How Blaster shared responsibility for the blackout
Aug. 14 Power Outage: Impacts of Blaster & Slammer on the Electric Power Sector
iDEFENSE Security Advisory 09.05.03:
No definitive cause for the massive power outage that struck the Northeastern US and Canada on Aug. 14, 2003, has yet been established. A senior FBI official told Congress on Sept. 4, 2003, that the FBI has not found any evidence of terrorism or criminal hacking in the incident. However, FBI Executive Assistant Director Larry Medford added that the blackout event could represent a "dry run" for potential future terrorist or hacker attacks against the US electrical grid. The US House Energy and Commerce Committee began a two-day inquiry into the causes of the blackout on Sept. 3, 2003.
The possibility of a computer-related cause for the incident merits further investigation, along with other possible theories. In any event, a strong case may now be made that malicious code had some impact on the crisis, even if it was not the primary cause. Specifically, the Blaster worm (ID# 204777, Aug. 11, 2003) appears to have degraded the performance of communications links between utility company data centers and probably exacerbated the crisis. According to Computerworld.com, citing Department of Energy researcher Gary Seifert, Blaster "compounded the problems" as the blackout was unfolding.
Computer Failures at FirstEnergy Prior to Blackout
An Aug. 28, 2003, story in the Cleveland, Ohio, Plain Dealer established that key computers belonging to FirstEnergy Corporation crashed prior to the blackout. FirstEnergy has been at the center of investigations into the incident. Another Plain Dealer report said that FirstEnergy first noticed irregularities in the electrical grid about noon on the 14th — some four hours before the massive blackout struck. Further, "FirstEnergy Corp. could not see mounting transmission line problems in the crucial hour before the ... blackout because its key computers were down." This information first came from officials of two municipal electric systems and is apparently confirmed by transcripts of recorded conversations between FirstEnergy and its Midwest power monitor, according to a Sept. 4, 2003, follow-up report in the Plain Dealer. The director of Oberlin Municipal Light and Power, which is connected to the electrical grid run by FirstEnergy, said "his office called [FirstEnergy's] Akron control center about 3:30 that Thursday to ask why Oberlin had extremely low voltage ... 'The guy told us he didn't know what was wrong, because his computer was down.'" That conversation occurred about 40 minutes before the blackout hit at 4:11 p.m., according to the Plain Dealer.
These statements appear to establish that FirstEnergy was experiencing potentially disabling computer problems prior to the blackout. The cause of the FirstEnergy system crash has not yet been established.
Blaster's Impact in the Wake of the Blackout
While the evidence for what actually occurred during the incident is still inconclusive, the blackout has raised many questions about cyber security in the electric power industry in general. Even if malicious code was not the primary cause, the Blaster worm exacerbated the situation once the crisis was underway and also contributed to some post-event impacts. On Aug. 20, 2003, the Canadian Office of Infrastructure Protection (OCIPEP) issued an Advisory citing concern over possible residual impact from the Blaster worm as Canadian organizations began a resumption of operations and started powering up again after a hiatus due to the blackout (ID# 204950, Aug. 21, 2003). Also, according to an Aug. 29, 2003, Computerworld.com article (citing a former Bush Administration adviser), Blaster degraded the ability of some utility companies in New York state "to restore power in a timely manner because some of those companies were running Windows-based control systems with Port 135 open — the port through which the worm attacked systems."
Slammer's Impact on the Electric Power Industry
Besides the issue of Blaster’s impact on the Aug. 14 blackout, the electric power industry was already reacting to the Slammer incident in January 2003 and trying to come to terms with it. According to a June 20, 2003, report from the North American Electric Reliability Council (NERC), Slammer impacted "some electricity sector systems." A "control center LAN running SQL" that was not patched was breached when it apparently migrated "through corporate networks until it finally reached the critical SCADA network via a remote computer through a VPN connection." The NERC report said that, as the worm propagated, it blocked SCADA traffic at that power station. According to one expert, Slammer "did hit a number of electrical and water control facilities ... the worm itself did not shut the power off, [but] what Slammer did was essentially shut off the control system." Control systems expert Joe Weiss says Slammer in some cases "impacted the telecom provider or hit a router, and basically used up the bandwidth on the router and the control system shared that. So ... the control system was the unintended consequence of the Slammer worm."
A FirstEnergy system at a nuclear power plant (Davis-Besse) was one of the sites infected by Slammer in January 2003. Davis-Besse was not up and operational at the time and has not been up for some 18 months, but it still had two systems that were vulnerable to Slammer at that time (the plant process computer and the Safety Parameter Display System).
FirstEnergy filed a report on the incident with the Nuclear Regulatory Commission (NRC), according to the Plain Dealer. A spokesman said that Slammer did not spread throughout FirstEnergy's computer systems. The spokesman said "it's conceivable that it could have — but it did not. It did not get out of Davis-Besse." According to an Aug. 29, 2003, story in Computerworld.com, “although FirstEnergy has said publicly that Slammer didn’t infect any of the control systems at its Davis-Besse nuclear power plant, ... knowledgeable sources said the worm did cause disruptions." This claim has not been confirmed and may be entirely incorrect. Indeed, the NRC issued an Information Notice about the incident on Sept. 2, 2003 (No. 03-108), saying only that "the worm infection increased data traffic in the site's network" and that an "investigation also found that plant computer engineering personnel were unaware of a security patch that prevented the worm from working."
It is curious that the NRC would issue such a finding only now — some eight months after the incident and only a day before Congressional hearings on the blackout were due to begin. One reason might be the fact that at least one member of Congress, Rep. Edward Markey (D-MA), has already called for an investigation by the Nuclear Regulatory Commission into "whether a worm or virus was at the root of the transmission problems that preceded the blackout." Knowing that the Slammer incident in January 2003 at Davis-Besse might be used as a basis for discussing Blaster and the Aug. 14 blackout, the NRC may have issued the notice now in an effort to fend off potential criticism that it is not on top of the situation, or possibly to try to better frame the discussion.
In any event, whatever the full impact of Slammer was at Davis-Besse or elsewhere in the electric power sector, it is obvious that there is a problem when malicious code can have any impact whatsoever on a system within a nuclear power plant.
Apparently as a result of Slammer's impact and related issues, the NERC in June 2003 recommended a number of "Cyber Practices for Consideration" for the electric power industry that included critical asset identification, systems management (a rigorously managed security patch process) and business continuity planning. It was further recommended that electric power organizations update their "service level agreements with telecommunications providers to help assure no interruption of service due to an attack of this kind." It is not known which of these NERC recommendations from June 2003, if any, were implemented throughout the industry prior to the debilitating power outages of Aug. 14.
Remote Access Connectivities to SCADA Systems
The Aug. 14 incident highlights concern over remote access connectivities to SCADA (Supervisory Control and Data Acquisition) systems that are widely used in the electric power industry. An Aug. 14, 2003, article in Computerworld.com expressed experts' concerns over "the vulnerabilities posed by the energy industry's deliberate efforts to connect SCADA systems — the real-time computers used to manage grid capacity and flow — to corporate LANs as a way of improving statistical tracking and sales of excess grid capacity."
These control systems were originally designed to be "closed" systems, that is, without access to the Internet or other outside connectivities. The need for greater economic efficiencies has changed that situation, and now many of these systems, in order to remain economically viable, have a remote dial-in capability.
According to Weiss, "although the PC-based software used by operators to monitor power stations ... is usually protected by firewalls, the real-time control electronics that they oversee is not." Indeed, there is a vital need "to develop firewalls, intrusion detection, encryption and authentication ... for control systems," but Weiss does not see Congressional funding for greater cyber security in the industry at this point going to secure control systems.
Though this does not specifically address what occurred during the Aug. 14 blackout, it is clear that the remote connectivities, and the vulnerabilities that Windows-based LANs expose to some SCADA systems, now need to be better understood and dealt with in the aftermath of the blackout.
General Malicious Code Concerns Affecting the Power Industry
According to an extensive study titled "Cyber Security of the Electric Power Industry" (produced by the Institute for Security Technology Studies, Dartmouth College, December 2002), some SCADA and other control systems are "vulnerable to malicious attacks or other cyber impacts." While some of the IT systems that connect to control systems have been secured from vulnerabilities, the report says that "technologies are not available to secure the control systems themselves." Additionally, knowledge of these issues is readily available around the world, according to the study. Its authors conclude that "terrorists, hostile nation-states or malicious computer hackers pose a threat to the sector."
How Did We Get Into Such a Situation?
As the Dartmouth study points out, the process of opening up the electric sector to these kinds of vulnerabilities did not occur overnight. It really began with deregulation of the industry. As the electric power industry sought to cut costs and consolidate, it looked for ways to do so. One of the areas where that was possible was in purchasing off-the-shelf commercial operating systems (usually Microsoft operating systems) to replace proprietary systems. The latter were often inherently more secure because hackers were not familiar with them.
FERC January 2004 Standards
There is movement underway to try to improve this situation. The Federal Energy Regulatory Commission (FERC) is seeking to mandate "minimum security measures for physical and cyber security" for the electric energy industry that are supposed to begin to take effect on Jan. 1, 2004. However, the situation is far from being resolved and, as the report makes clear, the industry is also still very far away from developing a secure network architecture.
Technical Analysis of Blaster and DCOM RPC Calls
It is still necessary to try to understand how Blaster might have affected networks related to data communications between the electrical utility centers or in other ways during the Aug. 14 blackout. A key point is that even one Windows-based system on a network that becomes infected with the worm can adversely affect performance of any other system or computer on the network, Windows-based or otherwise.
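The paragraph above, and the earlier note that some utilities' Windows-based control systems had Port 135 open, describe the mechanism by which one infected host hurts every other host on a shared link: the worm fans out to as many distinct targets as it can reach on its attack port. The detector below, added here as an example and not iDEFENSE's or NERC's code, parses constructed firewall log lines and flags any source that reaches many distinct hosts on a worm port within a short window. It generalizes beyond the page's Blaster case to Slammer by also watching UDP/1434, the SQL Server resolution port Slammer used (a documented fact, though the advisory itself does not name the port). The log line format, host addresses, window and threshold are all assumptions made for the example.

```python
"""Worm fan-out detector: flags hosts that contact many distinct targets on a
worm's attack port in a short window, the traffic pattern by which a single
infected Windows host degrades a shared network. Added example, not iDEFENSE code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Vector -> worm name. TCP/135 (DCOM RPC) is the Blaster vector the advisory
# cites; UDP/1434 (SQL Server resolution) is Slammer's, a documented fact not
# stated on the page.
WORM_PORTS = {("tcp", 135): "Blaster", ("udp", 1434): "Slammer"}

# Firewall log format assumed for this example (constructed, not a real product):
# "<ISO timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
def _line(ts, proto, src, dst, dport, sport=1025):
    return f"{ts.isoformat()} {proto} {src}:{sport} -> {dst}:{dport}"

def build_sample_log():
    """Constructed sample: one Blaster-style scanner, one Slammer-style
    scanner and one host doing legitimate repeated DCOM calls to two servers."""
    t0 = datetime(2003, 8, 14, 15, 31, 0)
    lines = []
    for i in range(1, 31):   # 10.0.5.17 sweeps 30 hosts on TCP/135 in 30 s
        lines.append(_line(t0 + timedelta(seconds=i), "tcp", "10.0.5.17",
                           f"10.0.6.{i}", 135, 1024 + i))
    for i in range(25):      # 10.0.7.9 sprays UDP/1434 at 25 hosts in 5 s
        lines.append(_line(t0 + timedelta(milliseconds=200 * i), "udp",
                           "10.0.7.9", f"10.0.8.{i + 1}", 1434))
    for i in range(40):      # 10.0.5.3 talks DCOM to the same two servers repeatedly
        lines.append(_line(t0 + timedelta(seconds=i), "tcp", "10.0.5.3",
                           f"10.0.9.{1 + i % 2}", 135))
    return "\n".join(lines)

def parse_line(line):
    """Split one log line into (timestamp, proto, src_ip, dst_ip, dst_port)."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), proto.lower(), src_ip, dst_ip, int(dport)

def detect_worm_scanners(log_text, window=timedelta(seconds=60), threshold=20):
    """Return {src_ip: (worm_name, peak_distinct_targets)} for every source that
    reaches at least `threshold` distinct hosts on a worm port within `window`.
    Distinct targets, not connection count, is what separates a propagating
    worm from a busy but legitimate RPC client."""
    events = defaultdict(list)          # (src, worm) -> [(ts, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport = parse_line(line)
        worm = WORM_PORTS.get((proto, dport))
        if worm:
            events[(src, worm)].append((ts, dst))
    hits = {}
    for (src, worm), evs in events.items():
        evs.sort()
        peak = 0
        for i in range(len(evs)):
            # window anchored at event i: count distinct destinations inside it
            targets = {dst for ts, dst in evs[i:] if ts - evs[i][0] <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            hits[src] = (worm, peak)
    return hits

if __name__ == "__main__":
    for src, (worm, n) in detect_worm_scanners(build_sample_log()).items():
        print(f"{src}: {worm}-like fan-out, {n} distinct targets in 60 s")
```

On the constructed sample the two scanners are flagged and the host that repeatedly calls the same two DCOM servers is not, which is the distinction a control-center operator needs: a legitimate RPC client can be just as chatty as a worm, but it does not sweep the address space.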
iDEFENSE has done research into the DCOM Remote Procedure Call (RPC) at the heart of Blaster and will publish a special technical report titled "The Impact of Blaster on DCOM RPC Calls".
Conclusions: Only Nine Seconds 'Til Darkness
The cascading effect of the power blackout was astonishing in its rapidity. According to numerous accounts, the main event occurred within nine seconds. Its suddenness is another factor pointing to the possibility that, whatever the ultimate cause or causes of the blackout turn out to be, network failures possibly brought on in part by malicious code probably made the incident much worse.
There is still much more that needs to be understood about the events of Aug. 14, 2003, and the impacts which malicious code may have had upon the situation. The investigations are ongoing. What is most important for the future safety and reliability of the electrical grid is that responsible authorities in both the government and the electric utilities do everything they can to mitigate the current state of cyber vulnerabilities within the electric power industry.