18 years later: Aurora is still an existential threat to critical infrastructures

Control system hardware cybersecurity issues continue to be out of the cybersecurity mainstream. Protective relay issues are a good example. There are several hardware cyber issues associated with protective relays that cannot be detected by network security monitoring. These issues include manipulating registers in the relays and remotely opening and closing the relays.

Aurora incidents are a good example of such an issue. They’re worth reviewing, again.

Aurora is a physical-cyber issue caused by reclosing protective relays out-of-phase with the grid. The lack of synchronization creates damaging mechanical and electrical forces on alternating current (ac) equipment connected to the relays. The out-of-phase condition can be induced either manually or remotely (as in a cyber incident). There is no malware involved in an Aurora incident. Aurora uses the protection of the electric grid, arguably the most critical of all infrastructures, as the attack vector. That is, Aurora is a gap in protection of the electric grid and network monitoring would identify neither an Aurora attack nor change to the operational status of equipment following an Aurora attack.

The Aurora attack was conceived in 2006. The Idaho National Laboratory (INL) wanted to demonstrate to industry that cyberattacks could cause equipment damage equivalent to physical attacks. INL was interested in doing this because existing cyberattack demonstrations were not getting decision-makers’ attention. Inducing an out-of-phase condition in ac electrical equipment was identified as a possibility for demonstrating this type of attack because out-of-phase incidents were known to cause significant physical damage. Government interest about the out-of-phase condition increased when a whitepaper on the out-of-phase vulnerability was presented at a conference partially sponsored by the Chinese in 2006.

The Aurora vulnerability used remote access to reclose protective relays out-of-phase with the grid, thereby causing ac equipment to operate in unstable conditions. The unstable out-of-phase conditions generate large torques, current spikes, and harmonics that create increased equipment heat. The large torques can damage ac induction motors and generators, the current spikes can damage transformers, and the increased heat can cause fires in lithium-ion battery energy storage systems. The hardware damage can make the grid and ac equipment in other industries and facilities unavailable for 9-18 months, or longer. It can take that long because of the sheer difficulty of repairing the hardware damage and the long lead-times of obtaining replacement equipment. Equipment damage can occur with any ac equipment connected to the affected protective relays, whether that equipment is from the utilities or the utilities’ customers. The greater the out-of-phase angle between the equipment and system phase angles, the greater the damage.

In 2006, INL validated the physics of Aurora when it succeeded in damaging a small ac motor by reclosing the motor out-of-phase. The March 2007 INL test was a full-scale test that successfully demonstrated the impact of out-of-phase conditions could damage a large diesel generator.

The INL test did not compromise the relays rather used existing relay settings. (Andy Greenberg’s book Sandworm stated it only took 30 lines of code. In reality, Aurora took zero lines of code). The test met the intent of the Aurora demonstration program—destruction of equipment by bits and bytes, and not by dynamite. Specifically, the damage to the generator included damage to fourteen of sixteen engine cylinders and the destruction of the engine-to-generator coupling. As a result, June 21, 2007, the North American Electric Reliability Corporation (NERC) Electric Sector (ES) – Information Sharing and Analysis Center (ISAC) issued an Advisory on Aurora to Electricity Sector Owners and Operators because the ES-ISAC was aware Aurora could cause significant consequences.

Aurora was initially labeled For Official Use Only. However, in 2015 the Department of Homeland Security (DHS) publicly released more than 800 pages of information about the INL Aurora program. Some of that released information identifies how Aurora could damage ac equipment in refineries, water systems, and pipeline compressor stations.

Aurora is not a hypothetical risk. There have been several domestic and international Aurora events that have damaged critical equipment. Examples include damage to chiller motors in a U.S. data center by relay reclosing from the local utility (the lack of forensics precludes knowing whether the reclosing was malicious or unintentional, or even if done by the utility itself). Another Aurora incident involved the destruction of an Iranian power plant turbine due to a coupling failure similar to the failure of the INL generator. I published this case in December 2020 because of the rarity of a catastrophic coupling failure. And, finally, the December 2016 Russian cyberattack on the Ukrainian power grid attempted to reclose breakers to cause equipment damage — a deliberate attempt to induce an Aurora condition to cause long-term outages.

Get your subscription to Control's tri-weekly newsletter.

In the 2012-time frame, members of Congress (Senator Markey and Congressman Waxman) issued a survey to the utilities on the status of Aurora mitigation because of their concern that Aurora was not being addressed. Their questions included:

1. Does your organization fully understand Aurora?
2. Has your organization assembled a project team to assess Aurora susceptibility and/or develop Aurora mitigation recommendations?
3. What is your plan to respond to customer inquiries regarding Aurora?
4. Has your organization taken steps to mitigate the risk of an Aurora even to attack, as both a consumer and provider of electric power?
5. Is your project plan complete? If not, when do you expect it to be complete? Please indicate within the mitigation plan what types of assets were considered for inclusion.
6. Are your mitigation efforts complete? If not, when do you expect them to be complete?

From 2012 to 2013, DOD initiated a public-private partnership effort to install and monitor Aurora hardware mitigation devices at electric utilities. Two utilities worked with DOD and the effort was documented in the September 2013 Power magazine article, “What You Need to Know (and Don’t) About the Aurora Vulnerability.”

As industry interest in Aurora remained low (anecdotal evidence and responses to the Congressional survey), the Aurora hardware mitigation team worked with Mission Secure Inc. (MSI) to present an Aurora demonstration at the 2016 ICS Cybersecurity Conference. MSI procured a modern digital protective relay to analyze. They arbitrarily chose an SEL751A relay as SEL relays are state-of-the art and prevalent throughout the U.S. electric system. The members of the MSI attack team were not familiar with electric grid operations or protective relays. Yet, within a short period of time, MSI was able to take complete control of the HMI, the SEL relay, etc. At the ICS Cybersecurity Conference, MSI demonstrated a variety of attack scenarios including locking out the operators and administrators, removing the ability to trip, removing the ability to use any of the buttons as manual overrides, and more. The demonstration was not without its detractors. This is why that attack scenario development involved an electric substation manager intimately knowledgeable about relay operation and SEL relays to ensure the test scenarios were credible.