Emergency Executive Order 13920 – Response to a real nation-state cyberattack against the US grid

May 11, 2020
Executive Order (EO) 13920 was issued through emergency powers to address a real nation-state cyberattack against the US bulk electric system. Additionally, Moody’s issued their analysis of the EO implying if the utilities choose not to address the EO, the impact on their credit ratings will be commensurate. Unfortunately, the NERC CIP process is not capable of addressing this real threat.

This is a follow-up to my May 4th blog on Presidential Executive Order 13920 - https://www.controlglobal.com/blogs/unfettered/an-assessment-of-presidential-executive-order-13920-securing-the-united-states-bulk-power-system/

The Executive Order (EO) was issued through emergency powers to address a real nation-state cyberattack against the US bulk electric system. The EO is necessary to not only provide the needed cyber security and safety that has been missing from the NERC CIP process and plug the holes in the NERC Supply Chain Program, but to address a real current threat to our country. The NERC CIPs have missed the problems described below and effectively prevented the right people and expertise from being involved which can preclude cyber events (malicious or unintentional) from even being identified. This cannot be allowed to continue.

It is clear the Chinese, Russians, North Koreans, Iranians, etc. have been actively trying to hack into the US grid and other critical infrastructures as well as the control system supply chains for many years. There are acknowledged supply chain issues with critical infrastructure equipment made in the US as they often come with computer chips or software made in China, etc.

The first nation state attack against the US grid is when the Chinese tried to hack into the California Independent System Operator (CA ISO) in 2001. The first case of hacking the control system vendor supply chains were in the 2010-2012 timeframe by China and Russia. The Russians have been in our US grids since 2014. The Chinese were producing counterfeit transmitters in the 2014 timeframe and the counterfeits made their way into North America in the 2018-19 timeframe. Supply chain attacks from China are not just aimed at the US. I participated in an international power engineering conference where the Chief Engineer from the Power Grid of China described how they were hit by supply chain attacks from within China!

So why the EO now?  Government and public utility procurement rules often push organizations into buying equipment due to price and without regard to origin or risk. In this case, it resulted in a utility having to procure a very large bulk transmission transformer from China. When the Chinese transformer was delivered to a US utility, the site acceptance testing identified electronics that should NOT have been part of the transformer – hardware backdoors. That transformer now resides at a government installation. That is why the EO stated: “The Secretary, in consultation with the heads of other agencies as appropriate, may establish and publish criteria for recognizing particular equipment and particular vendors in the bulk-power system electric equipment market as pre-qualified for future transactions; and may apply these criteria to establish and publish a list of pre-qualified equipment and vendors”  Procuring a large electric transformer with hardware backdoors is obviously much more significant than having keystroke loggers in Lenovo laptops. An attacker does not install backdoors into a transformer to steal data - you do that to cause damage. It is unclear just how widespread the impact of compromised transformers and other grid equipment are though it is safe to say it is more than just one transformer. Could this be considered an act of war? What does this mean to the 5G discussions about Chinese technology that could affect the electric grid?

The need for having spare transformers started almost 20 years ago because it was recognized these very expensive, long-term procurement items could have a major impact on grid availability. However, unless the devices that are inside or supporting the operation of the transformers (and generators, motors, valves, capacitor banks, etc.) are also addressed, the pool of spare transformers and other large equipment can be quickly exhausted by damaging the equipment from “within”. As I supported the US Department of Defense (DOD) on the Aurora hardware mitigation program, I am well aware of Aurora and Aurora-type events. Remotely accessing the protective relays can cause an Aurora event damaging the transformer and AC rotating equipment such as generators and motors connected to that substation. What the Chinese did was install hardware backdoors that can cause an Aurora or other type of damaging event at a time of their choosing. This is why the list of equipment in the EO is so exhaustive. It also why network devices such as firewalls were not included as they are ineffective with embedded hardware vulnerabilities that can initiate communications from inside the firewall-protected perimeter. It is also why this EO was issued through emergency powers. Addressing this problem requires Engineering to be the lead to address the equipment and devices identified in the EO, not the CISO or OT security organizations, though they should be involved as needed. It also requires changes in procurement requirements.

Why are we still buying this critical equipment from China? What does it take to start making them domestically again? Addressing the supply chain is not intractable, but it takes work. For those that cannot assure the supply chain, appropriate monitoring will be key. There is at least one control system vendor, Bedrock Automation (I am on their Technical Advisory Board) that owns their supply chain as they are a spin-off of Maxim Semiconductor. Consequently, securing the supply chain can be done. Work being done by GE and others on advanced equipment monitoring using technology like Digital Ghost can help though there still needs to be monitoring of the sensor and sensing networks independent of the Ethernet Windows displays (more to say in future blogs).

On a separate front, May 6, 2020, Moody’s issued their analysis of the EO. The Moody’s assessment stated: “US electric utilities will benefit from cybersecurity measures in executive order”. What the Moody’s report implies is if the utilities choose not to address the EO, the impact on their credit ratings will be commensurate.

The EO is necessary to address a real and existing threat. There are financial, technical, and societal needs to embrace the EO. And they have to start now.

Joe Weiss