August 26, 2020 Newswires
Grid Assurance Issues Public Comment on DOE Notice

Targeted News Service

WASHINGTON, Aug. 27 -- Dale Russell of Grid Assurance LLC, Kansas City, Missouri, has issued a public comment on the Department of Energy notice entitled "Securing the United States Bulk-Power System". The comment was written on Aug. 19, 2020, and posted on Aug. 24, 2020:

* * *

Grid Assurance LLC ("Grid Assurance") appreciates the opportunity to submit these comments on the Department of Energy's (DOE) Request for Information on Executive Order 13920, Bulk Power System, 85 Fed. Reg. 41023.

Grid Assurance Background:

Grid Assurance LLC (GA) is a proactive electric utility industry resilience solution that provides its transmission-owning subscribers an emergency spare inventory of critical assets to improve their ability to restore power delivery promptly following a catastrophic event. GA maintains its spare inventory in secure, strategically located warehouses. GA also provides its subscribers pre-planned delivery logistics to aid in reducing service restoration time. A subscriber can obtain the equipment when it experiences a Qualifying Event affecting its critical assets, such as a natural disaster, a physical attack or a cyber security event.

The subscribers share access to the GA pooled inventory, providing certainty of spare availability and reduced cost compared to separately owning the inventory themselves. GA is not a regulated utility, because it holds assets as spare equipment only and does not connect them to serve the grid directly. The company structure mimics a utility in providing a cost-based service to its utility subscribers. Three energy companies that own and operate electric transmission launched Grid Assurance. The owners are American Electric Power, Berkshire Hathaway Energy and FirstEnergy.

GA is also not a manufacturer or supplier in the traditional sense, yet would be a source of replacement equipment for transmission-owning utilities. As such, GA would like to engage with DOE to develop a mutual understanding of how GA supports the security of the bulk power system. GA also desires to understand whether it might be subject to variations of EO 13920 in order to qualify GA's important spare inventory quickly, so that GA subscribers have access to the assets upon a catastrophic event.

Comments on RFI

A. Supply Chain

Although this RFI covers the full scope of BPS electric equipment as defined in EO 13920, the Department seeks comments on specific equipment as outlined below to enable a phased process by which the Department can prioritize the review of BPS electric equipment by function and impact to the overall BPS. In doing so, the Department employs a defense-in-depth, phased approach that addresses risk as well as the dynamic nature of threats and vulnerabilities affecting the BPS. Accordingly, the Secretary may establish specific pre-qualification criteria for a set of components that support defense critical electric infrastructure (DCEI) and other critical loads and critical transmission feeders (69 kV and above) reported under critical infrastructure protection reliability standards as formulated by the North American Electric Reliability Corporation (NERC) and approved by the Federal Energy Regulatory Commission (FERC). Specific essential reliability services of interest may also include black start systems.

The Department seeks comment on addressing the following types of equipment: transformers (including generation step-up transformers), reactive power equipment (reactors and capacitors), circuit breakers, and generation (including power generation that is provided to the BPS at the transmission level and back-up generation that supports substations). This includes both the hardware and electronics associated with equipment monitoring, intelligent control, and relay protection. Only transformers rated at 20 MVA and with a low-side voltage of 69 kV and above are included.

The Department does not plan to develop a SCRM tool or repeat questions already deemed best practices from well-established SCRM frameworks and tools, including the ODNI NCSC Supply Chain Directorate's SCRM Best Practices (see https://www.dni.gov/files/NCSC/documents/supplychain/20190405-UpdatedSCRM-BestPractices.pdf).

The Department will build upon efforts by standards development organizations, including but not limited to, NIST 800 series standards (see https://csrc.nist.gov/publications/sp800), ISO standards (see https://www.iso.org/home.html), ISA/IEC 62443 standards (see http://www.isa.org/intech/201810standards/), and NERC-CIP standards (see https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx). The Department is focused on improving utility owners'/operators' asset/operations risk assessment by incorporating the identification of enterprise risk associated with supply chain vendors/services into the acquisition systems process. For example, the Cybersecurity Capability Maturity Model (C2M2) is an available tool that an organization might apply to continuously assess its cybersecurity posture (see https://www.energy.gov/ceser/activities/cybersecurity-critical-energyinfrastructure/energysector-cybersecurity-0).

The Department believes that it is prudent, and in the public interest, to address national security implications in acquisitions. This RFI is designed to specifically address: (1) evidence-based cybersecurity maturity metrics and (2) foreign ownership, control, and influence (FOCI). As part of the Federal acquisition process and NERC-CIP standards, the Department is considering:

* limited procurements,

* select build versus buy,

* the consequences of insufficient SCRM, and

* evidence-based performance metrics that support a continuous improvement process.

