Aurora vulnerability: origin, explanation and solutions

Posted date
26/09/2019
Autor
INCIBE (INCIBE)
Aurora_ICS

In 2007, an experiment called Aurora Generator Test was carried out in the Idaho National Laboratory (INL). The aim of the experiment was to demonstrate the importance of cybersecurity in industrial infrastructure, particularly in the power grid. For this, they carried out a series of attacks, consisting of opening and closing the circuit breaks of a diesel generator, causing them to heat up and subsequently explode.

After twelve years, this vulnerability still exists, threatening not only electrical plants’ diesel generators, but also electric components and rotating systems connected to the power grid.

What dis the experiment consist of?

For the experiment, a 2.25 MW diesel generator was used that implemented the Modbus protocol to communicate with the devices. The controlled cyberattack consisted of disconnecting the generator from the network long enough for the synchronization to be lost and later reconnecting it to the network.

First, they increased the frequency above which the power grid operates to then explode the brake system in charge of lowering the operating frequency. This frequency difference between the generator and the network triggered a response from the relays that damaged the brakes and caused severe shocks in the machine, resulting in an explosion three minutes after it was reconnected to the network.

The results of the experiment were classified until 2014, when the American Department of Homeland Security (DHS) shared the information concerning the attack, along with mitigating measures. Previously, they had forced the country's power companies to implement security measures in order to prevent potential attackers from taking advantage of the vulnerability.

How were they able to accomplish this?

In each electrical system there is a frequency at which, both motors and generators connected to the network, have to work. In the United States, this frequency is 60 Hz, while in Europe it is 50 Hz. In electrical machines, there are devices called relays that control the use of the brakes in order to maintain a constant frequency. The problem is that an attacker can take advantage of the lack of authentication, authorisation and encryption of many industrial protocols used (DNP, Modbus, IEC 60870-5-103, IEC 61850, Telnet, QUIC4/QUIN and Cooper 2179) to send commands to the devices and to disable the brake system, manipulate the protection relays or disconnect a system from the power grid.

There are synchro-phasors in power plants, which are devices associated with protection relays that assess the argument and the voltage or intensity phase, in order to verify that there are no anomalous values and to keep the power grid stable. When a machine is connected to the system and there is a high frequency difference between the machine and the system, the braking system is activated. If there is a very large difference, unstable torques can occur, resulting in serious damage to the installations, even explosions, as in the case of the experiment.

Inadequate performance of the relays can cause desynchronization without disconnecting the electric machine from the network. When variations in frequency occur, other values such as voltage and intensity can also be affected, causing unwanted oscillations in the power grid.

In addition to generators or electric motors, other devices that are particularly affected by a frequency variation due to the Aurora vulnerability are transformers, since outside their nominal operating conditions they may be seriously damaged.

In the aforementioned DHS report, a series of measures were defined in order to avoid adverse events in the power grid, considered a critical infrastructure in most countries. The most immediate measures consisted of installing protection relays and varying the braking system.

In order for an attacker to compromise a relay remotely, they first need certain information, such as:

  • Electronic architecture, typology and number of devices.
  • Use of non-encrypted communications.
  • Device authentication, especially those that use passwords by default, weak or not required.

Aurora SEL

- Information needed for a cyberattack exploding the Aurora vulnerability. Source: Schweitzer Engineering Laboratories. -

How to mitigate it?

There are a wide variety of solutions for the Aurora vulnerability that could be implemented based on the system’s cost and characteristics. In 2010, the North American Electric Reliability Corporation (NERC), ordered the implementation of measures for critical infrastructures, in order to mitigate the Aurora vulnerability through the CIP-002 standard.

  • Switch closing delay supervision: by implanting a protection relay, which ensures a delay in the release of the brakes, preventing a window of opportunity for an Aurora attack. It is a cost-effective solution and significantly reduces the possibility of suffering the vulnerability. If we assume that the attacker has access to the brake and the control switch, making a change in the time controller would not be a very useful solution, since the attacker has numerous possibilities for causing a system failure.
  • Switch command supervision: if the brake system must be closed again due to certain conditions, a monitoring and control scheme can be implemented in the protection relay. This measure allows a normalised closure for fault conditions. If the system is vulnerable to unauthorised access in the communications channel, an automatic shutdown system is a good option.
  • Closure supervision: another method to control an unauthorised brakes closure is to implement a second relay that validates the actions of the control relay. This relay will not have any connection or communication with the outside. Furthermore, it will be configured with a different password and physically installed in a different space than the main relay.
  • Frequency inverter: this protection consists of calculating the frequency’s phase angle to check if any changes are being made. The relay system is turned on speeding up or slowing down in order to offset the frequency.

Subsequently, the DHS report was declassified in 2014 so that other countries and companies knew about the vulnerability and could take steps to solve it.

Conclusions

Despite twelve years having passed since the discovery of this problem, today there are numerous industrial systems that work with electric machines and still do not have protection measures against this vulnerability. For this reason, there is a need to raise awareness among such companies so that they take steps in this regard and thus be able to operate more securely, since prevention costs are negligible compared to the losses that may be generated.

Relay protection schemes are an easy to implement option for limiting Aurora vulnerability, along with redundant and well-segmented testing methods, that make the desynchronization or connection of a synchronized machine to the network by an attacker more difficult. Later, more specific measures, such as those previously noted in the mitigation section, must be implemented, taking into account the system type and operation. Industrial systems related to power generation are the most exposed to the Aurora vulnerability and, therefore, must have all available protective measures.

Go top