Aurora Generator Test

Last updated
The diesel generator used in the Aurora experiment beginning to smoke. Aurora generator starting to smoke.png
The diesel generator used in the Aurora experiment beginning to smoke.

Idaho National Laboratory ran the Aurora Generator Test in 2007 to demonstrate how a cyberattack could destroy physical components of the electric grid. [1] The experiment used a computer program to rapidly open and close a diesel generator's circuit breakers out of phase from the rest of the grid, thereby subjecting the engine to abnormal torques and ultimately causing it to explode. This vulnerability is referred to as the Aurora Vulnerability.

Contents

This vulnerability is especially a concern because most grid equipment supports using Modbus and other legacy communications protocols that were designed without security in mind. As such, they do not support authentication, confidentiality, or replay protection. This means that any attacker that can communicate with the device can control it and use the Aurora Vulnerability to destroy it.

Experiment

To prepare for the experiment, the researchers procured and installed a 2.25 MW (3000 horsepower) generator and connected it to the substation. They also needed access to a programmable digital relay or another device capable of controlling the breaker. Although such access can be through a mechanical or digital interface, in this case the latter was used. [2] [3]

A generator unit consists of a diesel engine mechanically linked to an alternator. In many commercial-industrial settings, multiple generators need to operate together in tandem, in order to provide power to the desired load. A generator that is operating normally is synchronized with either the power grid or with one or more additional generators (for example in an "islanded" independent power network as might be used in a remote location or for emergency backup power). When generators are operating in synchronicity, effectively their alternators are magnetically locked together. [4]

In the Aurora experiment, the researchers used a cyberattack to open and close the breakers out of sync, in order to deliberately maximize the stress. Each time the breakers were closed, the torque induced in the alternator (as a result of the out-of-synchrony connection) caused the entire generator to bounce and shake. The generator used in the experiment was equipped with a resilient rubber rotating coupling (located between the diesel engine and the alternator, thus indirectly connecting the engine's steel crankshaft to the alternator's steel shaft). [3] [5]

During the initial steps of the attack, black rubber pieces were ejected as the rotating coupling was incrementally destroyed (as a result of the extremely abnormal torques induced by the out-of-synchronization alternator on the diesel engine's crankshaft). [5] The rotating rubber coupling was soon destroyed outright, whereupon the diesel engine itself was then quickly ripped apart, with parts sent flying off. [6] Some parts of the generator landed as far as 80 feet away from the generator. [7] In addition to the massive and obvious mechanical damage to the diesel engine itself, evidence of overheating of the alternator was later observed (upon subsequent disassembly of the unit). [3]

In this attack, the generator unit was destroyed in roughly three minutes. However, this process took three minutes only because the researchers assessed the damage from each iteration of the attack. A real attack could have destroyed the unit much more quickly. [6] For example, a generator built without a rotating rubber coupling between the diesel engine and the alternator would experience the crankshaft-destroying abnormal forces in its diesel engine immediately, given the absence of a shock-absorbing material between these two rotating components. A generator unit assembled in this way could see its diesel engine ruined by a single out-of-synchrony connection of the alternator. [5]

The Aurora experiment was designated as unclassified, for official use only. [8] On September 27, 2007, CNN published an article based on the information and video DHS released to them, [1] and on July 3, 2014, DHS released many of the documents related to the experiment as part of an unrelated FOIA request. [5]

Vulnerability

The Aurora vulnerability is caused by the out-of-sync closing of the protective relays. [6]

"A close, but imperfect, analogy would be to imagine the effect of shifting a car into Reverse while it is being driven on a highway, or the effect of revving the engine up while the car is in neutral and then shifting it into Drive." [6]

"The Aurora attack is designed to open a circuit breaker, wait for the system or generator to slip out of synchronism, and reclose the breaker, all before the protection system recognizes and responds to the attack... Traditional generator protection elements typically actuate and block reclosing in about 15 cycles. Many variables affect this time, and every system needs to be analyzed to determine its specific vulnerability to the Aurora attack... Although the main focus of the Aurora attack is the potential 15-cycle window of opportunity immediately after the target breaker is opened, the overriding issue is how fast the generator moves away from system synchronism." [9]

Potential impact

International Spy Museum exhibit for the Aurora Vulnerability DC Spy Museum - Aurora Vulnerability Exhibit.jpg
International Spy Museum exhibit for the Aurora Vulnerability

The failure of even a single generator could cause widespread outages and possibly cascading failure of the entire power grid as occurred in the Northeast blackout of 2003. Additionally, even if there are no outages from the removal of a single component (N-1 resilience), there is a large window for a second attack or failure as it could take more than a year to replace a destroyed generator, because many generators and transformers are custom-built.

