Executive Order 13920: Position Paper-Supply Chain Implications for Manufacturers - Guidehouse
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Executive Order 13920: Position Paper– Supply Chain Implications for Manufacturers Prepared by: Guidehouse Inc. Michael Hartnack Senior Research Analyst Michael Kelly Senior Research Analyst Mackinnon Lawrence Senior Research Director June 23, 2020 guidehouse.com
Securing the United States Bulk-Power System Executive Order –
Supply Chain Implications for Manufacturers
Table of Contents
Section Page
Overview ...................................................................................................................................... 1
Understanding the Scope .......................................................................................................... 2
Decoupling .................................................................................................................................. 3
Recommendations ...................................................................................................................... 4
About Guidehouse and the Energy, Sustainability, and Infrastructure Segment................. 7
Page iSecuring the United States Bulk-Power System Executive Order –
Supply Chain Implications for Manufacturers
Overview
On May 1, 2020, President Trump signed an Executive Order (EO 13920) on Securing the
United States Bulk-Power System. 1 The EO targets foreign adversaries and places restrictions
0F
on the procurement of bulk-power system (BPS) electric equipment.
The EO is a first step in what is likely to be a lengthy process involving the US Department of
Energy (DOE) and various other federal agencies to define the scope and rules as they pertain
to the BPS. The EO should not be viewed as an anomalous initiative. While more explicit in its
focus on securing a key aspect of the US’ critical infrastructure, it represents a further tightening
of restrictions aimed at mitigating threats to national security.
President Trump issued a similar EO on Securing the Information and Communications
Technology and Services Supply Chain (EO 13873) in May 2019. EO 13873 authorizes the
Commerce Secretary to regulate the acquisition and use of information and communications
technology and services from a foreign adversary. 2 The White House’s 2018 National Cyber
1F
Strategy notes that “energy and power” is a key critical infrastructure area vulnerable to
threats. 3 Also in 2018, DOE established the Office of Cybersecurity, Energy Security, and
2F
Emergency Response and issued a Multiyear Plan for Energy Sector Cybersecurity. Among
objectives like improving energy owners’ and operators’ cyber incident reporting, the plan’s
stated key goal was to “reduce critical supply chain vulnerabilities and risks.” 4 3F
Initiatives aimed at shoring up the security of the country’s critical infrastructure suggest that
improving cybersecurity will remain top-of-mind for lawmakers going forward regardless of what
happens in the upcoming election cycle. This is especially true considering the proliferation of
connected industrial control systems, including significant increases in the number of
connections between power grids and Internet of Things devices with less-than exemplary
security track records.
The EO is written broadly with minimal guidance on specific application or interpretation of key
language. Due to the EO’s broad grant of authority to DOE, it is difficult to determine the full
effect of the EO until DOE implements rules and regulations or issues detailed explanatory
guidance. DOE is required to publish rules or regulations to implementing the EO within 150
days from the date of the order (May 1, 2020).
Given the potential breadth of the EO as issued, current vagueness, and potential implications
across the BPS, Guidehouse recommends that utilities, renewable project developers and
investors, and BPS vendors and manufacturers assess the potential risks to business as usual,
with an expectation that additional policies and regulations will likely introduce further
restrictions on the supply chains serving critical infrastructure. If implemented in full, the
potential impact to the power system in the US could be significant.
1
Exec. Order No. 13920, 85(86) Fed. Reg. 26595-26599 (2020). https://www.whitehouse.gov/presidential-actions/executive-order-
securing-united-states-bulk-power-system/
2
Exec. Order No. 13873, 84(96) Fed. Reg. 22689-22692 (2019). https://www.whitehouse.gov/presidential-actions/executive-order-
securing-information-communications-technology-services-supply-chain/
3
White House, National Cyber Strategy of the United States of America, September 2018, https://www.whitehouse.gov/wp-
content/uploads/2018/09/National-Cyber-Strategy.pdf
4
US Department of Energy, Multiyear Plan for Energy Sector Cybersecurity, March 2018,
https://www.energy.gov/sites/prod/files/2018/05/f51/DOE%20Multiyear%20Plan%20for%20Energy%20Sector%20Cybersecurity%20
_0.pdfa
Page 1Securing the United States Bulk-Power System Executive Order –
Supply Chain Implications for Manufacturers
Note that Guidehouse has published a companion position paper on the EO that outlines
potential impacts on utilities. 5 Th following analysis focuses on the potential impacts for vendors
4F
and manufacturers.
