29 September 2020

Energy Grid Supply-Chain Risks and U.S.-China Entanglement

By Justin Sherman, Tianjiu Zuo

On May 1, President Trump signed an executive order on securing the U.S. bulk-power system, aimed at limiting foreign influence in the U.S. energy grid by targeting grid suppliers potentially compromised by foreign adversary governments. The bulk-power system, made up of interconnected devices that generate and transmit electricity across the country, is an especially vital component of U.S. national infrastructure. Jim Dempsey wrote an informative analysis of this executive order. Dempsey places these attempts to bolster supply-chain security in broader context, linking them with recent executive branch actions against foreign telecommunications companies. But it’s also worth examining the executive order in a context specific to the U.S. energy grid and focusing on Chinese suppliers, because of the notable role Chinese firms play in the U.S. energy grid supply chain.

Much attention has been paid of late to “decoupling,” the forcible separation of interdependent and interconnected supply chains, particularly between the United States and China. The recent executive order, to a certain extent, aims to do just that: identify foreign suppliers of bulk-power equipment that pose unacceptable security risks and ensure they aren’t included in U.S. critical infrastructure. As Dempsey noted, the order’s passage “indicates how the ‘great decoupling’ of China-U.S. supply chains, previously driven by trade war-induced uncertainties, increasingly may be cast in terms of cybersecurity and national security imperatives.” Even more broadly, U.S. actions to limit the presence of foreign suppliers in U.S. digital infrastructure are increasingly framed in terms of national security rather than purely economic considerations.

What’s worth unpacking further, though, is the extent to which this recent action on bulk power differs from other U.S. government actions focused on digital supply-chain security. Much of the decoupling involves these digital supply-chain issues, like with attempts to ban government employees and contractors from downloading the app TikTok, which is owned by a Chinese company, or the aforementioned inspections of foreign telecom suppliers whose operation in the U.S. may pose security risks.

But bulk-power systems are different from telecoms, and they’re definitely different from mobile apps. There may be some overlapping security risks (for example, where data collection occurs, data could be stolen), and some risks are certainly related (such as potential remote-access backdoors), but the risks of foreign compromise in bulk-power systems look quite different—they include anything from foreign powers manipulating data generated from power systems to shutting down energy grid components entirely. The potential effects of compromise could look quite different, too. Different as well is the landscape of suppliers of U.S. bulk-power systems (compared to, say, telecoms). Chinese companies certainly play a large role in many digital supply chains, but these Chinese firms have an especially large share of the bulk-power market.

So, it’s important to undertake a unique consideration of the foreign entanglement in the U.S. energy grid supply and of appropriate U.S. supply-chain policy responses.

U.S. Attention to Energy Grid Supply-Chain Risks

The need to understand particular risks of foreign compromise in the U.S. energy grid is growing increasingly urgent. Among other things, the U.S. government has slowly increased the attention it pays to these threats. For instance, the recent executive order says,

I therefore determine that the unrestricted foreign supply of bulk-power system electric equipment constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States, which has its source in whole or in substantial part outside the United States. This threat exists both in the case of individual acquisitions and when acquisitions are considered as a class.

For anyone watching this space, intrusions and potential intrusions into the energy grid are not a new threat. The White House’s 2018 National Cyber Strategy said as much: “We are vulnerable to peacetime cyber attacks against critical infrastructure, and the risk is growing that these countries will conduct cyber attacks against the United States during a crisis short of war.” That 2018 strategy document noted that “energy and power” is a key critical infrastructure area vulnerable to threats. (Washington is hardly the only one drawing attention to these risks; a January 2020 threat assessment published by the industrial security firm Dragos noted that “the number of publicly known attacks impacting ICS [industrial control systems] environments around the world continues to increase, and correspondingly the potential risk due to a disruptive cyber event impacting the North American electric sector is currently assessed as high.”)

