Chinese transformers in critical electric sector confirmed by two US administrations

A public interest researcher who conducts investigations on the security of the critical electric sector said that the presence of Chinese transformer threats has now been confirmed by the administrations of two U.S. Presidents – Donald Trump and Joe Biden.

Michael Mabee has repeatedly raised concerns about the security of the critical electric sector.

A report released last month by the Office of the Director of National Intelligence (ODNI) states that the “Deployment of utility-scale solar and wind technologies in remote areas is likely to require ultra-high-voltage transmission lines to move the power to cities. China is the world’s leading supplier of advanced grid components for ultra-high-voltage systems, such as transformers, circuit breakers, and inverters, which we assess creates cyber vulnerability risks.”

Before that, in an interview in July this year, Latham Saddler, the former Director of Intelligence Programs at the National Security Council in the last administration, confirmed that after the Chinese transformer was taken to the National Lab, “they found hardware that was put into that that had the ability for somebody in China to switch it off.”

This leads to the larger issue of how much loss the deployment of Chinese equipment in the critical electric sector has caused.

Mabee told Industrial Cyber, “If you are asking how much loss the use of Chinese equipment has already caused, I am not aware of any.”

“The problem is that we are importing transformers and equipment from the People’s Republic of China to install in our critical electric infrastructure that the Chinese government is already hacking,” Mabee explained. “This creates a massive cyber vulnerability for the United States. As far back as 2003, Congress expressed concern about China conducting ‘coordinated cyber reconnaissance’ and ‘probing’ U.S. electric utilities in a hearing entitled: ‘Implications of Power Blackouts for The Nation’s Cybersecurity and Critical Infrastructure Protection,’” he added.

The critical electric sector is made up of about 3,000 entities, both public and private sector, involved in the generation, transmission, and distribution of electricity. The regulatory structure is complex with over 60 public and private sector regulators involved, including the Department of Energy (DOE), Federal Energy Regulatory Commission (FERC), North American Electric Reliability Corporation (NERC), U.S. Nuclear Regulatory Commission (NRC), and state public utility commissions (PUCs).

“However, no government agency has the authority to mandate that the electric grid protect itself from known threats. Protection is voluntary for the majority of the electric and inadequate and self-regulated in the bulk power system,” according to Mabee.

“We have known about the threats to the electric grid for decades: The U.S. government has been concerned about the cybersecurity of the critical electric infrastructure since at least 2003; the security of the electric grid from physical threats since at least 1981; geomagnetic disturbance (GMD) threats since at least 1990; and electromagnetic pulse (EMP) threats since at least 1972,” Mabee pointed out.

“Moreover, we continue to see the impacts of extreme weather on our critical electric infrastructure every year. In other words, we have been talking about securing our critical electric infrastructure for over four decades from the very threats we still face today,” he added.

The electric utility industry has spent US$1.2 billion lobbying Congress in the last decade, pushing its self-regulatory agenda, not to mention what it has spent in the states, Mabee said. The current voluntary and self-regulatory scheme is not working. The federal government must mandate that reasonably prudent actions be taken by all entities in the critical electric sector, he added.

He called upon the DOE and the U.S. administration to act immediately: “through a Presidential Executive Order and a Department of Energy Emergency Order, protection of the entire electric grid against known threats must be made mandatory.”

He also asked for Congress to, at the administration’s urging, enact legislation mandating that reasonably prudent actions on cybersecurity, physical security, EMP/GMD protective measures, and hardening for severe weather events be taken by all entities, public or private sector, that are part of the critical electric infrastructure. These measures must be certified periodically by the chief executive officer of each such critical electric infrastructure entity.

Last week, President Biden signed the ‘Secure Equipment Act of 2021’ that requires the Federal Communications Commission (FCC) to adopt rules clarifying that it prevents any authorization application for equipment that poses an unacceptable risk to national security. In October, the FCC issued an order revoking and terminating, on security grounds, China Telecom (Americas) Corporation’s ability to provide domestic interstate and international telecommunications services within the U.S.

The U.S. administration has released two Security Directives after DarkSide ransomware hackers targeted Colonial Pipeline, which led to the compromise of the fuel pipeline company’s IT networks. The government also followed up with an Executive Order that took decisive steps to modernize US critical infrastructure and its approach to cybersecurity by increasing visibility into threats while employing appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks.