The Energy Department last summer quietly diverted a Denver-bound, Chinese-built grid transformer to search for suspected attack malware — an extraordinary move that would seem to warrant a confidential briefing with top U.S. utility executives.
But federal leaders never raised a red flag with major power providers, according to some industry officials. The omission appears to run contrary to the electricity industry’s pleas to the federal government for more intelligence about cybersecurity threats from foreign-based vendors.
Grid executives were also caught by surprise by President Trump’s executive order May 1 directing DOE and other agencies to produce a list of suppliers in "adversary" countries whose equipment would be banned for security reasons. China is a top suspect, a Department of Defense official told reporters.
A high-level committee of CEOs and federal security officials, the Electricity Subsector Coordinating Council (ESCC), exists for just that information-sharing purpose.
The group wasn’t consulted in advance, said Tom Fanning, CEO of utility giant Southern Co., one of three ESCC co-chairs.
Scott Aaronson, vice president for security and preparedness at the Edison Electric Institute, which represents U.S. investor-owned utilities, said the ESCC was "aware … that an executive order was in development."
"But as far as running it through us, having a chance to react to it before it went live, no, we did not," said Aaronson, who is the ESCC secretary.
"Everybody is really of the opinion that the executive order got issued … without a lot of consultation with stakeholders in the electric sector," said Duane Highley, CEO of Tri-State Generation and Transmission Association Inc., another ESCC co-chair.
"There was a big rush and nobody is quite sure what their motivation was," other than to keep the electric sector secure, Highley said.
That puts the two events in the ring with other issues that have strained U.S.-Chinese relations to a high pitch, alongside accusations by each country that the other is responsible for the worldwide coronavirus pandemic, new U.S. trade investigations of Chinese imports, moves to ban Huawei Technologies Co. Ltd. telecom equipment, and stepped-up air and sea patrols by both nations in the Taiwan Strait flashpoint.
U.S. intelligence officials say China has penetrated energy networks in this country with the capability of disrupting them.
"There is an effort [by the president and top officials] to put pressure on China," said Bonnie Glaser, director of the China Power Project at the Center for Strategic and International Studies.
"There is an assessment in this administration that China has been taking advantage of the U.S. for many years, that prior administrations have been very weak and have allowed China to gain advantage over the U.S. in a range of areas," she added.
"Because the U.S. is often acting unilaterally, and not in coordination with allies and partners, we are playing with a weaker hand than we would be if we were acting with other countries," Glaser said.
Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, said that Chinese defense writers talk about attacks on critical infrastructure as a way to deter the U.S. from challenging their own national interests.
"They want to remind the U.S. decisionmakers that if there is a regional conflict — [the] South China Sea or Taiwan Strait being the most likely — that the U.S. would not necessarily be untouched," Segal said.
Asked whether the order will further agitate tensions between the U.S. and China, Segal said that the move will be "another small part" of continuing friction.
"They’re already so exasperated that I don’t know how you can make them worse," Segal said of the relationship.
Segal said that the order appears to be another part of the Trump administration’s "broad push on Chinese technology and supply chain security."
Allan Marks, a partner at the international law firm Milbank LLP, pointed out that Trump’s order is similar to a previous one that focused on supply chain threats in information and communications technology.
"China is often the target of administration actions on trade and other areas, and China is a significant exporter of power goods and machinery and components to the U.S. and worldwide," said Marks.
People familiar with the transformer case said DOE Assistant Secretary Bruce Walker, who heads the Office of Electricity, and his team had suspicions about the massive pieces of electrical equipment being built by Jiangsu Huapeng Transformer Co., headquartered in Changzhou, China.
One such transformer arrived last summer at Houston’s port, according to Jim Cai, North American representative for Jiangsu Huapeng, and was made per the instruction of the Western Area Power Administration with electronic accessories from U.S. and U.K. manufacturers.
Most of the digital controls on the transformer were made by U.S. companies and were shipped with the unit, a common practice, ESCC’s Highley said.
The Wall Street Journal reported yesterday that federal officials commandeered the 500,000-pound unit and shipped it to DOE’s Sandia National Laboratories, in Albuquerque, N.M. Other sources told E&E News that since the transformer was headed for the Western Area Power Administration (WAPA), a DOE electricity marketing agency, the transfer was not a seizure. DOE headquarters said it wanted the equipment tested and it was, according to these accounts.
Cai also objected to the use of the word "seizure," saying, "WAPA has paid full amount for this unit per the contract and how WAPA uses this unit is not our business."
Jiangsu Huapeng has delivered more than 100 transformers in the U.S. and Canada since 2009 and has one of the biggest factories in the world, with units sold to the New York Power Authority and utilities in New Jersey, Florida and Nevada, according to the company’s website.
"For 7,000+ 110kV transformer units delivered worldwide, [we] never had any cybersecurity incident, not even this WAPA unit," Cai said.