Other government initiatives likewise demonstrate growing executive branch attention to risks of foreign compromise in the energy grid supply chain. In 2018, the U.S. Department of Energy established the Office of Cybersecurity, Energy Security, and Emergency Response and issued a Multiyear Plan for Energy Security Cybersecurity. Among other objectives like improving energy owners’ and operators’ cyber incident reporting, the plan’s stated key goal was to “reduce critical supply chain vulnerabilities and risks.” This is hardly the only effort within the government to address the risks. Dempsey has already noted, to give another example, that the Federal Energy Regulatory Commission has approved a mandatory supply-chain risk-management standard for bulk-power systems (though it hasn’t yet gone into effect). The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) also expanded the authorities of the Committee on Foreign Investment in the United States (CFIUS) to review international investments, acquisitions, mergers and joint ventures with U.S. companies. FIRRMA gave the committee the authority to review transactions involving a number of industries, including U.S. critical infrastructure systems. CFIUS exists to sniff out foreign-originating security risks and intervene before any risk materializes, though it also now can examine transactions that have been completed. These authorities and provisions highlight momentum inside the government for the U.S. to secure its critical infrastructure and to involve yet more executive branch components to do so. But the recent executive order that proposes to, in certain circumstances, actually ban foreign suppliers from bulk-power systems represents a new level of decoupling that merits some unpacking. Key to this unpacking is the extent to which Chinese firms, a routinely identified source of cybersecurity concern for the U.S. government, play a role in the U.S. bulk-power system market. It turns out, in this particular digital domain, Chinese companies supply a considerable proportion of components in the United States.

Chinese Firms and the U.S. Energy Grid

China’s rapid development of its high-tech manufacturing industry in recent decades has firmly secured the country’s role as a global supplier of energy production assets. The Chinese government has made it a key priority to establish dominance in this arena, namely with its enormous backing of the State Grid, the state-owned electric grid monopoly.

How does foreign equipment show up in the U.S. power grid? One relevant example comes from power transformers, which power companies use in substations and which have several functions, including changing alternating current to direct current (and vice versa) and switching generators in and out of a system. These power transformers transfer electricity from one circuit to another and serve as a conduit between power generators and the end user—they ensure power distribution to households, offices, hospitals and more. China has been exporting these power transformers to the United States in relatively large quantities. While China’s involvement in some industries, such as aerospace and chip-making, is relatively nascent, its ability to manufacture power-generating equipment is well established. For example, China is able to domestically manufacture cores, specialized components designed for power transformers, made of grain-oriented electrical steel and laminations. A 2014 report by the Department of Energy noted that more than 30 indigenous Chinese power transformer manufacturers have sprung up quickly. Established manufacturers such as ABB Group, a Swiss firm, have moved factories to China as well, underscoring the procurement demand for cheap Chinese components—which also, all too often, have little cybersecurity baked into their design.

In the past decade, China has exported more than 200 large power transformers for use in the U.S. power grid. There are around 2,000 total high-voltage power transformers in the United States, so China’s equipment represents roughly 10 percent of the total share. That is a significant proportion. Foreign components in the supply chain are difficult to replace, as they’re highly specialized and difficult to transport. Other countries, like Iran or Russia, can also be sources of potential energy grid compromise, but they don’t supply components at the same volume as China. In contrast to other digital supply-chain areas where decoupling targets a smaller subset of components, efforts to disentangle U.S.-China supply-chain dependencies in the energy grid would focus on a much higher proportion of components due to China’s market share in the United States.