Understanding the Scope
On its face, the EO defines a BPS as facilities and control systems necessary for operating an
interconnected electric energy transmission network and transmission lines rated at 69 kV or
more. It does not include local distribution facilities in the definition.
The EO is based on four pillars:
• Prohibit foreign adversaries from supplying BPS equipment
• Prequalify vendors for BPS purchases
• Identify current risks and now-prohibited equipment already in use on the BPS
• Establish a task force, headed by the Secretary of Energy, to develop and publish rules and
requirements related to BPSs equipment
BPS electric equipment encompasses an array of critical hardware and software solutions that
cut across generation and transmission markets. Key grid systems at substations, control
rooms, and generating stations are set to be covered by the order, including the components
listed below:
• Reactors • Instrument transformers
• Capacitors • Coupling capacity voltage transformers
• Substation transformers • Protective relaying
• Current coupling capacitors • Metering equipment
• Large generators • High voltage circuit breakers
• Backup generators • Generation turbines
• Substation voltage regulators • Industrial control systems
• Shunt capacitor equipment • Distributed control systems
• Automatic circuit reclosers • Safety instrumented systems
While the EO states that it applies to transactions that were initiated after May 1, 2020, its
language also grants discretion to DOE to apply the rule retroactively. This retroactive
application could nullify prior equipment procurement transactions or force installed and
currently operational equipment to be replaced. While it is unlikely that equipment already
installed by utilities and other stakeholders will result in mandatory removal, the EO directs DOE
to develop recommendations for how utilities can identify and then isolate, monitor, or replace
such items to address the risks they present.
5
Guidehouse, Executive Order 13920: Position Paper, May 26, 2020, https://guidehouse.com/-
/media/www/site/insights/energy/2020/eo-13920_gh_positionpaper_final.pdf.
Page 2Securing the United States Bulk-Power System Executive Order –
Supply Chain Implications for Manufacturers
It is too early to determine how the EO will be implemented. However, it is recommended that
vendors and manufacturers engage with the process early and monitor DOE guidance going
forward.
Decoupling
The four key pillars outlined by DOE (listed above) are designed to address and respond to the
fact that the supply chain for electric power equipment has grown increasingly global, thereby
exposing the US BPS to threats posed by foreign adversaries. Specifically, more than 85% of
America’s utility transformers are supplied by vendors outside the US today.
Foreign components exist in nearly every level of the US transmission and distribution network.
Power transformers, which are located in transmission substations, have several functions.
These include changing alternating current to direct current (and vice versa) and switching
generators in and out of a system. These power transformers transfer electricity from one circuit
to another and serve as a conduit between power generators and the end user. Most critically,
they ensure power distribution to households, offices, hospitals, and more.
China has been exporting these power transformers to the US in relatively large quantities.
According to DOE analysis, there are around 2,000 total high voltage power transformers in the
US BPS, with equipment sourced from China representing an estimated 10% of the total market
share. 65F
Decoupling, or the forcible separation of interdependent and interconnected supply chains,
particularly between the US and China, is central to understanding the intent of the order. At this
time, the EO itself does not specify which countries or non-country persons are identified as
foreign adversaries. However, US intelligence specifically identified China and Russia as
primary threats to the US power system in the 2019 Worldwide Threat Assessment report. 7 6F
While the proportion of equipment from Chinese suppliers in the US energy grid raises its own
set of unique security questions, potentially affected stakeholders should look beyond China.
The EO could have a major effect on the power industry’s ability to use equipment with China-
sourced components, which is problematic because a number of non-Chinese manufacturers
now source an increasing percentage of components from China. Established BPS
manufacturers such as ABB and Siemens AG have recently moved factories to China,
underscoring the procurement demand for cheap Chinese components—which all too often
have insufficient cybersecurity protections embedded. In particular, digital monitoring devices
and remote sensors that could open the door to hacking are potentially problematic.
