Did the Chinese PLA Attack the U.S. Power Grid?

This article claims that the Chinese Peoples Liberation Army was behind, among other things, the August 2003 blackout:

Computer hackers in China, including those working on behalf of the Chinese government and military, have penetrated deeply into the information systems of U.S. companies and government agencies, stolen proprietary information from American executives in advance of their business meetings in China, and, in a few cases, gained access to electric power plants in the United States, possibly triggering two recent and widespread blackouts in Florida and the Northeast, according to U.S. government officials and computer-security experts.

One prominent expert told National Journal he believes that China's People's Liberation Army played a role in the power outages. Tim Bennett, the former president of the Cyber Security Industry Alliance, a leading trade group, said that U.S. intelligence officials have told him that the PLA in 2003 gained access to a network that controlled electric power systems serving the northeastern United States. The intelligence officials said that forensic analysis had confirmed the source, Bennett said. "They said that, with confidence, it had been traced back to the PLA." These officials believe that the intrusion may have precipitated the largest blackout in North American history, which occurred in August of that year. A 9,300-square-mile area, touching Michigan, Ohio, New York, and parts of Canada, lost power; an estimated 50 million people were affected.

This is all so much nonsense I don't even know where to begin.

I wrote about this blackout already: the computer failures were caused by Blaster.

The "Interim Report: Causes of the August 14th Blackout in the United States and Canada," published in November and based on detailed research by a panel of government and industry officials, blames the blackout on an unlucky series of failures that allowed a small problem to cascade into an enormous failure.

The Blaster worm affected more than a million computers running Windows during the days after Aug. 11. The computers controlling power generation and delivery were insulated from the Internet, and they were unaffected by Blaster. But critical to the blackout were a series of alarm failures at FirstEnergy, a power company in Ohio. The report explains that the computer hosting the control room's "alarm and logging software" failed, along with the backup computer and several remote-control consoles. Because of these failures, FirstEnergy operators did not realize what was happening and were unable to contain the problem in time.

Simultaneously, another status computer, this one at the Midwest Independent Transmission System Operator, a regional agency that oversees power distribution, failed. According to the report, a technician tried to repair it and forgot to turn it back on when he went to lunch.

To be fair, the report does not blame Blaster for the blackout. I'm less convinced. The failure of computer after computer within the FirstEnergy network certainly could be a coincidence, but it looks to me like a malicious worm.

The rest of the National Journal article is filled with hysterics and hyperbole about Chinese hackers. I have already written an essay about this -- it'll be the next point/counterpoint between Marcus Ranum and me for Information Security -- and I'll publish it here after they publish it.

EDITED TO ADD (6/2): Wired debunked this claim pretty thoroughly:

This time, though, they've attached their tale to the most thoroughly investigated power incident in U.S. history." and "It traced the root cause of the outage to the utility company FirstEnergy's failure to trim back trees encroaching on high-voltage power lines in Ohio. When the power lines were ensnared by the trees, they tripped.

[...]

So China...using the most devious malware ever devised, arranged for trees to grow up into exactly the right power lines at precisely the right time to trigger the cascade.

Large-scale power outages are never one thing. They're a small problem that cascades into series of ever-bigger problems. But the triggering problem were those power lines.

Posted on June 2, 2008 at 6:37 AM • 32 Comments

Comments

Clive RobinsonJune 2, 2008 7:17 AM

In the past many people have claimed "they did it" for political or other reasons.

It makes an investigators life difficult especially if the person(s) are effectivly knowledgsable cranks.

One way to determin the truth is to ask the prior/post questions,

PRIOR - If you have the ability what benifit is it to you to carry out the act?

POST - Irrespective of if you have the ability what benifit to you is it claim you did it?

Then consider the answers as a "balance" if the post far outweighs the prior then it is more likley to be a "crank".

So for a calim to be belivable you have to examin the motivation for actually carrying out the act and the benifit gained as a prior consideration.

In the case of the Chinese yes they probably do have the capabilty but what would it benifit them to "show case" it in this way.

If it is to be a weapon of war then you either have to be at war or using it as a deterant show of superiority. As a weapon of this type is usually quickly nullified and is of no further use, then you have to ask why do it?

