[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm'

To: bugtraq@securityfocus.com
Subject: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm'
From: "Bernie, CTA" <cta@hcsin.net>
Date: Fri, 15 Aug 2003 14:09:12 -0400

It is ridiculous to accept that a lightning strike could knock 
out the grid, or the transmission system is over stressed. There 
are many redundant fault, limit and Voltage-Surge Protection 
safeguards and related instrumentation and switchgear installed 
at the distribution centers and sub stations along the Power 
Grid that would have tripped to prevent or otherwise divert such 
a major outage. 

I believe that the outage was caused by the MSblaster, or its 
mutation, which was besieged upon the respective vulnerability 
in certain control and monitoring systems (SCADA and otherwise) 
running MS 2000 or XP, located different points along the Grid. 
Some of these systems are accessible via the Internet, while 
others are accessible by POTS dialup, or private Frame relay and 
dedicated connectivity.

Being an old PLC automation and control hack let me say that 
there is a very good plausibility that the recent East Coast 
power outage was due to an attack by an MBlaster variant on the 
SCADA system at the power plant master terminal, or more likely 
at several of the remote terminal units "RTU".  SCADA runs under 
Win2000 / XP and the telemetry to the RTU is accessible via the 
Internet.

>From what I recall SCADA based monitoring and control systems 
were installed at many water / sewer processing, gas and oil 
processing, and hydro-electric plants. 

I also believe that yesterdays flooding of a generator sub-
facility in Philadelphia was also due to an MBlaster variant 
attack on the SCADA or similarly Win 2000 / XP based system.  

To make things worst, the Web Interface is MS ActiveX. Now lets 
see, how can one craft an ActiveX vuln vector into the blaster?

Oh, and for the wardrivers, SCADA can be access via wireless 
connections on the road… puts a new perspective on sniffing 
around sewer plants.

It is also reasonable to assume that we could have a similar 
security threat regarding those system (SCADA and otherwise 
based on MS 2000 or XP) involved in the control, data 
acquisition, and maintenance of other critical infrastructure, 
such as inter/intra state GAS Distribution, Nuclear Plant 
Monitoring, Water and Sewer Processing, and city Traffic 
Control. IMO

I think we will see a lot of finger pointing by government 
agencies, Utilities, and politicians for the Grid outage, until 
someone confess to the security dilemma and vulnerabilities in 
the systems which are involved in running this critical 
infrastructure.

Regardless of whether the Grid outage can be attributed to the 
blaster or its variant, this is not entirely a Microsoft 
problem, as it reeks of poor System Security Engineering 
practiced by the Utility Companies, and associated equipment and 
technology suppliers.

Nonetheless, the incident will cause lots of money to be 
earmarked by the US and Canadian Governments, to be spent in an 
attempt to solve the problem, or more specifically calm the 
public. 

This incident should be fully investigated, and regulations 
passed to ensure that the Utility companies and their suppliers 
develop and implement proper safeguards that will help prevent 
or at least significantly mitigate the effects of such a 
catastrophe. 

Conversely, I do not want to see our Government directly 
involved in yet another "business", which has such a controlling 
impact over our individual lives. 

-

On 14 Aug 2003 at 15:18, Geoff Shively wrote:

> Just flipped on CNN, watching the masses snake through the
> streets of Manhattan as correspondents state that this could be
> an affect of the blaster worm.
> 
> Interesting but I don't see how an worm of this magnitude
> (smaller than that of Slammer/Sapphire and others) could
> influence DCS and SCADA systems around the US, particularly just
> in the North East.
> 
> Thoughts?
> 
> 
> Cheers,
> 
> Geoff Shively, CHO
> PivX Solutions, LLC
> 
-
****************************************************
Bernie 
Chief Technology Architect
Chief Security Officer
cta@hcsin.net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************

Follow-Ups:
- Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm'
  - From: "Geoff Shively" <gshively@pivx.com>

References:
- CNN: 'Explores Possibility that Power Outage is Related to Internet Worm'
  - From: "Geoff Shively" <gshively@pivx.com>

Prev by Date: Re: PointGuard: It's not the Size of the Buffer, it's the Addressof the Pointer
Next by Date: Re: Need help. Proof of concept 100% security.
Prev by thread: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm'
Next by thread: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm'
Index(es):
- Date
- Thread