Executive Order 13920: Position Paper - Guidehouse Energy, Sustainability, and Infrastructure Team
Executive Order 13920: Position Paper
Guidehouse Energy, Sustainability, and Infrastructure Team
Prepared by: Guidehouse Inc.
May 26, 2020
guidehouse.com
Table of Contents

Executive Summary, page 2
Regulatory Background and Scope, page 3
  NERC Reliability Standards for the BES, page 4
  Extension of the BES Threshold, page 5
Recommended Actions, page 7
  Recommended VRM Process Design, page 7
  Sector A – Specific Issues, page 9
  Sector B – Specific Issues, page 10
Conclusion, page 11
References, page 12
About the Authors, page 14
About Guidehouse, page 17

Page 1
Executive Summary

Executive Order (EO) 13920 declared a national emergency created by the potential for compromised bulk-power system (BPS) equipment and their control systems procured from vendors or other organizations under the control or influence of foreign adversaries. This equipment is at risk of instigating a catastrophic failure of the US electrical grid. EO 13920 is based on four pillars:

1. Prohibit foreign adversaries from supplying BPS equipment
2. Prequalify vendors for BPS purchases
3. Identify current risks on the BPS
4. Establish a task force, headed by the Secretary of Energy, to develop and publish rules and requirements related to BPS equipment

The EO establishes immediate[1] procurement and installation prohibitions. It also references future rules and recommendations developed by the task force for any BPS equipment acquired from vendors affiliated with foreign adversaries or other organizations that may present a risk of sabotage or subversion of the BPS equipment and control systems; such BPS equipment poses an undue risk to the security or resiliency of national critical infrastructure.[2]

In this paper, Guidehouse:
• Examines the scope of EO 13920 and its impact on the US electrical grid.
• Discusses current regulatory and potential compliance, asset management, operations, and planning aspects.
• Identifies two primary affected groups of customers related to the order.
• Proposes an approach to support current and future client efforts in both groups.

The paper’s approach is intended to educate utilities about the potential impact of task force rules and requirements, investigate impacts to existing or planned BPS equipment, and recommend implementation strategies and roadmaps to address and mitigate supply chain risks.

[1] As of the date of the Executive Order: May 1, 2020.
[2] No specific equipment has been identified as the task force mobilizes.
Regulatory Background and Scope

Executive Order (EO) 13920 declared “a national emergency with respect to the threat to the United States bulk-power system” created by the potential for compromised bulk-power system (BPS) equipment and their control systems from “persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries.”[3] Continued use of such equipment could result in a catastrophic failure of the US electrical grid. EO 13920 is based on four pillars: immediately prohibit procurement and installation of BPS equipment from foreign adversaries, prequalify vendors to supply BPS equipment, identify current risks on the BPS, and establish a task force to set rules and requirements. The order also mandates that the task force consult with various departments and industry groups, including to make recommendations to identify and mitigate risks from existing equipment.

EO 13920 leaves the term foreign adversary undefined, charging the task force to identify countries or organizations that are considered foreign adversaries. EO 13873[4] took a similar approach, although Huawei Technologies and several other organizations tied to the Communist Party of China were subsequently identified as foreign adversaries relative to EO 13873. For the sake of preliminary planning and proactive action toward EO 13920 preparedness, it is reasonable to assume individuals and organizations with affiliations or other connections to mainland China, Russia, Iran, and other nation-states, organizations, or individuals listed as US Department of Commerce-proscribed Parties of Concern[5] will also fall under the foreign adversary banner.

The total scope of EO 13920 across the grid is unknown but extends beyond the bulk electric system (BES) threshold of 100 kV or higher that is subject to the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) and Operations & Planning (O&P) reliability standards (see Figure 1). The scope may encompass certain BPS equipment that is excluded from the NERC reliability standards under the application of the NERC BES definition.[6] EO 13920 defined the BPS as:

(i) Facilities and control systems necessary for operating an interconnected electric energy transmission network (or any portion thereof); and (ii) electric energy from generation facilities needed to maintain transmission reliability. For the purpose of this order, this definition includes transmission lines rated at 69,000 volts (69 kV) or more.[7]

These terms are used throughout this paper to indicate applicable electrical equipment operated at 100 kV or higher (BES) subject to NERC reliability standards, other electrical equipment operated at 69 kV to 99 kV (BPS), and their associated control systems.

