[Dshield] CNN 'Explores Possibility that Power Outage is Related to Internet Worm'

Dragos Ruiu dr at kyx.net
Fri Aug 15 21:40:57 GMT 2003

On August 15, 2003 02:27 pm, Geoff Shively wrote:
> On the contrary,
> SCADA is accessed by Remote Terminal Units "RTU's".  SCADA runs under
> Win2000 / XP and the telemetry to the RTU is accessible via the Internet.
> We know that SCADA and DCS systems are supplied by one of 5 major vendors
> and these systems are advertised on the vendors' websites to run Microsoft
> Windows versions 95, 2000 and NT. Also advertised is DCOM and RPC support
> within these systems, RPC/DCOM recently became famous as the Lovsan/Blaster
> worm exploited this protocol to spread across the internet. With this said
> it is likely that an infected system infected a SCADA or DCS, and this
> could be why we are seeing large scale outages across the country.

> > heh,
> >
> >   nice theory....
> >
> >  ... but, power routing and control doesn't happen over the internet
> > usually.
> >  It's normally still done by an engineer to engineer phone call. :-)

Yes... but in the power system SCADA is used for data collection. At least
in western Canada, YMMV but I believe this is typical of other systems.
The power routing is still done by humans flipping (really freaking big)
switches - or starting turbines or turning hydro valves. There are
lots of physical procedures and safeguards in the system too.
And people think carefully about those decisions, because the 
fines and regulatory penalties for being out of spec are measured 
in tens of thousands of dollars per minute.

You might be able to interfere with the data going into the power
NOC and fool the operators into making the wrong phone calls.
But arguably you would need to know a lot about the design of the 
system and specific procedures and policy to create an outage 
this way.


