More on worms and electricity…

19 08 2003

Seems like I missed a follow-up to the article I wrote about last Sunday: The guys at Heise found out that back in January the primary control system of some US power plants had already suffered downtime caused by a W32.Slammer attack. This is described in a letter by Charles E. Noble, chair of the Critical Infrastructure Protection Advisory Group (CIPAG) at the North American Electric Reliability Council (NERC), who works for ISO New England.

In his letter he asks the ballot body to approve a draft called “Urgent Action – Cyber Security”. More interesting than the document itself is his rationale for its importance. In his letter he writes:

On January 25, 2003 the SQL Slammer Worm was released by an unknown source. The worm significantly disrupted many Internet services for several hours. It also adversely affected the bulk electric system controls of two entities for several hours. These events have been studied in detail. No unintentional control actions nor service interruptions occurred due to these events; however, both entities lost their ability to execute bulk electric system control from their primary control centers for several hours. Those who have studied these incidents believe that at least one would have been prevented had these actions set forth in the proposed standard been taken.

[...]

I believe the consequences of the Slammer Worm incident in January 2002 effectively point to the potential risk to the electric industry of inadequate cyber security. It is also clear that some electricity sector organizations have not sufficiently secured their cyber assets, particularly assets that may be critical to the support of reliable electric system operations.

Even today, nobody knows exactly why the lights went out last Thursday. It seems like it all started when some power grids in Ohio went down. But why could that outage take down the whole area when there should be a system in place to prevent such snowball effects? In other words:

But what about this argument the alarms didn’t work? I mean, to some, it may sound like “the dog ate my homework.”

Slammer obviously took down exactly such a control network in January. In 2001 the CERT/CC cautioned the visitors of their workshops about the vulnerability of the US power supply system (and especially SCADA) to viruses and worms. But shortly after the incident last week (they had hardly any time to inspect all involved systems at National Grid USA by then) CERT/CC reported that there was no evidence that the downtime could have been caused by a Windows worm.

Let’s see what the investigations initiated by the “personally embarrassed” NERC CEO Michehl R. Gent will reveal…

