August 24, 2020

Response to the Department of Energy Regarding Executive Order 13920, Securing the United States Bulk-Power System

Via Federal eRulemaking Portal: https://www.regulations.gov


Mr. Charles Kosak

Deputy Assistant Secretary

Transmission Permitting and Technical Assistance Division

Office of Electricity

Department of Energy

Mailstop OE-20, Room 8G-024

1000 Independence Avenue, SW

Washington, DC 20585


Re: Bulk-Power System EO RFI; Docket No. DOE–HQ–2020–0028

Dear Deputy Assistant Secretary Kosak:

The Cybersecurity Coalition appreciates the opportunity to respond to the Request for Information (RFI) issued on July 8, 2020 by the Office of Electricity (OE), Department of Energy (DOE). The RFI was issued by your office in response to Executive Order (EO) 13920, Securing the United States Bulk-Power System. The intention of the RFI, as stated in your office’s press release, is to “solicit views on safeguarding the bulk-power system (BPS) supply chain from threats and vulnerabilities.”

The Cybersecurity Coalition brings together leading companies from the cybersecurity industry to share their expertise and unique perspective on critical policy issues. Several member companies have significant expertise in providing secure components and solutions to members of the electrical sector. It is through this lens that the Coalition provides the attached comments for your consideration in response to the RFI.

If you have any questions on these comments, please contact me or Ross Nodurft (504-343-7544 or RBNodurft@venable.com).


Sincerely,


Ari Schwartz

Executive Director, Cybersecurity Coalition

GENERAL COMMENTS

Risk-Based Approach

DOE should ensure critical infrastructure companies operating as part of the bulk power system, as well as suppliers selling components or services to the asset owners and operators, are leveraging risk management programs to identify and mitigate threats to their organizations or the assets they own and operate.

The members of the Cybersecurity Coalition agree with the critical importance of securing and hardening the United States’ bulk power system. We share the view that it is vital to the nation’s interest to create a secure, resilient power system. More specifically, the RFI asks about the vendor and asset owner use of risk assessments and risk management programs. The Cybersecurity Coalition believes that any approach to securing our bulk power system from disruption by nation states and other bad actors must be based on strong cybersecurity risk management principles.

Alignment with National and International Cybersecurity Standards

DOE should reference and leverage existing standards in the development of any final rules, guidelines, recommendations, and best practices that result from the implementation of EO 13920.

Another area referenced in the RFI asks about the use of and/or modification to existing standards around cybersecurity and supply chain. The Cybersecurity Coalition supports the use of existing interoperable standards, protocols, and frameworks in the development of regulations, requirements, guidelines, best practices, and any other output that results from the implementation of Executive Order 13920. Specific examples include, but are not limited to, the following:

  • National Institute of Standards and Technology (NIST) Special Publication (SP) 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations
  • NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, including the pending draft Rev. 5, which addresses supply chain risk management
  • International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 family, especially those focused on information security management systems such as ISO/IEC 27001, ISO/IEC 27103, ISO/IEC 27002 (in revision), and ISO/IEC 27402 (in development)
  • International Society of Automation (ISA)/IEC 62443 Standards, Security for Industrial Automation and Control Systems
  • NIST Cybersecurity Framework (CSF)
  • NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security
  • NIST SP 800-193, Platform Firmware Resiliency Guidelines
  • NIST Interagency Report (IR) 8259A, IoT Device Cybersecurity Capability Core Baseline
  • North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards, especially those addressing security management, information protection, and supply chain risk management

Alignment with NERC CIP Scope and Timing
DOE should make every effort to align the scope, requirements, and timing of rules it promulgates with applicable NERC CIP standards.

The RFI regularly references the EO’s mandate to address risk in non-distribution BPS operating above a specific threshold—i.e., 69 kV. While the Cybersecurity Coalition strongly supports improving the security of the BPS, DOE should strive to mitigate the risk of uncertainty and confusion among BPS operators and suppliers by aligning the scope, requirements, and timing of any new rules and regulations for BPS security with relevant industry-led standards for those same systems—e.g., NERC CIP 13-01. The EO introduces potential ambiguity on this point, which DOE should strive to reconcile, by declaring that systems at 69 kV and higher are in scope for regulation while electricity distribution is not.1 Current NERC standards apply only to BPS operating at 100 kV or higher. Systems operating in the newly targeted range of 69 kV to 100 kV include both non-distribution and distribution systems. To the extent the EO calls for an expansion of regulatory scope beyond the coverage of NERC CIP standards, DOE should seek to understand any potential impacts through a review of the relevant NERC CIP standards. Such a process should begin with an assessment of whether and how non-distribution systems below 100 kV differ from those operating at higher power levels—and whether they would benefit from a different set of risk-mitigation strategies. After reviewing the relevant NERC CIP standards, DOE could then consider whether it needs to expand NERC CIP standards to include lower-power non-distribution BPS operating below 100 kV, as required by the EO.

