The United States Department of Defense recently put out a Request for Information (RFI) regarding Executive Order 13920 (Securing the United States Bulk-Power System). While Finite State does not typically publish our RFI submissions, the urgency of this issue and the fact that these answers will be available to the public allow us to do so in this instance.

Among other things, the Executive Order:

“Prohibits any acquisition, importation, transfer, or installation of bulk-power system electric equipment which has a nexus with any foreign adversary and poses an undue risk to national security, the economy, or the safety and security of Americans” — energy.gov

 

Will prohibiting installation of equipment manufactured by foreign adversaries secure our bulk-power system?

It is our belief that simply banning equipment from foreign adversaries will not address or entirely prevent vulnerabilities within our critical infrastructure, and that it is imperative that we recognize the impact of a globalized economy on our supply chains. The reality is, if you look deeply enough every supply chain is at risk of compromise by potential adversaries.

Trying to solve this through vendor self reporting and lightweight 3rd-party risk assessments will never work. We need to move away from this trust-based model and focus on a robust, continuous, risk-based approach where every device, software application, and firmware update in the BPS is being screened for real threats and vulnerabilities.

Country of origin and geopolitical risk are but a few factors in a comprehensive supply chain risk management strategy. Supply chain security is a multi-faceted, strategic, global priority, and it requires a collaborative effort between vendors and asset owners. We’re proud to work with manufacturers and asset owners in the energy sector to ensure their firmware, devices, networks, and supply chains are safe.

 

Read Finite State’s Full Response:

Finite State – DOE RFI 2020-0028 Response