Playing Out the Risks

Risk assessments can be broken down into the likelihood of a particular outcome and the potential severity of that particular outcome. Likelihood is a product of both threats and vulnerabilities; the executive order is focused on reducing foreign threats to the U.S. energy grid by potentially removing foreign suppliers’ presence in it, not shoring up vulnerabilities (like buggy code) found in U.S. systems themselves. Likelihood, for instance, involves considering the likelihood of a malicious actor exploiting a particular vulnerability in the U.S. energy grid to disrupt functionality in a particular conflict-like scenario. We won’t get into that here, though it’s worth noting that probes by foreign adversaries of U.S. infrastructure have occurred in the past, such as with the well-known Iranian intrusion into a dam in Rye Brook, New York, and they’re probably ongoing. Exact numbers are unclear. In 2018, for example, the head of the Cybersecurity and Infrastructure Security Agency commented that hackers have repeatedly broken into U.S. energy grid systems but then subsequently clarified that the hackers would not have had the ability to cause widespread outages. A 2019 Wall Street Journal investigation reported on a somewhat successful Russian campaign to break into the U.S. grid that targeted companies in 24 states.

But when talking about severity, it’s unquestionable that the potential severity of a digital compromise of the U.S. energy grid could be quite high. Attackers could potentially cause digitized transformers to overheat or just outright turn them off. These kinds of outages could be potentially devastating and could result in anything from loss of life (for example, if they were to deliberately or collaterally affect hospitals) to the undermining of civilian communication systems (for example, by cutting power to internet service providers in a particular region). Attackers, through compromises in the energy grid supply chain, could also lock engineers out of systems, falsify data, or turn off alarms intended to flag errors and abnormalities in grid behavior and performance for system maintenance or inspection. Geographically disparate attacks could make response coordination difficult. This is all especially concerning as more and more industrial control systems are being connected to the internet (including a huge increase in the number of connections between power grids and “internet-of-things” devices that may have abysmal security practices like default passwords) and bringing serious security risks with them.

Compromises of the energy grid supply chain could occur in numerous ways. Like with potential compromises of the telecommunications supply chain, foreign governments could insert deliberately created backdoors into hardware or software, or they could make use of bugdoors, which are vulnerabilities accidentally created during the coding process that a government (in this case, China) forces the manufacturer to keep in place for exploitation. Like with potential compromises of mobile apps, once an energy equipment supplier deploys its customer systems overseas, the foreign government in the country in which the firm is incorporated could also compel energy equipment suppliers to collect certain data for espionage or attack preparation purposes. Regardless of how an energy grid supply-chain compromise manifests, the potential severity of any compromise is high. Policies for supply-chain trustworthiness therefore must always weigh the context in which systems operate, what physical and digital processes may be dependent on or linked to those systems, and what kinds of digital or kinetic effects those systems can have. Defense Department mission-critical weapon systems are different from smartphone video-sharing apps, which are different from bulk-power grid components. There may be overlap among the risks inherent to each sector, but the likelihood and especially the severity of potential supply-chain compromise are different in different cases. The energy grid, as discussed here, is a prime example of that fact, due to the potential effects of compromise and the growing reliance on non-U.S. component suppliers, especially those from China. To that point, these supply-chain trust assessments certainly should be undertaken with a focus on Chinese suppliers.

But it would be a misstep to focus myopically on Chinese suppliers. Those conducting a trustworthiness assessment should also consider domestic suppliers and suppliers from other foreign countries, for it isn’t just Chinese suppliers that are a potential vector of foreign adversary compromise in the energy grid supply chain. Many power companies are far more concerned with counterfeit or faulty parts in their systems, like the aforementioned transformers, than with adequate security. And even if U.S. companies aren’t compromising their energy grid components at the behest of foreign governments, serious supply-chain risks can also come from technically sloppy bulk-power and energy grid components that just have incredibly buggy and terribly managed code. These are potential attack vectors that may be exploited mostly by state actors, as Dragos’s Robert Lee noted recently, but also by non-state actors.

Another prime reason to consider risks beyond just Chinese suppliers—though, again, the proportion of Chinese suppliers in the U.S. energy grid raises its own set of unique security questions—is that a number of manufacturers have now built factories in China. In recent years, this includes manufacturers many in the U.S. would deem trustworthy, such as Siemens AG and the Swiss ABB Group. These moves raise their own questions: Could the U.S. government apply pressure on U.S.-based suppliers, such as through federal procurement rules, to change the sourcing of their subcomponents? Does the Chinese government have the ability to intervene in the manufacturing process of these factories? And even putting regulatory and legal authorities aside, does the mere physical presence of a factory in an adversary country make the potential for compromises easier for the adversary intelligence service?

