ML032370476
| ML032370476 | |
| Person / Time | |
|---|---|
| Site: | Davis Besse |
| Issue date: | 08/22/2003 |
| From: | Markey E US Congress, US HR (House of Representatives) |
| To: | Diaz N NRC/Chairman |
| References | |
| FOIA/PA-2003-0399, G20030501, LTR-03-0548 | |
| Download: ML032370476 (5) | |
Text
EDO Principal Correspondence Control

FROM: Rep. Edward J. Markey
DUE: 09/04/03
EDO CONTROL: G20030501
DOC DT: 08/22/03
FINAL REPLY:

Chairman Diaz

FOR SIGNATURE OF:

Concerns Press Report that in January a Computer Virus Penetrated a Private Computer Network at First Energy's Davis Besse Nuclear Power Plant

DATE: 08/22/03
ROUTING: Travers; Paperiello; Kane; Norry; Collins; Dean; Burns/Cyr; Caldwell, RIII; Borchardt, NRR; Merschoff, CIO
ASSIGNED TO: NSIR
CONTACT: Zimmerman
SPECIAL INSTRUCTIONS OR REMARKS: Coordinate with RIII and NRR.
OFFICE OF THE SECRETARY CORRESPONDENCE CONTROL TICKET

Date Printed: Aug 22, 2003 13:13
PAPER NUMBER: LTR-03-0548
ACTION OFFICE: EDO
LOGGING DATE: 08/22/2003
AUTHOR: Edward Markey
AFFILIATION: REP
ADDRESSEE: Nils Diaz
SUBJECT: Concerns press reports that in January a computer virus was able to penetrate a private computer network at First Energy's Davis Besse nuclear power plant
ACTION: Signature of Chairman
DISTRIBUTION: Chairman, Comrs, RF, OCA to Ack
LETTER DATE: 08/22/2003
ACKNOWLEDGED: No
SPECIAL HANDLING: Commission Correspondence
NOTES:
FILE LOCATION: Adams
DATE DUE: 09/08/2003
DATE SIGNED:
EDO -- G20030501
EDWARD J. MARKEY, 7th District, Massachusetts
2108 Rayburn House Office Building, Washington, DC
Congress of the United States, Washington, DC 20515-2107
Committees: Energy and Commerce; Subcommittee on Telecommunications and the Internet; Homeland Security; Resources Committee
District offices: High Street, Suite 101; Concord Street, Suite 102
August 22, 2003

The Honorable Nils J. Diaz
Chairman
Nuclear Regulatory Commission
Washington, D.C. 20555

Dear Mr. Chairman:
I am writing to request more information regarding press reports that in January 2003, a computer virus was able to penetrate a private computer network at First Energy's Davis-Besse nuclear power plant in Ohio. The reports indicate that the virus, known as the 'Slammer' worm, disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall. Several other press reports have speculated that First Energy's power plants and/or [illegible] and distribution infrastructure may be somehow implicated in the events that led to last week's blackout. I am concerned that cyber-security flaws at Davis-Besse, along with other potential such flaws at other nuclear power plants in Ohio, may have rendered the system vulnerable to more recent viruses such as the 'Blaster' worm, which was at its peak activity levels at precisely the same time that the blackout occurred.
The August 19, 2003 issue of SecurityFocus News¹ reported that in January, the Slammer worm entered the Davis-Besse plant by penetrating the unsecured network of an [illegible] contractor, and then proceeded through a T1 line that bridged that network and Davis-Besse's corporate network. The T1 line turned out to be one of several that completely bypassed the company's firewall. The Slammer worm² was reported to be the fastest spreading computer worm in history, infecting more than 90% of vulnerable hosts within 10 minutes and causing network outages, cancelled flights, [illegible]
According to the SecurityFocus News report, by 9 AM on January 25 (the time Slammer began to infect computers around the world) [illegible] noticed slow performance on Davis-Besse's business network. The worm then spread to the plant network where workers had not installed the Microsoft security patch made available 6 months earlier. By 4 PM, nuclear power plant workers noticed a slowdown on the plant network. At 4:50 PM, the congestion created by the worm crashed the plant's computerized display panel (the Safety Parameter Display System, or SPDS), and at 5:13 PM, the Plant Process Computer (PPC) crashed. While both systems had redundant analog backups, a March 2003 advisory distributed by the nuclear industry reportedly stated that "the unavailability of SPDS and PPC was burdensome to the operators." It took 4 hours and 50 minutes to restore the SPDS and 6 hours and 9 minutes to restore the PPC.

¹ See http://www.securityfocus.com/news/6767
² See http://www.cs.berkeley.edu/~nweaver/sapphire/
This press report also drew from other reports from the North American Electric Reliability Council to detail other cyber-security matters that could be relevant to last week's blackout:
The Slammer worm also cut one utility's critical Supervisory Control and Data Acquisition Network (SCADA, used to monitor substation characteristics, such as kilowatt-hour use and voltage and amperage readings. Utilities can also track electric use in homes and businesses through automated meter reading units placed in strategic parts of the network).
The Slammer worm also blocked another company's SCADA traffic because it relied on bandwidth leased from a telecommunications company that was affected by the worm.
It may be too soon to know whether the Blaster worm was involved in last week's blackout. However, it is clear that cyber-security was deeply flawed at the Davis-Besse nuclear reactor just a few months before the blackout occurred. Consequently, I ask for your prompt assistance in responding to the following questions:
- 1) What proposals has the NRC made to strengthen its cyber-security regulations since September 11, 2001? If no such changes were made, why not?
- 2) Was First Energy in violation of NRC's cyber-security regulations when the Davis-Besse plant was penetrated by the Slammer worm? If so, what penalty did the NRC impose?
- 3) What proposals has the NRC made to strengthen its cyber-security regulations since the Slammer worm penetrated the Davis-Besse plant in January 2003? If no such changes were made, why not, since the incident clearly highlighted a serious and exploitable problem?
- 4) Please provide copies of all cyber-security reviews the NRC has performed on individual reactors or industry-wide since September 11, 2001. If no such reviews have been performed, why not?
- 5) Has the NRC inspected the cyber-security measures taken by other nuclear reactors in order to determine whether they are in compliance with NRC regulations? If so, what was the result? If not, why not?
- 6) Does the NRC ever conduct tests of the adequacy of cyber-security at nuclear power plants? How often? How many plants have been tested, and what were the results? Do these tests consist of NRC attempts to penetrate the plants' networks in order to determine whether hackers, a virus or a cyber-terrorist could do so?
- 7) Is there any evidence that last week's blackout could have been caused by the Blaster worm or some other cyber-security flaw? If so, please provide it?
- 8) Do you believe it is possible that a cyber-attack could successfully penetrate nuclear reactor networks and result in an outage of that reactor and/or a more widespread outage? Why or why not?
Thank you very much for your attention to this important matter. Please provide your response no later than Friday, September 12, 2003. If you have any questions or concerns, please have your staff contact Dr. Michal Freedhoff or Mr. Jeff Duncan of my staff at 202-225-2836.
Sincerely,
Edward J. Markey
cc: The Honorable Spencer Abraham, Secretary, U.S. Department of Energy
cc: The Honorable Tom Ridge, Secretary, U.S. Department of Homeland Security
cc: The Honorable Pat Wood, Chairman, Federal Energy Regulatory Commission
cc: Michehl Gent, President, North American Electricity Reliability Council