Mitigations

The Aurora vulnerability can be mitigated by preventing the out-of-phase opening and closing of the breakers. Some suggested methods include adding functionality in protective relays to ensure synchronism and adding a time delay for closing breakers. [10]

One mitigation technique is to add a synchronism-check function to all protective relays that potentially connect two systems together. To implement this, the function must prevent the relay from closing unless the voltage and frequency are within a pre-set range.

Devices such as the IEEE 25 Sync-Check relay and IEEE 50 can be used to prevent out-of-phase opening and closing of the breakers. [11]

Diesel engines can also be equipped with independent sensors that detect abnormal vibration signatures. It is possible to design such a sensor to immediately trigger a complete shutdown of the generator upon detection of a single major excursion from the vibration signature of a normally operating engine. [12] However, the damage from that single excursion might already be substantial, particularly if a resilient rubber coupling between the engine and the alternator is not present.

Criticisms

There was some discussion as to whether Aurora hardware mitigation devices (HMD) can cause other failures. In May 2011, Quanta Technology published an article that used RTDS (Real Time Digital Simulator) testing to examine the "performance of multiple commercial relay devices available" of Aurora HMDs. To quote: "The relays were subject to different test categories to find out if their performance is dependable when they need to operate, and secure in response to typical power system transients such as faults, power swing and load switching... In general, there were technical shortcomings in the protection scheme’s design that were identified and documented using the real time testing results. RTDS testing showed that there is, as yet, no single solution that can be widely applied to any case, and that can present the required reliability level." [13] A presentation from Quanta Technology and Dominion succinctly stated in their reliability assessment "HMDs are not dependable, nor secure." [14]

Joe Weiss, a cybersecurity and control system professional, disputed the findings from this report and claimed that it has misled utilities. He wrote: "This report has done a great deal of damage by implying that the Aurora mitigation devices will cause grid issues. Several utilities have used the Quanta report as a basis for not installing any Aurora mitigation devices. Unfortunately, the report has several very questionable assumptions. They include applying initial conditions that the hardware mitigation was not designed to address such as slower developing faults, or off nominal grid frequencies. Existing protection will address “slower” developing faults and off nominal grid frequencies (<59 Hz or >61 Hz). The Aurora hardware mitigation devices are for the very fast out-of-phase condition faults that are currently gaps in protection (i.e., not protected by any other device) of the grid." [15]

Timeline

On March 4, 2007, Idaho National Laboratory demonstrated the Aurora vulnerability. [16]

On June 21, 2007, NERC notified industry about the Aurora vulnerability. [17]

On September 27, 2007, CNN released a previously classified demonstration video of the Aurora attack on their homepage. [1] That video can be downloaded from here.

On October 13, 2010, NERC released a recommendation to industry on the Aurora vulnerability. [17]

On July 3, 2014, the US Department of Homeland Security released 840 pages of documents related to Aurora. [5]

See also

Related Research Articles

<span class="mw-page-title-main">Electric generator</span> Device that converts other energy to electrical energy

In electricity generation, a generator is a device that converts motion-based power or fuel-based power into electric power for use in an external circuit. Sources of mechanical energy include steam turbines, gas turbines, water turbines, internal combustion engines, wind turbines and even hand cranks. The first electromagnetic generator, the Faraday disk, was invented in 1831 by British scientist Michael Faraday. Generators provide nearly all the power for electrical grids.

<span class="mw-page-title-main">Starter (engine)</span> Device used to start an internal combustion engine

A starter is a device used to rotate (crank) an internal-combustion engine so as to initiate the engine's operation under its own power. Starters can be electric, pneumatic, or hydraulic. The starter can also be another internal-combustion engine in the case, for instance, of very large engines, or diesel engines in agricultural or excavation applications.

