Category Archives: Uncategorized

Weakness in Systems used by Pentagon Power Grid

Posted on by
Reply

From http://www.csmonitor.com/USA/2012/0425/America-s-Stuxnet-Weakness-found-in-systems-used-by-Pentagon-power-grid:

America’s Stuxnet? Weakness found in systems used by Pentagon, power grid.

An amateur enthusiast has found evidence that hackers could exploit a security vulnerability in the systems of a company that serves power plants and military installations.

By Mark Clayton, Staff writer / April 25, 2012

An amateur cybersecurity researcher who bought industrial computer networking equipment on e-Bay for fun has discovered a critical weakness in equipment that helps run railroads, power grids, and even military installations nationwide.

The American Electric Power corporate headquarters in Columbus, Ohio. AEP is a customer of RuggedCom.

Paul Vernon/AP/File

The vulnerability means that hackers or other nations could potentially take control of elements within crucial American infrastructure – from refineries to power plants to missile systems – sabotaging their ability to operate from within.

Analysts say the problem is likely fixable, but the enthusiast says he has gone public only because the company that manufactures the equipment, RuggedCom of Concord, Ontario, has declined to address the issue since he made it known to them a year ago.

“It’s clearly a huge risk,” says Dale Peterson, CEO of Digital Bond, a control systems security firm in Sunrise, Fla. “Anytime someone can take down your network infrastructure, essentially cause a loss of control of the process – or your ability to monitor it, very dangerous things can happen.”

The vulnerability has to do with what is known as a digital “back door.” The back door is a secret login that allows the manufacturer to get into the equipment’s control systems without anyone knowing about it – even the purchaser. In theory, manufacturers could use their back doors to send updates to the equipment, but since they are secret, their use is not well known.

The discovery of back doors built into digital industrial control systems is not unprecedented. In fact, RuggedCom was recently acquired by a subsidiary of Siemens AG, the giant German industrial engineering company that has been criticized for using hidden, yet vulnerable, back doors in its control systems.

What is unusual is that RuggedCom’s equipment is often used as a digital fortress, protecting from hackers far more vulnerable systems that throw mechanical switches or close and open valves. Also surprising, experts say, is that the password needed to enter through this back door appears to be relatively easy to hack.

If hackers can get through the back door of RuggedCom’s routers and digital switches, the entire system that they are a part of becomes vulnerable. For example, Stuxnet, the world’s first publicly identified cyber super weapon, in 2009 wreaked havoc on Iran‘s nuclear centrifuge refining system by exploiting a password hidden inside a Siemen’s operating system.

“It is a very serious threat,” says Robert Radvanovsky, a cybersecurity researcher and cofounder of Infracritical, a think tank focused on shoring up cyber weaknesses in critical infrastructure. “The big concern is that these devices are what connect to the control systems that run the substations where power gets routed.”

RuggedCom sells “hardened” equipment designed to run around the clock in any temperature or weather condition. So it has a variety of clients seeking such robust machinery. Defense-industry customers mentioned on the RuggedCom website include big names like Boeing and Lockheed Martin, while power-industry customers include several of the nation’s largest utilities – American Electric Power, National Grid, Pepco, and others. The systems are also used by transportation authorities in the cities of Houston, Lakeland, Fla., and in Washington State and Wisconsin.

Pipelines, refineries, traffic lights, trains, military systems – all are at greater risk, especially to adept hackers belonging to nation-state intelligence agencies. The “good news,” Peterson says, is that even though the vulnerable systems are widespread, the problem is likely fixable, unless the RuggedCom operating system is too reliant on the back door login and its weak password-encryption system.

A RuggedCom spokesman, responding to an e-mail query, wrote that the company would be unable to respond Wednesday to Monitor queries about the vulnerability.

Feeling the company was dragging its heels and might never fix the problem was a key motivator for Justin W. Clarke, the San Francisco-based researcher who finally decided to reveal the threat a year after he first informed RuggedCom managers about it. RuggedCom said in mid-April that it would need three more weeks to notify customers but did not say whether it planned to fix the back door access with a firmware upgrade, Mr. Clarke says.

“I didn’t do this for money – I didn’t get paid for this,” he says. “I just wanted the problem fixed and nothing I heard from the company ever indicated that would happen.”

Everywhere he went during his day, he says, he saw the systems he knew how to hack sitting there vulnerable – from traffic light control boxes to power substations.

He learned about the vulnerabilities after buying the company’s devices off e-Bay “when they showed up cheap,” says Clarke in an interview. “This is something I do in my spare time with own money. I’m just this guy on street who knows how to do very bad things to important equipment, and I couldn’t stand that feeling so many systems – even in our military – were so vulnerable.”

He hopes a fix will come out now that the US-Computer Emergency Readiness Team, a federal cyberwatchdog, issued a vulnerability warning Tuesday, and its sister agency focused on industrial computerized control systems put out its own warning Wednesday.