[3] Trump, 2020, EO 13920: Preamble, p. 26595
[4] Securing the Information and Communications Technology and Services Supply Chain (Trump, 2018)
[5] BIS, 2020a, Entity List; 2020b, Unverified List; 2020c, Temporary General License
[6] NERC, 2014, BES Definition Reference Document
[7] EO 13920, §4.a, p. 26598
Figure 1. Major Sectors of the US BPS (Source: Guidehouse)
[Figure: the US electrical generation and power delivery system divided into Bulk-Power System (BPS) sectors. Bulk Electric System (BES): electrical equipment at 100 kV and higher (O&P standards) and its control systems (DCS, ICS, EMS/SCADA) as BES Cyber Systems (BCS) and control center facilities (CIP standards). Other BPS: electrical equipment at 69 kV to 99 kV and its control systems (EMS/SCADA, ICS, DCS), with DP assets classified under IRC 3.6. Consumer-facing distribution systems fall under state or local jurisdiction.]

NERC Reliability Standards for the BES

High impact and medium impact BES cyber systems (BCS) and associated cyber assets are subject to the CIP-013-1 Supply Chain Risk Management (SCRM) standard.[8] In general, the NERC CIP standards address major operational cyber systems rated as high or medium impact BCS, as identified by the CIP-002-5.1a Impact Rating Criteria (IRC).[9] The IRC cover BPS equipment and control systems operated at 100 kV or higher, with all remaining BES assets (e.g., smaller control centers, transmission substations, and generation stations) identified as low impact. Low impact assets are not within the scope of the CIP-013-1 SCRM standard.

Most of the physical electrical equipment encompassed by EO 13920 §4.a-b and operated at 100 kV or higher is also covered by the NERC O&P reliability standards. Other BPS equipment is not typically regulated by the NERC standards. One notable exception is a relatively small number of load shedding protection schemes and other facilities identified by distribution provider (DP)-specific criteria,[10] subsequently classified as low impact BCS (LIBCS) under IRC 3.6. Under CIP-003-8 Requirement 2 (R2), LIBCS are mandated to provide cyber and physical security protective measures. Equipment not covered under BES or BPS requirements is left to individual states to develop regulations and requirements. However, most state and local regulatory bodies typically focus on jurisdiction-specific issues that may or may not extend to the level of federal regulatory requirements.

In its initial approval of the CIP Supply Chain standards, the Federal Energy Regulatory Commission (FERC) directed NERC to include electronic access control and monitoring systems (EACMS) associated with high and medium impact BCS. FERC also requested that NERC study the inclusion of physical access control systems (PACS) and other associated cyber assets in a revision of the CIP-013-1 standard.[11] However, throughout the development of the CIP version 5 (CIPv5) reliability standard suite, NERC pursued a risk-based approach for categorizing BCS according to the expected impact on the reliability and security of the grid if a given BCS were compromised or misused.[12] Registered entities subject to NERC CIP standards are required to provide cyber and physical security protective measures and controls commensurate with the expected risk to the reliability and security of the BES, with the most stringent protections reserved for high and medium impact BCS.[13] NERC stated, “the requirements applicable to low impact BES Cyber Systems, given their lower risk profile, should not be overly burdensome to divert resources from the protection of medium and high impact BES Cyber Systems.”[14]

The 2019 NERC SCRM Staff Report[15] set the expectation that LIBCS would be protected on a voluntary basis by registered entities across the grid and that a further study would determine whether such voluntary efforts were effective. Following the direction of the NERC Board of Trustees, NERC subsequently collected SCRM data from grid participants through a Section 1600 data request to identify the scope of LIBCS and other BES systems not subject to CIP-013-1. The data analysis report indicated that LIBCS make up approximately 87% of all BCS in use across the grid, with the remaining 13% encompassing high and medium impact BCS.[16] NERC found a similar ratio (86%/14%)[17] among entities that operated all three impact categories of BCS. This finding indicates that approximately 75% of all categorized BCS operated across the grid are LIBCS that are afforded minimal-to-no mandated cybersecurity, physical security, or SCRM protective measures or controls. The study identified 66% of all LIBCS as having external connectivity, which increases the probability of attack and compromise of these systems beyond the physical security threats also posed to the 34% without external connectivity. Regulated physical security protective measures are also limited to these same LIBCS with external connectivity,[18] leaving a significant gap in cyber and physical security protective measures and controls for the BPS equipment and control systems associated with the remaining 34% of LIBCS.

