Thursday, April 22, 2021

Will someone please drive a stake through the heart of this lie?

This morning, my good friend Mark Weatherford sent me this article about an interview he’d given in conjunction with notable ICS security consultant Joe Weiss.

I read through most of it, thinking that both Mark and Joe made good points and this was a very reasonable discussion. However, that changed when I came to the part where Joe suddenly said “I'd like to mention one thing. And this actually goes back to what Mark first brought up about supply chain. The Executive Order 13920 came out because there was a Chinese-made transformer that had hardware backdoors preinstalled coming from China.”

This immediately set off alarm bells for me. Let’s be clear: Joe has been pressing this fable about the Chinese-made transformer since early last May. While Joe’s story is based on a real incident, first reported by Rebecca Smith in the Wall Street Journal on May 27 (and written about by me in this post on May 29), it’s 100% false.

I had thought this story was dead on each of these occasions:

1.      When I wrote a post about this on May 31.

2.      When Robert M. Lee, Tim Conway and Jeff Shearer of SANS wrote a Defense Use Case that stated that Joe’s report had zero credibility and was based on zero evidence (although other than that, they thought it was great – for instance, they just loved the font it was written in).

3.      When I put up a post describing the SANS document and proposing what I thought was a quite reasonable alternative explanation.

4.      And finally, when I put up a post on February 1 in response to an interview in Forbes where Joe repeated this lie.

Let me be clear: At no point has Joe ever pointed to any evidence to verify his claims, other than the easily debunked “evidence” he has provided in his posts and interviews. Yet he keeps bringing this lie up again and again, and he did so again in his interview with Mark. I’m going to go through what Joe said on this topic, and Mark’s responses (which never yielded an inch, bless his heart), blow by blow, in the hope that I can finally drive a stake through the heart of this zombie lie:

1.      When Joe first brings the WAPA transformer up and Mark immediately challenges him on it, Joe says “I was on a call with people who were physically at the substation where that transformer was, as it was being installed.” Joe’s point being that the people installing the transformer realized something was wrong with it.

2.      Mark then correctly notes that the transformer was never even delivered to WAPA (it was intended for WAPA’s Ault substation in Colorado). As Rebecca Smith’s great article points out, when the transformer arrived in early 2020 it was transported directly from the port of Houston to Sandia National Laboratories. Moreover, in June of 2019, while the transformer was still being manufactured, WAPA ordered the manufacturer, the Jiangsu Huapeng Transformer Company, to change the delivery point for the order from the Ault substation in Colorado to a warehouse at the port of Houston. From there, it was transported, presumably by the US government, to Sandia. So obviously Joe’s statement was wrong.

3.      But Joe wasn’t fazed by this. He then said “There were two transformers involved. The first transformer was installed in the WAPA [Western Area Power Administration] Ault substation, Mark, not far from you, outside of Denver. It was installed in August 2019. When WAPA was doing the site acceptance testing, the mechanical and electrical engineers found the extra electronics in that transformer.”

4.      Of course, it’s hard to believe that this squares with Joe’s first statement, and it certainly doesn’t square at all with his statement (in bold type) in his blog post of May 11, 2020, to the effect that “When the Chinese transformer was delivered to a US utility, the site acceptance testing identified electronics that should NOT have been part of the transformer – hardware backdoors.”

5.      I’ll leave behind the issue of a “hardware backdoor”, which seems to have no discernible meaning, as Robert, Jeff and Tim described in their DUC and I pointed out in my post a few days after the WSJ article came out.

6.      Of course, this didn’t faze Joe! He replies “I have pictures of both transformers—Ault and Houston. As a result of that, the next transformer that arrived at the Port of Houston in early 2020 was intercepted by DOE and taken to Sandia [National Laboratories]. There is a utility missing a transformer. It would have never, ever happened if DOE wasn't so concerned about what they found with the first. What’s missing is what DOE found at Sandia.”

7.      Mark asks for evidence, and Joe provides a masterpiece of obfuscation: “Mark, you were within the government. Go ask DOE.” Note he does what I’ve seen other people do when they have just told a lie and are challenged for evidence: They tell the challenger that they can easily find the evidence for themselves; in other words, it’s an insult to them to even be asked for evidence.

8.      But Joe “backs this up” by continuing “I can read you—I won't even mention the country—an email I got from one of our closest allies. From someone very senior. And it's saying, ‘I am hoping you can help me with something. Regarding the transformer issue you discuss, can you please tell me to what level that information is confirmed?’”

9.      In other words, Joe was challenged for evidence for his story by someone overseas. He doesn’t describe any evidence he gave that person – since he didn’t have any – but he seems to be saying that the fact that this person asked him for evidence somehow indicates the evidence exists in the first place. I don’t quite understand his reasoning in this, but of course the whole idea was to shut Mark up, not to answer his question. 

10.   However, Mark didn’t shut up. He said “Well, I think you just confirmed my point, Joe, and that is, if they don't know, we don't know. Maybe there's nothing to know.”

