Myth or reality — Does the Aurora vulnerability pose a risk to my generator?

There have been many reports of cyberintrusions, hacking, unauthorized operations, and malicious attacks on the electric power system. Many of these reports are uncorroborated and strengthen the skepticism of the very people in position to prevent these invasions. One vulnerability that has drawn substantial discussion is the Aurora vulnerability, which focuses on electric power generators. Since the dramatic video and interview on the television news in 2007 showing how to cause severe damage to a generator, many generation providers are concerned they could become a victim. This paper discusses the Aurora vulnerability, how it is implemented, what the risk factors are, who is vulnerable, and what steps will mitigate this risk. Standard generator protection is not sufficient to thwart a well-executed Aurora attack. This paper presents how the Aurora vulnerability works, what key indicators show a risk, what different methods can be used to initiate an attack, and what modifications can be made to control systems to minimize risk. Many of the recommendations from this paper are low-cost mitigation techniques that can readily be incorporated into standard practices at a generating facility. Comprehensive mitigation techniques include protection and control, electronic and physical security, monitoring, training, risk assessment, and information protection. Making positive changes in these areas can help to maintain control of generators and protect these critical assets.