Critical Flaw in Critical Infrastructure Analysis

Skating on Stilts is a blog that says it is about “why we aren’t stopping tomorrow’s terrorism”. A post today discusses Emergency Powers to Respond to a Computer Attack.

Note the disclaimer in paragraph six:

So, if operators of our power grid are dumb enough to run their systems by relying on the Internet and Windows XP, then the bill’s authority to order emergency measures would apply to the providers of electric power, to their ISPs, and to Microsoft. Otherwise the ISPs and Microsoft are in the clear. As for the rest of us, including our search engines, we’re in the clear from the start.

Dumb enough?

At this point I wonder if the author, Stewart Baker, who served as General Counsel for the NSA and worked in DHS under President Bush, has a clue about security, let alone how utilities depend on and use technology.

Utilities have critical systems (as defined under NERC CIP 002) that run Windows XP and they also rely on the Internet. Critical systems not only include those involved in bulk power generation and distribution systems but also the daily operations systems including financial management and market systems. That is not to mention the expanding use of the Internet for smart grid and smart metering systems.

Why bash utilities for using Windows XP? I mean if he had said Windows 98 we might have had a laugh or two but Windows XP? Gartner just started recommending that enterprises begin migrating from Windows XP…by 2012.

Microsoft will support Windows XP with security fixes into April of 2014, but past experience has shown that independent software vendors (ISVs) will stop testing much earlier. “New releases of critical business software will require Windows 7 long before Microsoft support for Windows XP ends,” said Steve Kleynhans, research vice president at Gartner. “Organizations that get all of their users off Windows XP by the end of 2012 will avoid significant potential problems.”

I am not defending Windows XP. It is just a simple reality that it is widely used by bulk power operators and it is still a supported operating system. There are significant security concerns with Windows XP, yet it is misplaced to blame a single supported OS for security failures. In other words, it is not the technology, stupid.

Remember how President Bush signed Executive Order 13231 in October 2001? The security recommendations in that order went something like this:

  1. Identify SCADA systems connected to the network
  2. Disconnect those systems from the network

That is not what I would call smart security, and we wonder why we are in such trouble with the security of critical infrastructure. The irony of the Order is that it carried the title “Critical Infrastructure Protection in the Information Age”. Perhaps it could have had the alternate title “Welcome to the information age, please disconnect for safety.” Switching from Windows XP to some other OS does not fix everything. Same for getting “off” the Internet. Much better to recognize how to handle these as a reality of any modern IT environment.

Although well-intentioned, Baker’s blog post would have been more effective if he had done some basic research on information security and technology used by utilities. His reference to Windows XP and the Internet as dumb choices really just reflects poorly upon his own knowledge of security risks and what authority the government needs to help manage them.

I suggest, for example, that FERC quickly tighten up the NERC CIP. It currently allows too much leeway for entities — they can dictate scope unreasonably, which can turn it into something like a bad SAS70. Force more accurate scope through prescriptive compliance based on NIST SP. Handing out almost open-ended amounts of rope to energy companies seems to have just gotten them severely tangled or worse. Even Sarah Palin, after the latest disaster, has become an advocate for far more industry regulation.

With all that said, the key to Baker’s analysis seems to be found in the concluding paragraphs when he asks:

…do we want the President to look as helpless as he looks today in response to the BP spill?

Make the President look good? That sounds eerily familiar.

Worthy advised Brown: “Please roll up the sleeves of your shirt, all shirts. Even the president rolled his sleeves to just below the elbow. In this [crisis] and on TV you just need to look more hard-working.”

Give the President more authority so he can look better during a crisis? Just to look better? That does not sound well-reasoned at all to me. Give more authority if a user is qualified and there are adequate controls in place to prevent catastrophic mistakes and misuse.

The Most Dangerous Dogs

I have to say, before I get on to the usual data about pit bulls, that I am surprised to see the dalmatian appear in a list of dangerous dogs. Apparently they are aggressive towards people, which does not fit well at all with my image of them riding in fire trucks.

It turns out the spotted breed actually gets along really well with horses. Fire engines used to be pulled by horses. Thus the connection between fire departments and dalmatians has nothing to do with safety to humans.

I still think they are nice dogs. Right, with that out of the way, Dog Bite Law says pit bulls and rottweilers are the most common dogs involved in fatal incidents:

“Studies indicate that pit bull-type dogs were involved in approximately a third of human DBRF (i.e., dog bite related fatalities) reported during the 12-year period from 1981 through 1992, and Rottweilers were responsible for about half of human DBRF reported during the 4 years from 1993 through 1996….[T]he data indicate that Rottweilers and pit bull-type dogs accounted for 67% of human DBRF in the United States between 1997 and 1998. It is extremely unlikely that they accounted for anywhere near 60% of dogs in the United States during that same period and, thus, there appears to be a breed-specific problem with fatalities.”

Saw that coming, didn’t you? These statistics raise the usual questions. Are pit bulls frequently in situations where there is a high likelihood of violence, or is there a high likelihood of violence in situations where there is a pit bull? German shepherds and dobermans, for example, are typically used for guard or police duty. That would make them far more likely to be involved in incidents like biting people. Dalmatians seem to be around fires a lot…

Fat is good for us, really

I am amazed by the low-fat marketing movement. People all around me in America seem obsessed with the idea that removing fat from your diet somehow makes you healthy. From a risk management perspective this makes no sense to me.