11.   Joe’s reply to Mark is very interesting. He says “We have a utility missing a transformer. Mark, that has never, ever, ever happened. You don't buy a transformer like it without an absolute need to have it installed.” In other words, he seems to be asking “Why would WAPA have ordered the transformer in the first place, if they just wanted to have it shipped to a warehouse and torn apart?” I’ll address that in a moment. Let’s continue to Joe’s next lie.

12.   Joe goes on to say “When you look at Executive Order 13920, they give a detailed list of all of the equipment that is in scope for Executive Order 13920. Every single item in that executive order is out of scope for NERC CIP. Every single thing in NERC CIP, and in the supply chain, is out of scope for the executive order. We have a problem here. This is a real, honest hardware implant. There are over 200 large Chinese electric transformers in our electric grids today. We have no idea how many of them have these hardware backdoors.” I do have an idea how many large Chinese transformers have hardware backdoors: zero, since there’s no such thing.

13.   But Joe is absolutely right that EO 13920 provides a detailed list of equipment in scope – in fact, there are around 25 items on the list. He’s also right that almost all of those items (at least 21, but not all of them) aren’t in scope for the NERC CIP standards. But there’s a good reason for that: The NERC CIP standards only apply to devices that are operated by – or at least contain – a microprocessor or some other logical hardware (e.g. in a PLC), since only a processor can be subject to a cyberattack. Almost all of the devices in the EO don’t have a processor at all – meaning they are no more subject to a cyberattack than a 1920 automobile, my $5 steam iron, or for that matter a brick. Kevin Perry and I documented that in this post.

14.   This includes transformers. They operate according to the laws of physics, period, not the commands from some processor. They run day and night and don’t need external power to operate their core function. The last time I checked, the laws of physics still apply in China. It’s true that a transformer can have ancillary devices with processors, including load tap changers and dissolved gas analyzers (the former are often external to the transformer itself, and are often made by a different manufacturer than the one that made the transformer). But it’s very hard to see how they could be attacked. Moreover, it’s just as hard to see how a successful attack on one of them could lead to anything more than a brief local outage – and if you’re concerned about local outages, I suggest you figure out a way to address the number one cause of those, which is squirrels. The big national security concern is a widespread, cascading outage, not a local one.

Now, let’s get down to the question Joe (implicitly) asked: “Why would WAPA have ordered the transformer if they had no intention of using it?” That was certainly a question I asked myself when I read the WSJ article last May. It didn’t take too long to figure out, but I didn’t want to raise the point until now, since no discussion had required it. However, since Joe has kindly asked me to provide it, I will now. Here’s what I think happened:

1.      It’s no secret that the Trump administration in 2019 was looking for ways to decrease imports from China. Someone pointed out that WAPA – part of DoE – had bought Chinese large transformers and had one on order at the time.

2.      Someone had the bright idea that they could take a look at the transformer when it arrived, to find out if it contained some sort of “hardware backdoor” that would allow the Chinese to compromise it through some sort of cyberattack (never mind that transformers don’t have a processor to attack) launched over some sort of internet connection (never mind that a device without a processor can’t be connected to any communications network, any more than your living room sofa can).

3.      This also ignored a fact that was pointed out in the WSJ article: Since WAPA isn’t staffed with dumb bunnies, they knew perfectly well they had to be very careful when ordering any grid equipment from China; they left nothing to chance. The article says “…the transformer had been built to WAPA’s exact specifications, down to the parts numbers for the electronics that were sourced from companies WAPA chose in the U.S. and U.K.”

4.      Of course, a privately owned utility would have raised big objections to diverting a huge piece of equipment that was, as Joe points out, needed to maintain grid reliability. But since WAPA is 100% controlled by DoE, they had to comply. Knowing a number of people who work for WAPA, I can assure you they must have been furious, both at losing the transformer and at the implicit judgment that they were too stupid to know they should be very careful when ordering any grid hardware from China. (The WSJ article points out that a number of US utilities buy transformers from the same supplier, and there are other transformer suppliers in China as well.)

5.      So the effort to find a “hardware backdoor” failed, but of course the transformer was totally destroyed.

6.      As I described in this post, shortly after the EO came out, DoE held two briefings for utility executives and made a point of declaring that they didn’t have to do anything differently now, and that if they ever did, they’d be given plenty of warning first. This was needed because many utility executives were under the naïve impression that, since the EO required all purchases of equipment for the Bulk Power System to be stopped pending a risk review by the Secretary of Energy, they actually had to stop those purchases. How silly of them.

7.      If DoE had just discovered a serious hardware backdoor in the WAPA transformer at Sandia (which of course is owned by DoE), don’t you think they would have phrased this a little differently? In fact, wouldn’t they have already held a series of briefings – both classified and unclassified - for the industry? That’s what DHS (I believe) did in 2016, in the wake of the first Ukraine attacks.

So I hope Joe stops peddling this lie. The irony is that he’s done a lifetime of good work and is really one of the founders of ICS security. To have all of that tainted this way is really a shame.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com
