Large electric transformers are subject to cyber attacks which can cause outages of months to years

On April 25, 2019, E&E News reporters wrote “China and America's 400-ton electric albatross”. According to the article, the transformer itself is not at risk from a cyber attack. Instead, components added to transformers, such as monitoring devices and remote sensors, could open the door to hacking.

According to the E&E article, if those devices are tampered with, it could have a significant cyber impact. For example, a false alarm signaling the need for maintenance or replacement of a "smart" transformer could pose a hazard. So could manipulating "tap changers" that set voltage levels, or the temperature gauges that trigger fans. A hacker could cause a digitized transformer to overheat. Damaging large transformers can lead to very long outages (months to even years), which is why the industry is stockpiling large transformers. However, even transporting large transformers can be problematic, as they are too big to go over or under many highway or railroad bridges.

There is no cyber security or authentication in process sensors, actuators or drives. On July 22, 2018, I wrote a blog, Renewable resources can increase cyber threats (www.controlglobal.com/blogs/unfettered/renewable-resources-can-increase-cyber-threats): “The switchyard (substation) is the same for any power plant as the switchyard does not distinguish what has generated the voltage. The transformers in the switchyard for any type of power plant can include sensors for monitoring load tap changer positions, bushing monitors, gas analyzers, and winding temperatures. None of these sensors are cyber secure nor are the current transformers (CTs) and potential transformers (PTs) providing input to the transformer protection systems (process sensors are outside scope for the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards). Since the input to the SCADA system has no security, how can the SCADA system be secure?”

Is this a real concern? According to the E&E article, “A deliberately faulty or booby-trapped component has yet to be uncovered in any Chinese equipment, whether in hardware or software.” That is not true. I was on a panel session when a presentation was made by a representative from China discussing cyber-related incidents that affected their grid, including more than 100 Disturbance Recorder malfunctions due to logic bombs installed at the factory in China. As there are no cyber security forensics at the sensor level and a cyber attack could look like a malfunction, how do we know that transformer failures that have occurred to date weren’t cyber-related?

Cyber threats to transformers are not just from “traditional” hacking. The Aurora vulnerability also can damage transformers. My September 22, 2016 blog, www.controlglobal.com/blogs/unfettered/the-use-of-protective-relays-as-an-attack-vector-the-cyber-vulnerability-of-the-electric-grid, demonstrates that the Aurora mitigation device can be hacked to cause an Aurora event and damage transformers as well as Alternating Current (AC) rotating equipment such as generators and induction motors. Given the need for transformer protection, one would expect the Federal Energy Regulatory Commission (FERC), NERC, and the utilities to focus on credible cyber threats to these large critical pieces of equipment. However, sensors, actuators, and drives are out of scope for the NERC CIPs. Moreover, very few utilities have installed the Aurora hardware mitigation as defined by NERC. If transformers are so critical, why is appropriate cyber protection being ignored?

As an aside, on April 25, 2019, I gave a presentation at the DHS ICSJWG Spring Conference in Kansas City on the lack of cyber security in sensors. There were no discussions of the Aurora vulnerability and my presentation was the only one dealing with sensors (I will have a separate blog on my observations from the DHS ICSJWG Conference).

Joe Weiss