Extension of the BES Threshold

EO 13920 extends the required BPS equipment and control systems supply chain protective measures[19] below the 100 kV floor of the CIP reliability standards. This extension brings an unknown number of additional BPS equipment and control systems into scope. Such BPS equipment and control systems, operated at 69 kV to 99 kV (commonly referred to in the electrical industry as sub-transmission or a lower voltage system), are not covered by the NERC CIP standards, with the exception of the DP-specific LIBCS classified under IRC 3.6, as described above.

[8] NERC, 2018a, CIP-013-1
[9] NERC, 2018b, CIP-002-5.1a, pp. 14-16
[10] Ibid, Section 4.2.1, p. 2
[11] FERC, 2018, Order 850, ¶5-6, pp. 53993-53994
[12] NERC, 2018b, Purpose, p. 1
[13] High and medium impact BCS are operated by the following NERC registered functions: reliability coordinator (RC), balancing authority (BA), generation owner (GO), generation operator (GOP), transmission owner (TO), and transmission operator (TOP). See NERC, 2016, Reliability Functional Model [v6 Draft]. The RC and BA functions typically own and operate control centers only, with other applicable control center, transmission, and generation BPS equipment operated by the GO, GOP, TO, and TOP functions, as applicable.
[14] FERC, Order 850, ¶12, p. 53994
[15] NERC, 2019a, Recommended Actions to Address the Risks, pp. 19-20
[16] NERC, 2019b, Figure 2.1, p. 7
[17] Ibid, Figure 2.2, p. 8
[18] NERC, 2019c, CIP-003-8, R2, Attachment 1, section 2, p. 23
[19] Such measures are to be determined later by the EO 13920 task force.
Guidehouse is not aware[20] of any studies that quantify the number of BPS equipment and control systems that fall under the LIBCS or DP categories or that are included in the lower voltage sector of the grid that is not addressed by regulatory bodies. Based on our knowledge of grid transmission and distribution system operations, Guidehouse is confident most lower voltage BPS equipment and control systems are owned and operated by the TO, TOP, and DP functions; these functions encompass electrical utilities and other industry participants ranging from large entities holding multiple registered functions to small distribution and other electrical consumer service entities registered only under the DP function. Most generation stations operate at relatively low output voltage levels and only reach 69 kV and higher voltage levels on the high side of the generator step-up transformers. Depending on the demarcation point between the GO and GOP and the TO and TOP, and on the high-side transformer voltage, these transformers may be included in the BPS.

NERC regularly publishes an updated list of active registered entities.[21] The extent of lower voltage BPS equipment and control systems, while not quantified, may be estimated by analyzing the reliability functions included in this list. Guidehouse analyzed the functions in the list, finding that 25% of all NERC-registered operations and control functions may operate BPS equipment and control systems that may not have any mandated or regulated cybersecurity or physical security.[22] Of these DP registrations, approximately 37% are not covered under the NERC CIP standards, with the exceptions noted above (see Table 1).

Table 1. NERC Compliance Registry (NCR) Active Entities – DP Functional Registrations
Total Entities: 1,556
All DP: 390
DP, RC: 2
DP, BA: 69
DP, GO, or GOP: 141
DP, TO, or TOP: 119
DP Only: 143
Source: NERC, NCR Active Entity Matrix (2020)

Entities with multiple operational registrations, including the DP registration, that operate high or medium BCS already have (or should have) some measure of CIP-013 SCRM planning and risk assessment experience or processes that can be extended to other BPS equipment and control systems. However, as stated above, a significant number of grid participants have no formalized vendor or product risk identification and assessment methodology (hereafter, vendor risk management, or VRM) in place because they operate only LIBCS or non-NERC-regulated lower voltage BPS equipment and control systems.

The next section of this paper identifies two major industry sectors that may require slightly different VRM processes to prepare for EO 13920. The section also provides an overall recommended VRM program design that mitigates the national security risks addressed in EO 13920.

[20] As of the publication date of this paper.
[21] NERC, 2020, NCR Active Entity Matrix. The six NERC regional entities provide regulatory services to 16 NERC registered entities located in Canadian provinces, so these numbers may be skewed slightly by those entities. Although not in scope for EO 13920, these Canadian entities are interconnected to US grid participants, so Canadian BPS equipment and control systems also present a threat to the grid. Therefore, the authors elected to leave the Canadian registrations in the statistics.
[22] Utilities across the grid are historically risk-averse and have some cyber and physical security provisions in place as a best practice in the interest of consumer service and the reliability and security of their individual operational sectors of the grid. However, protective measures and controls associated with best practices are not mandated or regulated to the extent of the NERC CIP standards, and the authors are not aware of any supply chain management best practices that have been implemented at DP registered entities.
Recommended Actions

The Guidehouse team identified two primary industry sectors with varying levels of SCRM planning and implementation expertise available to support EO 13920 preparedness. The team developed an overview of the approaches required from both sectors based on knowledge of typical clients in each sector (see Figure 2).

