Next Thursday, the NERC Critical Infrastructure Protection Committee (CIPC) will have a session on Aurora - the Idaho National Lab demonstration of destroying a diesel generator via a cyber attack. The session will include utilities and vendors. The same day, 500 miles away, PowerGen will be holding a mega session on security. Aurora is a vulnerability unique to rotating equipment which means power generation. The NERC CIPC is not composed of power generation experts. PowerGen is arguably the largest power generation conference of the year.
Aurora was first identified in the March time frame and in the June time frame an ES ISAC Advisory was issued. The ES ISAC Advisory was meant to address what was considered a very important vulnerability. Yet the Advisory did not require identification of all equipment that could be affected as critical. It also referenced NERC CIP-002 which many utilities have used to exclude power plants from being defined as critical cyber assets. The Advisory also was sent to other industries in early September. I was made aware of this when a large oil/gas company called me and asked why the Advisory did not address more pressing plant control system cyber vulnerabilities.
In the October 17th Congressional hearings, the Executive Vice President of NERC was asked how many utilities had responded to a survey on Aurora. His answer to the Congressional Committee was approximately 75% of the transmission providers. Unfortunately, transmission providers have no rotating equipment - how could they respond?
I was at a conference in Washington last month when a large city-owned water company asked me why their local utility refused to tell them what they were doing about Aurora. The fascinating aspect to this was the utility in question had spun off their generation and only had transmission and distribution. Yet, the utility wouldn't tell the water utility they weren't affected and they needed to talk to the independent generators in the area. The utility in question is very active in the NERC CIP process.
Joe Weiss