[Dshield] power outages all across North Eastern US

Jon R. Kibler Jon.Kibler at aset.com
Fri Aug 15 01:23:14 GMT 2003

Geoff Shively wrote:
> Any SCADA or DCS techs or system architects on dshield... thoughts?

It has been about 4 years since I have done any serious SCADA work, and I really haven't kept up with the latest. However, back then, most of the SCADA systems either had their own custom O/S, one of the Real-Time O/Ses (usually UNIX-based), some larger ones were based on Solaris or HP-UX, and some low-end ones were basically glorified PLCs (programmable logic controllers).

I would not be surprised if some have not adopted Windows/CE -- or whatever they call it these days -- (was it vulnerable?) or some variant thereof. Also, many of the systems did have DOS or Windows-based MMIs.

I think Kenneth Coney is probably onto the most likely scenario, when he said "... more often accessed remotely by technicians using a company supplied laptop", if indeed this is a worm-initiated failure. If someone's laptop got infected, then was used to access a secure internal network... need I say more? (Worse, a lot of companies are outsourcing their SCADA, DCS, and PLC work to specialty shops whose technicians carry a laptop from place to place. In addition to the infection problem, a dishonest contractor could be stealing all sorts of highly confidential intellectual property without anyone being aware that the theft occurred or being able in any way to trace such a theft.)

The other problem, and I think in this case a less likely worm-related scenario, is that to reduce infrastructure costs, many utilities have started using the Internet instead of dedicated telco or microwave links between control rooms and remote facilities. If the Internet had been the source of the problem, I think we would have seen a failure REAL EARLY into this worm.

Bottom line: I seriously doubt that this worm is the cause of the power outage. However, I have to admit that when I first heard about it on NPR, the worm was the first thing that entered my mind -- even before terrorism -- as the cause. At one level, it is almost too much of a coincidence, the timing of the failure and the presence of the worm.

I guess only time will tell.

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA

