President Donald Trump on Friday issued an executive order barring federal agencies and companies under U.S. jurisdiction from installing foreign-owned equipment in the electric sector that might pose “an unacceptable risk to national security.”
The sweeping directive authorizes Trump’s energy secretary, Dan Brouillette, to work with U.S. national security agencies and the energy industry to vet equipment before it gets installed, and to identify vulnerable gear already in place. It is the latest move by the administration to clamp down on foreign-sourced software and hardware, following an order last year covering U.S. companies’ procurement of telecommunications gear.
The new executive order covers equipment procured and installed in the “bulk-power system” — or infrastructure used in electricity generation and transmission, and generally not distribution. “Foreign adversaries are increasingly creating and exploiting vulnerabilities” in that system, including through “malicious cyber activities,” Trump said in the order.
One of the more notable hacking operations to target the U.S. energy sector was a multi-year campaign by alleged Russian government-backed hackers to gather information on control-system software used in the sector. The hackers did not disrupt any of the control systems or affect power flow, but it was a shot across the bow that the Trump administration blamed Moscow for in 2018.
U.S. utilities have long had supply-chain security programs in place to address hacking threats. But the executive order looks to add another layer to those programs.
The directive allows Brouillette to develop a list of criteria that vendors would meet to demonstrate their products are “pre-qualified” for use in the U.S. bulk-power system. It also authorizes him to identify what vulnerable equipment is already in the field and figure out how to get it removed or otherwise remediated.
In a statement, Brouillette said the order would cut down on foreign adversaries’ ability to target U.S. electric infrastructure. Multiple hacking groups have probed the equipment vendors that supply electric utilities around the world, including in the U.S. That includes the group behind the Trisis malware that shut down a Saudi petrochemical plant in 2017.
“Current government procurement rules often result in contracts being awarded to the lowest-cost bids, a vulnerability that can be exploited by those with malicious intent,” the Department of Energy said in a statement.