Most Important Protection for GT/ST

Overspeed gets my vote, far and away.

An overspeeding turbine can literally fly apart--throwing turbine blades/buckets through the casing, through walls, into and through piping (steam piping; fuel piping; etc.), and into people unfortunate enough to be in the vicinity. Usually, when a turbine overspeeds it's pretty much a total loss.

Speed control is far and away the most important protection. Loss of lube oil will mean severe damage to bearings and diaphragms and seals, but usually that's repairable--sometimes at great expense, but still repairable.

Slugging a steam turbine with water in the steam piping is also very destructive, but usually repairable.

Exhaust over temperature is very problematic to gas turbines, but, again, usually repairable.

High vibration for any rotating equipment can be very destructive, but usually repairable.

Even for small turbines, there is usually redundant and independent overspeed detection/tripping methods to try to prevent the unit from reaching a destructive overspeed condition.

Overspeed is also not good for the driven device--be it a generator or compressor or pump or fan. They, too, can suffer serious, sometimes irreparable damage.

Sometimes there are redundant protection schemes for other potentially destructive conditions, but there is almost always redundant overspeed detection/protection (or should be!).

Hope this helps!
Barring / Emergency Barring is equally important.

Unless Barring action takes place during Shutdowns/Trips, the shaft of the GT / ST may sag, causing high Vibrations catastrophic for the turbine on following runs.
Dear CSA and Dear All;

May be I'm diverging from the original post but it's an opportunity to get Experts point of view.

"AURORA CYBER ATTACK" is a Hacker's Internet Cyber Attack conducted where a power generator was successfully destroyed. The objective was to show the Smart Grill <b>vulnerability</b> to the public opinion.

Last month I attended a workshop where GE introduced PEDIX digital Plateform and how much IIoT (Industrial Internet Of Things) will be benefit to gas turbines owners/operators
During the debate, someone has pinpointed Aurora Attack and he said "if mechanical overspeed was installed, the reciprocating power Generator will not be destroyed". What do Control experts think about this attack?

GE gas turbines are actually delivered with <b>only</b> electronic overspeed mechanism and mechanical overspeed is abandoned because, regarding GE, mechanical overspeed test stress too much machine components and reduce their life cycle.

May not better to keep mechanical devices as last chance to avoid major catastrophe where electronic devices failed?!! What do you think?


Bob Peterson

A cyber attack that happened almost ten years ago does not interest me all that much. Hopefully whatever hole in their internal security was breached has been plugged.

Personally, I am not thrilled with the idea of having control equipment exposed to the Internet at all. I don't give a rat's you-know-what about any supposed Internet of Things if it exposes the control systems to security issues.

Windows seems to have plugged most of their really bad holes but it also appears like Linux is getting more holes as more hackers start to attack it.

I don't know what the answer is but I am pretty much convinced it will take Hellfire missiles raining down on the hackers who do this kind of stuff to put a stop to it. Targeted assassinations might work as well. At this point it is essentially a war and the only way to win any war is to kill enough of the enemy that the rest of them give up.
Hmmm.... Yes, there's a danger in connecting power generation, transmission and distribution equipment to the Internet. It's certainly food for thought....

The Industrial Internet of Things and P<b>R</b>EDIX is just a way to keep you locked into the OEM for service and support. And, it allows Corporate managers to mistakenly believe their multi-million USD equipment doesn't require trained, experience and thinking humans on the plant to operate, maintain and troubleshoot--thereby reducing manpower costs and pocketing more profits for themselves and other Corporate managers (since fewer and fewer of those profits get distributed to shareholders these days). It's just adding to a false sense of security that automation will protect and solve some problem (the problem of maximizing profits at the expense of people).

This is all looking like it's going to lead to a pretty monumental collapse at some point--and without trained, knowledgeable and thinking PEOPLE to respond and get the equipment up and running, all that money in Corporate Manager's accounts ain't going to do them any good because it's all "digital" and without electricity they can't do anything with it.

As for keeping old technology for prime mover control and protection, I personally don't see the benefit and don't want to go back to those old days and equipments.

The best we can do is be prepared for the eventuality of life without electricity for a few days, maybe more. Having cash on hand (ATMs and credit cards aren't going to work); food; a way to carry and purify water if your potable water supply stock gets depleted; fire-making materials; and a means of listening to radio for information and news (solar or hand-crank), are all good ideas for possibly surviving some time without electricity. Bicycles and hand-operated pumps are also good things to have, maybe even a "little red wagon."

And, let's all hope we never need to use these things--but an ounce of prevention is worth a pound of cure.
> Which protection is considered to be the most important for GT/ST? why?

There is a class of control system vulnerabilities that can cause physical damage to process equipment one of which is Aurora. Aurora is creating an out-of-phase condition that results in damage to any AC rotating equipment including generators and induction motors (out-of-phase damage has been known for more than 100 years). Aurora is not malware nor requires Internet connections. The Aurora event happens so quickly that existing relay protection cannot prevent damage. There are only two suppliers that provide Aurora hardware mitigation. As part of a DOD project, we wrote article on Aurora in the September 2013 issue of Power magazine. The December 2015 Ukrainian hack of the electric grid was the first of the 2 steps of Aurora - the remote opening of the protective relays. The attackers chose not to reclose the relays which would most likely have caused Aurora. You can find more information at

Joe Weiss
[email protected]
Sounds like this link -

When I look at computer logs of public facing machines, I see that the attack traffic never stops - any idea that you will protect by being obscure is just wrong. Having systems constantly connected might sound like a slick idea - and brings benefits - but without really strong security in place, not a good idea.

There are lots of remote control attacks that can be devastating besides GT systems - water pumps can rip apart mains if they are not sequenced correctly.

Securing a system is not simple - think - Open USB ports need to be disabled - and attempts to access should result in a review of security camera footage.. yet no one does this..
Dear xtronics;

Already done. Security camera not yet installed but all the USB ports are disabled and to plug your USB key you need an official written authorization and only company USB are used.

I am sorry for the late reply to this note.

The Aurora vulnerability is not malware. Rather it is a physics issue caused by remotely opening and then reclosing breakers out-of-phase. This will cause damage to any AC-rotating equipment including generators and motors. Overspeed protection will not prevent Aurora. The only way to prevent Aurora is with specific Aurora hardware mitigation devices. To date, there are only two protective relay (breaker) vendors (Cooper and SEL) that make an Aurora hardware mitigation device.

Aurora is not hypothetical as there has already been at least one Aurora event (not the INL test) that has damaged AC-induction motors. There have also been demonstrations of hacking breakers that could result in the Aurora event (again, not the INL test).

I will be giving presentations on this subject at the June 2017 American Nuclear Conference in San Francisco and the DOD-sponsored Cyber-Endeavor Conference at Carnegie-Mellon.

Joe Weiss
[email protected]
The important thing is for the powergen and grid industries to treat cybersecurity as an ongoing, continuous problem rather than a series of discrete vulnerabilities--Advanced Persistent Threats on an ongoing basis. Airgap isn't enough, as social engineering and "inside jobs" have proven repeatedly. Counter-intuitively, the air gap might actually make the problem worse if it discourages updating firmware and software.

One of the biggest arguments for connectivity is to automate patch delivery (and installation, where possible). There is a "don't touch a working system" mentality that still pervades the industry, and frankly it isn't compatible with digital controls anymore. The future is about managing the reality of continuous upgrades, bringing in best practices from the software industry for deployment, bumpless changeover, and rollback.

Just my $0.02.