ML032970134

G20030637/LTR-03-0695 - Rep. Markey Ltr Re Infection of Davis Besse Nuclear Plant by Slammer Worm Computer Virus - Follow-up Questions
ML032970134
Person / Time
Site: Davis Besse
Issue date: 10/20/2003
From: Markey E
US HR (House of Representatives)
To: Diaz N
NRC/Chairman
References
G20030637, LTR-03-0695
Download: ML032970134 (8)


Text

EDO Principal Correspondence Control

FROM: Representative Edward J. Markey
TO: Chairman Diaz
DUE: 11/03/03
EDO CONTROL: G20030637
DOC DT: 10/20/03
FINAL REPLY:
FOR SIGNATURE OF: Chairman Diaz
** PRI **
CRC NO: 03-0695
DESC: Infection of the Davis Besse Nuclear Plant by the "Slammer" Worm Computer Virus - Follow-up Questions
ROUTING: Travers, Norry, Paperiello, Kane, Collins, Dean, Burns/Cyr, Caldwell, RIII, Dyer, NRR
DATE: 10/22/03
ASSIGNED TO: NSIR
CONTACT: Zimmerman
SPECIAL INSTRUCTIONS OR REMARKS: Coordinate response with Region III and NRR. Ref. G20030501.


OFFICE OF THE SECRETARY CORRESPONDENCE CONTROL TICKET

Date Printed: Oct 22, 2003 09:23
PAPER NUMBER: LTR-03-0695
LOGGING DATE: 10/22/2003
ACTION OFFICE: EDO
AUTHOR: Rep. Edward Markey
AFFILIATION: REP
ADDRESSEE: Nils Diaz
SUBJECT: Request a more detailed response to previous corres about the infection of the Davis-Besse nuclear power plant by the "Slammer" worm computer virus
ACTION: Signature of Chairman
DISTRIBUTION: Chairman, Comrs, RF, OCA to Ack.
LETTER DATE: 10/20/2003
ACKNOWLEDGED: No
SPECIAL HANDLING:
NOTES: Commission Correspondence
FILE LOCATION: ADAMS
DATE DUE: 11/05/2003
DATE SIGNED:

EDO -- G20030637

EDWARD J. MARKEY
7th District, Massachusetts

2108 Rayburn House Office Building
Washington, DC 20515-2107
(202) 225-2838

Energy and Commerce Committee
  • Ranking Member, Subcommittee on Telecommunications and the Internet
Select Committee on Homeland Security
Resources Committee

5 High Street, Suite 101, Medford, MA 02155, (781) 396-2900
188 Concord Street, Suite 102, Framingham, MA 01702, (508) 976-2900

House of Representatives
Washington, DC 20515-2107

October 20, 2003

The Honorable Nils J. Diaz
Chairman
Nuclear Regulatory Commission
Washington, D.C. 20555

Dear Mr. Chairman:

Thank you for your reply to my letter of August 22, 2003 about the infection of the Davis-Besse nuclear plant by the "Slammer" worm computer virus. This incident raises a number of important nuclear safety and homeland security issues of concern to me both as a Member of the Energy and Commerce Committee and of the Homeland Security Committee. I appreciate your responses to the questions posed in my letter. Unfortunately, many of the responses appear to be vague, incomplete, or contradictory.

As you know, the Davis-Besse nuclear power plant operated by FirstEnergy Corp. in Oak Harbor, Ohio, was infected with the Slammer worm on January 25, 2003. As reported in August by SecurityFocus News, the worm disabled two computer systems at Davis-Besse for several hours. The worm's attack was successful because plant computer engineers had failed to install a security patch to the Microsoft SQL 2000 server, even though the patch had been available for six months prior to the attack.

