back to article National Grid latest UK org to zap Chinese kit from critical infrastructure

The National Grid is reportedly the latest organization in the UK to begin pulling China-manufactured equipment from its network over cybersecurity fears. The contract with the UK subsidiary of China's state-owned Nari Technology, NR Electric UK, was terminated after seeking advice from the National Cyber Security Centre (NCSC …

  1. Mike 137 Silver badge

    the latest organization in the UK to begin pulling China-manufactured equipment from its network

    Since, regardless of brand, almost all the kit is built in China anyway, this could be a hard nut to crack (unless of course it's primarily a matter of policial posturing).

    1. Paul Crawford Silver badge

      Re: the latest organization in the UK to begin pulling China-manufactured equipment from its network

      While backdoored hardware is quite possible, the real risk is when software is crap (sadly VERY common) and/or the company behind it can be compelled to push out special version upgrades on the gov behalf.

      True, that applies to a significant degree in the west as well, but democracies have more checks & balances than an increasingly autocratic China (or Russia, etc, but most of them lack the impressive manufacturing capacity China has).

      1. Anonymous Coward
        Anonymous Coward

        Re: the latest organization in the UK to begin pulling China-manufactured equipment from its network

        Not mentioning backdoors-catrgorised-as-vulnerabilities-vulnerabilities purposefully included in software upgrades (the Hua-way-of-doing-things).

  2. Tom Chiverton 1

    "Tests had been carried out by engineers to scrutinize security standards of the network but these had yielded no issues"

    What does this mean ? That they have not actually run any tests so can't say ? Or they've done some but there are no security issues ?

  3. cyberdemon Silver badge
    Trollface

    Oh dear

    No more battery storage systems then

    Smart meters? Better get rid of those too

    1. wimton@yahoo.com

      Re: Oh dear

      The smart meters in the UK are manufactured in Europe (Greece in case of the L+G electricity meters and Manchester for the L+G gas meters)

      All smart meters in the UK are certified by NCSC for security

      1. Anonymous Coward
        Anonymous Coward

        Re: Oh dear

        Final assembly, sure. I am not convinced the electronics will have been made by anyone but the very lowest bidder

        I'm employed in the sector and getting a smart meter is one of the very last things on my priority list.

  4. Andy The Hat Silver badge

    Interesting to see when Councils have to pull chinese kit out of their systems ... given that at least one has just completed a massive upgrade using Huawei kit ...

    1. hoola Silver badge

      Not any time soon as they have no money. Network kit in councils will often be old simply because of budget and that in reality, whitherever the brand, it tends to just keep running.

      The same in education. And the reason why Huawei (or similar) got put in the in the first place? Cost.

      When you have no budget, something is working and still supported (in the loosest sense) then ripping out kit is difficult, particularly when the options being forced for the replacement are twice as expense or worse.

      If National Grid is simply replacing stuff as part of a normal cycle then costs aside, there is nothing wrong with changing to a different vendor.

      1. Andy The Hat Silver badge

        money isn't a consideration here - perceived security implications in public services are. If the Government says jump, the councils will have to jump. The question I posed is whether the Government will give that instruction or decide that all council data is "secure enough" and let them keep the hardware?

        1. Alan Brown Silver badge

          "If the Government says jump, the councils will have to jump"

          More likely "how much are you paying us to remove and dispose of perfectly functional equipment?"

  5. HuBo
    Holmes

    特洛伊木马

    It's for the best (IMHO)!

    1. Jan 0 Silver badge

      Re: 特洛伊木马

      ට්රෝජන් අශ්වයා?

      සමහර විට අශ්ව බෝල්ක් පමණක්ද?

      1. HuBo
        Pint

        Re: 特洛伊木马

        Ṣọra fun awọn alejo ti o ni awọn ẹbun jia ibaraẹnisọrọ, ati awọn ẹṣin!

        1. Munehaus

          Re: 特洛伊木马

          Ghay'cha!

  6. Anonymous Coward
    Anonymous Coward

    Biggest issue I see

    Is not that this kit is a security risk, but that it may be so as it is supplied by a country that is actively probing for and exploiting security weaknesses all over the globe.

    1. Dr Fidget

      Re: Biggest issue I see

      USA?

      1. Mr Sceptical
        Black Helicopters

        did someone say Eternal blue?

        Not me obviously, must be that dodgy guy in the shades and overcoat with the earpiece...

