Lessons learned from Aurora
On the SCADASEC blog site, Ed Beroset stated the following: "I've attended a number of security conferences at which speakers would gravely intone that 'we have not yet learned the lessons of Aurora.' When I've probed a bit deeper, I've found that there is a very wide range of interpretations as to what those might be. My questions for this group are: 1) what is 'the lesson of Aurora'? 2) what has been done about it? and 3) what's left to do?"
In response to Ed, there are a number of lessons learned specifically from Aurora:
1) Make sure we are on the same page. There are two distinct "cyber Aurora" events: the Google Aurora intrusion and the INL (Idaho National Laboratory) Aurora test that destroyed a diesel generator. My focus is on the INL Aurora.
2) Understand the problem. Aurora is a physical gap in the protection of the electric grid; it is a physics problem, not a network problem. Because it is physics, it requires a hardware solution.
3) Determine whether the people making claims are actually experts. Only a very limited number of people attended the INL test. In 2007, DHS briefed end-users in a closed session. Since Aurora is still FOUO, there are only a limited number of people who can be expected to understand the issue.
4) Get the right people involved. Aurora affects protective relays, not cyber networks. Because the INL test was labeled as cyber, the protective relay experts were generally excluded.
5) Don't obfuscate a problem to confuse the attackers. DHS decided early on to make Aurora For Official Use Only (FOUO), which made the technical information generally unavailable to people without the appropriate access. The only public information was the CNN tape, which was somewhat misleading. Consequently, the attackers may have been confused, but the end-users certainly were. Moreover, there was significant confusion about what was really done in the Aurora test at INL, and the rumor mill worked overtime. Unfortunately, much of what is in the public domain is incomplete, misleading, or incorrect. This is why we will have the first public session on the Aurora test at INL at the October ICS Conference (www.icscybersecurityconference.com), presented by some of the people who were actually involved in the test.
6) Don't politicize a technical problem. Somehow Aurora has fallen into a political morass involving DOE, DHS, NERC, industry lobbyists, and others. This is a real problem with a real solution. Let's refocus the effort on understanding the problem and get on with implementing the solution!