ADVERTISEMENT
  About the SA Blog Network













Observations

Observations


Opinion, arguments & analyses from the editors of Scientific American
Observations HomeAboutContact

Expert: A Virus Caused the Blackout of 2003. Will the Next One Be Intentional?

The views expressed are those of the author and are not necessarily those of Scientific American.


Email   PrintPrint



Streetcorner in Toronto, Ontario, during blackout of 2003Kaspersky Labs isn’t as well known in the U.S. as Norton or Symantec, but the company is a major international provider of anti-virus tools. Its co-founder, Evgeny Kaspersky, is one of the world’s most prominent computer security experts. Recently he gave an interview to the German news magazine Spiegel about the future of cyber attacks and the potential for full-scale cyber war. The entire interview is interesting and I encourage you to read it in full, but one particular passage jumped out at me:

Kaspersky: … Everything depends on computers these days: the energy supply, airplanes, trains. I’m worried that the Net will soon become a war zone, a platform for professional attacks on critical infrastructure.

SPIEGEL: When will that happen?

Kaspersky: Yesterday. Such attacks have already occurred.

SPIEGEL: You’re referring to Stuxnet, the so-called “super virus” that was allegedly programmed to sabotage Iranian nuclear facilities.

Kaspersky: Israeli intelligence unfortunately doesn’t send us any reports. There was a lot of talk—on the Internet and in the media—that Stuxnet was a joint U.S.–Israeli project. I think that’s probably the most likely scenario. It was highly professional work, by the way, and one that commands a lot of respect from me. It cost several million dollars and had to be orchestrated by a team of highly trained engineers over several months. These were no amateurs; these were total professionals who have to be taken very seriously. You don’t get in a fight with them; they don’t mess around.

SPIEGEL: What kind of damage can a super virus like this inflict?

Kaspersky: Do you remember the total power outage in large parts of North America in August 2003? Today, I’m pretty sure that a virus triggered that catastrophe. And that was eight years ago.

What gets lost here is the distinction between a targeted virus such as Stuxnet, which appears to have been designed explicitly to disrupt the specialized industrial control systems built by Siemens (and used in Iranian centrifuges), and a virus that generates enough random havoc to incidentally muck up industrial systems, too—a blackout as collateral damage. The security expert Bruce Schneier has written that the Blaster worm contributed to the blackout by disrupting all the secondary systems that help to keep the grid up and running (later reports that Chinese agents specifically targeted the computers have been thoroughly debunked). Schneier writes:

The computer systems we use on our desktops are not reliable enough for critical applications. Neither is the Internet. The more we rely on them in our critical infrastructure, the more vulnerable we become. The more our systems become interconnected, the more vulnerable we become.

In short: we shouldn’t use Windows to run critical industrial applications, as Windows machines are especially vulnerable to targeted viruses and random acts of chaos.

In this month’s issue of Scientific American, Professor David Nicol describes in detail the security problems that plague the U.S. power grid, focusing specifically at the weaknesses involved with using Windows operating systems to run critical infrastructure. In particular, he highlights the problem with upgrades: Unlike the computer systems you use at work, the computers in a power plant can’t be taken down once a week for system maintenance—power needs to keep flowing 24/7/365. Because of this, power plant computers remain vulnerable to known viruses long after security patches become available. Nicol writes:

Grid operators also have a deep-rooted institutional conservatism. Control networks have been in place for a long time, and operators are familiar and comfortable with how they work. They tend to avoid anything that threatens availability or might interfere with ordinary operations.

This is the situation we find ourselves in. Eight years ago a computer virus accidentally killed power to the entire Northeast. The next blackout may be no accident.

 

Photo of a Toronto street corner during the 2003 blackout by John R. Southern (krunkwerke) on Flickr.





Rights & Permissions

Comments 5 Comments

Add Comment
  1. 1. vwlshrtg 6:04 pm 07/20/2011

    Maybe I’m missing something here. Where exactly is the evidence that a virus caused the 2003 Northeast blackout? It was set off by a sagging line hitting a tree, which wasn’t caught because an alarm system failed. Is Kaspersky alleging that the alarm failure was caused by a virus? Given his experience I’m inclined to believe him (and it’s absolutely a believable concept) but simply quoting him saying "I’m pretty sure that a virus triggered that catastrophe" doesn’t seem terribly conclusive. And there’s no additional detail provided in the full interview, either.

    Link to this
  2. 2. jtdwyer 7:34 pm 07/20/2011

    The quote from Bruce Schneier:
    "The computer systems we use on our desktops are not reliable enough for critical applications. Neither is the Internet. The more we rely on them in our critical infrastructure, the more vulnerable we become. The more our systems become interconnected, the more vulnerable we become."

    …could have been attributed to any of many thousands of information systems professionals at any time during the past several decades – it has been common knowledge. Unfortunately, during those decades ambitious opportunists have successfully promoted the use of inadequate systems to provide critical processing requirements.

    Security today is a function of vendors continuously reacting to security holes by repairing exposed system entry points and periodically identifying the presence of viral software infestations. The barn door is never closed until the horses are already gone…

    Society has bought into the idea of connectivity and easy access so completely that proper access control measures that might impede system access are rarely considered in any new system, which are most often assembled from existing and off the shelf components using ad hoc construction methods.

    Critical data, including personal information, is so widely replicated and distributed that there is no responsible custodian. Ask most vendors using that information to correct it and they typically respond by claiming no responsibility for its accuracy since they only acquired it from one of many other sources.

    Why should the public be so amazed that critical infrastructural systems are highly vulnerable? The truth is: this is only the beginning, if not the beginning of the end…

    Link to this
  3. 3. vwlshrtg 7:58 am 07/21/2011

    And Schneier is brilliant too, but even the report he cites regarding the alarm systems didn’t actually implicate a particular virus/trojan/what have you in the blackout. I’m not saying it’s impossible or even implausible. I’d just like some actual evidence.

    Link to this
  4. 4. JWard 5:12 pm 07/21/2011

    I lived in northeast Ohio where the blackout started. I’ve never heard of a virus that makes power lines sag, and I did see them sagging earlier that summer along an interstate. The sag was so bad (perhaps 1/3 of the way to the ground), they looked like jump ropes.

    Link to this
  5. 5. admeralthrawn 2:53 pm 07/23/2011

    "In short: we shouldn’t use Windows to run critical industrial applications, as Windows machines are especially vulnerable to targeted viruses and random acts of chaos."

    This may have been true back in 2000, but since then Windows has been mostly rewritten with security in mind. Most security professionals these days agree that properly-configured (as should be expected in industrial settings) Windows systems are not significantly more or less secure that systems running on other operating systems.

    It is certainly true that Windows is hit by more viruses than other operating systems, but that is mainly because a virus for Windows will affect more systems and thus is a better investment of the author’s time. If one is considering targeted cyber-war attacks, as opposed to random collateral damage, the advantage that less popular operating system have in that regard goes away.

    Link to this

Add a Comment
You must sign in or register as a ScientificAmerican.com member to submit a comment.

More from Scientific American

Scientific American Back To School

Back to School Sale!

12 Digital Issues + 4 Years of Archive Access just $19.99

Order Now >

X

Email this Article



This function is currently unavailable

X