Aurora Generator Test

[Image: The diesel generator used in the Aurora experiment beginning to smoke.]

Idaho National Laboratory ran the Aurora Generator Test in 2007 to demonstrate how a cyberattack could destroy physical components of the electric grid.[1] The experiment used a computer program to rapidly open and close a diesel generator's circuit breakers out of phase from the rest of the grid and cause it to explode. This vulnerability is referred to as the Aurora Vulnerability.

This vulnerability is especially a concern because much grid equipment supports using Modbus and other legacy communications protocols that were designed without security in mind. As such, they don't support authentication, confidentiality, or replay protection, which means any attacker that can communicate with the device can control it and use the Aurora Vulnerability to destroy it. This is a serious concern, as the failure of even a single generator could cause widespread outages and possibly cascading failure of the entire power grid, like what occurred in the Northeast blackout of 2003. Additionally, even if there are no outages from the removal of a single component (N-1 resilience), there is a large window for a second attack or failure, as it could take more than a year to replace it, because many generators and transformers are custom-built for the substation.

The Aurora vulnerability can be mitigated by preventing the out-of-phase opening and closing of the breakers. Some suggested methods include adding functionality in protective relays to ensure synchronism and adding a time delay for closing breakers.[2] Most modern-day generators have many protections against out-of-sync generator breaker operations. Devices such as the IEEE 25 Sync Check relay, as well as IEEE 46, 47, 50, and 53, are commonly used to prevent out-of-phase opening and closing of the breakers from ever happening. In addition, the majority of the generator relays used do not have any type of communication; they inhibit generator breaker operation by not allowing the breaker close circuit to operate.[citation needed]

Experiment

To prepare for the experiment, the researchers procured and installed a 2.25 MW generator and connected it to the substation. They also needed access to a programmable digital relay or another device that controls the breaker. That access could have been through a mechanical or digital interface.[3]

In the experiment, the researchers used a cyberattack to open and close the breakers out of sync, to maximize the stress. Each time the breakers were closed, the torque from the synchronization caused the generator to bounce and shake, eventually causing parts of the generator to be ripped apart and sent flying off.[4] Some parts of the generator landed as far as 80 feet away from the generator.[5]

The unit was destroyed in roughly three minutes. However, this was only because the researchers assessed the damage from each iteration of the attack. A real attack could have destroyed the unit much more quickly.[4]

The experiment was designated as unclassified, for official use only.[6] On September 27, 2007, CNN published an article based on the information and video DHS released to them,[1] and on July 3, 2014, DHS released many of the documents related to the experiment as part of an unrelated FOIA request.[7]

Vulnerability

The Aurora vulnerability is caused by bypassing the protective relays.[4] This would require knowledge of the switchgear for that particular plant, access to that gear, and physical jumpers placed to enable the bypass.[citation needed] Proper security of electrical switchgear rooms will prevent this from happening. While certainly plausible, this would be highly unlikely.[citation needed]

"A close, but imperfect, analogy would be to imagine the effect of shifting a car into Reverse while it is being driven on a highway, or the effect of revving the engine up while the car is in neutral and then shifting it into Drive."[4]

"The Aurora attack is designed to open a circuit breaker, wait for the system or generator to slip out of synchronism, and reclose the breaker, all before the protection system recognizes and responds to the attack... Traditional generator protection elements typically actuate and block reclosing in about 15 cycles. Many variables affect this time, and every system needs to be analyzed to determine its specific vulnerability to the Aurora attack... Although the main focus of the Aurora attack is the potential 15-cycle window of opportunity immediately after the target breaker is opened, the overriding issue is how fast the generator moves away from system synchronism."[8]

Mitigations

The Aurora vulnerability is caused by the out-of-sync closing of the protective relays. As such, any mechanism that prevents the out-of-sync closing would mitigate the vulnerability.

One mitigation technique is to add a synchronism-check function to all protective relays that potentially connect two systems together. To implement this, the function must prevent the relay from closing unless the voltage and frequency are within a pre-set range. Additionally, the synchronism-check could monitor the rate of change of the frequency and prevent closing above a set rate.[2]
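The synchronism-check logic described above, together with the closing time delay mentioned earlier, can be sketched as follows. This is an added example, not code from the cited SEL paper or from any relay vendor; every threshold, the 60 Hz nominal frequency, the constant-acceleration drift model and the phase-angle check are illustrative assumptions.

```python
from dataclasses import dataclass

@dataclass
class Limits:  # illustrative settings (assumptions), not values from any relay
    max_dv_pu: float = 0.05       # voltage magnitude difference, per unit
    max_slip_hz: float = 0.1      # generator/bus frequency difference
    max_angle_deg: float = 10.0   # phase angle difference (added check)
    max_rocof_hz_s: float = 0.5   # rate of change of generator frequency
    min_open_s: float = 0.5       # time delay before a close is accepted

@dataclass
class Sample:
    t: float          # seconds since the breaker opened
    v_gen: float      # per unit
    v_bus: float
    f_gen: float      # Hz
    f_bus: float
    angle_deg: float  # generator angle minus bus angle

def block_reasons(prev: Sample, cur: Sample, lim: Limits = Limits()) -> list:
    """Return the checks that block a close command; empty list = permit."""
    rocof = (cur.f_gen - prev.f_gen) / (cur.t - prev.t)
    angle = (cur.angle_deg + 180.0) % 360.0 - 180.0   # wrap to [-180, 180)
    checks = {
        "voltage": abs(cur.v_gen - cur.v_bus) > lim.max_dv_pu,
        "slip": abs(cur.f_gen - cur.f_bus) > lim.max_slip_hz,
        "angle": abs(angle) > lim.max_angle_deg,
        "rocof": abs(rocof) > lim.max_rocof_hz_s,
        "delay": cur.t < lim.min_open_s,
    }
    return [name for name, blocked in checks.items() if blocked]

def drifting(t: float, accel_hz_s: float, f_bus: float = 60.0) -> Sample:
    """Constructed model: an unloaded generator accelerating at a constant rate."""
    f_gen = f_bus + accel_hz_s * t
    angle = 360.0 * 0.5 * accel_hz_s * t * t   # integral of slip, in degrees
    return Sample(t, 1.0, 1.0, f_gen, f_bus, angle)

def reclose_at(t: float, accel_hz_s: float) -> list:
    """Evaluate a close command at time t using two samples one cycle apart."""
    cycle = 1.0 / 60.0
    return block_reasons(drifting(t - cycle, accel_hz_s), drifting(t, accel_hz_s))

if __name__ == "__main__":
    print(reclose_at(0.25, 2.0))   # close command 15 cycles after opening
    print(reclose_at(5.0, 0.0))    # generator held in step with the bus
```

With these constructed inputs, a close command arriving 15 cycles after the breaker opened is refused on slip, angle, rate of change and delay, while a generator that stays in step with the bus is allowed to close.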

Criticisms

There was some discussion as to whether Aurora hardware mitigation devices (HMD) can cause other failures. In May 2011, Quanta Technology published an article that used RTDS (Real Time Digital Simulator) testing to examine the "performance of multiple commercial relay devices available" of Aurora HMDs. To quote: "The relays were subject to different test categories to find out if their performance is dependable when they need to operate, and secure in response to typical power system transients such as faults, power swing and load switching... In general, there were technical shortcomings in the protection scheme’s design that were identified and documented using the real time testing results. RTDS testing showed that there is, as yet, no single solution that can be widely applied to any case, and that can present the required reliability level."[9] A presentation from Quanta Technology and Dominion succinctly stated in their reliability assessment "HMDs are not dependable, nor secure."[10]

Joe Weiss, a cybersecurity and control system professional, disputed the findings from this report and claimed that it has misled utilities. He wrote: "This report has done a great deal of damage by implying that the Aurora mitigation devices will cause grid issues. Several utilities have used the Quanta report as a basis for not installing any Aurora mitigation devices. Unfortunately, the report has several very questionable assumptions. They include applying initial conditions that the hardware mitigation was not designed to address such as slower developing faults, or off nominal grid frequencies. Existing protection will address “slower” developing faults and off nominal grid frequencies (<59 Hz or >61 Hz). The Aurora hardware mitigation devices are for the very fast out-of-phase condition faults that are currently gaps in protection (i.e., not protected by any other device) of the grid."[11]

Timeline

On March 4, 2007, Idaho National Laboratory demonstrated the Aurora vulnerability.[12]

On June 21, 2007, NERC notified industry about the Aurora vulnerability.[13]

On September 27, 2007, CNN released a previously classified demonstration video of the Aurora attack on their homepage.[1]

On October 13, 2010, NERC released a recommendation to industry on the Aurora vulnerability.[13]

On July 3, 2014, the US Department of Homeland Security released 840 pages of documents related to Aurora.[7]

References

  1. "Mouse click could plunge city into darkness, experts say", CNN, September 27, 2007. Source: http://www.cnn.com/2007/US/09/27/power.at.risk/index.html
  2. "Myth or Reality – Does the Aurora Vulnerability Pose a Risk to My Generator?", Mark Zeller, Schweitzer Engineering Laboratories, Inc. Source: https://www.selinc.com/WorkArea/DownloadAsset.aspx?id=8504
  3. FOIA response documents, page 91. Source: http://s3.documentcloud.org/documents/1212530/14f00304-documents.pdf
  4. FOIA response documents, page 59. Source: http://s3.documentcloud.org/documents/1212530/14f00304-documents.pdf
  5. International Spy Museum, Master Script. Source: http://www.spymuseum.org/files/resources/master-script_8_13_13.pdf
  6. FOIA response documents, page 134. Source: http://s3.documentcloud.org/documents/1212530/14f00304-documents.pdf
  7. FOIA Request - Operation Aurora. Source: https://www.muckrock.com/foi/united-states-of-america-10/operation-aurora-11765
  8. "Common Questions and Answers Addressing the Aurora Vulnerability", Mark Zeller, Schweitzer Engineering Laboratories, Inc. Source: https://www.selinc.com/workarea/downloadasset.aspx?id=9487
  9. QT e-News, Quanta Technology, Volume 2, Issue 2, Spring 2011, page 3. Source: http://quanta-technology.com/sites/default/files/doc-files/2011-05-Spring-QT-News.pdf
  10. QT e-News, Quanta Technology, Aurora Vulnerability Issues & Solutions Hardware Mitigation Devices (HMDs), July 24, 2011. Source: https://www.smartgrid.gov/sites/default/files/doc/files/Aurora_Vulnerability_Issues_Solution_Hardware_Mitigation_De_201102.pdf
  11. "Latest Aurora information – this affects ANY electric utility customer with 3-phase rotating electric equipment!", Unfettered Blog, September 4, 2013. Source: http://www.controlglobal.com/blogs/unfettered/latest-aurora-information-this-affects-any-electric-utility-customer-with-3-phase-rotating-electric-equipment/
  12. "U.S. video shows hacker hit on power grid", USA Today, September 27, 2007. Source: http://usatoday30.usatoday.com/tech/news/computersecurity/2007-09-27-hacker-video_N.htm
  13. NERC Press Release, NERC Issues AURORA Alert to Industry, October 14, 2010. Source: http://www.ect.coop/wp-content/uploads/2010/10/PR_AURORA_14_Oct_10.pdf