Did Blaster bring down the US grid?
Published: 10 Dec 2003 15:40 GMT
Unfortunately, the report doesn't directly address the Blaster worm and its effects on FirstEnergy's computers. The closest I could find is this paragraph, on page 99: "Although there were a number of worms and viruses impacting the Internet and Internet connected systems and networks in North America before and during the outage, the SWG's preliminary analysis provides no indication that worm/virus activity had a significant effect on the power generation and delivery systems. Further SWG analysis will test this finding."
Why the tortured prose? The writers take pains to assure us that "the power generation and delivery systems" were not affected by Blaster. But what about the alarm systems? Clearly they were all affected by something, and all at the same time.
Let's be fair. I don't know that Blaster caused the blackout. The report doesn't say that Blaster caused the blackout. Conventional wisdom is that Blaster did not cause the blackout. But it's certainly possible that Blaster contributed to the blackout. The primary and backup computers that hosted the alarm systems failed at the same time Blaster was attacking Windows computers on the Internet. What operating system were the alarm computers running? Were they on the Internet? It would be interesting to know the answers to these questions.
And regardless of the answer, there's a very important moral here. As networked computers infiltrate more and more of our critical infrastructure, that infrastructure is vulnerable not only to attacks but also to sloppy software and sloppy operations. And these vulnerabilities are not the obvious ones.
The computers that directly control the power grid are well protected. It's the peripheral systems that are less protected and more likely to be vulnerable. And a direct attack is unlikely to cause our infrastructure to fail, because the connections are too complex and too obscure. It's only by accident -- Blaster affecting systems at just the wrong time, allowing a minor failure to become a major one -- that these massive failures occur.
Earlier this year, the worm knocked out 911 telephone service in Portland. More recently, the Nachi worm disabled ATMs made by Diebold. As commercial operating systems become more commonplace in critical systems, this sort of thing will become more common.
Bruce Schneier is one of the world's foremost security experts. His latest book, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, has just been published.