Checks on these questions could come in many forms. Certainly, the intelligence community and other elements of the U.S. government likely have classified information related to these questions. Third-party, independent, transparent audits of hardware and software systems could be another vector for getting insight into suppliers—but those come with their own hosts of questions, like the feasibility of doing so at scale and with potentially notable costs (in time and money). The recent executive order on the U.S. bulk-power system creates a Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security—composed of representatives from the departments of Defense, Interior, Commerce and Homeland Security, as well as other agencies—that presumably will be monitoring the energy grid supply chain, albeit with influence from the White House’s policy preferences. It remains to be seen how effective the task force is at addressing these complicated questions.

More than 85 percent of America’s utility transformers come from abroad. The U.S. lacks the domestic production capacity to entirely fulfill demand for components across the entire supply chain, especially as many specialized steel manufacturers are located in China. Practically, it is difficult to move completely away from Chinese transformer equipment. While the executive order does not take any immediate actions in the way of ejecting particular suppliers from the U.S. energy grid supply chain, it does add an extra layer of regulatory oversight for many infrastructure transactions.

Regardless of what the Department of Energy recommends in the future, it’s essential to better understand not just supply-chain risks, potential ways to evaluate trust and ways to mitigate risks where applicable—but it’s also critical to understand context, especially what foreign compromise of a particular digital system would do and what decoupling supply chains for that system would look like.

The task force should leverage ongoing U.S. government efforts to track potential energy grid compromise. For instance, the Wall Street Journal reported that in the summer of 2019, the U.S. government seized a Chinese-manufactured electrical transformer when it arrived in Houston. The government then shipped it to Sandia National Laboratories in New Mexico, a government research lab with the responsibility for safeguarding the U.S. nuclear stockpile but also for energy grid research. It is possible these kinds of inspections of energy grid equipment (analogous to the U.K. National Cyber Security Center’s formal process for testing Huawei telecom equipment, though in this case not made public) could help inform U.S. government decisions about foreign supplier risks. The task force is already charged with working in cooperation with the secretary of homeland security, but it is worth the White House further laying out how this new task force should interact with ongoing work on critical infrastructure protection by the Department of Homeland Security and particularly the Cybersecurity and Infrastructure Security Agency. This is, at the end of the day, an energy issue.

That said, the task force would also do well to consider objective criteria for establishing trust in bulk-power system components. This kind of criteria development is something one of us has already argued for in the context of securing the U.S. telecommunications supply chain. Context again matters. Depending on what the component in question is and where it is geographically located within the country and within the energy grid network, the U.S. government may find certain factors to designate one foreign energy grid component supplier as more risky than another. The task force should leverage classified insights from within the U.S. government. But it should also use objective and publicly known technical hardware and software trust criteria, especially those that conform with industry best practices and to a certain extent are third-party verifiable.

Finally, it’s worth noting that the executive order allows a total ban on equipment deemed a threat. The task force should also consider if it can issue partial bans and in which cases those may be useful. A partial ban could entail many things: limiting a supplier to only a certain geographic area in the U.S. (for example, no supplying of equipment in the grid around a military base), limiting a supplier to providing only certain components (such as providing devices to measure electricity levels but not backup generators), or limiting a supplier to only a certain percentage of the overall grid. This may not work in every case. In many instances, the government may deem it better to fully ban equipment.

In any case, what’s clear is that the proportion of Chinese suppliers in the U.S. bulk-power system, combined with the risks of compromise to the energy grid, merits the administration’s increased scrutiny of supply-chain risks in this digital domain. Targeted, evidence-based decoupling from certain foreign suppliers in this space has the potential to reduce real national security risks.
