Category Archives: Energy

EPA Withholds Nuclear Data on CA

Note: San Diego now has a line again like the other cities, although flatter, and the warning at the top of Greg’s lab page has been edited to say “Update: Apologies for the delay. Current data has been restored.”

Greg’s lab provides a real-time “California radiation monitoring map”. I just noticed an update with a warning at the top of the main page:

Update: Data for some locations is currently being withheld by the EPA for review. Fresh data for the locations in question will begin to appear once the data is re-cleared for public release.

Access to raw data for some locations is therefore unavailable to anyone who wants to monitor time-critical radiation readings. The San Jose line stops on March 24th. Here is the graph for San Diego, which stops on March 23rd.

San Diego Radiation

The page has two notes, one of which gives the following prediction:

Please be aware that, while there is evidence that traces of fallout from the damaged Fukushima Daiichi nuclear plant in Japan are arriving on U.S. shores, the contribution of these substances at the levels detected to your daily radiation dose is practically nil. The Department of Energy and the EPA continue to monitor the situation carefully, and there is no expectation that harmful amounts of fallout will reach the United States.

That said, the line runs for only a few days and then stops on the same day that European scientists, working from monitoring data that includes a California station, put Japan’s nuclear catastrophe in a different light.

Austrian scientists have released what appears to be the first clear, independent data concerning radiation levels in the immediate aftermath of the Fukushima radiation leak.

By releasing data from two monitoring stations of the Comprehensive Test Ban Treaty Organization (CTBTO) from Japan and California, researchers from the Central Institute for Meteorology and Geodynamics in Vienna have calculated backwards to estimate the true levels of radiation from Fukushima.

[…]

…Gerhard Wotawa, the lead Austrian researcher, noted the high volume of particles released during only the first four days of the leak, and speculated that further data would reveal an even higher total amount.

“The releases of the volatile radionucleotides, like iodine and cesium, are very likely in the same order of magnitude as happened during the Chernobyl accident,” he told Deutsche Welle, adding that CTBTO member states, like Austria, only received data 72 hours after it was gathered via e-mail and private websites.

Other scientists disagree with this estimate, though not definitively; all of them say more data needs to be reviewed. Meanwhile, Japan is reporting that more serious leaks have been detected.

Earlier, officials from the plant’s operator said there was possible damage at reactor number three at the complex, meaning more radioactive contamination may have leaked into the environment.

“It is possible that the pressure vessel containing the fuel rods in the reactor is damaged,” a spokesman from Tokyo Electric Power Co (TEPCO) told the AFP news agency.

So why has the EPA withheld data right after scientists announced a need for more transparency? Is it trying to tune out noise, or to hide a weak signal and avoid more speculation about where the trend might be headed? Some are already using the graphs as a reason for concern. Maybe the EPA has found the graphs read too low and should show an increase, which would be a warning? I have a feeling it is not the latter.

I have to say this reminds me of a 2009 story about how the EPA handled data on arsenic, lead, mercury and boron pollution from coal power.

People who live near sites used to store ash or sludge from coal-fired power plants have a one in 50 chance of developing cancer, according to a just released government report kept from the public for seven years by the Bush Administration.

Those data on harm were released only after the 2008 Tennessee coal ash spill ignited greater public concern. Will the public demand that real-time radiation monitoring be restored, or at least that the EPA better explain its reasons for withholding data?

Updated to add: a humorous view of data analysis from the Daily Show, the clip “When Reporters Attack” (www.thedailyshow.com).

Yosemite Offline Due to Power Failure

Waves of heavy rain have been hitting the Sierra Nevada for weeks and recently caused a landslide in an area called Ferguson Slide (didn’t see that coming) on the Merced River near Yosemite National Park. The slide knocked down power lines, which gave authorities a reason to turn away visitors for most of this week. News10 from Sacramento has this report.

Interesting to see that the disaster plan for a National Park, of all places, is so frail that it is just an electrical pole (on a slide) away from shutdown. I can see why they might want to turn away 10,000 people a day who are there to consume energy rather than expend it, but what about the more independent and capable outdoor enthusiasts?

It seems to me a golden opportunity was lost: the park could have engaged the visitors who would appreciate it without power and would be willing to pitch in to keep it open. Some of those visitors might also help build a more resilient infrastructure, including clean and local energy.

The LA Times points to the extremely high cost of the line repairs.

“Mother Nature has flexed her strength with this series of storms,” said Nicole Liebelt, a spokeswoman for Pacific Gas and Electric Co. Crew members had to be brought in by helicopter to the remote area to work on the problem, she added. Company officials said they hope to have power restored by late Friday.

That has to have run into the hundreds of thousands, on top of the revenue lost from visitors turned away. What if the same investment were put towards business continuity, so the park was designed to operate without grid power for a week or even a month?

US Losing African Support Over Libya

It was supposed to be an internationally sanctioned operation to enforce a UN resolution and protect civilians. Instead several states are openly criticizing the NATO forces for putting Libyan civilians at greater risk, or even killing them.

The President of Uganda has published his opinion in the paper and points out many interesting facts about Libya as well as inconsistencies in American foreign policy.

In the nine-page statement, the President accused the West of hastily imposing a ‘no-fly zone’ on Libya yet it has dragged its feet on the Africa Union request for the same over Somalia.

“We have been appealing to the UN to impose a no-fly zone over Somalia so as to impede the free movement of terrorists, linked to Al-Qaeda that killed Americans on September 11, killed Ugandans last July and have caused so much damage to the Somalis, without success. Why?” the President asked.

The UN imposed a ‘no-fly zone’ on Libya last Thursday.

Museveni also accused the West of looking on as a Libya-like crisis evolves in the Great state of Bahrain.

The same could perhaps be asked of the Ivory Coast. Why has the UN not imposed the same conditions as in Libya?

A few things stand out to me that President Museveni does not mention.

One, Libya is nestled between the revolutions of Egypt and Tunisia. I can’t say exactly how that factors into American logic for intervention but it should not be underestimated. It’s easy for Museveni to say one state has peaceful demonstrations while another has violent insurrectionists because he is ignoring the flow of arms and support going across state borders from demonstrators to insurrectionists. The true difference may be best judged in the dictatorship’s response relative to a whole region of revolution.

Two, enforcement of a no-fly zone (with minimum air casualties) means anti-aircraft defenses have to be neutralized. That is why so many missiles were fired in the initial phase. There is no surprise to this tactic. The civilian casualties are tragic but Museveni does not propose in his statement an alternative method to disabling the threats to civilians and the aircraft sent to impose a no-fly zone.

Three, while I can understand why China, Russia, India, Arab nations, African nations…all believe that America aims to remove Gaddafi from power, this is their moment to step up. They could now find a way to take the reins of the operation to ensure it remains focused on minimizing civilian casualties. Their decision to pull back and criticize leaves the US in a position of greater authority. Has the US made it impossible for the other countries to work with the NATO forces? It seems that the leaders of the other nations are unwilling to take responsibility for the consequences of a tough situation with few easy answers.

Museveni urged Gadaffi to sit at a round table with the opposition, adding that since there have never been elections in Libya, “dialogue is the correct way forward.”

That is not a bad suggestion. It could be that Museveni is using a public critique of the US as a “good cop” routine; perhaps he knows that the UN resolution and NATO attacks could push Gaddafi to the table, but the Libyan dictator will not appear without a sense of balance (less overt support for America) in the AU.

I highly recommend reading the full statement. It has some parts that are just ridiculous:

Black people are always polite.

They, normally, do not want to offend other people. This is called obufura in Runyankore, mwolo in Luo – handling, especially strangers, with care and respect. It seems some of the non-African cultures do not have obufura. You can witness a person talking to a mature person as if he/she is talking to a kindergarten child. “You should do this; you should do that; etc.” We tried to politely point out to Col. Gaddafi that this was difficult in the short and medium term.

I almost quit after reading that nonsense, but it also has some interesting insights into the Ugandan perspective on international relations, such as this:

Idi Amin came to power with the support of Britain and Israel because they thought he was uneducated enough to be used by them.

Amin, however, turned against his sponsors when they refused to sell him guns to fight Tanzania. Unfortunately, Col. Muammar Gaddafi, without getting enough information about Uganda, jumped in to support Idi Amin. This was because Amin was a ‘Moslem’ and Uganda was a ‘Moslem country’ where Moslems were being ‘oppressed’ by Christians.

Amin killed a lot of people extra-judiciary and Gaddafi was identified with these mistakes. In 1972 and 1979, Gaddafi sent Libyan troops to defend Idi Amin when we attacked him. I remember a Libyan Tupolev 22 bomber trying to bomb us in Mbarara in 1979.

And this:

Before Gaddafi came to power in 1969, a barrel of oil was 40 American cents. He launched a campaign to withhold Arab oil unless the West paid more for it. I think the price went up to US$ 20 per barrel. When the Arab-Israel war of 1973 broke out, the barrel of oil went to US$ 40.

And last, but not least, this:

The AU mission could not get to Libya because the Western countries started bombing Libya the day before they were supposed to arrive. However, the mission will continue. My opinion is that, in addition to what the AU mission is doing, it may be important to call an extra-ordinary Summit of the AU in Addis Ababa to discuss this grave situation.

I would blame that on the French, not the US, but that could just be me. I suspect France was one of the most eager to intervene and is likely to have had special forces there from Djibouti long before the bombs started to drop.

SCADA Exploits Roam Free

It looks like Luigi Auriemma did only a quick check of SCADA systems before he came up with a giant list of flaws. He has decided to post his initial findings to Bugtraq:

The following are almost all the vulnerabilities I found in a quick experiment some months ago in certain well known server-side SCADA software packages that are still vulnerable at this moment.

He points out in his post that he did not know anything about SCADA systems before the tests. Obviously that did not stop him from quickly finding many weaknesses.

Full-disclosure advisories and proof-of-concepts:
Siemens Tecnomatix FactoryLink:
http://aluigi.org/adv/factorylink_1-adv.txt
http://aluigi.org/adv/factorylink_2-adv.txt
http://aluigi.org/adv/factorylink_3-adv.txt
http://aluigi.org/adv/factorylink_4-adv.txt
http://aluigi.org/adv/factorylink_5-adv.txt
[…]

Open factorylink_2-adv.txt and you will see how severe these can be: a remotely exploitable arbitrary file download.

CSService is a Windows service listening on port 7580.

All the file operations used by the service (opcodes 6, 8 and 10) allow an attacker to specify arbitrary files and directories (absolute paths), so it is possible to download any file on the server. Obviously it is also possible to specify directory traversal paths.
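The two failure modes the advisory names, absolute paths and directory traversal, come from the same missing check: the service never confines a client-supplied path to the directory it is meant to serve. The block below is an added example, not code from the original post or from Auriemma’s advisory, and it does not reproduce the CSService wire format or opcodes. It models the vulnerable behaviour as a plain path join, puts the hardened resolver a vendor fix would need beside it, and runs both over a constructed set of client path arguments (not captured traffic). The export directory and the 260-character limit are assumptions for illustration.

```python
"""Added example, not code from the original post or from Auriemma's advisory.

The advisory says CSService's file operations accept absolute paths and
directory-traversal sequences, so a client can read any file on the host.
This models that flaw at the path-handling layer and shows the confinement
check a fix needs. The export directory, the MAX_PATH-style length limit and
the sample requests are assumptions/constructed data, not FactoryLink's real
layout or real traffic. PureWindowsPath is used so the Windows semantics
(drive letters, rooted paths, UNC, both separators) hold on any host.
"""
from pathlib import PureWindowsPath

# Assumed directory the service is meant to serve files from (hypothetical).
EXPORT_ROOT = PureWindowsPath(r"C:\FactoryLink\export")


def resolve_unsafe(requested: str) -> PureWindowsPath:
    """Model of the vulnerable behaviour: the client string is simply joined
    onto the export root. Like most join routines, pathlib lets an absolute,
    rooted or UNC argument replace the root and keeps '..' components as-is,
    which is exactly the arbitrary-file read the advisory describes."""
    return EXPORT_ROOT / requested


def resolve_safe(requested: str) -> PureWindowsPath:
    """Hardened resolver: only a plain relative path inside EXPORT_ROOT
    survives; anything else raises PermissionError."""
    if not requested or len(requested) > 260:      # 260 = assumed MAX_PATH cap
        raise PermissionError("empty or oversized path")
    p = PureWindowsPath(requested)
    if p.drive or p.root:      # 'C:\x', 'C:x', '\x' and '\\server\share\x'
        raise PermissionError("absolute, drive-relative or rooted path rejected")
    for part in p.parts:
        # '..' climbs out; ':' is an NTFS alternate data stream or a stray
        # drive letter; trailing spaces/dots are silently stripped by Windows,
        # so a name that has them never matches what the filesystem opens.
        if part in ("..", ".") or ":" in part or part != part.rstrip(" ."):
            raise PermissionError(f"illegal path component {part!r}")
    full = EXPORT_ROOT.joinpath(*p.parts)
    try:                       # belt and braces: must still sit under the root
        full.relative_to(EXPORT_ROOT)
    except ValueError as exc:
        raise PermissionError("path escapes export root") from exc
    return full


def escapes_root(path: PureWindowsPath) -> bool:
    """Lexical check: does the path leave EXPORT_ROOT, either by a different
    drive/root or by enough '..' components to climb above it?"""
    try:
        rel = path.relative_to(EXPORT_ROOT)
    except ValueError:
        return True
    depth = 0
    for part in rel.parts:
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part != ".":
            depth += 1
    return False


# Constructed sample of client path arguments (not real captured traffic).
SAMPLE_REQUESTS = [
    r"reports\daily.csv",                  # legitimate relative path
    r"C:\Windows\win.ini",                 # absolute path, replaces the root
    r"\Windows\win.ini",                   # rooted: keeps the drive, drops the dir
    r"..\..\Windows\win.ini",              # classic traversal
    r"reports/../../../Windows/win.ini",   # traversal with forward slashes
    r"\\attacker\share\payload.exe",       # UNC path to an attacker host
    r"reports\daily.csv:hidden",           # NTFS alternate data stream
]


def audit(requests=SAMPLE_REQUESTS):
    """Run each request through both resolvers and return rows of
    (request, unsafe_resolver_escapes_root, safe_resolver_rejects)."""
    rows = []
    for req in requests:
        escaped = escapes_root(resolve_unsafe(req))
        try:
            resolve_safe(req)
            rejected = False
        except PermissionError:
            rejected = True
        rows.append((req, escaped, rejected))
    return rows


if __name__ == "__main__":
    for req, escaped, rejected in audit():
        print(f"{req:38} unsafe_escapes={escaped!s:5} safe_rejects={rejected}")
```

Note the last row: an alternate data stream does not leave the export directory, so the unsafe resolver does not “escape”, yet the hardened resolver still rejects it, because a confinement check has to whitelist the shape of a name rather than blacklist known escapes. Reserved device names (CON, NUL, COM1) would be the next thing to add to that whitelist.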

First, to be fair, SCADA systems are often intended to live in a different world from other systems: single-user, single-role, and so on. There may be a defense-in-depth or compensating-control design that encapsulates the SCADA system and is meant to carry the security burden. Langner talks about this in his interview on Stuxnet. An unprotected CSService may therefore have been built that way by design, to do one thing and do it well.

Second, I have found that critical infrastructure management can be dominated by a culture of data analysis. Staff are often told to punch holes into closed systems and environments to mine details needed for calculations. It can feel more like a financial firm trying to make real-time investment decisions than an engineering operation. Closed environments are under pressure to be opened in order for spreadsheets to run.

Third, the financially focused managers boast about their speculation and risk-management skills, yet they seem to rely more on faith than on data when it comes to the risk relative to security controls. They raise defense-in-depth as a theory sufficient on its own instead of as a measured and managed practice for deploying controls more thoroughly. In practice that means when you find a vulnerability like factorylink_2-adv, someone will always fall back on my first point above and say “I believe that’s handled elsewhere.”

Putting the three points above together, the worlds of IT and SCADA are not nearly as separate and distinct as many want to believe. They must be managed to reflect this convergence, or gaps are left for attackers to exploit. Worse, the depth of defense can go unmeasured, leaving basic systems unprotected in environments exposed to high-risk, multi-user threats.

That’s why Auriemma’s list should be taken seriously. Vendors need to secure their products, or at the very least test them against hostile scenarios and provide security warnings and guidance. The demand, however, really has to come from SCADA application consumers. I suspect these full-disclosure announcements will help improve the industry’s risk calculations by proving the value of paying SCADA vendors for better security. If management still does not get it, regulations will probably have to tighten.