Bugtraq mailing list archives
Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm'
From: "Geoff Shively" <gshively () pivx com>
Date: Fri, 15 Aug 2003 11:21:08 -0700
This email was originally posted to bugtraq early on in the 'crisis' but due to obvious congestion and instability issues it wasn't posted for a while.

Since this post I have done much research on SCADA, DCS, and HMI (Human Machine Interface) systems. These systems run primarily on Windows and rely on RPC for remote monitoring. If this doesn't sound like an overwhelming coincidence then I don't know what does.

[ http://216.239.37.104/search?q=cache:w7lnOBBrPxUJ:st-div.web.cern.ch/st-div/ST2001WS/Proceedings/Session42/Sollander.pdf+SCADA+Windows+RPC&hl=en&ie=UTF-8
"The data transmission layer is used to transport data from the equipment to at least one control or monitoring application. This is usually done by remote procedure calls (RPC) or a middle-ware over a TCP/IP network." - CERN ]

There has been much talk about this on DShield and Full Disclosure if anyone is interested in reading more.

Cheers,
Geoff Shively, CHO
PivX Solutions, LLC
Are You Secure?
http://www.pivx.com

----- Original Message -----
From: "Bernie, CTA" <cta () hcsin net>
To: <bugtraq () securityfocus com>
Cc: "Geoff Shively" <gshively () pivx com>
Sent: Friday, August 15, 2003 11:09 AM
Subject: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm'
It is ridiculous to accept that a lightning strike could knock out the grid, or the transmission system is over stressed. There are many redundant fault, limit and Voltage-Surge Protection safeguards and related instrumentation and switchgear installed at the distribution centers and sub stations along the Power Grid that would have tripped to prevent or otherwise divert such a major outage.

I believe that the outage was caused by the MSblaster, or its mutation, which was besieged upon the respective vulnerability in certain control and monitoring systems (SCADA and otherwise) running MS 2000 or XP, located at different points along the Grid. Some of these systems are accessible via the Internet, while others are accessible by POTS dialup, or private Frame relay and dedicated connectivity.

Being an old PLC automation and control hack let me say that there is a very good plausibility that the recent East Coast power outage was due to an attack by an MBlaster variant on the SCADA system at the power plant master terminal, or more likely at several of the remote terminal units "RTU". SCADA runs under Win2000 / XP and the telemetry to the RTU is accessible via the Internet. From what I recall SCADA based monitoring and control systems were installed at many water / sewer processing, gas and oil processing, and hydro-electric plants.

I also believe that yesterday's flooding of a generator sub-facility in Philadelphia was also due to an MBlaster variant attack on the SCADA or similarly Win 2000 / XP based system.

To make things worse, the Web Interface is MS ActiveX. Now let's see, how can one craft an ActiveX vuln vector into the blaster?

Oh, and for the wardrivers, SCADA can be accessed via wireless connections on the road. Puts a new perspective on sniffing around sewer plants.
It is also reasonable to assume that we could have a similar security threat regarding those systems (SCADA and otherwise based on MS 2000 or XP) involved in the control, data acquisition, and maintenance of other critical infrastructure, such as inter/intra state GAS Distribution, Nuclear Plant Monitoring, Water and Sewer Processing, and city Traffic Control.

IMO I think we will see a lot of finger pointing by government agencies, Utilities, and politicians for the Grid outage, until someone confesses to the security dilemma and vulnerabilities in the systems which are involved in running this critical infrastructure.

Regardless of whether the Grid outage can be attributed to the blaster or its variant, this is not entirely a Microsoft problem, as it reeks of poor System Security Engineering practiced by the Utility Companies, and associated equipment and technology suppliers.

Nonetheless, the incident will cause lots of money to be earmarked by the US and Canadian Governments, to be spent in an attempt to solve the problem, or more specifically calm the public.

This incident should be fully investigated, and regulations passed to ensure that the Utility companies and their suppliers develop and implement proper safeguards that will help prevent or at least significantly mitigate the effects of such a catastrophe.

Conversely, I do not want to see our Government directly involved in yet another "business", which has such a controlling impact over our individual lives.

On 14 Aug 2003 at 15:18, Geoff Shively wrote:

Just flipped on CNN, watching the masses snake through the streets of Manhattan as correspondents state that this could be an effect of the blaster worm. Interesting but I don't see how a worm of this magnitude (smaller than that of Slammer/Sapphire and others) could influence DCS and SCADA systems around the US, particularly just in the North East. Thoughts?
Cheers,
Geoff Shively, CHO
PivX Solutions, LLC

****************************************************
Bernie
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go
// to avoid the pure labor of honest thinking."
// Honest thought, the real business capital.
// Observe> Think> Plan> Think> Do> Think>
*******************************************************