Basicaly the Chinese option tends to fail the test.

However there is always another option which is the old biological warfare "accidental release" senario which needs different questions.

AnonymousJune 2, 2008 7:41 AM

Clive,

One problem with your analysis. The Chinese never claimed responsibility for the blackout. According to the article, the blackout was accidentally caused by a hacker mapping the power grids network.

InfospongeJune 2, 2008 7:47 AM

There is a habit among the US intelligence community to see threats behind every corner as a means of justifying their existence and placating those in power. See: Iraq, non-existent nuclear weapons belonging to. The real question to ask here is not what the PLA would have to gain by causing blackouts in the US but rather what section of the US 'national security' establishment has the most to gain by ratcheting up animosities with China.

Carlo GrazianiJune 2, 2008 8:01 AM

It's become part of an MO: point to some piece of national infrastructure exposed to hackers, claim the yellow peril is attacking it, then ratchet up the budget request for national cybersecurity.

If PLA "hackers" didn't exist, there's no doubt in my mind that we'd have to invent them.

NFGJune 2, 2008 8:03 AM

Wired News already thoroughly debunked this, with what I believe is a fairly rational analysis:

http://blog.wired.com/27bstroke6/2008/05/...

If I may be bold enough to quote them:

"This time, though, they've attached their tale to the most thoroughly investigated power incident in U.S. history." and "It traced the root cause of the outage to the utility company FirstEnergy's failure to trim back trees encroaching on high-voltage power lines in Ohio. When the power lines were ensnared by the trees, they tripped."

Finally, "So China [...], using the most devious malware ever devised, arranged for trees to grow up into exactly the right power lines at precisely the right time to trigger the cascade."

Anon.June 2, 2008 8:10 AM

No!

It wasn't the Chinese, and it wasn't Blaster. Just like you said, it was an "unlucky series of failures that allowed a small problem to cascade into an enormous failure."

Blame poor vegetation management, poor control room operator practices, poor situational awareness software, and poor engineer support, but don't waste your time blaming the Chinese or Blaster.

I found the official report surprisingly readable and convincing. Check it out here:

https://reports.energy.gov/

anonymous canuckJune 2, 2008 8:36 AM

What a crock ...

First the Govenor of New York in the heat of the moment blames Canada.

Now a complete work of fiction after facts emerge.

Wayne S AndersonJune 2, 2008 9:08 AM

I fear the chinese malware.

Gives a whole new meaning to the term "social engineering".

Malware that can apply tree objects to power line objects in near real time...

Now if only someone could find the uninstaller for the "stupid" patch already applied to so many people.

PoobahJune 2, 2008 9:34 AM

Infosponge... Are you saying that there's no requirement for an intelligence agency? How naive of you.

jumperJune 2, 2008 9:45 AM

This article is not very well sourced. I don't have very much confidence in this information.

"There has never been an official U.S. government assertion of Chinese involvement in the outage, but intelligence and other government officials contacted for this story did not explicitly rule out a Chinese role. One security analyst in the private sector with close ties to the intelligence community said that some senior intelligence officials believe that China played a role in the 2003 blackout that is still not fully understood."

Point the finger in the right direction: The author of this misleading article.

SkepticalJune 2, 2008 9:57 AM

Funny how the country that is so often portrayed by the US media as being backwards, lagging in sophistication, trailing way behind in technological ability, etc., suddenly has the advanced technology to take down the same country (US) that holds itself up as the shining light of advanced technology.

Must be coming up on the DHS and other agencies' budget season...

XoebeJune 2, 2008 10:43 AM

Hanlon's Razor cover this one nicely:

"Never attribute to malice that which can be adequately explained by stupidity."

However, now we are left asking, why the histrionics? Just politicking?

Dick C. FlatlineJune 2, 2008 10:56 AM

Will everyone PLEASE stop MISUSING the word "hacker"???

I am a hacker. Nothing---NOTHING---pisses me off more than hearing that "hackers illegally-penetrated/stole/defaced such-and-such". Hackers have NEVER illegally-penetrated/stolen/defaced ANYTHING.

