Security and Resilience (Cyber and Physical)

APPA, other groups urge DOE to incorporate foundational principles for supply chain security

As the Department of Energy (DOE) considers further action on energy sector supply chain security, any new measures must be risk-based; directives should be clear, prospective, and scalable; DOE should focus on vendor risks; and directives must be cost-conscious, the American Public Power Association (APPA), the Large Public Power Council (LPPC), the National Rural Electric Cooperative Association (NRECA), and the Transmission Access Policy Study Group (TAPS) recently asserted.

The June 8 comments submitted by the four trade associations responded to a DOE Request for Information (RFI) seeking input from stakeholders to inform future recommendations for supply chain security in U.S. energy systems.

The RFI was issued on April 20 in conjunction with an announcement by DOE that it was revoking the “Prohibition Order Securing Critical Defense Facilities,” which took effect on January 16, 2021, and prohibited utilities that supply critical defense facilities from procuring China-specific bulk power system (BPS) equipment that poses an undue risk to the BPS, the security or resilience of critical infrastructure, the economy, national security, or safety and security of Americans.

The prohibition order was associated with Executive Order (EO) 13920, Securing the United States Bulk-Power System, which President Biden suspended for a 90-day review upon entering office in January. EO 13920 was briefly reinstated following the 90-day suspension, but the emergency declaration of the EO expired on May 1. 

Four foundational principles

In their joint comments, the four trade associations said that as a replacement for EO 13920 is considered, DOE should incorporate into its thinking four foundational principles as follows: 

New measures must be risk-based: The consideration of any new standards, measures, or prohibitions must be calibrated to reflect the risk of the related infrastructure or activity to the nation’s security or public health, APPA and the other groups commented.

The definition of Critical Electric Infrastructure in Section 215A of the Federal Power Act (“Critical Electric Infrastructure Security”) provides an important touchstone for prioritization of these efforts, specifying that “Critical Electric Infrastructure” means “a system or asset of the bulk power system, whether physical or virtual, the incapacity or destruction of which would negatively affect national security, economic security, public health or safety or any combination of such matters,” the groups said.

“Key elements of this definition focus attention on the bulk power system (as opposed to distribution systems), and on the impact that the incapacity of such system may have on national (not local) security, economics and public health or safety.”  

Directives should be clear, prospective, and scalable: APPA, LPPC, NRECA and TAPS said that clarity in any directive is critical, specifically with respect to the facilities that are addressed and the nature of any activity prescribed or prohibited. “Ambiguity can be costly and time consuming and ultimately undermine the effectiveness of the directive. Further, directives should be prospective only, and effective only once all definitions and required regulations are in place. Again, ambiguity as to whether the directive applies to infrastructure already in place, or to activities and contracting already underway, will be both costly and may adversely affect grid reliability. Finally, where possible, directives should be scalable, in recognition of widely varying size and capabilities of affected electric utilities.”

Directives must be cost-conscious: Closely related to the precept that any new measures must be calibrated to reflect varied risks, DOE must be mindful of the cost of any directives, the groups told DOE. “The cost of electric service is a key factor in the nation's economic health, and the reality of varying, but finite resources and budgets suggests that over-spending on security measures may compromise grid reliability in other respects. This is especially important to consumer-owned, not-for-profit public power utilities and rural electric cooperatives, who are owned by the consumers they serve and must bear any new costs imposed by new requirements.”

DOE should focus on vendor risks: The groups said that the electric utility industry’s ability to influence the security measures undertaken by industry suppliers is limited, and particularly so for smaller utilities. Though vendors are outside the direct authority of the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation, “DOE may use its influence to affect supplier practices by encouraging suppliers to adopt shared security practices, and to foster security certification upon which the industry can rely.”   

APPA, LPPC, NRECA, and TAPS also responded to a series of questions outlined in the RFI.

In conclusion, the associations urged DOE “to directly engage with vendors that provide equipment to electric utilities to address any concerns the department may have about risks in the supply chain. The vendors are best suited to address such questions. Any new measures, directives, requirements, or prohibition authority that DOE chooses to pursue regarding electric infrastructure must be risk-informed, clear, prospective, and scalable, and take cost into account to avoid unintended consequences to grid security and reliability.”