Regulators alert nuclear-power plants to online viruses
Thursday, September 04, 2003
By Ted Bridis, The Associated Press
WASHINGTON -- Government regulators are warning nuclear plant operators about computer outages caused by Internet infections, confirming disruptions of two important internal systems in January at a nuclear power plant already shut down.
The Nuclear Regulatory Commission said safety was not compromised at the Davis-Besse nuclear power plant along Lake Erie in Ohio, partly because the plant was shut down in February 2002 after workers found a hole in the 6-inch-thick steel cap covering the plant's reactor vessel.
The two computer systems affected by the widespread "Slammer" Internet disruption in January are regularly used by plant operators for monitoring pressure and temperature during accidents, but they are not formally considered safety equipment, NRC spokesman Matthew Chiramal said.
In an information notice disclosed Tuesday, the commission urged operators of the nation's 103 nuclear plants to act to prevent such problems.
The government did not make these steps mandatory. But Chiramal said: "They're supposed to take something like this pretty seriously. If they have something like this, they should go ahead and fix it."
The NRC also said it published its recommendations nearly nine months after the incident because the plant's operator, FirstEnergy Nuclear, only recently acknowledged the disruptive effects of the Slammer infection on its systems. A plant spokesman publicly confirmed the infection Aug. 20.
The government said FirstEnergy Nuclear determined that a contractor had established an unprotected high-speed computer connection to its corporate network that allowed the "Slammer" infection to spread internally. The utility also had failed to install a corrective software patch from Microsoft Corp. that had been available since July 2002.
"Even with these failures, the plant wasn't in violation of cybersecurity guidelines the NRC has in place. Those guidelines must be totally wrong," said Chris Wysopal of AtStake Inc., who will testify next week at a congressional hearing on defending computers against worms and viruses. "This just showed a lack of best practices."
The government last year ordered plant operators to monitor computer connections that bypass protective technology, such as firewalls. FirstEnergy told regulators that, although the order was sent to technology employees, it was never forwarded to the plant's computer engineers.
FirstEnergy said last month that it planned to significantly reduce its technology department, laying off 185 to 230 of its 1,000 technology workers. It said those employees were no longer needed because of new technology that made it more efficient and because of its $4.5 billion merger in 2001 with GPU Inc.
Since the infection, FirstEnergy Nuclear said it has been documenting all external connections to its computer network, installing more protective software and instructing employees to be diligent about patches.
The NRC said it requires all plant safety systems to be isolated from other parts of a company's computer network or be connected in limited ways that prevent disruptions from affecting them.
The attacking infection, alternately called "Slammer" or "Sapphire," never was traced. It scanned for victim computers so randomly and aggressively that it saturated many of the Internet's largest data pipelines, slowing e-mail and Web surfing globally.
Disruptions shook popular perceptions that vital national services, including banking operations and 911 centers, were largely immune to such attacks.
A North American Electric Reliability Council report this summer described the Slammer infection blocking commands that operated some power utilities, although it caused no outages.
post-gazette.com |
