Friday, May 29, 2020

The plot thickens

Note from Tom: If you’re only looking for today’s pandemic post, please go to my new blog. If you’re looking for my cyber/NERC CIP post, you’ve come to the right place.

On Wednesday evening, Rebecca Smith of the Wall Street Journal published a great article on what has to be one of the stranger events in the ongoing story of efforts to improve the cybersecurity of the US electric power grid: Last summer, federal officials took control of a very large transformer that had arrived at the Port of Houston. It was custom built by the Jiangsu Huapeng Transformer Company in China for the Western Area Power Authority (WAPA) and was intended for installation in a WAPA-owned substation outside of Denver. It was taken to Sandia National Laboratory (part of the Department of Energy) outside of Albuquerque, NM and closely examined there. It most likely is still there.

Why did the authorities do this? Of course, nobody at Sandia or DoE would comment. The article does say “Other people, with more limited knowledge of the situation, said federal officials probably commandeered the transformer because they suspected its electronics had been secretly given malicious capabilities, possibly allowing a distant adversary to monitor or even disable it on command. But these people said they didn’t know whether any such alterations were found.” But exactly how would “malicious capabilities” – presumably malicious cyber capabilities – be embedded in a transformer?

Three weeks ago, in a post written with Kevin Perry, I wrote

...transformers are extremely important to the grid, since the grid wouldn’t work without them – in fact, news articles I’ve seen consider these to be a big target of the order. Yet these don’t have microprocessors. They don’t need direction in order to do their job, either; the laws of physics give them almost all the instructions they need. My friend Kevin Perry wrote “There may be some new, smart transformers that have microprocessors, but as a general rule, I don’t think the high voltage transformer has electronic systems that can be hacked. At best, there are sensors throughout the transformer that allow operating conditions to be monitored. That is not much different than the transducers scattered around a generating plant. To the extent the transducer voltage output can be recalibrated to produce false readings is about the only issue I am aware of. But usually you need to be in close proximity to be able to manage such a device.”

Rebecca says something similar in her article:

Federal officials have long worried that foreign adversaries might hack into the utility computer networks that control power flows on transmission lines and cause blackouts.

However, transformers hadn’t typically been seen as products that could be easily isolated and hacked. That is because they don’t contain the software-based control systems that foreign actors could access. They are passive devices that increase or reduce voltages in switchyards, substations and on power poles according to the laws of physics.

So it seems the problem that the government was looking for wasn’t a cyber problem at all, but a physical one. Of course, there are certainly lots of ways a transformer might be rigged to suddenly start malfunctioning at some point, or even to blow up. If a transformer like this failed, it would certainly cause problems for the power distribution system in the area served by that transformer; there might even be an outage as a result of it.

But local outages happen all the time. If you’re looking to greatly reduce the threat of local outages, I recommend you focus on the number one cause of those outages: squirrels (although Kevin pointed out to me that in larger substations, snakes are a bigger problem). If a genetic modification were introduced into the squirrel population so they no longer see insulated wires as a possible food source, that would be a huge step forward in the fight against local outages. But local outages that are caused by substation events are rare, since the grid has tremendous redundancy built in. Even if all the transformers in a substation are brought down (as was the case with the Metcalf attack in California in 2013), that usually wouldn’t lead to an actual outage (for example, there was no outage due to the Metcalf attack).

However, when we talk about attacks on the power grid, we’re not talking about a local outage, but some sort of event – the worst being a cascading outage like the 2003 Northeast Blackout – on the Bulk Electric System (or Bulk Power System, the term used in the Executive Order) itself. This is the network of high voltage power lines and substations that moves power around the country and feeds it into local distribution substations. A true BES attack would have to affect multiple transformers in multiple substations at the same time.

In principle, a BES event could be accomplished by a cyber attack. If a number of these transformers were microprocessor-controlled and connected to a routable (IP) network, and if all of these had some sort of malicious logic embedded in software or firmware, a foreign attacker could in theory send a signal and cause a number of these to go down or malfunction at the same time, which might cause a large-scale grid event. However, transformers aren’t microprocessor-controlled, so this isn’t a realistic scenario.