        Saying that, China have shown repeatedly they're no friends of ours, more frenemies and once we've served our purpose will be absorbed into the Borg run by Pooh.

  7. cyberdemon Silver badge
    Devil

    Interesting stock image to pick for the article.. Is that what happens when all the EV chargers get their special OTA-update from China?

    1. tip pc Silver badge
      Facepalm

      this is what happens when the grid has had its readybrek.

      for the youth

      https://youtu.be/QoiYfsKgVG8?feature=shared

      for the oldies

      https://youtu.be/LfRvrHixpMc?feature=shared

  8. Anonymous Coward
    Anonymous Coward

    In Huawei's case, the decision to remove its kit was made largely out of fears that Beijing can legally compel companies to share data with it, which could in theory include data collected from operations in other countries.

    Of course those companies are perfectly happy to sell the data to anyone at all for peanuts.

    Our main protection being that there is probably some bureaucratic Chinese law that that stops them from buying spy data from off-shore suppliers without a special permit they can't get.

  9. markrand

    When managing a business or a national grid, doesn't every organization use their own WAN, or, at least, VPNs to effect communication between sites?

    So What was the problem. Stupidity or politics???

    1. Lee D Silver badge

      Short answer:

      No.

      That's exactly how Iranian nuclear refineries were compromised.

      Remember Stuxnet?

      You would expect even verified code, code-signing and whitelisting, etc. in such an industry. It simply doesn't happen.

      They buy cheap junk off-the-shelf, slap it on the Internet, open all the ports (because "that's what the instructions said") and then are surprised when they are compromised.

      There's probably more airgapping on my home network than there is in the national grid.

      1. Anonymous Coward
        Anonymous Coward

        While what you say is true of incompetents, I think you unfairly underestimate what is done in this space.

        After all, if it was wide open, the list of successful attacks would have been a whole lot more extensive than it is.

        1. Lee D Silver badge

          You mean like at least 14 major hacks within the last 10-15 years?

          https://www.dpstele.com/blog/major-scada-hacks.php

          1. Anonymous Coward
            Anonymous Coward

            The article is about NG. How many major hacks have made the news there?

            I'm not disputing systems of this nature are targetted. Not least of which was Black Energy in Ukraine.

      2. Stuart Castle Silver badge

        IIRC, securing some of the hardware (after stuxnet) was made more difficult due to the fact it was designed using hard coded passwords. And TBH, if you are going to hardcode passwords, you might as well just remove the requirement for a password.

        I think the problem is that a lot of the hardware/software in use is designed with the idea it will never be connected to any outside network, with any support being done on site.. Then someone works out it costs more to send engineers to customer sites, so someone connects all the machinery that should be on a secure network to the Internet. A problem that can be somewhat mitigated with a properly configured firewall, but the companies cheap out, and pay the minimum possible.

        1. hoola Silver badge

          And the vendors push "phone home" support for everything. It is not just an issue at the user.

        2. wimton@yahoo.com
          FAIL

          These aspects must be part of the selection criteria: if your product has hard coded password, or does not accept our firewall policies when calling home, we do not buy it.

    2. Anonymous Coward
      Anonymous Coward

      It's embedded technology that's the issue. If they have a 5G connection which isn't obvious to the end user, then there is a way to get in. Even a simple radio connection between the units and the outside world would be enough to allow control. Then you have the issue of any nefarious code within the device which is set to operate equipment in the future and then brick the device to slow down repair and return to service. The comms will be secure between sites and control centres, but that doesn't stop the other simpler attacks.

      1. Stuart Castle Silver badge

        5g connections are easy (if potentially costly) to disable in a server room. Just bung the entire room into a Faraday cage. Not so easy with hardware in the wild though. Hell, unless there is some sign on the device (maybe a menu option or logo), it may not be obvious that there *is* a 5g connection on the device. After all, unless you know what you are looking for, one chip looks like another..

  10. titchy

    Chinese control of our grid connected solar inverters

    They will hardly close a hole in their exposure by removing Chinese kit when many of the most popular brands of solar inverter being installed in the UK operate by connecting to Chinese manufacturers cloud systems. They can still mess with our grid by adjusting power settings on the edges of the grid.

    Thousands of inverters all adjusting frequency or voltage at the same time will have a big impact on the whole grid. To top that off these cloud systems have details of location, and I am sure the national grid layout is available so taking down a section is as easy as adjusting systems in specific locations and hey presto overloaded critical interchange, bye bye power in targeted area.

