SQL Slammer Impacts Drill Site

Event Year: 2003 Reliability: Confirmed
Country: United States
Industry Type: Petroleum

SQL Slammer virus entered the Corporate Intranet from the internet onto the Automation Segments/VLANS. This Denial of Service attack produced large enough quantities of traffic to use up resources on routers and switches. SQL sources on the Automation segment were 3 PSs running Bently Series One software and 2 PCs with the newer version of WonderWare that uses MS-SQL server. These 5 PCs represent only a small portion of the 70+ PCs on the Automation segments and were distributed at 3 different facilities. The business segments on site also had several MS-SQL server apps running. Although separated by VLANS, the Automation and Business traffice shared common switches and routers.


Traffic was intermittent between Operator Consoles and the SCADA servers. Traffic was also intermittent between those Drillsite PLCs/DeltaV DCSs and the SCADA system that were connected by Ethernet. Although the site was isolated from the corporate intranet early on, there were enough local business apps running MS-SQL server that were infected that the operators at one of the facilities did not have any remote alarming for their drillsites for several hours. At the time of this incident, the main facility DCSs had a proprietary, non Ethernet HMI interface so facility impact was minimal. Impact to support staff was significant as it took several days to track down and patch all Automation and Business offending systems.

Action Description: Patched or removed the MS-SQL servers on the Automation segments and installed separate firewall, routers and switches between the corporate intranet and the Automation network.