On December 17, 2020, the US Department of Energy (“DOE”) issued a “Prohibition Order Securing Critical Defense Facilities“ (the “Prohibition Order”) pursuant to authority granted to the Secretary of Energy by Executive Order 13920 (the “BPS EO“). As of January 16, 2021, the Prohibition Order prohibits certain electric utilities that serve certain defense facilities from acquiring, importing, transferring, or installing identified bulk-power system (“BPS”) equipment and related software produced or supplied by entities subject to China’s ownership, control, or influence. The Prohibition Order is limited in scope and only applies to certain utilities and a subset of BPS equipment that has a nexus to China, although DOE is anticipated to engage in additional rulemaking in the near future.
The DOE’s Prohibition Order is part of a larger effort by the US Government to implement supply-chain security measures that are likely to continue with the Biden Administration. On January 19, 2021, the US Commerce Department published interim final rules to implement Executive Order 13873 related to “Securing the Information and Communications Technology and Services Supply Chain.” We previously blogged about the implementation of that Order here and here. On the same date, the Trump Administration issued Executive Order 13984 related to “Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities.”
Background
The Prohibition Order represents the first implementation of the BPS EO, which aims to prevent “foreign adversaries” from exploiting vulnerabilities in the US bulk-power system in furtherance of US national security. Our prior blog post on the BPS EO is available here. On July 8, 2020, DOE published a “Request for Information“ (the “RFI”) soliciting public comments on the implementation of the BPS EO. The RFI identified China, Cuba, Iran, North Korea, Russia, and Venezuela as “foreign adversaries” for purposes of the BPS EO whose advanced cyber capabilities pose a significant threat to the US BPS and other critical infrastructure. The Prohibition Order reflects the US Government’s focus on China’s military strategy of “system destruction warfare,” in which electronic warfare and cyber-capabilities are used at the onset of conflict to disrupt an opponent’s command and control, communications, and infrastructure networks.
Covered Utilities
The Prohibition Order’s restrictions apply to a limited number of “Responsible Utilities” that own or operate “Defense Critical Electric Infrastructure” (“DCEI”) that services “Critical Defense Facilities” (“CDFs”), as defined in the Federal Power Act, at a voltage level of 69kV or higher. CDFs are facilities designated by the Secretary of Energy that are “located in the 48 contiguous states and the District of Columbia that are (1) critical to the defense of the United States; and (2) vulnerable to a disruption of the supply of electric energy provided to such facility by an external provider.” The Prohibition Order only covers the portion of a Responsible Utility’s system from the point of electrical interconnection to the CDF up to and including the next “upstream” transmission substation. DOE will notify covered utilities of their Responsible Utility status.
Prohibited Transactions
Responsible Utilities are prohibited from acquiring, importing, transferring, or installing any of the BPS electric equipment identified in Attachment 1 of the Prohibition Order (“Regulated Equipment”) that is (1) “manufactured or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the People’s Republic of China” and (2) is for use by the Responsible Utility as a component of its DCEI serving the CDF. Digital components, software, and firmware used to control the operation of Regulated Equipment and that are manufactured or supplied by persons owned by, controlled by, or subject to the influence of China are also considered Regulated Equipment. Regulated Equipment covered by the Prohibition Order fall within the definition of BPS equipment used in the BPS EO, but are limited to a subset of such BPS equipment.
Responsible Utility Certification Requirements
The Prohibition Order requires each Responsible Utility to submit an initial certification to DOE by February 15, 2021 that it has designated, or taken all reasonably available actions to designate, each CDF as a priority load in the applicable system load shedding and restoration plans. Responsible Utilities must submit a second certification by March 17, 2021, and once every three years thereafter, certifying that the Responsible Utility has not engaged in any Prohibited Transactions and that the Responsible Utility has an internal monitoring process to track its compliance with the Prohibition Order. The Secretary of Energy has the authority to waive “any term” of the Prohibition Order “for good cause shown.”
Additional BPS Measures Possible in 2021
Utilities and BPS suppliers should prepare for additional DOE measures to implement the BPS EO in the near future. The DOE’s webpage for the BPS EO references a notice of proposed rulemaking that is anticipated to be issued in connection with the RFI, which identified several additional countries as “foreign adversaries” for purposes of the BPS EO as described above. Recent major cybersecurity incidents have highlighted the significant national security risks presented by cybersecurity vulnerabilities and may cause implementation of the BPS EO to be expedited. Utilities and BPS suppliers should continue to evaluate their supply chain exposure to BPS equipment supplied or produced by “foreign adversary” entities in anticipation of additional BPS actions.