Saturday, May 30, 2020

How could someone remotely attack a transformer?


Note from Tom: If you’re only looking for today’s pandemic post, please go to my new blog. If you’re looking for my cyber/NERC CIP post, you’ve come to the right place.


After I wrote yesterday’s post, Kevin Perry provided some important information to me about how a large transformer could or couldn’t be attacked remotely. As I pointed out in the post, the transformer isn’t controlled by a microprocessor but acts on its own, guided by the laws of physics. However, there is at least one processor included with the transformer, and that’s the one that gathers data from the sensors monitoring the transformer’s operations (including dissolved gases, temperature and the crucial oil level) and transfers it back to the control center.

Kevin pointed out to me that the processor that does the latter work isn’t normally part of the transformer but is external to it in a separate device. Sometimes, this is a fairly intelligent device that can communicate back to the control center or substation engineering, where the data are analyzed. These devices usually aren't manufactured by the transformer manufacturer; in fact, the device he’s seen most often in his audits is made by GE, even when the transformer itself isn't one of GE's.

There are also less-intelligent devices that gather sensor data from the transformer and send it to the RTU (Remote Terminal Unit) in the substation. The RTU then forwards the data to the SCADA/EMS system in the control center, where it is analyzed - and an alarm is generated if a reading is out of bounds. In either case, the analysis of the data is looking for indications that the transformer is operating outside its normal limits, such as a low oil level or overheating (which of course could itself be caused by a low oil level).

Kevin believes the processor in this external device is the only processor that is associated with the transformer, either inside or outside the transformer's casing itself (some transformers have a tap changer, which is controlled by a microprocessor, but those are smaller models, not the type we're talking about here). Obviously, if this device is made by a non-Chinese company like GE, it's very hard to see how a Chinese transformer manufacturer could embed malicious code in it. Only if the monitoring device were made by the same company that made the transformer would there be an opportunity to do this.

Yet since this device doesn’t control the transformer itself (as I’ve said, the laws of physics do that), what damage could be done, even if it did have malicious code embedded in it? The only thing that Kevin can think of is that the device would somehow manipulate the data gathered from the sensors to present a false picture of the transformer’s health to the control center.

But what would the attack do to the data? Would it make it look like the transformer is in trouble? In that case the control center would just dispatch someone to find out what’s wrong. They’d see the transformer is working fine and they’d instruct the control center not to trust the data until the problem is found.

The only way for the monitoring data to actually cause a problem would be if it were changed in such a way as to make the control center believe there's no problem, when in fact the transformer is having one. That way, the control center wouldn't send someone to check the problem out, since they wouldn't know about it. And if the problem were the transformer overheating, the transformer might fry itself before the control center knew anything was wrong. But the catch in this scenario is that it requires the transformer to actually be in trouble, and that trouble has to come from physical damage or an ordinary failure, since as I've said there's no way to cause it by purely cyber means. Falsified monitoring data can hide a problem; it can't create one.
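A worked check for the scenario above, added here as an example; it is not from the original post or from Kevin. If the monitoring device has been tampered with to report "healthy" values, the control center can't rely on that device to flag its own tampering, so the check compares what the device reports against something the device doesn't control. The load figures are assumed to come from the substation's own metering via the RTU path, independent of the monitoring device; the thermal model (top-oil rise scaling with the square of load), every threshold, and all sample readings are simplified, constructed assumptions for illustration, not values from any standard or from the post.

```python
"""Plausibility checks on transformer monitoring telemetry.

Added example, not code from the original post. The threat in the text is a
monitoring device altered to report "all healthy" while the transformer is in
trouble. Because the device can't be trusted to report its own compromise,
these checks look for the two things a forged-healthy feed tends to get wrong:

  1. Frozen values: readings that stop changing while load keeps changing.
  2. Physics mismatch: reported top-oil temperature too cool for the load the
     substation is actually carrying.

Load is assumed to come from substation metering over the RTU path, i.e. a
source the monitoring device does not control. The thermal model and all
thresholds are hypothetical simplifications for illustration.
"""
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Sample:
    t_min: int            # minutes since start of the window
    load_pu: float        # load in per-unit of nameplate (from metering, not the monitor)
    top_oil_c: float      # top-oil temperature reported by the monitoring device
    oil_level_pct: float  # oil level reported by the monitoring device


# Hypothetical steady-state thermal parameters (assumed, not from a standard).
AMBIENT_C = 25.0
RATED_TOP_OIL_RISE_C = 55.0   # top-oil rise over ambient at rated (1.0 pu) load
TOL_C = 15.0                  # how far below the model a reading may fall


def expected_top_oil_c(load_pu: float) -> float:
    """Simplified model: top-oil rise over ambient grows with load squared."""
    return AMBIENT_C + RATED_TOP_OIL_RISE_C * load_pu ** 2


def frozen_feed(samples, min_load_spread: float = 0.2) -> bool:
    """True if reported values never move while load swings by >= min_load_spread.

    A flat reading during a flat-load period is normal, so the check only
    fires when the independent load signal shows the transformer was working.
    """
    loads = [s.load_pu for s in samples]
    if max(loads) - min(loads) < min_load_spread:
        return False
    temps = [s.top_oil_c for s in samples]
    levels = [s.oil_level_pct for s in samples]
    return pstdev(temps) == 0.0 and pstdev(levels) == 0.0


def physics_mismatch(samples, tol_c: float = TOL_C):
    """Samples whose reported temperature is implausibly low for the metered load.

    One-sided on purpose: the attack described is under-reporting. Readings
    that look too hot already raise the ordinary overheating alarm.
    """
    return [s for s in samples if s.top_oil_c < expected_top_oil_c(s.load_pu) - tol_c]


def check_feed(samples):
    """Return a list of findings; empty means the feed looks consistent."""
    findings = []
    if frozen_feed(samples):
        findings.append("FROZEN: monitoring values do not track metered load")
    bad = physics_mismatch(samples)
    if bad:
        findings.append(f"MISMATCH: {len(bad)} samples report too-cool oil for load")
    return findings


# Constructed sample windows (not real telemetry). Load rises 0.5 -> 1.0 pu.
HEALTHY = [
    Sample(0, 0.5, 38.8, 100.0),
    Sample(10, 0.6, 45.5, 99.9),
    Sample(20, 0.8, 60.5, 99.8),
    Sample(30, 1.0, 80.2, 99.6),
]
# Forged feed: the device keeps reporting the same comfortable numbers.
FORGED = [
    Sample(0, 0.5, 45.0, 100.0),
    Sample(10, 0.6, 45.0, 100.0),
    Sample(20, 0.8, 45.0, 100.0),
    Sample(30, 1.0, 45.0, 100.0),
]

if __name__ == "__main__":
    for name, window in (("healthy", HEALTHY), ("forged", FORGED)):
        print(name, check_feed(window) or ["OK"])
```

The point of the design is that neither check asks the monitoring device whether it has been tampered with; both compare its output against a signal it can't forge (metered load) or against physics. A real deployment would use the utility's own thermal model and alarm limits rather than the toy parameters here.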

There is a good analogy to this situation: the Metcalf attack in 2013. In that attack, someone fired high-powered rifles at the transformers in the Metcalf substation that serves Silicon Valley. Their goal was to drain the oil out of the transformers, so they would be in danger of overheating. Before the attack started, the attackers cut the communications cables that let the control center "see" what was going on with the transformers. They did this so that the control center wouldn't remotely shut down the transformers before they'd fried themselves.

The attackers succeeded in draining the oil out of most of the transformers, but when the control center realized communications with the Metcalf substation were lost, they dispatched people to find out why. They arrived quickly and saw the drained oil – then shut the transformers (and the whole substation) down, preventing the disastrous outcome of the transformers frying. That would have been hugely expensive - much more than the actual $30MM total cost of the attack - but most importantly would have resulted in the substation being out of commission for many months or even a year, because of the long lead time for getting new large transformers. Of course, this is because these transformers are always custom built, and no large transformers are currently made in the US. They're made either in Europe or - dare I say it - China.

Metcalf was a “successful” attack, since it shut down the substation for months and cost PG&E a lot of money to fix. But it never caused even a local outage, let alone a BES incident. And most importantly for our story, it required someone to be onsite shooting at the transformers. There was no way this attack could have been executed purely remotely.

The only way that Kevin and I can currently conceive of a purely remote attack on a transformer would be if an explosive charge with a microprocessor-based trigger were placed inside the transformer housing, coupled with a satellite or cellular transceiver. That way, a signal could be sent by satellite or through the cellular network, and the transformer would blow up. But as I said in my post yesterday, an attack on the BES would require having a number of rigged transformers already deployed on the grid (meaning the Chinese company would have to have been installing the charges in transformers going to the US for at least a few years), and sending the signal to at least a few of them. One lost transformer probably won't result in any outage at all, or at most a short local one.

If this happened, it would be immediately recognized as China's responsibility (since all the transformers that blow up would be Chinese) and would be taken as an act of war; this would inevitably go badly for China. This might make sense if we were in an active war with China now. But remember, they would have to have been installing these bombs in transformers for at least a few years. If a single one of those bombs had been discovered, that itself would probably have been considered an act of war. It's very hard to see why China would ever even consider doing this.

Bottom line: Kevin and I don’t see a way to cause a BES incident through a purely cyber attack on large transformers, like the one seized last year by the Feds.

Tom 5/31: Orlando Stevenson of NERC pointed out in a comment on Friday's post that tap changers have their own microprocessor-based controllers. If one of those were compromised and the tap changer itself malfunctioned, there could be a BES impact, although this would probably have to occur in multiple substations simultaneously. Kevin agrees with that, although again I see the "act of war" paragraph above as the overriding one: why on earth would the Chinese want to do this, since it would likely be interpreted as an act of war?


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!