This EO also deepens the impact of and rewards responses to the 2018 order from the Office of
the United States Trade Representative establishing tariffs on $200 billion in Chinese imports. 8 7F
Many of the affected goods are critical to developing BPS equipment, and US suppliers and
manufacturers have had to either pay these tariffs, increasing the costs of their products
compared to their European competitors, or shift their supply chain to mitigate exposure.
Companies that have already initiated efforts to reduce supply chain risk and integrated
6
US Department of Energy, Large Power Transformers and the U.S. Electric Grid, June 2012.
https://www.energy.gov/sites/prod/files/Large%20Power%20Transformer%20Study%20-%20June%202012_0.pdf
7
Office of the Director of National Intelligence, Statement for the Record: Worldwide Threat Assessment of the US Intelligence
Community, January 29, 2019, https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf
8
Office of the United States Trade Representative Press Release, “USTR Finalizes Tariffs on $200 Billion of Chinese Imports in
Response to China’s Unfair Trade Practices,” September 18, 2018, https://ustr.gov/about-us/policy-offices/press-office/press-
releases/2018/september/ustr-finalizes-tariffs-200
Page 3Securing the United States Bulk-Power System Executive Order –
Supply Chain Implications for Manufacturers
American or non-Chinese parts into their equipment are more prepared for the effects of this EO
than those that have not.
North Korea, Iran, and other expected adversaries are not major suppliers of the US electric
power industry.
Recommendations
Within the EO and subsequent rulemaking exists an inherent tension between the expressed
need for improving cybersecurity across the US grid and the critical importance of maintaining
the country’s power supply. Fully decoupling supply chains will be impractical without
significantly disrupting the current system. The US lacks the domestic production capacity to
fulfill demand for components across the entire supply chain, especially as many specialized
steel manufacturers are located in China.
Given that the EO language does not specify who might be an acceptable vendor, which
countries are foreign adversaries, or what types of equipment procurement transactions are
permissible under the EO, there is the potential risk that equipment that has already been
installed, procured, or is pending procurement may eventually be identified as prohibited. Note
that DOE guidance specifically indicates that the EO will not require rip and replace actions, at
least in the short term. 9 8F
The EO ultimately directs the Secretary of Energy to issue implementing regulations by
September 28, 2020. In the meantime, Guidehouse advises that vendors, manufacturers,
utilities, and other BPS stakeholders begin asking for guidance from DOE on specific
transactions underway. Where feasible, leveraging existing relationships with legislative
stakeholders to influence or seek guidance around the regulations should be considered.
With respect to vendors and manufacturers serving the BPS market, we recommend preparing
for the potential wholescale impact this EO could have if implemented in full. For example, when
coupled with other US federal policies in favor of domestic natural gas and coal generation, the
EO could initiate a reversal in US wholesale generation away from renewables like solar and
wind back toward natural gas- and coal-fired plants. This shift would be significantly disruptive to
current investment and market trends.
It is also worth acknowledging that this EO has been well-received by several industry
associations and may generate new opportunities for select grid vendors. In imploring grid
operators to improve their cybersecurity defenses, the EO could generate increased investment
in hardened and secure technologies throughout the BPS. This investment would include
traditional cybersecurity offerings such as antivirus and perimeter defense technologies and
likely extend to industrial control system providers that offer secure energy management and
SCADA systems or intelligent electronic devices with hardened physical security and encrypted
communications.
9
US Department of Energy, “Executive Order on Securing the United States Bulk-Power System Frequently Asked Questions,” May
2020, https://www.energy.gov/sites/prod/files/2020/05/f74/DOE%20BPS%20EO%20FAQ.pdf
Page 4Securing the United States Bulk-Power System Executive Order –
Supply Chain Implications for Manufacturers
Vendors and manufacturers should make note of how the EO may affect their customers.
Utilities, for example, are reviewing potential implications for pending and forthcoming
transactions and may consider contingency plans if these are nullified. Specifically, expect
utilities to:
• Review forthcoming purchases: Utilities will identify equipment that could be subject to the
EO and identify alternative suppliers in the event it is needed.
