On October 13, 2010, the North American Electric Reliability Corporation (“NERC”) issued an industry AURORA alert making recommendations to entities and requiring entities to report on progress made by December 13, 2010. Entities will then have to update NERC every six months until the mitigation addressing any vulnerabilities is completed. The new alert divided recommended mitigation elements into two categories: 1) Protection and Control Engineering, and 2) Electronic and Physical Security Mitigation Measures.
In early 2007, the Department of Homeland Security conducted a mock cyber attack, and that experiment was dubbed “AURORA.” In the simulated cyber attack, a generator malfunctioned, and a video of the simulated attack was broadcast on television. The AURORA project then became the subject of a congressional hearing and eventually prompted FERC to direct NERC to address cyber vulnerabilities.
On June 21, 2007, NERC first issued an AURORA vulnerability notice to the industry in response to the simulated cyber attack, and that advisory identified several measures necessary to mitigate cyber vulnerabilities. NERC announced that it has also established a restricted technical library with other federal agencies to evaluate the engineering complexities of AURORA. Since 2007, NERC’s AURORA technical team has been working with subject matter experts to fully comprehend the engineering data and other issues surrounding AURORA weaknesses.
NERC’s press release on the industry alert is available here.