Critical Infrastructure Remains a Blind Spot in Taiwan’s Defense Preparedness


Two rolling blackouts across Taiwan, occurring within the space of a week in May—both resulting from malfunctions at Taiwan Power Company’s (Taipower, 台電) Hsinta Power Plant (興達電廠) in Kaohsiung—have raised concerns about the vulnerability of Taiwan’s infrastructure to potential cyber or kinetic attacks by China.

The short-term power outages occurred on May 13 and May 17, affecting hundreds of thousands of households nationwide in select rationing areas. Coinciding with an unexpected surge in COVID-19 cases in northern Taiwan, the blackouts fueled rumors online that Beijing may have been attempting to exploit a moment of distraction in Taiwan to probe its energy grid, with a view to exacerbating pressure on the central government. The government dispelled such rumors, and Taipower provided explanations regarding the twin incidents and reasons for the blackouts.

Although there was no apparent involvement by hostile forces in the May incidents, the vulnerability of Taiwan’s energy grid was nevertheless put on full display. Amid a surge in demand for electricity, such as during Taiwan summers, all four coal-fired generators at the Hsinta Power Plant must operate in parallel. During the May 13 incident, a malfunction at a communication system in a transformer station in Kaohsiung resulted in the Hsinta Power Plant being unable to distribute energy. According to the Ministry of the Interior, the malfunction caused two coal-fired generators and two natural gas generators at Hsinta to trip, reducing output by 1.6 million kilowatts. Besides human error, an aging power infrastructure also represents potential risks for a steady and reliable supply of energy in Taiwan. One month prior to the twin outages, Kaohsiung Mayor Chen Chi-mai (陳其邁) had already said he hoped the Hsinta Power Plant, which has been in operation for 40 years, would be decommissioned as early as 2025, and replaced with a more modern system.

Vulnerability to Hostile Acts

The combination of aging power plants and narrow energy margins during peak demand exposed by May’s incidents underscores the vulnerability of Taiwan’s energy sector, and the lack of political will over successive administrations to remedy the situation. This, in turn, creates an opening for hostile forces seeking to disrupt Taiwan’s energy supply. Besides cyber attacks that could replicate the kind of human or technical errors that contributed to the blackouts in May, a hostile regime could rely on local proxies, such as the China Unification Promotion Party (中華統一促進黨, CUPP), pro-Beijing organized crime, or infiltrators, to conduct sabotage operations.

Such acts, whether cyber or man-made, could be committed to undermine support for the Taiwan government, to compound pressure on the government in times of emergency, or as part of an initial phase in an attempted invasion of Taiwan by the People’s Liberation Army (PLA). Combined with disruptions to the public transportation grid and telecommunication, such attacks would pose a tremendous challenge to the government’s ability to mobilize forces to respond to an eventual assault by the PLA.

As Ian Easton of the Project 2049 Institute notes, citing the Chinese publication Informatized Joint Operations (信息化聯合作戰), the PLA could also launch kinetic attacks on “fuel supplies and the power grid. Like island nations everywhere, Taiwan is almost totally dependent upon imported oil and natural gas. There are large emergency stockpiles for war, but these are hardly bottomless. The PLA plans to fire missiles and drop bombs on Taiwan’s oil refineries, tank farms, and pipelines. During this phase of the bombing, we are told that hydro-electrical power plants, thermal power stations, and electrical transformers would also be stricken and burned. Command nodes in the power grid would be targeted by cyber attacks. The stated objective of such attacks is to place a strain on the civilian populace.” Hostile disruptions to public utilities, including supply of water and electricity, could also be used to cripple output in Taiwan’s high-tech sectors, such as the semiconductor industry.

External forces, combined with local agents, could also launch a disinformation campaign in parallel to exacerbate the effects of disruptions caused by cyber or man-made attacks, cause confusion and panic, and undermine confidence in government authorities. There are precedents for such coordinated attacks, such as those committed by Russia against Estonia in 2007 and the cyber attack against the Colonial Pipeline in the United States earlier this year by elements suspected of being based in Russia. (Moscow denies the government was involved in the attack.) It is also suspected that the state-based Chinese hacker group RedEcho was behind an attack on India’s power grid that caused a massive power outage in Mumbai in October 2020 amid an eight-month standoff in Eastern Ladakh.

