Slammer worm crashed Ohio nuke plant network (Still Think The Blackout Wasn't A Cyber Attack???)

SecurityFocus News ^ | Aug 19 2003 | Kevin Poulsen

[RepublicanArmy]

The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall, SecurityFocus has learned.

The breach did not post a safety hazard. The troubled plant had been offline since February, 2002, when workers discovered a 6-by-5-inch hole in the plant's reactor head. Moreover, the monitoring system, called a Safety Parameter Display System, had a redundant analog backup that was unaffected by the worm. But at least one expert says the case illustrates a growing cybersecurity problem in the nuclear power industry, where interconnection between plant and corporate networks is becoming more common, and is permitted by federal safety regulations.

The Davis-Besse plant is operated by FirstEnergy Corp., the Ohio utility company that's become the focus of an investigation into the northeastern U.S. blackout last week.

The incident at the plant is described in an April e-mail to the Nuclear Regulatory Commission (NRC) from FirstEnergy, and in a similarly-worded March safety advisory distributed privately throughout the industry over the "Nuclear Network," an information-sharing program run by the Institute of Nuclear Power Operations. The March advisory was issued to "alert the industry to consequences of Internet Worms and Viruses on Plant Computer Systems," according to the text.

The reports paint a sobering picture of cybersecurity at FirstEnergy.

The Slammer worm entered the Davis-Besse plant through a circuitous route. It began by penetrating the unsecured network of an unnamed Davis-Besse contractor, then squirmed through a T1 line bridging that network and Davis-Besse's corporate network. The T1 line, investigators later found, was one of multiple ingresses into Davis-Besse's business network that completely bypassed the plant's firewall, which was programmed to block the port Slammer used to spread.

"This is in essence a backdoor from the Internet to the Corporate internal network that was not monitored by Corporate personnel," reads the April NRC filing by FirstEnergy's Dale Wuokko. "[S]ome people in Corporate's Network Services department were aware of this T1 connection and some were not."

Users noticed slow performance on Davis-Besse's business network at 9:00 a.m., Saturday, January 25th, at the same time Slammer began hitting networks around the world. From the business network, the worm spread to the plant network, where it found purchase in at least one unpatched Windows server. According to the reports, plant computer engineers hadn't installed the patch for the MS-SQL vulnerability that Slammer exploited. In fact, they didn't know there was a patch, which Microsoft released six months before Slammer struck.

Operators Burdened By 4:00 p.m., power plant workers noticed a slowdown on the plant network. At 4:50 p.m., the congestion created by the worm's scanning crashed the plant's computerized display panel, called the Safety Parameter Display System.

An SPDS monitors the most crucial safety indicators at a plant, like coolant systems, core temperature sensors, and external radiation sensors. Many of those continue to require careful monitoring even while a plant is offline, says one expert. An SPDS outage lasting eight hours or more requires that the NRC be notified.

At 5:13 p.m., another, less critical, monitoring system called the "Plant Process Computer" crashed. Both systems had redundant analog backups that were unaffected by the worm, but, "The unavailability of the SPDS and the PPC was burdensome on the operators," notes the March advisory.

It took four hours and fifty minutes to restore the SPDS, six hours and nine minutes to get the PPC working again.

FirstEnergy declined to elaborate on the incident. The company has become the focus of an investigation into last week's northeastern U.S. blackout. Though the full cause of the blackout has yet to be determined, investigators have reportedly found that it began when an Ohio high-voltage transmission line "tripped" after sagging into a tree. An alarm system that was part of FirstEnergy's Energy Management System failed to warn operators at the company's control center that the line had failed.

Asked if last week's "Blaster" worm might have had a hand in the alarm system failure, just as Slammer disabled the Davis-Besse safety display panel, FirstEnergy spokesman Todd Schneider said, "We're investigating everything right now."

"I have not heard of anything like that," added Schneider. "The alarm system was the only system that was not functioning."

SCADA Issues The Davis-Besse incident was not Slammer's only point of impact on the electric industry. According to a document released by the North American Electric Reliability Council in June, Slammer downed one utility's critical SCADA network after moving from a corporate network, through a remote computer to a VPN connection to the control center LAN.

A SCADA (Supervisory Control and Data Acquisition) system consists of central host that monitors and controls smaller Remote Terminal Units (RTUs) sprinkled throughout a plant, or in the field at key points in an electrical distribution network. The RTUs, in turn, directly monitor and control various pieces of equipment.

In a second case reported in the same document, a power company's SCADA traffic was blocked because it relied on bandwidth leased from a telecommunications company that fell prey to the worm.

