In May, the Trump administration seized a 250-ton, $3 million Chinese high-voltage transformer that was on its way to Colorado. It was taken to Sandia National Labs in New Mexico for reasons unknown. What happened to it still remains a mystery.
On May 1, the Trump Administration issued a surprise Executive Order (EO), “Securing the United States Bulk Power System.” The directive aims to keep critical equipment supplied by foreign adversaries out of the nation’s power grid due to supposed supply chain security threats. It requires the Secretary of Energy to work with other agencies in identifying the specific equipment from adversarial suppliers, particularly Chinese suppliers, that the government should bar from the bulk-power system.
The Department of Energy (DOE) has to issue relevant rules on the matter within 150 days, or by September 28. Shortly after the EO’s release came the surprising revelation that a federally owned utility managed by DOE, the Western Area Power Administration (WAPA), hijacked a nearly $3 million Chinese-manufactured transformer initially intended for one of its substations in Colorado. WAPA instead diverted it to one of DOE’s national laboratories, Sandia National Labs, in New Mexico.
The manufacturer of the high-voltage 500,000-pound transformer was Chinese company JiangSu HuaPeng Transformer Co., Ltd., or JSHP, which shipped the transformer from Shanghai to the Port of Houston in August 2019.JSHP’s North American representative Jim Cai told Motherboard his company planned to spend a couple of hundred thousand dollars to transport the high-grade steel using a particular kind of railroad car to WAPA’s Ault substation in Colorado, where JSHP would then install it. Like all electric substations, the Ault facility’s main purpose is to “step down” high-voltage electricity, typically above 1,000 volts, to lower, more manageable levels that can be distributed safely to homes and businesses.
Before the ship docked in Texas, WAPA told JSHP to cancel its plans to transport and install the transformer and to forget about selling a warranty on the equipment, which is almost always mandatory for highly specialized, expensive electrical system equipment. The utility then transported the transformer itself to Sandia. Since then, WAPA and DOE have been silent on this odd development, which has sparked confusion and concerns among utilities and industrial control system (ICS) security specialists.
Motherboard has spent the past two months delving into possible reasons why WAPA hijacked its own transformer and why DOE—and practically everybody else—isn’t talking about it. We also investigated whether DOE asked another company to build a replacement transformer for the Ault substation. Here’s what we discovered regarding what industrial control security specialist Dale Peterson has dubbed “transformergate.”
Did DOE Suspect the JSHP Transformer Contained Hidden, Destructive Backdoor Weapons?
One industrial control security expert published a controversial piece in May that said the discovery of a hidden backdoor capable of causing a catastrophic-level event in a high-voltage transformer supplied by a Chinese company is what spurred the EO. Although most ICS specialists ignored this unverified assertion, some prominent ICS security experts were outraged when it surfaced in news reports connected to the missing transformer. They saw undocumented fear-mongering and sensationalism by an unreliable source, which often occurs when it comes to alleged threats to the electric grid.
In early July, Robert M. Lee, founder and CEO of top ICS security consulting firm Dragos, and an adviser to DOE, issued a 20-page paper along with colleagues from the information security training organization SANS Institute dismantling the validity of the backdoor claims. He assigned them a credibility score of zero because the individual making those claims offers no substantiating information to back them up, nor is he in any position to have first-hand knowledge of them.
Moreover, no one has produced any evidence to back up those kinds of claims, the paper’s authors report. “The position of the SANS ICS team is that currently there is not enough information provided to validate the claims nor is there actionable steps to take for defenders who may wish to address the claims regardless of credibility or accuracy.”
JSHP’s Cai denies the presence of a backdoor in his company’s equipment but says he believes that DOE suspects China of booby-trapping its power grid gear. Cai points to early 2019 press reports in which DOE officials talk about the risks of Chinese equipment in electric facilities.
