Free Republic
News/Activism

Slammer worm crashed Ohio nuke plant network (Still Think The Blackout Wasn't A Cyber Attack???)
SecurityFocus News ^ | Aug 19 2003 | Kevin Poulsen

Posted on 08/22/2003 2:01:06 AM PDT by RepublicanArmy

The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall, SecurityFocus has learned.

The breach did not pose a safety hazard. The troubled plant had been offline since February, 2002, when workers discovered a 6-by-5-inch hole in the plant's reactor head. Moreover, the monitoring system, called a Safety Parameter Display System, had a redundant analog backup that was unaffected by the worm. But at least one expert says the case illustrates a growing cybersecurity problem in the nuclear power industry, where interconnection between plant and corporate networks is becoming more common, and is permitted by federal safety regulations.

The Davis-Besse plant is operated by FirstEnergy Corp., the Ohio utility company that's become the focus of an investigation into the northeastern U.S. blackout last week.

The incident at the plant is described in an April e-mail to the Nuclear Regulatory Commission (NRC) from FirstEnergy, and in a similarly-worded March safety advisory distributed privately throughout the industry over the "Nuclear Network," an information-sharing program run by the Institute of Nuclear Power Operations. The March advisory was issued to "alert the industry to consequences of Internet Worms and Viruses on Plant Computer Systems," according to the text.

The reports paint a sobering picture of cybersecurity at FirstEnergy.

The Slammer worm entered the Davis-Besse plant through a circuitous route. It began by penetrating the unsecured network of an unnamed Davis-Besse contractor, then squirmed through a T1 line bridging that network and Davis-Besse's corporate network. The T1 line, investigators later found, was one of multiple ingresses into Davis-Besse's business network that completely bypassed the plant's firewall, which was programmed to block the port Slammer used to spread.

"This is in essence a backdoor from the Internet to the Corporate internal network that was not monitored by Corporate personnel," reads the April NRC filing by FirstEnergy's Dale Wuokko. "[S]ome people in Corporate's Network Services department were aware of this T1 connection and some were not."

Users noticed slow performance on Davis-Besse's business network at 9:00 a.m., Saturday, January 25th, at the same time Slammer began hitting networks around the world. From the business network, the worm spread to the plant network, where it found purchase in at least one unpatched Windows server. According to the reports, plant computer engineers hadn't installed the patch for the MS-SQL vulnerability that Slammer exploited. In fact, they didn't know there was a patch, which Microsoft released six months before Slammer struck.

Operators Burdened

By 4:00 p.m., power plant workers noticed a slowdown on the plant network. At 4:50 p.m., the congestion created by the worm's scanning crashed the plant's computerized display panel, called the Safety Parameter Display System.

An SPDS monitors the most crucial safety indicators at a plant, like coolant systems, core temperature sensors, and external radiation sensors. Many of those continue to require careful monitoring even while a plant is offline, says one expert. An SPDS outage lasting eight hours or more requires that the NRC be notified.

At 5:13 p.m., another, less critical, monitoring system called the "Plant Process Computer" crashed. Both systems had redundant analog backups that were unaffected by the worm, but, "The unavailability of the SPDS and the PPC was burdensome on the operators," notes the March advisory.

It took four hours and fifty minutes to restore the SPDS, six hours and nine minutes to get the PPC working again.

FirstEnergy declined to elaborate on the incident. The company has become the focus of an investigation into last week's northeastern U.S. blackout. Though the full cause of the blackout has yet to be determined, investigators have reportedly found that it began when an Ohio high-voltage transmission line "tripped" after sagging into a tree. An alarm system that was part of FirstEnergy's Energy Management System failed to warn operators at the company's control center that the line had failed.

Asked if last week's "Blaster" worm might have had a hand in the alarm system failure, just as Slammer disabled the Davis-Besse safety display panel, FirstEnergy spokesman Todd Schneider said, "We're investigating everything right now."

"I have not heard of anything like that," added Schneider. "The alarm system was the only system that was not functioning."

SCADA Issues

The Davis-Besse incident was not Slammer's only point of impact on the electric industry. According to a document released by the North American Electric Reliability Council in June, Slammer downed one utility's critical SCADA network after moving from a corporate network, through a remote computer to a VPN connection to the control center LAN.

A SCADA (Supervisory Control and Data Acquisition) system consists of a central host that monitors and controls smaller Remote Terminal Units (RTUs) sprinkled throughout a plant, or in the field at key points in an electrical distribution network. The RTUs, in turn, directly monitor and control various pieces of equipment.

In a second case reported in the same document, a power company's SCADA traffic was blocked because it relied on bandwidth leased from a telecommunications company that fell prey to the worm.

Reports on the effect of last week's Blaster worm on the electric grid, if any, have yet to emerge.

The Slammer attacks came after years of warnings about the vulnerability of power plants and electric distribution systems to cyber attack. A 1997 report by the Clinton White House's National Security Telecommunications Advisory Committee, which conducted a six-month investigation of power grid cybersecurity, described a national system controlled by Byzantine networks riddled with basic security holes, including widespread use of unsecured SCADA systems, and ample connections between control centers and utility company business networks.

"[T]he distinct trend within the industry is to link the systems to access control center data necessary for business purposes," reads the report. "One utility interviewed considered the business value of access to the data within the control center worth the risk of open connections between the control center and the corporate network."

Future Safety Concerns

An energy sector cybersecurity expert who's reviewed nuclear plant networks, speaking on condition of anonymity, said the trend of linking operations networks with corporate LANs continues unabated within the nuclear energy industry, because of the economic benefits of giving engineers easy access to plant data. An increase in plant efficiency of a couple percentage points "can translate to millions upon millions of dollars per year," says the expert.

He says Slammer's effect on Davis-Besse highlights the dangers of such interconnectivity.

Currently, U.S. nuclear plants generally have digital systems monitoring critical plant operations, but not controlling them, said the expert. But if an intruder could tamper with monitoring systems like Davis-Besse's SPDS, which operators are accustomed to trusting, that could increase the risk of an accident.

Moreover, the industry is moving in the direction of installing digital controls that would allow for remote operation of plant functions, perhaps within a few years, if the NRC approves it. "This is absolutely unacceptable without drastic changes to plant computer networks," says the expert. "If a non-intelligent worm can get in, imagine what an intruder can do."

Jim Davis, director of operations at the Nuclear Energy Institute, an industry association, says those concerns are overblown. "If you break all the connections and allow no data to pass from anywhere to anywhere, you've got great security -- but why'd you put the digital systems in the first place?," says Davis.

Davis says the industry learned from the Davis-Besse incident, but that the breach didn't prove that connections between plant and corporate networks can't be implemented securely. "You can put a well-protected read-only capability on a data stream that provides you reasonable assurance that nobody can come back down that line to the control system," says Davis.

Last year the NEI formed a task force to develop updated cybersecurity management guidelines for the industry. The results -- which will be secret -- are expected within a few months. As part of a research effort earlier this year, the NEI's task force worked with the NRC and a contractor to review cybersecurity at four nuclear power plants. The details of the review are classified as "Safeguards" material, but Davis says the investigation found no serious problems. "There are no issues that generate a public health and safety concern," says Davis.

"Sometime people get very anxious about digital systems and what you could or couldn't do with digital systems, but in lots of cases you've got switches and valves and little override buttons on this thing and that thing that could cause a component to shut down as quickly as any digital system," Davis says.

Despite the Slammer breach, FirstEnergy was apparently not in violation of NRC's limited, and aging, cybersecurity regulations. For its part, the commission wouldn't comment on the incident. The NRC has faced fierce criticism for not acting sooner to curb far more serious physical safety problems at the plant.


TOPICS: Business/Economy; Crime/Corruption; Foreign Affairs; News/Current Events; War on Terror
KEYWORDS: blackout; computernetwork; firstenergycorp; nuclearpowerplant; worm
I think someone's head at FirstEnergy Corp. should roll big time.
1 posted on 08/22/2003 2:01:07 AM PDT by RepublicanArmy
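The ingress-and-scanning pattern the article describes, as an added example that is not from SecurityFocus or FirstEnergy: a Python script over constructed flow-log lines (the log format, interface names and addresses are assumptions) that flags Slammer-style fan-out on UDP/1434, the MS-SQL resolution port Slammer used, and lists the interfaces that accepted such traffic from outside the perimeter firewall, the kind of unmonitored path the contractor T1 provided.

```python
"""Flag Slammer-style UDP/1434 fan-out and firewall-bypassing ingress in
flow logs.  Slammer spread as a single UDP datagram to port 1434 (MS-SQL
Server Resolution Service), then scanned random addresses as fast as the
host could send; the log format below is constructed, not FirstEnergy's."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: 10.20.0.15 on the business LAN fans out on UDP/1434;
# the perimeter firewall (fw-ext) drops inbound 1434 but the contractor T1
# link (t1-contractor) carries no such rule, mirroring the article's bypass.
SAMPLE_LOG = """\
2003-01-25T09:00:01 iface=t1-contractor action=accept proto=udp src=192.0.2.44 dst=10.20.0.15 dport=1434
2003-01-25T09:00:02 iface=fw-ext action=drop proto=udp src=203.0.113.9 dst=10.20.0.15 dport=1434
2003-01-25T09:00:03 iface=lan action=accept proto=udp src=10.20.0.15 dst=10.20.3.7 dport=1434
2003-01-25T09:00:03 iface=lan action=accept proto=udp src=10.20.0.15 dst=10.20.9.1 dport=1434
2003-01-25T09:00:03 iface=lan action=accept proto=udp src=10.20.0.15 dst=172.16.5.5 dport=1434
2003-01-25T09:00:04 iface=lan action=accept proto=udp src=10.20.0.15 dst=10.30.1.2 dport=1434
2003-01-25T09:00:04 iface=lan action=accept proto=udp src=10.20.0.15 dst=10.30.1.3 dport=1434
2003-01-25T09:00:05 iface=lan action=accept proto=udp src=10.20.0.99 dst=10.20.0.15 dport=1434
this line is malformed and must be skipped, not guessed at
"""
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
LINE_RE = re.compile(r"(?P<ts>\S+) iface=(?P<iface>\S+) action=(?P<action>\S+) "
                     r"proto=(?P<proto>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+)$")

def parse_log(text):
    """Parse well-formed lines into dicts; anything else is dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records

def find_udp1434_scanners(records, min_targets=4, window_s=10):
    """Return {src: distinct destinations} for sources that reach at least
    min_targets different hosts on UDP/1434 inside any window_s-second
    window.  Fan-out to many addresses, not byte volume, is the signature."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "udp" and r["dport"] == 1434:
            by_src[r["src"]].append((r["ts"], r["dst"]))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {d for t, d in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(seen) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(seen))
    return scanners

def bypass_ingress(records):
    """Interfaces that accepted UDP/1434 from outside the internal ranges:
    each one is a path around the perimeter rule, like the contractor T1."""
    return sorted({r["iface"] for r in records
                   if r["proto"] == "udp" and r["dport"] == 1434
                   and r["action"] == "accept"
                   and not any(ip_address(r["src"]) in n for n in INTERNAL)})

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("fan-out scanners:", find_udp1434_scanners(recs))   # {'10.20.0.15': 5}
    print("firewall-bypass ingress:", bypass_ingress(recs))   # ['t1-contractor']
```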

To: RepublicanArmy
MICROSOFT WORKING WITH THE FEDS, VIRUS ATTACKS MAY BE TERRORISM

Posted by AnimalLover to prarie earth On News/Activism 08/22/2003 2:13 AM PDT #25 of 25

Maybe you might like to look this over?

2 posted on 08/22/2003 2:22:28 AM PDT by AnimalLover

To: RepublicanArmy
http://www.freerepublic.com/focus/f-news/968431/posts

Sorry, forgot the address!

3 posted on 08/22/2003 2:26:30 AM PDT by AnimalLover

To: RepublicanArmy
According to Time Magazine the CIA has not ruled out terrorism on the power grid.
4 posted on 08/22/2003 2:34:33 AM PDT by prarie earth

To: prarie earth
I also think it was software failure, which only failed due to a worm/virus. (otherwise, it should have stopped the overload, cascading effect, and should have done its programmed warnings)
5 posted on 08/22/2003 2:39:06 AM PDT by bets

To: bets
I'm amazed that this information has been held back this long.
6 posted on 08/22/2003 2:43:21 AM PDT by prarie earth

To: prarie earth
It's these darned pc networks. If companies and utilities would have stuck w/mainframes and midranges, they wouldn't be in this cheesy, duct-taped, vulnerable, pc networked boat. (can you tell I don't like pc-based networks?)
7 posted on 08/22/2003 2:50:16 AM PDT by bets

To: bets
Yep, and how vulnerable are we still?
8 posted on 08/22/2003 2:51:10 AM PDT by prarie earth

To: prarie earth
Forever vulnerable, as long as we have these pc-based networks supposedly protected by firewalls watching ports and bad OS software. This is because the software companies won't admit the vulnerabilities to the buyers AND the buyers (network "experts") won't admit to their bosses that they have holes in their systems. See?
9 posted on 08/22/2003 3:00:05 AM PDT by bets

To: bets
And the stuff was poorly written to begin with.
10 posted on 08/22/2003 3:01:13 AM PDT by prarie earth

To: prarie earth
I remember about 13 yrs ago I sat in front of a Navy Admiral in his office in a Navy base, having flown there just to have him ask myself and two other software people ONE QUESTION: "Can a virus infect the system you're working on for us?"

Now mind you, this was 13 or so yrs ago, before viruses were well known or rampant. Anyway, we had the pleasure of without hesitation saying "no," because we're working on a mainframe system w/such and such an OS, and there are no viruses that can infect such a system. He asked us if we were sure. We looked him in the eye and said "yes. positive." and we left. That was pretty much our purpose for flying to his base - that one question which he wanted to ask us face to face.

Today systems are flimsy and pc-server based -- cheap alternatives to the real thing, chosen by people trying to save money and use lower salaried, less-experienced network people (vs. the higher paid mainframe/midrange experts). When it comes to such an important system, our power grid, there should be no such scrimping. Just like w/the Navy Admiral who took the safety of his men and resources seriously.

11 posted on 08/22/2003 3:10:36 AM PDT by bets

To: bets
Looks like the stuff is going to hit the proverbial fan pretty soon..
12 posted on 08/22/2003 3:12:15 AM PDT by prarie earth

To: RepublicanArmy; FairOpinion; Pro-Bush; LindaSOG; Shermy; Sir Gawain; zoyd
August 19, 2003 No.553

Al-Qa'ida Claims Responsibility for Last Week's Blackout

Al-Qa'ida's Abu Hafs Brigades has claimed responsibility for "Operation Quick Lightning in the Land of the Tyrant of this Generation," referring to the blackout last week in the Northeast and Midwest United States. A communiqué by the Abu Hafs Brigades was published at http://groups.yahoo.com/group/abubanan2/message/330. This is the third communiqué by the "Brigades" that is being published by the same web-group; in the first, they accepted responsibility for the downing of an airplane in Kenya. The second accepted responsibility for the Jakarta bombing of the Marriott hotel on August 5, 2003.

The new communiqué says that in compliance with the orders of Osama bin Laden to strike at the American economy, the Brigades struck two important electricity supply targets on the East coast. The Brigades say that they cannot reveal how they did it, because they will probably have to use the same method again soon. The communiqué also claimed that the operation was meant as a present for the Iraqi people.

The following are excerpts from a report by the London-based Arabic daily Al-Hayat about the communiqué: [1]


The Blackout was 'a Realization of bin Laden's Promise to Offer the Iraqi People a Present'

"A communiqué attributed to Al Qaeda claimed responsibility for the power blackout that happened in the U.S. last Thursday, saying that the brigades of Abu Fahes Al Masri had hit two main power plants supplying the East of the U.S., as well as major industrial cities in the U.S. and Canada, 'its ally in the war against Islam (New York and Toronto) and their neighbors.'

"The communiqué assured that the operation 'was carried out on the orders of Osama bin Laden to hit the pillars of the U.S. economy,' as 'a realization of bin Laden's promise to offer the Iraqi people a present.'

'The Americans Lived a Black Day they will Never Forget'

"The statement, which Al-Hayat obtained from the website of the International Islamic Media Center, didn't specify the way the alleged sabotage was carried out. The communiqué read: 'let the criminal Bush and his gang know that the punishment is the result of the action, the soldiers of God cut the power on these cities, they darkened the lives of the Americans as these criminals blackened the lives of the Muslim people in Iraq, Afghanistan and Palestine. The Americans lived a black day they will never forget. They lived a day of terror and fear… a state of chaos and confusion where looting and pillaging rampaged the cities, just like the capital of the caliphate Baghdad, and Afghanistan and Palestine were. Let the American people take a sip from the same glass.'

'The U.S. will not Live in Peace until Our Conditions are Met'

"It added: 'we heard amazing statements made by the American and Canadian enemies which have nuclear physics universities and space agencies, that lightning hit and destroyed the two plants. And we are supposed to believe this nonsense. If the blackout occurred in one or two cities, their lie would have been credible. But the fact is that the blackout hit the entire East and part of Canada.'

"The communiqué continued: 'one of the benefits of this strike is that the U.S. will not live in peace until our conditions are met, such as releasing all the detainees including Sheikh Omar Abdulrahman, and getting out of the land of the Muslims, including Jerusalem and Kashmir.'

"The authors of the communiqué said that the strikes aimed at 'hitting the major pillar of the U.S. economy (the Stock Exchange)… [and] the UN, which is opposed to Islam, and is based in New York. It is a message to all the investors that the U.S. is no longer a safe country for their money, knowing that the U.S. economy greatly relies on the trust of the investor…'

'The Gift of Sheikh Osama bin Laden is on Its Way to the White House'

"The communiqué mentioned that some economists said the blackout in the U.S. and Canada would cost the U.S. Treasury no less than ten billion U.S. dollars and in order to 'break the hearts of U.S. officials, just know that the cost paid by the Moujahideen to sabotage the power plants was a mere seven thousand dollars. Die of sorrow!'

"The communiqué ended with: 'we tell the Muslims that this is not the awaited strike, but it is called the war of skirmishes (to drain the enemy), and that the American snakes are enormous and need to be consumed and weakened to be destroyed. We tell the people of Afghanistan and Kashmir that the gift of Sheikh Osama bin Laden is on its way to the White House; then the gift of Al Aqsa, and do we know what is the gift of Al Aqsa, where and when? The answer is what you are seeing!'


[1] Published in English on Dar Al-Hayat website, August 18, 2003, http://english.daralhayat.com/arab_news/08-2003/Article-20030818-14bdd659-c0a8-01ed-0079-6e1c903b7552/story.html



http://www.memri.org/bin/latestnews.cgi?ID=SD55303
13 posted on 08/22/2003 3:41:56 AM PDT by JustPiper (The Free Republic of America! "W" is our President !!!)

To: AnimalLover
Thread
14 posted on 08/22/2003 3:45:11 AM PDT by JustPiper (The Free Republic of America! "W" is our President !!!)

To: RepublicanArmy
The obvious question here is this: Is Al Qaeda just claiming responsibility for something that happened, or could they really have caused it? Seems like the former would be the likely answer. Hard to believe that Al Qaeda has anyone with the savvy to put together and pull off an operation like this. Hate to underestimate my enemy, but really now!
15 posted on 08/22/2003 5:05:35 AM PDT by whipitgood

To: RepublicanArmy
Also posted HERE.
16 posted on 08/22/2003 5:12:36 AM PDT by Ed_in_NJ

To: RepublicanArmy
Mission-critical computers should never be connected to the internet.

If they need to communicate it should be through a separate, independent network which intersects the internet at no point.

--Boris

17 posted on 08/22/2003 8:29:14 AM PDT by boris (Education is always painful; pain is always educational.)

To: RepublicanArmy
"The Slammer attacks came after years of warnings about the vulnerability of power plants and electric distribution systems to cyber attack. A 1997 report by the Clinton White House's National Security Telecommunications Advisory Committee, which conducted a six-month investigation of power grid cybersecurity, described a national system controlled by Byzantine networks riddled with basic security holes, including widespread use of unsecured SCADA systems, and ample connections between control centers and utility company business networks."

Nobody took it seriously, unfortunately.

What we are experiencing now is a real wake-up call, or should be, about cyberattacks. Just hope this is not a prelude/phase I to something worse.

Cyber-Attacks by Al Qaeda Feared. Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say -- June 27, 2002

18 posted on 08/22/2003 8:58:44 AM PDT by FairOpinion

To: FairOpinion; BOBTHENAILER; Coop; Angelus Errare; hchutch; Dog Gone; prairiebreeze; Mo1; Howlin; ...
Still think that blackout wasn't a cyber attack??
19 posted on 08/22/2003 10:22:47 AM PDT by Dog (: "And good ol' boys were drinking whiskey and rye, singing 'This'll be the day Saddam dies...'")

To: Joe Hadenuf; Shermy
Hey Joe check this out.
20 posted on 08/22/2003 10:24:43 AM PDT by Dog (: "And good ol' boys were drinking whiskey and rye, singing 'This'll be the day Saddam dies...'")