Reports on the effect of last week's Blaster worm on the electric grid, if any, have yet to emerge.

The Slammer attacks came after years of warnings about the vulnerability of power plants and electric distribution systems to cyber attack. A 1997 report by the Clinton White House's National Security Telecommunications Advisory Committee, which conducted a six-month investigation of power grid cybersecurity, described a national system controlled by Byzantine networks riddled with basic security holes, including widespread use of unsecured SCADA systems, and ample connections between control centers and utility company business networks.

"[T]he distinct trend within the industry is to link the systems to access control center data necessary for business purposes," reads the report. "One utility interviewed considered the business value of access to the data within the control center worth the risk of open connections between the control center and the corporate network."

Future Safety Concerns An energy sector cybersecurity expert who's reviewed nuclear plant networks, speaking on condition of anonymity, said the trend of linking operations networks with corporate LANs continues unabated within the nuclear energy industry, because of the economic benefits of giving engineers easy access to plant data. An increase in plant efficient of a couple percentage points "can translate to millions upon millions of dollars per year," says the expert.

He says Slammer's effect on Davis-Besse highlights the dangers of such interconnectivity.

Currently, U.S. nuclear plants generally have digital systems monitoring critical plant operations, but not controlling them, said the expert. But if an intruder could tamper with monitoring systems like Davis-Besse's SPDS, which operators are accustomed to trusting, that could increase the risk of an accident.

Moreover, the industry is moving in the direction of installing digital controls that would allow for remote operation of plant functions, perhaps within a few years, if the NRC approves it. "This is absolutely unacceptable without drastic changes to plant computer networks," says the expert. "If a non-intelligent worm can get in, imagine what an intruder can do."

Jim Davis, director of operations at the Nuclear Energy Institute, an industry association, says those concerns are overblown. "If you break all the connections and allow no data to pass from anywhere to anywhere, you've got great security -- but why'd you put the digital systems in the first place?," says Davis.

Davis says the industry learned from the Davis-Besse incident, but that the breach didn't prove that connections between plant and corporate networks can't be implemented securely. "You can put a well-protected read-only capability on a data stream that provides you reasonable assurance that nobody can come back down that line to the control system," says Davis.

Last year the NEI formed a task force to develop updated cybersecurity management guidelines for the industry. The results -- which will be secret -- are expected within a few months. As part of a research effort earlier this year, the NEI's task force worked with the NRC and a contractor to review cybersecurity at four nuclear power plants. The details of the review are classified as "Safeguards" material, but Davis says the investigation found no serious problems. "There are no issues that generate a public health and safety concern," says Davis.

"Sometime people get very anxious about digital systems and what you could or couldn't do with digital systems, but in lots of cases you've got switches and valves and little override buttons on this thing and that thing that could cause a component to shut down as quickly as any digital system," Davis says.

Despite the Slammer breach, FirstEnergy was apparently not in violation of NRC's limited, and aging, cybersecurity regulations. For its part, the commission wouldn't comment on the incident. The NRC has faced fierce criticism for not acting sooner to curb far more serious physical safety problems at the plant.

[RepublicanArmy]

I think someone's head at FirstEnergy Corp. should roll big time.

[AnimalLover]

MICROSOFT WORKING WITH THE FEDS, VIRUS ATTACKS MAY BE TERRORISM

Posted by AnimalLover to prarie earth On News/Activism 08/22/2003 2:13 AM PDT #25 of 25

Maybe you might like to look this over?

[AnimalLover]

http://www.freerepublic.com/focus/f-news/968431/posts

Sorry, forgot the address!

[prarie earth]

According to Time Magazine the CIA has not ruled out terrorism on the power grid.

[bets]

I also think it was software failure, which only failed due to a worm/virus. (otherwise, it should have stopped the overload, cascading effect, and should have done its programmed warnings)

[prarie earth]

Im amazed that this information has been held back this long.

[bets]

It's these darned pc networks. If companies and utilities would have stuck w/mainframes and midranges, they wouldn't be in this cheesy, duct-taped, vulnerable, pc networked boat. (can you tell I don't like pc-based networks?)

[prarie earth]

Yep, and how vulnerable are we still?

[bets]

Forever vulnerable, as long as we have these pc-based networks supposedly protected by firewalls watching ports and bad OS software. This is because the software companies won't admit the vulnerabilities to the buyers AND the buyers (network "experts") won't admit to their bosses that they have holes in their systems. See?

[prarie earth]

And the stuff was poorly written to begin with.

