This work is licensed under a Creative Commons Attribution 3.0 License. For more information, see http://creativecommons.org/licenses/by/3.0/.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JPETS.2019.2923970, IEEE Power and Energy Technology Systems Journal
Abstract-- Physical control systems are increasingly controlled
by reconfigurable, network-enabled devices to increase flexibility
and ease commissioning and maintenance. Such capability creates
vulnerabilities. Devices may be remotely reprogrammed by a
malicious actor to act in unintended ways, causing physical
damage to mechanical equipment, infrastructure, and life and
limb. In this paper, past examples of actual damage to cyber-
physical systems are shown, threats posed by software-controlled
Variable Frequency Drives (VFDs) are analyzed, and a small-scale
version of an attack on ubiquitous VFD equipment is
demonstrated.
Index Terms— Cyberattack, Physical Damage, Energy Storage,
Industrial Control, Internet of Things, Motor Drives
I. INTRODUCTION AND MOTIVATION
PHYSICAL industrial control systems are increasingly tied
to the internet to enable remote monitoring and control,
creating new vulnerabilities. Intended to allow simplification
of product lines and ease of installation and commissioning,
such flexibility introduces the potential for misuse. No longer
limited to stealing credit cards, data, or other personal
information, hackers or other malicious actors may now
remotely access hardware, change settings, or reprogram
devices to cause real physical damage on an unlimited scale.
It is typical in engineering training to view physical failures as
statistically independent events, based on principles such as
mean-time-to-failure. But, a cyber attack can occur at any time
and impact many devices simultaneously. This has important
consequences that must be carefully considered and are the
primary contribution of this paper.
II. BACKGROUND
A few selected examples show the breadth of the problem’s
motivations, methods, and potential impacts. The Aurora
Vulnerability, identified by a United States Department of
Homeland Security program, established a potential
vulnerability. In other examples, the power grid in Ukraine was
brought down for a short time, a pipeline in Turkey was blown
up, and a malicious computer worm halted the Iranian nuclear
fuel enrichment program.
This material is based, in part, upon research supported by the Department
of Energy under Award Number DE-OE0000780 and a seed grant from the MIT
Energy Initiative (MITei).
Matthew G. Angle is with the Department of Electrical Engineering and
Computer Science, Massachusetts Institute of Technology, Cambridge, MA
02139 USA (e-mail: mangle@mit.edu).
Stuart Madnick is with the Sloan School of Management and School of
Engineering, Massachusetts Institute of Technology, Cambridge, MA 02139
USA (e-mail: smadnick@mit.edu).
A. Aurora Vulnerability
The so-called “Aurora Vulnerability” was demonstrated at
Idaho National Labs as part of a 2007 Department of Homeland
Security investigation of vulnerabilities in the United States
power grid. In the test, researchers used remotely-controllable
relays to connect and disconnect a diesel backup generator to
the grid. The test resulted in the complete destruction of the
generator unit [1].
To understand the mechanism of attack requires an
understanding of generator synchronization. Generator
synchronization is required to connect a generator to the grid.
The states of the grid and generator are determined by two
parameters: voltage and phase. Rotating electric machinery
produces an alternating current waveform of the form V sin(ωt),
where V is the amplitude of the voltage, and ω is the frequency
at which it oscillates. In the United States, this frequency is 60
Hz, or approximately 377 radians per second. The three phases
are separated by 120°, forming a balanced set whose sum is
zero.
If the voltage and phase of the generator do not match those of
the grid when the two are connected, current will flow into the
generator and produce torque sufficient to pull the generator
into correct phase alignment. Generator voltage will determine
whether power flows into or out of the generator. The
mechanisms of these actions vary with the type of generator,
but they all result in torque applied to the generator to drag it
into matching phase. To accomplish this task, an instrument
called a synchroscope, as shown in Fig. 1, is normally used. It
shows the relative phases of the machine and grid. The operator
will adjust the speed of the generator to allow the phases of the
generator to align with that of the grid, at which point a switch
is used to connect the two [2].
Fig. 1: Typical Synchroscope used for synchronization of electric machinery
to grid
Identifying and Anticipating Cyber Attacks that could cause Physical Damage to Industrial Control Systems
Matthew G. Angle, Member, IEEE, Stuart Madnick, Member, IEEE, James L. Kirtley, Jr., Fellow, IEEE, Shaharyar Khan
James L. Kirtley, Jr. is with the Department of Electrical Engineering and
Computer Science, Massachusetts Institute of Technology, Cambridge, MA
02139 USA (e-mail: kirtley@mit.edu).
Shaharyar Khan is a fellow of the System Design and Management
program, Massachusetts Institute of Technology, Cambridge, MA 02139 USA
(e-mail: shkhan@mit.edu).
During the Aurora test, electronic switches were used to open
and close the connection of the generator to the grid. When
disconnected, the generator would become unloaded, and
would speed up slightly, pulling it out of phase with the grid.
At this point, the switch would be reconnected, whereby power
would flow into the generator, operating it as a motor to realign
itself with the grid phase. The massive amount of torque
stressed the mechanical components in the generator. By
repeatedly connecting and disconnecting the generator,
mechanical components were driven to failure. The massive
generator, shown in Fig. 2, basically tore itself apart.
Fig. 2: Screen capture showing Generator used in the Aurora test
This test demonstrated a problem faced by industry, but
previously only as an accident. One example occurred at the
Clinton Power Station Nuclear Plant in Clinton, IL. During a
backup generator test, an out-of-phase synchronization
occurred, damaging the stator windings of the generator and
causing an overvoltage event on the power bus. The cause of
the incident was not immediately known [3]. Other problems
include breakers that close slowly, allowing the generator to
move out of phase between the time that the command to close
is given and the time electrical contact is made [4].
Such vulnerability is not confined to diesel backup generators.
Any electrical generator that is connected to the grid can
experience this problem, including those in wind turbines,
water turbines, fossil-fuel-driven power plants, and nuclear
plants.
While this event was not an attack, it demonstrated a
vulnerability that could be exploited to take a power system out
of commission reliably, suddenly, and for a long time in a
manner that may not initially be recognized as a cyber attack.
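The voltage-and-phase condition described above is exactly what a synchronism-check (ANSI 25 style) function in a protection relay enforces before it permits a close, and it is the defensive counterpart of the Aurora mechanism. The following is added example code, not from the paper or from any relay vendor; the 64-samples-per-cycle rate, the 10° / 5% / 0.1 Hz limits, and the grid and generator waveforms are constructed assumptions.

```python
"""Synchronism-check logic: estimate the 60 Hz phasors of the grid and
generator voltages from samples, then permit a breaker close only when
amplitude, phase angle and slip are all inside their windows."""
import math

F_NOM = 60.0                    # nominal grid frequency, Hz
OMEGA = 2 * math.pi * F_NOM     # ~377 rad/s, as in the text
N_CYCLE = 64                    # samples per nominal cycle (assumed)
FS = F_NOM * N_CYCLE            # 3840 samples/s


def dft_phasor(x, end):
    """Amplitude (V) and phase (rad) of the 60 Hz component of the
    one-cycle window of samples ending at index `end` (inclusive)."""
    re = im = 0.0
    for k in range(end - N_CYCLE + 1, end + 1):
        t = k / FS
        re += x[k] * math.cos(OMEGA * t)
        im -= x[k] * math.sin(OMEGA * t)
    return 2 * math.hypot(re, im) / N_CYCLE, math.atan2(im, re)


def wrap(a):
    """Fold an angle into [-pi, pi)."""
    return (a + math.pi) % (2 * math.pi) - math.pi


def sync_check(vgrid, vgen, end, max_angle_deg=10.0, max_volt_pct=5.0,
               max_slip_hz=0.1):
    """Decide whether closing at sample `end` is permitted. Needs at least
    2*N_CYCLE samples: slip is the drift of the angle difference between
    two windows one nominal cycle apart."""
    g1_mag, g1_ang = dft_phasor(vgrid, end)
    m1_mag, m1_ang = dft_phasor(vgen, end)
    _, g0_ang = dft_phasor(vgrid, end - N_CYCLE)
    _, m0_ang = dft_phasor(vgen, end - N_CYCLE)
    d1 = wrap(m1_ang - g1_ang)           # generator angle relative to grid now
    d0 = wrap(m0_ang - g0_ang)           # same, one cycle earlier
    dphi_deg = math.degrees(d1)
    dv_pct = 100.0 * abs(m1_mag - g1_mag) / g1_mag
    slip_hz = wrap(d1 - d0) / (2 * math.pi) * F_NOM   # rad per cycle -> Hz
    permit = (abs(dphi_deg) <= max_angle_deg and dv_pct <= max_volt_pct
              and abs(slip_hz) <= max_slip_hz)
    return {"dphi_deg": dphi_deg, "dv_pct": dv_pct,
            "slip_hz": slip_hz, "permit": permit}


def waveform(amp, freq, phase_deg, n):
    """Constructed sampled sine: amp * sin(2*pi*freq*t + phase)."""
    phi = math.radians(phase_deg)
    return [amp * math.sin(2 * math.pi * freq * i / FS + phi) for i in range(n)]


def evaluate(gen_amp, gen_freq, gen_phase_deg):
    """Run the check on a constructed grid (170 V peak, 60 Hz) against a
    constructed generator waveform, using the last of three cycles."""
    n = 3 * N_CYCLE
    grid = waveform(170.0, F_NOM, 0.0, n)
    gen = waveform(gen_amp, gen_freq, gen_phase_deg, n)
    return sync_check(grid, gen, n - 1)


if __name__ == "__main__":
    cases = [("in step", (170.0, 60.0, 0.0)),
             ("30 deg out of phase", (170.0, 60.0, 30.0)),
             ("0.5 Hz slip", (170.0, 60.5, 0.0)),
             ("10% low voltage", (153.0, 60.0, 0.0))]
    for label, args in cases:
        r = evaluate(*args)
        print(f"{label:20s} dphi={r['dphi_deg']:6.2f} deg  dV={r['dv_pct']:5.2f}%  "
              f"slip={r['slip_hz']:5.2f} Hz  permit={r['permit']}")
```

A close command that arrives while `permit` is false, whether from an operator, an automation sequence, or a compromised controller, is what a supervisory relay should block; the Aurora test is the case where no such check stood between the switch command and the generator.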
B. Ukrainian Power Grid Attack
On December 23, 2015, the lights went off in the Ivano-
Frankivsk region of the Ukraine, shown in Fig. 3. Months
before, a phishing email had been sent to workers at three
electricity companies, causing them to enable macros in an
attached Word document. BlackEnergy3, a malware program,
would then be installed, giving hackers a back door into the
systems in the substation. From here, the attackers performed
surveillance on the network, eventually obtaining login
credentials for remote access to the SCADA (Supervisory
Control and Data Acquisition) systems [5].
Fig. 3: Diagram of Electrical Grid in the Ukraine [6]
The attack had several different prongs. The UPS
(Uninterruptible Power Supplies) that provided backup power
for the control systems were disabled. Then the hackers used
access to the SCADA systems to open switches which
distributed power to the grid. Firmware controlling serial-to-
ethernet controllers was overwritten, preventing further control
of the switches. A telephone Denial-of-Service was mounted
against the power utility call centers, enraging the public.
Finally, a program called KillDisk was used to overwrite the
computers in control centers, preventing any further action on
the part of the operators. While power was out for only one to
six hours, seven 110 kV and twenty-three 35 kV substations
were hit by the attack, resulting in outages to 225,000 customers
[5] [7].
Months after the attack, substations were still being operated
manually. While the attack merely disrupted power
distribution, the potential for physical damage was there. The
attackers chose only to send a message, rather than damage
equipment. Russia has widely been blamed for the attack, but
no one has stepped forward to claim responsibility.
C. Turkish Pipeline
On August 5, 2008, an oil pipeline near Refahiye, Turkey
exploded, shown in Fig. 4. The Turkish government initially
blamed the explosion on a mechanical failure. Later, the
Kurdistan Workers’ Party (PKK) claimed responsibility,
though it is suspected that Russia was behind the attack. The
attack caused a spill of 30,000 barrels of oil and shut down the
pipeline for three weeks. Due to the routing of the pipeline,
shown in Fig. 5, this cost British Petroleum $5 million per day
in transit tariffs and the State Oil Fund of the Republic of
Azerbaijan $1 billion in lost export revenue [8].
Fig. 4: Explosion of oil pipeline
The pipeline itself was built with security in mind. Most of
it is buried, and substations are surrounded with fences and
barbed wire. Cameras monitor most of its length, and
sophisticated alarms are present to warn of damage.
Fig. 5: Baku–Tbilisi–Ceyhan (BTC) pipeline route
The attack was preceded by two men entering one of the
substations with laptops a few days before the explosions. They
were able to gain entry to the network via a vulnerability in the
security cameras, from which they were able to access the
computers that hosted the SCADA systems. They were able to
cause the pipeline to become overpressurized, an action that
may have directly led to the explosion without a secondary
ignition source. The satellite communications for the alarm
systems had been jammed, and the explosion was eventually
reported by local residents. The security camera footage was
erased, though a single thermal camera was on a different
network and recorded the entry of the two men [8] [9].
This attack consisted of a deliberate act of sabotage that had
measurable economic impact for multiple actors.
D. Stuxnet
Stuxnet is the name given to a software worm that disrupted
the Iranian Uranium enrichment centrifuges, shown in Fig. 6.
Centrifuges are long metal cylinders that are spun at high
speeds, in this case, to separate isotopes of Uranium to build
nuclear weapons or to fuel power plants. These devices are run
right at the mechanical limit of the cylinders, which are placed
inside vacuum chambers to reduce surface drag.
Widely believed to have been developed by the United
States and Israel, Stuxnet utilized four separate zero-day
exploits to infiltrate SCADA systems controlling centrifuges in
Iran and quietly cause failures indistinguishable from normal
mechanical failures. The worm itself was only discovered long
after damage had been done.
Fig. 6: Iranian President Ahmadinejad inspects centrifuges at Natanz
The worm infected Windows operating systems via the LNK
vulnerability that exploited the auto-play functionality in USB
drives. It could then spread throughout a network through a
vulnerability in print spoolers. From there, it would look for a
copy of the Siemens Step7 software, then PLCs (programmable
logic controllers) controlling certain models of VFDs running
at certain speeds corresponding to operation of centrifuges.
Once the target was identified, the worm would cause the
centrifuges to speed up and slow down, crossing through
mechanical resonances until they failed, while simultaneously
reporting normal operation back to the SCADA system. Since
the Iran attacks, it has been found existing on many other
systems, but with little damage to them.
Stuxnet is an attack that caused widespread damage to a
system that requires only a few failures to damage the
effectiveness of the whole system. Its operation was carefully
tuned to produce frustrating mechanical failures that would
cause delays in a large program, and it remained hidden until
long after its intended damage had been done [10] [11].
E. Lessons Learned
The motivations, methods, and impacts of cyber attacks
come in different flavors. The Ukrainian power grid attack
appears to be politically motivated and caused a relatively
minor inconvenience, stopping well short of the physical
damage that could have been caused with the sort of control
authority obtained for the attack. The Turkish pipeline attack
consisted of a much lower level of effort with real physical
damage that cost many interested parties substantial amounts of
money. Stuxnet was a widely-distributed piece of malware
with a very specific target, designed to look like a normal
mechanical failure that delayed a massive, state-sponsored
research effort.
III. RELATED RESEARCH
In the past, most cyber attacks to Industrial Control Systems
have either targeted the IT infrastructure (e.g. the Aramco
Shamoon attack) or circuit breakers of the Operational
Technology (e.g., the Ukraine attack [5] [11] [13]). In such
cases, recovery is usually quite fast – either by rebooting the IT
computers or by resetting the breakers. But, if the Operational
Technology (OT) equipment, especially the important, large,
customized equipment, such as generators, is physically
damaged, recovery can take weeks or even months. The largest
reported such attack was to the centrifuges of the Iranian
uranium enrichment facility [7] [12].
Many works have been published which introduce cyber
attacks against industrial control systems. In this paper, we
provide a short overview of the state of the art in industrial
control system security research with a predominant focus on
energy delivery systems.
Morris [18] provides a taxonomy of industrial control system
cyber attacks. The work provides detailed descriptions of 17
attacks, grouped into 4 classes (reconnaissance, response and
measurement injection, command injection and denial of
service) against industrial control systems. The analysis,
however, stops short of explaining the consequences of such
attacks on the physical system.
Experiments demonstrating actual physical damage to
industrial control systems via simulated cyberattacks are
extremely rare. As stated by Krotofil and Gollmann [17],
conducting experiments on real systems comes with inherent
risk (due to the hazardous nature of the test) and is costly
because it involves the physical destruction of actual
equipment.
The alternative is to employ theoretic approaches to identify
vulnerabilities in industrial control systems or utilize models of
the physical process and run simulations using software-based
experiments.
Gollmann et al. [19] simulate a cyber-physical attack on a
chemical plant. The analysis demonstrates how expert domain
knowledge of the physical components and processes of a
system is required to transform a cyber attack into a cyber-
physical attack. Winniki et al. [20] show via simulations how
it is possible to reverse engineer a controlled physical process
from observations of responses to crafted impulses.
Srivastava et al. [21] analyze vulnerability of the electric grid
using graph theoretic approaches. They conclude, based on
simulations, that an Aurora-type attack has the potential to
cause physical damage to generators, making them unavailable
for restoration operation.
Huang et al. [22] present a risk assessment method to
quantify the impact of cyberattacks on the physical part of the
industrial control system. The applicability of this method is
limited to linear systems (while the vast majority of industrial
control systems are non-linear) and is based on probabilities of
failure of actuators and sensors.
Friedberg et al. [23] provide a hazard analysis methodology
that integrates safety and security analysis into a concise
framework using the System-Theoretic Accident Model and
Processes (STAMP) accident-causality model. The analysis
identifies vulnerabilities in synchronous-islanded operation
microgrids.
As may be evident, there is a plethora of published papers on
the topic of physical damage of industrial control systems
caused by cyber attacks, using a range of different simulation
methods and techniques. To the best of our knowledge, the only
other demonstrated cyber attack (in the academic literature) that
caused physical damage to an industrial control system was the
Aurora Vulnerability, mentioned earlier.
In this part of our study, we want to explore other
vulnerabilities to industrial control systems. We use an
example plant, shown in Fig. 7, as a starting point for our
investigation and demonstrate the exploitation of one such
vulnerability to cause actual physical damage to a VFD.
IV. CASE STUDY
As part of our research, we studied a plant that contained a
gas turbine generator used to provide electricity. Waste heat is
used to fire boilers that produce steam for heating and to drive
chillers which provide chilled water and air conditioning. The
plant also draws on a regional power grid, and the plant’s
generation capability is throttled to most economically supply
power based on fluctuating electricity and natural gas prices.
As an example of the challenges, recently, a water/fuel
injection nozzle was clogged as a result of a contaminated filter
(i.e., not caused by cyber attack). As a result, the turbine was
down for three months while replacement parts were sourced
from the manufacturer in Germany. The point is that repairs can
take a long time, as many components are built specifically for
each installation.
Fig. 7 is an example wiring diagram of such a system,
showing pumps that keep chilled and hot water flowing,
switches that distribute electricity, and all of the major electrical
loads. Many of these components use VFDs, as highlighted in
the diagram, and are automated and controlled remotely from a
control room at the plant. This facility makes for an excellent
study of vulnerabilities in power grids.
The plant has many points that are vulnerable to attack. The
turbine itself is a large, expensive, and complicated system that
may be easily damaged. It must be kept spinning while it cools
to avoid damaging blades. This is accomplished by a system
powered by a lead-acid battery bank. Simply disabling the
charging system and monitoring alarms for this battery bank
could easily cause significant damage to the turbine. Similar
lead-acid battery banks exist to provide start-up power to
backup generators.
Fig. 7: Electrical layout of a plant showing 350 hp Chilled Water Pump
The turbine is also supported by systems that regulate natural
gas pressure. These are pneumatic-actuated regulators that step
down pressure from a 300 PSI line pressure to a 25 PSI feed for
the boilers. A loss of pneumatic pressure would, at minimum,
cause a turbine shutdown. The lesson is that this complicated
piece of hardware is supported by many other complicated
systems, each with vulnerabilities of their own. An attack is as
simple as identifying one point in one support system, and the
turbine may be shut down or irreparably damaged.
Many ways to access the controls of the various systems
exist. Each of the control units on the more modern pieces of
hardware (chillers, turbine) has a remote monitoring system
installed by the manufacturer with a communication line out.
Some versions of these systems have only remote monitoring
capability, while others have remote control authority. Industry
experts that we conferred with confirmed that they do both
configuration and firmware updates remotely over the internet
and that the whole industry is moving in that direction. Various
strategies exist for isolating them from remote commands, but
at the expense of the inability to use common two-way
communication protocols, such as TCP/IP.
The turbine, in particular, has a system installed that allows
remote monitoring by the manufacturer. We were fortunate
enough to talk with Siemens technicians while they were
working on the turbine. They told us that there are many similar
systems, and while most provide them with only remote
monitoring privileges, a few allow remote engineering
privileges, meaning that they can remotely control the turbine.
As described in the Department of Homeland Security (DHS)
guide for managing remote access for industrial control systems
[24], the typical method to facilitate this connection is
straightforward; the network switch that is connected to the
master PLC is simply connected to a router that has internet
access. When connected, the vendor connects to the web
interface of the master PLC and begins remote administration
of the device and other field equipment connected to it.
Remote access introduces several vulnerabilities in the
security architecture of the industrial control system. For
instance, an attacker may send direct malicious commands to
the data acquisition equipment or manipulate the database that
records process control parameters (or historical data). An
effective attack may be able to export the HMI screen back to
the attacker which may be used to gain an intimate
understanding of the operations to be used in subsequent attacks
or launch Man-in-the-middle attacks by spoofing the operator
HMI displays and fully controlling the control system.
A 2017 advisory by DHS against one of the vendors that
provides remote monitoring capability (OSIsoft) warns of a
security vulnerability in one of its products that “could allow
the attacker to spoof a PI Server or cause undefined behavior
within the PI Network Manager” [25]. While it is unclear at this
time what the exact differences are between remote monitoring
and remote control hardware, or if the same hardware is used
and certain capabilities are precluded via software
configuration, the point is that remote access capability
introduces vulnerabilities that could be exploited by malicious
actors.
Outside contractors are used to maintain various systems,
including the VFDs that drive all of the larger pumps in the
system. The contractor that maintains the VFDs in the plant
reports that it has never updated the firmware, but does
periodically plug a laptop into the devices to monitor their
operation. In some models of VFDs, a firmware update may be
pushed over this same connection, and operating parameters
may be changed. Either of these actions is sufficient to damage
either the VFD or the load attached to it. By changing operating
parameters, grossly incorrect control strategies may be imposed
on physical hardware. The ability to change the firmware
provides the ability to do much more or potentially non-obvious
damage. In this case, infecting the computer system of the
contractor may be sufficient to introduce malware into the plant
systems.
Another outside company is used to make recommendations
on turbine throttle. The plant is set up to optimize expense,
purchasing power from the grid as well as natural gas to fire the
turbine. The throttle settings are changed up to three times per
day to take advantage of fluctuating electricity and gas prices.
This company has monitoring capability for the plant, but it is
unknown exactly what hardware is installed to do so or its
capability.
The computers in question, while normally “air gapped”, run
old versions of Windows that are no longer supported,
presenting many software vulnerabilities that could be
exploited to damage the plant or provide service outage.
The plant has several targets and methods of breaking in to
them. The power distribution switches are controlled from the
control room, presenting a situation that could unfold in a
similar manner to the Ukraine power grid attack, albeit on a
smaller scale. The turbine synchronization is controlled from
the control room, which allows the same sort of control that was
exploited in the Aurora demonstration, destroying a generator,
although protection relays are present to hopefully prevent
these sorts of faults. The steam and chilled water valves are
remotely controlled from the control room, so a situation
similar to the Turkish pipeline, minus the flammable mixture in
the pipes, could be orchestrated. Almost all of the hardware is
either remotely monitored or monitored by an outside company.
Anything that allows communication in this manner may be
co-opted to cause mischief or worse.
The security of such a facility is also vulnerable to human
error. In some studies, it was discovered that files containing
movies had been transferred to computers in the control room
of a plant. They were presumably brought in on a USB drive
and connected to a computer that is “air gapped” from the
internet, meaning that it does not have network connectivity.
So, even presumably “air gapped” facilities can be vulnerable
to inevitable human errors.
V. POTENTIAL FOR CATASTROPHIC CYBER ATTACK
In typical facilities, it is expected that mechanical components
(e.g., pumps) will eventually experience failures. So, various
approaches are used to mitigate the impact, such as extra
capacity, redundant equipment, and/or backups.
But these approaches are largely based on the notion of
independence of mechanical failures. That is, the probability of
a high-quality pump failing is small, but the probability of two
failing at the same time is extremely small, etc.
But, that independence does not apply to a cyber attack that
damages multiple components at the same time as easily as it
damages one. As illustrated earlier, recovery from such
physical damage can take a long time, which could lead to a
catastrophic large-scale and long-term disruption to energy
delivery.
VI. SMALL-SCALE DEMONSTRATION OF VULNERABILITY OF VFDS
A VFD is used to drive an electric machine at a variable
speed. Applications usually include pumps and fans, where
load is throttled by changing the shaft speed driving the
equipment. Such devices have become ubiquitous in industrial
environments, driving a majority of large motor loads.
Fig. 8: Block representation of VFD
A VFD consists of two main functional blocks, as shown in
Fig. 8. There is a rectification stage, which takes alternating
current (AC) power and turns it into direct current (DC) power.
This is usually a diode bridge, or in some cases, an active
rectifier where controllable switches are used to improve
performance. An inverter stage then turns DC back to AC, but
at a different frequency and voltage than the original. This
usually consists of a series of switches that are driven with a
variable duty cycle to produce the proper output waveform.
This output waveform is scaled to properly drive the attached
motor. Various schemes exist to drive machines. A common
one is a simple volts/Hz scaling, where the voltage of the AC
waveform is scaled with the frequency. As the motor spins
faster, the voltage required to drive it increases proportionally,
keeping the flux inside the machine constant. Other, more
complicated schemes model various parameters inside the
motor and attempt to control them directly. Vector control is a
popular scheme.
Sitting between the two stages is an energy storage element.
This consists of capacitors that store charge at an intermediate
DC voltage to provide power to the driven motor. They are
referred to as DC link capacitors. These capacitors are sized
such that their voltage does not change appreciably throughout
a single cycle. Given that power coming in from the rectifier is
at comparatively low frequency, these devices are usually quite
large and store large amounts of energy.
A power factor correction stage is often placed between the
rectifier and energy storage elements. Its function is to cause
power to be drawn at a power factor close to 1. Power factor is
a measure of offset between the voltage and current waveforms
drawn from the source. At a power factor of 1, the voltage and
current are in phase. If the two are not in phase, the load draws
reactive power, which does no real work, but is still charged for
by the utility. Electric machines run at light load (reduced
throttle) often draw significant reactive power, increasing their
running costs.
A. VFD Test Kit
Shown in Fig. 9 is a Texas Instruments High Voltage Motor
Development Kit. This is a unit built around TI’s C2000 motor
control chip and includes all of the hardware necessary to
evaluate its function in driving a machine. In the lab, it is used
to build custom motor drives. For our purposes in this project,
it is a complete VFD with the added benefit of being supplied
with source code with which we are immediately familiar. Such
kits are sold with the idea that the control chip will be easily
evaluated by a company’s engineers and in turn used in their
product lines.
Fig. 10 shows the block diagram of the TI motor driver. We
can see the two main functional blocks mentioned above. The
left side shows the AC mains (Vac) feeding a diode rectifier.
On the middle right, we see a box labeled “PWM” that contains
the switches that comprise the inverter. In between, we have
the power factor correction stage (PFC) as well as storage
capacitors attached to the DC bus.
Fig. 9: Texas Instruments High Voltage 1 hp Motor Control Development Kit
The immediately interesting aspect of this layout, from a
cybersecurity perspective, which is shared by many VFDs used
in industrial environments, is the power factor correction stage
combined with the DC link capacitors. The power factor
correction stage consists of two boost converters that operate
out-of-phase with one another. By turning them on and off at
opposite times, they draw power at near unity power factor.
Boost converters are usually used in battery-powered
electronics to boost the voltage from the battery level to that
required by the device. They are also used in devices like
flashes for cameras to create voltages high enough to fire a
flash, which can be in the hundreds of volts range, from a
battery at single digit volts. In our case, we rectify 120 V AC,
then pass it through the power factor correction stage which
brings it up to the ~400 V DC bus. The DC bus is monitored,
and the drive signals to the power factor correction stage are
adjusted to keep the DC bus voltage in the proper range. The
important aspect here is that a large energy storage device is
kept in its proper range by software control.
Fig. 10: Block Diagram of TI Motor Drive
A DC link capacitor stores a large amount of energy. In the
lab, they are known to explode when they are exposed to
excessive AC current, reverse biased, or exposed to voltages
larger than their rating.
B. VFD vulnerability to malicious software
To demonstrate vulnerability to malicious software, the
firmware in the VFD was modified to intentionally allow the
voltage on the DC bus to run away.
Fig. 11 and Fig. 12 show the modifications made to disable
software control of the power factor correction stage and
protection of the DC bus voltage. In Fig. 11, the converter is
set up to run in an open-loop diagnostic mode, and line 360
is modified to command a constant duty cycle, in this case 0.5.
In Fig. 12, the procedures that protect the DC bus voltage are
simply commented out. This prevents the unit from shutting
down once the voltage rating is exceeded.
The result of these software tweaks is shown in Fig. 13. The
oscilloscope is showing the drive signal to the power factor
correction stage (PWM 4A from Fig. 10). This was performed
to demonstrate control of the duty cycle feeding the power
factor correction stage. Also seen in Fig. 13 are the capacitors
on the DC bus; they are the cylindrical items in the drive on the
far right.
Fig. 11: Duty cycle modification on line 360
Fig. 12: Disabling of overvoltage protections (lines 1031-1036)
Fig. 13: Demonstration of Duty Cycle control on Power Factor Correction stage
The capacitors on the DC bus are rated to 450 V. The DC
bus is run somewhat below this to ensure a long component life.
When run open-loop with no load connected, the output
voltage of a boost converter will rise without limit.
In our case, we expect the capacitors to begin leaking current,
which eventually limits the voltage on the output of the boost
converter, but only at a level far beyond their voltage rating. It will
then be only a matter of time before the capacitors catastrophically
fail, as the leakage current heats the fluid inside until the point where
the case bursts. If one of the capacitors shorts internally, it may
cause further damage to the rest of the capacitors on the bus.
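The point of this section, that the DC bus is held in range only by software and that an unloaded open-loop boost stage climbs without limit, can be made concrete with a cycle-by-cycle model. The following is an added example, not code from the paper or from the TI kit firmware: component values are constructed to resemble the 1 hp kit, the regulator gain and shutdown threshold are assumptions, and the firmware-independent hardware overvoltage trip it includes is an assumed mitigation, not one the paper describes.

```python
"""Cycle-by-cycle model of a PFC boost stage feeding a VFD DC link.
Added example, not code from the paper or the TI kit firmware. Values are
constructed to resemble the 1 hp kit in the text (120 V AC in, ~400 V bus,
450 V capacitors, ~200 J at rated voltage); the inductor, switching period,
regulator gain and shutdown/trip thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

C_BUS = 2.5e-3          # F, DC-link capacitance: 0.5*C*400^2 = 200 J
V_IN = 108.0            # V, mean of rectified 120 V AC (assumption)
L_PFC = 1.0e-3          # H, boost inductor (assumption)
T_SW = 50e-6            # s, 20 kHz switching period (assumption)
V_REF = 400.0           # V, regulated bus set point
V_CAP_RATING = 450.0    # V, capacitor rating quoted in the text
SW_OV_SHUTDOWN = 440.0  # V, firmware overvoltage shutdown (assumption)
FIXED_DUTY = 0.5        # constant duty the modified firmware commands


def stored_energy(v_bus: float, c: float = C_BUS) -> float:
    """Energy held by the DC-link capacitors, E = 1/2 C V^2, in joules."""
    return 0.5 * c * v_bus * v_bus


def energy_per_cycle(duty: float) -> float:
    """Energy moved into the bus in one switching period (discontinuous
    conduction, valid once V_bus > V_IN/(1-D)): the inductor charges to
    I_pk = V_IN*D*T_SW/L and dumps all of 1/2*L*I_pk^2 through the diode
    into the capacitors however high the bus already is, so an unloaded
    open-loop stage climbs without limit."""
    i_pk = V_IN * duty * T_SW / L_PFC
    return 0.5 * L_PFC * i_pk * i_pk


def regulated_duty(v_bus: float) -> float:
    """Intact firmware: proportional regulator, duty clamped to [0, 0.5]."""
    return min(FIXED_DUTY, max(0.0, 0.1 * (V_REF - v_bus)))


@dataclass
class Outcome:
    v_peak: float                   # highest bus voltage reached (V)
    v_final: float                  # bus voltage when the run ended (V)
    t_over_rating: Optional[float]  # time the 450 V rating was crossed (s)
    stopped_by: Optional[str]       # "software", "hardware" or None


def simulate(regulated: bool, sw_protection: bool, hw_trip_v: Optional[float],
             load_w: float = 0.0, duration: float = 10.0) -> Outcome:
    """Run the bus from normal operation at V_REF for `duration` seconds.
    regulated=False with sw_protection=False models the modified firmware
    (fixed duty, shutdown code removed); hw_trip_v models a comparator-driven
    input contactor that firmware cannot alter (assumed mitigation)."""
    v = V_REF
    e = stored_energy(v)
    peak, t_over, stopped_by = v, None, None
    for n in range(int(duration / T_SW)):
        if hw_trip_v is not None and v >= hw_trip_v:
            stopped_by = "hardware"      # acts regardless of firmware state
            break
        if sw_protection and v >= SW_OV_SHUTDOWN:
            stopped_by = "software"      # the check the attack commented out
            break
        duty = regulated_duty(v) if regulated else FIXED_DUTY
        e = max(0.0, e + energy_per_cycle(duty) - load_w * T_SW)
        v = (2.0 * e / C_BUS) ** 0.5
        peak = max(peak, v)
        if t_over is None and v > V_CAP_RATING:
            t_over = n * T_SW
    return Outcome(peak, v, t_over, stopped_by)
```

With the intact regulator the bus settles a few volts under 400 V; with the two firmware changes applied and no load it passes the 450 V rating in well under a second, while either the software shutdown alone or the hardware trip stops the rise before the rating is reached.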
Fig. 14 shows the result of a small-scale test of this concept.
The power factor correction stage was set to run open-loop, and
the voltage protection shutdowns were disabled. Voltage on the
bus rose to approximately 550 V, and the capacitors exploded
one by one. While there was no violent explosion or damage to
nearby structures, it did fill a large outside area with smoke.
The DC bus in this case stores 200 Joules at rated voltage, or
the energetic equivalent of approximately seven firecrackers
[12].
Once all of the capacitors had exploded, voltage rose to the
point where one of the switches in the converter failed, causing
an internal short and blowing the input fuse on the VFD. In an
industrial setting, this would have disabled any load attached to
it, but only after significant damage had been done to the
capacitors, the VFD, and possibly nearby equipment.
Fig. 14: Small Scale Test showing destruction of DC link capacitors
C. Larger scale vulnerability possibilities
Capacitors scale with output power of the drive. Shown in
Fig. 15 is the DC link capacitor bank of a 100 hp drive. The
white cylinders are capacitors, and the metal plates on the ends
are the DC bus bars.
Fig. 15: DC Link Capacitors on 100 hp Inverter
The capacitors in the DC link are 7290 µF and rated to 280
V. If they were to explode in the same manner as the
demonstration, they would release approximately 1700 Joules,
or about 60 firecrackers [12].
In an industrial setting, VFDs may be much larger. In the
plant studied, there are several large VFDs driving chilled water
pumps. One large VFD driving a 350 hp pump is highlighted in
the electrical layout drawing of the plant presented earlier in
Fig. 7.
Fig. 16 shows a 500 hp VFD. The cabinet contains breakers
and large cooling devices, but also very large energy storage
capacitors on a DC bus that could be attacked in the same way
as the capacitors in the 1 hp unit in the demonstration above.
Fig. 16: Size comparison with 500 hp VFD
D. Cybersecurity vulnerabilities and prior VFD energy
storage failure examples
Modern VFDs may be configured and commissioned over a
network connection. Firmware may be remotely pushed to the
device over the network as well. Such capabilities may be
readily exploited by malicious actors to cause damage to the
VFD itself or the machinery connected to it.
Many attack surfaces exist for VFDs in industrial settings.
Features may be used by a malicious hacker to damage the
hardware attached to the drive. One such feature is the ability
to skip certain frequencies when starting up or running. This is
done to prevent excitation of resonances in the mechanical
systems the drives are controlling. This feature, being a user
programmable setting, may be queried from the network on
many drives. It is then a simple matter to command the drive
to operate at the damaging frequency [13] [14].
As mentioned earlier, there are other ways to cause an
energy storage capacitor to fail. Fig. 17 and Fig. 18 show the
result of a capacitor failure in the harmonic filter of the cruise
ship Queen Mary II. In this case, the dielectric oil inside the
capacitor evaporated over time, eventually allowing an arc to
form inside the capacitor. The heat generated from the
flashover caused an increase in pressure, which ruptured the
case, spraying out the remaining oil, which presented a
conduction path to the bus bars. This caused a major arc flash
event, destroying the compartment and even blowing out the
door to the compartment (Fig. 18).
Fig. 17: Capacitor Explosion on Queen Mary II REF SB4-10
In this case, the damage to one capacitor did not disable the
ship, but simultaneously damaging several harmonic filter
capacitors on the main propulsion motors could strand the ship.
This has obvious military implications as well with the move to
electric propulsion.
This sort of damage can be caused by many factors,
including excessive harmonic content in the output of the motor
drives. This is something that could be intentionally caused by
very subtle, unnoticeable changes to the way in which the
output stage of the drive operates, causing very large amounts
of damage at unpredictable times.
Fig. 18: Steel Door from Harmonic Filter Capacitor bank on Queen Mary II REF SB4-10
An example of unintentional physical damage caused by a
VFD is shown in Fig. 19. This is the guard surrounding the
coupling on an 18000 hp pump owned by ExxonMobil. In this
case, a speed feedback signal was improperly wired around a
filter, creating an unfiltered feedback path that caused a system
resonance at the natural frequency of the coupling. Resulting
torque pulsations quickly destroyed the coupling, requiring
repair and research to determine the cause of the failure. While
there was expensive damage done to the machine, down time
was likely the real cost. Stuxnet was an example of exactly the
same phenomenon, except implemented intentionally as an
attack.
Fig. 19: VFD-induced Coupling Failure on 18000 hp LPG Compressor [15]
The cost of physical damage incurred as a result of a cyber
attack on an industrial control system varies widely between
industries based on the application, the complexity of the attack,
and the target component. Some attacks may impact the
cost of production, whereas others may cause worker fatalities
or injuries. Past safety or accident incident reports from
governmental and regulatory agencies can be a good starting
point for developing an initial understanding of the costs associated
with cyber-physical attacks using analogical reasoning. For
instance, querying the Accident Search database compiled by the
Occupational Safety and Health Administration (OSHA) revealed at
least two cases where VFD explosions resulted in worker
injuries (including third degree burns in one case) [26]. The
quantification of cyber-risk is a rich topic in its own right, and
while we provide some guidance on how to quantify the risk of a
cyber attack on an industrial control system, a full treatment is
beyond the scope of this paper.
VII. CONCLUSION
Electronics with energy storage components, or that control
physical systems, are capable of a wide variety of physical
damage should the software that controls them be improperly
configured or maliciously attacked. This phenomenon is
immediately obvious to anyone who has spent time in the lab
building such devices, as mistakes are often righted with a fire
extinguisher. But large-scale electrical energy storage devices
in a variety of systems contain sufficient energy to cause serious
damage.
The small-scale VFD demonstration presented here scales to
catastrophic damage in an industrial setting, potentially
endangering personnel as well as industrial processes. Through
the demonstration we have added to the small list of
documented experiments that show physical damage through
exploitation of vulnerabilities in industrial control system
components. The techniques discussed in this paper are
adaptable to cause other modes of physical damage in a wide
variety of industries, from critical infrastructure such as electric
utilities and gas and water distribution facilities, to mining
operations and building management systems.
Given the ever-increasing occurrences of cyber attacks, for
many different purposes, engineers must investigate, in
advance, such threats to their industrial control systems and
take preemptive measures to prevent or minimize the impact of
such attacks.
VIII. ACKNOWLEDGMENT AND DISCLAIMER
This material is based, in part, upon research supported by
the Department of Energy under Award Number DE-
OE0000780, a seed grant from the MIT Energy Initiative
(MITei), and Cybersecurity at MIT Sloan: the Interdisciplinary
Consortium for Improving Critical Infrastructure
Cybersecurity.
Disclaimer: Neither the United States Government nor any
agency thereof, nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial product,
process, or service by trade name, trademark, manufacturer, or
otherwise does not necessarily constitute or imply its
endorsement, recommendation, or favoring by the United States
Government or any agency thereof. The views and opinions of
authors expressed herein do not necessarily state or reflect those
of the United States Government or any agency thereof.
IX. REFERENCES
[1] J. Meserve, "Sources: Staged cyber attack reveals vulnerability in power grid," 26 September 2007. [Online]. Available: http://www.cnn.com/2007/US/09/26/power.at.risk/.
[2] M. J. Thompson, Fundamentals and Advancements in Generator Synchronizing Systems.
[3] M. T. Coyle, "USNRC 50-461: Licensee Event Report (LER) No. 2000-002-00," 2000. [Online]. Available: https://www.nrc.gov/docs/ML0036/ML003698812.pdf.
[4] L. S. Anderson and L. C. Gross, Jr., "Avoid Generator and System Damage Due to a Slow Synchronizing Breaker," 24th Annual Western Protective Relay Conference, October 1997.
[5] K. Zetter, "Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid," 3 March 2016. [Online]. Available: https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/.
[6] "Ukrainian National Electric Grid," [Online]. Available: http://www.geni.org/globalenergy/library/national_energy_grid/ukraine/ukrainiannationalelectricitygrid.shtml.
[7] "Analysis of the Cyber Attack on the Ukrainian Power Grid," 18 March 2016. [Online]. Available: http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf.
[8] J. Robertson and M. Riley, "Mysterious '08 Turkey Pipeline Blast Opened New Cyberwar," 10 December 2014. [Online]. Available: https://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar.
[9] H. English, "Turkish official confirms BTC pipeline blast is a terrorist act," 14 August 2008. [Online]. Available: http://www.hurriyet.com.tr/turkish-official-confirms-btc-pipeline-blast-is-a-terrorist-act-9660409.
[10] D. Kushner, "The Real Story of Stuxnet," 26 February 2013. [Online]. Available: http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet.
[11] K. Zetter, "An Unprecedented Look at Stuxnet, the World's First Digital Weapon," 3 November 2014. [Online]. Available: https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.
[12] J. Zimbelman, "How Big is 'BIG!'?: Comparing Forms of Energy Release," [Online]. Available: http://www.si.edu/Content/consortia/Zimbelman_presentation.pdf.
[13] K. Zetter, "There's a Scary Easy Way for Hackers to Remotely Attack Industrial Motors," 13 January 2016. [Online]. Available: http://www.slate.com/blogs/future_tense/2016/01/13/vulnerability_lets_hackers_burn_industrial_motors.html.
[14] "Variable Frequency Drives - VFD Vulnerabilities," 14 March 2016. [Online]. Available: http://www.alphaguardian.net/variable-frequency-drive-vfd-vulnerabilities/.
[15] J. Kocur, in Proceedings of the 37th Turbomachinery Symposium.
[16] "Iran's gas flow to Turkey halted after pipeline blast – official," [Online]. Available: https://www.rt.com/news/364502-turkey-gas-explosion-iran/.
[17] M. Krotofil and D. Gollmann, "Industrial control systems security: What is happening?" 2013 11th IEEE International Conference on Industrial Informatics (INDIN), 2013, pp. 664-669.
[18] T. H. Morris and W. Gao, "Industrial Control System Cyber Attacks," ICS-CSR, 2013.
[19] D. Gollmann et al., "Cyber-Physical Systems Security: Experimental Analysis of a Vinyl Acetate Monomer Plant," CPSS@AsiaCCS, 2015.
[20] A. Winnicki et al., "Cyber-Physical System Discovery: Reverse Engineering Physical Processes," CPSS@AsiaCCS, 2017.
[21] A. K. Srivastava et al., "Modeling Cyber-Physical Vulnerability of the Smart Grid With Incomplete Information," IEEE Transactions on Smart Grid, vol. 4, 2013, pp. 235-244.
[22] K. Huang et al., "Assessing the Physical Impact of Cyberattacks on Industrial Cyber-Physical Systems," IEEE Transactions on Industrial Electronics, vol. 65, no. 10, 2018, pp. 8153-8162, doi:10.1109/tie.2018.2798605.
[23] I. Friedberg et al., "STPA-SafeSec: Safety and security analysis for cyber-physical systems," J. Inf. Sec. Appl., vol. 34, 2017, pp. 183-196.
[24] "Configuring and Managing Remote Access for Industrial Control Systems | ICS-CERT," 2010. [Online]. Available: https://ics-cert.us-cert.gov/Abstract-Configuring-and-Managing-Remote-Access-Industrial-Control-Systems. (Accessed 11 Aug. 2018)
[25] "Advisory (ICSA-17-164-02), OSIsoft PI Server 2017," Industrial Control System Cyber Emergency Response Team (ICS-CERT), 2017. [Online]. Available: https://ics-cert.us-cert.gov/advisories/ICSA-17-164-02. (Accessed 11 Aug. 2018)
[26] "Accident Report Detail | Occupational Safety and Health Administration." [Online]. Available: https://www.osha.gov/ (Accessed 11 Aug. 2018)
X. BIOGRAPHIES
Matthew G. Angle is a Postdoc in the Department of Electrical Engineering
and Computer Science at the Massachusetts Institute of Technology. He
received his SB (2007), MEng (2011), and Ph.D. (2016) degrees in Electrical
Engineering from MIT.
Stuart Madnick is the John Norris Maguire (1960) Professor of Information
Technology and a Professor of Engineering Systems at the Massachusetts
Institute of Technology. He has been an MIT faculty member since 1972. He
has served as the head of MIT’s Information Technologies Group in the MIT
Sloan School of Management for more than twenty years. Currently he is the
Director of MIT's Interdisciplinary Consortium for Improving Critical
Infrastructure Cybersecurity, (IC)³. He is the author or co-author of over 350
books, articles, or reports including the book Computer Security in 1979 and
the classic textbook on Operating Systems, plus several patents. His current
research interests include cybersecurity, information integration technologies,
semantic web, software project management, internet applications, and the
strategic use of information technology. Madnick has been active in industry,
as a key designer and developer of projects such as IBM’s VM/370 operating
system and Lockheed’s DIALOG information retrieval system. He has served
as a consultant to major corporations, including IBM, AT&T, and Citicorp. He
has also been the founder or co-founder of five high-tech firms, and currently
operates a hotel in the 14th century Langley Castle in England. Madnick holds
an SB in electrical engineering, an SM in management, and a PhD in computer
science from MIT.
James L. Kirtley Jr. is Professor of Electrical Engineering at the
Massachusetts Institute of Technology. He has also worked for General
Electric, Large Steam Turbine Generator Department, as an Electrical Engineer,
for Satcon Technology Corporation as Vice President and General Manager of
the Tech Center and as Chief Scientist, and was Gastdozent at the Swiss Federal
Institute of Technology. He continues as a Director for Satcon. Dr. Kirtley
attended MIT as an undergraduate and received the degree of Ph.D. from MIT
in 1971. Dr. Kirtley is a specialist in electric machinery and electric power
systems. He served as Editor in Chief of the IEEE Transactions on Energy
Conversion from 1998 to 2006 and continues to serve as Editor for that journal
and as a member of the Editorial Board of the journal Electric Power
Components and Systems. Dr. Kirtley was made a Fellow of IEEE in 1990. He
was awarded the IEEE Third Millennium medal in 2000 and the Nikola Tesla
prize in 2002. Dr. Kirtley was elected to the United States National Academy
of Engineering in 2007. He is a Registered Professional Engineer in
Massachusetts.
Shaharyar Khan is a fellow (S.M) of the System Design and Management
(SDM) program at the Massachusetts Institute of Technology. He received his
BASc Hons. (2010) degree in Mechanical Engineering from the University of
Waterloo. He has worked as a structural design engineer for BWX Technologies,
designing and analyzing critical components for nuclear power plants. He has
also worked as a Site Project Engineer at a nuclear generating station, deploying
tools for reactor inspections and maintenance. He is a Registered Professional
Engineer in Ontario, Canada.