In order to better understand the facts and circumstances surrounding this incident, the Commission's policies, regulations and oversight activities with respect to licensee cybersecurity, and related matters, I wrote to you on August 22, 2003 with a series of questions regarding this matter. Your October 2, 2003 response to my letter, while welcome, fails to answer many of my fundamental questions and concerns about the Commission's oversight and regulatory efforts pertaining to cyber security. For this reason, I hereby request your assistance and cooperation in providing me with responses to a series of follow-up questions. I would respectfully request that such responses be provided no later than November 15, 2003.

First, the specific Davis-Besse plant infection is troubling. You state that neither of the two systems attacked by the virus "affect the safety of the facility". I find it very surprising that the infected "Safety Parameter Display System" (SPDS) and the "Plant Process Computer" (PPC) do not affect the safety of the plant. As you explain in your response, these systems "assist the operators in monitoring plant parameters".

See http://www.securityfocus.com/news/6767/.

  • Isn't it the case that SPDS was put in place as a direct result of the failure of monitoring equipment at the Three Mile Island nuclear plant during the March 28, 1979 accident?
  • Isn't it also the case that SPDS relays critical plant safety parameters to the NRC Operations Center in real time?
  • Isn't the monitoring of plant safety parameters and processes relevant to and necessary for the safe operation of a nuclear power plant?
  • If not, why does the plant run these systems?
  • What computer systems, if infected, would adversely impact the safety of the plant, and how did these escape infection from the Slammer worm?
  • Could these safety-critical systems be infected by other viruses or deliberate hacking attempts? Why or why not?

You also note in your cover letter that the Davis-Besse plant was "in a safely defueled condition" at the time of the infection. This is not reassuring: future computer worms will not be polite enough to attack only defueled plants.

  • What would the safety consequences of the Slammer infection have been if the plant had been fueled and operational?
  • What impact would the infection have had on the ability of the licensee to monitor the plant's operation and properly respond to any problem?
  • Has the NRC staff or the licensee undertaken a worst-case analysis of the impact of having these systems malfunctioning or inoperative when the reactor was operating? If so, what were the findings and recommendations of this analysis? If not, why not?
  • shutting down the MS SQL 2000 server. Would this shutdown have been possible during standard plant operation without either negative safety consequences or shutting down the reactor first?

Second, this infection highlights the importance of general nuclear plant cybersecurity. Davis-Besse was infected because of a T1 connection that bypassed the plant's firewall. Your response indicates that the NRC alerted FirstEnergy (and other NRC licensees) to this potential vulnerability in February 2002, and Information Notice 2003-14 notes that FirstEnergy's Information Technology personnel claimed to have "addressed" the issue. But the T1 line reportedly remained in place because plant computer engineers were never informed of the vulnerability or the decision to address it.
  • When the NRC alerted licensees to the vulnerability exploited by the Slammer worm, did it also require by Order or regulation that the licensees address the vulnerability? If not, why not?
  • Has the Davis-Besse licensee been cited or subjected to any penalty for their Information Technology personnel falsely claiming to have addressed the T1 issue, when in fact the company's relevant computer engineers were never informed of the situation and took no action to ameliorate it? If so, what penalty has been imposed? If not, why not?
  • In the future, does the NRC plan to issue Orders or regulations to require corrective action by licensees as soon as it becomes aware of cyber vulnerabilities such as the one exploited by the Slammer worm? If not, why not?
  • Will the NRC now require by Order or regulation that all network connections to nuclear plants go through a firewall? If not, why not?
  • Has the NRC changed the standards by which it judges whether a licensee has sufficiently addressed an Order or regulation relating to cyber security in order to confirm that action has actually been taken?
  • Will the NRC in the future confirm that plant computer engineers ultimately enact orders, rather than rely on assurances of IT personnel?

Even with the backdoor T1 line in place, the infection apparently could have been avoided if plant computer engineers had installed the Microsoft SQL Server 2000 patch released on July 10, 2002 - six months before the infection.2

  • Will the NRC now require by Order or regulation that licensees install computer security patches within a reasonable time of when they become available? If not, why not?
  • Will the NRC now require its regional offices and resident inspectors to confirm that action has been taken by a licensee to install computer security patches within a reasonable time after the NRC has alerted licensees or ordered action? If not, why not?

