Security and Resilience (Cyber and Physical)

FERC issues NOI on threats from equipment sourced from foreign adversaries

The Federal Energy Regulatory Commission (FERC) is seeking comments on the potential risks to the bulk electric system posed by equipment and services produced or provided by entities identified as risks to national security.

The Notice of Inquiry (NOI), docket # RM20-19-000, also seeks comments on whether or not the current Critical Infrastructure Protection (CIP) reliability standards adequately mitigate the identified risks and on what possible actions the commission could consider taking to address the risks. The NOI is also seeking comment on the extent to which equipment and services provided by such entities are used in the operation of the bulk electric system.

Since October 2018 when FERC issued Order 850, which approved the existing CIP reliability standards on supply chain risk management, there have been significant developments in the form of Executive Orders, legislation, as well as federal agency actions that raise concerns over the potential risks posed by the use of equipment and services provided by certain entities identified as risks to national security, the NOI says.

In particular, Huawei Technologies Company and ZTE Corporation “have been identified as examples of such certain entities because they provide communication systems and other equipment and services that are critical to bulk electric system reliability,” the NOI said.

The NOI says both entities have close ties to the Chinese government at both the ownership and employee level. In addition, under Chinese law, both entities have obligations that permit Chinese government entities, including state intelligence agencies, to demand that private communications sector entities cooperate with governmental requests, including revealing customer information and network traffic information.

And while there are many manufacturers of networking and telecommunications equipment, Huawei and ZTE are “gaining substantial shares of the market globally,” the NOI says, adding that systems are also vulnerable to Huawei and ZTE components embedded in equipment produced by unaffiliated vendors. That raises the probability that electric utilities now use “a significant amount” of telecommunications equipment with embedded components from Huawei and ZTE, the NOI says.

“If these obscured, or potentially unlabeled, components are present in an electric utility’s infrastructure, the same risks may exist as if the hardware had been purchased directly from Huawei, ZTE or one of its subsidiaries,” the NOI says.

The NOI cited Executive Order 13,873, which directs the Secretary of Commerce to identify equipment from a foreign adversary that has the potential for sabotage.

Executive Order 13,920, issued May 1, 2020, declared a national emergency in that foreign adversaries are increasingly creating and exploiting vulnerabilities in the bulk power system, including substations, generating stations and control rooms, and that unrestricted foreign supply of equipment constitutes a threat to national security. The order also created a Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security, chaired by the Secretary of Energy.

In June 2020, the Federal Communications Commission issued orders designated Huawei and ZTE as national security threats to the integrity of communications networks and the communications supply chain.

Comments on the NOI are due 60 days after publication in the Federal Register, and reply comments are due 90 days after publication in the Federal Register.