With that background, the Department seeks information responsive to the following questions:

A-1) Do energy sector asset owners and/or vendors conduct enterprise risk assessments, including a cyber maturity model evaluation on a periodic basis? Provide an explanation or description of an assessment program if it addresses the mitigation of risks associated with FOCI with respect to foreign adversaries (see https://www.dcsa.mil/mc/ctp/foci/).

Grid Assurance's (GA) procurement process is facilitated through a service agreement with American Electric Power (AEP), and leverages AEP procurement processes. GA, through AEP services, applies a Third Party Risk Assessment methodology to review the vendor security controls in place. AEP applies a Continuous Monitoring process to detect changes in a vendor's security status, including any change in security controls, breach information, and change of ownership or investment in the primary company as well as its subsidiaries.

A-2) Do energy sector asset owners and/or vendors identify, evaluate, and/or mitigate the following:

a. FOCI with respect to foreign adversaries with respect to access to company and utility data, product development, and source code (including research partnerships);

Due to the mission of GA to provide a source of critical spare inventory of long-lead-time equipment to respond to High Impact Low Frequency (HILF) events, the procurement process carefully limited sourcing to non-adversarial points of origin. This included the choice of qualified bidders and the vendors selected to supply GA assets. As mentioned above, GA employs the services of AEP in its procurement process. AEP is currently collecting data on foreign involvement in its vendors through a variety of sources, including open source information, questionnaires to the vendors and Requests for Information (RFIs). AEP will provide relevant information regarding GA equipment suppliers, which are a small subset of AEP vendors.

b. potential supply chain risks from sub-tier suppliers, recognizing that some sub-tier supply chain manufacturers could have FOCI with respect to foreign adversaries; and

GA has multi-year contracts with its suppliers which will be renegotiated every five years or as needed due to market conditions. GA will maintain regular communications with its suppliers regarding FOCI-related status and will seek to negotiate a Security Supplement in new contracts or contract renewals which includes language requiring notification to GA of all foreign involvement in the products or services supplied and transfers that requirement to all sub-contracted organizations utilized by the primary vendor. GA will also leverage AEP procurement processes in this matter.

c. assets and services critical risk tolerance regarding protecting these assets and services from FOCI?

GA will leverage AEP's risk assessments related to the small subset of suppliers relevant to GA. AEP has a documented and implemented process through which it registers risks resulting from gaps in required practices as mandated by AEP policies, standards and the Security Supplement. This process requires registry of risks that cannot or will not be remediated within a specified period of time. Each risk registered is reviewed by a multilevel Security Risk Review Board, which ultimately could result in a review by the AEP Risk Executive Committee.

A-3) Are non-standard incentives or changes to established standard development organizations' SCRM standards (including NIST 800 series, ISA/IEC 62443, NERC-CIP, and other Cyber Risk Maturity Model evaluations/practices) necessary to build capacity to protect source code, establish a secure software and firmware development lifecycle, and maintain software integrity? How are benchmarks documented and tracked, including:

a. the ability to provide software, firmware, and hardware "bill of materials" (e.g. NTIA Software Component Transparency [see https://www.ntia.doc.gov/SoftwareTransparency] or equivalent industry norm) and track supply chain provenance and white-labeling;

GA-owned assets include transformers and circuit breakers, which have few components that use software and firmware. These include on-board protection and control devices, including transformer cooling controls. Risks are contained to those components. GA will leverage AEP procurement and security practices. (Note: All subscribers are transmission-owning utilities. AEP is among the GA subscribers and participates in GA Equipment Committees.)

b. authentication practices that prevent tampering, unauthorized production, and counterfeits; and

(1) GA assets are critical spare inventory available for purchase and installation by subscribers following events on their system. The assets are securely stored with security monitoring of the warehouses. The assets in inventory are not connected to external networks. This limits the opportunity for tampering to the point of component manufacture through the assembly on the transformer or breaker, delivery to GA, and any checkout upon receipt.

(2) GA will leverage practices from AEP and its other subscriber committees to address this, focusing on check-out procedures at the storage location following receipt of the asset.

c. monitoring and tracking sub-tier suppliers' adherence to security requirements as part of the SCRM?

GA will leverage AEP services for procurement and risk management. AEP's risk program includes a Right to Audit clause as well as Continuous Monitoring of vendors supplying products and services to AEP. Through these processes and required notification by vendors of breach, change of ownership and vulnerability information in the Security Supplement, we have the ability to monitor to the best degree possible at this time for any significant changes in risk to AEP through its vendor relationships.

