DHS Mistakenly Releases 840-pages of Critical Infrastructure Documents Via Mishandled FOIA Request

DHS Releases Trove of Documents Related to Wrong “Aurora” in Response to Freedom of Information Act (FOIA) Request

The U.S. Department of Homeland Security (DHS) has mistakenly released hundreds of documents, some of which contain sensitive information and potentially vulnerable critical infrastructure points across the United States, in response to a recent Freedom of Information Act (FOIA) request about a cyber-security attack.

The Operation Aurora attack was publicized in 2010 and impacted Google and a number of other high-profile companies. However, DHS responded to the request by releasing more than 800 pages of documents related to the ‘Aurora’ experiment conducted several years ago at the Idaho National Laboratory, where researchers demonstrated a way to damage a generator via a cyber-attack.

The documents are posted on MuckRock.com. The information request was made May 17. On July 3, the agency replied with the mistaken documents.

When contacted by SecurityWeek, the DHS declined to comment about the situation.

Of the documents released by the DHS, none were related to the Operation Aurora cyber attack as requested.

According to a blog post by Dale Peterson, founder of Digital Bond, many of the 840 pages consist of old weekly reports from the DHS’ Control System Security Program (CSSP) from 2007. Other released pages included information about possible examples of facilities that could be vulnerable to attack, such as water plants and gas pipelines (pages 70 and 71). Other pages were redacted due to their sensitivity.

Aurora Vulnerability in Critical Infrastructure

“The real beauty of the Aurora demonstration was it clearly showed that a cyber attack could affect a physical process,” blogged Peterson. “The specific vulnerability they chose to achieve this, while not unimportant, was not the main point to take from Aurora. It was an effective and dramatic demonstration.”


In the Aurora experiment, the researchers demonstrated the dangers of a malicious attacker disconnecting and reconnecting a generator to the electric grid out of phase. The exact extent of the danger utilities face and whether or not enough has been done to mitigate the issue has been the subject of some debate. Joe Weiss of Applied Control Solutions said he believes the issue has been downplayed.

“What you have is a physical problem that cyber is able to exploit,” explained Weiss, in an interview with SecurityWeek. “This physical problem affects every single substation everywhere. Period.”

The North American Electric Reliability Corporation (NERC) did not respond to a request for comment today by SecurityWeek.

“To me the only thing that is still a mystery about Aurora is the precise mechanics of what commands were sent to which device in order to cause the destruction of the generator,” said Andrew Ginter, vice president of industrial security at Waterfall Security Solutions. “The basic principles have been out in the public domain for a very long time.”

“The basic principle,” he said, “is that you disconnect the generator from the grid, and within milliseconds it starts speeding up because it has no load anymore… If you time it right and you reconnect it to the grid when it’s out of sync, now there’s enormous force on the generator to bring it back into sync.”
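The defensive counterpart to the principle Ginter describes is a sync-check interlock that refuses to close the breaker while the unloaded machine has drifted out of step with the grid. The following is an added illustration, not code from the article or from any relay vendor: the thresholds, the linear frequency-drift model and the function names are all assumptions chosen for the example.

```python
# Added example: a simplified sync-check (ANSI 25) permissive that blocks an
# out-of-phase reclose. Thresholds are illustrative assumptions, not real
# utility settings.

MAX_ANGLE_DEG = 10.0   # assumed: max |phase angle difference| at close
MAX_SLIP_HZ = 0.10     # assumed: max |frequency difference|
MAX_VOLT_PU = 0.05     # assumed: max |voltage magnitude difference|, per unit


def angle_diff_deg(gen_angle_deg, grid_angle_deg):
    """Signed generator-minus-grid angle, wrapped into (-180, 180]."""
    d = (gen_angle_deg - grid_angle_deg + 180.0) % 360.0 - 180.0
    return 180.0 if d == -180.0 else d


def close_permitted(gen, grid):
    """gen and grid are (freq_hz, angle_deg, volt_pu) tuples.
    Returns (permitted, reasons); an empty reasons list means close is allowed."""
    gen_f, gen_a, gen_v = gen
    grid_f, grid_a, grid_v = grid
    reasons = []
    if abs(gen_f - grid_f) > MAX_SLIP_HZ:
        reasons.append("slip")
    if abs(angle_diff_deg(gen_a, grid_a)) > MAX_ANGLE_DEG:
        reasons.append("angle")
    if abs(gen_v - grid_v) > MAX_VOLT_PU:
        reasons.append("voltage")
    return (not reasons, reasons)


def unloaded_drift(t_s, accel_hz_per_s):
    """Constructed toy model of the unloaded machine: after the breaker opens,
    frequency rises linearly (slip = a*t), so the angle relative to the grid
    grows quadratically (angle = 360 * a * t^2 / 2, in degrees)."""
    slip_hz = accel_hz_per_s * t_s
    angle_deg = 360.0 * 0.5 * accel_hz_per_s * t_s * t_s
    return slip_hz, angle_deg


def evaluate_reclose(t_s, accel_hz_per_s, grid=(60.0, 0.0, 1.0)):
    """Would the sync-check permit reclosing t_s seconds after the trip?"""
    slip_hz, angle_deg = unloaded_drift(t_s, accel_hz_per_s)
    gen = (grid[0] + slip_hz, grid[1] + angle_deg, grid[2])
    return close_permitted(gen, grid)


if __name__ == "__main__":
    for t in (0.1, 1.0):
        ok, why = evaluate_reclose(t, accel_hz_per_s=0.5)
        print(f"reclose at t={t:.1f}s: {'permitted' if ok else 'blocked'} {why}")
```

A short delay after the trip still passes the check, while a reclose attempted once the angle has opened up is refused on both slip and angle, which is exactly the window the interlock exists to close.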

According to information on the MuckRock site, the person who filed the FOIA request received a “no responsive documents” response from the FBI, while the National Security Agency notified him that his request was still being processed.

The incident the FOIA request was actually about, the Operation Aurora cyber attack, impacted dozens of organizations, including Juniper Networks and aerospace and defense company Northrop Grumman, and is believed by many to have been perpetrated by hackers from China. The Chinese government denied any involvement when the attack was made public.

Written By

Marketing professional with a background in journalism and a focus on IT security.