The WSJ article pointed out that the transformer has sensors to monitor the level of insulating oil (and presumably some sort of microprocessor and communications link to relay that information to the control center), since transformers generate a lot of heat, which needs to be carried away to keep the unit from frying. In theory, the sensors could be recalibrated to report false readings, but as Kevin pointed out in the last three sentences of his quote above, that would almost certainly require someone being onsite to recalibrate the sensors.

Note from Tom 5/29: Kevin provided some good clarifying information to me this afternoon, which I'll pass on in a post tomorrow. It doesn't change any of the conclusions of this post, but it does fill in a few logical gaps.

There are also some smaller transformers that have tap changers, which are controlled by a microprocessor. It's unclear what harm could be caused by misusing a tap changer, but in any case, we don't believe one would be found in a large transformer like the one in question.

Since there’s nothing in the transformer normally that could be the vehicle for a successful cyberattack, it seems the people at Sandia must be looking for some logical device that was implanted in the system in China. What would this device do? It might trigger a bomb to blow the transformer up. It’s hard to see anything else that it could do, since the transformer operates according to the laws of physics – it doesn’t need any sort of commands to operate.

But remember, just having one transformer blow up isn’t going to cause a BES event, and it probably won’t cause even a local outage. There would have to be a coordinated attack on multiple transformers. The article says that Jiangsu Huapeng has installed about 100 of these units in the last decade in the US and Canada. If a significant number of these had some sort of microprocessor attached to a bomb inside of them, some of them might blow up at the same time – which would probably cause a big problem for the grid. But for that to happen, they would all have to receive some signal telling them it’s time to blow up. Since this implanted processor is unlikely to have an external communications port (which would be immediately noticed), it would need some sort of satellite receiver embedded in it.

So yes, if Jiangsu Huapeng has been implanting these devices in their transformers for some time, and if nobody has ever noticed them before this, then a BES attack might be possible. But here’s the bigger question: What possible benefit would the Chinese reap from conducting such an attack? If it happened, it would be immediately traced back to China and would be rightly treated by the US as an act of war.  And given the relative sizes of the two countries’ militaries, I’d say China’s guaranteed to come out on the worse end of the deal.

Of course, the real question is whether the folks at Sandia have found anything wrong in the transformer. If they had, US utilities – especially the ones who have purchased these transformers – would presumably have been notified immediately. And that would explain why the Executive Order was released very precipitously about a month ago. The industry would have been placed on high alert.

Did that happen? E&E News published a very good article today that quotes a number of industry executives saying they were left completely in the dark about the EO until it was published. And the Department of Energy made clear in a couple calls with the industry recently that the EO doesn’t require utilities to do anything different now than what they were doing before the EO was issued – this despite what seems to be clear language in the EO saying that all procurements of Bulk Power System equipment need to be cleared with DoE as of the day of the order. So this is another good indication that no problems have been found so far with the transformer at Sandia.

Ironically, while the government is making a big effort to find a problem which seems unlikely to exist, there’s a serious foreign cybersecurity threat that the government itself has warned about multiple times (as described in this post, this one and this one, and in this WSJ article from 2018), which still has never even been investigated. Why don’t we investigate that one, too? Either we’ll find something, or the industry can sleep a lot more soundly, knowing that all of these reports were wrong.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!


  1. Yes, it would seem that transformers with no means of being controlled remotely offer little useful adversarial cyber attack surface. Yet, for some newer substation transformers, there are microprocessor-based packages commercially available that go beyond monitoring to support operational control of tap changers. And of course in the bigger scheme, there are many other digital advancements in play for the bulk power system bolstering reliability, and yet potentially also increasing cyber risk.

  2. Thanks, Orlando. I had thought tap changers are only found in smaller transformers, but Kevin told me they can be found in transformers of all sizes, so I stand corrected. I do admit that, if the controller were compromised and the tap changer were caused to malfunction in some way, there could be a grid impact.

    But now we get back to the larger question of why the Chinese would want to do this, since it would probably be interpreted as an act of war - as well as why there was no notification to the industry if this had been found.