Two recent articles appeared concerning possible implications of or prompts for the 01 May 2020 Executive Order on the US electric system. Notably, the Executive Order was quickly followed by a US Department of Commerce investigation into the supply of electrical transformers. While the latter would appear related to typical trade concerns under the cloak of national security (an observation supported by initial media and industry reactions), subsequent media reporting would indicate security concerns might have a more significant role to play.
Appearing first in online publication CSO Online then later with additional detail in The Wall Street Journal, a story emerged on a transmission-scale transformer purchased by the Western Area Power Administration (WAPA) for its Ault substation (likely associated with ongoing improvements to transmission lines) from China-based JiangSu HuaPeng (JSHP) Transformer. On receipt, the transformer was diverted from delivery to WAPA, a US government-managed power marketing authority, to the Department of Energy’s Sandia National Laboratory in Albuquerque, New Mexico.
Rumors immediately circulated – without evidence or much supporting information – that the diversion was due to alleged “hardware implants” in the transformer that would enable a future disruptive or destructive attack on the receiving substation. Given JSHP’s location and ownership, the rumors rapidly transformed into tales of an “attempted Chinese attack on the US electric system”. While concerning, several items simply do not plausibly support this theory:
First, the nature of the equipment involved – a 345/230 kV transformer – has little equipment capable of receiving a notable “backdoor”, “logic bomb”, or other “bonus” functionality to make the effort worthwhile. While modern transformer equipment includes technologies such as sensors for various environmental and performance monitoring purposes, these are passive reporting items with no substantial active role in transformer operation. Presumably altering sensor reporting to monitoring systems could enable damaging or dangerous conditions to proceed further than normal or without immediate notification, but additional physical safety and engineering controls exist to mitigate this damage. While possible hardware backdoors make sense in equipment with more active roles in managing electric operations (such as switchyard equipment operating breakers, like the ABB systems manipulated in the 2016 Ukraine event, or digital protective relays that provide dynamic protective operations), operations at the transformer level only make sense as part of a much broader effort impacting additional equipment. Even if actionable and successful, taking advantage of a “transformer backdoor” would entail additional access and manipulation points into the target substation to do much good.
Second, the timing of events makes no sense. Based on unfounded rumors, one would be led to believe that the transformer was deemed suspicious after an inspection thus resulting in the “additional scrutiny” at Sandia. Yet that is precisely not what happened in this instance. Based on the Journal story, events began with a modification to the initial order from WAPA to JSHP in June of 2019, prior to delivery at the Port of Houston. Initial actions included an abrupt contract change where WAPA declined installation and warranty services from JSHP – again, based on the article, prior to delivery. Only after receipt in Houston was the transformer then quickly diverted from WAPA to Sandia for reasons unexplained. Therefore, rather than identifying something meriting further investigation after post-delivery inspection, it would appear that the transformer was designated for diversion and further analysis before anyone from WAPA (or within the US) could lay eyes on the JSHP equipment.
Third, while speculation concerns the possibility of manipulating or modifying electronic components (such as sensors) installed on the transformer, Journal reporting and statements from JSHP indicate that such components were provided by third-parties for the Ault equipment. While it certainly remains possible that such third-party equipment could have been modified by JSHP personnel during integration, this remains less feasible than instances where JSHP would control the entire supply chain and begins stretching the story of how (or why) any such manipulation could have taken place. Essentially, unknown attackers would need to focus not so much on JSHP equipment, but instead on the suppliers of subcomponents which were selected by WAPA.
Fourth, the equipment was planned for diversion to Sandia, which seems an odd choice given available options and expertise. While Sandia performs research in multiple diverse fields, the lab’s primary role since its founding has been supporting US national security missions with scientific and engineering contributions to both nuclear and conventional US weapons programs. Meanwhile, Idaho National Laboratory (INL) is noted for its power systems expertise and practical research programs into all facets of the electric system including electric system security. If one were concerned about a potential hazardous or dangerous manipulation to electric equipment (including a transformer), the logical choice would be to send the device to INL for further analysis and investigation – and not an institution that functions primarily as a weapons research and development laboratory.
So, what the hell is going on?
Multiple aspects of this story simply do not line up. First, transformers seem to be a poor or very limited target for supply chain attacks on the power system. Second, the timing of events would appear to indicate diversion of the transformer in question was planned in advance rather than emerging through questionable discoveries on delivery. Third, the components that would be likely targets for manipulation were outside of JSHP control limiting attack possibilities. Finally, the equipment was shipped to a location separate from the US government’s existing technical expertise in power systems research and security analysis.
