DNI identifies Chinese transformers as cyber vulnerable risks yet DOE and industry ignore the threat
DNI Concerns
The Office of the US Director of National Intelligence (DNI)’s National Intelligence Council published the National Intelligence Estimate, Climate Change and International Responses Increasing Challenges to US National Security Through 2040 (NIC-NIE-2021-10030-A). On page 6, DNI states: “Deployment of utility-scale solar and wind technologies in remote areas is likely to require ultra-high-voltage transmission lines to move the power to cities. China is the world’s leading supplier of advanced grid components for ultra-high-voltage systems, such as transformers, circuit breakers, and inverters, which we assess creates cyber vulnerability risks.”
Additional Concerns with Chinese Transformers
My respected colleague Mike Swearingen did a review of the US Department of Energy (DOE) Western Area Power Administration (WAPA) procurement specification for the JSHP Chinese transformer installed at WAPA’s Ault substation. In Mike’s experience, a transformer like the one WAPA ordered would normally cost $3.2 to $3.75 million while Doubletree Systems Inc. and JSHP’s successful bid totaled $2,478,000 - a cost savings of $800,000 to $1,200,000. Is it any wonder that utilities are still buying Chinese transformers and the suspension of Presidential Executive Order 13920 is leading to a less cyber secure grid?
Mike also noted the WAPA procurement specification did not require a representative to travel to the factory to observe key points in transformer construction, which would include a visit to the manufacturer’s facility to discuss the drawings and specifications, a visit after the transformer core is complete but before it is placed in the tank to ensure core construction meets the specifications, and the testing of the transformer upon completion. As part of the supply chain discussions, I am not aware of any industry standard for a utility’s electrical engineer to perform a factory visit/acceptance testing at the equipment vendor’s facility. Why is there a surprise that additional equipment may have been installed at the factory before the transformer was shipped to WAPA’s Ault substation? How widespread is this gap and what does it mean to the other approximately 300 large Chinese-made transformers installed in the US grid?
Lack of Concern by DOE and Industry
The discussions about the hardware backdoors in large Chinese transformers continue to be ignored or brushed aside by DOE and the utility industry (https://www.controlglobal.com/blogs/unfettered/comments-to-the-us-secretary-of-energys-advisory-board-on-lack-of-process-sensor-cyber-security/). As an example, DOE gave a presentation on Presidential Executive Order (EO) 14017 Cyber Supply Chain (the replacement of Presidential EO 13920 which was suspended) to the October 20-21, 2021, Meeting of the Electricity Advisory Committee. According to DOE, supply chain included:
- Firmware - The permanent software programmed into a read-only memory; provides the low-level control on a device for a device's specific hardware. Any component that has storage/memory or programmable controls operates firmware.
- Software - The applications that run on a system, that perform functions and process data.
- Virtual Platforms and Services - Cloud-based platforms, on the internet or on premise, that run applications, perform services, and store data.
- Data - The information used as inputs and outputs into processes and functions operated by software.
However, hardware supply chain issues were neither identified nor addressed. As identified in Presidential EO 13920, the hardware backdoors won’t be found by network monitoring.
Another example, this time by the industry, is the response to the complaint filed by Michael Mabee to the Federal Energy Regulatory Commission (FERC) on Chinese hardware in the US electric grid (https://www.controlglobal.com/blogs/unfettered/formal-response-to-ferc-complaint-el21-99-000-on-chinese-equipment-in-the-us-grid). Even though Michael documented 158 bills of lading for Chinese hardware in the US grid, the North American Electric Reliability Corporation’s (NERC’s) response was to throw the complaint out on a technicality. Whose side is NERC on?
Potential Financial Impacts
On May 6, 2020, Moody’s published the following: “On May 1, US President Donald Trump signed an executive order titled Securing the United States Bulk-Power System, a credit positive for US electric utilities because it addresses some of the cybersecurity risks that relate to the supply chain”. The hardware cyber vulnerabilities haven’t changed even though EO 13920 was superseded by EO 14017, which doesn’t address hardware vulnerabilities. Civil penalties are on the rise from cyberattacks and insurance coverage continues to be reassessed. Will the initial transformer savings be worth potential civil and/or regulatory enforcement actions if the Chinese transformers cause damage to the grid and public? What about insurance issues?
Potential Grid Impacts
Just in the U.S., there are more than 300 large Chinese transformers in the electric grid and more on order. Chinese transformers provide approximately 10% of the power to New York City and almost 20% of the power to Las Vegas. From a clean energy perspective, Chinese transformers are in use or on order for solar and wind farms. There is no clear understanding of what compromised transformers would mean to grid operation.
Summary
A DNI National Intelligence Estimate states: “Deployment of utility-scale solar and wind technologies in remote areas is likely to require ultra-high-voltage transmission lines to move the power to cities. China is the world’s leading supplier of advanced grid components for ultrahigh-voltage systems, such as transformers, circuit breakers, and inverters, which we assess creates cyber vulnerability risks.” The threat to the grid (not just in the US) from Chinese equipment with hardware backdoors should not be minimized. Exacerbating this issue is that Chinese transformers are cheaper than North American-made transformers, there are no industry requirements to monitor the manufacturing of this Chinese equipment, and Presidential Executive Order 13920 to prevent the use of Chinese equipment in the US grids was suspended and not replaced in-kind. At the November 3, 2021 Infragard National Disaster Resilience Council (NDRC) Conference, Paul Stockton discussed what he called “Coercive Information Operations”. This is where the Chinese would use targeted disinformation and cyberattacks to inhibit the US from responding to potential Chinese aggression in Asia. The impacts do not have to address the entire US grid. Think about the dependency of New York City and Las Vegas on Chinese transformers. The hardware backdoors could be preparing the way for those attacks. Yet, DOE and industry have chosen to focus on software and networks, ignoring hardware vulnerabilities. Are the utilities willing to accept the financial risks accruing from these hardware vulnerabilities?
Joe Weiss