
IT links to blackout under scrutiny

Investigators search system logs for evidence of sabotage

By Dan Verton
September 5, 2003 12:00 PM ET

Computerworld - WASHINGTON -- Federal and private-sector officials this week said they still can't rule out cybersabotage or IT-based failures as the cause of the Aug. 14 blackout.
Although no clear evidence has been found to suggest that the blackout was the result of anything other than an internal technical failure, the FBI's Joint Terrorism Task Forces have been working with the U.S. Department of Homeland Security and the private sector since the blackout to search system logs of critical utility control computers for evidence of insider abuse or outside intrusions.
"All eight FBI field offices that were affected and all of the Joint Terrorism Task Forces were convened immediately on Aug. 14 to investigate the potential for terrorist involvement in the blackout," said Larry Mefford, executive assistant director for counterterrorism at the FBI, speaking yesterday at a hearing of the House Select Committee on Homeland Security.
"Our JTTFs are looking at the issue from various perspectives. One is the external threat to see if we have signs of actual sabotage. We have not yet found any evidence of that," said Mefford.
"In addition, we're very concerned about the insider threat -- somebody who would have access to critical systems from a physical standpoint, a sabotage standpoint and a computer-intrusion standpoint," Mefford said. "We have not yet seen evidence of that, but this is [a] preliminary assessment. We are reviewing the computer logs for evidence of that type of activity."
Congress has also turned up the heat on both the government and the private sector to deliver answers on whether a cybersecurity failure in one or more systems could have contributed to the blackout, especially since the power failure occurred at the height of the Blaster worm outbreak.
Government and industry experts speaking unofficially with Computerworld have linked Blaster to the severity of the blackout, since on the day of the blackout Blaster affected the communications networks used to manage the power grid (see story). But the degree to which the hampered flow of data over those networks might have contributed to the blackout is still unclear.
According to a transcript released by the House Energy and Commerce Committee that detailed telephone calls made between FirstEnergy Corp. and the Midwest regional power grid operator only hours before the blackout was triggered, a control room operator at FirstEnergy complained that the Akron, Ohio-based company had "no clue" what was happening because of unspecified computer problems.
"Our computer is giving us fits too," the operator said. "We don't even know the status of some of the stuff around us."
Responding to accusations that his company may have triggered the cascading failure, H. Peter Burg, chairman and CEO of FirstEnergy, said yesterday at a hearing of the House Energy and Commerce Committee that events on FirstEnergy's system "in and of themselves could not account for the widespread nature of the outage."
However, Burg acknowledged that FirstEnergy did experience problems with its Energy Management System on Aug. 14. The system includes file servers, process-control servers and workstations that capture data from supervisory control and data acquisition systems, which are used to manage large industrial operations.
"We are still evaluating the functionality of that system that was available to our dispatchers during this time frame," Burg said.
Computerworld requested an interview with FirstEnergy CIO Ali Jamshidi to explain what types of problems the company's computer systems were experiencing on the day of the blackout. However, a company spokesperson said FirstEnergy wouldn't be making any IT personnel available for interviews until the investigation into what those problems were is completed.
Joseph L. Welch, chairman of International Transmission Co. in Michigan, told Congress that the systems that failed were those underlying communication.
"There are three electronic systems through which control-area operators and security coordinators communicate system status, convey warnings, etc.," said Welch. "I asked my staff and operators to determine what information was conveyed via that route. They informed me that there were no records or reports of the line outages which were so critical to this event.
"Without such information, there is no way for control-area operators or security coordinators to take actions necessary to mitigate problems, especially those events in other systems which could affect our system," Welch said.
Meanwhile, Michehl Gent, president of the North American Electric Reliability Council in Princeton, N.J., who also spoke at the Energy and Commerce hearing, said initial analysis of data taken from the system logs of the various utilities involved in the blackout shows that the IT infrastructure at various points throughout the regional grid wasn't recording critical events properly.
"Each event, which might be a relay or circuit-breaker operation or an electrical fault, is time-stamped as it occurs," said Gent. "We discovered that many of these time stamps were not accurate because the computers that recorded the information became backlogged or the clocks from which the time stamps were derived had not been calibrated to the national time standard."
In a related development, Rep. Edward J. Markey (D-Mass.), a senior member of both the House Energy and Commerce Committee and the Homeland Security Committee, sent a letter on Aug. 22 to the U.S. Nuclear Regulatory Commission requesting detailed information on the effect the January outbreak of the Slammer worm had on the systems that control FirstEnergy's Davis-Besse nuclear power plant in Oak Harbor, Ohio.
"It may be too soon to know whether the Blaster worm was involved in [the Aug. 14] blackout," wrote Markey. "However, it is clear that cybersecurity was deeply flawed at the Davis-Besse nuclear reactor just a few months before the blackout occurred."