It should be common sense just from observing nature. Take the bear, for example. A bear that catches a fish will tear just the fat of the salmon off (with the skin) and then discard the rest. Birds of prey then take the meat from the bones left behind.

Would a bear target fat and skin if it was so unhealthy? We do not live like bears, of course, and there is no accounting for taste, but observing them can give us a clue about how to live.

CBS news does a nice job making this point in a much more scientific manner in their article called Friendly Fats — and Fiendish Ones:

According to the National Institutes of Health, about 35 percent of the calories you eat per day should come from fat, as long as most are from healthy, plant-based foods. That’s about 60 grams a day for most of us, or roughly 15-20 per meal.

Note the reference to “healthy” foods. The irony is that fat has become bad because of the movement by the food industry to create artificial non-fat versions of fat. Follow me? Marketing fat as bad is what created demand for non-fat substances that turn out to be far worse than the fat itself. The industry telling you to buy non-fat, in other words, is the same industry that is making fat bad for you. Trans-fats are the perfect example:

There’s no good news here! Man-made trans-fats, found in foods like crackers, cookies, baked goods and fast food, are crafted from partially hydrogenated oil, which means liquid oil that had hydrogen added to it to make it solid. It’s been shown to boost weight gain and belly fat even when the exact same number of calories are consumed and the percentage of total fat is identical. Trans-fats have also been linked to an increased risk of infertility. One study found that infertility risk jumped by a whopping 73 percent with each 2 percent increase in trans-fat.

I will never forget a security product company where I worked that kept an unlimited and free supply of trans-fat filled products available for employees.

A whole cabinet full of boxed and bagged food products would disappear in just one day. I asked them if they were aware of the risks to their employees from the trans-fats, to which they replied “we cannot afford to buy the fancy food”. Save money? They paid for the insurance to treat all the employees who were affected by the bad fat in the cabinets. Moreover, productivity is surely impacted by the bad fat. A risk management view would ban the artificial fats and bring in the good fats.

Let me make a finer point here about this company. It was a security product company. They had a marketing campaign to sell security products for unknown and unquantified risks. Their campaign was sometimes even based on just fear — buy this product or you could suffer the consequences. They were very successful and very proud of making hundreds of millions of dollars on this fear-based strategy. Yet, without any awareness of irony, when it came to evaluating risks for their own employee health they found it better to save money than reduce a clear and known danger.

Clear and known to whom? The risk of trans-fat, to be fair, has been mixed into deceptive marketing practices.

Unfortunately, food products can claim to provide zero grams of trans fat if the food contains less than 0.5 grams per serving (to identify this “hidden” trans fat, check the ingredient list for the words partially hydrogenated). And, a product can also be labeled trans-free if it’s made with FULLY hydrogenated instead of partially hydrogenated oil. Technically, fully-hydrogenated oils are trans-free, but they’re not risk-free. A Brandeis University study found that eating products made with fully hydrogenated oil (a trans-free alternative to partially hydrogenated oil) may lower HDL, the good cholesterol, and cause a significant rise in blood sugar (about 20 percent).

The bottom line is that unprocessed food is increasingly found to be the source of nutrition with the least risk to health. A simple risk calculation should make fat the hero and non-fat the zero and the CBS report is a great sign of things turning in the right direction.

This trend could take a while. I believe the current chemical non-fat fascination is from as far back as the 1950s when the industry focused on making food sanitized to be healthy. The marketing has been so effective I hear some people say they would rather eat pesticides than see a worm or a blemish. Obviously those people have no idea about risk.

Those within the industry who are working against the grain have found things can get ugly.

“The tomatoes you find in the supermarket taste like cardboard,” [Joe Procacci] said. “We’ve come up with something consumers want. It tastes great. But they won’t let me market it.”

He speaks of the Florida Tomato Committee, an obscure but powerful group of tomato growers who regulate the quality of tomatoes shipped out of state. To some, many UglyRipes are the Frankenstein of the breed: misshapen, wrinkled and scarred tomatoes that look as though they’ve been to war.

Not the face many Florida tomato farmers want the world to see.

Quality? Who in their right mind would want to measure the quality of food by appearance alone? Yet that is exactly what has happened.

“Let’s take the Miss America pageant,” said Dan McClure, a member of the committee from Palmetto. “How often have you seen an ugly woman in the pageant? The same thing applies here.”

The committee to sell you tomatoes apparently just wants to win your business at the most superficial and least important level possible. After that, they do not care what happens to you. If that does not scream bad risk management, I am not sure what does.

Shelf-life is important. Cost is also important. However, they are not the most important and the non-fat movement should be put back into the box. A better measure of quality is taste as a short-term goal. An even better measure is health, as a long-term benefit, and from those two measures we should see that fat is good for us, really. So the next time you hear an American holding a non-fat drink and eating a non-fat muffin rant about how much they love/hate bacon just say “I agree *fat* is great but it is even better from healthy, plant-based foods”.