Last week, the Biden Administration through the Department of Energy, took actions regarding Executive Order 13920 (the “Bulk Power Order”). Such actions effectively established a clean slate for how the Biden Administration will implement the Trump-Era order. This article summarizes the timeline of the Bulk Power Order since its issuance last year, including the actions taken by the Biden Administration last week, and the Biden Administration’s initiatives going forward.

Timeline

  • On May 1, 2020, former President Trump issued the Bulk Power Order, which prohibited certain transactions involving bulk-power system electric equipment manufactured or supplied by persons owned by, controlled by, or subject to the jurisdiction of a foreign adversary that poses an undue risk of catastrophic effects on the security or resiliency of U.S. critical infrastructure or the national security of the U.S.[1]
  • On December 17, 2020, pursuant to the authority granted to it under the Bulk Power Order, the DOE issued a “Prohibition Order” which prohibited the acquisition, importation, transfer, or installation of specified bulk-power system electric equipment that is from the Peoples Republic of China and that directly serves Critical Defense Facilities.[2] The Prohibition Order expressly prevented utilities from procuring from China certain bulk-power system electric equipment that directly serves facilities that are (1) critical to the defense of the United States and (2) are vulnerable to a disruption of the supply of electric energy provided to such facility by an external provider.[3]
  • On President Biden’s inauguration day (January 20, 2021), the Biden Administration suspended the Bulk Power Order for 90 days, which effectively also suspended the Prohibition Order.
  • On April 20, 2021, (A) the Biden Administration’s suspension of the Bulk Power Order ended such that Bulk Power Order resumed effect, and (B) the Biden Administration took the following actions: (1) it entirely revoked the Prohibition Order, (2) it announced a new cybersecurity initiative, and (3) it released an RFI seeking input from energy industry stakeholders to inform future recommendation for supply chain security in the US energy systems.

The Cybersecurity Initiative and RFI:

On April 20, 2021, DOE announced an initiative to “enhance the cybersecurity of electric utilities industrial systems and secure the energy sector supply chain.”[4] Referring to this as the “100-day plan”, the initiative will be a coordinated effort among the DOE, electric utilities and the US Cybersecurity and Infrastructure Security Agency and is intended to enhance the security of facilities, systems, networks, and software.

Specifically, the initiative will modernize cybersecurity defenses and will:

  • Encourage owners and operators to implement measures or technology that enhance their detection, mitigation and forensic capabilities;
  • Include concrete milestones over the next 100 days for owners and operators to identify and deploy technologies and systems that enable near real time situational awareness and response capabilities in critical industrial control system (ICS) and operational technology (OT) networks;
  • Reinforce and enhance cybersecurity posture of critical infrastructure information technology (IT) networks; and
  • Will include a voluntary industry effort to deploy technologies to increase visibility of threads in ICS and OT systems.[5]

Concurrently with the Cybersecurity Initiative, the DOE issued a request for information (RFI) seeking input from energy industry stakeholders to inform future recommendations for supply chain security in the US energy systems.[6] Comments received in response to the RFI are expected to help the DOE “evaluate new executive actions to further secure the nation’s critical infrastructure against malicious cyber activity and strengthen the domestic manufacturing base.”[7]

The RFI requests information and recommendations as to how to best develop a comprehensive long-term strategy geared towards addressing “pervasive and ongoing grid security risks” and notes that attention is also needed to mitigate the risks associated with potentially compromised grid equipment that has already been installed on the system.

The revocation of the Prohibition Order, the announcement of a new Cybersecurity Initiative, and the issuance of the RFI effectively take the Bulk Power Order back to square one and give the Biden Administration a fresh start when it comes to addressing energy infrastructure security.