The Presidential Executive Order Related to Supply Chain Cybersecurity and You

If you work in any of the critical infrastructure industries, the Executive Order issued on May 1st, 2020 should be of interest and importance to you. President Trump issued an Executive Order intended to reduce the possibility of cyber-attacks on the United States Bulk Electric System (BES), better known as the power grid. This action will help close the vulnerabilities to cyber-attack that exist within the supply chain. The order calls for the identification of bulk-power electric equipment “designed, developed, manufactured, or supplied” by a “foreign adversary” which “poses an undue risk of sabotage to or subversion” of the bulk-power system in the U.S.

This is an expansion of the NERC CIP-013 regulation, which requires BES-related entities to develop one or more documented supply chain cyber security risk management plans for high- and medium-impact BES Cyber Systems. Those plans must include one or more processes for planning the procurement of BES Cyber Systems, and they must identify and assess the cyber security risks to the Bulk Electric System that arise from procuring and installing vendor products or services.

The Order applies to facilities and control systems necessary for operating an interconnected electric energy transmission network, and to transmission lines rated at 69 kV or more. It does not address local distribution facilities. It addresses many concerns that those of us in the OT cybersecurity industry have held for a long time, and it attempts to close existing gaps and vulnerabilities in bulk power equipment and operations, including by identifying a specific minimum bulk power voltage level.

The Executive Order directly challenges core NERC Critical Infrastructure Protection (CIP) cybersecurity requirements that previously excluded specific bulk electric equipment. Much of the equipment that is in scope for the NERC CIP and supply chain requirements is explicitly identified as out of scope within the Executive Order. The intent is to secure the Bulk Electric System with a more balanced approach to securing IT and OT networks and engineering systems.

Both Russia and China have attacked control system vendor supply chains since at least 2010, and the exploited systems are still in use in both the bulk power transmission and distribution systems. Even bulk power equipment manufactured in the U.S. often uses servers, processors, software, and other components that come from China, which makes securing the supply chain extremely difficult.

Concerns about the bulk power system and its supply chain are not new. Various types of counterfeit equipment, such as transmitters and SCADA parts, have shown up in the supply chain. It is also worth noting that most solar panels, and the inverters used with many types of renewable power generation, come from China.

