Going Dark: A Retrospective on the North American Blackout of 2038

Anantharaman, P., Brady, J.P., Flathers, P., Kothari, V.H., Millian, M.C., Nisen, W.G., Reeves, J., Reitinger, N., Smith, S.W.
Citation:

To appear in proceedings of the New Security Paradigms Workshop (NSPW), Windsor, UK, 2018.

Abstract:

From March 29, 2038, to April 6, 2038, the world observed the North American Blackout of 2038. The blackout left upwards of 300 million people without power, ravaged the world economy, and devastated the global internet. By many accounts, it was the most devastating blackout ever witnessed. That said, its occurrence should not be surprising. While pundits harp on the technical sophistication of the adversary, debate the merits of a kinetic response, and politicize the blackout, the sad reality is that we have, for years, known we were susceptible to such an event. Moreover, we have had the requisite knowledge and tools to avert the blackout, but failed to use them. Plenty has been written on the wide-reaching societal effects of the blackout; our focus will be on the blackout itself.

The blackout of 2038 had two major phases. In the first phase, an active adversary exploited a vulnerability in the implementation of the Wireless Access in SCADA Environment (WASE) protocol that supports the grid. Grid operators acted swiftly and switched to a fallback system to restore power. Unfortunately, the adversary then subverted the fallback system by exploiting a well-known vulnerability in DNP3, a popular industrial control system protocol. This led to the second blackout. Eventually, a patched implementation of the WASE protocol was developed and deployed, which restored power.

In hindsight, this blackout stemmed from two erroneous assumptions. First, immediately following the Texas Brownout of 2020, academics, industry professionals, regulators, and other stakeholders advocated for the adoption of a protocol that was formally verified to protect against race conditions (i.e., the cause of the brownout). However, it was wrong to equate formal verification with perfect security; we should have heeded the adage from Donald Knuth, “[b]eware of bugs in the above code; I have only proved it correct, not tried it.” Second, we wrongly assumed a known-to-be-insecure fallback system would be an adequate stopgap until the primary system was back online.

This paper serves as a postmortem to the North American Blackout of 2038. We analyze how the failures came to pass and the assumptions that underlie them. Moreover, we offer a complete and simple solution to prevent these conditions from ever arising again: the adoption of Language-theoretic Security (LangSec) principles. To this end, we provide and evaluate a preliminary implementation of a LangSec parser for the WASE Short Message Protocol format (WSMP). Additionally, we urge lawmakers and regulatory agencies to mandate the verification of fallback protocols.

Publication Status:
To Appear
Publication Type:
Proceedings
Publication Date:
08/28/2018
Copyright Notice:

This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.

  1. The following copyright notice applies to all of the above items that appear in IEEE publications: "Personal use of this material is permitted. However, permission to reprint/publish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from IEEE."

  2. The following copyright notice applies to all of the above items that appear in ACM publications: "© ACM, effective the year of publication shown in the bibliographic information. This file is the author’s version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in the journal or proceedings indicated in the bibliographic data for each item."

  3. The following copyright notice applies to all of the above items that appear in IFAC publications: "Document is being reproduced under permission of the Copyright Holder. Use or reproduction of the Document is for informational or personal use only."