Presidential Executive Order (EO) 13920 was issued not as a whim but because the Chinese effectively did a “Stuxnet” to a large electric transformer installed at a US utility. The Chinese-installed hardware backdoors were scary enough to motivate the Department of Energy (DOE) to intercept the next large Chinese transformer imported into the US and transport it to the Sandia National Laboratory (SNL).
What does that mean for the cyber security of the US and other allied countries’ electric grids and other critical infrastructures? There are several Chinese transformer companies that export to the US (and Canada, Australia, etc.). One of the Chinese companies that exports transformers to the U.S. is JiangSu HuaPeng Transformer Co., Ltd. (JSHP) - http://www.jshp.com/usa-canada.html. It was a JSHP transformer that was found with the hardware backdoors installed at the US utility, resulting in the next JSHP transformer being intercepted and sent to SNL for detailed assessment. As mentioned in my previous blog (https://www.controlglobal.com/blogs/unfettered/information-sharing-on-control-system-cyber-incidents-isnt-working-the-chinese-transformer-case/), there has been no mention of what has been found to date at SNL.
According to JSHP’s website at http://www.jshp.com/news.html, JSHP claims “over a hundred of JSHP transformers has been delivered to USA/Canada since 2009.” This includes two units to offshore wind platform installations and a High Voltage Direct Current (HVDC) substation. JSHP also states that in 2018, “JSHP supports 10% of the NYC load!” Shouldn’t that scare everyone? Unfortunately, given the silence or worse from the industry, apparently not.
Industry has not, in general, taken a strong interest in the Chinese transformer incident. Supply chain security is often seen as something that can be addressed by a software bill of materials and adequate procurement specifications (even though there are no available control system device procurement guidelines). Supply chain problems are complex. They are often assumed to occur only with Chinese-manufactured equipment, but this ignores the complicating factor that US and other friendly countries’ equipment may have Chinese subcomponents or software. In the case of the EO, the equipment in scope was all hardware and control systems, with network equipment explicitly out-of-scope. Why? Because, like the Maginot Line during World War II, the Chinese bypassed the network monitoring technologies. Unfortunately, that didn’t stop government and industry from focusing on the network devices, because network devices are what the cyber security people know. It also didn’t stop DOE and industry from making this a forward-looking EO, ignoring the more than 200 Chinese-made transformers in operation that may have backdoors installed.
Consider the recent biannual risk report published by Claroty: “There were hundreds of industrial control system (ICS) vulnerabilities identified last year and more than 70% of them were remotely exploitable. Vulnerabilities were most prevalent in the critical manufacturing, energy, water and wastewater, and commercial facilities sectors.” These vulnerabilities were all Internet Protocol (IP) network-related; they do not address any hardware backdoors possibly installed in the Chinese-made transformers, nor do they address the lack of cyber security in non-IP networks. I repeat my concerns identified in my earlier blog about Sarah Freeman from the Idaho National Laboratory (INL) discussing Lenovo PCs but ignoring Chinese transformers. Isn’t securing large electric transformers more important to INL’s mission than Lenovo PCs?
Government and industry’s silence on the Chinese transformer subject is unnerving, as Llewellyn King encountered as he was researching this for his Forbes blog - https://www.forbes.com/sites/llewellynking/2021/01/28/how-the-supply-chain-in-heavy-bulk-power-equipment-is-vulnerable-to-undetected-cyberattack/?sh=92d8e8d7213a. As I mentioned in my blog on control system incident sharing (https://www.controlglobal.com/blogs/unfettered/information-sharing-on-control-system-cyber-incidents-isnt-working-the-chinese-transformer-case/), it was unnerving for me when senior representatives from two close US allies were asking me about the Chinese transformer issue. It has also been unnerving when operators of the Chinese-made transformers have not adequately addressed this problem, while many still feel the Chinese transformer case wasn’t real. Part of the skepticism can be attributed to the SANS response to my initial blog (https://www.controlglobal.com/blogs/unfettered/emergency-executive-order-13920-response-to-a-realnation-state-cyberattack-against-the-us-grid/) giving it a credibility score of 0 - ICS Defense Use Case (DUC) # 7: “Analysis of the recent report of supply chain attacks on US electric infrastructure by Chinese Actors”. Meanwhile, one US ally, in attempting to understand the reason for the EO, came up with the same conclusions as I did, but they were confused as they have not received any confirmation from DOE. This is of concern as they also have these Chinese transformers installed in their grid.
Michael Mabee has done a great job of digging into this problem and you can find his blog: “Chinese Transformers in the Electric Grid: Lights Out For NYC?” https://michaelmabee.info/chinese-transformers-in-the-electric-grid-lights-out-for-nyc/. Specifically, JSHP has identified the following transformers as having been delivered:
Bayonne, NJ (Supplying New York City – Delivered by JSHP in 2011 and 2017)
Houston, TX (Delivered by JSHP June 2020)
Blackwater HVDC Station, NM (Delivered by JSHP February 2019)
Las Vegas / Laughlin, NV (Delivered by JSHP October 2016)
PacifiCorp Oregon substation (Delivered by JSHP October 2015)
Niagara Hydroelectric Power Station, NY (JSHP 2010)
Flynn Power Plant, Holtsville, NY (JSHP 2010)
AES, Virginia (JSHP 2010)
BC Hydro (JSHP delivered in 2010)
Lakeland, FL (JSHP delivered in 2009)
Grand Dam River Authority, OK (Delivered by JSHP 2010)
According to https://www.tdworld.com/overhead-transmission/whitepaper/21147382/jshp-uses-scale-economics-to-grow-its-north-american-transformer-business, some of the entities that have purchased JSHP transformers include:
Massachusetts’ Braintree Electric Light Department (BELD)
Bechtel
Fluor
Florida Power & Light
PacifiCorp
Iberdrola
BC Hydro
Fortis
Public Service Company of New Mexico (PNM)
NV Energy
New York Power Authority (NYPA)
Sacramento Municipal Utility District (SMUD)
Additionally, per Mike Mabee’s search on import records, Nebraska Public Power District can also be added to this list.
It is apparent there is no coherent story from JSHP about the two JSHP transformers purchased by the Western Area Power Administration (WAPA) to be delivered to the Ault substation outside Denver. The transformer delivered to WAPA in 2019, where the hardware backdoors were found, is not shown on the above list, nor is WAPA shown on the procurer list. The Global Times on June 3, 2020 claimed “there was nothing to the May 27, 2020 Wall Street Journal’s story (“U.S. Seizure of Chinese-Built Transformer Raises Specter of Closer Scrutiny”) and it’s just US disinformation in the trade war. JSHP categorically denies that its transformer was seized.” Yet, in the Wall Street Journal article, Jim Cai, U.S. representative for JSHP, said that for months he didn’t know where the enormous transformer had been hauled and learned it was taken to Sandia only when he was informed by The Wall Street Journal.
What should be evident is that these JSHP transformers are installed in widespread areas. Consequently, a cyberattack on these transformers can cause widespread impacts. To be clear, this is not just a transformer or grid issue, nor is it just a JSHP issue. China has supplied pumps, valves, motors, relays, and other equipment worldwide. As mentioned in a previous blog, a pharmaceutical facility had a shadow backdoor network installed in Chinese-made equipment to exfiltrate data and possibly to cause physical impacts. There are also the 5G issues that have led many countries to exclude ZTE and Huawei from their infrastructure. Prudence dictates we take a hard look at Chinese-manufactured equipment not only for the grid but also in other critical sectors.
Joe Weiss