• Sector A is a relatively small group of approximately 200 registered entities (as derived from the NERC Section 1600 study and the NERC 2020 NCR Matrix) that operate high or medium impact BCS that fall under the NERC CIP standards, including CIP-013-1, as well as LIBCS and lower voltage systems. These entities, several of which are Guidehouse clients, should be able to adapt their CIP-013-1 R1.1 VRM processes to prepare for possible new risk management approaches to be identified later by the task force.
• Sector B includes grid participants that may or may not be NERC registered entities and typically operate only LIBCS or lower voltage BPS equipment and control systems, as described above in the Regulatory Background and Scope section. Sector B participants operate most of the BPS equipment and control systems across the grid and represent an under-served industry segment that has little-to-no formalized VRM processes in place to support future preparedness for EO 13920.

While the two recommended sector-specific approaches have some basic process similarities, SCRM design and implementation expertise in both sectors may be minimal and will need to adapt to adequately address EO 13920.

• Sector A clients may adapt by modifying the VRM process from their existing SCRM program for EO 13920.
• Sector B participants should develop an EO 13920-focused VRM program.
• Both sectors should develop appropriate mitigation strategies and plans for identified BPS equipment and control systems.

Recommended VRM Process Design

The EO 13920 task force is tasked with preparing and publishing a list of proscribed BPS equipment and control systems vendors and developing specific mitigation recommendations.[23] The order allows the task force up to 1 year to achieve these milestones.[24] Nevertheless, EO 13920 validates that the supply chain risk is significant—not just from a security and reliability perspective (CIP-013) but also from a national security perspective. While the specificity of these regulations is forthcoming, Guidehouse suggests that utilities take steps to augment or create a VRM program to ensure preparedness for EO 13920, ensure preparedness and compliance with CIP-013 SCRM requirements, and manage residual supply chain risk that does not fall into either one of these categories. Utilities should first develop and implement a BPS equipment and control systems inventory process to fully understand the scope of their exposure and the resulting risk to the grid posed by vendors that may fall under the proscribed list of foreign adversaries and other potentially malicious actors.

[23] EO 13920, §2.d.i-ii
[24] Ibid, §3.f.i
Figure 2. Guidehouse VRM Flow Chart (Source: Guidehouse)
[Flow chart: Start at Executive Order 13920. (1) Do you own, operate, or procure Bulk Power System Equipment (BPSE) operated at 69 kV or higher? If NO, EO 13920 may not apply; End. (2) If YES, identify any BPSE meeting the Section 4(b) criteria; if none, EO 13920 may not apply; End. (3) Are you applying a Vendor Risk Identification and Assessment Methodology, or can you leverage a CIP-013 SCRM R1.1 Vendor Risk Assessment Methodology? If NO, develop a vendor risk identification and assessment methodology. (4) Apply the methodology to each BPSE item or system meeting the Section 4(b) criteria to identify and assess vendor(s) risks. (5) Are any vendors identified as a Foreign Adversary or otherwise proscribed entity? If YES, take recommended actions to isolate and mitigate identified risks to the Bulk Power System. (6) Document analysis and mitigation results; End.]

This first step toward EO 13920 preparedness would require an inventory of the utility’s applicable control centers, transmission stations and substations, and generation sites to identify BPS equipment and control systems as defined in the order.[25] Following the identification of each applicable BPS equipment and control systems component or supporting system, a rigorous review of each component should be pursued to identify the primary vendor and, if applicable, upstream vendors. For high risk and critical BPS equipment and associated control systems, mapping vendors to the deepest tier possible in the supply chain may be optimal. For those utilities with strong asset management programs, this step may not be burdensome, but for other utilities, it may represent a major hurdle. Guidehouse suggests implementing effective tools, such as our proprietary Supply Chain Illumination methodology, to assist in the vendor identification and mapping process and produce accurate results.

Until such time as the task force publishes a list of prequalified vendors[26] and recommended actions to mitigate identified risks, current foreign affiliations for some larger vendors may be identified through research efforts; it may also be necessary to submit a vendor risk questionnaire to other vendors to fully identify and assess the risks associated with the potential for malicious compromise or misuse of BPS equipment and control systems procured from that vendor. Guidehouse considers proactive and immediate action to identify and classify client BPS equipment and control systems vendors as critical to timely EO 13920 preparedness.

