Thanks Dan for the tip.
First a reading tip to save you time. Most of the 840 pages are weekly reports from the DHS Control System Security Program (CSSP). There is a ton of repetition as each week’s report carries forward all of the previous week’s items. So go straight to page 750 and you will see the reports going backwards from 19-23 Nov 2007 to 22-26 Jan 2007.
The most interesting excerpt is from the 12-16 March 2007 report:
The CSSP large scale validation test of a significant control systems vulnerability (Pandora) was successfully completed at the Idaho National Laboratory on March 4, 2007. Results and findings from the test are being documented and significant follow-on activities are anticipated. The Tiger Team formed to coordinate activities for this vulnerability will meet on March 13. to U/S Foresman is scheduled to be briefed the afternoon of March 13. Briefings to Secretary Chertoff, House Homeland Security Committee and White House Homeland Security Council are anticipated.
After that Pandora entry there is no other mention of Pandora in the weekly reports. It evidently was classified and changed its name to Aurora. A meeting to discuss the technical details of the Aurora vulnerability appears next in the 19-23 Nov 2007 weekly report on page 751.
There were mentions of this “large scale validation test of a significant control system vulnerability (Pandora)” in the weekly reports prior to the test. A few other tidbits:
_____
It’s been seven years since that turbine shook and the smoke came out, yet I always thought Aurora was a lost opportunity.
The real beauty of the Aurora demonstration was it clearly showed that a cyber attack could affect a physical process. The specific vulnerability they chose to achieve this, while not unimportant, was not the main point to take from Aurora. It was an effective and dramatic demonstration.
Aurora should have led a massive DHS and US Government push to address the insecure by design ICS that run the critical infrastructure. Instead of taking this and leading a massive PR and bully pulpit campaign building off of this expensive but effective demonstration, people lost their jobs because the video and secret got out.
Perhaps the idea of physical damage through a cyber attack struck too close to Stuxnet, or maybe it didn’t have the internal support and program to leverage the successful demo. Whatever the reason it was a lost opportunity.
I knew it was lost during the Congressional Hearings. Senators and Representatives asked the august panel from DHS, NERC, utilities, etc. if the Aurora problem had been fixed. Rather than use the question to pivot and highlight Aurora is a small symptom of the larger problem, the experts would go into the plan in place to address Aurora.
I can’t end this long post without a nod to my friend Joe Weiss. He has beating the Aurora drum harder and longer than anyone else. Perhaps this will give him more ammunition for his cause. It is difficult to reconcile Pandora being called “a significant control system vulnerability”, being classified, resulting in all those briefings, tiger teams, remediation plans, … and the relatively small expenditure and effort to address the “Aurora vulnerability”.
and just in case you want to see the video again: