Reading reported on the latest activity of those individuals responsible for the Saudi Arabian petrolchemical plant attack. A security firm observed that that threat group, dubbed “XENOTIME,” had launched a campaign to probe the networks of U.S. electric utilities located in the United States and the Asia-Pacific region.
- SecureWorld revealed in a blog post that the North American Electric Reliability Corporation (NERC) had learned of a power attack against an organization in the western United States. In March 2019, operators at a power control center owned by the victim organization lost communication with “multiple remote power generation sites.” An investigation determined that an external entity had been exploiting a known firewall vulnerability to cause firewalls at the organization to reboot, thereby affecting communications. This digital attack persisted for 10 hours.
Measures Enacted under the Executive Order
The incidents described above highlight the need for the United States to protect its bulk-power system against digital attacks from foreign actors. President Trump vocalized his support for this viewpoint in the Executive Order:
I therefore determine that the unrestricted foreign supply of bulk-power system electric equipment constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States, which has its source in whole or in substantial part outside the United States. This threat exists both in the case of individual acquisitions and when acquisitions are considered as a class.
To help minimize the risks posed to the U.S. bulk power system, President Trump presented two important initiatives in his Executive Order: new responsibilities for the Secretary of Treasury and the creation of the Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security (Task Force).
New Responsibilities for the Secretary of Energy
The Executive Order authorizes the U.S. Secretary of Energy to oversee the addition of foreign equipment to the country’s bulk-power system. As such, the Secretary is empowered to terminate pending and future transactions of such equipment; to determine particular countries or persons that would constitute foreign adversaries under the Executive Order; to identify equipment that needs further investigation; and to create means by which transactions involving foreign bulk-power system equipment that would otherwise be prohibited may proceed forward. The Secretary may choose to redelegate some duties to authorities of their choosing along the way.
At that point, it is up to the Secretary to collaborate with the Secretaries of Defense and Homeland Security along with the Director of National Intelligence and other agency heads in publishing rules that can guide the industry actors in their acquisition and management of bulk-power equipment produced in foreign countries. Those rules must be published within 150 days of the Executive Order. They are also expected to develop recommendations through which organizations can isolate, monitor and/or replace equipment that might constitute a threat under the President’s directive.
Creation of the Task Force
The Executive Order lays the groundwork for the creation of the Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security (Task Force). The mission of this body is to protect the nation’s energy infrastructure against national security threats. According to the President’s directive, the Secretary of Energy will chair this Task Force as it pursues its mission. They will be joined by the Secretaries of Defense, Interior, Commerce and Homeland Security along with the Director of National Intelligence, Director of the Office of Budget and Management and any other relevant agency heads.
In pursuit of its mission, the Task Force is expected to pursue certain tasks. Of paramount importance, it must coordinate industry actors’ efforts to obtain energy infrastructure equipment. It will do this by developing policies and procedures that govern how agencies can procure critical energy infrastructure while taking the United States’ national security into consideration. It will also lead the means to share risk information and relevant risk management practices with industry groups. The Task Force will form these relevant policies and channels by consulting with both the Electricity Subsector Coordinating Council and the Natural Gas Subsector Coordinating Council.
The Task Force must then submit a report to the President within a year. This report must summarize the Task Force’s findings and recommendations.
What the EO means for Defending Critical Energy Infrastructure
Dan Brouillette, U.S. Secretary of Energy, explained in a press release that the Executive Order will help to shore up the nation’s critical energy infrastructure going forward:
Today, President Trump demonstrated bold leadership to protect America’s bulk-power system and ensure the safety and prosperity of all Americans. It is imperative the bulk-power system be secured against exploitation and attacks by foreign threats. This Executive Order will greatly diminish the ability of foreign adversaries to target our critical electric infrastructure.
It’s important to note that the rulemaking process outlined in the Executive Order allows for flexibility in the timeline for implementation. Therefore, electric utility organizations must continue working to secure their environments against all types of attackers. They can do this by developing an up-to-date inventory of their assets, continually managing that inventory, implementing internal security controls and conducting penetration tests to prob their networks for weaknesses.
Learn how ITEGRITI can support your efforts to develop and implement programs that protect your network, and mitigate cyber and compliance risk..