How would you react if I told you the United States government paid for a project that eventually told any enemy how to attack our electric grid? The Department of Defense did in fact spend money on a project to identify vulnerabilities to critical infrastructure. Specifically, the Aurora Project focused on how easy it would be to attack electrical generators, water pumps, and other pieces of infrastructure. These vulnerabilities can be extended to the electric grid, which was concerning. The Department of Homeland Security eventually released this report through a Freedom of Information act (FOIA) request, accidentally of course. Normally this would not be a big deal, but this report included some details that could tell any bad actor who read it how to complete a meaningfully successful attack on the electrical grid.
During this project the Idaho National Laboratory (INL) exposed a vulnerability that allowed an attacker to remotely open and close key circuit breakers on a machine. This can cause the machine’s rotating parts to fall out of synchronization, effectively causing the system to break down. However, this vulnerability has the ability to affect nearly every electricity system around the world and potentially any rotating equipment. Some of the information included in the report is even described as a hit list of critical infrastructure. It named substations to target in order to destroy parts of the electrical grid. It included the names of physical locations that were vulnerable to attack.
Of course there are some additional hurdles to cross before a fully successful attack could be completed, but this revelation still brought a lesson or two. So, where’s the lesson in all of this? The lesson is certainly for the government to be careful with what you fund and be even more careful about what you release. The defense budget includes a wide variety of funds for a wide variety of projects. It is important for projects like this to be funded because they are able to reveal our own faults. We need to know where we might fail so we can then fix those problems. In the end it seems like more of an embarrassment that this report was so easily released. I guess someone just needs to pay more attention to what they are doing.