When most people think of the AURORA cybersecurity threat today, they recall an image of an out-of-control generator during a 2007 demonstration test. But the threat didn’t end in 2007. Despite the widespread impact of any AURORA attack and the relatively low cost of mitigating against such attacks, virtually no utilities have taken action to protect the grid and its users from potentially devastating consequences.
Perhaps because the public has been more obsessed in recent years by cybersecurity breaches involving everything from social media accounts to classified military secrets, the amount of attention given to the ongoing threat posed by the AURORA vulnerability has been out of proportion to the extent and severity of the threat. The AURORA vulnerability affects much more than rotating equipment inside power plants. It affects nearly every electricity system worldwide and potentially any rotating equipment—whether it generates power or is essential to an industrial or commercial facility.
If the threat is so widespread, why isn’t industry more concerned and active in seeking solutions? There are a number of possible reasons, from innocent lack of awareness to fear of greater regulation to a desire to avoid unnerving large customers (who may decide they’re better off developing a self-generation plan, thus resulting in a lost customer).
New Systems Require New Security
Reliable operation of the electric grid has always been a primary goal of utilities and other power generators as well as system operators at all levels. To accomplish this goal, utilities monitor system conditions, test system equipment, and conduct system maintenance. Ensuring the reliability and physical security of generation facilities, transmission interchanges, substations, office buildings, and control centers is standard practice for most utilities.
These operation and security practices have worked well in the past; however, with the advent of new communication technologies, a new paradigm in security practices has emerged. This new paradigm is known as cybersecurity.
Cybersecurity encompasses the securing of digital systems, communication systems, and control systems from intentional and unintentional cyber intrusion and physical compromise. The potential for cybersecurity intrusion on a system grid is proportional to the amount of electronic communications to and from control systems that operate on a utility’s networks.
Sometimes the argument is made that isolation of a utility’s network from any external communication makes it secure. However, it is very difficult to “air gap” a system—keep it electronically isolated—and even an air gap does not make a system completely secure from physical access and compromise.
There are many avenues for a cybersecurity intrusion, and one is the vulnerability known as AURORA.
What Is AURORA?
An AURORA attack results when a circuit breaker or breakers are opened and closed, resulting in an out-of-phase condition that can damage alternating current (AC) equipment connected to the grid. A demonstration of this for the Department of Homeland Security, conducted at the Idaho National Laboratory (INL) in 2007, was broadcast by CNN. The results of this specific test demonstrated that the threat associated with rapidly disconnecting and reconnecting a generator to the grid, but out of phase—via physical or cyber intrusion of control systems conducted maliciously or unintentionally—could have serious effects on system operation. Connecting AC equipment out-of-phase is a known vulnerability, but doing it maliciously was brought to light by the test conducted by INL.
There has been confusion about what actually occurred during the AURORA test at INL. That test was planned by relay experts to reflect real conditions with no equipment such as synchronous check relays disabled. Unfortunately, there has been little public information to document what actually occurred; consequently, misinformation about the event has resulted.
The real concern is that the existing protection in all substations worldwide excludes the rapid response needed to mitigate an AURORA-type event.
This means there is a gap in grid protection that can only be mitigated by a hardware fix.
Cybersecurity and AURORA Conditions
Control systems are designed for reliability, safety, and functionality. Many of these systems were originally designed before communication networking was commonplace. Consequently, cybersecurity was of little concern. In the case of electro-mechanical relays that still operate on some utilities’ systems, the only potential for system compromise results from physical access to the relay. Many design features of digital control systems enable these systems to be more operator-friendly and functional. Digital communication networking has become an important cost-saving tool, with many features that allow it to be used for remote monitoring and control of critical systems. Consequently, there is an opportunity where industrial control systems that use digital communications networks can be exploited, turning these features into vulnerabilities.
The presence of control systems within a system grid is vast and provides substantial productivity improvements. However, it also introduces a significant amount of exposure concerning cyber intrusion and physical security. Communication protocols used by control systems and SCADA systems vary based on the design practices of utilities. The most common protocols are DNP, Modbus, IEC 60870-5-103, IEC 61850, Telnet, QUIC4/QUIN, and Cooper 2179. Compromising any of these protocols would allow the malicious party to control these systems outside utility operations.
It is understood that compromising the protocol is not the only step in gaining control of a utility’s SCADA or control systems because of the passwords associated with each piece of equipment. However, compromise of a communication protocol allows access to devices and the ability to compromise their associated passwords.