Supporting Industry Engagement through Existing or New Fora

DOE should utilize existing public/private engagements around supply chain security to further refine potential rules, guidelines, or best practices that result from the implementation of EO 13920.

The Cybersecurity Coalition participates in several public/private efforts to develop and improve smart, effective cybersecurity policies – and, where necessary – regulations. Regarding supply chain security, the Cybersecurity Coalition is an executive committee member of the Department of Homeland Security (DHS) Supply Chain Risk Management (SCRM) Task Force. This body brings together members of the Information and Communications Technology (ICT) sectors to develop and vet recommendations that DHS brings to the Federal Acquisition Security Council (FASC). Currently, the FASC is finalizing its operating procedures; however, when fully operational, it will issue recommendations for how to handle threats to government and critical infrastructure supply chains. Given the mandate of the FASC, we recommend leveraging the pathways created by the SECURE Technology Act2, such as the DHS SCRM Task Force, to fully vet any rules, guidelines, or best practices. DOE should explore whether that existing structure would accommodate the development of a working group aimed at addressing cybersecurity supply chain risk related to the BPS or, in the alternative, whether a similar structure could be developed specific to BPS security improvement.

Another area for continued engagement is the sector coordinating councils (SCCs). The Cybersecurity Coalition applauds the reference to specific SCCs in the executive order. However, we think that extending outreach beyond the traditional energy sector coordinating councils to include the Information Technology Sector Coordinating Council (ITSCC) and other sector coordinating councils and industry groups not identified in the EO is also important, especially as you seek to better understand evidence-based cybersecurity maturity metrics. The IT and Communications SCCs provide a potential model here, whereby each designates an ex officio member to participate in the meetings of the other. Similarly, DOE and the Electricity Subsector Coordinating Council should develop liaison engagements with the ITSCC or other bodies that formally capture the feedback of relevant operators and suppliers.

Understanding Economic Impact of Impacted Entities

DOE should take into account other supply chain acquisition rulemaking processes that establish impacted entities as it seeks to determine the economic impact on owners, operators, vendors, and their supplier base.

In the RFI, DOE asks about the economic impact on owners, operators, vendors, and suppliers, both large and small. Again, the Cybersecurity Coalition appreciates DOE’s interest in understanding how any new rules, regulations, or guidelines may impact the industry. To do this, DOE needs to further clarify which entities will be impacted by changes to the acquisition process, and it should take into consideration other rulemaking processes currently underway. Additionally, as part of the rulemaking process, DOE should ensure there is an appeal process that includes the ability to respond to and mitigate any identified supply chain risks.

Furthermore, DOE should align with NERC terminology for entities and functions within Bulk Electric Systems to provide utilities with explicit equipment and functions in scope. Without this clarity, the EO could have significant economic impact on vendors whose equipment has broader application beyond bulk-power systems.

Foreign Ownership Control or Influence (FOCI) Clarification Needed

DOE should provide additional clarification around what information it needs from vendors and asset owners regarding FOCI mitigation.

The RFI asks owners, operators, and vendors how to assess and manage/mitigate risks related to FOCI within their suppliers “with respect to access to company and utility data, product development, and source code (including research partnerships).” The Cybersecurity Coalition members are seeking clarification on both the scope of these questions and the process for gathering the information needed to answer them. It can be very difficult to assess the mitigation of foreign ownership, control, or influence in the top tier of a supplier base, and even harder to gather a fulsome understanding for lower-tier suppliers. Any additional information that DOE can provide would be helpful in preparing feedback.

1 The EO also introduces some ambiguity by referring to Bulk-Power Systems when the applicable NERC CIP standards refer to Bulk Electric Systems.

2 SECURE Technology Act - https://www.congress.gov/115/plaws/publ390/PLAW-115publ390.pdf