IT links to blackout under scrutiny
Investigators search system logs for evidence of sabotage
Computerworld - WASHINGTON -- Federal and private-sector officials this week said they still can't rule out cybersabotage or IT-based failures as the cause of the Aug. 14 blackout.
Although no clear evidence has been found to suggest that the blackout was the result of anything other than an internal technical failure, the FBI's Joint Terrorism Task Forces have been working with the U.S. Department of Homeland Security and the private sector since the blackout to search system logs of critical utility control computers for evidence of insider abuse or outside intrusions.
"All eight FBI field offices that were affected and all of the Joint Terrorism Task Forces were convened immediately on Aug. 14 to investigate the potential for terrorist involvement in the blackout," said Larry Mefford, executive assistant director for counterterrorism at the FBI, speaking yesterday at a hearing of the House Select Committee on Homeland Security.
"Our JTTFs are looking at the issue from various perspectives. One is the external threat to see if we have signs of actual sabotage. We have not yet found any evidence of that," said Mefford.
"In addition, we're very concerned about the insider threat -- somebody who would have access to critical systems from a physical standpoint, a sabotage standpoint and a computer-intrusion standpoint," Mefford said. "We have not yet seen evidence of that, but this is [a] preliminary assessment. We are reviewing the computer logs for evidence of that type of activity."
Congress has also turned up the heat on both the government and the private sector to deliver answers on whether a cybersecurity failure in one or more systems could have contributed to the blackout, especially since the power failure occurred at the height of the Blaster worm outbreak.
Government and industry experts speaking unofficially with Computerworld have linked Blaster to the severity of the blackout, since on the day of the blackout Blaster affected the communications networks used to manage the power grid. But the degree to which the hampered flow of data over those networks might have contributed to the blackout is still unclear.
According to a transcript released by the House Energy and Commerce Committee that detailed telephone calls made between FirstEnergy Corp. and the Midwest regional power grid operator only hours before the blackout was triggered, a control room operator at FirstEnergy complained that the Akron, Ohio-based company had "no clue" what was happening because of unspecified computer problems.
"Our computer is giving us fits too," the operator said. "We don't even know the status of some of the stuff around us."
Responding to accusations that his company may have triggered the cascading failure, H. Peter Burg, chairman and CEO of FirstEnergy, said yesterday at a hearing of the House Energy and Commerce Committee that events on FirstEnergy's system "in and of themselves could not account for the widespread nature of the outage."
However, Burg acknowledged that FirstEnergy did experience problems with its Energy Management System on Aug. 14. The system includes file servers, process-control servers and workstations that capture data from supervisory control and data acquisition systems, which are used to manage large industrial operations.
"We are still evaluating the functionality of that system that was available to our dispatchers during this time frame," Burg said.
Computerworld requested an interview with FirstEnergy CIO Ali Jamshidi to explain what types of problems the company's computer systems were experiencing on the day of the blackout. However, a company spokesperson said FirstEnergy wouldn't be making any IT personnel available for interviews until the investigation into those problems is completed.
Joseph L. Welch, chairman of International Transmission Co. in Michigan, told Congress that the systems that failed were those underlying communication.
"There are three electronic systems through which control-area operators and security coordinators communicate system status, convey warnings, etc.," said Welch. "I asked my staff and operators to determine what information was conveyed via that route. They informed me that there were no records or reports of the line outages which were so critical to this event.
"Without such information, there is no way for control-area operators or security coordinators to take actions necessary to mitigate problems, especially those events in other systems which could affect our system," Welch said.
Meanwhile, Michehl Gent, president of the North American Electric Reliability Council in Princeton, N.J., who also spoke at the Energy and Commerce hearing, said initial analysis of data taken from the system logs of the various utilities involved in the blackout shows that the IT infrastructure at various points throughout the regional grid wasn't recording critical events properly.
"Each event, which might be a relay or circuit-breaker operation or an electrical fault, is time-stamped as it occurs," said Gent. "We discovered that many of these time stamps were not accurate because the computers that recorded the information became backlogged or the clocks from which the time stamps were derived had not been calibrated to the national time standard."
In a related development, Rep. Edward J. Markey (D-Mass.), a senior member of both the House Energy and Commerce Committee and the Homeland Security Committee, sent a letter on Aug. 22 to the U.S. Nuclear Regulatory Commission requesting detailed information on the effect the January outbreak of the Slammer worm had on the systems that control FirstEnergy's Davis-Besse nuclear power plant in Oak Harbor, Ohio.
"It may be too soon to know whether the Blaster worm was involved in [the Aug. 14] blackout," wrote Markey. "However, it is clear that cybersecurity was deeply flawed at the Davis-Besse nuclear reactor just a few months before the blackout occurred."