DOE must address risks, vulnerabilities in critical electric infrastructure sector with mandatory standards

critical electric sector

A public interest researcher has asked the Department of Energy (DOE) to ensure that mandatory measures address the risks and vulnerabilities in the critical electric infrastructure sector. 

The DOE must ensure that mandatory standards address the risks and vulnerabilities presented by the import and installation of equipment or systems originating from adversaries of the U.S., including People’s Republic of China, Michael Mabee, who conducts investigations on the security of the critical electric infrastructure sector, said. These standards must apply to the entire critical electric infrastructure, including generation, transmission, and distribution.

Citing that the U.S. does not have time to rely on voluntary regulation, studies and kicking the grid security, which can be put off for another day, as the adversaries will in the meanwhile continue “to exploit our supply chain vulnerabilities while we continue to help them do so by failing to secure our critical electric infrastructure supply chains.”

The demand comes in the wake of the import and installation of equipment or systems originating from adversaries of the U.S., including China. Mabee also proposed that a new supply chain Executive Order and a replacement DOE Prohibition Order would be the fastest and surest way to accomplish this. He also wants these standards to apply across the entire critical electric infrastructure, including generation, transmission, and distribution.

Apart from importing transformers from China, Mabee also disclosed that the U.S. critical electric infrastructure sector may also be employing grid monitoring systems from vendors that are said to have direct ties with China.

Mabee revealed last month that the presence of Chinese transformer threats has now been confirmed by the administrations of two U.S. Presidents – Donald Trump and Joe Biden. He also has filed in August a complaint with the Federal Energy Regulatory Commission (FERC) that called for the issuance of an appropriate order to the Electric Reliability Organization (ERO) to strengthen the security of the bulk power systems.

In his latest disclosure, the U.S. critical electric infrastructure sector may also be employing grid monitoring systems from vendors that are said to have direct ties with China, Mabee disclosed. 

He also disclosed that behind many of the U.S. imports of Chinese-manufactured transformers, other equipment and components are from a company called Doubletree Systems. This company represents several other Chinese companies that sell transformers and other equipment imported for use within the U.S. critical electric infrastructure. In addition, Doubletree sells grid security and monitoring systems and works with the Electric Power Research Institute (EPRI) on grid security issues. The EPRI is an independent, nonprofit organization that conducts research, development, and demonstration projects for the benefit of the public in the U.S. and internationally. 

There is also evidence that the Chinese government has ownership and/or control interest in Doubletree Systems, according to Mabee. 

Apart from importing and marketing Chinese-manufactured transformers and other equipment into the U.S., Doubletree Systems also sells a variety of grid protection and monitoring products, he added.

Mabee also provided evidence that Doubletree held itself out ‘as collaborating with EPRI to help the industry comply with NERC’s Critical Infrastructure Protection (CIP) Standards through Doubletree’s Substation Network Sentinel (SNS) product.’ In other words, an entity owned or controlled by the People’s Republic of China – which is hacking the U.S. energy sector – is also helping the U.S. electric grid ‘to comply with NERC CIPs,’ he added. 

“It is of great concern that the People’s Republic of China (and its controlling Chinese Communist Party) is marketing equipment or systems to the same U.S. critical infrastructures that multiple U.S. government agencies have confirmed – for years – are the target of China’s past and present cyberespionage, probing, and cyberattacks,” Mabee said. “This raises security concerns. But there are no U.S. government requirements or mandatory reliability standards that such equipment or systems be checked,” he pointed out.

In addition to large transformers, Mabee revealed that official U.S. import data shows that the U.S. is also importing other critical equipment such as inverters and electricity meters from China. The U.S. has imported 171,288,538 inverters from China between 2002 and October 2021 and imported 3,217,154 electricity meters from China for the same period. This data shows that “our entire critical electric infrastructure from generation all the way down to the meters on homes and businesses – and everything in between – may be easily compromised or is already compromised by adversaries,” he added.

Another cybersecurity expert, Joe Weiss said that “backdoors have been found bypassing all cyber security protections that can cause grid equipment damage and wide spread grid disturbances.” 

Weiss also added that securing the electric grid will require a combination of many different approaches including making the economics of buying American-made products more affordable, or making Chinese-made products less affordable, and eliminating the use of known Chinese-front companies providing grid equipment and services. He also called for addressing networking and engineering issues, changing the scope of the NERC CIP to focus on the reliability and cyber security of the grid, not just routable networks, monitoring the process sensors off-line and in real-time, and having engineering participation.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Webinar: State of Zero Trust in the Industrial Enterprise

Register: April 10, 2024, at 8am PDT | 11am CDT | 5pm CEST

Related