Note from Tom: If you’re only looking for today’s pandemic post, please go to my new blog. If you’re looking for my cyber/NERC CIP post, you’ve come to the right place.
After I wrote yesterday’s post, Kevin Perry provided some important information to me about how a large transformer could or couldn’t be attacked remotely. As I pointed out in the post, the transformer isn’t controlled by a microprocessor but acts on its own, guided by the laws of physics. However, there is at least one processor included with the transformer, and that’s the one that gathers data from the sensors monitoring the transformer’s operations (including dissolved gases, temperature and the crucial oil level) and transfers it back to the control center.
Kevin pointed out to me that the processor that does the latter work isn’t normally part of the transformer but is external to it in a separate device. Sometimes, this is a fairly intelligent device that can communicate back to the control center or substation engineering, where the data are analyzed. These devices usually aren't manufactured by the transformer manufacturer; in fact, the device he’s seen most often in his audits is made by GE, even when the transformer itself isn't one of GE's.
There are also less-intelligent devices that gather sensor data from the transformer and send it to the RTU (Remote Terminal Unit) in the substation. The RTU then forwards the data to the SCADA/EMS system in the control center, where it is analyzed - and an alarm is generated if something is found to be suspicious. In either case, the analysis of the data is looking for indications that the transformer is operating outside its normal bounds, such as by having a low oil level or overheating (which of course could be caused by a low oil level).
Kevin believes the processor in this external device is the only processor that is associated with the transformer, either inside or outside the transformer’s casing itself (some transformers have a tap changer, which is controlled by a microprocessor, but they are smaller models, not the type we're talking about here). Obviously, if this device is made by a non-Chinese company like GE, it’s very hard to see how the Chinese could embed malicious code into it. Only if the device were made by the same company that made the transformer would there be an opportunity to do this.
Yet since this device doesn’t control the transformer itself (as I’ve said, the laws of physics do that), what damage could be done, even if it did have malicious code embedded in it? The only thing that Kevin can think of is that the device would somehow manipulate the data gathered from the sensors to present a false picture of the transformer’s health to the control center.
But what would the attack do to the data? Would it make it look like the transformer is in trouble? In that case the control center would just dispatch someone to find out what’s wrong. They’d see the transformer is working fine and they’d instruct the control center not to trust the data until the problem is found.
The only way for the monitoring data to actually cause a problem would be if it were changed in such a way as to make the control center believe there's no problem, when in fact the transformer is having a problem. That way, the control center wouldn’t send someone to check a problem out, since they wouldn’t know about it. And if the problem were due to the transformer overheating, the transformer might fry itself before the control center knew anything was wrong. But the problem with this scenario is it requires someone physically damaging the transformer itself, since as I’ve said there’s no way to attack it by purely cyber means.
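The scenario above, where the monitoring feed is altered to say "all is well" while the transformer is actually in trouble, is exactly the case that simple out-of-bounds alarms cannot catch. As an added illustration (this is not code from the post, and not any monitoring vendor's or utility's software), the Python below sketches the kind of plausibility checks a control center's analysis could apply on top of its normal threshold alarms: a feed whose values stop changing, a feed that goes silent (the Metcalf situation of cut communications), and a temperature channel that fails to respond to a large change in load. Every field name, alarm limit and sample reading is a constructed assumption for the example.

```python
"""Plausibility checks on transformer monitoring telemetry (added example).

Beyond the classic threshold alarms, these checks look for signs that the
feed itself is not trustworthy: frozen values, silence, and readings that
are physically inconsistent with each other. All data is constructed.
"""
from dataclasses import astuple, dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Reading:
    """One sample from the external transformer monitor (fields are assumed)."""
    ts: int               # seconds since the start of the capture
    top_oil_c: float      # top-oil temperature, degrees C
    oil_level_pct: float  # oil level as percent of nominal
    load_pct: float       # loading as percent of nameplate rating
    h2_ppm: float         # dissolved hydrogen, ppm


# Hypothetical alarm limits; real limits come from the manufacturer and the utility.
OIL_LEVEL_MIN = 80.0
TOP_OIL_MAX = 95.0
H2_MAX = 100.0
FROZEN_WINDOW = 6      # consecutive unchanged samples that count as a frozen feed
MAX_AGE_S = 600        # silence longer than this is a loss-of-communication alarm
LOAD_STEP_PCT = 30.0   # a load rise this large must show up as a temperature rise


def threshold_alarms(r: Reading) -> List[str]:
    """Out-of-bounds checks: the alarms the control center already raises."""
    alarms = []
    if r.oil_level_pct < OIL_LEVEL_MIN:
        alarms.append("low oil level")
    if r.top_oil_c > TOP_OIL_MAX:
        alarms.append("overheating")
    if r.h2_ppm > H2_MAX:
        alarms.append("dissolved gas high")
    return alarms


def frozen_feed(history: Sequence[Reading], window: int = FROZEN_WINDOW) -> bool:
    """True if the last `window` samples are identical apart from their timestamps.

    A transformer under varying load never produces perfectly constant readings,
    so a constant feed suggests replayed values or a monitor no longer reading
    its sensors."""
    if len(history) < window:
        return False
    tail = [astuple(r)[1:] for r in history[-window:]]
    return all(t == tail[0] for t in tail[1:])


def lost_communication(history: Sequence[Reading], now_ts: int,
                       max_age_s: int = MAX_AGE_S) -> bool:
    """True if no sample has arrived within max_age_s: cut cables look like this."""
    return not history or now_ts - history[-1].ts > max_age_s


def load_temperature_mismatch(history: Sequence[Reading], window: int = FROZEN_WINDOW,
                              load_step: float = LOAD_STEP_PCT) -> bool:
    """True if load rose by at least load_step across the window while top-oil
    temperature did not rise at all. Oil temperature lags load, but no response
    whatsoever is implausible and points at a spoofed temperature channel."""
    if len(history) < window:
        return False
    first, last = history[-window], history[-1]
    return (last.load_pct - first.load_pct >= load_step) and (last.top_oil_c <= first.top_oil_c)


def evaluate(history: Sequence[Reading], now_ts: int) -> List[str]:
    """Run all checks over the recent history and return the findings in order."""
    findings: List[str] = []
    if lost_communication(history, now_ts):
        findings.append("loss of communication")
        return findings  # nothing else can be judged without data
    findings.extend(threshold_alarms(history[-1]))
    if frozen_feed(history):
        findings.append("frozen telemetry")
    if load_temperature_mismatch(history):
        findings.append("load/temperature mismatch")
    return findings


# Constructed samples, one reading per minute.
# HEALTHY: load creeps up and temperature follows it.
HEALTHY = [Reading(60 * i, 62.0 + 0.4 * i, 96.5 - 0.01 * i, 55.0 + i, 20.0 + 0.1 * i)
           for i in range(8)]
# FROZEN: the monitor keeps reporting the same numbers.
FROZEN = [Reading(60 * i, 63.0, 96.4, 58.0, 20.5) for i in range(8)]
# SPOOFED: load climbs 30 points but the temperature and oil level never move.
SPOOFED = HEALTHY[:2] + [Reading(60 * i, 62.4, 96.49, 55.0 + 6 * i, 20.1)
                         for i in range(2, 8)]

if __name__ == "__main__":
    for name, hist in (("healthy", HEALTHY), ("frozen", FROZEN), ("spoofed", SPOOFED)):
        print(name, evaluate(hist, now_ts=480))
    print("silent", evaluate(HEALTHY, now_ts=1100))
```

The point of the design is that each check needs a different kind of manipulation to defeat: a frozen feed is the cheapest fake, a silent feed is what a physical attacker gets by cutting cables, and a load/temperature mismatch requires the attacker to forge several channels consistently with each other and with the load the control center already knows from elsewhere.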
There is a good analogy to this situation: the Metcalf attack in 2013. In that attack, someone fired high-powered rifles at the transformers in the Metcalf substation that serves Silicon Valley. Their goal was to drain the oil out of the transformers, so they would be in danger of overheating. Before the attack started, the attackers cut the communications cables that let the control center "see" what was going on with the transformers. They did this so that the control center wouldn't remotely shut down the transformers before they'd fried themselves.
The attackers succeeded in draining the oil out of most of the transformers, but when the control center realized communications with the Metcalf substation were lost, they dispatched people to find out why. They arrived quickly and saw the drained oil – then shut the transformers (and the whole substation) down, preventing the disastrous outcome of the transformers frying. That would have been hugely expensive - much more than the actual $30MM total cost of the attack - but most importantly would have resulted in the substation being out of commission for many months or even a year, because of the long lead time for getting new large transformers. Of course, this is because these transformers are always custom built, and no large transformers are currently made in the US. They're made either in Europe or - dare I say it - China.
Metcalf was a “successful” attack, since it shut down the substation for months and cost PG&E a lot of money to fix. But it never caused even a local outage, let alone a BES incident. And most importantly for our story, it required someone to be onsite shooting at the transformers. There was no way this attack could have been executed purely remotely.
The only way that Kevin and I can currently conceive of a purely remote attack on a transformer would be if a microprocessor with a bomb were attached inside the transformer housing, coupled with a satellite or cell phone transceiver. That way, a signal could be sent by satellite or through the cellular network, and the transformer would blow up. But as I said in my post yesterday, an attack on the BES would require having a number of rigged transformers already deployed on the grid (meaning the Chinese company would have to have been installing the bombs in transformers going to the US for at least a few years), and sending the signal to at least a few of them. One lost transformer probably won't result in any outage at all, or at the most a short local one.
If this happened, it would be immediately recognized as China's responsibility (since all the transformers that blow up would be Chinese) and would be taken as an act of war; this would inevitably go badly for China. This might make sense if we were in an active war with China now. But remember, they would have to have been installing these bombs in transformers for at least a few years. If a single one of those bombs had been discovered, that itself would probably have been considered an act of war. It's very hard to see why China would ever even consider doing this.
Bottom line: Kevin and I don’t see a way to cause a BES incident through a purely cyber attack on large transformers, like the one seized last year by the Feds.
Tom 5/31: Orlando Stevenson of NERC pointed out in a comment on Friday's post that tap changers have their own microprocessor-based controllers. If that were to be compromised and the tap changer itself malfunctioned, there could be a BES impact, although this would probably have to occur in multiple substations simultaneously. Kevin agrees with that, although again I see the second-to-last paragraph of this post as being the overriding one: Why on earth would the Chinese want to do this, since it would likely be interpreted as an act of war?
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!