[Dshield] CNN 'Explores Possibility that Power Outage is Related to Internet Worm'

Johannes B. Ullrich jullrich at sans.org
Fri Aug 15 14:30:22 GMT 2003


This message was converted from multipart/signed to ascii armored
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable


> > Interesting but I don't see how an worm of this magnitude
>  (smaller than that of Slammer/Sapphire and others) could 
> influence DCS and SCADA systems around the US, particularly 
> just in the North East.

Sometimes its not size that matters. This could be just the
fact of a number of things happening at the same time for
unrelated reasons. Just HYPOTHETICAL scenarios:

- due to temperatures, power demand is high (but not 
  high to cause concerns by itself. Just there is no power
  to spare).

- Lightning hits large power station and shuts it down.
  Not a big deal by itself. Even under high load, the 
  system is able to handle that.

- Control command to request power rerouting goes out.

- Control command uses a proprietary TCP/IP application.
  it happens to use port 135. Port 135 is now blocked at
  some random ISP interconnect. 

- As a result, the power rerouting never happens. The
  grid around the original failure is doing down. 

- as a result of this outage, power is now drawn from 
  other parts of the grid. But they never received the
  command to increase production, so they collapse as
  well.

Sometimes its not all that obvious in a complex system like
this. The effects can be very convoluted. Something to 
keep in mind as you try to design your own 'disaster recovery
plan'. E.g:

- overallocation of people. Is the person that you count
  on to supervise the building evacuation a volunteer
  firefighter? Maybe he won't be around if there is a fire.

- Are your hubs connected to a UPS, and not just the servers?

(there are probably a lot more, better examples).



-- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt

-------BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQA/PO59R1p7hYJvB/wRAmvHAJwOQEoht5M9PMMNs4h0xG4Zn9ZnqwCfSjAW
qkwT6p2ZkI+/3HLa5n5HCx8»i
-----END PGP SIGNATURE-----

--
SHA1



More information about the list mailing list