Automation Giant Faces U.S. Government Probe Over China Operations

Investigation of Rockwell looks at whether its software might allow access to critical U.S. government and industrial infrastructure

The Biden administration is investigating whether Rockwell Automation, one of the world’s largest industrial technology and information companies, is exposing critical U.S. infrastructure, military and other government assets to a potentially serious cyberattack through one of its China-based facilities, according to U.S. officials and documents reviewed by The Wall Street Journal.

The Milwaukee-based information giant provides productivity-improvement software and cybersecurity services to computer platforms used in the national power grid as well as by the U.S. Navy and Coast Guard and other parts of the federal government, among other customers, according to the company’s website.

The U.S. government investigation is focused on employees based at the company’s facility in Dalian, China, who might have access to software codes that connect with those computer systems. The probe includes the inspectors general at the Energy Department and the Defense Department as well as the Justice Department’s Commercial Litigation Branch, according to the documents.

Investigators are looking into potential vulnerabilities that might allow access from China to critical U.S. government and industrial infrastructure and computer systems, according to a memorandum of investigative activity, which documents evidence in the course of a probe. The memorandum, dated Jan. 24, details testimony from a whistleblower interviewed by government investigators from the three agencies.

A spokeswoman for Rockwell Automation said the company hasn’t been notified of any investigation related to the company’s work in Dalian but would fully cooperate if it receives such a notification. She added that Rockwell’s supply chain, development practices and hiring processes comply with applicable laws and regulations.

The Energy Department and its Office of Inspector General declined to comment. The Commercial Litigation Branch of the Justice Department and the Pentagon’s Office of Inspector General didn’t respond to requests for comment.

The possible remedies or recommendations that the U.S. government could seek as a result of the probe couldn’t be determined. The investigation is in its early stages and could result in no action against Rockwell.

Authorities are reviewing concerns about Rockwell’s Dalian operations in the context of a federal directive that restricts vendors from countries including China that are deemed a threat to national security from providing technology and hardware to the federal government, according to the investigative memorandum.

The focus of government investigators on business practices in China of a major U.S. government contractor shows the extent to which relations between the two countries have become defined by mutual suspicion and U.S. concerns over Beijing’s efforts to boost its technological prowess and intelligence-gathering by infiltrating American computer networks. The scrutiny of Rockwell comes after the U.S. government campaigned globally to stymie China’s Huawei Technologies, a provider of telecommunications-infrastructure hardware, saying it threatened U.S. national security because Beijing can compel Chinese companies to hand over data.

Rockwell shares closed down 2.8% Wednesday at $270.09.

In the memorandum, the whistleblower alleged that Rockwell does its code development, support and patching—updating software to fix vulnerabilities—using only Chinese nationals at the facility in Dalian, a port city at the southern tip of China’s Liaoning province.

As a result, some companies and government entities that do business with Rockwell are worried about potential security implications, the memorandum said and U.S. officials confirmed.

Among those concerns: the potential for Chinese nationals working at the facility or the Chinese state operating through those employees to identify and exploit vulnerabilities in Rockwell code to hack into U.S. systems before those bugs are addressed.

The U.S. officials and documents didn’t suggest that Rockwell has any current vulnerabilities in its products’ software codes.

Rockwell has had operations in Dalian since 1994, but the growing tensions between the U.S. and China in recent years have prompted changes to U.S. regulations. Those changes require companies operating in countries known for conducting aggressive cyber operations, such as China, Russia and Iran, to monitor personnel and restrict access that locals have to product code.

The U.S. has vowed in recent years to degrade or counter cybersecurity threats before they reach U.S. networks, including those of the federal government and its contractors.

Many U.S. corporations have pulled out of Russia in the midst of global condemnation of its invasion of Ukraine last year and crippling Western sanctions. U.S. investment in China has also been in the political crosshairs, especially from Congress.

While some American companies have shifted operations elsewhere, many are reluctant to retreat, pointing to China’s huge market and its central role in supply chains.

Last month, the U.S. Chamber of Commerce warned of the mounting risks of doing business in China, particularly in the midst of Beijing’s new counterespionage law, “which casts a wide net over the range of documents, data or materials considered relevant to national security.”

Rockwell Chief Financial Officer Nick Gangestad said Wednesday that security is a top priority and, if necessary, the company would consider moving its software operations out of China.

“It’s something that could be addressed,” Mr. Gangestad said at the Oppenheimer Industrial Growth Conference. “We recognize that the global threat landscape is evolving and we work closely with the U.S. government and we will continue to work closely with the U.S. government to monitor that environment and if needed, if we need to take action, we of course will take that action.”

