Misconceptions about Aurora - why isn't more being done

Aurora is a reliability gap in the protection of the electric grid (it is a global issue not just North American). It involves opening and closing a circuit breaker or breakers, resulting in an out-of-phase condition that can damage loads including generators and motors. The 2007 Aurora test at the Idaho National Laboratory (INL) was a demonstration that if someone can gain access to a controller, the attacker will cause physical damage. As Aurora is a gap in protection of the electric grid, one way to prevent an Aurora attack is by hardware mitigation.

After talking to many people, it became evident there are serious misconceptions about Aurora, the validity of the INL testing, and the rationale for not implementing hardware mitigation. I wanted to address these issues:

1) The project started in March 2006 by providing proven facts to relevant government agencies.

2) Aurora exploits basic physics. It is a basic tenet of power engineering that you do not close a breaker with the grid out of phase. Creating an out-of-phase condition and starting equipment (intentionally or unintentionally - doesn't have to be malicious) will create significant torque on the equipment that can cause substantial hardware damage.

3) Power engineers know of this problem which is the reason synch-check relays exist. However, in the case of Aurora, a synch-check relay will not protect you from the event. The reason for the Aurora-specific hardware mitigation is that existing protection cannot be set to allow the grid to operate reliably as nuisance trips will ensue. The Aurora hardware mitigation will protect the rotating equipment before the first reclosure occurs damaging the equipment (examples include the SEL-751A and Cooper iGR-933).

4) Aurora will affect rotating equipment connected to the grid.

5) There have been a number of claims that the INL test was "rigged" and that INL had disabled the protection for the grid and generator. This is not true. Protection was in place for the generator as well as the grid. In fact, the protection was configured by independent consultants to industry standards (not INL) and independently reviewed by industry observers. All protection typically found on a generator of this type connected to the grid was fully enabled during the attack including synch check relays and vibration sensors to name a few. Additionally, even though the operator was aware of the test, he did not see any impact on the grid until the generator was destroyed.

6) Aurora is real. There have been many cases where out-of-phase conditions have substantially damaged and destroyed equipment. These events were not called Aurora, because it wasn't given a name yet. It was simply called a "million-dollar mistake". I am sure there have been a number of people who have lost their jobs because they accidentally closed a breaker on rotating equipment out of phase.

7) Many times Aurora has been characterized as malware, a virus, a Trojan, etc. Aurora is not a cyber event. It is an electrical (physical) event that can be caused by cyber - a cyber-physical event. Hence, the reason to have cyber security protection.

As a member of numerous international standards committees and having talked to many industry and regulatory people about this, one wonders why there hasn't been more activity to mitigate this very real problem.

Joe Weiss