Another massive spill, this one in Michigan. I remember process and security engineering used to look up to the oil and gas industry. Models for information security often borrowed concepts like fail-safe monitoring. Diagrams and images of oil rigs and pipelines were used to illustrate risk in terms of care and dilligence. The theory was the risk was so high for them, they had developed extensive controls. The BS7799 standard was even developed in a large part by oil companies, if I remember correctly, involved in the high-risk high-reward North Sea and Middle East operations.

The oil companies clearly have a very different public image these days. Oil spill update: State of emergency declared as 800,000 gallons of leaked oil begins flowing through Kalamazoo County.

County officials said they began an emergency response at about 6 p.m. Monday after news spread that a 30-inch oil pipeline in Marshall sprung a leak and released oil into the Talmadge Creek, which feeds into the Kalamazoo River. Houston-based Enbridge Energy Partners said the pipeline has been shut down but that did not happen before more than 800,000 gallons flowed into the creek.

The rate of flow must have been very high but a 30-inch pipeline still would take a while to lose almost a million gallons. Loss prevention has large body of scientific study for the oil and gas industry. What was the delay in detection and response? Maybe things have shifted so far now in the management of energy and risk that they could learn a thing or two from information security.

The BBC notes that diesel overtakes petrol car sales for first time:

Diesel sales made up 50.6% of the total in July, the Society of Motor Manufacturers and Traders (SMMT) said.

The sale of petrol cars dropped by almost a third in July compared with the same month a year earlier.

The article gives two main reasons in their analysis: company fleet restock and drivers buying more efficient engines. They say the tipping point came with diesel pump prices reaching the same as gasoline.

“They are buying despite the £1000 extra cost of diesel car, relying on the 15-20% greater fuel efficiency to leave them better off in the long run.”

According to the motoring organisation, a petrol car owner is now spending on average £123.85 a month on fuel compared with a diesel driver’s average spend of £103.28.

The popularity of diesel has been helped by a substantial fall in the price differential between petrol and diesel. In 2008 it was 13p per litre, wiping out any substantial cost savings a more fuel-efficient diesel engine might offer.

Last month, the difference at the fuel pumps was only 1.5p per litre.

I do not agree with this analysis. The price at the pump varies regularly and diesel is usually close in price. Diesel can be above or below gasoline with very little explanation or reason. Thus, unless people are buying cars on a moment’s notice, there is something else driving them (no pun intended) towards a diesel engine.

My guess is that the usual criteria like performance and prestige are a bigger factor. Why else would so many purchase cars that require premium fuel, which always costs more than regular? BMW, for example, markets their cars to drivers who are concerned with the time to go 0-60. The new diesel 3-series is as good or even better than the gasoline model. That is more likely a real tipping point, rather than just cost at the pump.

The aesthetics of a modern diesel also may be a factor: quieter, better-smelling, better-looking…all the things that used to be said about gasoline are now the reverse. You want an engine that purrs or has a low growl? Diesel comes that way by default. The high-pitched whine of gasoline is out.

Perhaps most important of all, however, is the efficiency measured in terms of convenience and lifestyle. A man who lives in San Francisco I recently met said that due to his first newborn he finally sold his Chevrolet Tahoe and bought a VW Jetta SportWagon with a diesel engine. His eyes grew wide and his hands gestured excitedly as he explained “I have to find a station and stop for gas half as often now — just once every other week. I get back so much time!” When was the last time you heard the father of a newborn talk about all the time they have found?

A quick calculation on productivity in America could make regulation go something like this: require all new pickup trucks to have engines that get 45mpg without any loss in towing power or capacity; this has been done before using diesel technology and could easily be done again. In some sense, it already has.

The funny thing about general technology/marketing evolution is that this 1980s vision of utility

has recently been turned into this (concept)

and this (reality)

There will be approximately 1.5 million pickups sold this year, which get a (questionable) publicized average of 22mpg. Take the 1.5 million gasoline engines filling up 20 gallon tanks every week and compare it to the same number of diesel engines filling up 15 gallon tanks every other week. Right there you eliminate 1 billion (975 million) gallons of fuel consumption in one year and that is just for new vehicles. Assuming 30 minutes is spent for each pump visit we also would recover 19.5 million hours of time for those new vehicles. With current pump prices ($0.20 difference between regular and diesel in America) that means $2.6 billion saved ($1742/yr per vehicle). If the time saved is mapped to $20/hr of productivity that is $585 million gained a year ($390/yr per vehicle).

US Savings in One Year: If All New Pickups Had Diesel Engines

In other words moving the pickup market to diesel would return approximately $2,000 per vehicle in time and cost per year. These calculations alone, however, will not be enough to move the majority of consumers, as noted above. When you add in performance and more prestige — being seen as macho, hip or cool with a diesel — you cover all the primary issues in the American market. On that note the recent fashion trend towards 80s nerdiness (led by the coming-of-age consumers born during that time) should make it easy to see how diesel could outsell gasoline even in the American market.

