How 30 Lines Of Code Destroy A 27-Ton Generator

Harin - Nov 04, 2020

The whole process from when the malicious file was sent to the generator to when the machine started shaking was less than a second.

In one cold winter morning in March 2007, Mike Assante was on his way to the Idaho National Laboratory (INL) to participate in a secret experiment: the Aurora experiment. The project’s aim was to demonstrate that digital attacks could have serious physical consequences, even for critical infrastructure such as power grids.

Besides Assante and other engineers, there were other officials from the US Department of Homeland Security, the North American Electric Reliability Corporation (NERC), and directors of several electric companies across the country. The room they were standing in is like NASA’s control room with screens and data displayed in real-time.

Nasa Control Room — NASA’s control room with a series of screens and data streams displayed in real-time.

The screens projected live footage from all different angles of a giant diesel generator. The size of a school bus, this giant machine weighed 27 tons (the equivalent of a medium tank).

Placed in a power-generating station about a mile away, this machine could generate enough electricity to power an entire hospital or a naval warship. Even the heatwave it emitted could create ripples on the camera image.

Assante and researchers at INL had bought this generator for $300,000 from an oil refinery in Alaska. But the researchers’ task was to destroy it, not with conventional physical weapons but with a 140KB data file – smaller than a gif file that you share on Twitter today.

Will a protector turned into an attacker?

Three years before the experiment, Assante who specializes in both grid architecture and computer security, had thought about how a hacker could bypass security to attack the power grids. Not just turning the switches on and off and causing an overload, hackers could also reprogram the elements in the grid operating without human inspection.

Generator — The generator in the Aurora experiment.

Among them, Assante was particularly interested in protective relays. They are designed as a safety mechanism to deal with hazardous situations that could happen to the electrical system. If the line overheats or a generator becomes out of sync with the systems, the protective relay will detect and open the circuit breakers, disconnect malfunctioning parts, protect the hardware, and even prevent fire.

But what if even this protective relay is paralyzed, or worse, manipulated to become a hacker's tool? That was the question that the Aurora experiment sought to answer.

The Aurora experiment

At 11:33 am, the experiment began. The attack was carried out in an office a few miles away from the generator to simulate a hacker’s remote attack. The attack started by sending nearly 30 lines of code from a computer to the protective relay.

Until the moment of the attack, the generator was still operating like normal. Diesel fuel and air were injected into the combustion chamber and burned precisely to shift the piston and rotate a steel shaft inside the generator engine at a rate of almost 600rpm.

Aurora Experiment — The Aurora vulnerability.

This movement was transmitted through a rubber belt to reduce vibration and reach the main generator: a shaft with branches wrapped around copper wires and placed between two large magnet blocks to generate electrical current. Rotate the axis fast enough, you will have an alternating current at 60Hz.

The protective relay was attached to the generator. It was designed to not connect to the electrical system if the current it produced was out of sync with the 60Hz frequency. But Assante’s malicious data file reprogrammed the protective device, making it work against its own logic.

At 11:33 am, the generator’s protective relay was still perfectly synchronized with the electrical network. But then, it started to behave weirdly when it opened the circuit breaker to disconnect the generator.

Disconnected from the Idaho National Laboratory’s electrical grid, the generator instantly accelerated and spun faster and faster. As soon as the protective relay detected that the generator’s rotation was out of sync with the network, the infected circuit of the protective relay reconnected the generator to the network.

The moment the generator reconnected to the network, it encountered a braking force from the other generators in the network. This was to pull the speed of the accelerating generator back to its slower initial speed to synchronize with other generators.

Monitoring Room — Researchers monitored the event through the screens.

Through the monitor in the room where the controlled hack happened, everyone saw a 27-ton machine suddenly shook violently and let out a whip-like sound. The whole process from when the malicious file was sent to the generator to when the machine started shaking was less than a second.

Different parts of the generators started popping out of the machine. Inside, the belt between the two rotating spindles of the generator seemed to be torn apart.

A few seconds later, the machine vibrated again as the infected protective relay repeated its cycle. This time, a thick cloud of white smoke began to emit from the generator, probably due to the burning of the internal parts.

By the third cycle, the machine began to show that it couldn’t handle it anymore. The white smoke had turned to grey and became thicker. By the fourth cycle, the thick black smoke that emitted from the machine had flown 10 meters above the chimney and then faded, signaling the 27-ton generator's last beat.

After the experiment, in the inspection room, the researchers discovered that the spindle crashed into the inside wall of the engine, creating deep holes in both parts and left metal debris everywhere inside the machine. In the generator part, the coil and its insulation melted and caught fire. The whole machine had turned into an unusable pile of scrap.

The experiment showed just how a few lines of code could have a physical impact. They could damage the most important equipment of the entire electrical grid to the point that it was irreparable.

Real-world consequences

About a decade later, what was demonstrated in the Idaho National Laboratory happened in a real event.

By the end of 2016, a cyberattack on three power distribution centers in western Ukraine left 230,000 residents frozen in the cold with a six-hour power outage.

The hackers not only disconnected the transformers in the area but also disabled the backup generators of these centers. As a result, it took engineers a longer period of time to restore the electrical system.

But the most horrifying event was the one caused by the NotPetya malware not long after that. It paralyzed the operations of 76 ports under Maersk’s management, causing ships with millions of tons of cargo unable to dock.

At that time, many global businesses became the victims of the malware, including FedEx courier, Mondelex confectionery company, pharmaceutical company Merck, manufacturer Reckitt Benckiser (owner of Durex, and Lysol),…

Maersk Line — It paralyzed the operations of 76 ports under Maersk’s management, causing ships with millions of tons of cargo unable to dock.

Yet, the scale of the attack even reached the national level as it swept through Ukraine’s computer networks. At least in Kyiv, the malware attacked the computer systems of more than 22 banks, 6 electricity companies, 4 hospitals, and 2 airports. A Ukrainian official estimated that the malware had wiped out around 10% of the country’s computers.

According to the White House’s statistics, the total damage of the NotPetya malware could reach over $10 billion, surpassing even the WannaCry ransomware that caused damage from $4 billion to $8 billion. Until now, there hasn’t been any malicious malware that can reach the scale of NotPetya.

>>> China Attacked Indian Satellite Systems Several Times In The Last Decade