Such potential cyber intrusion may not call to mind an AURORA condition, but the cyber intrusion or physical compromise of control systems allows for the virtual control of the physical opening or closing of associated protective devices that could contribute to an AURORA condition. Many circuits of utilities carry varying load profiles, from resistive to inductive loads. These circuits may include rotating equipment. This load profile allows for an AURORA condition to take place, indicating that AURORA is not as unique or isolated an incident as might be suggested in previous discussions or research.
One AURORA Attack Can Affect Multiple Facilities
An electricity system comprises generation resources, transmission facilities, distribution facilities, and participation within an energy marketplace. In order for marketplace transactions to take place, a reliable and secure grid is required for the transfer of energy. If a utility’s power grid becomes compromised by a cybersecurity threat, then the reliability of operation of that grid is in question and the interconnection of resources and execution of market transactions becomes compromised.
This effect on generation resources, transmission facilities, and the energy marketplace goes beyond a utility’s system grid to having an effect on other systems through interconnections such as flow gates and source/sinks that make up market agreements and transactions. Consequently, the cybersecurity measures one utility takes can affect other utilities through the various interconnections that exist. If one utility has a less-robust cybersecurity response plan than that of other interconnected utilities, then the interconnected utilities’ cybersecurity response plan effectiveness could be comprised due to a cyber intrusion. Therefore, if a cyber intrusion of one generator or utility’s control systems takes place, then a potential AURORA event could have an effect on other interconnected facilities.
How the AURORA Vulnerability Affects End Users
An AURORA event can affect electricity customers directly and indirectly. The indirect impact is AURORA damaging generators, which can result in loss of load and a potential grid collapse. The direct impact of an AURORA event on end users is seldom understood.
An AURORA event consists of the out-of-sync reconnecting of three-phase rotating equipment. Three-phase equipment includes not only generators but also synchronous induction motors. This means that customer loads in manufacturing facilities, pipelines, refineries, electrified mass transit, and even data centers and power plants are directly at risk from AURORA.
As AURORA can damage or destroy large equipment, the potential impact on end users can be extremely large, and the resulting risk to the utilities that serve these customers can be significant.
Mitigation is relatively inexpensive and straightforward. It entails placing a hardware device between each substation and its loads. That device monitors for the rapid out-of-phase condition associated with an AUORA event and isolates the substation from its loads before the torque of the grid can be applied to the equipment loads.
To date, only two relay protection suppliers provide an AURORA mitigation device: Cooper Power Systems, which offers the iGR-933 Rotating Equipment Isolation Device (REID, Figure 1), and Schweitzer Engineering Laboratories, which offers its SEL 751A feeder protection relay (Figure 2).
|2. Another mitigation device. The SEL 751A feeder protection relay includes AURORA mitigation features and can be used for industrial and utility feeder protection. Courtesy: Schweitzer Engineering Laboratories|
Implementing the AURORA hardware mitigation devices should not be a major undertaking. The devices are the same size and form factor as many other relay devices. They are relatively inexpensive (less than a few thousand dollars each) and have wiring configurations similar to other relays, minimizing installation issues. Typically, there would be one AURORA mitigation device for each substation relay that is connected to customer loads. For a small utility with 20 substations, this could be 10 to 80 devices. For a large utility with 12,000 substations, it could be 1,000 to 24,000 devices.
Compare the cost of installing these devices with the potential impact and risk to the utility from an AURORA event. As AURORA can damage or destroy large generators, motors, or transformers, the cost is both for the equipment replacement and facility downtime. Many large industrial facilities can have downtime costs of more than one million dollars per day. Equipment replacement times can easily be months. The risk should be obvious.
Developing an AURORA Cybersecurity Response Plan
In developing a cybersecurity response plan a utility can create a cybersecurity framework that best addresses its system conditions. When a utility develops its cybersecurity response plan it must consider the roles of IT, operations, and management functions.
In the case of IT, a cybersecurity response plan should define the responsibilities of IT and provide IT staff with the flexibility needed to adjust to the unique network conditions that occur as a result of advancements of technology relating to the support of grid operations. It is important that the IT role does not infringe upon the role of operations in the security of grid operations. Instead, it is important for the cybersecurity response plan to create a framework that develops a symbiotic relationship between IT and operations groups.