Once the inventory and subsequent vendor risk identification and assessment are completed, each utility should develop a sound mitigation strategy for high risk BPS equipment and control systems components. This strategy will accomplish a primary goal of EO 13920: “to identify, isolate, monitor, or replace such items as soon as practical, taking into consideration overall risk to the bulk-power system.”[27]

Strategic planning relative to EO 13920 BPS equipment and control systems mitigation efforts, particularly for those DP clients with no prior SCRM experience, should consider and integrate the Department of Homeland Security Cybersecurity and Infrastructure Security Agency’s (CISA’s) SCRM guidelines[28] and Electric Power Research Institute (EPRI) reports on operational resiliency.[29] Utilities should also consider updating their existing business continuity/disaster recovery plans and emergency operating plans[30] to enhance their ability to recover as soon as possible from an incident that exploits one or more vulnerabilities inherent in their equipment and systems.

Sector A – Specific Issues

Guidehouse is engaged with several clients on CIP-013 SCRM plan design, development, and implementation projects. While larger clients in this sector may have a robust asset management program and typically have a current inventory of BPS equipment and control systems operated at or above 100 kV as part of their CIP-002-5.1a compliance programs, such inventories are typically limited to sites containing BES cyber systems (R1.1 and R1.2 lists of high and medium impact BCS). Current inventories do not account for specific BPS equipment and control systems components located at low impact BES assets (R1.3 list) or any applicable lower voltage components (see Figure 2). As part of its CIP-013-1 SCRM engagements, Guidehouse has developed a customized vendor risk questionnaire template for each applicable client. This questionnaire includes questions relative to organizational issues, including any foreign affiliations, and can be easily modified to probe further into specific issues developed by the task force to understand whether any such vendor affiliations include organizations identified as foreign adversaries. Other components of the Guidehouse-recommended VRM program approach (as described in the Recommended VRM Process Design section) are applicable to this sector.

[25] Ibid, §4.a-b
[26] Ibid, §1.d
[27] Ibid, §2.d.ii, p. 26597
[28] CISA, 2020 May 5
[29] EPRI, 2019, 2013
[30] e.g., NERC, 2015, EOP-011-1
Sector B – Specific Issues

Clients in this sector that are currently in scope for the NERC CIP standards operate LIBCS and lower voltage BPS equipment and control systems. These entities may have an inventory of low impact BES assets and other locations containing BPS equipment and control systems, but they typically will not have an aggregated inventory of specific BPS equipment and control systems components; this is particularly true for lower voltage BPS equipment and control systems. As these clients tend to be smaller organizations, they may not have robust asset management systems or monitoring and tracking programs. Sector B clients may also be unversed in SCRM as it relates to the BPS equipment and control systems in their operational areas. Development from the ground up of an effective VRM program may be required for Sector B clients, so it is critical that such entities begin a proactive approach to achieve EO 13920 preparedness as soon as possible.
Conclusion

Guidehouse reviewed the background of EO 13920 and other applicable regulatory actions, described the potential scope of BPS equipment and control systems covered under the order, and identified two primary electrical industry sectors impacted by EO 13920. The Guidehouse team also developed a preliminary approach for utilities to design and implement an overall EO 13920 preparedness program and address specific issues relative to each of the two grid sectors. The Guidehouse-recommended approach includes:

• Developing a VRM plan to identify and assess the vendor and product risks associated with BPS equipment and control systems.
• Classifying BPS equipment and control systems components in accordance with the VRM plan and other supply chain management tools.
• Designing and implementing feasible mitigation plans to minimize the effect on the reliability and security of the BPS of identified BPS equipment and control systems components associated with vendors that have ties to foreign adversaries or are affiliated with other proscribed organizations.

