A threat I didn’t know about

Blake Sobczak and Pete Behr of E&E News published a really excellent story today about the large transformer issue. I was expecting the story would focus on the big problems with replacing them – long lead times, difficult transportation, etc. (which wouldn’t be new news, of course). Instead, they focused on the potential problems posed by China becoming a big source of large transformers in the US.

They talk about two general problems. One is counterfeit – or deliberately tampered with – parts that could fail at an important time and cause big problems at key substations. But then they talk about cyber security problems. I never thought transformers could have cyber security problems, but they point out that transformers now all have sensors for maintenance purposes. Generating false readings on a sensor could lead to control centers taking actions they shouldn’t take, or not taking actions they should. If an adversary were able to fry a lot of large transformers at a time, this could cause severe problems for power flows.

So does this mean that the transformers (or perhaps the sensor monitoring systems) are BES Cyber Systems, and the industry should start applying all the CIP protections (including CIP-013) to them? I don’t think so. While these systems would definitely be Cyber Assets, I don’t think they’d be BES Cyber Assets. Yes, an adversary might cause a 15-minute BES impact if the monitoring system were didn’t tell a control center that the oil had drained out of the transformer. But it wouldn’t inevitably cause an impact. Maybe the control center would figure out that there was something wrong with the sensors and send someone to physically inspect the transformer – then there wouldn’t be an impact; there are many other such scenarios. I’ve always thought that the word “inevitably” is the key to understanding when a Cyber Asset is a BCA and when it isn’t – although don’t ask me to show you where I said it. I just looked and couldn’t find where I said it. But I know I did.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. To discuss this, you can email me at the same address.