• Maintain thorough documentation: Utilities will likely keep accessible records related to
the procurement of equipment likely to be subject to the EO.
• Seek guidance: Where necessary, utilities will likely obtain determinations from the
Secretary of Energy that the procurement transaction or equipment is not prohibited.
• Procurement review procedures: Longer term, utilities may consider developing internal
protocols for thorough review of BPS equipment purchases and ensure appropriate levels of
compliance.
Grid BPS technology vendors and manufacturers operating in US markets should also take
immediate steps to determine how this EO would apply to their supply chains. This includes
solar and wind as well as battery storage equipment manufacturers with sourced equipment or
components from foreign adversaries, which arguably falls within the scope of the EO. While
many of the control systems used by US utilities are manufactured in Europe, ancillary
components and software applications produced by foreign adversaries such as China could fall
under the purview of DOE guidance as well.
Such supply chain exposure could become a barrier to accessing the US BPS market. The
disruption of physical supply chains could have downstream impacts as well, including potential
breaches of power purchase or other commercial agreements that depend on timely completion
of construction or maintenance activities.
By establishing an agency or governing body to develop specific criteria for BPS equipment and
assessing supply chain risk, the EO will require DOE to inject itself into the otherwise-simple
transactions between suppliers and producers. Increased oversight can and will likely impact
supply chains, procurement timelines, and project deliveries, especially as the initial security
assessments are conducted across all equipment providers. At this point, it is unclear exactly
how much authority this governing body will have and whether or not specific guidelines will be
issued to initially non-compliant suppliers to achieve authorization for equipment delivery.
To address the challenges above and prepare for the uncertain outcomes of this order,
Guidehouse recommends that vendor and equipment providers:
• Assess product portfolios: It is critical that technology vendors assess their product
portfolios to identify potential impacts on current and future business. Sales pipelines for
products that may be affected should be examined and adjusted accordingly.
• Review supply chain and component sourcing: Even if a specific product is not included
in the EO, grid equipment providers must conduct a full-scale review of their supply chain for
all product components to identify potential risks in procurement and production.
• Evaluate current contract risk: With the uncertainty surrounding this order and the 150-
day timeframe for further guidance, grid equipment providers must evaluate their current
contracts and understand where risks are assumed by the parties involved. If a contract
Page 5Securing the United States Bulk-Power System Executive Order –
Supply Chain Implications for Manufacturers
contains items included in this EO, vendors must prepare for disruption and should adjust
their risk assessment accordingly.
• Prepare for prequalification and the potential for non-qualification: A key pillar of the
EO is the establishment of a governing body that will identify and prequalify vendors and
equipment that are permitted to install on the BPS. Equipment suppliers must position
themselves and their products for prequalification and prepare to make necessary changes
to their supply chain if they are assessed as a potential security risk.
To discuss the impact of EO 13920 on your business, schedule a briefing with one of our
experts.
Page 6Securing the United States Bulk-Power System Executive Order –
Supply Chain Implications for Manufacturers
About Guidehouse and the Energy, Sustainability, and
Infrastructure Segment
Guidehouse is a leading global provider of consulting services to the public and commercial
markets with broad capabilities in management, technology, and risk consulting. We help clients
address their toughest challenges with a focus on markets and clients facing transformational
change, technology-driven innovation and significant regulatory pressure. Across a range of
advisory, consulting, outsourcing, and technology/analytics services, we help clients create
scalable, innovative solutions that prepare them for future growth and success. Headquartered
in Washington, DC, the company has more than 7,000 professionals in more than 50 locations.
Guidehouse is led by seasoned professionals with proven and diverse expertise in traditional
and emerging technologies, markets and agenda-setting issues driving national and global
economies. For more information, please visit: www.guidehouse.com.
© 2020 Guidehouse Inc. All rights reserved. This content is for general informational
purposes only, and should not be used as a substitute for consultation with professional
advisors. This publication may be used only as expressly permitted by license from
Guidehouse and may not be otherwise reproduced, modified, distributed, or used without
the expressed written permission of Guidehouse. Page 7You can also read