    1. Anonymous Coward
      Anonymous Coward

      Re: Chinese control of our grid connected solar inverters

      So clouds can interrupt solar power generation. Who'd have thought.

    2. Andy The Hat Silver badge

      Re: Chinese control of our grid connected solar inverters

      Wow - changing frequency or voltage on a few kW inverter trying to drive against the multiple MW national grid. That would be an experiment I would not wish to be close to as I know who would come off worst!

      1. hoola Silver badge

        Re: Chinese control of our grid connected solar inverters

        However the damage and disruption could be significant. It is not about compromising the grid. If inverters, batteries and so start catching fire or even just failing, it is going to cause issue.

        You could very quickly overload emergency services.

      2. Anonymous Coward
        Anonymous Coward

        Re: Chinese control of our grid connected solar inverters

        It's not going up against the whole Grid, just the last transformer or other power conversion. Inject AC in antiphase to the grid and you could limit the amount of power being drawn or increase heat losses.

        In a larger-scale 3-phase power set-up, even just being able to reduce the effectiveness of a single phase could be a useful attack.

        3-phase equipment may not have a neutral line, and that imbalance has to go somewhere- and that's back through the supply lines. So pre-inverter HVAC could be compromised in a datacenter.

        Even modern inverter-driven HVAC could suffer problems if it's assuming it will see three pretty-much-balanced phases- the smoothing capacitors are sized for the ripple from 3 phases, dropping to one or two working phases increases losses, heat production, and mechanical wear but may not be enough of a failure to kick on a UPS.

        Working slightly out of phase could increase the frequency of the drawn power, leading to arcing in relays, with more advanced attacks like that affecting equipment that gets its time-base from the grid frequency.

        Being able to apply extra current after monitoring points could trip safety measures as an imbalance is detected between the measured incoming and outgoing current flows.

        And that's just from things I've screwed up before (on a smaller scale). I'm sure a State-funded actor would have a playbook an inch thick just on how to use this sort of thing to screw with power systems.

  11. tip pc Silver badge

    Will we develop our own kit making capabilities?

    In Huawei's case, the decision to remove its kit was made largely out of fears that Beijing can legally compel companies to share data with it, which could in theory include data collected from operations in other countries.

    Other nations also legally require companies to share data collected in operations in foreign nations.

    I was employed by a foreign country operating in the uk and received some shares, I have to fill out a form for the foreign finance company declaring I’m not of that nation and I have to declare my nin. There is a part on the form to explain if I’m withholding my foreign tax details & an option for ‘it’s illegal to declare my info to a foreign government” (words to that effect) which iirc applies to Australians.

    Not hard to find examples of foreign companies gathering data in uk citizens and sending back to the home nation

    https://www.reuters.com/legal/legalindustry/data-collection-eu-troubled-waters-us-companies-2022-02-25/#:~:text=U.S.%20and%20EU%20regulators%20had,a%20series%20of%20privacy%20principles.

    While that example isn’t the foreign state requesting the information, once it’s on foreign shores their domestic laws may not require your permission for your data stored or processed there to be examined by that state.

    Also some nations collaborate to share info and use their partners to sift through their own citizens data

    https://en.wikipedia.org/wiki/Five_Eyes#:~:text=In%20recent%20years%2C%20documents%20of,law%20of%20the%20respective%20nations.

    https://www.fivecast.com/blog/intelligence-sharing-for-partner-nations/

  12. tip pc Silver badge

    Won’t be long before China & Russia have starlink clones

    Like GPS clones, Russia and China will have starlink like clones meaning they will have space based comms direct to devices as small as a phone across nations foreign to them.

    VPN’s, firewalls, traffic scanners etc etc will be useless against satellite communications that bypasses them.

    Case in point, if you had grid monitoring systems installed on high voltage transmission pylons would you connect them together via copper, fibre or radio.

    I’d be using radio as would still work if something broke the copper or fibre cables.

    Using radio means an antenna with likely clear line of sight to the sky meaning it could receive satellite communications & likely transmit to satellites too providing a back door into your secure grid.

    None of this is a problem if you can’t consider our friends may not be friends at some point in the near future.

    1. xyz Silver badge

      Re: Won’t be long before China & Russia have starlink clones

      OMG... They're breeding Musks??

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like