Slammer worm crashed Ohio nuke plant network

Securityfocus.com ^ | 8/19/03 | Kevin Poulsen

[JerseyHighlander]

The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall, SecurityFocus has learned.

The breach did not post a safety hazard. The troubled plant had been offline since February, 2002, when workers discovered a 6-by-5-inch hole in the plant's reactor head. Moreover, the monitoring system, called a Safety Parameter Display System, had a redundant analog backup that was unaffected by the worm. But at least one expert says the case illustrates a growing cybersecurity problem in the nuclear power industry, where interconnection between plant and corporate networks is becoming more common, and is permitted by federal safety regulations.

The Davis-Besse plant is operated by FirstEnergy Corp., the Ohio utility company that's become the focus of an investigation into the northeastern U.S. blackout last week.

[JerseyHighlander]

Well, that's one for the record books. Somewhere on FR I read that the WH cyberterrorism task force czar resigned due to lack of plausible threat and lack of interest from the WH. First Energy, looks like the media is going to "create a summer trend" about their questionable safety record.

[martin_fierro]

Just D'oh.

[backhoe]

You were kind enough to post these links:

FREE PC PROTECTION:

Spybot S&D: Removes lurking spyware.
AdAware: Removes lurking spyware.
Bayden Systems Popup Popper: Blocks popup ads well in MSIE
MailWasher: Good for pre-screening & bouncing SPAM
AVG Anti-Virus Free Edition: Free anti-viral protection
ZoneAlarm: Excellent Firewall

...and they are very helpful.

[flamefront]

The same thing happened to SCADA systems in Ohio during the blackout. Now wether this was a contributing factor to human errors entering into the control of the transmission lines is yet to be addressed. Hopefully someone (other than the FBI liars) will admit the possibility of terrorism as well.

At 3:06 p.m., a 345-kilovolt transmissionline owned by Ohio-based FirstEnergy shut down for reasons that experts haven't determined. FirstEnergy, which owns four of the five lines in question, reported that an automatic system that was suppose to flash a warning on controllers' computer screens failed to operate after the line went down.

I guess if another blackout happens while the worms are circulating, it will be undeniable as a contributing factor.

[flamefront]

Thanks. Perhaps only the SCADA servers are UNIX but the terminals, where after all the operators would be viewing the system, likely are not.

Consider another expert -

Being an old PLC automation and control hack let me say that there is a very good plausibility that the recent East Coast power outage was due to an attack by an MBlaster variant on the SCADA system at the power plant master terminal, or more likely at several of the remote terminal units "RTU". SCADA runs under Win2000 / XP and the telemetry to the RTU is accessible via the Internet.

[Steve Schulin]

The email mentioned in this article was publicly released by NRC and is available as pdf file here.

[Ed_in_NJ]

This article makes the whole industry look like neanderthals: connecting plants to corporate networks (which are of course linked to the 'net), patches not being made, operators not aware, industry spokesman saying 'life not threatened' (several deaths attributed to power outages, and many more threatened), and defending lax practices to save money - not what 'threat management' is supposed to be.

Swiss cheese operation / accident waiting to happen.