The Wall Street Journal’s report said the equipment under suspicion was a monitor that detects deterioration in the transformer’s insulating oil. High-voltage transformers raise and lower voltages across power lines and do not typically contain huge amounts of computer code that could be exploited in cyberattacks. But they come with monitors and digital controls, and the latter are potential targets of hacking, experts say.
A threat to a transformer could come from electronic devices that transmit data and signals to utilities and vendors. "It comes down to how well-protected the communications circuits are to the outside world," Highley said.
It’s possible for electronic monitoring equipment to be tampered with to provide false reports, triggering interruptions of power flows, said Andrew Ginter, vice president for industrial security at Waterfall Security Solutions Ltd. Such tampering could provide an adversary with the means to attack and possibly take over connected computers on substation networks. However, Ginter stressed that there have not yet been any public reports of such attacks, nor have malicious software or capabilities been found in transformer components.
A chilling effect
Marks of the Milbank law firm said that the overarching question being asked by the energy industry on the executive order is, "how will this get implemented?"
As the industry waits for the ruling from DOE, there will be a chilling effect on certain manufacturers, as companies investing in new equipment need to decide whether to import it, said Marks.
"As long as there’s uncertainty that will cause delay and possibly increase costs," Marks said.
Marks said that the timing of the order is an "odd juxtaposition" given that the Federal Energy Regulatory Commission recently pushed back a new standard that would have required electric utilities to come up with mitigation plans around supply chain threats. That separate order is now set to take effect Oct. 1 (Energywire, April 21).
FERC, which oversees the physical and cybersecurity standards for large power providers in conjunction with the North American Electric Reliability Corp., already manages an existing jurisdictional framework that is largely ignored by Trump’s order, Marks said.
The grid overseers have not been as focused on which malicious actors are attacking the grid, instead focusing on stopping all threats regardless of the origin of the attack, experts say.
"The specifically foreign nature of the threat — that’s different, that’s unique to the executive order," Marks said.
"U.S.-China cyber has been a steady drumbeat, and the drums are getting louder and louder. You have to look at this issue against the broader backdrop of the geopolitical situation," said Frank Cilluffo, director of the McCrary Institute on cybersecurity at Auburn University.
"The need for greater visibility into our supply chain is becoming more and more apparent," Cilluffo said. "You do want to be able to work hand and glove with your industry partners, but there will be times when national security preempts all that."
While the details of the executive order may not have been shared in advance, the order itself shouldn’t have surprised anyone, he said.
Fanning, a leader in his industry’s cybersecurity policy circles, said he wasn’t overly bothered that the ESCC wasn’t briefed on the executive order in advance. "This order is fantastic," he said. "This is something that we have been seeking for years, and it’s a very good move for America."
"We see this as a great move forward," said Kevin Wailes, CEO of Lincoln Electric System, in Lincoln, Neb.
Fanning said the key elements of the executive order are all on target.
He said that, from briefings that followed the order, he believes the industry will have more access to sensitive and classified government information on suppliers. "Private industry will have an insight into that," Fanning said.
There will be a certification process for trusted vendors and equipment, "designed by the government with the collaboration of private industry," Fanning said.
The controls on foreign vendors will be selective, he said.
"You’re going to evaluate not everything in the stream of supply chain but rather the most important assets in America that are going to impact the safety of our citizens, the security of our economy and our ability to defend ourselves to fight back as a nation," Fanning said. "We prioritize in a very rigorous way what the most important assets are. We will then have a better sense of evaluating … the assets that they reside currently in our system."
One of the order’s most important pieces is the promise that U.S. grid companies and domestic vendors will get access to sensitive, classified intelligence on which foreign vendors pose the greatest security risks, said Paul Stockton, former assistant secretary of Defense for Homeland Defense and managing partner of the Sonecon LLC consulting firm.
David Whitehead, CEO of Schweitzer Engineering Laboratories (SEL), was another industry leader caught by surprise by the order. SEL, based in Pullman, Wash., is rated the top U.S. producer of protective grid relays for transmission lines. Schweitzer also manufactures other grid protection, automation and control systems.
"My understanding is that the executive order came out with not a lot of understanding of how to execute the ideas. We are sort of in a wait and see position … to see how this falls out," Whitehead said.
The industry has been asking government for more threat intelligence for a long time, said Highley of Tri-State Generation and Transmission. "‘What can you tell us?’ They said, ‘Google it,’ literally."
"We wouldn’t want to put things in our control rooms that [the government] wouldn’t want to put in their facilities," Highley added.
"To the extent they can share white list and black list" information, "that is really important to us," he said.
"I’m grateful to see the executive order," Highley said. "Now that the order is out the door, we want an opportunity to work with them."
Stockton said the success of the executive order depends on collaboration. "The only way to successfully implement the order is to bring electric industry into that process as a full partner," he said.
Correction: An earlier version of this story misidentified Kevin Wailes’ company. He is the CEO of Lincoln Electric System, in Lincoln, Neb. The weight of the transformer was also misstated.