Not all cyberattacks are malware incidents - it didn’t take any lines of code to blow up a 27-ton generator

Nov. 4, 2020

Andy Greenberg from Wired wrote an article, “How 30 lines of code blew up a 27-ton generator,” about the March 3, 2007 Aurora demonstration. Aurora is not a malware event; it is a gap in the protection of the electric grid. That is, Aurora is a protective relay problem, not a malware issue, so there were NO lines of code that damaged the 27-ton generator. Aurora needs to be addressed quickly: it can be caused by any competent power system protection engineer, and the information is publicly available.

Andy Greenberg from Wired wrote an interesting article, “How 30 lines of code blew up a 27-ton generator,” about the Aurora demonstration held on March 3, 2007, at the Idaho National Laboratory (INL). The Wired article is based on conversations Andy had with Mike Assante; they and the Aurora incident are also discussed in Greenberg’s book Sandworm. The account is interesting, but it can leave readers with the misapprehension that the Aurora demonstration was a malware demonstration. It was not, and no lines of code were needed to damage the generator.

Some background on Aurora

I knew Mike Assante for about twenty years, and I knew the others involved with the INL Aurora test. Starting in December 2011, I was part of a DOD team that worked with interested utilities on the Aurora hardware mitigation program that resulted from the 2007 INL test (only two utilities took advantage of it). As a result, I was able to check my recollections with experts from the INL Aurora and hardware mitigation teams.

There was a meeting at INL before the test, with many representatives from the government in attendance. However, only three industry personnel attended the meeting, and they were test participants (see below for their comments). No utility executives were in attendance. The week after the INL test, DHS gave a closed-door briefing in Atlanta to present the test results to owner-operators in various industries. The publicly available “CNN tape” was created later in 2007.

I have blogged extensively on Aurora; the blogs can be found at www.controlglobal.com/unfettered. Additionally, the Aurora hardware mitigation team wrote an article for the 2013 issue of Power magazine, “What You Need to Know (and Don’t) About the AURORA Vulnerability”; I did a 2019 webinar for Waterfall on Aurora (https://www.controlglobal.com/blogs/unfettered/waterfall-security-podcast-on-aurora-and-the-need-for-engineers/); and on November 4, 2020, I did a 90-minute webinar for the Save The Grid Coalition on Aurora. There were 24 people on the call, of whom two were aware of Aurora: the ex-DHS Director who was responsible for the Aurora test and the utility lead for one of the two Aurora hardware mitigation projects. To the rest, the detailed Aurora information was new. Now consider that Aurora was initially restricted as For Official Use Only (FOUO). However, in 2015 DHS publicly released more than 800 pages on Aurora, and many hackers found the released information.

Aurora was a cyber event, but not a demonstration of malware

In the 2004-2006 time frame, DHS and the national labs conducted numerous control system cyber hacking demonstrations. However, the demonstrations were not sufficient to change industry executives’ minds about the importance of control system cyber security. Consequently, there was a need to demonstrate that a cyberattack could cause kinetic damage. The INL test was meant to demonstrate that:

- a cyberattack could cause physical damage using existing equipment and programming

- malware wasn’t needed to cause a destructive cyber attack

- the equipment protection could be turned into the attack vector

- the electric grid could be the attacker damaging other infrastructures.

The wrong people are addressing Aurora

Aurora is not a malware event but a protective relay issue. According to the person who designed and performed the test, no software was added to the relay; in fact, it wasn’t possible to add software to the relay. The test simply used the appropriate relay settings and reclosed the breaker at the “optimal” out-of-phase condition, with the command issued from a laptop (which is what made the test cyber). The existing relays were not hacked, and no relay protection was bypassed; the test was not rigged. The damage was produced because the Aurora impacts occur before existing relay protection can operate. This is the gap in protection of the electric grid. The gap was further validated in a small-scale test by DOD several years later. The very large torques generated in the out-of-phase condition physically destroyed the generator as thoroughly as if sticks of dynamite had been placed inside it.
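To make the timing argument concrete, here is an added example (mine, not code from the post, from the INL test, or from any relay vendor) that models the out-of-phase reclose with two textbook relations: once a machine is islanded, its phase angle against the grid drifts at 360 × Δf degrees per second, and for two equal-magnitude sources the voltage across the open breaker contacts is 2·V·sin(angle/2). The slip frequency, close timings and the 20-degree sync-check window are assumed for illustration; the `sync_check_permits` gate stands in for angle supervision in general and is not a description of the actual Aurora mitigation hardware.

```python
"""Illustrative model of an out-of-phase reclose, the Aurora mechanism.

Added example for this post, not the INL test setup and not any vendor's
relay logic. All parameter values are assumed for illustration.
"""
import math


def slip_angle_deg(delta_hz: float, t_s: float) -> float:
    """Angle in degrees, wrapped to [-180, 180), between an islanded machine
    running delta_hz off grid frequency and the grid, t_s seconds after the
    breaker opened. Assumes constant slip, which is enough to show the
    time scale involved."""
    angle = 360.0 * delta_hz * t_s
    return ((angle + 180.0) % 360.0) - 180.0


def time_to_angle_s(delta_hz: float, target_deg: float) -> float:
    """Seconds until the slip angle first reaches target_deg (0 < target <= 180)."""
    if not 0.0 < target_deg <= 180.0:
        raise ValueError("target_deg must be in (0, 180]")
    if delta_hz == 0.0:
        raise ValueError("no slip, the angle never drifts")
    return target_deg / (360.0 * abs(delta_hz))


def breaker_voltage_pu(angle_deg: float) -> float:
    """Per-unit voltage across the open contacts for two 1.0 pu sources
    separated by angle_deg: |V1 - V2| = 2 sin(angle / 2). At 180 degrees
    this is 2.0 pu, twice what a bolted terminal fault sees, which is why
    the resulting current and shaft torque are so destructive."""
    return 2.0 * abs(math.sin(math.radians(angle_deg) / 2.0))


def sync_check_permits(angle_deg: float, window_deg: float = 20.0) -> bool:
    """Synchronism-check (ANSI 25) style supervision of a close command:
    permit only when |angle| is inside the window. Assumed window; this is
    generic angle supervision, not the Aurora mitigation device itself."""
    return abs(angle_deg) <= window_deg


def evaluate_close(delta_hz: float, t_close_s: float,
                   supervised: bool, window_deg: float = 20.0):
    """Evaluate a close command issued t_close_s after the open.

    Returns (angle_deg, contact_voltage_pu, closed). With supervision off,
    the command executes regardless of angle: that is the protection gap,
    because nothing in the normal relay scheme is asked to block it."""
    angle = slip_angle_deg(delta_hz, t_close_s)
    closed = (not supervised) or sync_check_permits(angle, window_deg)
    return angle, (breaker_voltage_pu(angle) if closed else 0.0), closed


if __name__ == "__main__":
    slip = 0.5  # Hz, assumed: islanded unit drifts half a hertz off grid
    print(f"time to 120 degrees at {slip} Hz slip: "
          f"{time_to_angle_s(slip, 120.0):.2f} s")
    for t in (0.1, 0.3, 0.6, 0.9):
        for sup in (False, True):
            a, v, c = evaluate_close(slip, t, supervised=sup)
            print(f"t={t:.1f}s supervised={sup!s:5} angle={a:7.1f} deg "
                  f"closed={c!s:5} Vcontact={v:.2f} pu")
```

At an assumed half-hertz slip the angle passes 120 degrees in two thirds of a second, so a close command timed from the laptop lands on the contacts with well over 1.5 pu across them unless something supervising the close refuses it. The unsupervised rows are the gap the post is describing; the supervised rows show what angle supervision in front of the breaker changes.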

The three industry test participants had the following to say: “The Aurora project did demonstrate the ability to exploit the capability of modern protective equipment and cause them to serve as a destructive weapon. I feel that the same results could be achieved by any competent power system protection engineer if provided access and the desire to do so.” “These types of results could be expected if similar operations occurred against a utility or industrial plant.” “With this demonstration…it is clearly time we address the security and integrity of substation devices and protection equipment.”

Despite what some people have written, Aurora events have occurred domestically and overseas, causing significant physical damage. An Aurora event impacted a domestic data center, damaging the chiller motors. It is unclear whether the destruction of a fossil power plant overseas was an Aurora attack, but it does show the hallmarks. Misunderstandings of Aurora are very serious, as Aurora attacks could compromise the industrial infrastructure of the nation. Yet, for whatever reasons, the following misconceptions about the Aurora vulnerability and the INL test persist:

- Existing protection will thwart the attack

- Software patch will fix the problem

- Breakers too slow

- No access

- Simply too hard

- Problem already fixed

- Only generators are vulnerable

- Aurora test generator easily repaired

- Test was faked

Moreover, the question remains why Aurora hasn’t been addressed in the NERC grid exercises or the DARPA Plum Island test. Additionally, the 2019 Dragos report (https://www.dragos.com/wp-content/uploads/Past-and-Future-of-Integrity-Based-ICS-Attacks.pdf) stated that “direct manipulation of equipment to achieve an Aurora-like impact is either extremely difficult, or outright impossible”.

It is short-sighted to focus on any one particular Aurora attack scenario, as there are several that could be used.

The Aurora risk isn’t confined to generators

There’s one other issue about Aurora events worth noting: Aurora is not confined to generators. Because of the CNN tape, people focus on generators without realizing that an Aurora event can also affect alternating current (AC) induction motors, motor control centers (MCCs), and other AC equipment. This means that critical industrial and manufacturing plants could be crippled by an Aurora-type attack. In answer to one of the questions on the Save the Grid Coalition call, the engineer from one of the Aurora hardware mitigation programs explained how they were protecting the large AC induction motors in one of the largest food processing plants in the country (no generators were involved). Damage to the motors could have shut down the food plant, with impacts of $1 million per hour, as the food would have had to be destroyed. Depending on the configuration, Aurora could also damage transformers and variable frequency drives.

Aurora could be exploited by adversaries

As noted in the recent indictment of the Russian GRU cyber operators who, among other things, were active in the 2015 hacking of the Ukrainian power grid, they could have caused an Aurora event in Ukraine. They remotely opened the breakers to turn the lights out, after all, and it would have been possible, had they so chosen, to reclose those breakers. This could have caused an Aurora event, damaging critical infrastructure equipment and leading to very long outages. It’s sobering to recall that the Russian BlackEnergy malware has been detected in US grids since 2014. We can’t always count on their showing the same restraint they showed around Kiev in 2015.
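The control action described above (a breaker opened, then reclosed shortly after) is something operations staff can at least look for in their own command records, even though it does not close the protection gap. The following is an added example, mine and not from the post or any utility, of a simple detection pass over a constructed SCADA command log. The log format, breaker names, user names and the `sync_check=PASS` field are all invented for illustration; a real deployment would read breaker commands from the HMI/SCADA audit trail or relay event records in whatever form those systems actually produce.

```python
"""Detection heuristic for an open-then-rapid-close command sequence on the
same breaker, the control action an out-of-phase reclose requires.

Added example for this post. The log format and the SAMPLE_LOG lines are
constructed for illustration and are not from any utility or incident.
"""
from datetime import datetime

# Constructed sample: SUB7-CB3 is opened and closed 40 s later with no
# sync-check permissive; SUB7-CB4 is closed minutes later with one, then
# opened and immediately closed again, also with a permissive.
SAMPLE_LOG = """\
2021-06-01T02:14:05Z hmi-02 CMD breaker=SUB7-CB3 action=OPEN user=oper1
2021-06-01T02:14:06Z hmi-02 CMD breaker=SUB7-CB4 action=OPEN user=oper1
2021-06-01T02:14:45Z hmi-02 CMD breaker=SUB7-CB3 action=CLOSE user=oper1
2021-06-01T02:20:10Z hmi-01 CMD breaker=SUB7-CB4 action=CLOSE user=oper2 sync_check=PASS
2021-06-01T02:20:30Z hmi-02 CMD breaker=SUB7-CB4 action=OPEN user=oper1
2021-06-01T02:20:33Z hmi-02 CMD breaker=SUB7-CB4 action=CLOSE user=oper1 sync_check=PASS
"""


def parse_line(line: str) -> dict:
    """Parse one constructed-format line into a dict of fields.

    Layout (assumed): '<ISO8601 UTC> <source> <kind> key=value ...'."""
    ts, source, kind, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    fields["kind"] = kind
    return fields


def find_rapid_recloses(log_text: str, window_s: float = 120.0) -> list:
    """Return one alert per CLOSE command issued within window_s seconds of
    the most recent OPEN on the same breaker. A CLOSE carrying
    sync_check=PASS is not alerted, on the assumption (for this constructed
    format) that a supervised close cannot land out of phase."""
    last_open = {}
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["kind"] != "CMD":
            continue
        brk = rec["breaker"]
        if rec["action"] == "OPEN":
            last_open[brk] = rec
        elif rec["action"] == "CLOSE":
            opened = last_open.pop(brk, None)
            if opened is None:
                continue  # no prior OPEN seen for this breaker
            gap = (rec["ts"] - opened["ts"]).total_seconds()
            if gap <= window_s and rec.get("sync_check") != "PASS":
                alerts.append({
                    "breaker": brk,
                    "seconds_since_open": gap,
                    "user": rec.get("user"),
                    "source": rec["source"],
                    "closed_at": rec["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_rapid_recloses(SAMPLE_LOG):
        print("rapid unsupervised reclose:", alert)
```

Two caveats a practitioner should keep in mind. First, this only sees commands that pass through the logging path; an operator station or an adversary talking to the relay directly leaves no such record, which is exactly why the post argues for mitigation in hardware rather than in monitoring. Second, the 120-second window is an assumption; the example above shows that the angle can be destructive within a second, so the window is about catching the sequence, not the physics.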

Joe Weiss