On April 20, 2021, the Biden Administration took steps to address cybersecurity risks in the US energy sector industrial base by announcing a 100-day cybersecurity initiative for electricity subsector industrial control systems (“100-Day Plan”) and by issuing, on April 22, 2021, a Request for Information to inform future recommendations for US energy systems’ supply chain security (“RFI”). Public comments in response to the RFI are due by June 7, 2021.
These actions support the Biden Administration’s February 24, 2021 Executive Order on “America’s Supply Chains” (“Executive Order 14017” or “Supply Chain EO”), which, among other things, directed the heads of appropriate federal agencies to (i) within 100 days, identify and make recommendations to address risks in the supply chain for certain technologies and critical goods, and (ii) within one year, review and make recommendations to improve supply chains for a wide range of industrial sectors. These actions also mark the Biden Administration’s first efforts to formulate a new approach to specifically address the US energy sector’s supply chain security following President Biden’s suspension of Executive Order 13920 (“Bulk-Power System EO” or “BPS EO”).
100-Day Plan
The Supply Chain EO emphasizes a number of potential threats to American supply chains, including threats arising out of pandemics, cyber-attacks, extreme weather events, terrorist attacks, and geopolitical and economic competition, which can reduce critical manufacturing capacity and the availability and integrity of critical goods, products, and services. The Supply Chain EO orders federal agencies to examine vulnerabilities in certain US supply chains and to issue reports providing policy recommendations for increasing supply chain resiliency and security. The Supply Chain EO mandates accelerated 100-day reviews of supply chain vulnerabilities in four key sectors (i.e., semiconductor manufacturing and advanced packaging, high-capacity batteries, critical minerals and strategic materials, pharmaceuticals and active pharmaceutical ingredients), as well as one-year reviews for several broader sectors, including the energy sector industrial base. Our blog post on the Supply Chain EO is available here. Our blog post on the Department of Agriculture’s recent request for comments on agricultural commodities and food products supply chains under the Supply Chain EO is available here.
The 100-Day Plan announced by the Department of Energy (“DOE”) is part of the one-year review of energy sector industrial base supply chain vulnerabilities. The initiative, which is envisioned to be a coordinated effort between DOE, the electricity industry, and the Cybersecurity and Infrastructure Security Agency, aims to modernize cybersecurity defenses for electric utilities’ industrial control systems (“ICS”) to provide better visibility and threat detection capabilities. The 100-Day Plan focuses on (i) encouraging owners/operators of electric utility ICS to implement additional cyber intrusion detection and mitigation capabilities, (ii) recommending milestones for owners/operators to identify and deploy real-time situational awareness and response capabilities in critical ICS and operational technology (“OT”) networks, (iii) seeking to reinforce and enhance critical infrastructure IT networks, and (iv) including a voluntary effort to deploy threat detection technologies in ICS and OT networks.
The RFI
The RFI seeks the public’s input on long-term strategies for addressing cyber risks to the US energy sector industrial base and the possible expansion of DOE’s prohibition authority following President Biden’s suspension of the BPS EO. By way of background, the BPS EO authorized the Secretary of Energy to prohibit the acquisition, transfer, or installation of certain bulk-power system equipment sourced from “foreign adversary” countries. In December 2020, the Trump Administration issued a “Prohibition Order” that invoked the authority of the BPS EO to prohibit certain “critical defense facilities” from acquiring, transferring, or installing BPS electric equipment manufactured or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the People’s Republic of China. Our blog post on the December 2020 Prohibition Order is available here.
On January 20, 2021, the Biden Administration suspended the BPS EO, and therefore the Prohibition Order, for 90 days through Executive Order 13990 while the Administration considered other approaches that would strengthen protections against high-risk electric equipment while providing greater certainty to the electric utility industry and the public. Following the expiration of the 90-day suspension of the BPS EO on April 20, 2021, the DOE revoked the Prohibition Order and subsequently issued the RFI.
Note, however, that the revocation of the Prohibition Order does not impact other existing laws that prohibit the federal government from entering into a contract with an entity that uses any telecommunications equipment or services as a substantial component of any system from certain companies, including Huawei Technologies Company or ZTE Corporation. See Sec. 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019.
Unlike the Prohibition Order that focused specifically on threats from China, the RFI is seeking to identify threats on a global basis. Specifically, the RFI seeks public input by June 7 on national security, economic, and administrability considerations to inform future actions by DOE. In particular, the RFI seeks public comment on:
- Any technical assistance needed by states, Indian Tribes, and local governments to enhance the security of their electric systems;
- Any additional actions regulators could take to address critical electric infrastructure security and the incorporation of criteria for evaluating foreign ownership, control, and influence (“FOCI”) into supply chain risk management;
- Actions DOE can take to facilitate responsible procurement practices in the private sector;
- Any criteria DOE could issue to inform utility procurement, state requirements, or Federal Energy Regulatory Commission reliability standards to mitigate FOCI risks;
- Whether DOE should issue a prohibition order or other action focusing on equipment installed in the electrical distribution system;
- Whether DOE should issue a prohibition order or other action covering critical electric infrastructure serving sectors other than defense; and
- Whether utilities are capable of identifying critical infrastructure in their service territory that would enable compliance with DOE requirements.
The RFI notes that DOE expects utilities to minimize the risk of installing electric equipment and programmable components sourced from foreign adversaries, including China, while further recommendations are under development. Given this expressed concern regarding electric system equipment originating from foreign adversaries, utilities may consider refraining from installing electric equipment and programmable components sourced from China or other countries that the federal government considers a foreign adversary until additional guidance or actions are taken by DOE.
If you wish to submit a comment on the RFI or have any questions, please reach out to your Baker McKenzie contacts.