Biden administration blazes new path to protect grid from cyber threats, foreign adversaries

The Department of Energy April 20 launched an aggressive 100-day plan to protect electric infrastructure from persistent and sophisticated cyber threats.

DOE also lifted a prohibition by former President Donald Trump on procurement of certain bulk power system equipment from Chinese entities imposed on electric utilities that serve critical defense facilities, while opening a comment window to aid the development of a long-term strategy for addressing security of the US energy system.

As adversaries increasingly look to compromise critical systems essential to US national and economic security, the new 100-day initiative will take "swift, aggressive actions" to bolster the cybersecurity of electric utilities' industrial control systems and secure the energy sector supply chain, DOE said in a press release.

The 100-day plan is a coordinated effort between DOE, the electric industry and the Cybersecurity and Infrastructure Security Agency, and it serves as a pilot to a broader cybersecurity initiative the Biden administration plans to roll out to several other critical infrastructure sectors.

ICS security initiative

It calls on DOE's Office of Cybersecurity, Energy Security, and Emergency Response to partner with utilities over the next 100 days to advance technologies and systems seen as key to modernizing the electricity sector's cybersecurity defenses. An emphasis was placed on implementing measures that enhance a utility's cyber visibility, detection, mitigation and response capabilities.

Specifically, the plan lays out milestones over the 100-day period for infrastructure "owners and operators to identify and deploy technologies and systems that enable near real-time situational awareness and response capabilities in critical industrial control system (ICS) and operational technology (OT) networks," DOE said. The initiative also "reinforces and enhances the cybersecurity posture of critical infrastructure information technology (IT) networks; and includes a voluntary industry effort to deploy technologies to increase visibility of threats in ICS and OT systems," according to DOE.

"It's up to both government and industry to prevent possible harms -- that's why we're working together to take these decisive measures so Americans can rely on a resilient, secure and clean energy system," Energy Secretary Jennifer Granholm said in a statement.

National Security Council spokeswoman Emily Horne applauded the "aggressive but achievable milestones" laid out in the 100-day plan, and said that "innovative partnerships like these are essential to addressing the urgent cybersecurity challenge because much of our critical infrastructure is owned and operated by the private sector."

Tom Kuhn, president of the investor-owned utility trade group Edison Electric Institute, welcomed the new ICS initiative, saying it was complementary to other Electricity Subsector Coordinating Council efforts already underway and showed "the industry's willingness to collaborate on new, creative approaches that enhance security."

Order revocation

The announcement comes as a 90-day suspension President Joe Biden placed on a Trump-era executive order aimed at fortifying the bulk power system against malicious cyberattacks by foreign adversaries ends.

EO 13920, issued May 1, 2020, as security concerns about Chinese technology firms Huawei Technologies and ZTE were on the rise, authorized the energy secretary to bar federal agencies and US entities from acquiring, transferring or installing bulk power system equipment that might pose an "unacceptable risk" to national security or public safety. But it sparked concerns among utilities over its lack of clear guidance on equipment procurement.

A Prohibition Order, invoking EO 13920's authority, was issued Dec. 17, 2020, and took effect Jan. 16. It targeted bulk power system equipment from entities owned or controlled by China or subject to that country's jurisdiction, and applied to a limited number of utilities that supply critical defense facilities at a voltage of 69 kV or higher.

Granholm revoked the Prohibition Order, effective April 20, following a review by the department and White House's Office of Management and Budget that "identified opportunities for change, increased awareness, and strengthened protections against high-risk electric equipment transactions by foreign adversaries while providing additional certainty to the utility industry and the public," according to DOE's website.

The revocation document signed by Granholm said the decision was made "in order to create a stable policy environment before the emergency declaration made by EO 13920 expires on May 1, 2021, and while the department conducts a Request for Information to develop a strengthened and administrable strategy to address the security of the US energy sector."

Industry input sought

That RFI, announced by DOE April 20, asks electric utilities, energy companies, academia, research laboratories, government agencies and others to chime in by June 7 with ideas for preventing exploitation and attacks by foreign threats to the US supply chain. DOE said those comments would enable it to evaluate new executive actions to further secure the grid from cyber threats and inform any future recommendations it makes with regards to supply chain security in US energy systems.

Through the RFI, which is part of a larger coordinated effort to address critical infrastructure and supply chain security, DOE hopes to gain insight into developing a long-term strategy that includes technical assistance needs, supply chain risk management, procurement best practices, and risk mitigation criteria. The department is also looking for industry input on the depth and breadth of a future prohibition authority.

DOE noted that though it nixed the Prohibition Order, "the growing prevalence of essential electric system equipment being sourced from China presents a significant threat to US critical infrastructure."

"Accordingly, the department expects that while further recommendations are being developed, utilities will act in a way that minimizes the risk of installing electric equipment and programmable components that are subject to foreign adversaries' ownership, control or influence," it said.