*CRACKERS* break into things, *HACKERS* design, test and improve things. Forget all that whitehat-blackhat-greyhat PC-apologist crap you've heard from all the TV/internet gasbags (who couldn't hack OR crack if their lives depended on it).

If you whip out a pistol and rob your own bank, you are NOT a "blackhat bank customer", you are a BANK ROBBER. If you break the law, you are a CRIMINAL. Calling CRIMINALS "hackers" is politically-correct media-babble spewing from known fonts of wisdom (cough) like the Cartoon News Network.

2FundingJune 2, 2008 11:25 AM

Who really knows? After 911, truth and funding are inversely proportional. Hope that the money is properly used.
Internet is now being treated as a hostile weapon.
Who really cares? Who is John Galt? Until things change, we are stuck with what we all know is a joke.

Joe BuckJune 2, 2008 11:28 AM

Sorry, Dick, the good guys have already lost that battle. We can't stop people from using the word "hacker" in this way; the language has changed.

AndrewJune 2, 2008 11:38 AM

The real point here is that massively complex systems can fail in unexpected ways based on comparatively minor issues.

"For want of a nail, a kingdom was lost."

One of the solutions is redundancy. Another solution is repair capacity. Yet a third solution is stockpiling critical parts, especially those with long lead times for production and delivery. However all of these look like inefficiency and a waste of money at budget time.

So does an aggressive vegetation management program and some decent IT support for power company computers. Until fifty million people can't flip on the lights because some idiot decided to run a business-critical function on a Windows machine.

Blame China? That's just pathetic.

Miles BaskaJune 2, 2008 11:49 AM

Truth is a combination of events, sparked by overgrown trees on wires and a race condition in monitoring software.

But that may all be a cover for the work of the Atomic Mole People.

xd0sJune 2, 2008 12:26 PM

I for one welcome our arborean, power cutting overlords! They'll get the Chinese next, then who is laughing :)

Sam HappierJune 2, 2008 1:10 PM

This kind of junk, and the consultants that made others buy into it, is one of the reasons I walked away from my infosec career.

Davi OttenheimerJune 2, 2008 2:01 PM

ah, this reminds me of Y2K power-grid failure speculation by the CIA. US intelligence was convinced their power-grid controls were too weak to survive unscathed.

it also reminds me of a recent hint by an intelligence officer that a country other than the US has recently experienced a power-failure due to cyber-attack. it was all nudge nudge know-what-i-mean, rather than specifics, unfortunately. but apparently it has happened somewhere in the world.

also reminds me how lynne cheney and her hubby dick were so convinced in 2001 that the next great threat to America was coming from china, she resigned from the national security commission (hart-rudmann) in protest. she disagreed with the silly bi-partisan experts who wanted to implement controls that would help avert a 9/11 incident. apparently cheney wanted to really stick it to the chinese, or maybe the russians too, since they were the only "real" threats.

have to stop thinking about that sorry chapter in history.

hey, anyone want to wager about that houston H1 datacenter transformer explosion yesterday? chinese hackers, unruly environment/nature...or just another plan by an infamous reconstruction company to win a new contract?

derekJune 2, 2008 2:29 PM

Look at the author's bio. He is an aspiring screenwriter. No wonder he is writing stuff like this.

Clive RobinsonJune 2, 2008 11:49 PM

@ Anonymous at June 2, 2008 07:41,

You say,

"One problem with your analysis."

And,

"The Chinese never claimed responsibility for the blackout"

You second point appears to be correct, but it is not a problem with the analysis you just have to pick the correct crank making the claims 8)

The article author claimed that various other people claimed it was the Chinese.

Further he did not name them just the usual "senior sources" nonsense which I am told in the US is journolistic short hand for an "insider who gives off the record comment" (or self interested bull ;).

Further what the author does is to deliberatly add gravitas to the supposed contacts statment over and above what was said.

So posibly two or more persons making claims, the author and his supposed sources who are unnamed.

You note I say author not journolist as I have my doubts (from the quoted text of the) article from the way he builds his argument.

You went on to say that the artical (again apparently incorrectly) states that it was a "hacker mapping the power grids network". Which I indicated was a possibility with my last sentance of my previous post.

