Recently, President Donald Trump signed an executive order to protect the US electricity grid from cyber attacks by blocking power-equipment imports from "foreign adversaries." Presumably, that includes Russia, Iran, and -- most important of all -- China. There's only one problem with that: The vast majority of high-end electrical equipment is built outside of the US.
In specific, China is leading the way in advanced electrical grid technology. State Grid Corporation of China (SGCC), the world's largest power company, is building the first ultra-high-voltage DC (UHVDC) electrical lines, which can carry over a million volts. China is doing this in partnership with the Swiss-Swedish ABB Group. Are Switzerland and Sweden "foreign adversaries" too?
We don't know. While Trump declared this to be a national emergency, it's up to the Energy Secretary and other cabinet-level officials to decide what electric equipment that may fall under the ban. The global power companies are struggling to work out what Trump's executive order really means.
It's a real problem because, as Shuli Goodman, the LF Energy executive director, pointed out in an interview: "The US has lost almost all capacity to build large high-voltage equipment, like transformers. Our power grid is very dependent upon imports." LF Energy is an open-source electricity and power systems initiative. Its job is to build and maintain open-source commodity software for all electrical companies.
But, while we can't magically turn the US back into a manufacturing powerhouse, there is a way to make foreign electrical equipment safer. You see, Goodman, observed, "It is not entirely a hardware problem. We need to be looking at the attack surface and where the risk lies. It is the firmware embedded in those systems that is the problem."
Even when the equipment is assembled in the US, Jeff Pack, a senior product engineer and cybersecurity expert with POWER Engineers, observed: "Each component will have something, whether it be memory chips, boards, or processing chips, that are manufactured in foreign lands."
With today's global supply chain based manufacturing, it's hard to "buy American." Therefore, Goodman thinks we should look to open-sourcing the equipment's firmware and software:
"A more targeted and long-term solution would be to open-source the entire stack. In essence, this means outlawing black boxes on the grid whether at high-medium-or low voltage. And, because any device attached to the grid can be a security vulnerability, we need to create a path towards complete transparency. A wiser course would be to recognize that any hardware with embedded, proprietary software (sic that cannot be accessed or reviewed) is the real threat to the grid."
This is also a long-term solution since, as Goodman observed, "Whether the hardware is made in those countries that we today deem adversaries is irrelevant. Big equipment investments are made with 50-year windows -- today's friends can be tomorrow's foes. A malevolent actor can access and attack the black boxes of all OEMs -- regardless of whether they are a nation-state or a major energy company. We want to future-proof the grid. The only way to do that is through open source, in an open community, with open governance, and complete transparency."
Some believe that we could protect our power grid by mandating the use of "retro"-- that is analog or manual-- technologies on US power grids. While the Securing Energy Infrastructure Act (SEIA) has ordered a trial of this method, this back-to-the-past approach is unlikely to prove any kind of long-term answer.
Goodman concluded: "Given the heightened tensions between the US, Russia, and China, limiting any black-box technology from any vendor makes more sense. If a malevolent actor wants to exploit vulnerabilities, all black boxes threaten the grid, no matter the voltage level."
Since US companies aren't going to be building new high-end electrical grid equipment anytime soon, going open-source is really the only way forward. For true security, you need to know exactly what's running inside your equipment and that means open-source software.