Image: At a May 14th press conference, Taipower spokesman Chang Ting-shu (張廷抒) (left) explains the cause of the May 13th power outage that caused rolling blackouts throughout much of Taiwan. (Image source: Taiwan Central News Agency)

Preparation, Mitigation, and Response

As one author notes in a recent report on Taiwan’s cybersecurity, “a culture of accountability is noticeably absent from both its public and private sectors,” which has resulted in cybersecurity flaws being concealed or merely reported as “system abnormalities.” Thus, despite the progress that has been made in Taiwan’s preparedness to respond to potential cyber attacks against the private and public sector, greater effort must be made to ensure accountability and transparency, and to plug blind spots that are sure to be exploited by a hostile foreign force like China. Ransomware attacks by private or patriotic hackers, as well as the disabling of key infrastructure by PLA cyber units in the opening phase of more traditional military operations, are therefore two areas of Taiwan’s defense preparedness that merit further investment. Some initiatives, such as a joint information security MOU signed between Taipower and the Ministry of Justice Investigation Bureau (MJIB) in September 2019 to strengthen information security and ensure the security and reliability of the power supply in Taiwan, are steps in the right direction. However, more needs to be done.

Besides countering, mitigating the effects of, and identifying the perpetrators of cyber attacks, Taiwan must do more to ensure physical protection at key infrastructure sites. In addition to on-site physical protection such as restricted zones and better surveillance, proper background checks—and, where necessary, the assignment of security clearances—should be normalized to ensure that employees at critical infrastructure sites are trustworthy and that they are not acting as potential agents of a foreign power. (The implementation of a security clearance system is urgently needed across the Taiwanese government system, but that is a subject for another day.)

Besides bolstering on-site security, the Taiwanese government must also make the necessary investments to modernize power plants and other networked elements of the country’s infrastructure. Greater effort should also be put into ensuring sufficient and undisrupted supply of electricity through redundancy, parallel systems, and auxiliary storage facilities. Grid stabilization projects, such as that at Hornsdale in South Australia, are examples of projects that could be taken up by Taiwan. The government should also invest in large-scale battery energy storage systems (BESS) to store energy collected by solar panels, wind farms, and other alternative energy sources in order to help stabilize the grid whenever distribution is affected. All these can reduce the frequency of blackouts in both peacetime and war, and would make it more difficult for a hostile external agent or saboteurs to knock out Taiwan’s energy sector in a single blow.

As Evan A. Feigenbaum and Jen-yi Hou (侯仁義) point out in a 2020 paper for the Carnegie Endowment for International Peace, there is also room for much closer cooperation between Taiwan and the United States on energy storage technology. Such storage solutions may include virtual power plants (VPP), which use cloud-based distribution to aggregate nationwide capacity from various energy sources [1]; Tesla’s Megapack; and carbon capture and sequestration (CCS) technology. Energy storage infrastructure would help reduce Taiwan’s reliance on coal and natural gas—both of which are imported and therefore subject to interruption or embargo—to stabilize its grid. As Feigenbaum and Hou observe, CCS plays to Taiwan’s industrial strengths and could in fact represent a new business sector, as no major country has yet dominated this nascent technology.

Taiwan will never be able to completely defend its critical infrastructure against external assault, cyber attacks, and sabotage. However, by improving security, increasing redundancy, and investing in new sources of energy and storage, it can bolster its resilience and thereby augment its deterrent capacity against an external aggressor. The incidents last month at Hsinta have made it clear that the energy grid—and by extension, Taiwan as a whole—is particularly vulnerable to sabotage. Such blind spots should be remedied before they can be exploited by actors with malicious intentions.

The main point: Recent nationwide blackouts caused by two glitches at a power plant in Kaohsiung have drawn attention to the fragility of Taiwan’s energy grid, and its potential vulnerability to sabotage by hostile forces. Various measures—such as modernizing the grid, boosting on-site security, and building redundancy and storage capacity through new technologies—could help reduce the risks of a catastrophic knock-out blow by China. 

[1] According to Germany’s Next Kraftwerke, one of the pioneers of modern VPPs, it’s “a network of decentralized, medium-scale power generating units such as wind farms, solar parks and combined-heat-and-power units, as well as flexible power consumers and storage systems.” Quoted in https://www.greentechmedia.com/articles/read/so-what-exactly-are-virtual-power-plants.