<span class="mw-page-title-main">Alternator</span> Device converting mechanical into electrical energy

An alternator is an electrical generator that converts mechanical energy to electrical energy in the form of alternating current. For reasons of cost and simplicity, most alternators use a rotating magnetic field with a stationary armature. Occasionally, a linear alternator or a rotating armature with a stationary magnetic field is used. In principle, any AC electrical generator can be called an alternator, but usually the term refers to small rotating machines driven by automotive and other internal combustion engines.

<span class="mw-page-title-main">Dynamic braking</span> Dynamic braking is the use of the traction motors as generators when slowing a vehicle.

Dynamic braking is the use of an electric traction motor as a generator when slowing a vehicle such as an electric or diesel-electric locomotive. It is termed "rheostatic" if the generated electrical power is dissipated as heat in brake grid resistors, and "regenerative" if the power is returned to the supply line. Dynamic braking reduces wear on friction-based braking components, and regeneration lowers net energy consumption. Dynamic braking may also be used on railcars with multiple units, light rail vehicles, electric trams, trolleybuses, and electric and hybrid electric automobiles.

<span class="mw-page-title-main">Motor–generator</span> Device for converting electrical power to another form

A motor–generator is a device for converting electrical power to another form. Motor–generator sets are used to convert frequency, voltage, or phase of power. They may also be used to isolate electrical loads from the electrical power supply line. Large motor–generators were widely used to convert industrial amounts of power while smaller motor–generators were used to convert battery power to higher DC voltages.

<span class="mw-page-title-main">Recloser</span>

In electric power distribution, automatic circuit reclosers (ACRs) are a class of switchgear designed for use on overhead electricity distribution networks to detect and interrupt transient faults. Also known as reclosers or autoreclosers, ACRs are essentially rated circuit breakers with integrated current and voltage sensors and a protection relay, optimized for use as a protection asset. Commercial ACRs are governed by the IEC 62271-111/IEEE Std C37.60 and IEC 62271-200 standards. The three major classes of operating maximum voltage are 15.5 kV, 27 kV and 38 kV.

<span class="mw-page-title-main">Synchroscope</span>

In AC electrical power systems, a synchroscope is a device that indicates the degree to which two systems are synchronized with each other.

<span class="mw-page-title-main">Diesel generator</span> Combination of a diesel engine with an electrical generator

A diesel generator (DG) (also known as a diesel genset) is the combination of a diesel engine with an electric generator (often an alternator) to generate electrical energy. This is a specific case of engine generator. A diesel compression-ignition engine is usually designed to run on diesel fuel, but some types are adapted for other liquid fuels or natural gas (CNG).

Power system protection is a branch of electrical power engineering that deals with the protection of electrical power systems from faults through the disconnection of faulted parts from the rest of the electrical network. The objective of a protection scheme is to keep the power system stable by isolating only the components that are under fault, whilst leaving as much of the network as possible in operation. The devices that are used to protect the power systems from faults are called protection devices.

Islanding is the intentional or unintentional division of an interconnected power grid into individual disconnected regions with their own power generation.

<span class="mw-page-title-main">Engine-generator</span> Combination of an electrical generator and an engine in a single part

An engine–generator is the combination of an electrical generator and an engine mounted together to form a single piece of equipment. This combination is also called an engine–generator set or a gen-set. In many contexts, the engine is taken for granted and the combined unit is simply called a generator. An engine–generator may be a fixed installation, part of a vehicle, or made small enough to be portable.

<span class="mw-page-title-main">Dynamo</span> Electrical generator that produces direct current with the use of a commutator

A dynamo is an electrical generator that creates direct current using a commutator. Dynamos were the first electrical generators capable of delivering power for industry, and the foundation upon which many other later electric-power conversion devices were based, including the electric motor, the alternating-current alternator, and the rotary converter.

In an alternating current (AC) electric power system, synchronization is the process of matching the frequency, phase and voltage of a generator or other source to an electrical grid in order to transfer power. If two unconnected segments of a grid are to be connected to each other, they cannot safely exchange AC power until they are synchronized.

<span class="mw-page-title-main">Electric power system</span> Network of electrical component deployed to generate, transmit & distribute electricity

An electric power system is a network of electrical components deployed to supply, transfer, and use electric power. An example of a power system is the electrical grid that provides power to homes and industries within an extended area. The electrical grid can be broadly divided into the generators that supply the power, the transmission system that carries the power from the generating centers to the load centers, and the distribution system that feeds the power to nearby homes and industries.

