In late February 2007, the ES-ISAC (Electric Sector - Information Sharing and Analysis Center) was informed of a potential cyber vulnerability dubbed Aurora which, if exploited by an attack, would have significant consequences. Consequently, DHS designated discussions of the Aurora vulnerability as FOUO (for Official Use Only). On March 4, 2007, the Idaho National Laboratory (INL) demonstrated the vulnerability. The vulnerability and the mitigation measures were reviewed in closed sessions with the NERC Critical Infrastructure Protection Committee in March 2007 and again in June 2007.  On June 20, 2007, an ES-ISAC Advisory was issued to generation owners and operators and transmission owners and operators in the electricity sector while the Nuclear Energy Institute (NEI) issued a set of mitigation measures for nuclear power plant operators.  The ES-ISAC Advisory contained a set of mitigation measures that needed to be promptly implemented (yet an advisory has NO mandatory implementation requirements) to address the identified vulnerability.  These measures required (there is that word again that makes it look like regulation which it is not) coordination with transmission owners and operators as well. September 27, 2007 CNN aired a tape of the Aurora vulnerability presumably supplied by DHS.

One would expect that a vulnerability as significant as this with such wide-spread notification and notoriety would be addressed post-haste. WRONG! One would at least think that the information would be made available to cognizant end-users – WRONG AGAIN! The FOUO designation continues despite the repeated airing of the CNN tape and the fact that there are over 182,000 references to the Aurora vulnerability in a simple Google search.

We held the August 2008 Applied Control Solutions Control System Cyber Security Conference in Burr Ridge, IL. Since Cooper Power Systems had produced a patented solution for Aurora (the patent itself is available on the Web), Cooper was asked to give a presentation on Aurora - their first public presentation. For most of the attendees including end-users, it was their first explanation of the Aurora vulnerability. One water utility mentioned their local electric provider refused to answer any questions on Aurora. Last week, I had a chance to discuss this issue with a nuclear utility representative. He mentioned they have multiple transmission providers most of whom refused to tell the nuclear utility anything about their Aurora issues - so much for coordination between transmission providers and generation operators. Yesterday a utility relay protection engineer sent me an e-mail asking about Aurora. Why ask me?  He was not able to get access to the information from his own utility because of the FOUO designation. I could go on with the anecdotes, but hopefully you get the picture.

Any question as to why we need regulation?

Joe Weiss