Collectively, Guidehouse has over 435 years of electrical industry experience with power system operations, cybersecurity, information technology, and regulatory/compliance programs. In that total, team members have accumulated 150 years of specific experience with FERC, NERC, and regional regulatory and compliance programs, including SCRM-specific vendor and product risk identification and assessment programs. We have extensive experience performing SCRM-related activities across the US government, including critical national security programs within the US Department of Defense; these activities include illuminating vendors, mapping the supply chain (parts, components, and entities), and developing proprietary and collaborative risk rating methodologies. Guidehouse SCRM experience also includes conducting due diligence reviews that include details on risks of concern to our clients and recommended mitigation steps, continuous monitoring and evaluation of supply chain concerns, and developing robust SCRM programs. We also have a team of cybersecurity experts able to provide clients with insights and guidance on protecting assets and developing cybersecurity programs. Guidehouse is prepared to apply its experience, operational background, and expertise to design and implement effective solutions related to EO 13920 and other reliability and security projects.
References

Bureau of Industry and Security [BIS]. (2020a May 7). Supplement No. 4 to Part 744 – Entity List. In Electronic Code of Federal Regulations, Title 15, Subtitle B, Chapter VII, Subchapter C, Part 744. Retrieved from https://www.ecfr.gov/cgi-bin/text-idx?rgn=div5&node=15:2.1.3.4.28#ap15.2.744_122.4

BIS. (2020b May 7). Supplement No. 6 to Part 744 – Unverified List. In Electronic Code of Federal Regulations, Title 15, Subtitle B, Chapter VII, Subchapter C, Part 744. Retrieved from https://www.ecfr.gov/cgi-bin/text-idx?rgn=div5&node=15:2.1.3.4.28#ap15.2.744_122.6

BIS. (2020c May 7). Supplement No. 7 to Part 744 – Temporary General License. In Electronic Code of Federal Regulations, Title 15, Subtitle B, Chapter VII, Subchapter C, Part 744. Retrieved from https://www.ecfr.gov/cgi-bin/text-idx?rgn=div5&node=15:2.1.3.4.28#ap15.2.744_122.7

Cybersecurity and Infrastructure Security Agency [CISA]. (2020 May 5). CISA Supply Chain Risk Management Essentials. Retrieved from https://www.cisa.gov/sites/default/files/publications/ict_scrm_essentials_508.pdf

Electric Power Research Institute [EPRI]. (2019 February). Transmission and Distribution Resiliency: What’s Going on and What is EPRI Doing to Help. Retrieved from https://www.epri.com/#/pages/product/000000003002015363/?lang=en-US

EPRI. (2013 January). Enhancing Distribution Resiliency: Opportunities for Applying Innovative Technologies. Retrieved from https://www.epri.com/#/pages/product/1026889/?lang=en-US

Federal Energy Regulatory Commission [FERC]. (2018 October 18). Order No. 850: CIP-013-1 – Supply Chain Risk Management Reliability Standard Final Rule. 165 FERC ¶ 61,020, 18 CFR Part 40, Docket No. RM17-13-000. In Federal Register, 83(208), [2018 October 26, pp. 53992-54005]. Retrieved from https://www.gpo.gov/fdsys/pkg/FR-2018-10-26/pdf/2018-23201.pdf

North American Electric Reliability Corporation [NERC]. (2020 May 1). NCR Active Entities List. [Excel Spreadsheet Matrix]. Retrieved from https://www.nerc.com/pa/comp/Registration%20and%20Certification%20DL/NERC_Compliance_Registry_Matrix_Excel.xls

NERC. (2019a May 17). Cyber Security Supply Chain Risks: Staff Report and Recommended Actions. Retrieved from https://www.nerc.com/pa/comp/SupplyChainRiskMitigationProgramDL/NERC%20Supply%20Chain%20Final%20Report%20(20190517).pdf

NERC. (2019b December 9). Supply Chain Risk Assessment: Analysis of Data Collected under the NERC Rules of Procedure Section 1600 Data Request. Retrieved from https://www.nerc.com/pa/comp/SupplyChainRiskMitigationProgramDL/Supply%20Chain%20Risk%20Assesment%20Report.pdf#search=study%20CIP-013%202019

NERC. (2019c July 31). CIP-003-8 – Cyber Security – Security Management Controls. [Critical Infrastructure Protection Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-003-8.pdf

NERC. (2018a October 18). CIP-013-1 – Cyber Security – Supply Chain Risk Management. [Critical Infrastructure Protection Reliability Standard]. Retrieved from https://www.nerc.com/_layouts/15/PrintStandard.aspx?standardnumber=CIP-013-1&title=Cyber%20Security%20-%20Supply%20Chain%20Risk%20Management&jurisdiction=United%20States

NERC. (2018b October 18). CIP-002-5.1a – Cyber Security – BES Cyber System Categorization. [Critical Infrastructure Protection Reliability Standard]. Retrieved from https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-002-5.1a.pdf

NERC. (2016 June). Reliability Functional Model [version 6 Draft]. Retrieved from https://www.nerc.com/pa/Stand/Functional%20Model%20Advisory%20Group%20DL/FMAG_Inf_Functional%20Model%20v6%20(clean).pdf

