Wednesday, December 10, 2003

Bruce Schneier on Northeast Blackout

Bruce Schneier wrote about the possible role of MSBlaster in the 14 August 2003 northeast electrical blackout. He reports on the November interim report (.pdf) by a joint US-Canadian taskforce:

"The coincidence is too obvious to ignore. At 2:14 p.m. EDT, the MSBlast worm was dropping systems all across North America. The report doesn't explain why so many computers--both primary and backup systems--at FirstEnergy were failing at around the same time. But MSBlast is certainly a reasonable suspect.

Unfortunately, the report doesn't directly address the MSBlast worm and its effects on FirstEnergy's computers. The closest I could find is this paragraph, on page 99: 'Although there were a number of worms and viruses impacting the Internet and Internet connected systems and networks in North America before and during the outage, the SWG's preliminary analysis provides no indication that worm/virus activity had a significant effect on the power generation and delivery systems. Further SWG analysis will test this finding.'"

Bruce's article makes valid points. Until the panel explains why the electricity monitoring systems failed, MSBlaster will remain as likely a suspect as any.

I found the report's goals interesting:

"Phase I: Investigate the outage to determine its causes and why it was not contained.

Phase II: Develop recommendations to reduce the possibility of future outages and minimize the scope of any that occur."

This sounds exactly like an incident response plan I use at client sites. It recognizes that determining what happened is important, but that total prevention of future incidents is impossible.