[bets]

I remember about 13 yrs ago I sat in front of a Navy Admiral in his office in a Navy base, having flown there just to have him ask myself and two other software people ONE QUESTION: "Can a virus infect the system you're working on for us?"

Now mind you, this was 13 or so yrs ago, before viruses were well known or rampant. Anyway, we had the pleasure of without hesitation saying "no," because we're working on a mainframe system w/such and such an OS, and there are no viruses that can infect such a system. He asked us if we were sure. We looked him in the eye and said "yes. positive." and we left. That was pretty much our purpose for flying to his base - that one question which he wanted to ask us face to face.

Today systems are flimsy and pc-server based -- cheap alternatives to the real thing, chosen by people trying to save money and use lower salaried, less-experienced network people (vs. the higher paid mainframe/midrange experts). When it comes to such an important system, our power grid, there should be no such scrimping. Just like w/the Navy Admiral who took the safety of his men and resources seriously.

[prarie earth]

Looks like the stuff is going to hit the proverbial fan pretty soon..

[JustPiper]

August 19, 2003 No.553

Al-Qa'ida Claims Responsibility for Last Week's Blackout

Al-Qa'ida's Abu Hafs Brigades has claimed responsibility for "Operation Quick Lightning in the Land of the Tyrant of this Generation," referring to the blackout last week in the Northeast and Midwest United States. A communiqué by the Abu Hafs Brigades was published at http://groups.yahoo.com/group/abubanan2/message/330. This is the third communiqué by the "Brigades" that is being published by the same web-group; in the first, they accepted responsibility for the downing of an airplane in Kenya. The second accepted responsibility for the Jakarta bombing of the Marriott hotel on August 5, 2003.

The new communiqué says that in compliance with the orders of Osama bin Laden to strike at the American economy, the Brigades struck two important electricity supply targets on the East coast. The Brigades say that they cannot reveal how they did it, because they will probably have to use the same method again soon. The communiqué also claimed that the operation was meant as a present for the Iraqi people.

The following are excerpts from a report by the London-based Arabic daily Al-Hayat about the communiqué: [1]


The Blackout was 'a Realization of bin Laden's Promise to Offer the Iraqi People a Present'

"A communiqué attributed to Al Qaeda claimed responsibility for the power blackout that happened in the U.S. last Thursday, saying that the brigades of Abu Fahes Al Masri had hit two main power plants supplying the East of the U.S., as well as major industrial cities in the U.S. and Canada, 'its ally in the war against Islam (New York and Toronto) and their neighbors.'

"The communiqué assured that the operation 'was carried out on the orders of Osama bin Laden to hit the pillars of the U.S. economy,' as 'a realization of bin Laden's promise to offer the Iraqi people a present.'

'The Americans Lived a Black Day they will Never Forget'

"The statement, which Al-Hayat obtained from the website of the International Islamic Media Center, didn't specify the way the alleged sabotage was carried out. The communiqué read: 'let the criminal Bush and his gang know that the punishment is the result of the action, the soldiers of God cut the power on these cities, they darkened the lives of the Americans as these criminals blackened the lives of the Muslim people in Iraq, Afghanistan and Palestine. The Americans lived a black day they will never forget. They lived a day of terror and fear… a state of chaos and confusion where looting and pillaging rampaged the cities, just like the capital of the caliphate Baghdad, and Afghanistan and Palestine were. Let the American people take a sip from the same glass.'

'The U.S. will not Live in Peace until Our Conditions are Met'

"It added: 'we heard amazing statements made by the American and Canadian enemies which have nuclear physics universities and space agencies, that lightning hit and destroyed the two plants. And we are supposed to believe this nonsense. If the blackout occurred in one or two cities, their lie would have been credible. But the fact is that the blackout hit the entire East and part of Canada.'

"The communiqué continued: 'one of the benefits of this strike is that the U.S. will not live in peace until our conditions are met, such as releasing all the detainees including Sheikh Omar Abdulrahman, and getting out of the land of the Muslims, including Jerusalem and Kashmir.'

"The authors of the communiqué said that the strikes aimed at 'hitting the major pillar of the U.S. economy (the Stock Exchange)… [and] the UN, which is opposed to Islam, and is based in New York. It is a message to all the investors that the U.S. is no longer a safe country for their money, knowing that the U.S. economy greatly relies on the trust of the investor…'

'The Gift of Sheikh Osama bin Laden is on Its Way to the White House'

"The communiqué mentioned that some economists said the blackout in the U.S. and Canada would cost the U.S. Treasury no less than ten billion U.S. dollars and in order to 'break the hearts of U.S. officials, just know that the cost paid by the Moujahideen to sabotage the power plants was a mere seven thousand dollars. Die of sorrow!'

