Supply Chain Council of European Union | Scceu.org
News

Power Companies Brace For Supply Chain Shake-Up From New Cyber Rules

Many electricity companies and vendors are holding their breath as the Trump administration finalizes new limits on foreign equipment in an effort to bolster the U.S. power grid’s cybersecurity.

The May 1 executive order to cut reliance on suppliers from countries like China leaves in a lurch power companies that rely on global supply chains for equipment, company officials and lawyers say. Some firms in recent weeks have urged the Energy Department to clarify its new restrictions as the agency prepares to roll out proposed rules this fall.

The pending regulations have pushed some power companies to re-evaluate suppliers’ connections to foreign governments, they say, adding a wrinkle to procurement and raising the specter of unforeseen costs down the road.

Many U.S. power companies rely on equipment like transformers, turbines and generators, in addition to component parts in such products, from foreign vendors. Company officials and lawyers say that rejiggering those supply chains and replacing existing parts or contracts could take time and money.

“The industry has significant concern over the outcome from [the Energy Department] regarding replacement of assets already in production and how that will be funded,” said
Steve Swick,
chief security officer for
American Electric Power
Co.
“Until we know what the stance will be on replacement, we cannot calculate the cost to us or the industry as a whole.”

Company officials and attorneys say the power industry generally supports President Trump’s move to address cyber threats, which mirrors his order on foreign telecom firms such as Chinese-owned Huawei Technologies Co. Global supply chains in which vendors might have offices, manufacturing facilities and financial backers in separate countries give attackers more potential ways into the U.S. power grid, according to cybersecurity experts.

But details on what the Trump administration order means in practice, including the level of foreign government connections to a supplier that would cause concerns, were initially scant.

Federal officials in recent months held a series of virtual meetings and issued guidance to clarify the types of equipment under scrutiny, such as transformers, capacitors and circuit breakers, in addition to countries of interest. The list of adversaries includes Venezuela, North Korea, Iran, Cuba, China and Russia.

“Russia and China particularly are aggressively advancing their cyber capabilities to degrade critical electricity, communications, transportation, and other sectors essential to our national defense,”
Charles Kosak,
a deputy assistant secretary in the agency’s Office of Electricity, said on a May conference call.

A senior Energy Department official said the agency and the industry have had a productive relationship this summer as regulators gauge the extent to which they will vet suppliers from such countries. Officials tried to emphasize that they wouldn’t focus on ripping and replacing existing equipment as many companies fear, he said.

The agency is evaluating feedback from a public comment period that ended in August, during which power companies shared information about their cybersecurity efforts and raised questions about the order. The Energy Department is on track to meet an end-of-September target date for rule proposals, the official said.

The security team at Columbus, Ohio-based American Electric Power has been assessing foreign ownership, control and involvement in its thousands of vendors in anticipation of the final rules, Mr. Swick said.

Other companies have re-evaluated investments in equipment from China, said
Keith Martin,
co-head of projects at law firm Norton Rose Fulbright US LLP. Lenders also have begun requiring the companies behind new energy projects to fund any future costs of replacing equipment that might be banned by the order, said Mr. Martin, who specializes in financing such development.

“Talking to the Department of Energy has been very frustrating,” he said.

More From WSJ Pro Cybersecurity

Some companies and trade groups focusing on renewable energy shared that frustration in comments on the order filed last month.

The Business Council for Sustainable Energy warned of “significant regulatory uncertainty and cost of compliance.” Sungrow Power Supply Co., a Chinese-owned producer of solar inverters that has U.S. headquarters in San Francisco, called for “urgent clarifications.”

Japanese firm
Hitachi
Ltd.,
which has a segment focused on digitized solutions for the power grid, urged Energy Department regulators to hew close to existing benchmarks from the North American Electric Reliability Corp., a nonprofit that sets performance standards and audits power facilities under the Federal Energy Regulatory Commission.

NERC has been coordinating with the Energy Department as it prepares for Oct. 1 implementation of its own new supply chain standards, which focus on processes for limiting cyber risks, Chief Engineer
Mark Lauby
said.

“This is all about acquiring new equipment,” Mr. Lauby said, adding that NERC won’t specify products or suppliers as the Energy Department is expected to do. “There’s still the whole issue around legacy equipment that we’re working on.”

Write to David Uberti at david.uberti@wsj.com

Related posts

Technology in the supply chain – does it threaten jobs? | Technology

scceu

International Orgs Rally To Preserve COVID-19 Supply Chain

scceu

MineHub adds BHP, China Baowu to blockchain-based supply chain platform

scceu

Leave a Comment