Case Profile: Davis-Besse Nuclear Power Plant
On January 25, 2003, the Davis-Besse nuclear power plant in Oak Harbor, Ohio, was infected with the MS SQL 'Slammer' worm. The infection caused a traffic overload on the site network. As a result, the Safety Parameter Display System (SPDS) was inaccessible for almost 5 hours, and the plant process computer was inaccessible for over 6 hours.
Cause of incident
A firewall was in place to isolate the control network from the enterprise network; however, a T1 connection from a software consulting firm entered the control network behind the firewall, bypassing all the access control policies enforced by the corporate firewall. The worm infected the consultant's server and was able to enter the Davis-Besse network through the T1 line.
Fortunately, the plant was off-line at the time the attack occurred, so there was no financial loss or safety risk as a result.
Why Tofino would have helped
This is a classic example of the vulnerability inherent in the 'Bastion' model of defense. The Bastion model employs a single, robust line of defense to prevent entry. The problem with this model is that once an attacker finds an alternate point of entry, that single line of defense no longer offers any protection. The consultant's T1 connection completely bypassed the firewall at the nuclear plant and provided a direct path for the worm to enter the system.
Tofino's Zone Level Security strategy is based on the concept of Defense in Depth - multiple lines of defense extending throughout the control network. It segments the network into Security Zones, controlling and monitoring all traffic passing between zones. This means that an attack will be contained to the original zone in which it occurs instead of spreading to vulnerable assets throughout the network. In addition, the reporting feature of Tofino would tell operations personnel which zone was affected, so they could locate and terminate the threat quickly.
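The difference between the two models can be checked by computing how far a worm's traffic can travel from its entry point. The following is an added example, not part of the original profile and not the vendor's product logic; the zone names, conduit lists and the TCP ports in them are constructed for illustration.

```python
from collections import deque

SLAMMER = ("udp", 1434)  # SQL Slammer propagates over UDP port 1434

# Constructed conduits: (src_zone, dst_zone, proto, port).
# proto/port of None means the link is unfiltered (any traffic passes).
BASTION = [
    # Corporate firewall: the enterprise side is filtered.
    ("enterprise", "control", "tcp", 443),
    # Consultant T1 lands behind the firewall, so nothing filters it.
    # "control" is one flat network holding the SPDS and the process computer.
    ("consultant", "control", None, None),
]
ZONED = [
    ("enterprise", "process_computer", "tcp", 443),
    ("consultant", "vendor_zone", None, None),       # T1 terminates in its own zone
    ("vendor_zone", "process_computer", "tcp", 22),  # only the service the vendor needs
    ("process_computer", "spds", "tcp", 502),
]

def permits(conduit, flow):
    """True if this conduit lets the (proto, port) flow through."""
    _, _, proto, port = conduit
    return proto is None or (proto, port) == flow

def blast_radius(conduits, entry_zone, flow):
    """Zones a worm using `flow` can reach from entry_zone (breadth-first walk)."""
    reached, queue = {entry_zone}, deque([entry_zone])
    while queue:
        zone = queue.popleft()
        for c in conduits:
            if c[0] == zone and c[1] not in reached and permits(c, flow):
                reached.add(c[1])
                queue.append(c[1])
    return reached

def blocked_conduits(conduits, reached, flow):
    """Conduits leaving an infected zone that drop the flow: the zone
    boundaries where an operator would see the worm being stopped."""
    return sorted((c[0], c[1]) for c in conduits
                  if c[0] in reached and not permits(c, flow))

if __name__ == "__main__":
    for name, model in (("bastion", BASTION), ("zoned", ZONED)):
        reached = blast_radius(model, "consultant", SLAMMER)
        print(name, sorted(reached), blocked_conduits(model, reached, SLAMMER))
```

In the bastion layout the unfiltered T1 conduit puts the whole flat control network in reach; in the zoned layout the same flow stops at the boundary of the vendor zone, and the blocked conduit identifies which zone is affected.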