Highlights
– Reactor at Hatch nuclear power plant in Baxley, Georgia forced into emergency shutdown
– Network configuration and software updates were responsible for failure
– Successive failures demonstrate danger to critical infrastructure
On March 7, 2008 Unit 2 of the Hatch nuclear power plant near Baxley, Georgia was forced into an emergency shutdown as a result of a misconfiguration in the plant’s computer network.
Accessible Networks
According to a report filed with the Nuclear Regulatory Commission, a contractor responsible for managing the technology operations upgraded software on a computer on the power plant’s administrative network. The upgrade was intended to enable data synchronization between computers on the administrative network and the industrial control system network. Unfortunately, the update forced a reboot, which in turn reset data on the control system. The plant’s safety system interpreted this reset and the subsequent absence of data as a drop in the water reservoirs that cool the plant’s nuclear fuel rods. Assuming that the fuel rods were overheating, the safety system triggered an automatic shutdown of the plant to prevent the perceived meltdown.
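The failure mode described above, as an added illustration that is not part of the report or the plant's actual logic: a synchronization host reboots and clears the control-side data, and safety logic that only looks at the numeric value reads the cleared data as a low water level. The second function shows how quality-aware trip logic classifies the same event as an instrumentation or data fault instead. All thresholds, field names and process values are constructed for the example.

```python
"""Added example (not from the report): how a data reset can masquerade as a
low-level reading, and how quality-aware trip logic separates the two cases.
Thresholds and process values are constructed for illustration only."""
from dataclasses import dataclass
from typing import Optional

LOW_LEVEL_TRIP_CM = 50.0   # constructed threshold: trip if level falls below this
MAX_STALE_S = 5.0          # constructed: a reading older than this is not trusted


@dataclass
class LevelReading:
    value_cm: Optional[float]   # None once the data store has been reset/cleared
    timestamp_s: float          # when the sensor value was written
    quality_good: bool          # instrumentation quality flag


def naive_trip(reading: LevelReading) -> str:
    """Value-only logic: a missing value is read as zero, i.e. as a low level."""
    level = reading.value_cm if reading.value_cm is not None else 0.0
    return "TRIP_LOW_LEVEL" if level < LOW_LEVEL_TRIP_CM else "NORMAL"


def quality_aware_trip(reading: LevelReading, now_s: float) -> str:
    """Distinguishes 'data invalid/stale' from a genuine low-level condition."""
    if reading.value_cm is None or not reading.quality_good:
        return "ALARM_DATA_INVALID"
    if now_s - reading.timestamp_s > MAX_STALE_S:
        return "ALARM_DATA_STALE"
    return "TRIP_LOW_LEVEL" if reading.value_cm < LOW_LEVEL_TRIP_CM else "NORMAL"


def simulate_sync_reset(reading: LevelReading) -> LevelReading:
    """Models the effect the report describes: the reboot of the sync host clears
    the control-side record instead of leaving the last good value in place."""
    return LevelReading(value_cm=None, timestamp_s=reading.timestamp_s,
                        quality_good=False)


def demo() -> dict:
    """Runs both trip functions over a good reading and over the reset record."""
    good = LevelReading(value_cm=320.0, timestamp_s=100.0, quality_good=True)
    after_reset = simulate_sync_reset(good)
    return {
        "naive_before": naive_trip(good),
        "naive_after_reset": naive_trip(after_reset),
        "aware_before": quality_aware_trip(good, now_s=101.0),
        "aware_after_reset": quality_aware_trip(after_reset, now_s=101.0),
        "aware_real_low": quality_aware_trip(LevelReading(40.0, 100.0, True), now_s=101.0),
        "aware_stale": quality_aware_trip(good, now_s=120.0),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A real safety system may still choose to trip on invalid data, and that is a legitimate fail-safe choice; the point of the example is that the two conditions are classified and alarmed separately, so operators can see that the cause is a data path problem rather than a real loss of cooling water, and so that a host on the administrative side should never be in a position to overwrite the control-side record in the first place.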
Previous Failures
This is not the first time a nuclear power plant has been shut down as a result of a network failure. According to a Nuclear Regulatory Commission (NRC) notice released on April 17, 2007, an incident on August 19, 2006, at Unit 3 of the Browns Ferry Nuclear Power Plant in Athens, Alabama, forced the operators of the plant to conduct an emergency shutdown. The failure, described as a “data storm” in the congressional letter, is in effect a Denial of Service (DoS) attack: a failed programmable logic controller (PLC) caused an excessive spike in traffic on the control system network. This spike overwhelmed the other controllers that regulate the flow of water through the reactor, leaving them unable to respond to legitimate traffic on the control system network.
Additionally, a June 20, 2003, report from the North American Electric Reliability Corporation (NERC) detailed how the Slammer worm, a self-propagating malware designed to exploit vulnerabilities in Microsoft SQL Server, traversed the Internet and disrupted the internal systems of the Davis-Besse nuclear power plant in Ohio. According to the NERC, “The worm … apparently [migrated] through the corporate networks until it finally reached the critical SCADA network via a remote computer through a VPN connection.”
The Danger of Networked Control Systems
These previous failures are significant because they demonstrate the increasing vulnerability of the nation’s critical infrastructure. Each of these failures was directly attributable to the fact that the control systems responsible for maintaining and administering critical infrastructure such as a nuclear power plant were connected to other networks and, in some cases, to the public Internet.
These connections introduced problems such as excessive data, or a lack of data, into the control system networks. Control system networks are not only fragile but operate with very little margin for error, as they are directly responsible for the smooth functioning of a vital piece of critical infrastructure. As such, any issue typically leads to disastrous consequences such as an emergency shutdown.
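The two conditions this section names, traffic entering the control network from other zones (the VPN path in the Davis-Besse case, the administrative host in the Hatch case) and excessive traffic on the control network itself (the Browns Ferry “data storm”), are both visible in network flow records. The following is an added example, not code from any of the plants or reports: it checks constructed flow records against a zone-segmentation policy and flags hosts whose per-second packet count on the control network exceeds a constructed surge threshold. The zone address ranges, policy, flow format, thresholds and sample flows are all assumptions made for the example.

```python
"""Added example (not from the report): checks constructed network flow records
against a zone-segmentation policy and flags traffic surges on the control
network. Zones, addresses, thresholds and the flow format are all constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed zone map: which address ranges belong to which network
ZONES = {
    "admin":   ip_network("10.1.0.0/16"),
    "vpn":     ip_network("10.9.0.0/16"),
    "control": ip_network("192.168.50.0/24"),
}
# Constructed policy: only sources in these zones may originate traffic into 'control'
ALLOWED_INTO_CONTROL = {"control"}
STORM_PPS = 1000   # constructed: packets per second from one host that counts as a surge


def zone_of(addr: str) -> str:
    """Maps an address to its zone name, or 'unknown' if it matches no zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def parse_flow(line: str) -> dict:
    """Parses one 'ts,src,dst,dport,proto,packets' record (constructed format)."""
    ts, src, dst, dport, proto, pkts = line.strip().split(",")
    return {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "packets": int(pkts)}


def segmentation_violations(flows: list) -> list:
    """Flows entering the control zone from a zone the policy does not permit."""
    out = []
    for f in flows:
        src_zone = zone_of(f["src"])
        if zone_of(f["dst"]) == "control" and src_zone not in ALLOWED_INTO_CONTROL:
            out.append((f["src"], src_zone, f["dst"], f["dport"]))
    return out


def traffic_surges(flows: list) -> list:
    """Control-network sources whose packets in any one-second bucket exceed STORM_PPS."""
    pps = defaultdict(int)
    for f in flows:
        if zone_of(f["src"]) == "control":
            pps[(f["src"], int(f["ts"]))] += f["packets"]
    return sorted({src for (src, _), n in pps.items() if n > STORM_PPS})


# Constructed sample flows: a normal Modbus/TCP exchange, an admin host reaching
# into the control zone, a VPN host probing the SQL Server resolution port, and
# a controller flooding the broadcast address within a single second.
SAMPLE_FLOWS = """\
1000.1,192.168.50.10,192.168.50.20,502,tcp,12
1000.2,10.1.4.7,192.168.50.20,445,tcp,30
1000.3,10.9.3.3,192.168.50.30,1434,udp,8
1000.4,192.168.50.40,192.168.50.255,0,udp,900
1000.9,192.168.50.40,192.168.50.255,0,udp,700
1001.1,192.168.50.10,192.168.50.20,502,tcp,10
"""


def analyse(text: str = SAMPLE_FLOWS) -> dict:
    """Runs both checks over a block of flow records and returns the findings."""
    flows = [parse_flow(l) for l in text.splitlines() if l.strip()]
    return {"violations": segmentation_violations(flows),
            "surges": traffic_surges(flows)}


if __name__ == "__main__":
    findings = analyse()
    for v in findings["violations"]:
        print("segmentation violation:", v)
    for s in findings["surges"]:
        print("traffic surge from:", s)
```

The first check is the one that would have surfaced both the VPN path into the SCADA network and an administrative host writing into the control system; the second is a crude stand-in for the broadcast-storm detection that switch port rate limiting or a network monitor would provide on a control segment. A deny-by-default policy in which the control zone accepts no inbound sessions from administrative or remote-access zones is the mitigation both cases point to.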
That two nuclear power plants in the past two years have “crashed” as a result of problems in their control system networks is firm evidence of the potential threat to our critical infrastructure. As such, the possibility that adversaries, such as China, have mapped these vulnerabilities and would be able to exploit them in a future crisis is very real.