A worm in the works

Could disasters loom as more and more pipeline operators switch to Windows NT?

On June 10, 1999, the Olympic Pipe Line Company’s main fuel line ruptured in Bellingham, turning picturesque Whatcom Creek into a blazing torrent of gasoline and killing three people. On the same day Worm.Explore.zip, a particularly nasty software worm disseminated as an attachment through Microsoft API-compliant e-mail programs, ran rampant through various large corporate networks (including Microsoft’s), deleting a random assortment of Microsoft Word, Excel, PowerPoint, and other files.

No one noted the coincidence of the two events at the time. But could it be more than coincidence? Might a computer virus or worm like Worm.Explore.zip threaten pipeline control systems like Olympic’s?

The answer appears to be no in the case of the Olympic accident, but yes or maybe in the case of a growing number of other pipelines around the world.

The potential targets in question are the computerized SCADA (supervisory control and data acquisition) systems that monitor the complex balance of flow, pressure, temperature, and other conditions inside the lines. Olympic’s SCADA system crashed one hour before the Bellingham accident, and a back-up computer also crashed, allowing pressure to build in the pipe. One month later the US Office of Pipeline Safety issued a warning to pipeline operators nationwide, advising them to make sure their control systems wouldn’t suffer similar malfunctions. It reported that an internal “database error . . . hampered controller operations” on the Olympic line. Together with the SCADA processor’s “inadequate reserve capacity” and the chaotic situation, this “may have been prevented the pipeline controllers” from reacting quickly enough.

Following this failure, says Olympic Pipe Line spokesman Pierce Edwards, “we completed an analysis of the SCADA system. As a result, the system parameters have been modified and the system upgraded, including a 750 percent increase in [data] processing capacity.” Officials at Olympic, the US Office of Pipeline Safety, and the National Transportation Safety Board otherwise decline to discuss details of the accident, pending release of an NTSB report that’s taking longer than expected. (The investigation has been complicated by Olympic employees’ refusing to provide information on grounds of self-incrimination.) NTSB spokesman Keith Holloway did confirm last fall that “the computer virus [sic] is one [potential factor] we’re looking into.”

But not one that’s likely to pan out. That’s because, according to Olympic IT manager Dan Swathman, the pipeline’s SCADA system does not run on Windows, which might have made it vulnerable to the e-mail-borne Worm.Explore.zip: “Our current SCADA system is on VMS, from Digital Equipment [now Compaq], running on an Alpha Chip. GMI makes the system. A couple computers are dedicated to it.” And, Swathman adds, these computers are not connected to the Windows-based e-mail and office systems through which the worm could have gotten in.

That’s reassuring—but the broader picture may not be. Across this country, and as far away as China, pipeline systems are switching from VMS and Unix systems to versatile, ubiquitous, user-friendly Windows NT. “The scada market has been moving towards Windows NT as the dominant operating system,” Oil & Gas Journal reported (3/24/97). “The use of NT for the console platform has many advantages, including the ability to display scada screens on the same console as many common business applications which have been developed for the Windows environment. . . . The archival of data in a relational form allows access by other applications outside the scada system. In this way, scada vendors are meeting the requirements of pipeline companies to use scada data in business applications outside the traditional gas-control environment.” In other words, Windows NT lets operators integrate their SCADA and business applications, such as . . . the e-mail through which viruses and worms typically spread.

Representatives of the famously underfunded and ineffective Office of Pipeline Safety say they don’t see a problem here nor do they meddle in companies’ choices of operating systems. “We want them to use the best operating system for their pipeline,” says one. And Microsoft representatives had no comment on the use of Windows NT in control systems and possible security concerns or precautions.

But Matt Saunders, a local expert on Windows NT vulnerability, was less sanguine when informed of such use. “One would hope that their command and control policies dictate that control machines should be isolated from other hosts,” he notes, “But this is rarely the case for most organizations, because it’s simply easier to get work done and ignore the risks.

“It terrifies me that a control system of this nature is being run on NT. It’s simply insane.”