WASHINGTON, D.C. – Today, U.S. Senators Angus King and Joe Manchin (W-Va.), members of the Senate Energy and Natural Resources Committee, sent a letter to the North American Electric Reliability Corporation (NERC) requesting information about NERC’s efforts to protect the United States’ bulk power system from supply chain vulnerabilities, particularly those posed by vendors from Russia and China.

The letter was motivated by Senator King’s questioning of NERC CEO James Robb in a February 14th committee hearing, inquiring whether Huawei, ZTE, or Kaspersky technology was located anywhere within the American electricity grid.

Sen. King:  “Okay let me as another question. Do any of our utilities have Kaspersky, Huawei, or ZTE equipment in their system?”

Mr. Robb: “We issued a NERC alert.”

Sen. King: “I didn’t ask you if you issued an alert. I asking you do any of our utilities have ZTE, Huawei, or Kaspersky equipment or software in their system?”

Mr. Robb: “Not to my knowledge.”

Sen. King: “Not to your knowledge. Have you surveyed any of the utilities to determine that? ”

Mr. Robb: “Uhhh, I don’t believe we have.”

Sen. King: “I think that would be a good idea don’t you?”

The letter reads, in part:

“We are deeply concerned about companies from Russia and China in light of recent statements by the Director of National Intelligence, Daniel Coats. Director Coats noted that ‘China and Russia are more aligned than at any point since the mid-1950s, and the relationship is likely to strengthen in the coming year.’ China, according to Director Coats, has the potential to take down a natural gas pipeline, and Russia has the ability to disrupt an electrical distribution network. Unfortunately, China and Russia ‘have significantly expanded their cooperation, especially in the energy, military and technology spheres, since 2014.’”

As a member of both the Senate Energy and Natural Resources (ENR) Committee and Senate Intelligence Committee, Senator King been an outspoken advocate for cybersecurity and grid resiliency. In a February ENR hearing, Senator King emphasized the need for urgent action, and questioned NERC President and CEO James Robb about the dangers of foreign equipment in America’s energy grid. He has also led the bipartisan effort to protect U.S. energy infrastructure from potential cyberattacks by introducing the Securing Energy Infrastructure Act, which would partner with industry to utilize engineering concepts to remove vulnerabilities that could allow hackers to access the grid through holes in digital software.

NERC is an international regulatory authority responsible for assuring the effective and efficient reduction of risks to the reliability and security of the North American electric grid. NERC is the electric reliability organization (ERO) for North America, subject to oversight by the Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. NERC's jurisdiction includes users, owners, and operators of the bulk power system, which serves more than 334 million people.

The full letter is below and is available HERE.

+++

Dear Mr. Robb:

We write to request information regarding the North American Electricity Reliability Corporation’s (NERC) efforts to protect the reliability of the nation’s bulk power system from supply chain vulnerabilities, particularly those posed by vendors from Russia and China.  The Energy Policy Act of 2005 (PL 109-58) and subsequent Federal Energy Regulatory Commission certification in 2006 require NERC to establish and enforce reliability standards for the bulk power system. 

We are deeply concerned about companies from Russia and China in light of recent statements by the Director of National Intelligence, Daniel Coats.  Director Coats noted that “China and Russia are more aligned than at any point since the mid-1950s, and the relationship is likely to strengthen in the coming year.”[1]  China, according to Director Coats, has the potential to take down a natural gas pipeline, and Russia has the ability to disrupt an electrical distribution network.  Unfortunately, China and Russia “have significantly expanded their cooperation, especially in the energy, military and technology spheres, since 2014.”[2]      

The federal government has taken some action.  On September 13, 2017, the Department of Homeland Security (DHS) issued a Binding Operational Directive[3] which barred products from the Russia-based Kaspersky cybersecurity firm from being used across all federal government information systems.  DHS explained its actions by noting that the “Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”[4]  We understand NERC alerted its members immediately after DHS issued its release of the risks posed by using Kaspersky products.

With respect to specific Chinese companies, the statement of an ally is telling.  The Director-General of the Australian Signal’s Directorate, Mr. Michael Burgess, noted that Australia banned Chinese companies Huawei and ZTE from being able to participate in Australia’s new 5G mobile network because such participation would prevent the electricity grid and other infrastructure from being protected.[5]  The Federal Communications Commission has proposed action that would discourage Huawei and ZTE’s participation in our nation’s new 5G network.[6]  Finally, Congress acted in the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (PL 115-232), effectively banning Huawei and ZTE from all federal contracts for telecommunications equipment or services, and effectively prohibiting Huawei and ZTE from doing business with U.S. government contractors.[7]             

We fear the same risks posed to the country’s federal agencies and departments, telecommunications networks, and military assets also threaten to impair the reliability of our nation’s energy infrastructure.  As a result, we request answers to the following questions:

1. Since August 2017, has NERC undertaken efforts to determine whether the bulk power system includes any components or software provided by Kaspersky, ZTE, or Huawei?  If so, what were the results?  If not, why not?

1. Has NERC issued guidance or recommendations to the users, owners, and operators of the bulk power system for mitigating the potential risks posed by components or software provided by Kaspersky, ZTE or Huawei? 

1. What are NERC’s next steps to mitigate the potential risks posed by components or software from Kaspersky, ZTE or Huawei?  

Your assistance in this matter will continue to ensure the reliability of our nation’s energy assets, which are critical to the safety, security, and economic well-being of the country.  Please provide your response to this letter within 30 days.  We would be pleased to receive your response in either a letter or a private briefing. 

Thank you for your consideration.

[1] https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf

[2] Ibid.

[3] https://cyber.dhs.gov/bod/17-01/

[4] https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01

[5] https://www.theguardian.com/australia-news/2018/oct/30/huawei-poses-security-threat-to-australias-infrastructure-spy-chief-says

[6] https://docs.fcc.gov/public/attachments/FCC-18-42A1.pdf

[7] PL 115-232