Executive Order and the Chinese Transformer
- Jun 24, 2020 11:43 am GMT
On May 1, 2020, President Trump signed an Executive Order (EO) regarding foreign-sourced equipment for the bulk power system (BPS). There have been a few articles regarding the impact of this on the industry. I was interviewed by T&D World for one article, and Joe Weiss, a long-time control system security expert, revealed that the timing of the EO may be based on the delivery and subsequent discovery of back doors from a Chinese transformer purchased by the Western Area Power Administration.
What does this EO mean for electric utilities? Right now, there is limited information. A Stakeholder call (transcript in this video) was held on May 21, 2020 by the Department of Energy, tasked with the development of the EO plan and associated Task Force. The presentation was mainly a restatement of the EO and a statement of the four pillars that the Department of Energy will focus on for this EO:
- Identify source countries and specific equipment for prohibitions based on risk to the BPS;
- Establish a pre-qualification process for equipment that is acceptable for use in the BPS;
- Develop a process to mitigate risk with asset owners of prohibited equipment; and
- Communicate information via the Task Force to the stakeholders (electric utilities, Federal entities such as the regional power administrations and others) in the BPS.
There are a few points that we can review in preparation for the Task Force issuing additional information.
Identify Source Countries and Equipment
The lion’s share of attention has been attached to China and the 345 kV transformer that was ordered by the Western Area Power Administration, according to the Wall Street Journal. However, equipment manufactured by companies with European headquarters is often developed in other countries such as China and Brazil due to labor and raw material costs. The challenge will be to determine which equipment poses a measurable risk to the BPS regardless of company or country of origin. Initially, the Task Force will need to develop broad categories of countries and equipment that require further assessment. Then, utilities and other BPS stakeholders will need to perform an inventory and risk assessment of the Task Force categories to determine mitigation actions.
Process and Control System Electronics
While the list of equipment under review in the EO is extensive, the major components that require scrutiny from a cyber view are the process sensors and control system electronics. These devices and systems measure physical and electromagnetic characteristics of the equipment or operating environment and report to a control system. The control system constantly performs logical analysis and can issue control commands to other devices such as valves, protective relays, load tap changers, and other control devices. If a characteristic such as voltage, current, temperature or pressure exceeds the boundaries previously set, the control device can take action to protect lives and prevent equipment damage.
Utilities and other BPS stakeholders should be prepared to assess all process and control system electronics for cyber threats, regardless of country of origin or location in the BPS. The ability of nation-states to infiltrate electronics manufacturing and microcode development at any location in the world is a significant risk that will require an equally significant effort to identify and mitigate.
At first glance, this EO appears to be focused on major equipment associated with the BPS owned by large utilities or power administrations. However, I believe that this EO will only expose the tip of the iceberg from a threat and vulnerability perspective, and the industry will need to reassess all their process and control system electronics throughout the BPS.
The information technology industry experienced a similar issue in the late 2000s with counterfeit networking equipment, which is still an issue today. The corresponding issue for process and control systems is just starting to receive the level of attention required to take action, whether from the EO or other risk assessments.