The Trump administration has launched a number of actions to bar Chinese technology in the U.S. communications infrastructure, including an executive order primarily aimed at telecom tech giant Huawei. In May, the Commerce Department made it difficult for Huawei to acquire U.S.-made semiconductors. In June, the Federal Communications Commission designated Huawei and its peer ZTE as supply chain threats and ordered the mostly rural telcos to replace that kit as soon as possible. Finally, the administration’s latest Chinese target is video app TikTok, which has presumably calmed supply chain fears by working out a “trusted tech” partnership of sorts with Silicon Valley giant Oracle.
Based on phone calls Cai says he received in early 2019 from industry analysts and consultants, he thinks that DOE suspects one of his company’s transformers installed at the Bayonne (NJ) Energy Center, a generating facility now owned by Scottish company Ethos Energy, was responsible for the so-called “blue sky” incident in New York in late-December 2018. In that widely reported “arcing” incident, an explosion at ConEd’s Astoria substation caused the New York skyline to shine bright blue for a brief period.
Although the technical details are intricate, utility engineers say that it’s virtually impossible for a generating plant’s transformer, in this case the high-voltage transformer supplied by JSHP in Bayonne, to cause a downstream incident in a substation transformer receiving electricity, such as the device in Astoria.
The only way that could happen, according to Richard Shiflett, electrical engineer and senior security consultant at ICS consulting firm Archer Security, is for the Bayonne transformer to send an abnormal surge of electricity to Astoria, and even then, the odds are vanishingly small anything would happen. “It’s unlikely that voltage going up or down by virtue of that output would cause this kind of event,” he told Motherboard. “There would have to be other kinds of contributing factors with that tap change to result in a phase-to-phase or phase-to-ground fault [that occurred in the Blue Sky] incident.”
Patrick Miller, head of Archer Security and founder of energy industry consortium EnergySec, is blunter. “The requirements to get a transformer to do that are insanely challenging from a physics perspective. It’s profoundly improbable. Especially when there are so many other ways to get a much higher reach for an attack. It doesn’t fit China’s mentality. They’re not a full-frontal attack kind of country.”
ConEd, which never publicly explained the blue-sky incident, sent Motherboard a statement saying, “on December 27, 2018, an electrical fault on a section of 138-kV equipment in an Astoria substation caused a transmission disturbance. The equipment that malfunctioned was associated with voltage monitoring within the substation. We have concluded our review and are not aware of any further investigation into the matter.”
Is DOE Reverse-Engineering the Transformer?
The U.S. once was the chief supplier of high-voltage electrical transformers, but today few, if any, high-voltage transformers are made by American companies on U.S. soil. One theory is that DOE transported the JSHP transformer to Sandia to break it down and reverse engineer it. The goal of this breakdown would be to help the U.S. decipher manufacturing methods that may help the country take back some market share.
Most experts say that’s not the style of U.S. industrial efforts, even as China routinely engages in reverse engineering for economic espionage purposes. Joe Slowik, Principal Adversary Hunter at Dragos, wrote in a paper regarding why DOE hijacked its transformer, “one item that can likely be ruled out, despite the evisceration of the US transformer manufacturing market, is potential economic espionage. While occasional stories emerge of US government resources used to conduct economic espionage, the sourcing is poor and typically when taking place such operations are directly related to national security items and not for the benefit of private companies.”
“We absolutely do not do that,” Bryson Bort, CEO of industrial security firm Scythe and co-founder of the hacking conference DEF CON’s ICS Village, told Motherboard. “This is kind of what makes us different from [China]. The U.S. government does not do corporate espionage, which is essentially what the accusation is here.”
Did DOE Want the Chinese Equipment for an Experimental Transformer Program?
One theory floated by JSHP’s Jim Cai is that DOE might have needed the transformer to boost its hybrid transformer development program currently underway at Sandia Labs. That program seeks to merge transformer technologies to improve performance and reliability.
Most energy experts say that’s not possible. “The thing about transformers is that most of the time they’re custom-built,” Archer’s Miller says. “They’re not like Legos where you can just pop them in, and they’ll work. They’re a custom-made object. Otherwise, we could just go down to Home Depot and go and buy a transformer.”
Where Did WAPA Find a Replacement Transformer?
