Critical Infrastructure Security, Vulnerability Management

NERC requiring power companies to mitigate Aurora flaw

The North American Electric Reliability Corp (NERC) is requiring that members of the bulk power system implement protections against a vulnerability that could be exploited to cause physical damage to critical systems that provide electricity.

The so-called “Aurora” vulnerability came to light in 2007 with the release of a Department of Homeland Security-commissioned video depicting a generator exploding in a test lab during a simulated cyberattack. The video, taken at the federal government's Idaho National Laboratory and leaked to the media, demonstrated that the Aurora vulnerability could be exploited to cause physical damage to a generator.

For more than three years, NERC's Aurora technical team has worked with subject matter experts in the federal community to develop a technical library with detailed information about the flaw and protection measures to mitigate it, Tim Roxey, NERC's Aurora subject matter expert, told on Friday. The technical library was recently completed and "thoroughly reviewed," Roxey said. 

NERC, the organization responsible for ensuring the reliability of North America's bulk power system, on Wednesday issued a “recommendation” requiring that members of the power grid review the new information about Aurora and assess whether the vulnerability applies to their systems, then take appropriate action to mitigate the threat, Roxey said. The document applies to the roughly 1,900 bulk power system owners, operators and users that are registered with NERC.

“This is a recommendation to industry, and a recommendation comes with expectations,” he added.

Under the recommendation, entities are required by Dec. 12 to provide NERC with a report on their efforts and progress to mitigate the threat. Additionally, every six months thereafter, entities must provide NERC with an update of their efforts until mitigation is complete.

“While there is no single answer to the Aurora vulnerability, these recommendations offer asset owners options to develop and test in their own environments,” Mark Weatherford, vice president and chief security officer at NERC, said in a statement. Weatherford, the former CISO of California, began at NERC this July and is charged with directing the organization's critical infrastructure protection and cybersecurity program.

If properly implemented, the protection measures will prevent or significantly reduce the likelihood of a successful Aurora event, Roxey said.

Meanwhile, mitigating the vulnerability may be very difficult for some entities, requiring the implementation of certain engineering practices, physical controls or cyber controls, he added. Experts at NERC are available to help entities with any issues that might arise in fulfilling the requirement.

“The Aurora vulnerability shows us there is a gap in protection and we need to fill that to help take this issue off the table,” he said.

The new recommendation around Aurora comes in light of prior criticism about NERC's handling of the vulnerability.
“I think we could search far and wide and not find a more disorganized, ineffective response to an issue of national security,” Rep. Jim Langevin, D-R.I., said in a 2008 statement before the House subcommittee on cybersecurity. “Everything about the way this vulnerability was handled – from press leaks, to DHS's failure to provide more technical details to support the results of its test, to NERC's dismissive attitude, to the industry's half-hearted approach toward mitigation – leaves me with little confidence that we are ready or willing to deal with the cybersecurity threat.”

NERC initially issued an advisory to the industry about the Aurora flaw in June 2007.

“When the electrical sector put out the first Aurora advisory, we didn't have access to all the engineering details,” Roxey said. “So there was a lot of confusion and the need for further study.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.