A-4) What information is available concerning the following: BPS electric equipment cyber vulnerability testing standards, analyses of vulnerabilities, and information on compromises of BPS electric equipment over the last five years, including results of independent BPS electric equipment testing and penetration testing of enterprise systems for vulnerabilities (including methodology for discovery and remediation)?

(1) GA assets are securely stored, disconnected from any power (other than 120V power to control cabinet heaters to prevent corrosion) or communication networks until a subscriber purchases and installs the asset.

(2) GA subscribers are responsible for complying with NERC CIP reliability standards requiring vulnerability assessment of assets classified as High or Medium Impact BES. The standards also require entities to monitor for, assess, and deploy applicable security patches to affected assets. If a patch cannot be deployed to an asset, a mitigation plan must be filed describing the reason for the inability to deploy. There is currently no specific requirement to respond to identified vulnerabilities which do not have patches, nor is there a requirement to perform any type of penetration testing on assets.

b. What process does the energy sector have to share information with utilities regarding vulnerabilities and vice versa? Are contingency plans in place? How is the effectiveness of vulnerability testing and mitigation efforts monitored, tracked, and audited?

There are a number of industry information sharing venues (E-ISAC, US-CERT, ICS-CERT, etc.). While not specifically designed to share vulnerability information, they do allow the sharing of threat information.

c. Is a record of an analysis of component vulnerabilities and any compromises of components and systems maintained for a specific period of time (e.g., five years)? If yes, are the results of independent component testing and penetration testing of enterprise systems for vulnerabilities (including timeline for discovery and remediation) also maintained?

Assessment data will be retained in documentation for the asset.

d. How are the results of independent component testing and penetration testing of enterprise systems for vulnerabilities (including timeline for discovery and remediation) maintained?

GA is not an operating electric utility and does not have any assets connected to the grid, i.e., no in-service assets. GA has a services agreement with AEP and relies upon their enterprise network security practices. AEP assessment data such as Penetration Testing of systems and system components is maintained in a written document stored electronically. If the risk identified was not remediated, that information is placed in AEP's risk treatment and management system.

e. How are vulnerabilities identified by external entities addressed? How is the distribution of information regarding patching security vulnerabilities in the supply chain facilitated?

GA has a services agreement with AEP and relies upon their enterprise network security practices. AEP has separately responded to this RFI. AEP has a robust vulnerability management system.

f. What insecure by design/vulnerable communication protocols exist today that should be retired or cannot be disabled or mitigated from BPS electric equipment (examples of protocols include Distributed Network Protocol 3 [DNP3], File Transfer Protocol [FTP], Telnet, or Modbus)?

GA is not an operating electric utility and does not have any assets connected to the grid. GA subscribers will each address these risks on their respective systems.

A-5) What governance of sub-tier vendors do energy sector asset owners and/or vendors have in place? Is contract language for Supply Chain Security included in procurement contracts? Are metrics for supply chain security, along with cost, schedule, and performance maintained? What specific guidance should be developed for Integrator/Installer/Maintenance Service provider activities?

(1) GA procurement is facilitated through a services agreement with American Electric Power (AEP), and leverages AEP procurement processes. AEP has a Security Supplement which contains specific security controls expected for each vendor with whom we negotiate the supplement.

(2) GA is not an operating electric utility. GA assets are securely stored, disconnected from any power or communication networks until a subscriber purchases and installs the asset. Assets will be periodically inspected and maintained. Since the assets are not grid-connected, Maintenance Services should specifically exclude interaction with any software or firmware content on subcomponents beyond exercising the component functionally.

A-6) Can energy sector asset owners and/or vendors document the level of engagement in information sharing and testing programs that identify threats and vulnerabilities and incorporation of indicators of compromise (e.g., Information Sharing and Analysis Center, Information Sharing and Analysis Organization)? Does the energy sector participate in a community for sharing supply chain risks? Does the energy sector encourage security-related information exchange with external entities, including the Federal government?

GA is not an operating electric utility. GA will develop any protocols for threat assessments through consensus among its Subscribers' GA committees. AEP, e.g., is actively involved in a number of threat and information sharing relationships. GA is not yet aware of any specific Utility Industry Supply Chain Security data sharing capability outside of the A2V Network co-founded by AEP and Fortress Information Security.

A-7) What physical and logistical role-based access control policies have been developed to monitor and restrict access during installation when a foreign adversary, or associated foreign-owned, foreign-controlled, or foreign-influenced person is installing BPS electric equipment at a BPS site in the U.S.? What policies and practices exist to ensure installers/integrators effectively protect the systems and components during installation and commissioning? What policies and practices are in place to ensure that service providers (including those providing remote monitoring and management of systems) effectively maintain the security protections of the systems and components they are monitoring? Does an insider threat program exist?