Now as a person not from the US I'm not familier with the publisher of the artical are they perhaps related to the "National enquirer" I hear of from films, sitcoms and soaps with it's wonderfull UFO and Alien Abduction stories?

More seriously though I have some doubts about the trees being the cause as well. In the UK we had a train come of the rails at points and there where obvious liabilities involved. At one point the company with responsability for maintanence claimed it was deliberate sabotage by persons unknown. It appears that it was actualy due to poor training of the maintanence people, though it is difficult to say as paperwork apparently was not kept correctly...

If you are an organisation facing potentialy vast liability claims you want to shift the blaim else where or at the very least reduce any negligence on your behalf.

If there is "no pilot to blaim" or "subcontractor" then the next best thing is an "act of God".

Having worked in the energy supply business (oil) at the sharp end (off shore) designing remote control and comand systems (T'lem / SCADA) I have a small degree of insider knowledge of this and have a small collection of "war stories" to "dine out on".

The real problem with cascade failiers like fire gutted buildings is finding the start point (seat of the fire) and the cause and why it happened (accident or otherwise).

You eventualy develop a jaundiced view that there are "no accidents only failiers of processes" and that there are "no acts of god only insufficient fore sight / prevention". Also the "feeling neigh certainty" that all ways at the bottom the root cause is money and those with the responsability to manage it's expenditure pointing the finger anywhere but at themselves.

GordonSJune 3, 2008 6:56 AM

There seems to be a lot of this nonsense being directed against China by the American press, politicians and agencies of late.

I can only imagine that there must be some political subtext, and the American public (and indeed the wider, western audience) are supposed to swallow this crap, just as they did the rubbish about Iraq having WMDs.

The unfortunate thing is that this stream of propaganda probably will have the desired effect of breeding (more) xenophobia and racism amongst many people :(

FredJune 3, 2008 5:16 PM

The "National Journal" at least has contradictory quotes/theories on the Florida blackout. In the beginning, it says:

"According to this individual, who cited sources with direct knowledge of the investigation, a Chinese PLA hacker attempting to map Florida Power & Light’s computer infrastructure apparently made a mistake."

And further down, there is more speculation:

"Bennett, the former head of the Cyber Security Industry Alliance, said that if China has penetrated power plants and the power grid, it serves as a show of force to the United States and is likely meant to deter any U.S. military intervention on behalf of Taiwan. He noted that the Florida blackout occurred only a few days after the Navy shot down a failing U.S. satellite with a missile designed to intercept inbound ballistic missiles."

So what was it, an accident or a show of force? If they can't even decide on this, how much do they actually now about the rest?

RyanJune 3, 2008 9:45 PM

This reminds me of a very good book by Charles Perrow called 'Normal Accidents'. He discusses a number of similar situations in which system failures resulted from the unlikely convergence of multiple component failures. His basic thesis is that any system will fail given enough time, and that the only solution is to control the probability of failure. He argues that the critical factors influencing this probability is the complexity of the system and the interdependence of the system. Tightly coupled, well understood systems don't fail very often, and highly distributed chaotic systems don't fail very often, but a complex, highly coupled system cannot be prevented from failing at some point. He uses this analysis to argue against nuclear power, saying that both the probability of failure and the cost of failure are high.

Bill McGonigleJune 5, 2008 3:13 PM

Why are these mutually exclusive? Jeffrey Lee Parson admitted to making a copy-cat version of Blaster, but the original author is still at large. Is there information that excludes the PLA from the list of suspects for BlasterA? Since FirstEnergy has never admitted to being compromised (that I know of) any introductory vector could be imagined.

canadaJune 23, 2008 10:25 AM

I know the RPC/Blaster exploit came out of China, and I have the proof in firewall log files.
I watched probes to a SCADA server coming in from a Linux box months before the August Black-Out attack.

note the RPC (Remote Procedural Call) inherent in all Windows XP
Windows 2000 products.)
exploit utilized by win blaster group of virus/Trojans
sobig.f etc..
http://www.sophos.com/virusinfo/articles/...


I've screen shots of applications
used on my server for
network protection and counter surveillance.

I have a trace.jpg file which is a captured shot of another application used to reverse trace the offending IP address, in this case to 210.2.22.18 China.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..