FERC and NERC have published a joint white paper sharing techniques that utilities can use to identify the manufacturers of equipment used in their computer networks, a response to concerns that systems could be vulnerable to cyberattacks by foreign intelligence services.
The paper focused on network interface controllers (NICs), components found in every computer with Internet access that control the connection to an Ethernet or wireless network. NICs in older computers are often found on expansion cards, but modern NICs may be built directly into a device’s motherboard.
FERC and NERC cited research demonstrating “numerous avenues” by which hackers can use NICs to compromise electronic systems. More important, however, was the prominence of devices made by the Chinese companies Huawei and ZTE, which together with their subsidiaries account for more than half of the global supply of NICs.
The two companies and other Chinese hardware makers are alleged to cooperate with China’s security services.
The white paper cited a report by the Defense Innovation Board that said “evidence of backdoors or security vulnerabilities have been discovered in a variety of devices globally” and that many of them “seem to be related to requirements from the Chinese intelligence community pressuring companies to exfiltrate information.” NICs are particularly worrying because they are so ubiquitous and because a buyer may not be able to tell at a glance that a piece of equipment contains hardware from a company under suspicion.
“If these obscurely labeled (or even unlabeled) components exist in an electric utility’s infrastructure, the same risks exist as if the hardware bore the logo of Huawei, ZTE or one of their well-known subsidiaries,” the report said.
Huawei, ZTE Are Longstanding Issues
The presence of hardware from Huawei and ZTE in the bulk power system is not a new topic. Sen. Angus King (I-Maine) asked NERC CEO Jim Robb last year whether he knew if any U.S. utilities had the companies’ equipment in their systems, with Robb admitting he was not sure. (See Senators Call for Urgency on Energy Cybersecurity.)
Since then the government has toughened its stance toward foreign hardware manufacturers, with President Trump earlier this year declaring a national emergency aimed at restricting the purchase of BPS equipment from suppliers suspected of connections with hostile governments. (See Trump Declares BPS Supply Chain Emergency.) NERC and the Department of Energy followed up on the emergency declaration in July: DOE filed a request for information asking utilities how they identify and mitigate supply chain vulnerabilities, while NERC issued a Level 2 alert demanding data on transformer control and protection systems. (See NERC Issues Level 2 Supply Chain Alert.)
The guidance from NERC and FERC is intended to help utilities investigate the hardware on their systems to find possible vulnerabilities, a task that some have complained about following NERC and DOE’s orders this year.
“It’s one thing for us to recognize and figure out who we bought from. … We probably have those records going back 10 years,” Mike Kormos, senior vice president of transmission and compliance at Exelon, said at the National Association of Regulatory Utility Commissioners’ Summer Policy Summit in July. “But … [we] might have bought a transformer from one vendor, [and] who that vendor was using for subcomponents in that is something we don’t have, quite frankly.” (See Industry Seeks Clarity on Supply Chain Orders.)
Noninvasive Techniques Recommended
The white paper described several techniques for identifying NIC manufacturers from the equipment’s Media Access Control (MAC) address. This noninvasive technique does not require physical inspection of the hardware and therefore is less time-consuming and carries a lower risk of damaging important equipment or voiding its warranty.
The advantage of using a MAC address is that every piece of hardware in a system — including subcomponents like NICs — must have a unique MAC address, part of which is a string of characters identifying its manufacturer. Every hardware manufacturer is required to use one of a limited set of such strings. For instance, a MAC address beginning with “FC:E3:3C” always identifies a Huawei device.
Though this approach is useful, it is not foolproof: MAC addresses can be changed manually, conceivably allowing devices to obscure their manufacturers. NERC and FERC also warn that even noninvasive techniques run the risk of interfering with devices’ normal operation.
“Before implementing any approach detailed here, caution dictates complete testing in a non-production network to minimize or eliminate operational impacts,” the report said. “If a vendor of concern is identified, it does not confirm there is malicious activity in the network. Actions should be taken to determine if the device or component exhibits malicious activity.”
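The prefix check described above, as an added Python example that is not taken from the white paper: it normalizes common MAC notations, compares the first three octets against a watchlist holding only the “FC:E3:3C” prefix quoted in this article, and separately flags locally administered addresses, which carry no manufacturer prefix. The host names, sample addresses and function names are constructed for illustration, and how the addresses are collected from the network is outside its scope.

```python
import re

# Watchlist of manufacturer prefixes (first three octets of the MAC).
# Only the prefix quoted in the article is listed; a fuller list is an
# assumption left to the reader and would come from the IEEE registry.
WATCHLIST = {"FC:E3:3C": "Huawei"}

def normalize(mac):
    """Return the MAC as 'AA:BB:CC:DD:EE:FF', or None if it is not 48 bits of hex."""
    digits = re.sub(r"[.:\-\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(mac):
    """Return 'invalid', 'group', 'locally-administered',
    'watchlist:<vendor>' or 'unlisted' for one address."""
    norm = normalize(mac)
    if norm is None:
        return "invalid"
    first_octet = int(norm[:2], 16)
    if first_octet & 0x01:
        return "group"                  # multicast/broadcast, not a device address
    if first_octet & 0x02:
        # Assigned in software, so the prefix says nothing about the maker.
        # This catches only overrides that set this bit; a changed address
        # that copies another vendor's prefix is not detectable here.
        return "locally-administered"
    vendor = WATCHLIST.get(norm[:8])
    return f"watchlist:{vendor}" if vendor else "unlisted"

def review(inventory):
    """Map hostname -> classification for a {hostname: mac} inventory."""
    return {host: classify(mac) for host, mac in inventory.items()}

# Constructed sample inventory in the notations different tools emit.
SAMPLE = {
    "relay-gw-01": "fc:e3:3c:12:34:56",
    "hmi-02": "FC-E3-3C-AA-BB-CC",
    "rtu-07": "fce3.3c00.0001",
    "eng-laptop": "02:11:22:33:44:55",
    "historian": "00:11:22:33:44:55",
    "bad-entry": "fc:e3:3c:12:34",
}

if __name__ == "__main__":
    for host, verdict in review(SAMPLE).items():
        print(f"{host:12} {SAMPLE[host]:20} {verdict}")
```

A "watchlist" result identifies only the registered prefix; as the report notes, it does not confirm malicious activity.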