[Dshield] CNN 'Explores Possibility that Power Outage is Related to Internet Worm'
Johannes B. Ullrich
jullrich at sans.org
Fri Aug 15 14:30:22 GMT 2003
This message was converted from multipart/signed to ascii armored
-----BEGIN PGP SIGNED MESSAGE-----
> Interesting but I don't see how a worm of this magnitude
> (smaller than that of Slammer/Sapphire and others) could
> influence DCS and SCADA systems around the US, particularly
> just in the North East.
Sometimes it's not size that matters. This could be just the
fact of a number of things happening at the same time for
unrelated reasons. Just HYPOTHETICAL scenarios:
- due to temperatures, power demand is high (but not
high to cause concerns by itself. Just there is no power
- Lightning hits large power station and shuts it down.
Not a big deal by itself. Even under high load, the
system is able to handle that.
- Control command to request power rerouting goes out.
- Control command uses a proprietary TCP/IP application.
It happens to use port 135. Port 135 is now blocked at
some random ISP interconnect.
- As a result, the power rerouting never happens. The
grid around the original failure is going down.
- as a result of this outage, power is now drawn from
other parts of the grid. But they never received the
command to increase production, so they collapse as
Sometimes it's not all that obvious in a complex system like
this. The effects can be very convoluted. Something to
keep in mind as you try to design your own 'disaster recovery
- overallocation of people. Is the person that you count
on to supervise the building evacuation a volunteer
firefighter? Maybe he won't be around if there is a fire.
- Are your hubs connected to a UPS, and not just the servers?
(there are probably a lot more, better examples).
SANS - Internet Storm Center
PGP Key: http://isc.sans.org/jullrich.txt
-------BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----