Critical Infrastructure Security

US Officials Urged to Examine Chinese Risk to Electric Grid

Utility Vendors Have Cut Back on Buying Chinese Transformers Due to Security Risks

Utility companies increasingly refrain from purchasing large power transformers from China given greater awareness of the security risks, a U.S. Department of Energy official told a Senate panel.


Puesh Kumar said Thursday the U.S. government is analyzing the prevalence of Chinese-made components in the electric grid but wouldn't indicate when he expects the work to be done, frustrating senators on both sides of the aisle. The head of the department's Office of Cybersecurity, Energy Security, and Emergency Response testified before the Senate Energy and Natural Resources Committee.

"Determining the Chinese origin and content of crucial parts of the electric system is a 'hair on fire' urgent demand," said Sen. Angus King, I-Maine, who caucuses with the Democrats. "The next time you're here, we need a much sharper answer to that, because that's an enormous opportunity for malicious activity."

Kumar said the Energy Department has probed which components of the electric grid would have a debilitating impact if disrupted and which subcomponents of electric equipment are from an adversarial nation, including China.

National laboratories have tested electrical equipment down to the chip or software level to determine its country of origin, Kumar said. As part of this analysis, he said the Energy Department must consider not only that China might exploit its own equipment but also that it could take advantage of a vulnerability present in equipment developed by a third party.

"The hard part about some of these questions is, at the top level, it could look like an American manufacturer or a friendly country," Kumar said. "But when you get down to the subcomponent level, it gets a lot harder."

Sen. Josh Hawley, R-Mo., questioned Kumar about the Biden administration opting to suspend a Trump administration-era executive order that restricted the procurement of foreign electrical equipment, which Hawley said resulted in the Trump administration seizing some Chinese transformers in 2020.

"Getting procurement of electric equipment made in China and allowing it to be integrated into our grid is a bad idea," he said.

Kumar said the Biden team has taken a holistic view of supply chain security that goes beyond having an approved and unapproved list.

"We're taking a more strategic approach to this to ensure we look at security from all different aspects," Kumar said. "It's too large of a problem to have one solution, which was the solution in that executive order."

Robert M. Lee, founder and CEO of operational technology cybersecurity firm Dragos, testified that Congress should place more security requirements on the firms serving critical infrastructure providers rather than just the electric utilities themselves. Dragos made the extremely costly decision to have all of its software development done in the U.S. by American citizens since the company's software lives in nuclear power plants, and Lee said that should be the rule for all firms in the national security space.

Incentivizing Domestic Transformer Manufacturing

The transformer industry has come under pressure not only from security risks but also from supply chain issues, which have resulted in development and installation times exceeding 18 weeks for large grid equipment. Despite making up less than 3% of the total transformer base in the U.S., high-voltage transformers carry between 60% and 70% of the nation's electricity, said Sen. Catherine Cortez Masto, D-Nev.

There is "widespread agreement among government agencies, utilities and manufacturers" that high-voltage transformers in the U.S. are vulnerable to a terrorist attack or a natural disaster, "and that such an attack potentially could have catastrophic consequences," Cortez Masto said.

Kumar said transformer manufacturers have struggled with obtaining minerals, finding personnel capable of doing the work and meeting heightened production demands stemming from greater electrification. The Energy Department has discussed allocating funds from the Defense Production Act to incentivize the building of transformers in the U.S., said Kumar.

"How do we simplify the production and movement of these big pieces of equipment?" Kumar asked. "Through innovation and R&D, how do we make it easier to build some of these things going forward?"

Energy officials have also connected with their counterparts in the departments of Labor and Commerce about developing apprenticeship programs to get more people into the trade of building transformers, he said. Officials hope to reduce production times for large power transformers through standardization, and the Office of Electricity is investigating how transformers could become more modular.

"Supply chain diversity is one of the things we're looking at to help manage the risk," said Steve Swick, chief security officer at American Electric Power. "We have agreements where we can share transformers, which allows us to focus on the management of the supply as well as the cyber risk."


About the Author

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.



