Google Aurora vs ICS Aurora – An industry and DHS debacle

This is actually two blogs in one. The first is about DHS releasing critical information they weren’t even asked for. The second is about the lack of progress on addressing a subject that DHS made public.

On May 17, 2014, a request was made under the Freedom of Information Act (FOIA) to obtain copies of material in the possession of DHS, in particular on Operation Aurora or the Elderwood Group. Operation Aurora consisted of coordinated Internet-based malicious activities and associated behavior against identified targets utilizing specialized malicious software. Targets cited in the material and identified in media articles describing Operation Aurora include Adobe Systems, Northrop Grumman, Juniper Networks and Rackspace. Google made the existence of Operation Aurora public on 12 January 2010. Unfortunately, Operation Aurora was also the name given to the project at the Idaho National Laboratory (INL). It shouldn’t take a genius to realize what happens when DHS gives the same name to two different programs. Unfortunately, on July 3, 2014, DHS released more than 800 pages of previously For Official Use Only (FOUO) information on the INL Aurora project to a website the ICS community generally would not visit.

As I have been persistently mentioning, Aurora is a physical gap in the protection of the electric grid – everywhere! It was demonstrated at INL in March 2007, with the accompanying CNN tape. However, until July 3, 2014, DHS classified Aurora as FOUO, meaning the only public information was the CNN tape.

On July 6th, Dan Goodin of Ars Technica came across hundreds of pages of recently released information related to and resulting from the Aurora experiment of March 2007, in which a SCADA-controlled turbine was “supposedly” damaged. The material was released as a result of a FOIA request. Dan asked me again what the consensus opinion was about Aurora. His memory is that it was largely discredited. He was right in that industry (and even the California PUC) continues to discredit Aurora. However, the pertinent question to ask is whether Aurora is real. If Aurora is real, it doesn’t matter that there is a consensus trying to pretend it isn’t. You have NERC and DOE to thank for the fact that we are even having this discussion, because they were the organizations responsible for misleading industry then and now. The previous President of NERC was threatened with Contempt of Congress for lying to Congress about Aurora in 2008 (the hearing minutes are on the House Homeland website). You have DHS to thank for keeping Aurora classified as FOUO for almost 7 years, which has prevented industrial end-users from knowing what was real. You have Dominion Energy to thank for sponsoring a project by Quanta to discredit the Aurora hardware mitigation using questionable assumptions.

A reasonable question to ask is why utilities are fighting a real problem that every freshman electrical engineering student learns about. I believe the answer is that the utility industry is focused on passing NERC CIP audits. The reason can be found in the first NERC Advisory on Aurora: if a utility has any devices that can be affected by Aurora, they are classified as NERC Critical Assets and must be addressed under the NERC CIPs. Large utilities like PG&E, SCE, Southern, and Entergy have more than 10,000 substations and don’t want to have to perform cyber security audits of every substation, even though Aurora affects every substation. Why is this a problem beyond the electric industry? Because the electric substations are the vehicles for destroying the AC rotating equipment of their customers. The released FOUO DHS documents identify refineries, water systems, and pipelines as exposed to Aurora.

Where are we today? After all these years, with the exception of two utilities implementing the Aurora hardware mitigation, the rest are doing paper studies to attempt to justify that their systems are not susceptible to Aurora. What is even more interesting is that the two utilities performing the hardware mitigation are so small they have no NERC CIP critical assets. Consequently, the only two utilities ACTUALLY trying to address Aurora are those that do not have to meet the NERC CIPs! On June 25, 2014, at the Cyber Endeavor Conference at the Naval Postgraduate School, DOE again tried to play down Aurora and play up what industry was doing. EPRI issued a report on Aurora in December 2013 in which they didn’t talk to anyone from the INL test or from the utilities implementing the Aurora hardware fix. How else can this be read other than as an attempt to justify an unjustifiable approach?

With the continuing lack of physical security at some substations, and with some utilities having substation equipment directly connected to the Internet (see my previous blogs), the stage is set for Aurora conditions that could affect multiple parts of the grid for months. FERC and DOD seem to think this is a real problem; why don’t DOE and NERC?

DHS is now claiming they meant to release the INL Aurora information because it is 7 years old and Aurora is no longer a problem. Who is kidding whom? This information was not requested. Only two utilities implementing the Aurora hardware mitigation are identified in the documentation. Additionally, the DHS information release identifies specific refineries, water systems, and pipelines that can be susceptible to Aurora. I hope those equipment owners can sleep better because DHS says it is no longer a problem.

This is at least the second time DHS has been caught unprepared and had to come up with an excuse to explain away a problem.

Joe Weiss