Aurora was first publicly demonstrated at the Idaho National Laboratory (INL) in March 2007. Subsequent to the test, DHS held an invitation-only meeting with the utilities at the March PCSF meeting followed by NERC publishing the first NERC Aurora Advisory.
Aurora has a number of unique aspects:
The Aurora phenomenon is a PHYSICAL gap in protection of the electric grid that affects EVERY substation (not just in North America)
Aurora demonstrated that cyber could exploit this physical gap in protection and cause physical damage
Aurora can ONLY be mitigated by hardware
Aurora affects generators as seen in the CNN tape, but also ALL AC motors and transformers
Aurora makes the utility the vector for the threat
Because of the For Official Use Only (FOUO) designation and the erroneous information, industry is generally misinformed about what actually happened at the Aurora test and what Aurora actually is
The misinformation is even higher among the utilities’ customers
DOD is responsible for assuring continuity of electric power at critical defense facilities. As such, DOD recognized the potential impacts from Aurora and initiated an Aurora hardware mitigation program. As a result, DOD is supporting two electric utilities in Aurora hardware implementation programs to demonstrate that the Aurora mitigation will not cause reliability issues.
Why is industry fighting a phenomenon that every first year electrical engineering student learns? I believe it is because the first NERC Advisory stated that if a substation device was susceptible to Aurora, it was designated a NERC Critical Asset. This means EVERY substation without the Aurora fix should be a NERC Critical Cyber Asset and subject to the NERC CIPs – not a very popular idea considering the onerous audits associated with being a NERC Critical Asset.
NERC is leading the fight against Aurora. In the 2007-8 time frame, the President of NERC misled Congress twice. NERC has turned down offers to brief the NERC Aurora Committee about the Aurora field testing. NERC is aware of the two utility hardware demonstration projects. Even worse, a NERC employee tried to pressure one of the utilities not to do the field testing – who is NERC trying to protect?
Last month, EPRI issued a report on Aurora. As I am not an EPRI member, I have not seen the report. EPRI did not contact me, either of the utilities doing the field testing, the DOD sponsor, or anyone involved in the hardware mitigation and on-going Aurora testing. The October ICS Cyber Security Conference had a session devoted to Aurora explaining technically why existing relay protection is inadequate to prevent Aurora. Unfortunately, neither EPRI nor their contractors attended even though the session was well advertised. Doesn’t that strike anyone as odd or is this another case of trying to “drylab” a result? This appears to be similar to what happened with the Dominion Quanta report where they used very questionable assumptions to “prove” that Aurora mitigation would not work. I know firsthand of many utilities that are unwilling to even have a telecom, much less a meeting with DOD, on Aurora so they can claim to be unaware of the problem.
Lawyers are filing lawsuits against Target because of the recent cyber attacks claiming they should have known. With Aurora, it will be the utilities’ customers that will be hit. It will be interesting to see how the utilities try to defend themselves against an Aurora event saying they didn’t know.