American security experts have long worried about the threat of hackers targeting the U.S. critical infrastructure. American citizens have increasingly begun to see the real-world results, such as the Colonial Pipeline cyber attack, which forced Americans to stand in massive lines for dwindling fuel for days.

But what if foreign adversaries didn’t even need to use hackers to breach our network defenses to cause havoc? What if they were the ones who built the most critical parts of our infrastructure in the first place?

That’s the warning recently raised by a Texas resident in a complaint lodged with the Federal Energy Regulatory Commission (FERC), the nation’s federal agency that regulates the “bulk power system.”

According to the documents provided in the complaint, 300 large power transformers, the backbone of the electric grid, were imported into the United States from a Chinese company named JiangSu HuaPeng Transformer Co., Ltd. (JSHP). Copies of bills of lading indicate that at least 20 of these transformers passed through the Port of Houston, Texas, on the way to destinations all over the country. At least one of them, according to the manufacturer, remains in Houston.

Why is this a problem? At least two transformers from JSHP have already been discovered to contain hardware backdoors that could enable Chinese agents to maliciously remote-access and manipulate them. In the summer of 2018, the U.S. government seized a JSHP transformer in the Port of Houston and transported it to Sandia National Laboratories for a comprehensive examination.

“They found hardware that was put into that that had the ability for somebody in China to switch it off,” said Latham Saddler, the former director of intelligence programs at the National Security Council in the last administration.

Yet, despite some efforts of the federal government to address these supply chain vulnerabilities, U.S. utilities just keep importing Chinese transformers. JSHP’s website boasts that their transformers handle 20 percent of the electrical load for Las Vegas and 10 percent of the load for New York City.

But it’s not just JSHP and its transformers. The recent complaint also revealed that U.S. utilities are purchasing a whole host of grid “protection” and “monitoring” products from companies with direct links and even ownership ties to the Chinese Communist government. Chinese law obligates all Chinese corporations to provide assistance whenever the Communist regime’s intelligence agencies demand.

If the federal government isn’t working fast enough to address these vulnerabilities, maybe the Texas government can. On June 18, 2021, Governor Abbott signed into law the “Lone Star Infrastructure Protection Act,” co-authored by Texas state Senator Donna Campbell and State Representative Tan Parker. In a statement about the bill, Rep. Parker said that the legislation “sends a clear message that we will not allow hostile foreign actors to access these vital elements of our great state.”

The legislation appears to be forward-looking and prevents investments and contracts occurring after June 18, 2021, that might entangle the Texas grid with a foreign adversary. It specifically states:

“A business entity may not enter into an agreement relating to critical infrastructure in this state with a company:

  1. if, under the agreement, the company would be granted direct or remote access to or control of critical infrastructure in this state, excluding access specifically allowed by the business entity for product warranty and support purposes; and
  2. if the business entity knows that the company is:

(A) owned by or the majority of stock or other ownership interest of the company is held or controlled by:

  • individuals who are citizens of China, Iran, North Korea, Russia, or a designated country; or
  • a company or other entity, including a governmental entity, that is owned or controlled by citizens of or is directly controlled by the government of China, Iran, North Korea, Russia, or a designated country; or

(B) headquartered in China, Iran, North Korea, Russia, or a designated country.”

Based on the evidence brought forth in the recent complaint, it seems that future purchases of JSHP transformers by Texas-based utilities would be a violation of this Texas law.

But what if the Texas utilities choose to remain “unaware” that their vendors are a front for the Chinese government or its intelligence agencies? And what about the existing Chinese grid components already in Texas grid? It is unclear whether the Lone Star Protection Act could be a vehicle to remove Chinese-made transformers from the Texas grid or discipline the corporations that import them without performing due diligence.

What has become clear is that governments and corporations must thoroughly investigate the existing Chinese transformers and grid components and the companies selling them.

Experts recommend FERC schedule a technical conference and employ a special task force to find and vet these transformers and grid components, with an emphasis on determining whether these transformers supply electricity to nuclear power stations.

This emphasis on nuclear power stations is important because a loss of offsite power to a nuclear plant requires that it rely upon emergency diesel generators to power the systems that keep the reactor and its spent nuclear fuel safe. Those same experts point to a history of issues with these diesel generators and have stressed the need to prevent nuclear plants from losing offsite power in the first place.

However, the federal government has shown little interest in moving quickly to resolve the potential threat posed by the Chinese-made transformers and grid components that could be used to take down the grid.

It will be up to the state of Texas to take initiative on their own. State government agencies should immediately begin their own investigations, ideally starting with identifying potentially compromised components supporting offsite power to Texas’ two nuclear power plants.

The state should also put other critical infrastructure owners on notice about the threat of Chinese-made equipment. Joseph Weiss, an international authority on cybersecurity and control systems, recently warned that the same equipment identified in the grid transformers “can be used in many other critical infrastructures such as water/wastewater, pipelines, oil/gas, and manufacturing.”

Failure to act could leave the Lone Star state vulnerable to an even more disastrous blackout than the one suffered this winter: a blackout where the ability to turn the power back on no longer rests in the hands of Texans.

Finally, other states should follow Texas’ lead and pass similar infrastructure protection legislation.

Protecting the national electric grid from malicious manipulation by foreign actors is ultimately the responsibility of the federal government. While states other than Texas do not have the advantage of their own independently regulated electric grid, state governments should not be afraid to take prudent steps to secure their citizens from this foreseeable threat. And, they don’t have to wait for legislators to mandate it.

State public service commissioners, law enforcement, and national guard personnel can and should investigate whether their state is host to any of these Chinese transformers now.

This is a commentary published with the author’s permission. If you wish to submit a commentary to Texas Scorecard, please submit your article to submission@texasscorecard.com.

Tommy Waller

Tommy Waller is Director of Infrastructure Security at the Center for Security Policy. Tommy comes to the Center with more than 18 years an Infantry Officer and Expeditionary Ground Reconnaissance Officer in the Marine Corps and service spanning multiple deployments to Afghanistan, Iraq, Africa, and South America.

RELATED POSTS