I have written frequently about the Aurora vulnerability. In preparation for a new book, I was able to find information about an actual Aurora event. The event affected a non-utility facility (no generator involved), which experienced multiple Aurora events over a multi-day span. The events originated from the utility, which was outside the facility’s control. (Aurora can affect nuclear plants, refineries, water facilities, pipelines, hospitals, data centers, and other critical facilities that “are at the mercy” of the utility for Aurora mitigation.)
The Aurora events damaged motors, with one of the motors out of operation for weeks. Had the motors been large industrial motors such as those used in power plants, refineries, mining, etc., they could have taken many months to repair or replace.
The controller logs showed no breaker operation, though the mechanical counter showed breaker operation. (This is similar to what occurred with the March 2007 INL test. The SCADA operator saw no impact until the generator coupling broke and the generator was isolated from the grid, even though the generator was being physically damaged without being seen. The lack of adequate forensics can impact predictive maintenance programs and confidence in remaining life estimates for critical equipment.)
Finally, existing protection failed to prevent the damage. (The 2007 INL generator test, a small-scale motor test at INL, and a small-scale DOD Aurora test facility have all validated that existing relay protection will not prevent an Aurora event from occurring with its potential resulting damage.) This is the gap in protection of the electric grid affecting all electric substations independent of protective relay vendor. Additionally, I am aware of at least one international facility with significant damage that appears to be Aurora-related.
The demonstration of hacking a protective relay used for Aurora mitigation at the October 2016 ICS Cyber Security Conference showed how an Aurora mitigation device could be used as the Aurora initiation device (www.controlglobal.com/unfettered). The 2015 Ukrainian cyber attack and the hacking demonstration should be a wake-up call to address the Aurora vulnerability.
Joe Weiss