You explain in your response that the NRC has conducted pilot studies of cybersecurity at four of the nation's 104 nuclear power plants. These studies included efforts to penetrate the systems and identified "common vulnerabilities relating to the network architecture".

  • Which four plants were the subjects of these studies? Why were they chosen?
  • What specific cyber vulnerabilities (if any) were found at these plants, and what was done to fix them?
  • Did these studies include combined cyber and physical attack simulations? If so, what did they conclude regarding such attacks? If not, why not?
  • In the past five years, what other nuclear plants have been either infected with a computer virus or subject to computer hacking attempts? In each instance, what action(s) were taken by the Commission and by the licensee in response to the virus/hacker attack?
  • Does the NRC intend to study cyber security at any facilities beyond the four covered by the pilot studies? If so, which plants will it study and when? If not, why is it not studying cyber security at the other 100 U.S. nuclear plants?

2 See http://www.microsoft.com/sql/downloads/.

Please provide me with a copy of the pilot studies mentioned in your letter as soon as they are completed. Please also provide me with copies of all orders, advisories and regulations that are issued as a consequence of these studies.

You also report that the NRC is working with the nuclear industry's trade association, the Nuclear Energy Institute (NEI) to develop cybersecurity guidelines.

  • In addition to consulting with the trade association for the nuclear utility industry, is the NRC consulting with governmental and private, non-NEI cybersecurity experts in developing these guidelines? If so, with whom is the NRC consulting? If not, why is the NRC not consulting with other parties?
  • Specifically, is the NRC consulting with the Department of Homeland Security's National Cyber Security Division3, the National Institute of Standards and Technology's Computer Security Resource Center4, or the internationally recognized CERT Coordination Center at Carnegie Mellon University5 in developing these guidelines? If not, why not?
  • Is the NRC holding public hearings or soliciting public comment about these guidelines? If so, please provide details. If not, why not?
  • Will the cybersecurity guidelines be binding on licensees by Order or regulation? What will be the penalties for non-compliance?
  • If the guidelines are not binding, how will the NRC ensure that the nation's nuclear plants are secure against cyber attacks?
  • When will these guidelines be sent to licensees?

Please send me the cybersecurity guidelines as soon as they have been finalized.

Third, I am still trying to ascertain whether cyber attacks or computer viruses may have been involved with the August 14, 2003 blackout that paralyzed much of the Northeast and Midwest. You state that the NRC has "no information" that the blackout was caused by the Blaster worm or other cybersecurity flaw. However, the transcript of the conversation between operators at the Midwest ISO control center during the blackout specifically mentions computer troubles. For instance, while trying to figure out which lines were functional, an operator at FirstEnergy states "We have no clue. Our computer is giving us fits, too, and we don't know the status of some of the stuff around us."6 Later the same operator says "We are trying to [figure out what is going on]. Our computer is not happy and is not cooperating either."7

  • Is the NRC investigating the possible role of the Blaster worm specifically and cybersecurity generally in the August 14, 2003 blackout? If so, what role is the NRC playing in this investigation and what has it learned? If not, why not?

3 See http://www.dhs.gov/dhspublic/display?theme=52.

4 See http://csrc.nist.gov/.

5 See http://www.cert.org/.

6 See http://energycommerce.house.gov/108/hearings/09032003Hearing1061/d.pdf, page 32, line 20.

7 See http://energycommerce.house.gov/108/hearings/09032003Hearing1061/d.pdf, page 33, line 17.

Finally, you state that FirstEnergy was not in violation of NRC's requirements when the Davis-Besse plant was infected, but that the NRC has issued a notice to licensees regarding this incident.