On maritime vessels, noise and vibration are not the same but they have the same origin and come in many forms. The methods to handle the related problems are similar, to a certain level, where most shipboard noise problems are reduced by controlling vibration.

Hastings Power Station was a gas turbine power station situated in Hastings in East Sussex, England. It was built on the site of the Broomgrove coal-fired power station. When the power station was completed in 1966 it had two 55-megawatt (MW) gas turbine generating sets; the first set was commissioned in January 1966 and the second two months later in March.

The DC distribution system has been proposed, as a replacement for the present AC power distribution system for ships with electric propulsion.

<span class="mw-page-title-main">Magneto</span> Electricity-producing machine

A magneto is an electrical generator that uses permanent magnets to produce periodic pulses of alternating current. Unlike a dynamo, a magneto does not contain a commutator to produce direct current. It is categorized as a form of alternator, although it is usually considered distinct from most other alternators, which use field coils rather than permanent magnets.

An electromagnetic pulse (EMP), also referred to as a transient electromagnetic disturbance (TED), is a brief burst of electromagnetic energy. The origin of an EMP can be natural or artificial, and can occur as an electromagnetic field, as an electric field, as a magnetic field, or as a conducted electric current. The electromagnetic interference caused by an EMP can disrupt communications and damage electronic equipment. An EMP such as a lightning strike can physically damage objects such as buildings and aircraft. The management of EMP effects is a branch of electromagnetic compatibility (EMC) engineering.

<span class="mw-page-title-main">SNCF Class CC 70000</span>

SNCF CC 70000 was a class of two prototype high power diesel-electric locomotives numbered CC 70001 and 70002. They were built at the same time as a diesel-hydraulic version, BB 69000.

References

  1. 1 2 3 "Mouse click could plunge city into darkness, experts say". CNN. September 27, 2007. Retrieved January 30, 2020.
  2. "FOIA Request - Operation Aurora" (PDF). Muckrock. p. 91. Retrieved January 30, 2020.
  3. 1 2 3 Greenberg, Andy (October 23, 2020). "How 30 Lines of Code Blew Up a 27-Ton Generator". Wired . Retrieved December 11, 2021.
  4. Greenberg, Andy (October 23, 2020). "How 30 Lines of Code Blew Up a 27-Ton Generator". Wired . Retrieved December 11, 2021.
  5. 1 2 3 4 5 "FOIA Request - Operation Aurora". Muckrock. 17 May 2014. Retrieved January 30, 2020.
  6. 1 2 3 4 "FOIA Request - Operation Aurora" (PDF). Muckrock. p. 59. Retrieved January 30, 2020.
  7. "Master Script" (PDF). INTERNATIONAL SPY MUSEUM. p. 217. Retrieved January 30, 2020.
  8. "FOIA Request - Operation Aurora" (PDF). Muckrock. p. 134. Retrieved January 30, 2020.
  9. Zeller, Mark. "Common Questions and Answers Addressing the Aurora Vulnerability". Schweitzer Engineering Laboratories, Inc. Retrieved January 30, 2020.
  10. Zeller, Mark. "Myth or Reality – Does the Aurora Vulnerability Pose a Risk to My Generator?". Schweitzer Engineering Laboratories, Inc. Retrieved January 30, 2020.
  11. "Avoiding unwanted reclosing on rotating apparatus (Aurora)" (PDF). Power System Relaying and Control Committee. Retrieved January 30, 2020.
  12. S R W Mills (2010). Vibration Monitoring & Analysis Handbook. British Institute of Non-Destructive Testing.
  13. "QT e-News" (PDF). Quanta Technology. p. 3. Retrieved January 30, 2020.
  14. "Aurora Vulnerability Issues & Solutions Hardware Mitigation Devices (HMDs)" (PDF). Quanta Technology. July 24, 2011. Retrieved January 30, 2020.[ permanent dead link ]
  15. "Latest Aurora information – this affects ANY electric utility customer with 3-phase rotating electric equipment!". Unfettered Blog. September 4, 2013. Retrieved January 30, 2020.
  16. "U.S. video shows hacker hit on power grid". USA Today. September 27, 2007. Retrieved January 30, 2020.
  17. 1 2 "NERC Issues AURORA Alert to Industry" (PDF). NERC. October 14, 2010. Archived from the original (PDF) on 2011-08-12. Retrieved January 30, 2020.