On May 1, President Trump issued an “Executive Order on Securing the United States Bulk-Power System” (Order), which could have wide-ranging consequences for utilities, generators, transmission providers, and other electricity sector participants across the nation. Citing the risk of malicious cyber activities to the U.S. bulk power system, the Order declares that the unrestricted foreign supply of bulk-power system electric equipment constitutes an “unusual and extraordinary threat” to U.S. national security.
The Order has been issued pursuant to the International Emergency Economic Powers Act, which grants the President broad authority to take actions with respect to transactions involving foreign countries and foreign nationals during a declared national emergency. The Order is focused on the security of the U.S. portion of the North American bulk electric grid and broadly applies to Federal agencies and U.S. persons in the chain of supply and use of bulk power system electric equipment. Lead authority to implement the Order has been assigned to the Secretary of Energy, acting in close coordination with the Office of Management and Budget, Department of Defense, Department of Homeland Security and other agencies.
MAY 1 EXECUTIVE ORDER
The Order is focused on prohibiting the acquisition, importation, transfer or installation of certain bulk power system electric equipment, which is defined in the Order to include transformers, generators, protective relays, metering equipment, circuit breakers, generator turbines, industrial control systems, and other critical equipment. However, this prohibition is not self-implementing. Instead, a transaction is not prohibited unless the Secretary of Energy has determined that:
the equipment involved has been designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the direction of a “foreign adversary”; and
the transaction poses: (i) an undue risk of sabotage or subversion of the bulk-power system; (ii) an undue risk of catastrophic effects on the security or resiliency of U.S. critical infrastructure or the economy; or (iii) an unacceptable risk to national security.
Any transaction occurring after May 1st is potentially subject to a Secretarial finding that it constitutes a prohibited transaction. Further, each of the four categories of actions (acquisition, importation, transfer or installation) is a separate basis for application of the prohibition. On the other hand, the Secretary may pre-qualify particular equipment and vendors of bulk-power system electric equipment, to which the prohibitions would not then apply.
Regulations implementing the Order are to be promulgated within 150 days. Such rules may include:
Designations of particular countries or persons as a “foreign adversary” for purposes of the Order’s prohibitions;
Identification of persons determined to be owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary;
Classification of particular equipment warranting higher levels of scrutiny; and
Establishment of procedures to license activities otherwise prohibited under the Order.
Other actions to be taken under the Order include:
Identification of existing bulk-power system electric equipment that may pose national security risks because it was designed, developed, manufactured or supplied by a foreign adversary, and recommendation of measures to identify, isolate, monitor or replace such equipment;
Design or negotiation of measures to “mitigate” the national security risks to the bulk power system underlying the Order; and
Development of energy infrastructure procurement policies and procedures for Federal agencies.
The Order could have wide-ranging consequences for the acquisition, importation, installation or transfer of equipment used for the bulk power system, where such equipment, or parts or software incorporated in such equipment, is sourced outside of the United States. “Bulk-power system electric equipment” is specifically defined to include items commonly used in bulk power substations, control systems, and power generating stations. It appears that the Order is not intended to reach distribution system equipment, but where components are used for both transmission and distribution, for instance, availability could be affected. The Order also is not limited to equipment currently subject to NERC cyber security and other reliability standards.
A key implementation question arises with respect to the Supply Chain reliability standards developed by NERC in 2017. Under the adopted supply chain standards, entities that possess high and medium impact bulk electric cyber systems are required to develop processes to manage supply chain risks to those systems through their procurement processes. Companies will need to consider the interplay between the new restrictions under the Order, which are effective as of May 1, 2020, and measures designed to comply with the NERC CIP requirements, including the Supply Chain reliability standard, which has a recently extended effective date of October 1, 2020.
The Secretary of Energy, Dan Brouillette, has stated that DOE’s implementation of the Order will “leverage domestic manufacturing opportunities as a way to strengthen the security of the bulk-power system, maintain the resilience of the electric power grid more broadly, and generate well-paying jobs here at home.” This suggests that the Administration may seek to prioritize and drive use of domestic manufacturers of bulk power system equipment. It is expected that the Secretary’s initial focus will be on immediate risks to the bulk power system arising from malicious cyber threats and activities.