Critical infrastructure

DHS releases the wrong FOIA-requested documents, exposing infrastructure vulnerabilities

Published 7 January 2015

On 3 July 2014, DHS, responding to a Freedom of Information Act (FOIA) request on Operation Aurora, a malware attack on Google, instead released more than 800 pages of documents related to the Aurora Project, a 2007 research effort led by Idaho National Laboratory to show the cyber vulnerabilities of U.S. power and water systems, including electrical generators and water pumps. The research project found that once these infrastructure systems are infiltrated, a cyberattack can remotely control key circuit breakers, thereby throwing a machine’s rotating parts out of synchronization and causing parts of the system to break down.

A video of a live attack was featured on CNN in 2007. In 2013, Power Magazine described the scope of the Aurora vulnerability, saying it “affects much more than rotating equipment inside power plants. It affects nearly every electricity system worldwide and potentially any rotating equipment — whether it generates power or is essential to an industrial or commercial facility.”

Joe Weiss, a managing partner for Applied Control Solutions, who co-wrote the Power Magazine article, notes that only a few pages of the DHS documents released contained critical information. “Three of their slides constitute a hit list of critical infrastructure. They tell you by name which (Pacific Gas and Electric) substations you could use to destroy parts of grid. They give the name of all the large pumping stations in California.”

Launching an Aurora attack is difficult, but the documents released by DHS could certainly help a would-be hacker. In a 2011 paper for the Protective Relay Engineers’ 64th Annual Conference, Mark Zeller, a service provider with Schweitzer Engineering Laboratories, described what information a hacker would need to execute a successful Aurora attack. The hacker must have knowledge of the local power systems and an understanding of the power system interconnections, and must “initiate the attack under vulnerable system load and impedance conditions and select a breaker capable of opening and closing quickly enough to operate within the vulnerability window.” He adds that, assuming the attack is done remotely, the hacker “needs to understand and violate the electronic media, find a communications link that is not encrypted or is unknown to the operator, ensure no access alarm is sent to the operators, know all passwords, or enter a system that has no authentication.” Government Executive notes that since utilities tend to use publicly available equipment and communication protocols to link different parts of their systems (because they are simpler to run, maintain, repair, and replace), a would-be hacker is likely to be familiar with the connection tools.

On 14 October 2010, the North American Electric Reliability Corporation (NERC) warned that the industry presently lacks a single solution to the Aurora vulnerability. Applied Control Solutions’ Weiss noted that the Defense Department (DOD) offers, free of charge, two devices on the market, “iGR-933 rotating equipment isolation device (REID) and an SEL 751A, that purport to shield equipment from ‘out-of-phase’ states,” but utilities have refused to accept the devices from DOD because doing so would label a facility a “critical facility,” leaving it open to NERC-CIP audits.

Responding to concerns that DHS had released the wrong information, a DHS spokesman told Defense One, “As part of a recent Freedom of Information Act (FOIA) request related to Operation Aurora, the Department of Homeland Security (DHS) National Programs and Protection Directorate provided several previously released documents to the requestor. It appears that those documents may not have been specifically what the requestor was seeking; however, the documents were thoroughly reviewed for sensitive or classified information prior to their release to ensure that critical infrastructure security would not be compromised.”