Physics issues such as Aurora are not understood by many ICS cyber security experts – this can be an existential miss

On January 28, 2019, CSO magazine published an article on Aurora - https://www.csoonline.com/article/3336061/critical-infrastructure/why-america-is-not-prepared-for-a-stuxnet-like-cyber-attack-on-the-energy-grid.html. The author was good enough to speak with me after the article was released, as I didn’t understand why he wanted pro/con discussions on issues related to physics. The physics issues that can damage critical equipment with long replacement times are of existential importance because they can affect the long-term viability of the electric grid.

Aurora has been widely misunderstood: what has come to be known as the “Aurora vulnerability” is the opening and then reclosing of protective relays out-of-phase with the grid. The Aurora vulnerability constitutes a gap in the protection of the electric grid, as the Aurora event occurs before existing relay protection, including synchronization check relays, can operate. Opening relays causes short-term outages. Reclosing relays, analog or digital, out-of-phase with the grid creates a large torque and current spike that will damage AC rotating equipment and transformers connected to the affected substation, which can result in very long-term outages (many months to even years).

An Aurora event becomes a cyber incident if remote access is used to open and then reclose the relays. An Aurora event can also be caused by physically switching the relay on and off at the breaker panel. There are protections available. When Aurora isolation devices are used appropriately, Aurora becomes a non-issue. Without specially designed Aurora isolation devices, you can’t protect the AC rotating equipment and transformers connected to these substations from an Aurora event. Unfortunately, very few US utilities have installed the appropriate Aurora mitigation in the recommended manner. As Aurora occurs within milliseconds, OT network monitoring will not detect this issue in time, if at all.
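The timing gap described above can be put into numbers. The following is an added first-order estimate, not code from the article or from any Aurora mitigation program: it assumes a constant frequency slip between an islanded generator and the grid once the breaker opens, a synchronism-check relay with assumed settings (10 degree window, 500 ms to settle), and the standard phasor result that reclosing two equal voltages delta degrees apart drives a current of 2*sin(delta/2) times the bolted three-phase fault current at that point.

```python
import math

# Assumed values (constructed for this example, not taken from the article).
SYNC_CHECK_MAX_ANGLE_DEG = 10.0   # window inside which a close is permitted
SYNC_CHECK_SETTLE_S = 0.5         # time the relay needs before it can decide


def phase_angle_deg(slip_hz, t_s):
    """Angle between generator and grid voltages t_s seconds after the breaker
    opens, for a constant frequency slip in Hz. Wrapped to [-180, 180]."""
    raw = 360.0 * slip_hz * t_s
    return ((raw + 180.0) % 360.0) - 180.0


def reclose_current_vs_fault(angle_deg):
    """Inrush on an out-of-phase reclose, as a multiple of a bolted three-phase
    fault at the same point. Two equal phasors delta apart differ by
    2*V*sin(delta/2); dividing by the same series reactance that limits the
    fault current leaves 2*sin(delta/2). At 180 degrees this is twice the
    fault current, which is what tears up shafts and windings."""
    return 2.0 * math.sin(math.radians(abs(angle_deg)) / 2.0)


def sync_check_permits_close(angle_deg, t_since_open_s,
                             max_angle_deg=SYNC_CHECK_MAX_ANGLE_DEG,
                             settle_s=SYNC_CHECK_SETTLE_S):
    """Simplified synchronism-check relay. It permits a close only once it has
    had settle_s to evaluate the angle AND the angle is inside its window.
    Before settle_s it has issued no supervisory decision at all; a reclose
    pushed through in that interval is the gap the article describes."""
    return t_since_open_s >= settle_s and abs(angle_deg) <= max_angle_deg


def assess_reclose(slip_hz, reclose_after_s):
    """Estimate the consequence of an open-then-reclose cycle: angle at the
    moment of reclose, inrush relative to a fault, and whether the
    synchronism-check relay could have blocked it."""
    angle = phase_angle_deg(slip_hz, reclose_after_s)
    return {
        "angle_deg": round(angle, 1),
        "current_x_fault": round(reclose_current_vs_fault(angle), 2),
        "sync_check_permits": sync_check_permits_close(angle, reclose_after_s),
    }


if __name__ == "__main__":
    # Constructed scenario: 1 Hz slip, breaker reclosed 250 ms after opening.
    print(assess_reclose(1.0, 0.25))
```

With a 1 Hz slip the voltages are 90 degrees apart after 250 ms, the inrush is about 1.4 times fault current, and the synchronism-check relay has not yet had time to decide anything, which is why protection added for Aurora has to act on its own, faster timescale.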

I supported DOD on the Aurora hardware mitigation program for several years. Consequently, I am well aware of what Aurora is and isn’t. The March 2007 Aurora test by the Idaho National Laboratory (INL) was to demonstrate that a cyber event could cause kinetic damage, with the hope that industry would take control system cyber security more seriously. For reasons only they can answer, the North American Electric Reliability Corporation (NERC) downplayed the test in ways that led, and continue to lead, many electric utilities to disregard the test and Aurora. In fact, NERC testimony twice misinformed Congress on Aurora (these occurred at US House Congressional hearings in 2007, at which I testified, and in 2008: https://legacyexternalwebsitefiles.balch.com/upload/NERC%20Cyber%20Security%20Testimony%20(Langevin).pdf). Moreover, the CNN tape of the Aurora test (https://www.youtube.com/watch?v=fJyWngDco3g) was misleading, as Aurora is neither malware nor an attack just on a diesel generator.

At least one actual Aurora incident (not the INL test) has caused equipment damage that did not affect diesel generators but Alternating Current (AC) induction motors. Aurora turns most critical infrastructure discussions on their head, as they tend to assume the grid must be protected at all costs. Aurora, however, uses the electric grid itself as the attack vector with the grid protection as the attack vehicle – what can protect you when you are using the protection against yourself? Unfortunately, knowledge of Aurora is now available to potential threat actors, as DHS declassified more than 800 pages of INL’s Aurora program from the 2014 time frame, and this information found its way onto hacker websites world-wide.

Cyber security experts who may not understand the physics of these systems can provide misleading information, and some of that appeared in the CSO article. "Doing that [an Aurora-like attack] at scale is extremely difficult," says Patrick Miller, managing partner at ICS security consultancy Archer International. "There are manual protective devices in place that operate in some cases electromechanically and not digitally." But as noted above, Aurora can occur whether there are electromechanical or digital relays. "Any such attack would also not cascade across the United States because of the way the energy grid was built historically, Miller points out. It's physically impossible to get through a phase shifter at the interconnection points between the Texas and eastern and western grids." However, because existing relay protection is not fast enough to prevent an Aurora event, phase shifter protection is irrelevant for Aurora events. As the Russians have installed BlackEnergy malware in the US grids since at least 2014, we can assume they have detailed knowledge of the grid and ample opportunity to create multiple Aurora events in different locations. The range of damage and impact of an Aurora event depends on the equipment connected to the substations. Generally, distribution substations would affect less equipment than would transmission substations.

The aspect of the threat many cyber security experts focus on is the temporary disruption of power distribution. “A nationwide blackout as described in the 2014 Congressional report is a realistic threat,” Joe Slowik, a senior threat analyst knowledgeable about energy grid security, told a group of journalists earlier this month at the offices of Dragos, a consultancy that specializes in ICS security. “A worm that could knock out the energy grid is entirely plausible,” he said. As mentioned, a worm or other forms of malware can cause widespread outages, but if they do not damage critical grid equipment the outages will be short-lived (see the 2003 Northeast outage and the 2015/2016 Ukrainian cyber attacks). The Dragos report on Crashoverride/Industroyer addressed remotely opening the relays and keeping the relays open, which causes short-term outages such as what occurred in the Ukraine. That’s a real threat, and one that has inflicted real disruption, but less attention has been paid to attacks or incidents that can cause permanent damage to critical equipment, especially to critical equipment that’s difficult to replace, and whose destruction can cause outages of months, not just hours or days. The Dragos report, for example, did not address reclosing the relays (i.e., Aurora), which causes physical damage and long-term outages.

It is the physics issues, such as Aurora, that cause long-term damage and require engineering expertise. Consequently, there is a need to have both network cyber security and engineering expertise to properly address ICS cyber security, particularly for physics issues, which are existential issues.

Joe Weiss