Latest Aurora information – this affects ANY electric utility customer with 3-phase rotating electric equipment!

There have been numerous discussions about cyber risk within NERC, the utilities, and ICS equipment suppliers. Aurora is an unresolved risk that could have significant impact on the utilities, suppliers of relay protection devices, and utility customers with 3-phase rotating equipment.

To date, the only information available to most people about the Aurora vulnerability is the 2007 CNN tape showing the diesel generator smoking. There are several other documents floating around, but many are either proprietary or classified. Even the original ICS-CERT report is still classified as For Official Use Only (FOUO).  

One of these documents in particular is the July 22, 2011 IEEE paper on Aurora mitigation devices (“Aurora” Vulnerability: Reliability Analysis of Hardware Mitigation Devices”) – the “Quanta report”. This paper was a summary of the report commissioned by Dominion/Virginia Power. The study concluded that that security is significantly compromised at off-nominal frequencies and that Aurora hardware mitigation devices are prone to mis-operations. This report has done a great deal of damage by implying that the Aurora mitigation devices will cause grid issues. Several utilities have used the Quanta report as a basis for not installing any Aurora mitigation devices. Unfortunately, the report has several very questionable assumptions. They include applying initial conditions that the hardware mitigation was not designed to address such as slower developing faults, or off nominal grid frequencies. Existing protection will address “slower” developing faults and off nominal grid frequencies (<59 Hz or >61 Hz). The Aurora hardware mitigation devices are for the very fast out-of-phase condition faults that are currently gaps in protection (i.e., not protected by any other device) of the grid. The Aurora hardware mitigation devices have been demonstrated in laboratory conditions to not cause undue risk to the electric grid. The DOD Aurora mitigation program is monitoring the performance of the Aurora mitigation devices in actual plant conditions in a monitoring only mode (i.e., not as a part of the plant’s protection system) so as not to cause any impacts on grid operation.  

Some utilities are starting their own programs to evaluate the Aurora threat, by testing mitigation devices in their labs or installing them in monitoring mode in their power plants and substations, because they realize that there is a gap in protection and want to proactively protect their investments.  Very recently, a small Aurora test facility has been constructed to address a number of questions including the erroneous Quanta report and clarify some important facts from the original 2007 INL test. One key point of the demonstration is that Aurora can damage 3 phase AC induction motors, not just generators. This means that ALL utility customers with 3 phase AC motors running pumps, chillers, etc can be at risk from any utility substation that has not implemented the Aurora hardware mitigation devices!  Moreover, high magnitude currents flowing as a result of a fault on the secondary side of a transformer have been shown to produce sufficient internal forces in the windings to cause transformer damage. This should be cause for concern for all utilities. 

The tape from this testing will be part of an Aurora session at the October ICS cyber security conference (www.icscybersecurityconference.com).

Joe Weiss

What are your comments?

You cannot post comments until you have logged in. Login Here.

Comments

  • As timing would have it, I posted the blog a few hours before I received my September copy of Power magazine. For those interested in the details of Aurora, the article is entitled: "What you Need to Know (and Don't) About the AURORA Vulnerability. Joe Weiss

    Reply

  • Since the original AURORA test bed at Idaho Labs in 2007 much has been said about the merits of the test conducted and many conjectures concerning its validity have been made. It is important to remember that AURORA is not an isolated case that exists outside the cybersecurity framework. To the contrary it is an integral part of the cybersecurity framework that is being discussed within the industry and government. Many arguments were made about the setup of the test bed as to whether it represented a real world scenario. Many of these questions were a result of a reaction to limited amounts of information available concerning the test bed and the test itself. The limited amount of information caused many engineers and technicians to fill in the blanks based on their experience and perspective of the matter. So what is the truth? Two utilities are currently conducting AURORA test beds within real world systems to determine the effects of AURORA. In these test beds data is being gathered that will provide greater insight into the effect of AURORA and its effect on system operations, system reliability and system security. Where there is some fairness to the comments concerning the original lab test bed, these tests being conducted will shed a brighter and more informative light on AURORA’s effects. AURORA is a part of the cybersecurity considerations that need to be considered by companies. It is important for us to remember that if we dismiss valid potential threats simply because we believe that it will not happen then we create and provide the weapon of our own demise to our enemies. Let us never forget 9/11 which we thought would never happen.

    Reply

RSS feed for comments on this page | RSS feed for all comments