Overall, while the speculation about this event seems unfounded as an impetus to the Executive Order (and even less so as evidence of an attempted “Chinese attack” on the US electric system), plenty of additional questions remain. As noted in Reuters reporting on Commerce Department actions focusing on the transformer market, US manufacturing capacity for these critical pieces of equipment (and their components such as grain-oriented electrical steel) has largely evaporated while Chinese market share (either in transformers themselves, or in component steel then assembled in Mexico or elsewhere) is in the ascendent. Given the timing, nature, and sourcing of events, what if the reading of activity is the reverse of current rampant speculation – that rather than being evidence of the US government identifying and blocking a potential supply chain attack, this is instead an action by US government resources against Chinese entities or to enable some other action?
This theory seems wild for multiple reasons, but no less “wild” than the unfounded speculation of an impending Chinese attack via modified transformer equipment. One item that can likely be ruled out, despite the evisceration of the US transformer manufacturing market, is potential economic espionage. While occasional stories emerge of US government resources used to conduct economic espionage, the sourcing is poor and typically when taking place such operations are directly related to national security items and not for the benefit of private companies. That some targets with a vital national intelligence interest (such as oil and gas firms or aerospace companies) are commercial (or semi-commercial, state-owned) firms is immaterial to the intelligence value in gathering information from such entities for multiple government purposes. So the idea that the US identified a case where the government could directly intervene (an order placed through US-controlled WAPA) to then acquire a device for reverse engineering at a weapons laboratory may be thinly, vaguely possible, but is largely an unlikely if not insane idea.
Yet playing this theory out a bit more introduces another possibility emerging from the same set of circumstances. The order through a US-run entity, WAPA, would allow for some degree of government-directed alteration in contracting – such as the very short notice modification of shipping details to take control of the device at point of receipt and cut JSHP out of transporting and installing. While JSHP could theoretically have balked at such modifications, they appear to have taken place at the very last minute prior to shipping based on the Journal’s article – meaning JSHP was stuck in a position of either haggling over a custom-produced piece of large, expensive equipment, or accepting the modification as a late fait accompli to ensure they could get paid for work already done. Once received, rather than commandeering property belonging to one of the multiple privately owned power companies in the US, authorities could instead then immediately divert the shipment to another location, which seems to be the case in the article.
The choice of where the equipment was shipped is also interesting. While INL is noted for power systems research and security work, Sandia is best known for weapons and related research and engineering. Notably, although thinly sourced, Sandia has previously been accused of enabling or conducting supply chain attacks in critical infrastructure environments. So under this theory, instead of the transformer shipped to Sandia to look for “bugs” or backdoors, or for reverse engineering to aid US manufacturers, the equipment was instead diverted to conduct research into how the US could potentially manipulate, modify, or attack transformer equipment such as that manufactured by JSHP.
Based on various leaks from the National Security Agency in the past decade, there is something of a history for the US government allegedly diverting, intercepting, or planting backdoors into equipment, such as in Cisco and Juniper networking devices. Although pricey, networking gear is somewhat of a commodity – electric system transformers meanwhile are generally custom built, expensive, and very large pieces of equipment. So getting hands on one to “play around with” for whatever reason is a bit more difficult than redirecting a UPS delivery truck. Compelling a private power company to “give up” such a device may be possible, but suspicious and would be difficult to hide. So the distribution pathway from a government-directed purchase to a government-ordered diversion seems like it might be one of the only ways US entities could get their hands on such equipment while raising minimal alarm.
Overall, we would then have a very interesting situation indeed. The WAPA purchase was identified – either opportunistically or strategically – as a chance for a US government entity to acquire critical electric system gear for analysis and experimentation. Once reaching a point where JSHP was stuck with whatever last-minute terms WAPA could force on them, conditions were changed to cut out JSHP from all operations and handling as soon as the device arrived on US soil in Houston. Once there, the equipment was then diverted to a government weapons laboratory for research, analysis, and possible attack capability development – either against transformer equipment in general, or potentially against JSHP equipment specifically.
Of course, all of this is speculation – but has a degree of plausibility around it given circumstances. As a result, such speculation, while requiring more evidence, cannot just be dismissed as crazy out of hand. Notably, while many are quick to accept the possibility of an unlikely, difficult to execute supply chain attack via transformer, we as critical thinkers and individuals concerned about the defense of all civilian critical infrastructure should be mindful of our assumptions. This applies for both where they may lead us without having sufficient (or in this case, really any) evidence of a “Chinese intrusion into the US electric system” – and where we might dismiss things far too easily because they are uncomfortable thoughts, such as “the US may conduct operations to enable future attacks against civilian electric infrastructure”.
Overall, there are many questions concerning this event, some if not all of which will never be answered. We therefore should be certain that we don’t let fears, biases, and speculation lead us to pre-determined, preferential outcomes as we might miss something quite significant along the way. With luck we will learn more about this strange set of circumstances that led to a transformer being sent to New Mexico for reasons unknown. But until then, we should be cautious not to either build seemingly “strong” cases out of minimal evidence to support or preconceived notions, or to dismiss possibilities because they may offend or disturb us given their implications.
