Via Federal eRulemaking Portal: https://www.regulations.gov
Mr. Charles Kosak
Deputy Assistant Secretary
Transmission Permitting and Technical Assistance Division
Office of Electricity
Department of Energy
Mailstop OE-20, Room 8G-024
1000 Independence Avenue, SW
Washington, DC 20585
Re: Bulk-Power System EO RFI; Docket No. DOE–HQ–2020–0028
Dear Deputy Assistant Secretary Kosak:
The Cybersecurity Coalition appreciates the opportunity to respond to the Request for Information (RFI) issued on July 8, 2020 by the Office of Electricity (OE), Department of Energy (DOE). The RFI was issued by your office in response to Executive Order (EO) 13920, Securing the United States Bulk-Power System. The intention of the RFI, as stated in your office’s press release, is to “solicit views on safeguarding the bulk-power system (BPS) supply chain from threats and vulnerabilities.”
The Cybersecurity Coalition brings together leading companies from the cybersecurity industry to share their expertise and unique perspective on critical policy issues. Several member companies have significant expertise in providing secure components and solutions to members of the electrical sector. Its through this lens that the coalition provides the attached comments for your consideration in response to the request for information.
If you have any questions on these comments, please contact me or Ross Nodurft (504-343-7544 or RBNodurft@venable.com).
Executive Director, Cybersecurity Coalition
DOE should ensure critical infrastructure companies operating as part of the bulk power system, as well as suppliers selling components or services to the asset owners and operators, are leveraging risk management programs to identify and mitigate threats to their organizations or the assets they own and operate.
The members of the Cybersecurity Coalition agree with the critical importance of securing and hardening the United States’ bulk power system. We share the view that it is vital to the nation’s interest to create a secure, resilient power system. More specifically, the RFI asks about the vendor and asset owner use of risk assessments and risk management programs. The Cybersecurity Coalition believes that any approach to securing our bulk power system from disruption by nation states and other bad actors must be based on strong cybersecurity risk management principles.
DOE should reference and leverage existing standards in the development of any final rules, guidelines, recommendations, and best practices that result from the implementation of EO 13920.
Another area referenced in the RFI asks about the use of and/or modification to existing standards around cybersecurity and supply chain. The Cybersecurity Coalition supports the use of existing interoperable standards, protocols, and frameworks in the development of regulations, requirements, guidelines, best practices, and any other output that results from the implementation of Executive Order 13920. Specific examples include, but are not limited to, the following:
DOE should make every effort to align the scope, requirements, and timing of rules it promulgates with applicable NERC CIP standards.
The RFI regularly references the EO’s mandate to address risk in non-distribution BPS operating above a specific threshold—i.e., 69kV. While the Cybersecurity Coalition strongly supports improving the security of the BPS, DOE should strive to mitigate risk of uncertainty and confusion among BPS operators and suppliers by aligning the scope, requirements, and timing for any new rules and regulations for BPS security with relevant industry-led standards for those same systems—e.g., NERC CIP 13-01. The EO introduces potential ambiguity on this point, which DOE should strive to reconcile, by both declaring that 69 kV and higher to be in scope for regulation, but electricity distribution is not.1 Current NERC standards apply only to BPS operating at 100 kV or higher. Systems operating in the newly targeted range of 69kV to 100 kV include both non-distribution and distribution systems. To the extent the EO calls for an expansion of regulatory scope beyond the coverage of NERC CIP standards, DOE should seek to understand any potential impacts with a review of relevant NERC CIP standards. Such a process should begin with an assessment of whether and how non-distribution systems below 100kV differ from those operating at higher power levels—potentially benefiting from a different set of risk-mitigation strategies. After reviewing the relevant NERC CIP standards, DOE could then consider whether it needed to expand NERC CIP standards to include lower power non- distribution BPS operating below 100kV as required by the EO.
DOE should utilize existing public/private engagements around supply chain security to further refine potential rules, guidelines, or best practices that result from the implementation of EO 13920.
The Cybersecurity Coalition participates in several public/private efforts to develop and improve smart, effective cybersecurity policies – and, where necessary – regulations. Regarding supply chain security, the Cybersecurity Coalition is an executive committee member of the Department of Homeland Security (DHS) Supply Chain Risk Management (SCRM) Task Force. This body brings together members of the Information and Communications Technology (ICT) sectors to develop and vet recommendations that DHS brings to the Federal Acquisition Security Council (FASC). Currently, the FASC is finalizing its operating procedures; however, when fully operational, it will issue recommendations for how to handle threats to government and critical infrastructure supply chains. Given the mandate of the FASC, we recommend leveraging the pathways created by the SECURE Technology Act2, such as the DHS SCRM Task Force, to fully vet any rules, guidelines, or best practices. DoE should explore whether that existing structure would accommodate development of a working group aimed at addressing cybersecurity supply chain risk related to BPS, or, in the alternative, whether a similar structure could be developed specific to BPS security improvement.
Another area for continued engagement includes the sector coordinating councils (SCC). The Cybersecurity Coalition applauds the reference to specific SCCs in the executive order. However, we think that increasing the outreach beyond the traditional energy sector coordinating councils to include the Information Technology Sector Coordinating Council (ITSCC) and other sector coordinating councils and industry groups not identified in the EO is also important, especially as you seek to better understand evidence-based cybersecurity maturity metrics. The IT and Communications SCCs provide a potential model here whereby each designates an ex- officio member to participate in the meetings of the other. Similarly, DoE and the Electricity Subsector Coordinating Council should develop liaison engagements with the ITSCC or other bodies that formally capture the feedback of relevant operators and suppliers.
DOE should take into account other supply chain acquisition rule making processes that establish impacted entities as it seeks to determine the economic impact to owners, operators, vendors, and their supplier base.
In the RFI, DOE asks for the economic impact to owners, operators, vendors, and suppliers both large and small. Again, the Cybersecurity Coalition appreciates DOE’s interest in understanding how any new rules, regulations, or guidelines may impact the industry. In order to do this, DOE needs to further clarify which entities will be impacted by changes to the acquisition process. To do this effectively, DOE should take into consideration other rule making processes currently underway. Additionally, as part of the rule making process, DOE should ensure there is an appeal process that includes the ability to respond and mitigate any identified supply chain risks.
Furthermore, DOE should align with NERC terminology for entities and functions within Bulk Electric Systems to provide utilities with explicit equipment and functions in scope. Without this clarity, the EO could have significant economic impact on vendors whose equipment has broader application beyond bulk-power systems.
DOE should provide additional clarification around what information it needs from vendors and asset owners regarding FOCI mitigation.
The RFI asks owners, operators, and vendors how to assess and manage/mitigate risks related to FOCI within their suppliers “with respect to access to company and utility data, product development, and source code (including research partnerships).” The Cybersecurity Coalition members are seeking clarification on both the scope of these question and the process for gathering the information to answer these questions. It can be very difficult to assess the mitigation of foreign ownership, control, or influence in the top tier of a supplier base and even harder to gather a fulsome understanding for lower tier suppliers. Any additional information that DOE can provide would be helpful in providing feedback.
1 The EO also introduces some ambiguity by referring to Bulk-power Systems when the applicable NERC CIP standards refer to Bulk Electricity Systems.
2 SECURE Technology Act - https://www.congress.gov/115/plaws/publ390/PLAW-115publ390.pdf