  • Why did the NRC take over seven months from the date of the Davis-Besse infection (January 25, 2003) to issue Information Notice 2003-14 (August 29, 2003)? Had I not written you on this subject, would this information notice have ever been sent?
  • If the Slammer worm didn't affect safety at the Davis-Besse plant and there was no violation, why did the NRC send out Information Notice 2003-14 at all?
  • If allowing a computer virus to penetrate backdoor on a T1 line, bypass a computer firewall at a nuclear facility, and infect systems used for monitoring nuclear power plant operations is not a violation of NRC regulatory requirements, doesn't that suggest these requirements are inadequate and may need revision?

I look forward to your reply. The NRC has a serious responsibility to keep our nation's nuclear plants safe from harm - physical, cyber and otherwise. I appreciate your efforts on nuclear cybersecurity to date and I hope you will continue to pay close attention to this critical issue. If you have any questions or concerns, please have your staff contact Dr. Colin McCormick or Mr. Jeff Duncan of my staff at 202-225-2836.

Sincerely,

Edward J. Markey
Member of Congress

NEWS FROM ED MARKEY
United States Congress, Massachusetts Seventh District

FOR IMMEDIATE RELEASE
October 20, 2003
CONTACT: Jeff Duncan or Colin McCormick (202) 225-2836

REP. MARKEY DEMANDS BETTER CYBER SECURITY AT NUCLEAR POWER PLANTS

Plant infection highlights computer vulnerabilities at nuclear power plants

WASHINGTON, DC - Representative Edward Markey (D-MA), Senior Member of the Select Committee on Homeland Security and Ranking Member on the Telecommunications and the Internet Subcommittee, today released a letter to Nils Diaz, Chairman of the Nuclear Regulatory Commission, urging improved cybersecurity at the nation's 104 licensed nuclear power plants.

"I am concerned that nuclear power plants across the country may be vulnerable to computer viruses and computer hacking," Rep. Markey said. "The safety of these plants depends on their computer systems, which could be targeted by cyber terrorists."

The Nuclear Regulatory Commission (NRC) oversees safety and licensing of U.S. nuclear power plants. On January 25, 2003, the Davis-Besse nuclear plant operated by FirstEnergy Corp. in Oak Harbor, Ohio was infected with the "Slammer" worm computer virus. Two computer systems at the plant were disabled for over four hours. The infection occurred because the plant had a backdoor T1 network connection that bypassed the standard network firewall. The Slammer worm attacked the plant's Microsoft SQL 2000 server, and successfully infected it because plant computer engineers had failed to install a security patch made available six months prior to the attack.

An earlier letter from Rep. Markey to Chairman Diaz on August 22, 2003 asked for information about the NRC's plans to improve nuclear cybersecurity in light of the Davis-Besse situation and press reports indicating that computer problems at FirstEnergy may have played a role in the August 14, 2003 blackout.

One week after Markey's letter, and more than six months after the Slammer worm hit the Davis-Besse facility, the NRC issued a notice to other licensees alerting them to the threat posed by the virus. Chairman Diaz replied that the NRC is conducting "pilot studies" of cybersecurity at four nuclear plants, and is consulting with the Nuclear Energy Institute, an industry organization, to develop guidelines. However, the NRC did not indicate whether the Commission has coordinated its efforts with other government agencies with expertise in cybersecurity, such as the Department of Homeland Security's National Cyber Security Division, or consulted with any non-nuclear industry cyber security experts. The NRC has also not required that network connections to nuclear plant computers go through a firewall or that security patches be installed promptly.

Rep. Markey concluded, "We face an array of threats to our security in the post-September 11 world, and cyber terrorism is one of them. Simple steps, like making sure that all network connections to a nuclear plant go through a firewall, or that nuclear plant computer engineers quickly install security patches, could do a lot to help. But we also need to develop a comprehensive, clear and effective plan for nuclear plant cyber security, with input from government, industry and independent experts. Otherwise our nuclear power plants are sitting ducks for hackers, or worse, for terrorists."

Additional information is available at Rep. Markey's website, http://www.house.gov/markey.