Whatever may have happened to the JSHP transformer after it arrived in the U.S., WAPA initially and ostensibly ordered it because it needed the equipment to help run its Ault substation in Colorado. According to public documents related to the DOE-JSHP contract, the utility ordered the transformer on September 26, 2017, 15 months before the Blue Sky incident and far ahead of when the Trump administration’s concerns over China’s supply chain threats reached their apex in the 2020 Executive Order.
According to publicly available documents, about a month after WAPA transported the JSHP transformer to Sandia, the utility issued a $6.1 million sole-source contract to an 8-A firm in the San Antonio, TX area called Taurean General Services. That contract, dated September 25, 2019, required delivery of a transformer for the Ault substation, along with a transformer for another WAPA facility called North Cody and equipment called a shunt reactor for WAPA’s Badwater facility. The location of this contract performance in public records is listed as “Croatia.”
Jeff Jaime, the CEO, and Founder of Taurean, who is a former Air Force IT security specialist who primarily fulfills orders for the military, told Motherboard his job was simply to find the transformers and shunt reactor for WAPA. He’s not aware of any of the background related to the JSHP contract. “In a high level, we receive general requirements, and we find manufacturers of the products that the government is looking for with very specific technical specs,” he says.
When asked whether he purchased the transformers and shunt reactor from a manufacturer in Croatia, he said he would have to get WAPA’s permission to tell Motherboard. When informed that “Croatia” is written on documents in the public record, he said, “if it’s public record, you don’t have to ask me.”
Representatives of KonKar, the only manufacturer in Croatia capable of producing a high-voltage transformer, did not respond to requests for comment.
How Can DOE Keep the Whereabouts and Status of a 250-Ton Transformer Secret?
Motherboard has asked WAPA in various forms about the fate of the JSHP transformer and its possible replacement. WAPA CEO Mark Gabriel repeatedly told Motherboard in an interview that the information is “critical electric infrastructure information” or CEII. Effective as of May 30, 2020, CEII is a new designation for the DOE that exempts the department from making public information that, among other things, could be useful to someone planning an attack on critical infrastructure.
Although the Federal Energy Regulatory Commission (FERC), which, unlike DOE, is an independent regulatory agency, has long had CEII rules in place related to the bulk power grid, DOE’s CEII rules are currently being challenged in the courts by a coalition of public interest groups as being illegal and overly broad. The alliance challenging DOE’s rules includes the Union of Concerned Scientists, Public Citizen’s Energy Program, and Earthjustice. These critics say that DOE exceeds its statutory authority in a way that could allow it to designate almost any piece of information submitted to the Department as CEII.
The DOE’s challengers argue that there is a legitimate role for CEII designations in order to protect the U.S. electric grid. And they also stress that they are unfamiliar with the situation involving the Ault transformer. Still, they argue that DOE’s job is to follow FERC’s blueprints, which they believe are less political and better balanced when it comes to weighing critical infrastructure protection against the public’s right to know. “What DOE is supposed to be doing is following the regulations that FERC has established,” Cassandra McCrae, an associate attorney at environmental law non-profit organization Earthjustice, tells Motherboard.
Kim Smaczniak, Managing Attorney of the Clean Energy Program at Earthjustice, says, “FERC is very cognizant that there are important public uses for information. There are legitimate concerns about DOE under its rules that it is unlawfully setting forth here, whether it’s going to take the same kind of approach that FERC has.”
Even if too restrictive from a public interest perspective, the DOE’s CEII rules fit right in with the culture of the electric utility industry, which has long been press-shy about technical information. Many if not most utility engineers are required to sign NDAs.
Virtually no representative of a utility or DOE we contacted for this story would talk on the record, despite repeated requests. Ethos Energy, which owns the Bayonne facility, also did not respond to a request for comment. ICS security firm Dragos declined comment.
DOE’s silence on the fate of the transformer and its unexplained diversion to Sandia Labs has left the U.S. power industry puzzled, opening the door for a lot of theories but no answers. As of today, for all but a handful of people at DOE who presumably know what’s going on, the JSHP transformer is still missing in action.