Microsoft Security Bulletin MS10-046 was released this morning and has extensive detail on how to patch or workaround the vulnerability in windows shell that allows remote code execution.

A couple keys points in the advisory:

First, Microsoft notes that the exploit only gains the rights of a local user. It is fine to suggest a role-based control approach. It is a best practice. However, everyone knows that Windows runs best with a local user in the Administrator group. It echoes my earlier post on this issue, where I tried to emphasize that this story has not significantly moved the dial in terms of Windows exploits. It is significant more because it was targeted to a specific vendor (Siemens) implementation of Windows. This is an excellent example of an Advanced Persistent Threat, versus an Advanced Threat. Persistence comes in the form of intelligence gathering and targeting specific/unique weaknesses. I would wager that Siemens software requires Administrator privileges.

Second, a specific service is implicated as an attack vector

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

Once again we can say all unnecessary services should be disabled as a best practice and for compliance (e.g. PCI DSS). Nothing new here. WebClient is even disabled by default in server versions of Windows since 2003 (they also have a redirector option). It has been enabled in Microsoft desktop systems since Windows 98. Windows 7 even provides a webdav server capability.

The WebClient service does nothing more than allow webdav (Web-based Distributed Authoring and Versioning) access. The service description calls them “Internet-based files”, which is too broad to be a useful definition.

With this functionality in mind it is interesting to note that the attack was distributed by USB. A network-based attack was not chosen perhaps because the systems targeted were said to be disconnected from a network. A WebClient service should only be enabled on a system that needs to manage HTML files via HTTP over a network. So the advisory pins together a local hardware attack with a network service exploit.

Did the Stuxnet authors know that Siemens runs on Windows XP or 98 with default services enabled? Does Siemens WinCC software or the SIMATIC distributed control system require WebClient, thus making it a networked system after all? I would wager, as above, the Siemens systems were configured without security in mind and an unnecessary service was enabled.

Therefore, from the above two points, a Windows user who disables unnecessary services and uses role-based access would reduce the risk of attack.

The real rub in this issue is that these basic security and compliance controls may not be present in utilities and attackers will use this to their advantage. Change to the environment will not come quickly, unfortunately, because some continue to argue against it. Control systems specialists, for example, often try and defend control gaps as another form of control – necessary for safety

One workaround that Siemens users should avoid, however, is changing the default passwords on their control systems, warned control systems expert Joe Weiss, writing on his blog. “Microsoft wants default passwords changed — standard IT policy — while Siemens is telling its customers not to change the default passwords as it could cause problems,” he said.

The disconnect highlights how in control environments, safety — not security — comes first, he said. “The IT folks do not understand why anybody would want to keep a default or hardcoded password as an emergency back door. IT in enterprises, outside of banking, simply doesn’t have real-time emergencies.”

This is very wrong. I could give obvious examples of enterprise IT that has real-time emergencies outside of banking and utilities (e.g. health-care). More to the point, however, even an emergency back door can be setup in a controlled fashion. A vendor default password should not be confused with the need and option for an emergency back door. Role-based access is the difference. Only some people should be authorized to have access to the back door. Access to the back door also should be monitored and logged. I think it stands to reason that a back door that everyone and anyone can access, without an audit trail, actually increases the risk of real-time emergency.

P.S. Kudos again to Microsoft for a thorough and highly useful report on the update as well as the vulnerability. Customers benefit greatly from this exchange of information.

Compare Microsoft’s excellent work with the current method used by Google, as demonstrated by the update report for a High Risk vulnerability in Chrome:

[$500] [43813] High Issue with large canvases. Credit to sp3x of SecurityReason.com.

Imagine if Microsoft had posted only “[2568] Critical Issue with Shell. Credit to Stux.”

Paul Krugman gives his explanation of why people choose not to act despite data showing risk.

So it wasn’t the science, the scientists, or the economics that killed action on climate change. What was it?

The answer is, the usual suspects: greed and cowardice.

If you want to understand opposition to climate action, follow the money. The economy as a whole wouldn’t be significantly hurt if we put a price on carbon, but certain industries — above all, the coal and oil industries — would. And those industries have mounted a huge disinformation campaign to protect their bottom lines.

Thomas Friedman gives a very concrete security example in his analysis of the American paralysis to regulate the coal and oil industries.

Making our country more energy efficient is not some green feel-good thing. Retired Brig. Gen. Steve Anderson, who was Gen. David Petraeus’s senior logistician in Iraq, e-mailed to say that “over 1,000 Americans have been killed in Iraq and Afghanistan hauling fuel to air-condition tents and buildings. If our military would simply insulate their structures, it would save billions of dollars and, more importantly, save lives of truck drivers and escorts. … And will take lots of big fuel trucks (a k a Taliban Targets) off the road, expediting the end of the conflict.”

Friedman then comes to the same conclusion as Krugman

I have a much simpler but plausible ‘conspiracy theory’: the fossil energy companies, driven by the need to protect hundreds of billions of dollars of profits, encourage obfuscation of the inconvenient scientific results. I, for one, admire them for their P.R. skills, while wondering, as always: “Have they no grandchildren?”