The role of the operations team in the development of a cybersecurity response plan is the cybersecurity and physical security of the utility’s control systems and facilities. The programming of control system devices and the testing of those devices and communication between the devices needs to be a function of operations. The mapping of data points for SCADA systems and communication of that data should be the responsibility of both operations and IT. Operations are key in identifying AURORA conditions that exist on the system so those conditions can be addressed as a part of their cybersecurity measures.
The role of management in the development of a cybersecurity response plan is to provide guidance in the development of the plan and emphasize the importance of this plan to employees. Management has a very important role in influencing company culture to ensure security effectiveness and system reliability. If the culture does not change, any efforts made in developing and implementing a cybersecurity response plan become inconsequential.
NERC’s Response to AURORA
On June 21, 2007, the North American Electric Reliability Corp. (NERC) ES-ISAC issued an initial Advisory Alert to registered entities, informing those entities of AURORA. The advisory, titled Mitigation Measure 8—Implement NERC Critical Infrastructure Protection (CIP) Standards CIP-002 through CIP-009, included this statement:
The implementation CIP-002 through 009 is required for electricity sector entities by 2010 (upon FERC approval of the standards). While the purpose of the standards is to ensure the reliability of the grid, the standard allows the owners and operators latitude in identifying critical assets and critical cyber assets. This measure calls for DPCD (Digital Protection and Control Devices) capable of closing breakers that can adversely impact critical electrical rotating equipment to be identified as Critical Cyber Assets (CCA) associated with the NERC CIP-002 Standard. This then requires enhanced cyber security measures, documentation, and compliance measures are enacted per NERC Standards CIP-002 through -009 for these devices.
It can be argued that defining all substations that implemented AURORA hardware mitigation to be considered NERC CCAs could have curtailed the implementation of these devices.
A second Advisory Alert was issued to the utility industry on Oct. 13, 2010, with the intention that it would be used by the industry to provide information on a utility’s knowledge of AURORA and the mitigation plans it may have undertaken since the initial AURORA alert. Responses to this report are required every six months in order to provide information concerning each utility’s ongoing AURORA mitigation efforts.
However, the second advisory states: “This NERC Recommendation is not the same as a Reliability Standard, and a failure to implement this Recommendation will not constitute the sole basis for an enforcement action. However, pursuant to Rule 810 of NERC’s Rules of Procedure, you are required to acknowledge receipt of this Recommendation and report to NERC on the status of your activities in relation to this Recommendation.”
Taken together, these NERC alerts advise utilities to, at their cost, place a significantly larger number of their power grid assets under statutory regulation, review, and audit via the CIP standards and then tell NERC how well they are doing at identifying and protecting those assets. This effort by NERC has some beneficial effects in providing a forum for utility communication concerning AURORA efforts. However, it is still each utility’s responsibility to develop an effective cybersecurity plan and robust company program to guard against cyber intrusion, including an AURORA event.
Treating a new cyber threat through standard alerts and voluntary measures only brings further scrutiny to a complex and highly regulated regime of compliance. It has only served to drive those at risk to a regulatory, rather than a physical response. The self-incriminating feature promoted by the NERC alerts, and lack of AURORA mitigation plans, let alone a comprehensive cyber response effort, has left our critical infrastructures at risk.
It is important to remember that the primary motivation of a utility concerning cybersecurity should be a utility’s desire to have a secure and reliable grid. Though it is important that NERC act as a monitoring agency for the Federal Energy Regulatory Commission, NERC guidance and requirements should not be the motivating factor for a utility in developing a cybersecurity response plan.
As noted, there is no requirement to implement the recommendation for hardware mitigation. Consequently, the dollar impact to the utility can be staggering. Additionally, utility customers’ appetite for risk to their facilities needs to be considered. Are they willing to trust their utility, which has chosen not to install the mitigation and gamble that things will be OK or…?
Current Industry Response to AURORA: Mostly Silence
To date, only two utilities are implementing an AURORA hardware mitigation program. These programs are designed to demonstrate to industry that AURORA mitigation will not negatively impact the reliability of the electric grid, as has been postulated by one utility’s study. It is the authors’ hope that other utilities will see the wisdom of addressing this potentially significant vulnerability. ■
— Michael Swearingen is manager, regulatory policy for Tri-County Electric Cooperative. Steven Brunasso is technology operations manager for a municipal electric utility. Joe Weiss is managing partner of Applied Control Solutions. Dennis Huber is with Booz Allen Hamilton. Michael and Steven are from the utilities participating in the AURORA hardware mitigation studies. Joe and Dennis are supporting the utility efforts.