The Clock is Ticking for Important Decisions on Grid Security by Biden Administration
By Tommy Waller – Originally published by the Center for Security Policy
While President Biden’s 90-day suspension of Executive Order 13920 (securing the U.S. bulk-power system) leaves the country vulnerable, his nominee for Secretary of Energy, former Michigan Governor Jennifer Granholm, has a chance to remedy this by recommending the implementation of a much stronger replacement order.
The suspended Executive Order 13920 had declared “a national emergency with respect to the threat to the United States bulk power system,” and warned “that foreign adversaries are increasingly creating and exploiting vulnerabilities in the United States bulk-power system.”
Countries hostile to the United States have been able to exploit supply chain vulnerabilities. When American utility companies buy equipment manufactured in countries like Russia and China (or built with components from these and other hostile nations), they give these adversaries the ability to install hardware or software that could monitor or disable important functions of the grid.
In 2012, Russia began supply chain penetration and in 2014 active cyber intrusions into the U.S. grid in the form of malware. The FBI investigated the 2014 intrusions, but the report was never released publicly. In December 2016, Russian hackers activated malware in the network of Ukraine’s national grid, causing an unprecedented blackout in Kyiv and what should have been a wake-up call in America.
Meanwhile, “experts in the five or six critical infrastructures, including the CONUS national security functions, have grave concerns and some actual experiences (i.e., malware-related election intrusions), in the capabilities of the Russian Federation to seriously disrupt the grid,” George Cotter, a cryptologist and forty-year veteran of the National Security Agency, said.
Last year, a Chinese-built transformer offloaded at the Port of Houston was seized by U.S. Government officials and transported, with federal escort, to Sandia National Laboratory (SNL), where it was presumably analyzed.
“If there are hardware backdoors in the Chinese-made transformer at SNL in addition to the known backdoor in the Chinese-made transformer installed at a US utility substation, the question then becomes how many other Chinese-made transformers already installed in the US grid (and elsewhere) have hardware backdoors?” industrial control cybersecurity expert Joe Weiss asked.
These vulnerabilities exist partially because the regulators for the bulk power system – the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) – have, for years, refused to create or enforce effective regulations with respect to the supply chain and cybersecurity. This is what necessitated Executive Order 13920 in the first place.
Biden’s suspension of the order stated: “The Secretary of Energy and the Director of OMB shall jointly consider whether to recommend that a replacement order be issued.” The deadline is April 20, 2021.
Fortunately, Biden’s nominee for Secretary of Energy, former Michigan Governor Jennifer Granholm, may be up to the task.
In her confirmation hearing before the Senate Energy Committee, Governor Granholm responded to a question on cybersecurity from Chairwoman Senator Lisa Murkowski (R-AK) by stating, “We have to harden our electric grid for protection of our energy system. I hope that this is a part of the infrastructure package that will be coming from the administration as well.” This is very encouraging.
Murkowski’s question concerned the SolarWinds hack, during which Russia compromised hundreds of federal agencies and American businesses in what many experts have called the worst cyberattack in history. Separately, China also used SolarWinds to hack a federal payroll agency covering 600,000 employees – including intelligence agents. These attacks demonstrate that China and Russia have the ability and willingness to hack U.S. government agencies and should strengthen American resolve to fortify the grid and close all vulnerabilities as soon as possible.
The Senate should prioritize confirming Granholm as Secretary of Energy so she can begin addressing these weaknesses immediately.
Once Granholm is confirmed, she should be immediately provided a copy of the 2014 FBI report and be briefed on the Chinese-made transformer at SNL.
She must also be aware that she will be the target of influence by major utility organizations and associations that have traditionally lobbied against stricter supply chain cybersecurity provisions for the electric grid, claiming that they would be “unduly burdensome.”
For instance, Edison Electric Institute (EEI) has lobbied to defer and delay the implementation of cybersecurity regulations, and it has close ties to China.
“Scott Aaronson, vice president for security and preparedness at EEI, praised Biden’s order, saying the move provides more time to get new DOE officials up to speed,” E&E News reported.
Meanwhile, in an effort to actually help Governor Granholm “get up to speed” and understand the urgency of the situation, the Secure the Grid Coalition has sent her an important letter detailing policy recommendations to strengthen EO 13920 and secure grid vulnerabilities that can be exploited by adversaries like China and Russia.
Now, it’s up to the Senate to confirm her for the position and for her to fulfill that commitment to “harden the grid.” The clock is ticking.