NERC. (2015 November 19). EOP-011-1 – Emergency Operations. [Operations and Planning Reliability Standard]. Retrieved from https://www.nerc.com/_layouts/15/PrintStandard.aspx?standardnumber=EOP-011-1&title=Emergency%20Operations&jurisdiction=United%20States

NERC. (2014 April). Bulk Electric System Definition Reference Document [v2]. Retrieved from https://www.nerc.com/pa/RAPA/BES%20DL/bes_phase2_reference_document_20140325_final_clean.pdf

Trump, D. J. (2020 May 1). Executive Order 13920: Securing the United States Bulk-Power System. In Federal Register, 85(86), [2020 May 4, pp. 26595-26599]. Retrieved from https://www.govinfo.gov/content/pkg/FR-2020-05-04/pdf/2020-09695.pdf

Trump, D. J. (2019 May 15). Executive Order 13873: Securing the Information and Communications Technology and Services Supply Chain. In Federal Register, 84(96), [2019 May 17, pp. 22689-22692]. Retrieved from https://www.govinfo.gov/content/pkg/FR-2019-05-17/pdf/2019-10538.pdf
About the Authors

Dr. Joseph Baugh, Managing Consultant

Dr. Baugh is a managing consultant in the Risk, Compliance, and Security group of Guidehouse's Energy, Sustainability, and Infrastructure (ES&I) segment. His professional career spans more than 45 years in electrical utility operations and technology sectors. Prior to joining Guidehouse, he performed North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) compliance audits and other investigations for Western Electricity Coordinating Council (WECC) members and other registered participants in the Western Interconnection. He currently supports Guidehouse clients with CIP-013-1 Supply Chain Risk Management (SCRM) program development and implementation, audit preparation, internal controls evaluations, and training programs. Joseph holds a PhD in organization and management with a specialization in leadership, an MBA, and a BS in computer science. His professional and academic research interests include organizations in transition, organizational structures, and change management. While at WECC, he participated in electrical industry task forces and developed numerous outreach presentations for participants in the North American electrical grid, CIP compliance personnel, and industry user groups at WECC Compliance Workshop meetings, NERC meetings, and other industry venues. Dr. Baugh completed several industry-based research studies on the impact of the CIP Version 5 transition and implementation phases on registered entities in the North American electrical grid, the transmission owner control center issue, and the upcoming NERC supply chain standards. His presentations on these studies to various industry associations and regulatory bodies helped influence beneficial policy changes in these crucial compliance areas. Dr. Baugh continues to bring his strong research, analytical, and problem-solving skills to bear on complex issues faced by Guidehouse clients.

Chris Luras, Partner

Chris joined Guidehouse in 2015 and has over 17 years of energy industry experience. At Guidehouse, Chris serves as the solution leader for the ES&I Risk, Compliance, and Security services, working with utilities on all aspects of NERC reliability and security compliance, cyber and physical security, risk management, and resiliency. Specifically, Chris leads the development, management, and execution of tools and services aimed at cyber security, security compliance, risk management, internal controls, and process and program improvement within the energy sector. Since joining Guidehouse, Chris has assembled an experienced team of over 30 individuals who build expert solutions for utilities to effectively and efficiently manage their security and NERC CIP processes and programs. With his team, Chris has helped utilities achieve clean security audits, reduce regulatory burden, and attain process efficiency and effectiveness. His team specializes in developing strong, sustainable, and fully integrated CIP and cybersecurity processes. Chris is a nationally recognized NERC reliability and security compliance expert. He was formerly the Director of Compliance Risk Analysis and Enforcement at WECC, where he led a team of regulatory professionals, cybersecurity professionals, and electrical engineers. During his 7 years at WECC, Chris created and developed the compliance risk analysis, mitigation, and enforcement teams and led the development of all the tools, processes, policies, and procedures that paved the way for how WECC monitors, audits, and enforces all reliability and security standards in the Western Interconnection. Chris also served as the National Chair (eight regions and NERC) of the Enforcement, Mitigation, and Sanction working group for several years.
Prior to WECC, Chris was a technical consultant for the State of Utah (Division of Public Utilities) focusing on auditing, ratemaking, and overall utility regulation. Chris has an MBA, with honors, from the David Eccles School of Business at the University of Utah, a BS in economics, and a BS in communications from the University of Utah.