Testimonials on the RuggedCom website show how deeply embedded its equipment is inside some of the most important US systems. Located at the end of the Alaska’s Aleutian island chain, about 300 miles from the coast of Siberia, the Shemya Island power plant provides power to National Missile Defense Authority facilities on the island.

“Ruggedcom switches were selected for use in the US Air Force Shemya Power Plant,” wrote Ted Creedon, chief engineer for Creedon Engineering in one testimonial for the company. “All electronics provided to the USAF were disassembled, quality inspected and burned in at the Chief Engineers office in Anchorage. Reliability was not an option.”

Risk: A Product – Umberto Tunesi

Posted on by
Reply

Umberto Tunesi pixRisk, a Product: what a bewildering idea!

Actually, it’s not quite so.

When we look at some official definitions of Risk, such as “the possibility of incurring misfortune or loss” and “to act in spite of the possibility of injury or loss”, and we compare them with the ISO 9000 definition of “Product”, that is “result of a process” (3.4.2), any enterprise, that is a process, may incur in misfortune, injury or loss. Continue reading

A New Professional: The Crisis Bringer – Umberto Tunesi

Posted on by
Reply

As key input and output of typical risk management processes, or risk processing – that is: risk identification, risk evaluation, risk prevention and risk monitoring – project killing is a very apt stage of project management. When a project goes over budget, be it for cost or time, or growing customer un-interest or designers’s un-skills, here comes the dressed-to-kill man or woman, and the project is killed, shot down. It saves money, and more resources. 

CRISIS BRINGER
Crisis-bringing requires more subtlety: a crisis-bringer who finds out the crucial stage(s) or the turning point(s) of events’ sequence, the unstable period(icity), e.g. the one(s) of extreme trouble or danger.

In short, a crisis-bringer is the person who catalyzes the production of one or more critical mass(es) that accelerates the onset of significant turning point(s); or proper adjustment of the process parameters – whatever the process is – to control instability and make the process be under control.

Crisis-bringers are usually found among writers, musicians, actors, painters – artists of any sort. But they are also found among esteemed professionals; only, their work style and policies are far from being even similar to those of “yes men”; “yes women” seem harder to be found, these days, so it may be easier to meet a female than a male crisis-bringer.

I borrowed the term from Deep Purple’s song Storm-bringer, the meaning of which is similar to crisis bringer.

Crisis-bringing can have innumerable applications, from Politics to Church, from Economy to Industry to Education to Society: where- and when-ever a Leader, or a manager, as the case may be, feels that breaking eggs must come before frying them, then crisis-bringers come into action.

We all give to the word “crisis” a negative, almost obsessive meaning; the same as for “critical”, but this word has also positive meanings. Let’s just think of criticality when evaluating for selection on a good restaurant menu: price, diet, appearance, taste, serving time – what else?

Of course, if I sent my bio or CV as a crisis-bringer, I could only expect to be laughed at.

But that’s another sign of the times: crisis-bringers usually get an advanced, very advanced feeling, even information, of what is very likely to go wrong. So they accelerate almost to paroxysm the onset of those conditions that will develop into almost uncontrollable risk – to build effective risk awareness.

Believe me, it’s not a question of any “third eye” perception, or intuition; it’s more like “data collection & analysis”, that we all were taught of at school.

When we don’t follow “good practices”, whatever they may be, we’ll soon run into troubles; and the less we listen to ourselves but eye on and give voice to bad counsellors, instead, then we soon also forget that risk – or danger or hazard – warning mechanisms are deep inside any living being’s nature.

 

Bag-Aholism – Umberto Tunesi

Posted on by
Reply

I sincerely thank Greg Hutchins, a fairly recent and very promising acquaintance of mine, for having introduced me to this terminology.

It is often said – among males – that the human equivalent of snails – obviously not in terms of slowness, since the human equivalent tend to move disturbingly too rapidly, especially when driving their male partner’s car … – are women.

When a woman moves, she takes more stuff from her house with her.

My wife and me went to Croatia for a two weeks summer sea holiday in Croatia, with two friends, a he and his female date. While he brought with him a – normal, according to males’ statistics – one by one by two feet bag, she had a one by two by four feet bag … My car, on which we travelled, was packed to the limit.

My wife: she’s a good, wise woman; but she starts packing her things two weeks before departure, which makes the journey planning a bit awkward. And, once more, two thirds of the garments she brings with her stay unused.

LESSONS LEARNED
But we – professional men – have to learn from these lessons.

What risks are bag-aholic ladies afraid of? Were they mothers, they would be expected to maintain  their children presentable. But when they are no mother? Or when their “children” are grown up enough to wear worn jeans and T-shirts, and don’t give a damn when they are dirtier than pigs?

There must be some deeper motivation.

