Ridge Global Report: Foreign-Controlled Equipment Creates Opportunity for Governments, Hackers to Disrupt Electricity Grid
WASHINGTON, D.C., Nov. 1, 2018 — Potentially crippling power outages could be caused by foreign agents gaining access to the U.S. electricity grid by exploiting known equipment vulnerabilities, according to a report released today by Ridge Global, an international risk assessment and management firm based in Washington, D.C.
The report focuses on one key component of the supply chain, inverters used in the solar industry, because of their widespread current use and the significant projected growth of solar-generated electricity. The report was produced by Ridge Global for Protect Our Power, an independent, non-partisan, not-for-profit organization established to help strengthen the nation’s electric infrastructure against potential attacks.
“Recognizing that the integrity of the supply chain plays a key role in the ultimate integrity of the electric grid, and that the majority of power inverters are produced by foreign manufacturers, it is prudent to examine inverters from foreign companies with close ties to, or controlled by, their government because those inverters create a pathway directly into the grid,” said Tom Ridge, former Governor of Pennsylvania and the first U.S. Secretary of Homeland Security.
“Because the potential for nation-state actors to tamper with inverters exists during manufacturing, in transit, or after installation, we need to continue to closely monitor those products penetrating the U.S. photovoltaic market by overseas manufacturers, particularly those that are state-owned and controlled,” Ridge said. “We have addressed this issue with regard to our telecommunications network. We must now broaden our scrutiny of what equipment is allowed in our electric utility grid, assess the risk and, if necessary, ban the use of equipment made by certain companies.”
Richard Mroz, former president of the New Jersey Board of Public Utilities and a senior advisor for state and government relations for Protect Our Power, said inverters provide a prime illustration of the need to address utility industry supply chain issues, including the need for manufacturing and cyber-security standards.
“In my state and national roles as a utility commissioner, I have been highlighting the need for manufacturing standards for devices being integrated into the evolving grid – the development of a standard ‘seal of approval’ – and this report clearly reinforces that need,” Mroz said. “We need to have confidence in the integrity of the supply chain, and we need to know that devices that interface with the grid do not create a portal for a cyber-attack.”
Key points from the report include:
- The report notes that there are numerous reported cases of foreign-owned companies surreptitiously installing malware, viruses, trojans and many other bugs to monitor, manipulate, control or create a backdoor in software and devices.
- The U.S. National Counterintelligence and Security Center has assessed that supply chain infiltration has already threatened the U.S. critical infrastructure sector and could threaten other sectors as well.
- The supply chain for critical electric and electric grid components, including inverters, is global and contains numerous opportunities for threat actors to tamper with equipment during manufacture, in transit, or after installation.
- Only minimal manufacturing and cyber-security standards exist for many critical electric grid components.
- The criticality of inverters to grid stability was demonstrated during recent California wildfires, where inverters automatically shut down approximately 900 megawatts of solar power generation.
- A hacker or cyber-attacker could potentially access thousands of web-connected inverters and significantly alter the flow of power from them to the grid; in a worst-case scenario, this could cause large, sudden spikes or dips in electricity supply, disrupting a local, state or national grid’s balance and potentially causing a widespread power outage.
Major recommendations from the report include:
- The U.S. should closely monitor those products penetrating the U.S. photovoltaic market by foreign-owned manufacturers, and expand an existing Congressional investigation focused on Chinese manufacturers.
- Federal, State, and private sector entities should work together in creating compliance requirements and best practices for photovoltaic systems, including minimum physical and cyber-security measures and a supply chain security program.
- The U.S. photovoltaic industry should adopt a supply chain certification program to protect PV components and inverters from manufacturer to installation.
- Public and private investments need to increase to modernize and secure the U.S. electric grid, including secure photovoltaic technologies, to a level commensurate with existing threats.
- DHS should lead immediate development of a cross-sector program to provide real-time visibility into cyber-security incidents that threaten critical U.S. infrastructure in order to protect against cascading impacts.
The full report can be found here.
Steve Aaron, Ridge Global,