Jason Dury, Director

Jason Dury leads our Open Source Solutions team. He has more than 25 years of experience within the government and commercial sectors in the fields of open/all-source intelligence and analysis, supply chain risk management, insider threat, counterespionage and economic espionage awareness, global security, cybersecurity, threat analysis, information security programs, and more, in support of developing and implementing multidisciplinary security programs for the US Government, the Defense Industrial Base, and the Information Technology sector. Jason has extensive experience with the development of metrics and senior executive reports and briefings on the status of security programs. He has worked directly with threat and vulnerability analysis teams to assess, evaluate, identify, and mitigate impacts to operations and corporate/client data, and to enable business success.

Marianne Bailey, Director

Marianne Bailey leads the Advanced Solutions Cybersecurity segment to provide strategies and solutions that enable Guidehouse clients to manage their cybersecurity risks. By leveraging other Guidehouse solution areas, including Artificial Intelligence, Open Source Solutions, Advanced Analytics, Enterprise Risk Management, and Digital & Emerging Technologies, she partners with clients to develop and sustain cyber resilience to mitigate cybersecurity risks against current and emerging threats. Marianne brings over 30 years of experience in government leadership, spearheading cybersecurity and information sharing initiatives across the Department of Defense, the Intelligence Community (IC), and civil government sectors.
Most recently, she served as Deputy National Manager for National Security Systems (NSS) and Senior Cybersecurity Executive for NSA. In this position she was directly responsible for all national security systems across the government containing classified or sensitive information critical to military and intelligence activities. Prior to that she served as both Principal Deputy for Cybersecurity and Deputy Chief Information Security Officer (DCISO), Department of Defense Chief Information Officer. She recently received the Distinguished Executive Presidential Rank Award, the highest government civilian recognition, for her contributions to national security.

Keshav Sarin, Director

Keshav has professional experience in a variety of roles related to risk management, information systems development, cybersecurity, and project management in the energy, finance, and healthcare industries. His energy industry experience includes leading a team of cybersecurity professionals and electrical engineers as the Manager of Compliance Risk Analysis for WECC. He built the tools and training for conducting technical risk analyses of Self-Reports, Self-Certifications, and Mitigation Plans and provided technical support for the enforcement staff with respect to violation processing and settlements. Keshav conducted cybersecurity audits and cybersecurity and operations/planning internal controls assessments of electric utilities. As part of the Reliability Assurance Initiative (RAI), Keshav worked closely with NERC and other regional counterparts on the development teams to design and develop risk-based processes, which are now implemented as part of the NERC compliance landscape. He has conducted risk and controls analyses, conducted compliance program benchmarking analyses, developed and supported a grid security exercise, and assisted with the delivery of various cybersecurity programs. He has extensive experience in developing risk and controls frameworks, conducting internal controls evaluations, and assessing overall CIP Version 5 readiness. Keshav's experience in information systems includes design and development of software systems solutions in the finance and healthcare industries. Keshav has extensive experience in implementing software security solutions such as identity management, user provisioning and access management, asset management, CVA, and disaster recovery planning.

Geoffrey Kintzer, Managing Consultant

Geoffrey helps lead our Supply Chain Risk Management team, where he has supported clients across public sector and commercial industries. He has over 15 years of industry experience leading strategy, transformation, and operations engagements with a focus on measurable and sustainable improvements to performance and cost. Geoffrey served as an officer in the US Marine Corps and is PMP-certified, with extensive experience managing complex projects through execution. Geoffrey holds an MBA from the Kenan-Flagler Business School at the University of North Carolina at Chapel Hill and a BA from Lafayette College in history and government & law.
About Guidehouse

Guidehouse is a leading global provider of consulting services to the public and commercial markets with broad capabilities in management, technology, and risk consulting. We help clients address their toughest challenges with a focus on markets and clients facing transformational change, technology-driven innovation, and significant regulatory pressure. Across a range of advisory, consulting, outsourcing, and technology/analytics services, we help clients create scalable, innovative solutions that prepare them for future growth and success. Headquartered in Washington, DC, the company has more than 7,000 professionals in more than 50 locations. Guidehouse is led by seasoned professionals with proven and diverse expertise in traditional and emerging technologies, markets, and agenda-setting issues driving national and global economies. For more information, please visit: www.guidehouse.com.

© 2020 Guidehouse Inc. All rights reserved. This content is for general informational purposes only, and should not be used as a substitute for consultation with professional advisors. This publication may be used only as expressly permitted by license from Guidehouse and may not be otherwise reproduced, modified, distributed, or used without the expressed written permission of Guidehouse.