Deutsche Welle reports that Germans are afraid of ethanol and refuse to use it.

E10 is safe for 93 percent of all cars registered in Germany and 99 percent of all German-made cars. But that has apparently done little to reassure drivers, 70 percent of whom are sticking to what they know.

Apart from concerns over the 10 percent ethanol, E10 is also less efficient, somewhat negating the price advantage.

Blame for resistance in Germany has been put on the industry that produces and sells E10 there.

Germany’s Environment Minister Norbert Röttgen heavily criticized the fuel industry for not properly advertising E10 at gas stations. “The confusion that the petroleum industry has created is unacceptable,” he fumed.

Haha, he fumed. For what it’s worth Deutsche Welle often has the best puns in the news; who says Germans have no sense of humor?

The German automobile association ADAC has thrown its support behind the minister. “The petroleum industry alone is responsible for the chaos that followed the introduction of E10,” said ADAC spokesman Maxi Hartung. “For there to be absolutely no information available on a newly-introduced product is the wrong approach.”

There is a lot of confidence in Maxi’s statement. Calling the petroleum industry “alone” with “absolutely no information” is a bit extreme, but it is easy to see why the ADAC is so upset.

Educating drivers would be a boon to the automobile industry. It increases the likelihood of engine upgrades or vehicle replacement. The problem, however, is that this also could lead directly to a shift into efficient engines (and a trade-in for diesel). That lowers consumption of fuel and moves more Germans away from petroleum. While this is the goal of government regulation (reducing dependence on petroleum) the petroleum industry is hardly an eager proponent of this scheme; they are not likely to want to push demand down for their primary product (gasoline) any farther unless forced by regulations.

All of that speculation aside, I thought this was the most interesting statement in the article:

Many drivers prefer the old gas, even though it costs up to eight euro cents (11 US cents) more per liter, for fear…

Aha! Drivers prefer more expensive fuel at the pump, despite the option to spend less, because they are worried about long-term costs!

Surprised?

What would they decide if offered more expensive fuel that has a lower long-term collective cost (e.g. clean, domestic, renewable)…?

Studies of biodiesel, by comparison, suggest that Germans have adopted it rapidly and worry only that it may come from un-ethical sources. Ironic, when you consider where/how petroleum hstorically has been sourced.

Germans switched to biodiesel so quickly, in fact, that the government feared a tax revenue loss. They added laws expected to drive down biodiesel enthusiasm and protect petroleum demand while introducing ethanol…but they apparently did not plan for a lack of support from the petroleum industry, or for resistance from drivers.

The dark green bars above represent the extremely rapid adoption of biodiesel by German drivers and the plateau expected from taxation.

A smarter plan for the German government would have been to regulate ethical sourcing for fuels (to address consumer concerns) and then encourage consumers to move away from gasoline to diesel. Skip the ethanol phase.

Ethanol has become too small a step at a steep cost — high risk with little or no reward at all. The resistance from gasoline drivers makes it an even less attractive option. Biodiesel, meanwhile, has shown solid demand with far more supply options — low risk with high reward.

The Bulk Power System of the United States must comply with NERC standards CIP-002 through CIP-009.

The standards are setup so that CIP-002 has a significant influence over the need for standards CIP-003 through CIP-009. It requires a regulated entity to use a risk-based assessment methodology (RBAM) to identify critical assets. In other words, a RBAM is meant to set how much of an environment is within scope of review.

This is not a unique approach. If you are familiar with PCI this is like saying a regulated entity has to determine the systems that process, transmit or store cardholder data to set the scope.

Unfortunately NERC, in their December 2010 Sufficiency Review, says entities are failing to properly identify and document their critical assets.

As a result of audits conducted over the past couple of years through the CIP compliance monitoring program, NERC has found instances where entity methodologies are not sufficiently comprehensive to produce a complete and accurate list of critical assets. This suggests greater clarity is needed in either NERC standards or industry guidelines to provide a more accurate identification of entity critical assets. While in many cases, functional entities had similar methodologies, substantial differences were evident even amongst entities within the same registered function. In certain cases, this has led to audit findings of non-compliance.

Stuxnet has shown up in CSO magazine with a fingers-scratching-on-chalkboard title:

If Stuxnet was cyberwar, is U.S. ready for a response?

Interesting question. Why should we consider Stuxnet cyberwar? No analysis provided in the article. In the same vein we might as well ask if Stuxnet was water soluble, is the US ready to drink it? If Stuxnet was mixed into oatmeal, is the US ready to taste it?

Then comes the CSO article teaser:

The complex Stuxnet worm proved attacks on SCADA and other industrial control systems were possible. Are we ready if one comes our way?

First, I would not call Stuxnet complex, as I have written and presented many times. The attack was arguably complex, but Stuxnet not so much. I suppose we also could debate the meaning of the word complex but even Langner (who first discovered it) says Stuxnet was a simple and not well-written exploit.

Stuxnet attack very basic. DLL on Windows was renamed and replaced with new DLL to get on embedded real-time systems (controller). It was not necessary to write good code because of the element of surprise — only had to work pretty well

Second, it did not prove attacks on SCADA and other control systems are possible. It was well-known in the late 90s, as demonstrated by US Executive Order 13231 of October 16, 2001 “Critical Infrastructure Protection in the Information Age”, as well as Executive Order 13284 on January 23, 2003. In my BSidesSF presentation I explained the controversy Mudge started in 1999 when he told the press he could shut down 30 grids. So, from the “sophisticated” Maroochy Shire attack in 2000 to the “sophisticated” Aurora attack in 2007…there have been many proofs before Stuxnet.

Third, we know of reliability issues and failures already in control systems. I pointed out in my BSidesSF presentation three shutdowns of major nuclear stations in the US Northeast in early 2011. The question “are we ready” can be answered in the present tense for threats instead of a hypothetical. We know, for example, why more than 50 power plants were knocked offline in Texas recently. They were unprepared for threat conditions to their availability, despite forecasts. Moreover, the Governor of that state showed exceptionally poor judgment and a lack of situational awareness in his response.

Speaking of “ifs”, I am reminded of a Will Rogers quote:

If stupidity got us into this mess, then why can’t it get us out?

The CSO article would be far better if it tried to explain why, after more than ten years of warnings, critical infrastructure in America is still so susceptible to failure. Proverbs about chickens come to mind. Why is Stuxnet being phrased with terms of (sky-is-falling) cyberwar? Is that the most appropriate way to get a response from management?

Here is how I would have put the question: if we called Stuxnet the same kind of threat that we have been tracking and known about for years, albeit executed more carefully, would US critical infrastructure be any better prepared than they have been for lesser threats that seem to knock them offline?