"The communiqué ended with: 'we tell the Muslims that this is not the awaited strike, but it is called the war of skirmishes (to drain the enemy), and that the American snakes are enormous and need to be consumed and weakened to be destroyed. We tell the people of Afghanistan and Kashmir that the gift of Sheikh Osama bin Laden is on its way to the White House; then the gift of Al Aqsa, and do we know what is the gift of Al Aqsa, where and when? The answer is what you are seeing!'


[1] Published in English on Dar Al-Hayat website, August 18, 2003, http://english.daralhayat.com/arab_news/08-2003/Article-20030818-14bdd659-c0a8-01ed-0079-6e1c903b7552/story.html



http://www.memri.org/bin/latestnews.cgi?ID=SD55303

[JustPiper]

Thread

[whipitgood]

The obvious question here is this: Is Al Quida just claiming responsibility for something that happened, or could they really have caused it? Seems like the former would be the likely answer. Hard to believe that Al Quida has anyone with the savvy to put together and pull off an operation like this. Hate to underestimate my enemy, but really now!

[Ed_in_NJ]

Also posted HERE.

[boris]

Mission-critical computers should never be connected to the internet.

If they need to communicate it should be through a separate, independent network which intersects the internet at no point.

--Boris

[FairOpinion]

"The Slammer attacks came after years of warnings about the vulnerability of power plants and electric distribution systems to cyber attack. A 1997 report by the Clinton White House's National Security Telecommunications Advisory Committee, which conducted a six-month investigation of power grid cybersecurity, described a national system controlled by Byzantine networks riddled with basic security holes, including widespread use of unsecured SCADA systems, and ample connections between control centers and utility company business networks.

Nobody took it seriously, unfortunately.

What we are experiencing now is a real wake up call, or should be about cyberattacks. Just hope this is not a prelude/phase I to something worse.

Cyber-Attacks by Al Qaeda Feared. Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say -- June 27, 2002

[Dog]

Still think that blackout wasn't a cyber attack??

[Dog]

Hey Joe check this out.

[FairOpinion]

"Still think that blackout wasn't a cyber attack?? "

--

I remember it well, how some of us, who even dared to entertain the possibility got flamed.

BTW, here is another interesting article & also see article in Post #13 in that thread:

The Next Worm Could Disable U.S. Communications and Computers
http://www.freerepublic.com/focus/f-news/968707/posts

[Dog]

Look at this passage..

FirstEnergy declined to elaborate on the incident. The company has become the focus of an investigation into last week's northeastern U.S. blackout. Though the full cause of the blackout has yet to be determined, investigators have reportedly found that it began when an Ohio high-voltage transmission line "tripped" after sagging into a tree. An alarm system that was part of FirstEnergy's Energy Management System failed to warn operators at the company's control center that the line had failed.

Asked if last week's "Blaster" worm might have had a hand in the alarm system failure, just as Slammer disabled the Davis-Besse safety display panel, FirstEnergy spokesman Todd Schneider said, "We're investigating everything right now."

"I have not heard of anything like that," added Schneider. "The alarm system was the only system that was not functioning."

[MEG33]

I know there is a possibility but I have no opinion.I need experts for that!Al Queda taking credit wouldn't sway me.

[Dog]

I didn't ask you to put a tin foil hat on....doesn't it strike you as odd that First Energy was breached by a worm.........then this same Energy Company is at the center of the largest blackout in this nations history..

[FixitGuy]

What is the type of insanity called that would have ANY power plant accessable via the "Internet".

It's crazy that something this important doesn't have its own totally secure network!

[MEG33]

I know this:Our government computers,utility computers,business computers,etc are woefully inadequate to stop cyberterrorism.The fact the same company had a worm shut down a safety panel does set off "my"alarm.

[r9etb]

I didn't ask you to put a tin foil hat on....doesn't it strike you as odd that First Energy was breached by a worm.........then this same Energy Company is at the center of the largest blackout in this nations history..

No, it doesn't strike me as odd. Plants go down. Networks get viruses. No need to connect them unnecessarily.

Actually, my question has to do with the reliability of this source, and this article.

The virus that penetrated the system was Slammer, back last January. Other than a lot of speculation, there is no evidence that the latest virus had anything to do with the blackout.

It may or may not have -- we don't know -- but the clear implication of this article is that the plant was hit by the new worm.

As for me, I think there are all manner of non-virus possibilities for the shutdown. And even if the virus did shut down A PLANT, that's still not what caused the problem. The blackout was caused by the failure (whatever it was) propagating through the power grid -- something that was not supposed to happen.

