In 2007 the Idaho National Laboratory ran the Aurora Generator Test in 2007 to demonstrate how a cyberattack could destroy physical components of the electric grid. The experiment used a computer program to rapidly open and close a diesel generator's circuit breakers out of phase from the rest of the grid, thereby subjecting the engine to abnormal torques and ultimately causing it to explode. This vulnerability is referred to as the Aurora Vulnerability.
To prepare for the experiment, the researchers procured and installed a 2.25 MW (3000 horsepower) generator and connected it to the substation. They also needed access to a programmable digital relay or another device capable of controlling the breaker. Although such access can be through a mechanical or digital interface, in this case the latter was used.
A generator unit consists of a diesel engine mechanically linked to an alternator. In many commercial-industrial settings, multiple generators need to operate together in tandem, in order to provide power to the desired load. A generator that is operating normally is synchronized with either the power grid or with one or more additional generators (for example in an "islanded" independent power network as might be used in a remote location or for emergency backup power). When generators are operating in synchronicity, effectively their alternators are magnetically locked together.
In the Aurora experiment, the researchers used a cyberattack to open and close the breakers out of sync, in order to deliberately maximize the stress. Each time the breakers were closed, the torque induced in the alternator (as a result of the out-of-synchrony connection) caused the entire generator to bounce and shake. The generator used in the experiment was equipped with a resilient rubber rotating coupling (located between the diesel engine and the alternator, thus indirectly connecting the engine's steel crankshaft to the alternator's steel shaft).
During the initial steps of the attack, black rubber pieces were ejected as the rotating coupling was incrementally destroyed (as a result of the extremely abnormal torques induced by the out-of-synchronization alternator on the diesel engine's crankshaft). The rotating rubber coupling was soon destroyed outright, whereupon the diesel engine itself was then quickly ripped apart, with parts sent flying o Some parts of the generator landed as far as 80 feet away from the generator. In addition to the massive and obvious mechanical damage to the diesel engine itself, evidence of overheating of the alternator was later observed (upon subsequent disassembly of the unit).
In this attack, the generator unit was destroyed in roughly three minutes. However, this process took three minutes only because the researchers assessed the damage from each iteration of the attack. A real attack could have destroyed the unit much more quickly. For example, a generator built without a rotating rubber coupling between the diesel engine and the alternator would experience the crankshaft-destroying abnormal forces in its diesel engine immediately
Potential Impact: The failure of even a single generator could cause widespread outages and possibly cascading failure of the entire power grid as occurred in the Northeast Failure of 2003. Additionally, even if there are no outages from the removal of a single component (N-1 resilience), there is a large window for a second attack or failure as it could take more than a year to replace a destroyed generator, because many generators and transformers are custom-built.
Asymmetric Warfare: taking down the U.S. power grid means winning a war on day one without dropping a single bomb. Why would an adversary not do this?