Slammer Impact on Ohio Nuclear Plant

Event Year: 2003 Reliability: Confirmed
Country: United States
Industry Type: Power and Utilities

On January 25, 2003, Davis-Besse nuclear power plant was infected with the MS SQL Server 2000 worm. The infection caused data overload in the site network, resulting in the inability of the computers to communicate with each other.

First Energy Nuclear’s (the licensee’s) corporate network, which is linked with Davis-Besse’s plant network, is connected to external networks via a firewall. A firewall is a system or systems that enforce an access control policy between networks. Among the many access control policies that Davis-Besse’s corporate firewall enforced was the policy of disallowing any data using the UDP into the network by closing port 1434 (MSSQL) of the firewall. This policy would have protected Davis-Besse’s networks from the MS SQL worm infection except that the corporate network had a T1 connection behind the firewall that provided a path for the worm to enter the system. This T1 line was used by one of the licensee’s consultants who provided an application software that ran on a server. This connection bypassed all the access control policies that the corporate firewall was enforcing, including the policy of preventing data that used the UDP from coming into the corporate network.

The consultant’s company network server allowed use of the UDP for data transfers and was infected by the MS SQL worm. When the consultant established a T1 line connection at the licensee’s corporate site, this action opened a path by which the worm that infected the consultant’s company server was sent to the licensee’s corporate network through the T1 line. The worm then randomly infected any servers on the corporate network that had port 1434 open.

Because the MS SQL worm resided in only memory, shutting down the server removed the worm from the server’s memory, ridding the server of the infection. The licensee isolated the server from the site network, installed the MS security patch, and reconnected the server to the site network.


The slowness in computer processing speed began in the morning and by 4:50 p.m., the Safety Parameter Display System (SPDS) became unavailable and remained unavailable for 4 hours 50 minutes. By 5:13 p.m., the plant process computer was lost and remained unavailable for 6 hrs and 9 minutes.

Although the operators were burdened by these losses, the event was not deemed significant since the plant control and protection functions were not affected.

Action Description: In response to this event, Davis-Besse implemented the following corrective actions: (1) required network services to document all external connections to internal network, (2) installed the security patch for the MS SQL Server 2000 vulnerability, (3) installed a firewall between the plant network and the corporate network, (4) established a requirement to monitor and filter the data coming into the plant network to the same standard as the corporate firewall, and (5) implemented a process for computer engineering personnel to review security patches for systems supported and install them within an acceptable timeframe.