There have been numerous discussions about cyber risk within NERC, the utilities, and ICS equipment suppliers. Aurora is an unresolved risk that could have significant impact on the utilities, suppliers of relay protection devices, and utility customers with 3-phase rotating equipment.
To date, the only information available to most people about the Aurora vulnerability is the 2007 CNN tape showing the diesel generator smoking. There are several other documents floating around, but many are either proprietary or classified. Even the original ICS-CERT report is still classified as For Official Use Only (FOUO).
One of these documents in particular is the July 22, 2011 IEEE paper on Aurora mitigation devices (“‘Aurora’ Vulnerability: Reliability Analysis of Hardware Mitigation Devices”), known as the “Quanta report”. This paper was a summary of the report commissioned by Dominion/Virginia Power. The study concluded that security is significantly compromised at off-nominal frequencies and that Aurora hardware mitigation devices are prone to mis-operations. This report has done a great deal of damage by implying that the Aurora mitigation devices will cause grid issues. Several utilities have used the Quanta report as a basis for not installing any Aurora mitigation devices. Unfortunately, the report makes several very questionable assumptions. These include applying initial conditions that the hardware mitigation was not designed to address, such as slower-developing faults or off-nominal grid frequencies. Existing protection will address “slower” developing faults and off-nominal grid frequencies (<59 Hz or >61 Hz). The Aurora hardware mitigation devices are for the very fast out-of-phase condition faults that are currently gaps in protection (i.e., not protected by any other device) of the grid. The Aurora hardware mitigation devices have been demonstrated in laboratory conditions to not cause undue risk to the electric grid. The DOD Aurora mitigation program is monitoring the performance of the Aurora mitigation devices in actual plant conditions in a monitoring-only mode (i.e., not as a part of the plant’s protection system) so as not to cause any impacts on grid operation.
Some utilities are starting their own programs to evaluate the Aurora threat, by testing mitigation devices in their labs or installing them in monitoring mode in their power plants and substations, because they realize that there is a gap in protection and want to proactively protect their investments. Very recently, a small Aurora test facility has been constructed to address a number of questions, including the erroneous Quanta report, and to clarify some important facts from the original 2007 INL test. One key point of the demonstration is that Aurora can damage 3-phase AC induction motors, not just generators. This means that ALL utility customers with 3-phase AC motors running pumps, chillers, etc., can be at risk from any utility substation that has not implemented the Aurora hardware mitigation devices! Moreover, high-magnitude currents flowing as a result of a fault on the secondary side of a transformer have been shown to produce sufficient internal forces in the windings to cause transformer damage. This should be cause for concern for all utilities.
The tape from this testing will be part of an Aurora session at the October ICS cyber security conference (www.icscybersecurityconference.com).