Cybersecurity and Physical Security

APPA, LPPC respond to bulk-power system executive order RFI

Responding to a Department of Energy request for information (RFI) tied to an executive order (EO) to secure the U.S. bulk power system (BPS), the American Public Power Association and the Large Public Power Council (LPPC) provided a cross-section of member utility responses based on principles that should be used to guide the rulemaking. 

Those principles included that any rules be risk-based, cost-conscious, and have a Defense Critical Electric Infrastructure (DCEI) focus.

In that context, the two public power trade groups in their Aug. 24 comments outlined potential enhancements to the risk-based purchasing process for capital equipment.

On May 1, 2020, President Trump signed Executive Order (EO) 13920, "Securing the United States Bulk-Power System," which authorizes U.S. Secretary of Energy Dan Brouillette to work with federal partners and the energy industry to secure the country’s BPS.

In a move tied to the EO, the DOE issued an RFI on July 8 seeking information to understand, among other things, the energy industry’s current best practices to identify and mitigate vulnerabilities in the supply chain for particular components of the BPS.

APPA and LPPC “support the goals articulated in the EO and believe that carefully structured regulations will enhance grid security without undermining reliability associated with the historically robust level of investment in critical grid facilities,” the groups said in their RFI comments. “The key to effective additional security measures will be a strategic, risk-based approach, focused on the most critical resources and highest priority threats.” APPA and LPPC “read this balance to be an implicit feature of the EO.”

Costs tied to the EO

APPA and LPPC said that responding to the EO has the potential to substantially increase the cost of major equipment.

They argued that rules should minimize costs to the maximum extent feasible. Also, the rules should align with a utility’s overall risk to the BPS and national security by adopting a manageable and incremental approach to implementation based on identified BPS risk and allocating adequate resources to cover any added burden to utilities and ratepayers.

APPA and LPPC also noted that their members have concerns that there may be substantial cost implications for small asset owners to manage compliance with the requirements of the EO.

The concern is that these owners may need to implement purchasing checks to address foreign ownership, control and influence (FOCI) when they believe that they have any FOCI-sourced equipment.

“Resources such as personnel additions or system overhauls to accommodate equipment/vendor checks for small utilities would be prohibitive. A risk-based approach that limits scope to larger systems would alleviate such concerns,” the two public power trade groups said.

Risk-based approach

The groups noted that electric utilities use some form of risk-based approach to capital equipment purchases, including associated BPS cyber systems purchases. Most rely on vendors with years of experience within the industry, careful study and design of equipment, and mature risk measures that assess suppliers in ensuring a reliable power supply, they said.

“Any rulemaking should enhance - not detract - from utilities’ existing, well-defined processes,” APPA and LPPC said.

DOE and its government partners can provide valuable assistance in these efforts through two enhancements to the risk-based purchasing process: (1) identifying FOCI through a simple and easily accessible process; and (2) identifying gaps in existing risk management frameworks with regard to FOCI, to be addressed in future framework iterations.

National defense strategic focus

In addition, APPA and LPPC said that defense critical electric infrastructure should be the first priority, while other infrastructure should be prioritized as a function of criticality.

The groups said that ideas to focus the extent of the rule include:

  • Prioritizing infrastructure applicable to the rule;
  • Strengthening partnerships between federal government and individual utilities; and
  • Avoiding the development of any new regulatory regime that changes or competes with existing industry standards or regulation.