Sunday, June 21, 2020

The Chinese transformer didn’t have a backdoor, but it does have something just as serious…



Note from Tom: If you’re only looking for today’s pandemic post, please go to my Pandemic Blog. If you’re looking for my cyber/NERC CIP post, you’ve come to the right place.


Last week, Tim Conway, Robert M. Lee and Jeff Shearer of the SANS ICS team published a “Defense Use Case” (DUC) titled “Analysis of the recent report of supply chain attacks on US electric infrastructure by Chinese Actors”. It was specifically focused on Joe Weiss’ blog post regarding the large transformer that was ordered by a large US transmission entity (later identified by the Wall Street Journal as the Western Area Power Authority or WAPA), manufactured to order in China and – after its arrival in the US last summer – diverted to Sandia National Labs for examination, where it remains to this day. I discussed Joe’s post here and the WSJ article here.

The document opens by discussing these events:

  1. The issuance on May 1 of an Executive Order (EO) on supply chain security, requiring operators of the Bulk Power System to get pre-clearance from the Department of Energy for purchases of equipment for the BPS which originate from, or in some way involve, a “foreign adversary”. There was no specification of who or what those foreign adversaries are, although they presumably don’t include the Vatican or UNICEF. Kevin Perry and I analyzed the EO in this post. Joe claimed in his post that the EO was probably issued due to a “hardware backdoor” that was discovered in the transformer at Sandia National Labs, which he went on to describe as based on the Aurora vulnerability.
  2. The blog post by Joe Weiss, dated May 11.
  3. A formal complaint filed with FERC by noted prepper Michael Mabee on May 12. This called on FERC to a) require NERC to extend CIP-013 to cover low impact assets, and b) require NERC to “revamp” all of the CIP cyber security standards to address everything in the NIST Cyber Security Framework. The complaint starts by stating that NERC CIP-013 doesn’t “comport with” the EO, but for some reason nothing that would address this alleged deficiency made it into the final recommendations.

The authors explain that the purpose of a Defense Use Case (this is the seventh issued by SANS) is to analyze a report of an ICS attack (in this case, the Joe Weiss post) and answer the following three questions:

  1. Is it credible?
  2. Is there enough technical information available for ICS users (in this case electric utilities) to take action?
  3. What are possible defenses against the threat that was reported?

As to credibility, the authors give the post a score of 0, which means “cannot be determined”. They point out that Joe’s post makes two important claims. The first is that the EO resulted from the “fact” that a “hardware backdoor” was found installed in the transformer that Sandia examined. To be accurate, Joe’s post doesn’t directly say that this “discovery” led to the EO being issued. In fact, he executes a much more subtle logical maneuver, which I’ve heard the military informally describe as a “self-licking ice cream cone”: the EO is proof that a serious vulnerability was discovered, and the vulnerability is proof that the EO was properly issued.

However, I’m sad to report that the authors of the DUC don’t appreciate the sheer beauty of this audacious logic step. Even though Joe’s assertion shouldn’t be taken seriously from the point of view of grid security, I suggest that Joe write a paper for the American Philosophical Association explaining his newly-discovered method for proving two propositions without providing evidence for either one! He may have missed his true calling as a pioneering logician.

The second claim in Joe’s post is one he states in big, bold letters: “What the Chinese did was install hardware backdoors that can cause an Aurora or other type of damaging event at a time of their choosing.” I pointed out in my post on Joe’s post that I consider this to be Joe’s central assertion, and I stated that I couldn’t make any sense out of this statement, let alone judge whether it’s true or not. As the great physicist Wolfgang Pauli said when presented with a piece of pseudoscience that didn’t make any scientific sense at all, “This isn’t even wrong.” Of course, the authors of the DUC are more charitable than I am, so they confine themselves to saying once again that no evidence is available to prove this assertion.

The second question the authors of the DUC answer is whether there is any technical information to back up Joe’s claims in the post. Again, the score for that question is zero, meaning there is no evidence at all.

However, when they get to the question of how to defend against the attack, the authors take an interesting step: They stipulate that Joe’s assertions are credible and backed by evidence. Then they discuss how Joe’s second assertion (the heart of his technical “argument”) might actually be realized. This includes discussion of the Attacker, Capability, Motivation, and finally how this attack would map into the ICS Kill Chain. What they write is very interesting, even though it’s entirely based on assumptions they’ve already shown are false. The fact that they actually draw some real conclusions that could help ICS defenders is pretty amazing. This is known as turning a sow’s ear into a silk purse.

However, I now have a startling announcement to make: I have learned – from sources that I unfortunately can’t reveal – that Joe was entirely correct that a serious vulnerability was found in the WAPA transformer. However, I would call this a physical, not a cyber, vulnerability: Upon arrival in the US, the transformer was tested and found to be infected with Covid-19!

Of course, as I believe has been proven by electrical engineers (although I don’t seem to have the data readily available), if one infected transformer is placed on the grid, it could easily spread Covid-19 to lots of other transformers. This will happen even if they’re in different substations - just as long as they’re on the same grid. This made it absolutely imperative that the transformer not be installed, which is why it was taken to Sandia and presumably pulled apart - although I hope the people who did that practiced proper social distancing and wore face masks. So even though Joe was wrong about the reason why the transformer was dangerous, he was right in asserting that we’re lucky it was never installed on the grid. The US hasn’t had a lot of lucky breaks lately, so we’ll take this one.


Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!



3 comments:

  1. Tom that last part made my day - belly laughs! Thanks for that!

  2. Thanks for the heads up Tom. Question: do you think thermal imaging can detect COVID-19 infected transformers? And do you think this transformer is also infected? http://buildipedia.com/media/k2/items/cache/151e7f346a3cc480c1121a28cdb2ea01_XL.jpg

  3. No, I think you have to do the normal nucleic acids tests that you do on human beings. And to determine whether the transformer had the virus in the past, you would use the standard blood serum test.