Concerns about the company’s practices first surfaced last year amid what the memorandum described as contentious contract renewal discussions between Rockwell and a South Carolina branch of Dominion Energy, an American energy company that generates, transmits and distributes electricity and natural gas.

The talks hit a roadblock when Dominion sought to include contract provisions such as data-breach reporting requirements, third-party security assessments and restrictions on computer-software support from countries including China, Russia and Iran, according to the memorandum and officials familiar with negotiations.

Rockwell, according to the U.S. officials and the memorandum, told Dominion that all code written in China is checked for bugs and tested against cyberattacks by the company’s personnel in the U.S., procedures that the Rockwell spokeswoman confirmed.

Rockwell told Dominion that its internal security and compliance practices made the provisions Dominion wanted unnecessary, according to the account detailed in the investigation.

Rockwell also told Dominion that it secures its equipment through an internal cybersecurity program and that there is no outside entity reviewing the code or systems, nor was there any way Dominion could review the code itself, the memorandum said.

Dominion signed a six-month agreement with Rockwell through March 31, rather than the original plan of negotiating a five-year contract.

A person familiar with Rockwell’s security and compliance practices disputed the characterization of talks with Dominion but didn’t offer specifics.

Aaron Ruby, a spokesman for Dominion, confirmed that details in the memorandum about the recent contract negotiations with Rockwell are accurate.

Neither side would comment on the current status of contract talks since the short-term agreement expired.

“Rockwell Automation provides maintenance services for legacy control systems at some of our facilities,” Mr. Ruby said. “None of these services involve cyber, remote or unsupervised access to our systems. Furthermore, we do not accept any services from Rockwell that are based in China, Russia, Iran, Belarus or any other hostile nation.”

Rockwell’s spokeswoman said the company’s software development work in China “is limited and largely focused on sustaining a small number of mature products that have been in the market for a long time and have undergone multiple years of development and testing.”

Cybersecurity experts said that from the viewpoint of assessing cybersecurity risk, it made no difference whether a product was considered mature or new, since vulnerabilities can still exist. “Mature code is not a thing,” said Bruce Schneier, a computer-security expert and lecturer at the John F. Kennedy School of Government at Harvard University.

The current allegations by the whistleblower follow citations in 2021 and 2022 by the Department of Homeland Security about bugs in Rockwell software. In three instances, DHS’s Cybersecurity and Infrastructure Security Agency released advisories, with the relevant fixes, for vulnerabilities in Rockwell products that an attacker could exploit to inject code into affected systems.

Rockwell’s spokeswoman said the advisories were part of an established vulnerability disclosure program, and Rockwell worked closely with the government to address the issues.

According to its website, Rockwell Automation’s products and software have been installed successfully on board various Navy and Coast Guard ships since 1997.

Since starting operations in China in 1988, Rockwell Automation has rapidly expanded across the country, according to its website. The company now has over 2,000 employees in 34 offices across China, a global research and development center in Shanghai, a software development center in Dalian and two manufacturing facilities.

Rockwell’s longstanding partnerships with dozens of Chinese universities are a cause for concern among U.S. officials, as are ties between Chinese employees and military-linked universities, according to the investigation and U.S. officials who spoke to the Journal. Several China-based Rockwell employees list themselves online as being graduates of, or affiliated with, universities known as the Seven Sons of National Defense because of their links with China’s People’s Liberation Army.

According to data from Strider Technologies, a technology startup that focuses on global intelligence, some of Rockwell’s employees in China have direct ties to national universities linked to the Chinese military, state-owned enterprises, government-run talent programs and other elements of the government.

The statistics, reviewed by the Journal, show that at least 217 current Rockwell employees in China have a direct relationship to a civilian university that is designated as a supporter of China’s national defense objectives or is administered by a government body with responsibility for national defense. At least 15 current Rockwell employees were found to have, or have had, a direct relationship to a government-controlled organization.

“Companies are on the front lines of U.S.-China strategic competition,” said Greg Levesque, chief executive of Strider. “They’re increasingly the target or the vehicles for state-sponsored actors seeking to compromise U.S. critical infrastructure.”

A person familiar with Rockwell’s security and compliance practices said the company’s hiring practices include background and other pre-employment checks, such as by third parties. The person declined to comment on specific employees or on the Strider research and didn’t elaborate on any personnel-vetting procedures.