Critical infrastructures include water, oil/gas, pipelines, chemicals, manufacturing, telecommunications, transportation, etc. Their continued operation requires the electric utility industry to be available. However, the electric utility industry is also a cyber threat to all of those end-users. That threat is Aurora. As a result, Aurora throws the traditional concept of interdependencies on its ear.
Aurora is a gap in protection of the electric grid. Despite the 2007 CNN tape on Aurora, a good deal of information on Aurora is still classified as For Official Use Only (FOUO) by the Federal government, and Proprietary or Confidential by the utility industry. This makes it difficult to obtain detailed information on vulnerabilities and mitigation programs and effectively enables some in the utility industry to misrepresent information about the Aurora threat as facts. Starting 3-phase AC equipment out-of-phase is a known problem addressed in basic electrical engineering courses as starting AC equipment out-of-phase has caused catastrophic damage. An Aurora attack is a deliberate attempt to damage or destroy susceptible downstream rotating equipment by altering or defeating breaker synchronism check controls or operating an upstream breaker in a manner that can lead to an out-of-synchronism reconnection to the grid. For example, such an attack may include remote or local access to protection devices, allowing the attacker to suppress alarms, change set points, and remove configured and designed protections. Unless the Aurora hardware fix has been implemented, Aurora potentially affects ALL electric substations by allowing the grid to apply a torque on downstream rotating equipment or increase the mechanical stresses on transformer windings. Even more insidious, the applied torque happens so rapidly that existing monitoring systems may not be able to detect it. This was evident in the 2007 INL test when the load dispatcher did not know the generator was being torn apart until it failed.
The 2007 CNN tape on Aurora paints a very misleading picture. There are several important points about Aurora:
- It does not require the Internet
- It does not require the use of the Windows OS
- Like Stuxnet, it is an engineering attack against a process
- It can be initiated internally or externally via physical or cyber access
- It has been demonstrated to cause physical damage
- It is not relay vendor-specific and can affect all relay manufacturers
- As it is a physical gap in protection of the electric grid, it can only be mitigated by hardware
- Traditional IT security training or mitigation does not address Aurora
- As early as 2005, the Chinese understood the Aurora concept
- There appears to be at least one intentional Aurora incident that occurred overseas
Aurora can affect any load - water plants, refineries, data centers, ships, steel mills, factories, pipelines, mass transit, etc. Specifically, it can damage or destroy equipment such as generators, compressors, induction motors, chillers, transformers, turbines, etc. In 2008, Tim Roxey, then of Constellation Energy and now NERC's Chief Cyber Security Officer, prepared slides for the nuclear sector on the potential impacts of Aurora. On the bottom of one of the slides Tim identified the two PG&E substations that could cause an Aurora event that would impact the rotating equipment at the Chevron refinery in Richmond, CA. One troubling aspect of Aurora is end-use customer facilities could implement extraordinary physical and cyber security precautions to protect electrical switchgear from compromise inside their physical and electronic control perimeters and still be vulnerable to an attack from an out of phase reclosing of an upstream substation circuit breaker. Because of the potential impact on utility loads, the NERC Aurora Advisories tasked the utilities to inform their customers about Aurora. I wonder how many utilities (a) understand the Aurora threat, (b) have implemented a hardware solution, or (c) have informed their customers about this problem.
One of the reasons Aurora is not well understood is because many in industry feel there is already sufficient mitigation - the synchronous (sync) check relay. The synch check relay is only a part of the protection circuit when the generator is spinning up to be synchronized with the grid. It is not in use once the generator is connected to the grid. For example, the synch check relay does not protect the generator from a situation where the generator is disconnected and quickly reconnected to the grid. There is little understanding in industry that the sync check relay does not prevent damage from an Aurora event which is what also led to so many people questioning the INL test as they assumed the sync check relays must have been bypassed. More disconcerting, the sync check relay was at the root of at least one out-of-phase incident that physically destroyed a generator step-up transformer.
It is not possible for a utility to be cyber secure without addressing Aurora. The Aurora fix is less than $1000/ unit. Since hardware costs are so low, what is keeping the utilities from implementing the Aurora hardware fix and making Aurora go away? There appears to be two reasons. The first is the fear of spurious trips affecting grid reliability. Dominion Energy tasked Quanta to perform an analysis of the two mitigation devices - the Cooper iGR-933 Rotating Equipment Isolation Device (REID) and the Schweitzer (SEL) 751a relay. The Quanta analysis claims the Aurora mitigation devices would cause spurious trips. However, there are a number of dubious assumptions in the report. The second reason is not technical but my conjecture. That is, the 2007 NERC Aurora Advisory included language about CIP-002. It stated: "This measure calls for Digital Protection and Control Devices (DPCD) capable of closing breakers that can adversely impact critical electrical rotating equipment to be identified as Critical Cyber Assets (CCA) associated with the NERC CIP-002 Standard. This then requires enhanced cyber security measures, documentation, and compliance measures are enacted per NERC Standards CIP-002 through -009 for these devices." My belief is the utilities are concerned that if they implement the Aurora hardware mitigation, their substations would become NERC Critical Cyber Assets and therefore be subject to the NERC CIPs and associated audits. As this would apply to all substations, there has been a great deal of pushback. Because of this fear, the country is still at risk. This is the reason DOD is funding Aurora hardware mitigation projects at willing utilities to get other utilities to recognize the cure is not worse than the disease. In fact, it is expected the field demonstrations will show the Aurora mitigation can have additional reliability benefits particularly with power quality monitoring and other Smart Grid applications.
Until the utilities change course, the grid will not be secure and continue to be a potential cyber threat to other critical infrastructures.