The Department of Homeland Security (DHS) mistakenly released hitherto little-known details on an experiment conducted in 2007 in which researchers destroyed a 27-ton diesel generator via a cyberattack on its control system.
Details about the experiment, code-named Aurora, were inadvertently released by DHS in response to a Freedom of Information Act request for information about Operation Aurora, a completely different issue involving a series of cyberattacks against Google and other entities in 2010.
MuckRock posted a copy of the 840-page document from DHS earlier this week.
The document suggests that DHS was considerably more concerned about the threat to critical industrial control systems highlighted by Aurora than it generally let on. Security experts have long maintained that the DHS and industry stakeholders have downplayed potential threats to critical infrastructure and have done nothing to address the problem.
The document highlights facts that are difficult to reconcile, said Dale Peterson, founder and CEO of Digital Bond, a company that specializes in control systems security.
"The error by DHS in releasing the wrong Aurora documents is a bit embarrassing for them," Peterson said, noting that the document suggests that the agency considered the Aurora vulnerability to be a significant threat to industrial control systems.
"They classified the program after they understood the impact," he said. The document shows that DHS set up tiger teams, attended Congressional hearings and White House briefings, and created action plans to address issues highlighted by the experiment.
Even so, little has happened by way of remedial action in the seven years since, Peterson said. "So one of two things happened. Aurora was, in fact, not a significant control system vulnerability. It was an expensive demo with hyped results. Or, Aurora was a significant control system vulnerability that has not yet been addressed seven years later."
The DHS did not respond to a request for comment.
The Aurora experiment made headlines in 2007 when CNN aired video footage of a generator being reduced to smoking, metal-spewing junk as the result of malicious code execution on the computer controlling the system.
The Idaho National Laboratory prepared the demo for the DHS to show how malicious attackers could take advantage of control system vulnerabilities to cause physical damage to critical infrastructure .
The newly public document shows that DHS spent some $2.8 million on the test and considered the vulnerability that allowed the generator to be destroyed as a significant flaw affecting utilities, refineries, pipelines and water systems. The greatest potential for exploitation exists in the utility sector, the DHS document noted.
One document notes how an actual attack could be carried out quickly. "There were intentional pauses between each iteration of the attack in order to assess damage and maintain safety protocols. An actual attack could have been conducted much faster," DHS officials noted.
Sign up for Computerworld eNewsletters.