Two of the most consequential control system cyber events (attacks) in 2020 were supply chain attacks. The first event was the Chinese installing hardware backdoors in large electric transformers, an incident that prompted Presidential Executive Order (EO) 13920. The hardware backdoors are obvious control system threats. The second event was the Russian SolarWinds cyberattack. Even though SolarWinds is a significant threat to IT networks and the Cloud, it is also a control system threat, although less obvious than the hardware backdoors.
In the transformer case, the scope of the compromise remains unknown. There are more than 200 large Chinese-made electric transformers in the US bulk electric system, and it is unknown how many of these transformers have hardware backdoors installed. It is also unknown which, and how much, other Chinese-made equipment throughout the US (international) commercial and industrial infrastructure has Chinese hardware implants.
The industry response to the Executive Order missed the attack vector – the control systems. The Chinese attackers installed hardware implants, most likely prior to field installation of the transformers, to provide remote command and control capabilities. In this manner, “spoofed” sensor signals (there is no cyber security or authentication in existing process sensors) are completely trusted by the transformer equipment. This means the Chinese can effectively gain control of the transformers without any network forensics being the wiser. Consequently, the Executive Order stated: “The term bulk-power system electric equipment means items used in bulk-power system substations, control rooms, or power generating stations, including reactors, capacitors, substation transformers, current coupling capacitors, large generators, backup generators, substation voltage regulators (LTC), shunt capacitor equipment, automatic circuit reclosers, instrument transformers, coupling capacity voltage transformers, protective relaying, metering equipment, high voltage circuit breakers, generation turbines, industrial control systems, distributed control systems, and safety instrumented systems. Items not included in the preceding list and that have broader application of use beyond the bulk-power system are outside the scope of this order.”