Democratic Underground

Slammer worm crashed Ohio nuke plant network (FirstEnergy, Davis-Besse)

This topic is archived.

htuttle Donating Member (1000+ posts) Wed Aug-20-03 10:11 AM
Original message
Slammer worm crashed Ohio nuke plant network (FirstEnergy, Davis-Besse)
By Kevin Poulsen, SecurityFocus Aug 19 2003 2:45PM

The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall, SecurityFocus has learned.

(snip)

The Davis-Besse plant is operated by FirstEnergy Corp., the Ohio utility company that's become the focus of an investigation into the northeastern U.S. blackout last week.

The incident at the plant is described in an April e-mail to the Nuclear Regulatory Commission (NRC) from FirstEnergy, and in a similarly-worded March safety advisory distributed privately throughout the industry over the "Nuclear Network," an information-sharing program run by the Institute of Nuclear Power Operations. The March advisory was issued to "alert the industry to consequences of Internet Worms and Viruses on Plant Computer Systems," according to the text.

The reports paint a sobering picture of cybersecurity at FirstEnergy.

The Slammer worm entered the Davis-Besse plant through a circuitous route. It began by penetrating the unsecured network of an unnamed Davis-Besse contractor, then squirmed through a T1 line bridging that network and Davis-Besse's corporate network. The T1 line, investigators later found, was one of multiple ingresses into Davis-Besse's business network that completely bypassed the plant's firewall, which was programmed to block the port Slammer used to spread.

(much more at link)
http://www.securityfocus.com/news/6767

Whoops...

Kellanved Donating Member (1000+ posts) Wed Aug-20-03 10:14 AM
Response to Original message
1. amazing isn't it?
Edited on Wed Aug-20-03 10:15 AM by Kellanved

htuttle Donating Member (1000+ posts) Wed Aug-20-03 10:19 AM
Response to Reply #1
2. One of the links you posted in that thread seems to refer to the same incident
ftp://ftp.nerc.com/pub/sys/all_updl/standards/Chuck-Noble-RBB-Letter.pdf

Speaks about the SQL Slammer infecting some electric system controls. This is mentioned in the SecurityFocus article.

From your quote of that letter:

On January 25, 2003 the SQL Slammer Worm was released by an unknown source. The worm significantly disrupted many Internet services for several hours. It also adversely affected the bulk electric system controls of two entities for several hours. These events have been studied in detail. No unintentional control actions and nor service interruptions occurred due to these events; however, both entities lost their ability to execute bulk electric system control from their primary control centers for several hours.


However, the report above about the situation at Davis-Besse sounds a bit more serious than the NERC letter makes it out to be.

JM Donating Member (1000+ posts) Wed Aug-20-03 10:20 AM
Original message
These guys are $#(%$(^&% amazing.
I have 28 customers running SQL Server, and I tell them to run the latest service pack when one is available.

SQL Slammer is a nuisance only because people run SQL without a password on the master account.

The idiots probably ran SQL 7 or SQL 2000 out of the box with no password, or else they have a vendor that told them to run third party software without the password on the master account.

And deregulating the power industry will help this HOW!?!?!?!?!

I would be willing to bet they got nailed with msblast and it crashed a box running at least their alarm system.

Later,
JM

ArkDem Donating Member (1000+ posts) Wed Aug-20-03 11:15 AM
Response to Original message
5. Reporters writing about IT issues are always good for
a few laughs. They don't have the intelligence to understand the problem.

SharonAnn Donating Member (1000+ posts) Wed Aug-20-03 11:49 AM
Response to Reply #5
9. I think you mean knowledge, not intelligence, they're different
Reporters may be intelligent but simply not have the knowledge, training or experience to write a correct article on IT issues.

OTOH, I can write a technically correct article but frankly, my writing style is very boring. Fact A, Fact B, Fact C, Analysis process, Conclusion. Article finished - audience asleep.

htuttle Donating Member (1000+ posts) Wed Aug-20-03 12:13 PM
Response to Reply #5
11. Do you mean the SecurityFocus reporter?
SecurityFocus is pretty heavily read by IT security people. I know a fair number of people in IT security, and SecurityFocus is one of their regular 'morning reads'.

It's probably more 'credible' than The Register (of course, The Register has a far more wicked sense of humor, is less technical than SF, ....and more entertaining, of course).

alcuno Donating Member (1000+ posts) Wed Aug-20-03 11:56 AM
Response to Original message
10. It's amazing.
I have no idea what you are talking about and that probably qualifies me to run First Energy.

disgruntella Donating Member (983 posts) Wed Aug-20-03 10:20 AM
Response to Original message
3. some more info on slammer
(I couldn't remember exactly which of the MS virii this was)
http://www.cert.org/advisories/CA-2003-04.html

Pretty spooky. As a sysadmin I know it can be hard to keep up with security patches sometimes, but knowing that such critical facilities depend on MS Windows Servers does *not* inspire my confidence...

pansypoo53219 Donating Member (1000+ posts) Wed Aug-20-03 10:50 AM
Response to Original message
4. thank God
no varmints were toasted.

scipan Donating Member (374 posts) Wed Aug-20-03 11:43 AM
Response to Original message
6. weakest link
It shows once again that a system is only as secure as its weakest link.

Just think what could happen if a worm was actually programmed to do damage to some power plant, or the grid.

Robin Hood Donating Member (1000+ posts) Wed Aug-20-03 11:46 AM
Response to Reply #6
7. I would assume that it would be
lights out, and core melt down.. Gulp... Yet another reason not to go nuclear.

Generic Other Donating Member (1000+ posts) Wed Aug-20-03 11:47 AM
Response to Original message
8. And just the other day people were calling me hysterical
Like I said, the world will end in a domino chain reaction set off by nothing.

When a butterfly flutters its wings in North America, it results in a hurricane in China....

How many more of these sort of "glitches" before there's a real crisis?

htuttle Donating Member (1000+ posts) Wed Aug-20-03 01:43 PM
Response to Original message
12. Kick for the afternoon...
:kick:

...since we were all just talking about this the other day...

Kolesar Donating Member (1000+ posts) Wed Aug-20-03 02:22 PM
Response to Original message
13. There was no risk of an unsafe condition here
Read the second paragraph:
The breach did not pose a safety hazard. The troubled plant had been offline since February, 2002, when workers discovered a 6-by-5-inch hole in the plant's reactor head. Moreover, the monitoring system, called a Safety Parameter Display System, had a redundant analog backup that was unaffected by the worm. But at least one expert says the case illustrates a growing cybersecurity problem in the nuclear power industry, where interconnection between plant and corporate networks is becoming more common, and is permitted by federal safety regulations.

...snip....
Currently, U.S. nuclear plants generally have digital systems monitoring critical plant operations, but not controlling them, said the expert. But if an intruder could tamper with monitoring systems like Davis-Besse's SPDS, which operators are accustomed to trusting, that could increase the risk of an accident.

htuttle Donating Member (1000+ posts) Wed Aug-20-03 06:37 PM
Response to Reply #13
14. That isn't actually the issue
Edited on Wed Aug-20-03 06:39 PM by htuttle
What is outrageous is the laxity with which they approached their network security. There was a 4 lane unprotected expressway past the firewall into their network.

The same company owned the transmission systems that started the cascade failure as owned this reactor. Power transmission systems are computerized, and can be disrupted via computer controls.

Since a nasty worm was in 'bloom' at the same time as the blackout happened, and the network connected to the failed systems was known to be vulnerable to the worm, and several industry engineers have stated that 'something failed' in the control systems (as to why the cascade grew), I think this bears closer examination.

(on edit: missing conjunction)