[GSWarrior]

I know the black out was a stressful time for those caught up in it, but there are those in the Third World and inside our country who want to paint a picture of confusion, terror and mayhem. It just doesn't wash.

[null and void]

Nothing to see here, move along...

[r9etb]

Nothing to see here, move along...

If you're talking about the article, I agree.

It implies a whole lot, but there are no facts -- just speculation.

Added to that, the article seems to misunderstand the cause of the blackout.

The blackout was not caused by the dropout of a single power plant (whether or not it was brought down by the Blaster worm). It was caused by the failure of the power grid to properly compensate for the loss of the plant -- something that I don't think the worm could have touched.

It may well be that some worm or other caused the blackout. But this article doesn't make a convincing case for it.

[BOBTHENAILER]

"If a non-intelligent worm can get in, imagine what an intruder can do."

Scary stuff in this thread. My only question to the al Qaeda claim, is, if they could do it once, why would they stop?

[swarthyguy]

Mainframes for security bump.

Darn gremlins in the electric grid again.

"Evidence of absence is not absence of evidence" - Condi Rice.

[null and void]

Scary stuff in this thread. My only question to the al Qaeda claim, is, if they could do it once, why would they stop?

To have time to get the fire bombers, bug spreaders, bridge busters and water poisoners in position, now that they know they really can shut down an entire region?

[BOBTHENAILER]

Interesting point.

[1Old Pro]

Very interesting. I was flabbergasted that everyone and his brother rushed to the microphones just minutes after the blackout to declare that it was definately NOT terrorism. Yet we still don't know what caused this.

Reminds me of how everyone swore that the TWA 800 crash was positively NOT terrorism, yet they never really satisfied people with their "cause".

[Petronski]

I love nuclear power, but the thought that someone runs a nuclear facility with Windows is enough to scare the poop out of a guy.

[chimera]

The computer doesn't run the plant. The SPDS (which I have worked on in an earlier life) is more of an operator aide. Training programs emphasize that operators not trust any particular redundant system to the exclusion of others, so no one is going to take what's on the SPDS as the exclusive indicator of what's happening (especially if its acting flaky). The safety systems are hardwired and don't connect to any computer in terms of function. Remember, this is technology developed 'way before the age of interconnectivity.

As far as "remote operation" of nuclear plants, it ain't gonna happen. NRC is nothing if not deliberate and cautious to the extreme. Software-based control of balance-of-plant systems might be a possibility, but nothing on the nuclear side of the plant. That's all going to remain hardwired, beefy, and robust old-school technology.

[hattend]

Why would a computer that controls the safety systems on a nuclear reactor be connected to the outside world via the internet?

[monkeywrench]

I think they do that to keep stock numbers from falling.

[chimera]

Why would a computer that controls the safety systems on a nuclear reactor be connected to the outside world via the internet?

It doesn't. The safety systems are standalone and hardwired. The SPDS is an auxiliary system that makes the data a little easier to read, but doesn't do anything in terms of control. The actual plant status is always available on hardwired displays (meters, chart recorders, mimic board, etc.).

I was involved in a research program that involved the use of software as part of a digital safety system. It was a processor running binary code that wasn't connected to any network. The NRC put the kibosh to that because of alleged v&v issues. There weren't any, given the simplicity of the system, but still they demanded to know what effect and consequence there might be for any bit in the system changing its state in an unexpected manner.

[mabelkitty]

I heard something to that effect last Saturday from someone who works there. I got no details, but it was something to the effect that, "This was an impossibility."

Sounded like a hacker or virus to me.

[mabelkitty]

How do you know it wasn't interal sabotage?
Know how many visas we have in this country doing IT work?

[mabelkitty]

Cleveland doesn't even have generators for its water system. That's worse to me.

[GOP_1900AD]

How many H1Bs and Greencard holders who are also part of Al Qaida cells do First Energy and Detroit Edison employ? Note the large concentrations of such folks in these two companies areas of operations.

[oceanview]

the virus has be introduced onto a system inside the corporate firewall, it cannot "get in" so long as even basic firewall prudence is used.

[tophat9000]

I manage data backbones.......... This is asinine; safety and control systems have no need to be connected to the public internet....

[JustPiper]

Bump!

[JustPiper]

"Evidence of absence is not absence of evidence" - Condi Rice.

Great Condi quote!

[JustPiper]

What about someone being their for hands-on sabotage?

[JustPiper]

How do you know it wasn't interal sabotage? Know how many visas we have in this country doing IT work?

Bump!