Wednesday, June 18, 2008

Ice-free Arctic: Have we reached the tipping point?

Good BBC News story by Richard Black.

Nothing to worry about for the next five years, as long as you don't depend on anything or anyone located less than 22 feet above sea level.
A few years ago, scientists were predicting ice-free Arctic summers by about 2080. Then computer models started projecting earlier dates, around 2030 to 2050.

Then came the 2007 summer that saw Arctic sea ice shrink to the smallest extent ever recorded, down to 4.2 million sq km from 7.8 million sq km in 1980.

By the end of last year, one research group was forecasting ice-free summers by 2013.

"I think we're going to beat last year's record melt, though I'd love to be wrong," said Dr Stroeve.

"If we do, then I don't think 2013 is far off anymore. If what we think is going to happen does happen, then it'll be within a decade anyway." ...

"This is a positive feedback process," commented Dr Ian Willis, from the Scott Polar Research Institute in Cambridge.

"Sea ice has a higher albedo (reflectivity) than ocean water; so as the ice melts, the water absorbs more of the Sun's energy and warms up more, and that in turn warms the atmosphere more - including the atmosphere over the Greenland ice sheet."

Greenland is already losing ice to the oceans, contributing to the gradual rise in sea levels. The ice cap holds enough water to lift sea levels globally by about 7m (22ft) if it all melted.



Thursday, June 12, 2008

Paying for secrets: national security vs. tech innovation

Excellent post by Jon Stokes on Ars Technica. Stuff readers here will be familiar with, but nicely collected and summarized.



Thursday, June 05, 2008

Software update takes out nuclear power plant

On March 7 the Hatch nuclear power plant near Baxley, Georgia was forced into an emergency shutdown for 48 hours after a software update was installed on a single computer. The trouble started after an engineer from Southern Company, which manages the technology operations for the plant, installed a software update on a computer operating on the plant's business network.

The Washington Post has a very good article by Brian Krebs, which is worth reading in its entirety. Highlights:
According to a report filed with the Nuclear Regulatory Commission, when the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in water reservoirs that cool the plant's radioactive nuclear fuel rods. As a result, automated safety systems at the plant triggered a shutdown...

Company technicians were aware that there was full two-way communication between certain computers on the plant's corporate and control networks. But she said the engineer who installed the update was not aware that the software was designed to synchronize data between machines on both networks, or that a reboot in the business system computer would force a similar reset in the control system machine.

"We were investigating cyber vulnerabilities and discovered that the systems were communicating, we just had not implemented corrective action prior to the automatic [shutdown]," Phillips said. She said plant engineers have since physically removed all network connections between the affected servers.

Computer security experts say the Hatch plant incident is the latest reminder of problems that can occur when corporate computer systems at the nation's most critical networks are connected to sensitive control systems that were never designed with security in mind.

Specifically, experts worry that vulnerabilities were introduced into the systems that regulate the electrical grid as power companies transferred control of generation and distribution equipment from internal networks to supervisory control and data acquisition, or SCADA, systems that can be accessed through the Internet or by phone lines, according to consultants and government reports.

The move to SCADA systems boosts efficiency at utilities because it allows workers to operate equipment remotely. But experts say it also exposes these once-closed systems to cyber attacks...

Joe Weiss, managing partner at Cupertino, Calif.-based Applied Control Solutions, said Hatch is not the only plant that has suffered this type of unusual event. But he said it is one of a handful of public events of this type because the Nuclear Regulatory Commission documents all unusual events, in contrast to non-nuclear facilities that do not make their unusual events public.

"Consequently, it is expected that non-nuclear facilities have experienced similar events," Weiss said. "The Hatch event illustrates the unintended consequences that could occur when business information technology systems interconnect with industrial control systems without adequate design considerations." ...

Weiss said many people in charge of SCADA systems have sought to downplay the threat that hackers pose to these complex networks. But he cautioned that internal, accidental cyber incidents at control system networks can be just as deadly as a carefully planned attack from the outside...

"To people in the IT world, cyber means 'attacks,' but what I tell people is that in our world the predominant cyber events are unintentional," he said. "The flip side of that is if it can happen unintentionally, it can probably be caused intentionally and be a whole lot worse."

News of the Hatch incident also comes as the cyber-security posture of the electric and nuclear power industry is coming under increasing scrutiny from Congress and government investigators. Last month, the Government Accountability Office issued a scathing report about cyber security weaknesses at the Tennessee Valley Authority, the nation's largest public power company and operator of three nuclear plants, including Browns Ferry.
This reinforces the points made in my previous post on protecting the BPS.
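The Hatch story turns on one fact the company only found out while "investigating cyber vulnerabilities": certain hosts on the business network and the control network were talking in both directions. Below is an added example, not code from the Post article, Southern Company, or the Hatch plant, of the kind of audit that surfaces such pairs from an inventory of observed connections: each endpoint is classified into the business or control zone by address range, every host pair with traffic across that boundary is reported, and pairs seen initiating in both directions are flagged. The zone ranges, addresses, and connection records are constructed for the illustration.

```python
"""
Added example (constructed, not from the Post article or the Hatch plant):
audit a list of observed connections for traffic crossing the business/control
boundary and flag host pairs that initiate connections in both directions.
"""
import ipaddress
from collections import defaultdict

# Constructed zone map: which address ranges belong to which network.
ZONES = {
    "business": [ipaddress.ip_network("10.10.0.0/16")],
    "control": [ipaddress.ip_network("192.168.50.0/24")],
}


def zone_of(addr):
    """Return the zone name for an address, or 'unknown' if it is in no listed range."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"


def parse_flow(line):
    """Parse one 'src dst proto dport' record; returns None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    src, dst, proto, dport = line.split()
    return src, dst, proto, int(dport)


def audit_cross_zone(lines):
    """Return {(business_host, control_host): {"to_control": ports, "to_business": ports}}
    for every host pair with traffic crossing the business/control boundary.
    Ports are recorded as 'proto/port' strings, keyed by which side initiated."""
    pairs = defaultdict(lambda: {"to_control": set(), "to_business": set()})
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        zs, zd = zone_of(src), zone_of(dst)
        if {zs, zd} != {"business", "control"}:
            continue  # same zone, or an unknown endpoint: not this audit's concern
        if zs == "business":
            pairs[(src, dst)]["to_control"].add(f"{proto}/{dport}")
        else:
            pairs[(dst, src)]["to_business"].add(f"{proto}/{dport}")
    return dict(pairs)


def two_way_pairs(audit):
    """Pairs with connections initiated from both sides: the 'full two-way
    communication' pattern through which a business-host reboot reached the control system."""
    return sorted(p for p, d in audit.items() if d["to_control"] and d["to_business"])


# Constructed sample of observed connections (not from any real plant).
SAMPLE_FLOWS = """
# src            dst              proto dport
10.10.4.21       10.10.4.5        tcp   445
10.10.7.33       192.168.50.10    tcp   1433
192.168.50.10    10.10.7.33       tcp   1433
192.168.50.20    10.10.9.40       tcp   8080
10.10.2.2        8.8.8.8          udp   53
""".splitlines()

if __name__ == "__main__":
    report = audit_cross_zone(SAMPLE_FLOWS)
    for (biz, ctl), d in sorted(report.items()):
        flag = "TWO-WAY" if d["to_control"] and d["to_business"] else "one-way"
        print(f"{biz} <-> {ctl}: {flag} to_control={sorted(d['to_control'])} "
              f"to_business={sorted(d['to_business'])}")
```

On the constructed sample the audit reports two boundary-crossing pairs and flags only the 1433/tcp pair as two-way, which is the one that would deserve the "physically remove the connection" treatment the plant eventually applied. Feeding it real flow records would only require adapting `parse_flow` to the exporter's format.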



The ID Divide

Bruce Schneier has a nice post on the Center for American Progress paper on identification and identification technologies: "The ID Divide: Addressing the Challenges of Identification and Authentication in American Society."

Among other things, the paper identifies six principles for identification systems:

  • Achieve real security or other goals
  • Accuracy
  • Inclusion
  • Fairness and equality
  • Effective redress mechanisms
  • Equitable financing for systems
From the Executive Summary:

How can these principles be honored in practice? That’s where the "due diligence" process comes into play when considering and implementing identification systems. Due diligence in the financial world of mergers and acquisitions and other important corporate transactions is conducted before a company makes a major investment. Proponents of, say, a merger (or in our case, a new identification program) can err on the side of optimism, concluding too readily that the merger (or new ID program) is clearly the way to go. Thorough due diligence protects against such over-optimism.



Tuesday, June 03, 2008

Data breach tied to identity theft

A common response to reports of data breaches is that "that's just the number of people whose data was exposed--there's no reason to believe that the data will be used fraudulently."

ComputerWorld has an article by Robert McMillan reporting on one case where there definitely is reason to suspect fraudulent use.
A data breach at United Healthcare Services Inc. has led to a rash of identity-theft crimes at the University of California, Irvine.

To date, 155 graduate and medical students at the school have been hit by the scam, in which criminals file false tax returns in the victim's name and then collect their tax refunds. The breach affects 1,132 graduate students who were enrolled with the university's graduate student health insurance program in the 2006-07 school year, said Cathy Lawhon, the university's media relations director...

Based in Minnetonka, Minn., UnitedHealthcare is one of the largest health care service providers in the U.S. A company spokeswoman confirmed that some university students' personal information "may have been accessed without authorization," but she could not comment on the source of the breach.
I have frequently posted on this topic. Let's hope there aren't many more such stories to come. The next victim could be you! (Or, even worse, me. :-)



Sale of SPARTA consummated

I previously posted about the proposed sale of SPARTA. It's now happened.

Today SPARTA, Inc. officially became a subsidiary of Cobham plc.

My job has not changed, just its corporate framework.



Monday, June 02, 2008

More on protecting the bulk power system

Following up on "The power grid? Why would hackers want to mess with that?":

House Homeland Security Committee Chairman Bennie Thompson and Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Chairman James Langevin sent a letter late Thursday to Energy and Commerce Chairman John Dingell detailing their recent efforts to review the United States' bulk power systems operators' efforts to secure their information networks.
The BPS [bulk power system] of the United States and Canada has more than $1 trillion in asset value, more than 200,000 miles of transmission lines, and more than 800,000 megawatts of generating capability, serving over 300 million people. The effective functioning of this infrastructure is highly dependent on computer-based control systems that are used to monitor and manage sensitive processes and physical functions... According to the United States Computer Emergency Readiness Team ("US-CERT"), "this transition towards widely used technologies and open connectivity exposes control systems to the ever-present cyber risks that exist in the information technology world in addition to control system specific risks." ...

The risk to these systems is steadily increasing. Ten years ago, the President's Commission on Critical Infrastructure Protection ("PCCIP") released a report on the risks associated with interconnected computer systems on the BPS, stating that "the widespread and increasing use of supervisory control and data acquisition systems for control of energy systems provides increasing ability to cause serious damage and disruption by cyber means." Since the release of that study, numerous unintentional cyber incidents -- the Davis-Besse power plant incident in 2003, the Northeast blackout in 2003, and the Browns Ferry nuclear power plant failure in 2006 -- suggest that the concerns raised by the PCCIP were warranted. Malicious actors also pose a significant risk to this infrastructure. The Federal Bureau of Investigation has identified multiple sources of threats, including foreign nation states, domestic criminals and hackers, and disgruntled employees working within an organization.

Clearly, intentional and unintentional control systems failures on the BPS can have a significant and potentially devastating impact on the economy, public health, and national security of the United States. For a society that runs on power, the short term or long term disruption of electricity to chemical plants, banks, refineries, hospitals, water systems, and military installations presents a terrifying scenario. Economists recently suggested that the loss of power to a third of the country for three months would result in losses of over $700 billion...

While the NRC [Nuclear Regulatory Commission] could issue specific requirements for its owners and operators, the Electric Sector was unable to make similar demands... Though NERC [North American Electric Reliability Corporation] testified during the hearing that it sent a survey to industry members to determine compliance with the advisory and received a response from approximately 75 percent of the transmission grid that mitigations had been implemented or were in the process of being implemented, the Committee later learned that the survey was not sent until October 19, 2007 -- two days after the hearing...

In fact, all of the utilities interviewed requested additional information to help understand the technical implications of the attack and the specific strategies to mitigate the identified vulnerabilities...

In the interest of national security, a statutory mechanism is necessary to protect the grid against cyber security threats...

We look forward to working with you and your Committee to pass this critical legislation.
With this degree of urgency, perhaps we can hope for a suitable new law within 10 years, at which point the NERC can start drafting regulations with teeth in them...
