The world's most capable, rugged and secure
industrial control system...
Introducing Bedrock OSA® Remote
- Intrinsically-secure PLC and RTU control
- 10 or 20 channels of universal I/O
- Free IEC 61131-3 engineering software
- -40ºC to +80ºC temperature range
- Rugged, all-metal case 5.4 in x 8.9 in x 2.3 in
New Executive Order Bans Procurement of Some Electrical Devices from U.S. Adversaries
May 28, 2020
On May 1, 2020, President Trump declared a national emergency with respect to the threat to the U.S. bulk-power systems and issued an executive order prohibiting federal agencies and U.S. persons from acquiring, importing, transferring or installing certain electrical equipment used in bulk-power substations, control rooms, or power generating stations.
The prohibitions apply to equipment that is designed, developed, manufactured, or supplied by a foreign adversary or by anyone under the “control, direction, or jurisdiction” of such and where such equipment poses an unacceptable risk to national security and America’s safety.
In his recent Controlglobal.com blog, Joe Weiss, process control system security authority and ControlGlobal.com columnist, hails the Executive Order (EO) believing it will reopen the dialogue regarding security and policy issues among regulators, policymakers, manufacturers (OEMs) and owner/operators.
The EO defines foreign adversaries as any foreign government or non-government person engaged in a long-term pattern or serious instance of conduct “significantly adverse” to the national security of the United States or its allies.
“It is clear the Chinese, Russians, North Koreans, Iranians, etc. have been actively trying to hack into the U.S. grid and other critical infrastructures as well as the control system supply chains for many years. There are acknowledged supply chain issues with critical infrastructure equipment made in the U.S. as they often come with computer chips or software made in China, etc.,” writes Weiss.
Weiss says that government and public utility procurement rules often push organizations into buying lower-priced equipment without regard to origin or risk. He gives an example of a large bulk transmission transformer that was purchased from China and arrived with hardware back doors that were extraneous to the system design.
“Procuring a large electric transformer with hardware backdoors is much more significant than having keystroke loggers in Lenovo laptops. An attacker does not install backdoors into a transformer to steal data – you do that to cause damage,” he says.
Preventing that kind of damage is why, Weiss believes, the list of equipment in the EO is so exhaustive. He says it is also why network devices such as firewalls were not included “as they are ineffective with embedded hardware vulnerabilities that can initiate communications from inside the firewall-protected perimeter.”
The Executive Order defines bulk-power system electric equipment to include “items used in bulk-power system substations, control rooms, or power generating stations, including, reactors, capacitors, substation transformers, current coupling capacitors, large generators, backup generators, substation voltage regulators, shunt capacitor equipment, automatic circuit reclosers, instrument transformers, coupling capacity voltage transformers, protective relaying, metering equipment, high voltage circuit breakers, generation turbines, industrial control systems, distributed control systems, and safety instrumented systems.”
Weiss notes especially that the Oil and Natural Gas Subsector Coordinating Council is involved in developing the recommendations and evaluation related to the order, which demonstrates a real understanding of the complexity.
The EO also charges the DOE to develop a “pre-qualified” list of vendors to ensure that future equipment transactions are not in violation of the order; seeks to identify, isolate, monitor, or replace existing bulk-power system electric equipment presenting a security risk from foreign adversaries; and create a task force to update the Federal government’s acquisition regulations and to develop policy recommendations and issue reports.
August 27, 2020
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have urged critical infrastructure facilities to take […]
August 27, 2020
A second bit of ransomware code designed to target industrial control systems has emerged. Similar to the Megacortex malware that […]