IT Links to Blackout Investigated

Feds search system logs for signs of sabotage

WASHINGTON -- Federal and private-sector officials last week said they still can't rule out cybersabotage or IT-based failures as the cause of the Aug. 14 blackout.

Although no clear-cut evidence has been found to suggest that the blackout was the result of anything other than an internal technical failure, the FBI's Joint Terrorism Task Forces have been working with the U.S. Department of Homeland Security and the private sector since the blackout to search system logs of critical utility control computers for evidence of intentional insider abuse or outside intrusions.

"All eight FBI field offices that were affected and all of the Joint Terrorism Task Forces were convened immediately on Aug. 14 to investigate the potential for terrorist involvement in the blackout," said Larry Mefford, executive assistant director for counterterrorism at the FBI, speaking Sept. 4 at a hearing of the House Select Committee on Homeland Security.

"Our JTTFs are looking at the issue from various perspectives. One is the external threat to see if we have signs of actual sabotage. We have not yet found any evidence of that," said Mefford.

"In addition, we're very concerned about the insider threat, somebody who would have access to critical systems from a physical standpoint, a sabotage standpoint and a computer intrusion standpoint," Mefford added. "We have not yet seen evidence of that, but this is [a] preliminary assessment. We are reviewing the computer logs for evidence of that type of activity."

Congress has also turned up the heat on both the government and the private sector to deliver answers on whether a cybersecurity failure in one or more systems could have contributed to the blackout, especially since the power failure occurred at the height of the Blaster worm outbreak.

Government and industry experts speaking unofficially with Computerworld have linked Blaster to the severity of the blackout, since on the day of the blackout Blaster affected the communications networks used to manage the power grid . But the degree to which the hampered flow of data over those networks might have contributed to the blackout is still unclear.

According to a transcript released by the House Energy and Commerce Committee that detailed telephone calls made between FirstEnergy Corp. and the Midwest regional power grid operator just hours before the blackout, a control room operator at FirstEnergy complained that the Akron, Ohio-based company had "no clue" what was happening because of unspecified computer problems.

"Our computer is giving us fits," the operator said. "We don't even know the status of some of the stuff around us."

Responding to accusations that his company may have triggered the cascading failure, H. Peter Burg, chairman and CEO of FirstEnergy, said at a Sept. 4 hearing of the House Energy and Commerce Committee that events on FirstEnergy's system "in and of themselves could not account for the widespread nature of the outage."

But Burg did say that FirstEnergy experienced problems with its Energy Management System on Aug. 14. That system includes file servers, process-control servers and workstations that capture data from supervisory control and data acquisition systems, which are widely used to manage large industrial operations.

"We are still evaluating the functionality of that system that was available to our dispatchers during this time frame," Burg said.

Computerworld requested an interview with FirstEnergy CIO Ali Jamshidi to explain what types of problems the company's computer systems were experiencing Aug. 14. However, a company spokesperson said FirstEnergy wouldn't make any IT personnel available for interviews until the investigation into those problems is completed.

Meanwhile, Michehl Gent, president of the North American Electric Reliability Council, who also spoke at the Sept. 4 Energy and Commerce hearing, said initial analysis of data taken from the system logs of the various utilities involved in the blackout shows that the IT infrastructure at various points throughout the regional grid wasn't recording critical events properly.

"Each event, which might be a relay or circuit-breaker operation or an electrical fault, is time-stamped as it occurs," said Gent. "Many of these time stamps were not accurate because the computers that recorded the information became backlogged or the clocks from which the time stamps were derived had not been calibrated to the national time standard."

In a related development, Rep. Edward J. Markey (D-Mass.), a senior member of both the House Energy and Commerce Committee and the Homeland Security Committee, sent a letter on Aug. 22 to the U.S. Nuclear Regulatory Commission requesting information on the effect the January outbreak of the Slammer worm had on the systems that control FirstEnergy's Davis-Besse nuclear power plant.

"It may be too soon to know whether the Blaster worm was involved in [the Aug. 14] blackout," wrote Markey. "However, it is clear that cybersecurity was deeply flawed at the Davis-Besse nuclear reactor just a few months before the blackout occurred."

Copyright © 2003 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
 
Shop Tech Products at Amazon