According to a Nuclear Regulatory Commission (NRC) notice released on April 17, 2007, an incident on August 19, 2006, at Unit 3 of the Browns Ferry Nuclear Power Plant in Athens, Alabama, forced the operators of the plant to conduct a ‘manual scram’ – or emergency shutdown (source).
The Failure at Browns Ferry
The NRC notice states, “The initial investigation into the dual pump trip found that the recirculation pump variable frequency drive (VFD) controllers were nonresponsive.” The notice continued, “the Unit 3 condensate demineralizer controller had failed simultaneously with the Unit 3 VFD controllers. The condensate demineralizer primary controller is a dual redundant programmable logic control (PLC) system connected to the ethernet-based plant integrated computer system (ICS) network.” The NRC notice concluded, “the root cause of the event was the malfunction of the VFD controller because of excessive traffic on the plant ICS network.”
Alarmed and likely confused by the notice, US Representatives chairing the Homeland Security Committee and the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology wrote a letter to the chairman of the US Nuclear Regulatory Commission regarding cybersecurity, and requested an investigation into “the source of the data storm described” (source).
Source of the ‘Data Storm’
In effect, the failure, described as a “data storm” in the congressional letter, is a Denial of Service (DoS) attack. Quite simply, the PLC control device’s failure caused an excessive spike in traffic on the ICS network. This spike in traffic overwhelmed the VFD controllers that control the flow of water through the reactor. As a result, the VFD controllers were unable to respond to legitimate traffic on the ICS network.
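The mechanism described above, one failed device flooding a flat control segment until other controllers stop answering, is exactly what a simple per-source traffic-rate monitor on the ICS network can surface before a pump trips. The following is an added example, not code from the original article or from any NRC or TVA material; the record format, device addresses, frame counts and thresholds are all constructed for illustration.

```python
from collections import Counter

# Constructed sample of per-second frame counts from a (hypothetical) tap on
# the ICS segment: "<second> <src_ip> <frames>". Addresses and counts invented;
# 10.20.0.11 plays the failing PLC, 10.20.0.12 a VFD controller that goes quiet.
SAMPLE = """\
0 10.20.0.11 40
0 10.20.0.12 35
1 10.20.0.11 38
1 10.20.0.12 36
2 10.20.0.11 9500
2 10.20.0.12 34
3 10.20.0.11 9800
3 10.20.0.12 2
"""

def parse_records(text):
    """Parse one record per line into (second, src, frames) tuples."""
    out = []
    for line in text.splitlines():
        if line.strip():
            sec, src, frames = line.split()
            out.append((int(sec), src, int(frames)))
    return out

def detect_storm(records, warmup_seconds=2, multiplier=10.0):
    """Return (first_storm_second, top_talker, threshold) or None.

    The baseline is the mean segment-wide frames/s over the warm-up window.
    A storm is declared in the first later second whose total exceeds
    multiplier * baseline; the top talker in that second is the device to
    isolate first (here, the flooding PLC).
    """
    per_sec = Counter()          # second -> total frames on the segment
    per_sec_src = {}             # second -> Counter(src -> frames)
    for sec, src, frames in records:
        per_sec[sec] += frames
        per_sec_src.setdefault(sec, Counter())[src] += frames
    quiet = [per_sec[s] for s in range(warmup_seconds)]
    threshold = multiplier * sum(quiet) / len(quiet)
    for sec in sorted(per_sec):
        if sec >= warmup_seconds and per_sec[sec] > threshold:
            return sec, per_sec_src[sec].most_common(1)[0][0], threshold
    return None

if __name__ == "__main__":
    print(detect_storm(parse_records(SAMPLE)))  # (2, '10.20.0.11', 745.0)
```

In a real deployment the baseline would be learned over hours of normal operation rather than two seconds, and the alert would feed the same console the operators watch for pump and VFD status.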
It is unclear at this point why the PLC control device failed, or if a malicious external hacker could have caused this failure. The congressional letter stated, “it is possible that this incident could have come from outside the plant.” The letter continued, “unless and until the cause of the excessive network load can be explained, there is no way for either the licensee (power company) or the NRC to know that this was not an external distributed denial-of-service attack” (source).
A spokesman for the Tennessee Valley Authority, the public power company that runs the Browns Ferry power plant, countered by stating, “the integrated control system (ICS) network is not connected to the network outside the plant” (source). In effect, the power company claimed that an external attacker could not have caused the PLC control device failure because an external attacker could not have accessed the PLC control device.
One Vulnerability = Total Compromise
Recent history demonstrates that external attackers have a way of accessing networks that are allegedly not connected to the Internet. A June 20, 2003, report from the North American Electric Reliability Corporation (NERC) details how the Slammer worm, a self-propagating malware designed to exploit vulnerabilities in Microsoft SQL Server, traversed the Internet and disrupted the internal systems of the Davis-Besse nuclear power plant in Ohio. According to the NERC, “The worm … apparently [migrated] through the corporate networks until it finally reached the critical SCADA network via a remote computer through a VPN connection” (source). This single, and likely undocumented, VPN connection collapsed the cyber security architecture of the Davis-Besse nuclear power plant and effectively allowed an external attacker to access the plant’s internal control network.
As a result, the US Congressional committees are justified in their concern, and their requests for additional information on the failures at Browns Ferry should be taken seriously. It is not enough that the operators of Browns Ferry have installed a firewall on the ICS traffic that in theory will mitigate the risks of future ‘data storms’.
A determined attacker would likely be able to get past this firewall and still execute an attack on the ICS network, possibly causing further disruptions to the nuclear power plant’s operations.