A report published this week by the US Federal Energy Regulatory Commission made the same conclusion as November’s interim report. A combination of system and human failure at energy companies led to the blackout, FERC said.

Speculation at the time was rampant that the Blaster worm was behind the outage. Blaster targeted unpatched Windows systems and was spreading rapidly on August 14 last year, when the outage occurred.

But the FERC probe found no evidence that worms or viruses circulating on the internet at the time of the power outage had an effect on power generation and delivery systems of the companies directly involved in the power outage, the report says.

FERC also said that there was no evidence that malicious actors caused or contributed to the power outage, following reports that the Al Qaeda terrorist group had claimed responsibility for causing the blackout.

However, the report also says: "A failure in a software program not linked to malicious activity may have significantly contributed to the power outage." The unnamed vendor has since provided industry with the necessary information and mitigation steps.

FirstEnergy Corp, which takes most of the blame in the report, said last November that it had identified "a previously undetected flaw in vendor software that resulted in the loss of an alarm function, affecting our operators' understanding of events on our system."

Whenever worms have been mentioned in the context of the blackout, the language has always been the same – that they did not have any significant impact on power generation and delivery systems. This has raised eyebrows.

"Why the tortured prose?" Bruce Schneier, security author and CTO of Counterpane Internet Security Inc, wrote in November. "But what about the alarm systems? Clearly they were all affected by something, and all at the same time."

The FERC report does conclude that failures in alarm systems, which could have alerted engineers to emerging issues, were partly to blame for the problem escalating and becoming a cascading failure that affected an estimated 50 million people.

Speculation was fed by news last August that the Davis-Besse power plant in Ohio had certain safety display systems taken out of action for several hours in January 2003 by the Slammer worm, which also exploited a Microsoft vulnerability.

Davis-Besse, an inactive power plant, was infected via a WAN connection to the offices of its corporate parent, FirstEnergy Corp, which in turn had become infected via an unsecured T-1 line put in place by a third-party contractor.

And this week’s report makes it clear that FirstEnergy, which with 4.4 million customers in three eastern states calls itself the US’s fifth-largest power utility, takes most of the blame for the August outage.

This article is based on material originally published by ComputerWire