Homeland Security Dept. Blunder Opened Door to Cybersecurity Attacks on Power and Water Systems

Monday, January 05, 2015
Aurora power grid vulnerability mitigation device (photo: Schweitzer Engineering Laboratories)

Sometimes even when it’s trying to do the right thing, the Department of Homeland Security (DHS) steps on a rake. A recent miscue by the department could make it easier for someone to bring down the nation’s power grid.


A Freedom of Information Act request was filed with DHS for documents on Operation Aurora, which was a cyberattack on Google. The department responded with 800 pages of documents, according to Patrick Tucker at Defense One. However the documents weren’t about Operation Aurora, but were instead on the Aurora Project, which in 2007 demonstrated how easy it would be to disable the nation’s electric and water supply grids.


The Aurora Project showed that by opening and closing various circuit breakers on a system, parts are thrown out of synchronization and the system can break. A demonstration of the potential was even shown on CNN. Many of those controls are able to be accessed remotely, which leaves open the possibility that hackers could wreck U.S. electric and water systems.


“The Aurora vulnerability affects much more than rotating equipment inside power plants. It affects nearly every electricity system worldwide and potentially any rotating equipment—whether it generates power or is essential to an industrial or commercial facility,” according to an article written in 2013 for Power magazine. One of the authors, Joe Weiss, called DHS’ mistake “breathtaking.”


“Three of their slides constitute a hit list of critical infrastructure. They tell you by name which [Pacific Gas and Electric] substations you could use to destroy parts of grid. They give the name of all the large pumping stations in California,” Weiss, who works for the Navy on eliminating Aurora vulnerabilities, told Defense One.


The vulnerability could be fixed with a piece of equipment being offered to utilities for free by the Department of Defense, but utilities haven’t availed themselves of the offer because of concerns that their facilities would be labeled “critical” and be subject to further regulation.

-Steve Straehley


To Learn More:

Forget the Sony Hack, This Could Be the Biggest Cyber Attack of 2015 (by Patrick Tucker, Defense One)

What You Need to Know (and Don’t) About the AURORA Vulnerability (by Michael Swearingen, Steven Brunasso, Joe Weiss, and Dennis Huber, Power)

Operation Aurora Request (Muckrock)

Eight Months Later, San Jose Power Station Attack Looks More Ominous (by Ken Broder, AllGov California)


Leave a comment