DNI identifies Chinese transformers as cyber vulnerable risks yet DOE and industry ignore the threat

DNI Concerns

The Office of the US Director of National Intelligence (DNI)’s National Intelligence Council in their National Intelligence Estimate, Climate Change and International Responses Increasing Challenges to US National Security Through 2040 NIC-NIE-2021-10030-A. On page 6, DNI states: “Deployment of utility-scale solar and wind technologies in remote areas is likely to require ultra-high-voltage transmission lines to move the power to cities. China is the world’s leading supplier of advanced grid components for ultra-high-voltage systems, such as transformers, circuit breakers, and inverters, which we assess creates cyber vulnerability risks.”

Additional Concerns with Chinese Transformers

My respected colleague Mike Swearingen did a review of the US Department of Energy (DOE) Western Area Power Administration (WAPA) procurement specification for the JSHP Chinese transformer installed at WAPA’s Ault substation. In Mike’s experience, a transformer like the one WAPA ordered would normally cost $3.2 to $3.75 million while Doubletree Systems Inc. and JSHP’s successful bid totaled $2,478,000 - a cost savings of $800,000 to $1,200,000. Is it any wonder that utilities are still buying Chinese transformers and the suspension of Presidential Executive Order 13920 is leading to a less cyber secure grid?

Mike also noted the WAPA procurement specification did not require a representative to travel to the factory to observe key points in transformer construction, which would include a visit to the manufacturer’s facility to discuss the drawings and specifications, visiting after transformer core is complete before it is placed in the tank to ensure core construction meets the specifications, and the testing of the transformer upon completion. As part of the supply chain discussions, I am not aware of any industry standard for a utility’s electrical engineer to perform a factory visit/acceptance testing at the equipment vendor’s facility. Why is there a surprise that additional equipment may have been installed at the factory before the transformer was shipped to WAPA’s Ault substation? How wide-spread is this gap and what does it mean to the other approximately 300 large Chinese-made transformers installed in the US grid?

Lack of Concern by DOE and Industry

The discussions about the hardware backdoors in large Chinese transformers continue to be ignored or brushed aside by DOE and the utility industry (https://www.controlglobal.com/blogs/unfettered/comments-to-the-us-secretary-of-energys-advisory-board-on-lack-of-process-sensor-cyber-security/). As an example, DOE gave a presentation on Presidential Executive Order (EO) 14017 Cyber Supply Chain (the replacement of Presidential EO 13920 which was suspended) to the October 20-21, 2021, Meeting of the Electricity Advisory Committee. According to DOE, supply chain included:

- Firmware – The permanent software programmed into a read-only memory; provides the low-level control on a device for a device's specific hardware. Any component that has storage/memory or programmable controls operates firmware.

- Software – The applications that run on a system, that perform functions and process data.

- Virtual Platforms and Services – Cloud-based platforms, on the internet or on premise, that run applications, perform services, and store data.

- Data – The information used as inputs and outputs into processes and functions operated by software.

However, hardware supply chain issues were neither identified nor addressed. As identified in Presidential EO13920, the hardware backdoors won’t be found by network monitoring.

Another example, this time by the industry, is the response to the complaint filed by Michael Mabee to the Federal Energy Regulatory Commission (FERC) on Chinese hardware in the US electric grid. (https://www.controlglobal.com/blogs/unfettered/formal-response-to-ferc-complaint-el21-99-000-on-chinese-equipment-in-the-us-grid). Even though Michael documented 158 bills of lading for Chinese hardware in the US grid, the North American Electric Reliability Corporation’s (NERC’s) response was to throw the complaint out on a technicality. Whose side is NERC on?

Potential Financial Impacts

May 6, 2020, Moody’s published the following: “On May 1, US President Donald Trump signed an executive order titled Securing the United States Bulk-Power System, a credit positive for US electric utilities because it addresses some of the cybersecurity risks that relate to the supply chain”. The hardware cyber vulnerabilities haven’t changed even though EO 13920 was superseded by EO 14017 which doesn’t address hardware vulnerabilities. Civil penalties are on the rise from cyberattacks and insurance coverage continues to be reassessed. Will the initial transformer savings be worth potential civil and/or regulatory enforcement actions if the Chinese transformers cause damage to the grid and public? What about insurance issues?

Potential Grid Impacts

Just in the U.S., there are more than 300 large Chinese transformers in the U.S. electric grid and more on order. Chinese transformers provide approximately 10% of the power to New York City and almost 20% of the power to Las Vegas. From a clean energy perspective, Chinese transformers are in use or on order for solar and wind farms. There has no clear understanding of what compromised transformers would mean to grid operation.

Summary

A DNI National Intelligence Estimate states: “Deployment of utility-scale solar and wind technologies in remote areas is likely to require ultra-high-voltage transmission lines to move the power to cities. China is the world’s leading supplier of advanced grid components for ultrahigh-voltage systems, such as transformers, circuit breakers, and inverters, which we assess creates cyber vulnerability risks.” The threat to the grid (not just in the US) from Chinese equipment with hardware backdoors should not be minimized. Exacerbating this issue is that Chinese transformers are cheaper than North American-made transformers, there are no industry requirements to monitor the manufacturing of this Chinese equipment, and Presidential Executive Order 13920 to prevent the use of Chinese equipment in the US grids was suspended and not replaced in-kind. At the November 3, 2021 Infragard National Disaster Resilience Council (NDRC) Conference, Paul Stockton discussed what he called “Coercive Information Operations”. This is where the Chinese would use targeted disinformation and cyberattacks to inhibit the US from responding to potential Chinese aggression in Asia. The impacts do not have to address the entire US grid. Think about the dependency in New York City and Las Vegas to Chinese transformers. The hardware backdoors could be preparing the way for those attacks. Yet, DOE and industry have chosen to focus on software and networks, ignoring hardware vulnerabilities. Are the utilities willing to accept the financial risks accruing from these hardware vulnerabilities?

Joe Weiss