- A generator vulnerability first identified years ago remains a threat, and the accidental release of U.S. Department of Homeland Security documents over the summer may have made the situation worse for utilities, Government Executive reports.
- In 2007 the Idaho National Laboratory's Aurora Project demonstrated how a remote attacker could damage generators by opening and closing certain circuit breakers to ultimately push a machine's rotating parts out of alignment.
- In July, responding to a Freedom of Information Act request for information on the unrelated "Operation Aurora," DHS mistakenly released more than 800 pages of information related to the generator vulnerability including the location of sensitive pieces of infrastructure.
North Korea's recent cyberattack on Sony Pictures Entertainment — the Federal Bureau of Investigation determined the attack originated there — has officials worried about the spread of attacks to critical infrastructure like the nation's power grid.
More than seven years ago the Idaho National Laboratory revealed it was possibly to damage physical grid infrastructure through a cyber attack that focused on switching on and off key circuit breakers to throw rotating equipment out of alignment. And in 2010, the North American Electric Reliability Corporation issued an alert to the industry, noting at the time "there is no single answer to the Aurora vulnerability."
So why hasn't the Aurora vulnerability been patched?
Government Executive reports the solution is a fairly simple piece of hardware the Department of Defense will provide to utilities for free. But because installing it would designate those facilities as "critical" and open them up to compliance audits by the North American Electric Reliability Corp., none have taken the offer.
It's still a very difficult attack to pull off, experts say, but nations like Iran and North Korea have shown they have the capability. Which is why the DHS' accidental release of Aurora documents could be costly. The agency had been queried for documents on the unrelated cyber attack "Operation Aurora," which targeted Google and other well-known companies. Instead, it released a trove of information including the names of Pacific Gas & Electric substations which could be vulnerable.