GA is not an operating electric utility. GA assets are securely stored and security is monitored through a service agreement with AEP. Assets are disconnected from any power or communication networks until a subscriber purchases and installs the asset.

A-8) Are there critical mineral or supply chain materials, and if so, what are they? Specify if any of these critical inputs rely on foreign sources, and the cause for that reliance, such as lack of domestic capability or quality factors. Per Executive Order 13817, the Department of Interior prepared The Final List of Critical Materials 2018, see: https://www.federalregister.gov/documents/2018/05/18/2018-10667/final-listofcritical-minerals-2018.

GA is not aware of any critical mineral materials that can only be supplied from adversaries.

As this RFI covers the full scope of BPS electric equipment as defined in EO 13920, the Department seeks information responsive to the following questions:

B-1) Within the EO 13920 definition of BPS electric equipment, what are the estimated one-time and recurring costs of developing, implementing, and periodically revising compliance plans and procedures associated with the Executive Order, including but not limited to:

a. Evaluating requirements.

b. Developing compliance plans and frameworks: supply chain documentation, foreign involvement evaluations, risk assessments, and process reviews.

c. Implementing plans: new supplier processes and contractual provisions; and supplier audits.

d. Supporting transaction reviews: records retention and responding to information inquiries.

e. Negotiating agreements to mitigate concerns raised in connection with transactions.

f. Other compliance costs.

Answers to all of the above are to be determined. GA will rely upon its administrative services agreement with AEP to adapt administrative protocols, as well as input from its other subscribers.

B-2) Within the EO 13920 definition of BPS electric equipment, are there categories of BPS electric equipment that are more reliant on vendors likely to become the subject of transaction reviews, and if so, what are they? What are the sourcing challenges and cost impacts for companies facing prohibited transactions for those BPS electric equipment categories?

GA's mission is to provide a secure source of critical spare equipment to address high impact low frequency events for US electric transmission-owning subscribers. GA, therefore, has taken a thoughtful approach to procurement that aligns well with EO 13920. GA did not permit sourcing of major equipment from adversarial points of origin, and carefully considered the flexibility and confidence in sourcing not only for initial purchases, but also for rapid resupply from GA suppliers after subscribers pull from GA inventory.

B-3) Does the energy sector have a procedure to identify services, components, and/or systems which are or should be covered by EO 13920? If yes, list the services, components, and systems and provide the reasoning regarding why they should or should not be covered by EO 13920.

GA is not aware of any current industry-wide procedure. For assets in which GA is involved, the unique (sub)components of greatest concern would be electronic chips included in on-board protection and control circuits. Although these components would not normally be accessible to external actors to manipulate after installation, there is potential for some form of malware, with a means of self-actuation or time/parameter triggering, to be present. Possible mitigations include disallowing adversarial points of origin or having some means of detection and removal of malware in advance of delivery and/or installation.

B-4) What unique challenges could EO 13920 present to small businesses?

EO 13920 likely will create a burden on the energy industry relative to the depth of assessment which will ultimately be decided by drafters of any requirements or legislation. If the requirements only go as deep as knowledge of the primary owners or investors of the business, the burden will be moderate in that there will have to be a means of investigating each business relationship to identify foreign involvement. There is currently no single source which provides that information.

If each business were required to register within a registry system any foreign involvement in their corporations, it would make the burden lighter for utilities and their suppliers.

If the ultimate outcome of this order is to require entities to investigate down to the sub-component or even mineral level, as indicated in a question in this RFI, the burden will be onerous. This would necessitate both an attestation from the manufacturer of the product to the origin of every component of the system provided and a method of auditing the integrity of the attestation. This may prove to be both unnecessary and ineffective.

Additionally, with the scope of the RFI including assets as low as 69 kV, the utility industry would be required to bring a far greater volume of assets into scope that are currently outside of the NERC CIP requirements. This increases the burden on the industry and may adversely impact the degree of focus on those assets which are currently defined by the industry as "bulk electric system" assets.

* * *

The notice can be viewed at: https://beta.regulations.gov/document/DOE-HQ-2020-0028-0001

TARGETED NEWS SERVICE (founded 2004) features non-partisan 'edited journalism' news briefs and information for news organizations, public policy groups and individuals; as well as 'gathered' public policy information, including news releases, reports, speeches. For more information contact MYRON STRUCK, editor, [email protected], Springfield, Virginia; 703/304-1897; https://targetednews.com
