Executive order boots “foreign adversaries” from US electric grid over security concerns

White House action implies that China is "creating and exploiting" vulnerabilities in the US power grid. Experts say hardware backdoors have the potential for doing significant damage.

Aerial view of the United States as a nationwide grid.
Imaginima / Getty Images

On May 1, the Trump Administration issued an Executive Order on Securing the United States Bulk-Power System. According to the order, the administration found that “foreign adversaries are increasingly creating and exploiting vulnerabilities in the United States bulk-power system, which provides the electricity that supports our national defense, vital emergency services, critical infrastructure, economy, and way of life.”

The executive order (EO), which also encompasses “malicious cyber activities,” determines “that the unrestricted foreign supply of bulk-power system electric equipment constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.” It declares “a national emergency with respect to the threat to the United States bulk-power system” and prohibits the purchase or installation of specific equipment from foreign adversaries.

The prohibition applies only to a specified list of electrical equipment that poses an undue risk of sabotage or subversion of the equipment’s design, poses a national emergency with respect to the threat to the United States bulk-power system, or otherwise poses an unacceptable risk to the national security of the US or the security and safety of US persons. The order requires the energy secretary to work with other agencies “to identify bulk-power system electric equipment that poses the types of risks associated with prohibited transactions” and to adopt rules and regulations to implement the order within 150 days.

The equipment covered by the order includes a range of hardware that makes up the bulk power system, including substation transformers, which appear to play a particularly unique role in the order’s emergence. “We are aware that stepped-up transformers that could have an adverse impact on the grid are what’s being targeted here,” David Schwartz, a partner at Latham and Watkins who is focused on energy regulatory policy, tells CSO. (Schwartz has since clarified that they “believe that transmission facilities, including potentially step-up transformers that could have an adverse impact to the grid are what’s being primarily targeted here.”)

Vulnerability fears behind the executive order

Although the order doesn’t specify which countries are “foreign adversaries,” the consensus among electric utility technologists and Washington energy policy experts is that China is the only “adversarial” country that supplies the appropriate equipment to US utilities. One central question surrounding this order is why now. Another big question: What vulnerabilities are adversaries creating and exploiting in the bulk power grid?

Some experts think that the administration is just now getting around to applying the same kind of bans to the bulk power grid that the government applied to Chinese telecom suppliers last year. “The executive order has some very similar language to another executive order last May in the communications area. We think the approach that was taken in the communications area was simply essentially replicated with respect to security issues [regarding] the bulk power system,” Schwartz says.

Shuli Goodman, executive director of LF Energy, an electricity and power initiative housed within the Linux Foundation, agrees with Schwartz that one impetus, although likely not the sole reason, behind the EO, is the effort to recreate what the administration has done in the telecom arena. “This is aligned with what happened in the telecommunications sector. This is just a kind of continuation of that,” she tells CSO.

Like many other technology experts, however, Goodman agrees that “it’s going to be very difficult if not impossible to eviscerate China from the supply chain.” Excluding China could be particularly problematic given that a critical focus of the order appears to be high-voltage transformers, which are made of industrial-quality steel that the US is no longer capable of manufacturing.

Did China create backdoors to disrupt the US energy grid?

One electric utility security expert, Joe Weiss, believes that the prime motivator for the executive order is a real cyberattack on the US bulk power system. This attack took the form of a “hardware backdoor” that was discovered when a Chinese transformer was delivered to a US utility. Although Weiss is almost completely mum on the details of this situation, the backdoor is capable of causing a highly damaging event, he tells CSO.

Weiss contends that the utility found the backdoor when it was installing the transformer and was “finding things that should not have been in there.” He also believes there are multiple such transformers with hardware backdoors installed throughout the bulk power grid.

Although Weiss wouldn’t go into the details of what the “hardware backdoor” consists of, utility security engineer Chris Sistrunk of FireEye speculated about what this might mean. Stressing that he hasn’t independently confirmed Weiss’ allegation, Sistrunk said that large power transformers usually have monitoring equipment installed with them that is sometimes called DGA (dissolved gas analysis) sensors, or online condition monitoring.

This equipment typically consists of sensors that monitor hydrogen and other dissolved gases, moisture, oil level, temperature, and hot spots, as well as the presence of an internal fault or short circuit. “It’s plausible that a malicious component could send fake data to power company control system networks and the internet,” Sistrunk says.

Dale Peterson, CEO of ICS consulting firm Digital Bond, believes that a backdoor is irrelevant so long as the front door to industrial systems remains open, which he contends is the case. “There is little benefit in closing the backdoors that ‘foreign adversaries’ may insert if the pre-qualified US and friendly foreign systems are insecure by design – if they have the front door open,” Peterson wrote in his assessment of the EO.

Although tight-lipped about details, Weiss did confirm that one of the Chinese transformer makers who has surfaced in connection with the hardware backdoor is JiangSu HuaPeng Transformer Co., Ltd., also known as JSHP, which is either the largest or second-largest Chinese supplier of transformers to the US, depending on the source. Jim Cai, manager of North American Marketing & Service for JSHP, denies he has ever heard from a customer about “hardware backdoors.”

However, Cai did tell CSO a strange tale about a $2.8 million high-voltage transformer that the Department of Energy (DOE) purchased from JSHP last year. DOE bought the transformer for the US government-owned utility Western Area Power Administration (WAPA), which is managed directly by DOE. The transformer was shipped from Shanghai and arrived at the Port of Houston in late August 2019.

Under the terms of the contract signed by DOE, JSHP was supposed to transport the transformer from the Port of Houston to Colorado, no easy feat for a solid steel unit that weighs hundreds of tons. (Transformers are monstrously large, too big for highways, and are usually transported via rail using their own specially designed cars called Schnabel cars.) JSHP was also contractually obligated to install the transformer and then provide a multi-year warranty.

Cai said that DOE contacted JSHP to cancel the transportation from the Port of Houston, told JSHP not to install the transformer, and rejected the warranty for the hardware, something no other customer has ever done. Cai said that he called DOE to follow up later and that the department never returned his phone calls. In an email exchange with DOE’s press office, CSO asked the department to confirm or deny Cai’s account and received no response.

Energy utilities await rules

In terms of timing, the EO gives interested parties until September 28 to file comments in a rulemaking proceeding that will spell out the rules of the road under the EO. To clarify matters, the DOE issued a set of FAQs to help utilities plan their purchases until the actual rules are released, which could take months or possibly even years, experts say.

The FAQ document makes clear that no utilities are obligated to do anything until the rules come out, including ripping and replacing equipment that seems likely to be prohibited by the final regulations. Some experts think the effect on Chinese equipment purchases is already underway. “It just may be that it has the impact of chilling some future equipment supply contracts with companies that are under the jurisdiction of a foreign adversary that may not otherwise have been chilled,” Latham and Watkins’ Schwartz says.

Despite the focus on equipment and hardware, the EO also aims at digital security, albeit mostly indirectly. A source close to the DOE tells CSO that although the order focuses extensively on the security of hardware, it deals with digital security because, “You can't buy a non-smart transformer. It's going to have monitoring software on it.”

“It's going to speak internet protocol. It's often for diagnostics, remote diagnostics going back to the supplier so that they can monitor it and see if anything's going wrong ahead of time. They can get out in front of it before it breaks, similar to jet engines. Jet engines are like that, too, with remote diagnostics by wireless communication,” the source says.
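Sistrunk’s point that a malicious monitoring component could feed fake data to control networks and the internet, together with the observation that every modern transformer carries IP-speaking diagnostics that report back to a supplier, suggests the kind of plausibility and egress checks a utility can run on that telemetry. The following is an added illustration, not code from CSO or from any utility or vendor named in the article. The telemetry records, the control-network address range, and the plausibility thresholds are all constructed for the example; a real deployment would take its limits from the transformer nameplate and the utility’s own DGA guidelines.

```python
from __future__ import annotations

import csv
from dataclasses import dataclass
from io import StringIO
from ipaddress import ip_address, ip_network

# Constructed sample of condition-monitoring telemetry, not data from any
# real transformer or utility. One record per 10-minute interval: timestamp,
# hydrogen (ppm), moisture in oil (ppm), top-oil temperature (C), oil level
# (%), and the IP address the monitor reported the record to.
SAMPLE_TELEMETRY = """\
ts,h2_ppm,moisture_ppm,top_oil_c,oil_level_pct,dest_ip
2020-05-01T00:00,45,12,61,88,10.20.5.15
2020-05-01T00:10,46,12,62,88,10.20.5.15
2020-05-01T00:20,47,12,62,88,10.20.5.15
2020-05-01T00:30,47,12,63,88,203.0.113.77
2020-05-01T00:40,2600,12,63,88,10.20.5.15
2020-05-01T00:50,47,12,63,88,10.20.5.15
2020-05-01T01:00,47,12,63,88,10.20.5.15
2020-05-01T01:10,47,12,63,88,10.20.5.15
2020-05-01T01:20,47,12,63,88,10.20.5.15
2020-05-01T01:30,47,12,63,88,10.20.5.15
2020-05-01T01:40,47,12,63,88,10.20.5.15
"""

SENSOR_FIELDS = ("h2_ppm", "moisture_ppm", "top_oil_c", "oil_level_pct")

# Illustrative plausibility limits (assumed for this example; real thresholds
# come from the transformer nameplate and the utility's DGA guidelines).
LIMITS = {
    "h2_ppm": (0.0, 2000.0),
    "moisture_ppm": (0.0, 100.0),
    "top_oil_c": (-40.0, 130.0),
    "oil_level_pct": (0.0, 100.0),
}
# Largest change considered physically plausible between consecutive intervals.
MAX_STEP = {"h2_ppm": 200.0, "moisture_ppm": 20.0, "top_oil_c": 15.0, "oil_level_pct": 5.0}
FROZEN_RUN = 6  # identical sensor tuples in a row before the feed is treated as stuck

# Assumed utility control-network range; reports to anywhere else are flagged.
ALLOWED_DESTINATIONS = [ip_network("10.20.0.0/16")]


@dataclass
class Finding:
    ts: str
    kind: str  # "range", "step", "frozen" or "egress"
    detail: str


def parse_telemetry(text: str) -> list[dict]:
    """Parse CSV telemetry into records with numeric sensor fields."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        rec = {"ts": row["ts"], "dest_ip": row["dest_ip"]}
        for name in SENSOR_FIELDS:
            rec[name] = float(row[name])
        records.append(rec)
    return records


def destination_allowed(dest_ip: str) -> bool:
    """True if the monitor reported to an address inside the control network."""
    addr = ip_address(dest_ip)
    return any(addr in net for net in ALLOWED_DESTINATIONS)


def analyze(records: list[dict]) -> list[Finding]:
    """Run range, rate-of-change, frozen-feed and egress checks over the records."""
    findings: list[Finding] = []
    prev: dict | None = None
    run = 1
    for rec in records:
        # 1. Each value must be physically plausible on its own.
        for name in SENSOR_FIELDS:
            lo, hi = LIMITS[name]
            if not lo <= rec[name] <= hi:
                findings.append(Finding(rec["ts"], "range", f"{name}={rec[name]:g} outside [{lo:g}, {hi:g}]"))
        if prev is not None:
            # 2. Dissolved gas and oil temperature move slowly; a large jump between
            #    consecutive intervals points to a sensor fault or an injected value.
            for name in SENSOR_FIELDS:
                step = abs(rec[name] - prev[name])
                if step > MAX_STEP[name]:
                    findings.append(Finding(rec["ts"], "step", f"{name} changed by {step:g} in one interval"))
            # 3. A feed repeating the same tuple for a long run may be replayed or stuck.
            same = all(rec[n] == prev[n] for n in SENSOR_FIELDS)
            run = run + 1 if same else 1
            if run == FROZEN_RUN:
                findings.append(Finding(rec["ts"], "frozen", f"{FROZEN_RUN} identical readings in a row"))
        # 4. Monitoring data should only leave toward the utility's own network.
        if not destination_allowed(rec["dest_ip"]):
            findings.append(Finding(rec["ts"], "egress", f"reported to {rec['dest_ip']}, not an allowed destination"))
        prev = rec
    return findings


def summarize(text: str) -> dict[str, int]:
    """Count findings by kind for a telemetry text."""
    counts: dict[str, int] = {}
    for f in analyze(parse_telemetry(text)):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(parse_telemetry(SAMPLE_TELEMETRY)):
        print(f"{f.ts}  {f.kind:<7} {f.detail}")
```

On the constructed sample the checks flag one report sent outside the control network, one hydrogen reading beyond the plausible range, the two implausible jumps around it, and a six-interval run of identical readings. None of these checks can prove a component is malicious; they give the utility a reason to cross-check the monitor against an independent oil sample or a second sensor before trusting the feed, and the egress rule in particular is the control that stops diagnostics from quietly talking to destinations the utility never approved.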

The tasks ahead for DOE and the nation’s bulk power grid seem complicated with long-term horizons given that most of the equipment cited in the EO tends to be in service for decades. The national laboratories at the DOE, which are filled with scientists and technical specialists, could come in handy. “There are established programs at National Laboratories in Idaho, Tennessee, Washington and New Mexico that could support key elements of the executive order,” the source close to DOE said, referencing Idaho National Labs, Oak Ridge National Laboratory, Pacific Northwest National Laboratory, and Sandia National Labs.

Copyright © 2020 IDG Communications, Inc.