The Aurora Power Grid Vulnerability and the BlackEnergy Trojan

At recent Industrial IoT security briefings, the Aurora vulnerability has come up repeatedly. Attendees ask, “Is our country’s power grid safe? How can we protect the grid? What is Aurora?” This post provides a look at Aurora, and the BlackEnergy attack that can exploit Aurora.

In March 2007, the US Department of Energy demonstrated the Aurora vulnerability. (See this video from CNN of the actual test: What is happening?

An electric generator spins an electromagnet (the rotor) inside a coil of wire (the stator) to create electric power. The energy spinning the rotor can come from falling water in a hydroelectric power dam, from burning oil in a diesel generator, from steam created by nuclear fission in a nuclear power plant, or from the wind in a windmill. That electric power feeds the power grid for distribution to homes and businesses.

Other generators are also feeding the same grid. In the US, the power on the grid is 60 cycle alternating current. That means the voltage changes from its positive to its negative voltage sixty times per second. As long as the generator is in phase with the rest of the grid, its power will smoothly contribute to the total power of the grid. If the generator gets out of phase, that is, if its output is not synchronized with the power of the grid, the generator is working against the entire power of the rest of the grid.

DoE’s experiment used a 2.25 MW diesel generator. The Aurora vulnerability allows an attacker to disconnect the generator from the grid just long enough to get slightly out of phase with the grid, and then reconnect it. This desynchronization puts a sudden, severe strain on the rotor, which causes a pulse of mechanical energy to shake the generator, damaging the bearings and causing sudden increases in temperature. By disconnecting and reconnecting the generator’s circuit to the grid, the Aurora vulnerability led to the generator’s destruction in about three minutes.

In this test, though, the separate attack cycles (opening the breaker then closing it again) were not continuous. The DoE wanted to get readings from the generator as the attack progressed. In the wild, an attack would take much less time.

Mitigating the Aurora attack

To keep generators from self-destructing, the manufacturers build in safety systems that do not allow a generator to reconnect to the grid if it has been disconnected for 15 cycles (¼ of a second). Some generators may use mechanical relays. More commonly, the safety systems are software-controlled. For monitoring and operations, these systems are network-connected.

The separate open/close cycles in the Aurora attack take less than ¼ second. The attack happens before the safety systems can react.

At present, the mitigations in place are inadequate to mitigate the Aurora attack.

Enter BlackEnergy

BlackEnergy is a Trojan that can launch DDoS attacks, download custom spam, and steal banking credentials. Trend Micro’s Security Intelligence Blog posted a detailed description of the malware in this article in February 2016: This malware has evolved since it was first detected in 2007. An updated variant was observed in 2010. In Nov 2015 BlackEnergy was discovered in attacks against power, mining, and rail companies in Ukraine, including the Dec 23, 2015 attack that cut power to 225,000 people.

The attack used BlackEnergy, delivered through phishing emails directed at employees and others involved with the target companies. The payload included the KillDisk malware, which attackers used to disable boot capabilities on target systems. This prevented their restoration, blocked remote access to systems, and rendered Uninterruptable Power Supply (UPS) systems useless. It also disrupted Serial-to-Ethernet devices. This damage delayed recovery considerably. Most systems could not be used until their firmware had been restored.  See from the US Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT).

Attack, Response, and Mitigation

The attack against Ukraine succeeded because the attackers completed comprehensive reconnaissance over months. They knew the specific equipment in use at each facility, they established backdoors in Human-Machine Interface (HMI) devices at those facilities, and they understood the recovery protocols and procedures at those facilities. They knew that disabling the Serial-to-Ethernet devices would make remote management impossible, stretching personnel to maintain operations and slowing remediation and recovery. They knew which UPSs to disable and how. They were prepared to lock operators out of their consoles (personnel reported that the cursors on the screens moved and could not be interrupted by the keyboard or mouse at the console).

Most importantly, the attackers did not fully exploit the Aurora vulnerability. No generators were destroyed. Power was restored in hours. If generators had been destroyed, recovery could have taken months. Most large generators are custom-built, not sold from inventory. Rebuilding the power grid would have been months and cost millions of dollars. And further, destroying the generators would have been an act of war. The attack was a threat.

The US power grid is equally vulnerable. Power distribution and generation organizations must segment their networks. Scan for malware. Maintain and analyze logs. Prepare for contingencies. Lock down systems. Isolate insecure devices.