The ICS cyber security blog post of 09.04 recalls the so-called Aurora test carried out in March 2007 at the Idaho National Laboratory in the USA. The memorable ‘result’ of the test, the seemingly fatal failure of a 2.25 MW diesel-generator unit, is shown in a widely publicised video.
There is also a certain mystique surrounding the test. This is perhaps due to the fact that, although the documents were not classified, access to them was limited until July 2014. The most relevant documents that were made public at the time, running to hundreds of pages, are available here.
The mystique may have been heightened by the fact that, at the time of the test, it was not yet obvious that problems affecting the cyber security of technological systems can only be effectively understood and addressed in context, through close collaboration between experts in cyber security and in the technological disciplines concerned. In the absence of such collaboration, both sides may have overestimated the sophistication of the Aurora test. Given the test objective,
even a student of power (heavy-current) electrical engineering could have predicted that (repeated) asynchronous switching of a rotating electrical machine would lead to its damage.
From a cyber security point of view, it may seem equally trivial that a remotely accessible programmable device can eventually be used to trigger any operation that is reachable remotely.
Even the common name of the incident (Aurora generator test) needs clarification. In the linked video it is clearly visible that, after repeated shocks to the machine unit, it is not the generator that starts smoking but the diesel engine driving it! So the test would perhaps more correctly be called the Aurora rotating machine test.
(Note 1. The physics of the damage that can be caused: electricity is generated, transported and distributed in three-phase systems, in which each phase is represented by a rotating vector, the three vectors being 120 degrees apart. If the vectors of two three-phase systems and/or pieces of equipment to be interconnected rotate in alignment, i.e. synchronously, they can be interconnected without any problems. When, on the other hand, the rotating vectors are “coupled” in different or completely opposite positions, currents are generated that are short-lived but large, and these place considerable thermal and dynamic strain on the connected equipment.)
(Note 2. It may be noted that simulation technologies capable of modelling every element and every moment of the test were already available at the time of the test, and are certainly available now; that is, the test could have produced the known results without the actual and expensive destruction of the rotating machine unit. This underlines the importance of cooperation between the different disciplines!)
(Note 3. It is fortunate that SeConSys is based on cooperation between the different disciplines involved.)
But let’s look at the substance of the test! Let us first analyse its timing. In the years before 2007, digital protection and control technologies were already widespread in electrical installations worldwide, including in our country. However, the design and operation of these systems were undoubtedly less influenced by cyber security considerations than they are today, and the vulnerability of electrical technology to such threats was certainly not widely known.
So the real significance of the Aurora test lies not so much in the vibrations of the machine unit, the flying parts and the billowing smoke. Rather, it lies in the birth of the idea that
technological equipment can be physically damaged by manipulating the very devices originally intended to protect and control it!
In 2007, this idea was still a novelty. Documents available as of July 2014 show that the US DHS, recognising the exploitation of Aurora-like ‘vulnerabilities’ as a new attack vector, launched an extensive investigation into critical infrastructure.
And it may also have been an important confirmation for the planners of the Stuxnet attack in the late 2000s – aimed at physically damaging uranium centrifuges – or the December 2016 attack in Ukraine, which also targeted SIEMENS protection relays…
Some elements of the article cited in the post should be treated with some reservation. The very first paragraph of the article is confusing because of the ambiguity of the word “brake”. What clearly happened in the test was that a rotating machine broke down. By contrast, although “brake” can be read as a brake in the context of a rotating machine, it can also be read as “breaker”, which is the common term in Hungarian; the usual English equivalent, however, is ‘circuit breaker’. If the function described, i.e. checking the conditions for synchronous connection and enabling the connection only when they are met, is what is meant, then the usual English term is ‘synchro check’ and the device providing it is a ‘synchro check relay’. Lastly, the asynchronous starting of any rotating machine is primarily a hazard not to the circuit breaker that performs the switching but to the rotating machine unit that is out of the synchronous position. Whether what happened in the test can be called an explosion is also a matter of opinion; it is perhaps more correct to classify it as (significant) physical damage. Overall, based on the article, it seems likely that its author is using “breaker” in the sense of “circuit breaker” as described above. Fortunately, the last two sections of the article (“How to mitigate it?” and “Conclusions” respectively) contain statements that are correct from a power engineering perspective.
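To make the physics of Note 1 and the synchro-check function discussed above concrete, here is a small worked example. It is added here and is not code from the original post, from the cited article or from any real relay: it treats one phase of each of two three-phase systems as a rotating vector of the same magnitude, computes the voltage that appears across the breaker contacts and the resulting loop current as a function of the angle difference, and models the permissive logic of a synchro check relay that only enables closing when angle, slip and voltage difference are within limits. All numerical values (230 V phase-to-neutral, the loop impedance, the relay limits) are constructed for illustration.

```python
import cmath
import math

# Constructed example values (not from the post or from any real installation).
V_RMS = 230.0                   # phase-to-neutral RMS voltage of each system, volts
Z_LOOP = complex(0.05, 0.5)     # impedance of the loop closed by the breaker, ohms


def phasor(v_rms, angle_deg):
    """Rotating vector of one phase, frozen at the moment of closing."""
    return cmath.rect(v_rms, math.radians(angle_deg))


def voltage_across_breaker(delta_deg, v_rms=V_RMS):
    """Magnitude of the voltage between the two sides of the open breaker.

    For equal magnitudes this equals 2*V*sin(delta/2): zero when the two
    systems are in phase, 2*V when they are in opposition (delta = 180 deg).
    """
    return abs(phasor(v_rms, 0.0) - phasor(v_rms, delta_deg))


def closing_current(delta_deg, v_rms=V_RMS, z_loop=Z_LOOP):
    """RMS current driven around the loop when the breaker closes delta_deg
    out of phase (steady-state phasor estimate; the DC offset of the real
    transient is ignored, so the true first peak is higher still)."""
    return voltage_across_breaker(delta_deg, v_rms) / abs(z_loop)


def three_phase_closing_currents(delta_deg):
    """Same calculation for phases A, B, C, whose vectors sit 120 degrees
    apart; in a balanced system every phase sees the same differential."""
    currents = {}
    for name, offset in (("A", 0.0), ("B", -120.0), ("C", 120.0)):
        diff = phasor(V_RMS, offset) - phasor(V_RMS, offset + delta_deg)
        currents[name] = abs(diff) / abs(Z_LOOP)
    return currents


def synchro_check(delta_deg, slip_hz, volt_diff_pu,
                  max_angle_deg=10.0, max_slip_hz=0.1, max_volt_pu=0.05):
    """Simplified permissive logic of a synchro check relay (constructed limits):
    closing is allowed only if angle difference, frequency difference (slip)
    and voltage difference are all within their limits."""
    return (abs(delta_deg) <= max_angle_deg
            and abs(slip_hz) <= max_slip_hz
            and abs(volt_diff_pu) <= max_volt_pu)


if __name__ == "__main__":
    for delta in (0, 10, 60, 120, 180):
        print(f"delta={delta:4d} deg  V_breaker={voltage_across_breaker(delta):7.1f} V  "
              f"I_close={closing_current(delta):8.1f} A  "
              f"permitted={synchro_check(delta, 0.0, 0.0)}")
```

The table the script prints shows the point of Note 1 in numbers: at 0 degrees the breaker carries no circulating current, at 180 degrees the differential voltage is twice the system voltage and the loop current is the largest the impedance allows. The relay function is the mitigation side of the same physics: a device that inserts this check in front of every close command (and whose settings and firmware are protected from remote manipulation) is what prevents the sequence seen in the video.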
Overall, the importance of the Aurora test should be neither over- nor underestimated. There was
nothing that happened during the test that could not have been predicted “on the spot” from a power engineering point of view, without spending a single dollar.
At the same time, the test is an important milestone in the process of events from the recognition of the physical vulnerability of technology to cyber-attack, through the Stuxnet attack, to the 2017 attack on the safety system of an oil refinery in Saudi Arabia.
When, where and what will be the next industrial/energy target to be destroyed?
We welcome messages either agreeing or disagreeing with the above. For example, by responding to them in a new post, a substantive professional exchange of views could be initiated.
Translated by DeepL