US Nuclear Regulator Warns on Worms
Posted on 09/05/2003 9:01:34 PM PDT by Hal1950
The US Nuclear Regulatory Commission this week warned nuclear power plant operators to implement safeguards against the Slammer worm, which took systems at one such plant offline in January.
The advisory details exactly how the Davis-Besse power plant in Ohio, operated by FirstEnergy Corp, had its "safety parameter display system" and "plant process computer" made unavailable for several hours by the worm.
The news of the outage came to light after a report by SecurityFocus.com two weeks ago. It is particularly concerning as Slammer was preventable - it exploited a vulnerability in SQL Server that Microsoft Corp had issued a patch for six months earlier.
The NRC said its advisory, dated August 29, is intended to alert power plant operators of "the recent identification of a potential vulnerability of the plant computer network to infection" by Slammer.
According to the NRC, on January 25 the safety parameter display system became unavailable for almost five hours due to the infection, which flooded the network with traffic, and the plant process computer was unavailable for over six hours.
The NRC said in a statement that regulations require systems directly related to safety to be isolated from the network or to have send-only capabilities. The agency said the two systems infected do not affect the safe operation of nuclear power plants.
Davis-Besse has been out of operation since February 2002 at an estimated cost of $500m, due to an NRC inspection that found a corrosion hole in the reactor's carbon steel lid, according to the Cleveland Plain Dealer newspaper.
According to the NRC's advisory, the Slammer worm was able to infect the plant via FirstEnergy's corporate network, to which it is connected. The corporate network was in turn infected via an unsecured T-1 connection put in place by a third-party contractor.
The FirstEnergy network did have a firewall in place that was configured to block UDP, the protocol on which Slammer traveled, but the undocumented and insecure T-1 essentially made this useless.
The NRC also said that plant IT staff were not aware that there was a vulnerability in SQL Server, or that there was an exploit on the loose, despite the fact that Microsoft and the CERT Coordination Center had issued advisories on both.
The NRC said that Davis-Besse has now added procedures for documenting external network connections, patching against this one specific vulnerability, and reviewing future patch advisories. The plant has also put a firewall between itself and its corporate network.
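The article's attack path is easy to lose in the narrative: the corporate firewall did block UDP, but the contractor's T-1 terminated behind it, so a UDP-blocking rule on the documented border protected nothing. The following is an added example (not code from the article, the NRC, or FirstEnergy) that models that situation as a small network graph and asks the question the plant's staff never asked: is there any path from the Internet to the plant network on which Slammer's traffic is never filtered? The segment and link names and the remediation layout are constructed stand-ins; the one real value is the traffic class "udp/1434", Slammer's actual vector (the SQL Server Resolution Service port), which the article only describes as "UDP". The same inventory comparison also shows what the NRC's new procedure for documenting external connections buys: an undocumented link is exactly what a reachability check of the documented topology cannot see.

```python
"""Path analysis for the Davis-Besse exposure described above.

Added example; it is not code from the article, the NRC, or FirstEnergy.
Segment names, link names and the remediation layout are constructed
stand-ins. The traffic class "udp/1434" is Slammer's real vector (the SQL
Server Resolution Service port), the only real value used here.
"""

SLAMMER_FLOW = "udp/1434"


def is_blocked(blocked, flow):
    """A link's control blocks `flow` if it lists the exact class
    ("udp/1434") or the whole protocol ("udp"), as the corporate
    firewall in the article did."""
    proto = flow.split("/", 1)[0]
    return flow in blocked or proto in blocked


def adjacency(links):
    """Undirected adjacency list: node -> [(neighbour, blocked_set), ...]."""
    adj = {}
    for a, b, blocked in links:
        adj.setdefault(a, []).append((b, blocked))
        adj.setdefault(b, []).append((a, blocked))
    return adj


def unfiltered_paths(links, src, dst, flow):
    """Every simple path from src to dst on which no link blocks `flow`.
    An empty list means the flow cannot reach dst at all."""
    adj = adjacency(links)
    found = []

    def walk(node, path):
        if node == dst:
            found.append(list(path))
            return
        for nxt, blocked in adj.get(node, []):
            if nxt in path or is_blocked(blocked, flow):
                continue
            path.append(nxt)
            walk(nxt, path)
            path.pop()

    walk(src, [src])
    return found


def undocumented_links(actual, inventory):
    """Links present on the real network but missing from the documented
    inventory, compared by endpoints only (filters are irrelevant here)."""
    key = lambda link: tuple(sorted(link[:2]))
    known = {key(l) for l in inventory}
    return [l for l in actual if key(l) not in known]


# --- Constructed topologies (assumed layouts, not FirstEnergy's real network) ---

# What the documentation said: the Internet reaches the corporate net only
# through a firewall that drops UDP, and the plant net hangs off the corporate net.
DOCUMENTED = [
    ("internet", "corp_firewall", {"udp"}),
    ("corp_firewall", "corp_net", set()),
    ("corp_net", "plant_net", set()),
]

# What actually existed: the contractor's T-1 terminated inside the corporate
# net with no filtering, so the firewall never saw its traffic.
ACTUAL = DOCUMENTED + [("internet", "corp_net", set())]

# The remediation the NRC describes: a firewall between plant and corporate nets.
REMEDIATED = [l for l in ACTUAL if l[:2] != ("corp_net", "plant_net")] + [
    ("corp_net", "plant_firewall", {"udp"}),
    ("plant_firewall", "plant_net", set()),
]


def plant_exposure(links):
    """Paths over which Slammer traffic can reach the plant network."""
    return unfiltered_paths(links, "internet", "plant_net", SLAMMER_FLOW)


if __name__ == "__main__":
    for name, topo in (("documented", DOCUMENTED),
                       ("actual", ACTUAL),
                       ("remediated", REMEDIATED)):
        print(f"{name:11s} exposure paths: {plant_exposure(topo)}")
    print("undocumented links:", undocumented_links(ACTUAL, DOCUMENTED))
```

Run against the documented topology the check reports no path, which is the answer the plant's staff would have accepted; run against the actual topology it reports one path that never touches the firewall, and only the second firewall closes it again even with the T-1 still present. The model deliberately ignores the NRC's "send-only" requirement (a one-way link would be a directed edge, not a filter), since the article gives no detail on how that was implemented at the plant.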
If my IT staff said that to me, they'd be out of jobs. SQL Slammer was a nearly 100% preventable attack through Microsoft alone. 100% preventable if you had the proper software in place as a safeguard. Being vulnerable to SQL Slammer was almost inexcusable as admins had over 6 months to patch. MS Blaster was a different story due to the exploit being released only 4 weeks after the vulnerability was released.
I was Blaster-proof via Windows Update long before it ever showed up.
HINT: MANY companies have restrictions in place that allow their critical servers to only be rebooted once a month, once a quarter -- even only once a year.
Well, not really. You need to understand the purpose of these "plant parameter displays". They were originally installed after Three Mile Island so that the management could dial in from home and see what was going on in the plant.
They are for information only and control nothing.
People don't seem to realize that the newest nuclear plants completed in the US were built with 60's analog technology, much of it 3-15 PSI pneumatic!
Sure, they have pasted on a few digital monitoring systems over the years, but that's all they do: monitor.