US President Donald Trump has declared a national emergency over threats to the country’s power system and ordered the Government to ban equipment from foreign adversaries and audit equipment already installed.
In an executive order signed on 1 May, Trump said: “foreign adversaries are increasingly creating and exploiting vulnerabilities in the United States bulk-power system” and added that “a successful attack on our bulk-power system would present significant risks to our economy, human health and safety”.
The order bans the purchase or installation of any bulk-power system electric equipment designed, developed, manufactured, or supplied by a “foreign adversary” that poses a risk of sabotage or risk of catastrophic effect on critical infrastructure. It also directs the Energy Secretary Dan Brouillette to identify existing control room equipment, reactors, meters, distributed control systems, and safety instrumented systems that pose a risk, and develop plans to isolate, monitor or replace them.
The order does not define who is a foreign adversary though the order comes amid growing tensions with China. Ed Crooks, Vice Chair at energy consultancy Wood Mackenzie, tweeted that the value of US imports of power equipment from China have risen steadily from just above US$2bn in 2002 to US$10bn last year.
“Are all those imports…now going to be blocked?” Crooks said.
Responding to the executive order, the Department of Energy (DoE) said that current Government procurement rules often result in contracts being awarded to the lowest-cost bids. It said this is “a vulnerability that can be exploited by those with malicious intent.”
Brouillette tweeted: “@ENERGY will be looking to leverage domestic manufacturing opportunities as a way to strengthen the security of the bulk-power system, maintain the resilience of the electric power grid more broadly, and generate well-paying jobs here at home.”
The DoE’s Office of Cybersecurity, Energy Security, and Emergency Response tweeted: “Malicious actors have sought to leverage unauthorized access to the bulk power system against the U.S. for over a decade. At the direction of @SecBrouillette, CESER stands ready to work with its partners to secure the private and federal procurement of critical BPS components.”
In a report last year on the energy industry’s vulnerability to cyber attacks, F-Secure warned that hacks against critical infrastructure are growing. The precise numbers are difficult to come by as attacks can go undetected and those that have been hacked are reluctant to publicise the fact. F-Secure detailed a number of recent cyber-attacks including one called Dragonfly 2.0 that targets industrial control systems for sabotage.
Faustine Felici, Project Manager at the European Cybersecurity (CyberSec) Forum, said: “Because of its critical function for our economies and societies, the energy sector has become a prime target for cyber-attacks.
“Ransomware attacks such as RagnarLocker and Maze recently hit Energias de Portugal – a Portuguese electric utilities company – and the information technology giant Cognizant, which provides services to industries in the energy sector among others, allegedly stealing dozens of terabytes of valuable files.”
EEI, an industry association representing electricity generators across 90 countries as well as equipment vendors, said its members will work closely with the DOE to address threats to security and “will continue to ensure that we are sourcing critical equipment from reputable manufacturers.”
The executive order has also created a taskforce that will work with representatives from the electricity and oil and gas sectors to develop infrastructure procurement procedures for Government agencies.