Let’s do some analysis.  Ishikawa permitting, I allocate the bag-aholism effect to the following key causes:

  • Machines:  Any piece of equipment is a potential risk for garments, it can cause any damage. As in any wisely designed chemical plant, a three-times redundancy approach is strongly recommended, though expensive and space consuming may be.
  • Manpower:  There is a basic interaction approach: the she and the others. Just think of a bar or restaurant waiter spilling a drink or a sauce on the lady’s dress. She has to change, as soon as possible.
  • Materials:  Ladies’ dresses are nowadays light-years apart from Nature; cotton, linen, wool are unknown to fashion designers, especially Italian and French. Pity that they are too trendy, they live on stains, and they cannot be quickly and easily washed, like a male’s T-shirt or jeans. They need change.
  • Methods:  This is a quite difficult cause to detect; but when a lady, like my wife, or my mother, breaks a coffee cup every week, or her leg when biking against a car, you do expect anything to happen. And  bandage and hospital pajamas must not be forgotten, in a wise lady’s travel bag.
  • Environment:  Meteo’s are becoming more and more like football or baseball news. “What will be the weather like? “ is the most common question when adventuring in any journey. So ladies put in their travel bag one inch thick pullovers when flying to Maldives, and even much thicker when flying to Iceland.

A friend of mine went to Santo Domingo with his “fresh” wife for their honeymoon. After dinner, they romantically walked along the seaside; he was wearing shorts and slippers, breast-naked; she wore long cotton trousers, shoes, T-shirt, shirt and a wool sweater – and she was feeling “just right”.

In short, what males think of risk is totally different from women. And traveling bags are a meaningful sign.

A friend of mine, when he left for his one-month summer holiday, just brought a toothbrush with him, nothing else: he would find all he would need “on site”.

Let’s be careful on this, dear risk-processing friends: if a rose is a rose is a rose, not for any- and every-body a risk is a risk is a risk.

Thank you.

BA FLIGHT 38, January 17, 2008, Heathrow – Umberto Tunesi

Posted on by
Reply

The National Geographic Canada “Mayday” reconstruction of the above accident is quite dramatic.

But it is much more than that, when we think that the key cause of the accident, in spite of the many millions and months spent, and all the technicians involved, was found by mere chance.

Quite often it is like that, when practicing problem-solving and / or error-proofing: the technician(s) can be diligent as possible, think of any possible cause and solution, but the ultimate cause and solution are often found by chance.

Why is that?

I am no expert of human thinking processes; but I know of one striking example: the Nobel Prize Winner James D. Watson recounts in his book “The Double Helix”, how he “saw” the DNA structure in an english pub, drinking beer.

UNGUIDED PROBLEM SOLVING
And J.G. Bennet, in his book “Creative Thinking”, guides us on solving a problem simply not working at it: he says to pose yourself the question, then let your mind work; just sample your thoughts from time to time, until the bright idea is born.

I myself – and many people I know tell me they share the same experience – have the brightest ideas when not thinking of “the problem”: it’s just like with Bennet, I pose myself the question, then I – seem to – forget about it. Then, totally unexpected, the solution, the idea, is there, in my mind. Showering in the morning is an effective catalyst, for me.

No time-consuming free-wheeling or brain-washing teams and meetings, therefore.

It seems that – unlike Shakespeare’s Shrew – the human brain cannot be tamed. On the contrary, the more one forces it, the less it produces.

Bertrand Russell writes that after having written “Principia Mathematica”, his co-author A.N. Whitehead almost forgot how to count. It may be an exaggeration, but it says much on how “wild” human brain  is. Put it in chains, and it will rebel.

Let’s stay in the Risk farm: a key series of input is surely knowledge, experience, lessons – “to be” – learned. But when working at something really new, or that we know very little of, how do we go about it?

In times when Innovation is the Economy and Industry password, the available information and data on which to build a project are not that much – quantitatively; and qualitatively they may even be less.

Therefore we have to rely on our imagination, intuition processes.

But where and how do we learn to be imaginative, intuitive, in a world where there are more and more – and almost only – “golden rules”?

One of my “bibles” is surely John Steinbeck’s “The Log from the Sea of Cortez”.

By the way, on last February 27 it was his 110 birthday anniversary.

In this – to me mentor – book, Steinbeck’s writes at length on his friend Ed Ricketts’ non teleological mode of thinking.

Abstruse and completely abstracted from aims, ends, goals, targets, non teleology poses itself just a question: what is it? The “why” has no relevance at all.

RISK FARMING
Surely it’s no easy job, for us Risk farmers, to shift our thinking mode from “why?”-type questions to “what?”-type questions; we are too used to the former. But I think the gain is worth the pain. And by gain I don’t mean any aims, ends, goals, targets, I mean “what it is”.

When working at sampling and analyzing ores – iron, aluminum, zinc, coal, whatever – we were used to the “as-is” characteristics’ figures. As compared to the german “Sollwert” (should-be, or expected figure), the “as-is” figure made our work much easier. It was a kind of configuration management – when it works, it’s OK – rather than “make it like the design specifications”.

I really wish some of you do try the as-is, non teleological approach, whenever and however you will, and feed me back on your experience.

Bio:
My e-mail address is umbertotunesi@gmail.com

Thank you.