Winter Risk Management

Some recent fun in the fluffy stuff. Ride safely:

Just like information security on a large corporate network. Want me to explain how to achieve NERC CIP 002-009 compliance, or perhaps avoid HIPAA fines…let’s go skiing. Speaking of tips, when in Vail on a big powder day head for Red Square:

Way to go Heath!

Utility limiter kills veteran

A truly gut wrenching story is now being circulated about a WWII veteran who slowly froze to death after a utility company installed a device that shut off his power. The Star Tribune title gives a good indication of where things are headed: Freezing death of Mich. man in house sparks anger, soul-searching, resolve to prevent repeat

On Jan. 13, a worker with the city-owned utility installed a “limiter” on Schur’s electric meter after four months of unpaid bills. The device restricts power and blows like a fuse if usage rises past a set level. Electricity is not restored until the device is flipped back on by the homeowner, who must walk outside to the meter.

City Electric Light & Power did not contact Schur face-to-face to notify him of the device and explain how it works, instead following its usual policy by leaving a note on the door. But neighbors said Schur rarely, if ever, left the house in the cold.

At some point, the device evidently tripped and was not reset, authorities said. Schur’s home was heated by a gas furnace, not electricity, but some gas furnaces do not work properly if the power is out.

Should the neighbors have monitored his situation and intervened, should the utility have interfaced with their customer more? This all begs the question of monitoring and surveillance as well as privacy. Perhaps the most pressing issue for some is that the man was elderly and needed special care, but it is not clear how and when this level of detail can be managed before the utility enters into security issues around privacy? On the flip side, if a customer has paid their bill regularly for fifty years, how difficult can it be for a utility to wait a couple months until temperatures/conditions are safe before terminating power and starting an investigation?

Also worth noting is that the utility in question is a municipal entity and therefore escaped a law designed specifically to prevent this type of tragedy.

CyberWar Against Kyrgyzstan

A Russian ‘cybermilitia’ is being blamed for disrupting Kyrgyzstan networks:

…what’s worrisome to [Don Jackson, the director of threat intelligence at SecureWorks] is the speed with which this attack was mounted. “To put some perspective on this, it’s been an escalating pattern from Estonia to Georgia to here,” he said, referring to the 2007 and 2008 attacks against other former Soviet republics. “The attacks are more closely coinciding with events that are core to the Russian interest, with increasingly fast response and quick mobilization.

“When it once took days or weeks, now we’re seeing it within hours,” Jackson said.

The so called “militia” is really a group that manage botnets and servers more commonly used for spam and phishing. They are believed to be Russian because of the traffic patterns, but the fact that they use resources also for political events underscores their background and interests.