Elephant in the Room - Kinetic Cyberattacks

The Risk Elephant in the Room

Why aren’t kinetic cyberattacks being addressed?

Much work has gone into addressing known data cybersecurity threats that impact utilities, and this has been ongoing for quite some time. Yet when we look at the threat of kinetic cyberattacks – which can cause extensive, long-term equipment damage – there is a lack of urgency and insight to address the seriousness of this risk across many sectors. The question is, if you do not have the technical capabilities to truly address the threat of kinetic cyberattacks, how can you stop them from happening?

Earlier this year, I had an opportunity to brief congressional House Homeland Security staffers on issues raised during the July 22, 2025, U.S. House Committee on Homeland Security hearing, “Fully Operational Stuxnet 15 Years Later and the Evolution of Cyber Threats to Critical Infrastructure.”

The issues I discussed concerned kinetic cyberattacks, which damage equipment. It was evident from discussions with the staffers, as well as other public discussions, that control system cybersecurity continues to be widely misunderstood. When cybersecurity is discussed, the focus has largely been on data cybersecurity – particularly ransomware attacks – to the exclusion of control system cyber incidents. Other than the well-known but not well-understood Stuxnet attack, cyberattacks with kinetic effects are rarely addressed.

The first premise, often missed, is that equipment damage occurs when physics is compromised, not when networks are compromised. For utilities, there are two aspects of cybersecurity: data cybersecurity, covering information technology (IT) and operational technology (OT) networks, and functional cybersecurity, which involves hardware and processes. Most discussions about cybersecurity tend to focus on data security.

Consider two known kinetic cyberattacks: Aurora and Stuxnet. Both attacked physics and hardware, not networks, and attacks of this kind cannot be detected by network security. Aurora and Stuxnet remain threats to many utilities and should be understood as attack techniques, not isolated incidents.

What Aurora, Stuxnet and other kinetic cyberattacks have in common is that they are designed specifically to cause equipment damage, not simply to exploit cyber vulnerabilities. Consequently, kinetic cyberattacks are issues that require detailed engineering understanding. They cannot be addressed by familiar network cybersecurity measures such as threat hunting, OT network monitoring or multifactor authentication.

Looking at an Aurora Attack
Aurora is the reclosing of protective relays out of phase with the grid, so that the voltage sine waves on the relay side and the grid side are not synchronized. The lack of synchronization creates damaging mechanical and electrical forces on the alternating current (AC) equipment connected to the relay. Causing the out-of-phase condition can be done either manually or remotely (cyber). There is no malware involved. Aurora uses the protection of the electric grid, arguably the most critical of all infrastructures, as its attack vector. In other words, Aurora is a gap in the protection of the electrical grid.

The Aurora vulnerability used remote access to reclose protective relays out of phase with the grid, thereby causing AC equipment to operate in unstable conditions. The unstable out-of-phase conditions generated large torques, current spikes and harmonics that created increased equipment heat. Large torques can damage AC induction motors and generators, while the current spikes can damage transformers – and the increased heat can cause fires in lithium-ion battery energy storage systems.

The hardware damage can make the grid and AC equipment in other industries and facilities unavailable for nine to 18 months or longer. It can take that long because of both the sheer difficulty of repairing the ensuing hardware damage and the long lead times to obtain replacement equipment. Equipment damage can occur with any AC equipment connected to the affected protective relays, whether that equipment is from the utilities or the utilities’ customers. The greater the out-of-phase angle between the equipment and system phase angles, the greater the damage.
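The out-of-phase condition described above can be quantified and checked for before a breaker is allowed to close. The following is an added example, not code from the article or from any relay vendor: it estimates the fundamental-frequency phasor of constructed voltage samples on each side of a breaker, computes the angle between them, computes the voltage that would appear across the breaker contacts at that angle (the quantity that drives the current spike), and implements a simple synchronism-check permission. The 128-samples-per-cycle rate, the per-unit magnitudes and the 10-degree and 0.1 p.u. thresholds are assumptions chosen for illustration, not settings taken from any standard or device.

```python
import cmath
import math

F_NOMINAL_HZ = 60.0
SAMPLES_PER_CYCLE = 128                      # assumed sampling rate: 128 samples per 60 Hz cycle
SAMPLE_RATE_HZ = F_NOMINAL_HZ * SAMPLES_PER_CYCLE
V_NOMINAL_PU = 1.0                           # per-unit voltage magnitude used for the constructed waveforms


def waveform(amplitude_pu, phase_deg, cycles=2):
    """Constructed voltage samples: amplitude * cos(2*pi*60*t + phase), whole cycles only."""
    n = SAMPLES_PER_CYCLE * cycles
    phi = math.radians(phase_deg)
    return [amplitude_pu * math.cos(2 * math.pi * k / SAMPLES_PER_CYCLE + phi) for k in range(n)]


def fundamental_phasor(samples):
    """Single-bin DFT at the nominal frequency.

    Valid for windows spanning an integer number of cycles; returns a complex
    phasor whose magnitude is the peak amplitude and whose angle is the phase.
    """
    n = len(samples)
    acc = sum(v * cmath.exp(-2j * math.pi * k / SAMPLES_PER_CYCLE) for k, v in enumerate(samples))
    return 2 * acc / n


def angle_difference_deg(grid_samples, island_samples):
    """Angle of the island (relay-side) voltage relative to the grid voltage, wrapped to (-180, 180]."""
    grid = fundamental_phasor(grid_samples)
    island = fundamental_phasor(island_samples)
    d = math.degrees(cmath.phase(island) - cmath.phase(grid))
    return (d + 180.0) % 360.0 - 180.0


def voltage_across_breaker(v_grid_pu, v_island_pu, delta_deg):
    """Magnitude of V_island - V_grid for two phasors separated by delta (law of cosines).

    For equal magnitudes this reduces to 2*V*sin(delta/2): zero when in phase,
    twice nominal at 180 degrees. The larger this value, the larger the
    transient current and torque when the breaker closes.
    """
    return math.sqrt(v_grid_pu ** 2 + v_island_pu ** 2
                     - 2 * v_grid_pu * v_island_pu * math.cos(math.radians(delta_deg)))


def reclose_permitted(grid_samples, island_samples, max_angle_deg=10.0, max_voltage_diff_pu=0.1):
    """Synchronism-check permission: block closing unless angle and magnitude are within limits.

    Thresholds are illustrative assumptions; a real sync-check element also
    supervises frequency slip and is set per installation.
    """
    delta = angle_difference_deg(grid_samples, island_samples)
    v_grid = abs(fundamental_phasor(grid_samples))
    v_island = abs(fundamental_phasor(island_samples))
    return abs(delta) <= max_angle_deg and abs(v_island - v_grid) <= max_voltage_diff_pu


def main():
    grid = waveform(V_NOMINAL_PU, 0.0)
    print("angle  |dV| across breaker  reclose?")
    for angle in (0.0, 5.0, 30.0, 90.0, 120.0, 180.0):
        island = waveform(V_NOMINAL_PU, angle)
        delta = angle_difference_deg(grid, island)
        dv = voltage_across_breaker(V_NOMINAL_PU, V_NOMINAL_PU, delta)
        print(f"{delta:6.1f}  {dv:18.3f}  {reclose_permitted(grid, island)}")


if __name__ == "__main__":
    main()
```

The point of the sweep in `main` is the monotonic growth of the voltage across the contacts with the angle, which is what the article means by "the greater the out-of-phase angle, the greater the damage." A permission check of this kind is only as strong as the independence of the device enforcing it: if the same relay that is being commanded to reclose is also the only thing performing the check, a compromised relay configuration removes the protection along with it.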

Aurora threats generally are not currently addressed by OT security because Aurora is a physics and hardware problem, not a network issue. The effects of an out-of-phase condition are widely known, especially by adversary nations such as Russia, China and Iran, which I will cover later.

Exploring a Stuxnet Attack
Stuxnet was a series of cyber-physical attacks that caused physical damage to targeted nuclear centrifuge systems at selected intervals without being identified as cyber-related. Stuxnet required detailed knowledge of the equipment and processes. Network issues were secondary.

As described in Ralph Langner’s “To Kill a Centrifuge,” there were two different Stuxnet attacks. In each case, the attack changed controller logic to cause increasing long-term, non-catastrophic damage in such a way that the damage would not be identified as cyber-related. One attack changed the centrifuge rotation speeds to damage the centrifuge rotors. The other used spoofed process sensor input to compromise the pressure controllers and overpressure the centrifuge tubes while disabling overpressure protection, doing so in a way that avoided catastrophic damage.

The spoofing of process sensor data was critical to the success of the attacks. Process sensor monitoring at the physics layer would have detected the compromised sensor data being provided to the controllers and operator displays. Network sensor monitoring would not have identified the attack nor the status of the equipment.
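The physics-layer monitoring described above can be made concrete. The following is an added example, not code from the article or from any product: a monitor that receives, for each time step, an independent physics-layer measurement of a process variable together with the value the controller and operator display are using, and raises an alert when the two diverge beyond a tolerance or when the reported channel starts repeating an earlier stretch of its own history exactly (one generic form of spoofing that replays plausible-looking values). The pressure-like values, the 1 Hz sampling, the 2.0-unit tolerance and the 5-sample replay window are all constructed for illustration; the trace itself is constructed so that the physics channel starts rising at t = 10 s while the reported channel keeps showing the first ten normal readings.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: float          # seconds
    physics: float    # independent physics-layer measurement (e.g. raw signal read before the controller)
    reported: float   # value the controller / HMI is acting on and displaying


def monitor(samples, max_abs_diff=2.0, replay_window=5):
    """Return (time, kind) alerts for the sample stream.

    kind == "mismatch": physics-layer and reported values differ by more than max_abs_diff.
    kind == "replay":   the last replay_window reported values exactly repeat an earlier
                        contiguous stretch of reported values (a frozen or replayed channel).
    Thresholds are illustrative assumptions, not recommended settings.
    """
    alerts = []
    reported_hist = []
    for s in samples:
        if abs(s.physics - s.reported) > max_abs_diff:
            alerts.append((s.t, "mismatch"))
        reported_hist.append(s.reported)
        if len(reported_hist) >= 2 * replay_window:
            recent = reported_hist[-replay_window:]
            earlier = reported_hist[:-replay_window]
            for start in range(len(earlier) - replay_window + 1):
                if earlier[start:start + replay_window] == recent:
                    alerts.append((s.t, "replay"))
                    break
    return alerts


def constructed_trace(n=20, divergence_at=10):
    """Constructed 1 Hz trace (not real plant data).

    physics: nominal 100 plus a small deterministic, aperiodic wobble; from
             t >= divergence_at it ramps up 5 units per second.
    reported: identical to physics until divergence_at, then replays the
             first divergence_at physics values, so the display looks normal.
    """
    physics = []
    for t in range(n):
        wobble = 0.1 * ((t * 7) % 11 - 5)            # deterministic stand-in for sensor noise
        ramp = 5.0 * (t - divergence_at + 1) if t >= divergence_at else 0.0
        physics.append(100.0 + wobble + ramp)
    reported = [physics[t] if t < divergence_at else physics[t - divergence_at] for t in range(n)]
    return [Sample(float(t), physics[t], reported[t]) for t in range(n)]


def first_alert(alerts):
    """Earliest alert, or None if the stream was clean."""
    return min(alerts, key=lambda a: a[0]) if alerts else None


if __name__ == "__main__":
    trace = constructed_trace()
    for t, kind in monitor(trace):
        print(f"t={t:4.0f}s  {kind}")
    print("first alert:", first_alert(monitor(trace)))
```

On the constructed trace the mismatch alert fires at t = 10 s, the first second in which the display and the physical process disagree, and the replay alert follows at t = 14 s once five consecutive repeated values have been seen; the first ten samples, where both channels agree, produce no alerts. The design point is the one the article makes: the mismatch check needs a measurement path that does not pass through the controller or its network, otherwise the monitor is comparing the spoofed value with itself.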

Prior to Stuxnet, it was assumed that cyberattacks would have clearly different characteristics than unintentional incidents, simple mistakes and accidents. However, Stuxnet demonstrated that cyberattacks could be made to look like equipment malfunctions. This is how Stuxnet was able to compromise equipment for more than a year before being identified as a cyberattack. Thus, control system incidents may not be expeditiously identified as cyber-related – if at all. The lack of cyber-related identification inhibits cyber defenders from being involved in investigations where control system incidents have not been identified as cyber-related.

Adversary Nations Have Employed Attacks
In 2016, a Russian researcher from Moscow demonstrated the capability of hacking process sensor data at the Industrial Control Systems Cybersecurity Conference. That same year, Russia launched a cyberattack on the Ukrainian power grid to reclose breakers and cause equipment damage – a deliberate attempt to induce an Aurora condition and cause a long-term outage.

In 2017, Russian intelligence services also attempted a kinetic cyberattack, subsequently called Triton, against a Saudi Arabian petrochemical facility. The intent of the Triton attack was to blow up the Petro Rabigh petrochemical plant. The Russian kinetic cyberattack was a two-part attack: first hacking the control systems to cause the plant to operate in an unsafe condition, then initiating the Triton malware to prevent the Triconex safety systems from safely shutting down the plant.

The safety system attack was unsuccessful because Triconex is a triple-redundant safety system, with the fail-safe option being an automatic plant shutdown. The complexity of the software caused the Triton malware to shut down the plant twice before it was identified. The first time the plant shut down, the incident was only identified as a malfunction, with no cyber indications from the network monitoring. As a result, the plant restarted with the Triton malware still in the engineer’s Triconex workstation until the plant shut down again two months later when the Triton malware was initially identified. This lack of malware detection allowed the attackers to remain unimpeded in the system for two additional months.

Another example came in November 2023, when Iran cyberattacked Unitronics controllers in multiple U.S. critical infrastructures and may have compromised PLC logic in a way similar to Stuxnet.

Finally, there is the threat of compromised hardware made in China. The Chinese installed hardware backdoors in large Chinese-made electric transformers to take control of the transformers, which resulted in issuance of the presidential executive order titled “Securing the United States Bulk-Power System.” There are almost 600 high-voltage Chinese-made transformers in the U.S. electric grid. When one of these transformers was sent to Sandia National Laboratories for examination, the report of findings was classified as top secret.

If voltages are maliciously changed or protective relays are compromised, physical damage could be done to the transformers and other equipment. The Chinese have also installed inverters in battery energy storage systems with remote communications. This could enable China to remotely communicate with protective relays to cause Aurora incidents or overheat lithium-ion batteries.

This all amounts to cyber battlespace preparation.

Guidance is Lacking
Much of the guidance issued by the U.S. government misses the full import of kinetic cyberattacks. On August 13, 2025, the Cybersecurity & Infrastructure Security Agency (CISA) and its partners issued “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators,” a report that identifies and prioritizes OT asset inventories. However, the document does not address OT safety topics. This omission is puzzling given that safety is a prime OT consideration and has been specifically exploited by kinetic cyberattacks.

The OT devices Aurora and Stuxnet exploited were part of the identified inventory. According to the report, “A structured OT taxonomy enables better data analytics by providing a clear framework for organizing and analyzing data. This leads to valuable insights that can drive continuous improvement and innovation.”

However, that assumes the devices are uncompromised, authenticated and include cyber forensic capabilities, which is not the case. There is no guidance in the CISA report to address how OT control system field devices can be exploited or protected, as these are not network devices. The issues exploited by Aurora and Stuxnet cannot be addressed by simply having an asset inventory and taxonomy. With kinetic cyberattacks, you do not know if the sensor readings going to the transformer or turbine are readings from the OT devices or from Beijing.

Engineering Needs a Seat at the Security Table
Data cybersecurity is a known threat to both IT and critical infrastructure applications. However, the major threats to critical infrastructures are kinetic cyberattacks that can cause extensive, long-term equipment damage – and we are not ready. Kinetic cyberattacks have yet to be explicitly addressed in any sector’s cybersecurity guidance, including electric, oil and gas, maritime, food and agriculture.

Network security organizations do not have the technical capabilities to address kinetic cyberattacks, which are engineering-based and do not compromise the integrity of the data packets – just the data in the packets.

Without engineering participation, kinetic cyberattacks cannot be detected or mitigated. Appropriate workforce development for control system cybersecurity is needed. Also needed is government guidance that better addresses the issues exploited by Aurora, Stuxnet and China. And we have not even touched upon how much more widespread and extensive the damage could be if artificial intelligence were incorporated into these attacks.

Kinetic cyberattacks can no longer be misunderstood and ignored. Take proactive steps now by involving your engineering team and creating a security posture strong enough to withstand such attacks. The threat is real, and a successful attack could devastate your utility’s ability to provide service.

About the Author: Joe Weiss, P.E., CISM, is managing partner of Applied Control Solutions LLC in Cupertino, California.