Aurora Generator Test
Idaho National Laboratory (INL) ran the Aurora Generator Test in 2007 to demonstrate how a cyberattack could destroy physical components of the electric grid. The experiment used a computer program to rapidly open and close a diesel generator's circuit breakers out of phase with the rest of the grid, thereby subjecting the engine to abnormal torques and ultimately causing it to explode. This vulnerability is referred to as the ''Aurora Vulnerability''. It is a particular concern because most grid equipment supports Modbus and other legacy communications protocols that were designed without security in mind: they provide no authentication, confidentiality, or replay protection, so any attacker who can communicate with the device can control it and use the Aurora Vulnerability to destroy it.


Experiment

To prepare for the experiment, the researchers procured and installed a 2.25 MW (3000 horsepower) generator and connected it to the substation. They also needed access to a programmable digital relay or another device capable of controlling the breaker. Although such access can be through a mechanical or digital interface, in this case the latter was used. A generator unit consists of a diesel engine mechanically linked to an alternator. In many commercial-industrial settings, multiple generators need to operate together in tandem, in order to provide power to the desired load. A generator that is operating normally is synchronized with either the power grid or with one or more additional generators (for example in an "islanded" independent power network as might be used in a remote location or for emergency backup power). When generators are operating in synchronicity, effectively their alternators are magnetically locked together. In the Aurora experiment, the researchers used a cyberattack to open and close the breakers out of sync, in order to deliberately maximize the stress. Each time the breakers were closed, the torque induced in the alternator (as a result of the out-of-synchrony connection) caused the entire generator to bounce and shake. The generator used in the experiment was equipped with a resilient rubber rotating coupling (located between the diesel engine and the alternator, thus indirectly connecting the engine's steel crankshaft to the alternator's steel shaft). During the initial steps of the attack, black rubber pieces were ejected as the rotating coupling was incrementally destroyed (as a result of the extremely abnormal torques induced by the out-of-synchronization alternator on the diesel engine's crankshaft). The rotating rubber coupling was soon destroyed outright, whereupon the diesel engine itself was then quickly ripped apart, with parts sent flying off. Some parts of the generator landed as far as 80 feet away from the generator. 
In addition to the massive and obvious mechanical damage to the diesel engine itself, evidence of overheating of the alternator was later observed upon subsequent disassembly of the unit. In this attack, the generator unit was destroyed in roughly three minutes. However, the process took three minutes only because the researchers assessed the damage after each iteration of the attack; a real attack could have destroyed the unit much more quickly. For example, a generator built without a rotating rubber coupling between the diesel engine and the alternator would experience the crankshaft-destroying abnormal forces in its diesel engine immediately, given the absence of a shock-absorbing material between these two rotating components. A generator unit assembled in this way could see its diesel engine ruined by a single out-of-synchrony connection of the alternator. The Aurora experiment was designated as unclassified, for official use only (FOUO). On September 27, 2007, CNN published an article based on the information and video DHS released to them, and on July 3, 2014, DHS released many of the documents related to the experiment as part of an unrelated FOIA request.


Vulnerability

The Aurora vulnerability is caused by the out-of-sync closing of the protective relays. "A close, but imperfect, analogy would be to imagine the effect of shifting a car into Reverse while it is being driven on a highway, or the effect of revving the engine up while the car is in neutral and then shifting it into Drive." "The Aurora attack is designed to open a circuit breaker, wait for the system or generator to slip out of synchronism, and reclose the breaker, all before the protection system recognizes and responds to the attack... Traditional generator protection elements typically actuate and block reclosing in about 15 cycles. Many variables affect this time, and every system needs to be analyzed to determine its specific vulnerability to the Aurora attack... Although the main focus of the Aurora attack is the potential 15-cycle window of opportunity immediately after the target breaker is opened, the overriding issue is how fast the generator moves away from system synchronism."


Potential impact

The failure of even a single generator could cause widespread outages and possibly a cascading failure of the entire power grid, as occurred in the Northeast blackout of 2003. Additionally, even if there are no outages from the removal of a single component (N-1 resilience), there is a large window for a second attack or failure, as it could take more than a year to replace a destroyed generator, because many generators and transformers are custom-built.


Mitigations

The Aurora vulnerability can be mitigated by preventing the out-of-phase opening and closing of the breakers. Some suggested methods include adding functionality in protective relays to ensure synchronism and adding a time delay for closing breakers. One mitigation technique is to add a synchronism-check function to all protective relays that potentially connect two systems together. To implement this, the function must prevent the relay from closing unless the voltage and frequency are within a pre-set range. Devices such as the IEEE 25 Sync-Check relay and IEEE 50 can be used to prevent out-of-phase opening and closing of the breakers. Diesel engines can also be equipped with independent sensors that detect abnormal vibration signatures. It is possible to design such a sensor to immediately trigger a complete shutdown of the generator upon detection of a single major excursion from the vibration signature of a normally operating engine. However, the damage from that single excursion might already be substantial, particularly if a resilient rubber coupling between the engine and the alternator is not present.
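The synchronism-check and time-delay mitigations above, together with the 15-cycle window discussed under Vulnerability, as an added Python example. This is not code from the original page, from INL, SEL, Quanta, or any relay vendor. It assumes a constant-slip drift model (a real machine accelerates, so slip changes over time) and constructed threshold values, and it adds a phase-angle band alongside the voltage and frequency bands the text names, since an angle limit is the usual third quantity a device 25 check supervises; treat that addition as an assumption rather than something the page states.

```python
"""Synchronism-check reclose supervision (ANSI/IEEE device 25 style).

Added illustration, not INL, SEL or Quanta code. The constant-slip drift
model and every threshold value below are constructed assumptions."""

from dataclasses import dataclass
from typing import List, Tuple

NOMINAL_HZ = 60.0  # system frequency; 15 cycles = 0.25 s at 60 Hz


@dataclass(frozen=True)
class Limits:
    """Close-permission band. Values are illustrative, not a vendor's settings."""
    max_voltage_diff_pu: float = 0.10  # |V_gen - V_sys| in per-unit
    max_freq_diff_hz: float = 0.10     # slip frequency between generator and system
    max_angle_diff_deg: float = 10.0   # phase angle across the open breaker (assumed band)
    min_open_cycles: int = 15          # time-delay mitigation: hold-off before any reclose


def angle_after(slip_hz: float, cycles: int, nominal_hz: float = NOMINAL_HZ) -> float:
    """Phase angle (degrees, 0-360) that opens up between an islanded generator
    and the system after `cycles` system cycles at a constant slip frequency.
    One hertz of slip adds 360 degrees per second."""
    seconds = cycles / nominal_hz
    return (360.0 * slip_hz * seconds) % 360.0


def sync_check(v_gen_pu: float, v_sys_pu: float, f_gen_hz: float, f_sys_hz: float,
               angle_deg: float, cycles_open: int,
               limits: Limits = Limits()) -> Tuple[bool, str]:
    """Decide whether a close command may reach the breaker.
    Every quantity must be inside the band and the breaker must have been
    open for at least min_open_cycles; the first failing check is reported."""
    if cycles_open < limits.min_open_cycles:
        return False, "time delay not elapsed"
    if abs(v_gen_pu - v_sys_pu) > limits.max_voltage_diff_pu:
        return False, "voltage mismatch"
    if abs(f_gen_hz - f_sys_hz) > limits.max_freq_diff_hz:
        return False, "frequency (slip) out of band"
    wrapped = (angle_deg + 180.0) % 360.0 - 180.0  # fold into [-180, 180)
    if abs(wrapped) > limits.max_angle_diff_deg:
        return False, "phase angle out of band"
    return True, "in synchronism"


def evaluate_close_requests(request_cycles: List[int], slip_hz: float,
                            limits: Limits = Limits()) -> List[Tuple[int, bool, str]]:
    """Run a series of close requests (expressed as cycles since the breaker
    opened) through the check, deriving angle and frequency from the drift
    model. Voltages are held at 1.0 pu on both sides for simplicity."""
    results = []
    for cycles in request_cycles:
        angle = angle_after(slip_hz, cycles)
        permit, reason = sync_check(1.0, 1.0, NOMINAL_HZ + slip_hz, NOMINAL_HZ,
                                    angle, cycles, limits)
        results.append((cycles, permit, reason))
    return results


if __name__ == "__main__":
    # Generator slipping away at 1 Hz: the request inside the 15-cycle window
    # is refused by the hold-off, and later ones by the slip check.
    for row in evaluate_close_requests([3, 15, 30], 1.0):
        print(row)
    # Generator that stayed close to synchronism (0.05 Hz slip): the early
    # request is refused by the hold-off, the later one is permitted.
    for row in evaluate_close_requests([3, 30], 0.05):
        print(row)
```

The check sits between every source of close commands and the breaker, so it supervises a command the same way whether it came from an operator, an automatic reclosing scheme, or an unauthenticated Modbus write; that is what makes it a meaningful control when the protocol itself cannot tell a legitimate command from an illegitimate one. The hold-off models the time-delay mitigation and the band checks model the sync-check; in practice the relay's settings must be coordinated with the generator's own protection, which is the point the Criticisms section below raises.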


Criticisms

There was some discussion as to whether Aurora hardware mitigation devices (HMDs) can cause other failures. In May 2011, Quanta Technology published an article that used RTDS (Real Time Digital Simulator) testing to examine the "performance of multiple commercial relay devices available" of Aurora HMDs. To quote: "The relays were subject to different test categories to find out if their performance is dependable when they need to operate, and secure in response to typical power system transients such as faults, power swing and load switching... In general, there were technical shortcomings in the protection scheme's design that were identified and documented using the real time testing results. RTDS testing showed that there is, as yet, no single solution that can be widely applied to any case, and that can present the required reliability level." A presentation from Quanta Technology and Dominion succinctly stated in their reliability assessment "HMDs are not dependable, nor secure." Joe Weiss, a cybersecurity and control system professional, disputed the findings from this report and claimed that it has misled utilities. He wrote: "This report has done a great deal of damage by implying that the Aurora mitigation devices will cause grid issues. Several utilities have used the Quanta report as a basis for not installing any Aurora mitigation devices. Unfortunately, the report has several very questionable assumptions. They include applying initial conditions that the hardware mitigation was not designed to address such as slower developing faults, or off nominal grid frequencies. Existing protection will address "slower" developing faults and off nominal grid frequencies (<59 Hz or >61 Hz). The Aurora hardware mitigation devices are for the very fast out-of-phase condition faults that are currently gaps in protection (i.e., not protected by any other device) of the grid."


Timeline

On March 4, 2007, Idaho National Laboratory demonstrated the Aurora vulnerability. On June 21, 2007, NERC notified industry about the Aurora vulnerability. On September 27, 2007, CNN released a previously classified demonstration video of the Aurora attack on their homepage; that video can be downloaded from here. On October 13, 2010, NERC released a recommendation to industry on the Aurora vulnerability. On July 3, 2014, the US Department of Homeland Security released 840 pages of documents related to Aurora in response to an unrelated FOIA request.


See also

* ''Brittle Power''
* Electromagnetic pulse
* Energy security
* List of power outages
* New York City blackout of 1977
* Programmable logic controller
* Resilient control systems
* Vulnerability of nuclear plants to attack
* When Technology Fails
* Metcalf sniper attack




External links

* Aurora Revisited — by its original project lead - OTbase
* What You Need to Know (and Don't) About the AURORA Vulnerability - Power
* The All-Too-Real Cyberthreat NOBODY is Prepared for (Aurora) - Breaking Energy
* ComputerWorld
* New docs show DHS was more worried about critical infrastructure flaw in '07 than it let on - ComputerWorld
* DHS Releases Hundreds of Documents on Wrong Aurora Project - Threatpost
* infracritical.com
* SECURING THE U.S. ELECTRICAL GRID - thepresidency.org
* InfoSec
* AURORA Vulnerability Background - Southern California Edison (SCE)