Friday, November 30, 2007

An insider SCADA attack

For all the talk of attacks on SCADA systems (for those not in-the-know, those are systems used to control things like power plants and water pipelines), there have been few publicly acknowledged actual attacks. Probably the most famous was in Australia last year where an attack on the systems controlling a water treatment plant caused raw sewage to be dumped onto the beach.

There was also an article and video recently talking about how one could use an attack on a SCADA system to blow up a generator. Not clear to me whether that was just theatre, but in any case it wasn't an actual attack.

But this is an interesting case - an employee of a California water authority attacked the system and diverted water. It's interesting not because of the level of damage or the ease of causing damage, but because it was an insider attack. Lots of systems, including control systems and voting systems, assume that the insiders are trustworthy and only worry about outsider attacks. Just as I wrote about insiders and voting when viewed through the lens of the Washington DC real estate scandal, perhaps we need to reconsider insider SCADA attacks, which were previously ignored.

Monday, November 26, 2007

Hats off to TSA

I rarely (OK, never) have anything good to say about TSA. But today I'm turning over a new leaf.

I returned last night from spending the Thanksgiving weekend in Los Angeles. I flew west (Dulles to Los Angeles on Tuesday night) and east on Sunday morning. (My daughter also flew Cleveland to Los Angeles on Wednesday night and back on Sunday morning.) TSA had ample staffing, with short lines at security checkpoints.

Lest it sound like I've been totally won over, I'll point out that they still failed to notice liquids and gels in my hand-carried baggage. The whole thing is still a charade - but one they managed to do more efficiently than I would have dreamed.

Friday, November 23, 2007

Voting systems and real estate fraud

The vast majority of election officials are honest, hardworking, underpaid public servants whose goal is to ensure that every eligible voter has the opportunity to vote, and that vote is counted accurately. So too, the vast majority of people who work in tax collection authorities are honest, hardworking public servants who want to ensure that everyone pays their fair share, according to the laws.

Over the past few weeks, a scandal has rocked Washington DC city government. It seems that a group of at least a dozen officials in the real estate tax office put through false paperwork to generate real estate tax refunds to non-existent companies, and stole at least $30M in taxpayer funds over a period of years.

When thinking of voting systems, one of the primary safeguards is multiple control - even if there is one corrupt official trying to sway (or steal) elections, their attempt will be unmasked by others. That's supposed to happen in tax systems too - but evidently it didn't.

The primary criterion used in the widely acclaimed Brennan Center report was the number of people who had to be involved to pull off a fraudulent election. Many of the attacks were infeasible because the numbers were too high. But perhaps in light of the DC tax scandal, we need to reconsider how big a conspiracy can go undetected within a government organization.

Many of the election officials I've talked to say that many types of attacks, such as replacing software with malicious software, or changing ballot layouts, just can't happen because trusted people do the work. Is that really good enough to trust our democracy?

Friday, November 16, 2007

How close is close enough?

Last week's elections left (at least) two very close elections in Virginia, based on the unofficial counts. In the Spotsylvania County Clerk of the Court race, the two leading contenders are separated by 63 votes, with 7,420 (38.46%) for Christy Jett vs. 7,357 (38.13%) for Paul Metzger out of a total of 19,295 votes cast. (Full details here.) In Fairfax County, out of 37,185 votes cast for the 37th State Senate seat, Ken Cuccinelli has 18,602 votes (50.02%) for a lead of 92 votes over Janet Oleszek (18,510 votes or 49.77%). (Full details here; Oleszek has announced she's seeking a recount.)

What does this mean? Both Spotsylvania and Fairfax counties use paperless Direct Recording Electronic (DRE) voting systems, meaning that the only record of the votes is what's in the memory cards on the voting machines. As has been amply demonstrated, there are lots of ways that these can be wrong, whether by accident or malicious intent.

Perhaps more critically, Virginia law is very clear on what can and can't be done in case of a recount. Section 24.2-802(D)(2) says "For direct recording electronic machines (DREs), the recount officials shall open the envelopes with the printouts and read the results from the printouts. If the printout is not clear, or on the request of the court, the recount officials shall rerun the printout from the machine or examine the counters as appropriate. [...] There shall be only one redetermination of the vote in each precinct." Section (H) notes "The recount proceeding shall be final and not subject to appeal."

Virginia is no stranger to close elections. In 2005, the Attorney General's race was decided by less than 0.02% (that's two hundredths of a percent, not two percent), and in 2006 the Senate race was decided by less than 0.4%.

Thus, there are no meaningful recounts possible in Virginia. All you can do is total up the tapes from the individual machines - but you can't go looking to see if there's an error in the software or the ballot programming. I'd love to have the opportunity to convince a judge that the law violates the constitutional right to have your vote counted, but I doubt I'll have that chance.

For those of us who believe that voting requires paper trails, our best allies are those who lose elections, regardless of their party. Those who win are much less likely to want to risk opening their election results to inspection.

Thanksgiving travel streamlined - not!

I'm as pleased as anyone to hear that President Bush cares about my Thanksgiving travel headaches. It's wonderful that there will be extra space for flights in the sky, and extra airline staff in the airports to help out.

Now is someone going to make sure the TSA doesn't screw it all up? In my experience, the bottlenecks are frequently TSA incompetence and understaffing, not any of the other problems. If I can't get through security, it doesn't matter whether my flight is on time or not.

Keep your fingers crossed for me - I'm California-bound!

Sunday, November 11, 2007

Judging the risk

I spent the weekend visiting my daughter at Oberlin College - like all parents, I'm tremendously proud of my children, and find I enjoy spending time with her more than ever.

My return trip was a bit more exciting than usual. After takeoff, the landing gear wouldn't retract, and then the smoke detector in the bathroom went off. The flight attendant commented that the smoke detector had done that on the same plane two days ago, and they replaced parts to try to fix the problem, obviously unsuccessfully. The net result was an emergency landing back at Cleveland, chased down the runway by fire trucks and ambulances. (No one was hurt, and there was no emergency evacuation.)

Several people were unwilling to get back on the plane (which turned out not to matter, since they canceled the flight and rebooked everyone). But it made me wonder - is getting on a plane that's just had an emergency (but a normal landing) safer or riskier than getting on a randomly selected airplane? On the one hand, we know that in this case they had tried and failed to fix the problem several days earlier, which would tend to indicate that it's riskier. [Of course, the problem might be that it's not a failing smoke detector, but something really wrong.] The landing gear issue is different - they hadn't seen that problem before. On the other hand, that particular plane is probably being checked over more carefully than usual by both mechanics and pilots, which would tend to make it less risky.

I've read several articles and books on misperception of risk, but in a simple case like this I don't know how to answer the question. Are people being superstitious in avoiding a flight on a plane that they know had a problem, and instead selecting a plane about which they have no historical information?

Unrelated to the risk item, but while I'm writing, here's my obligatory swipe at TSA: as I went through security, I deliberately did not remove my plastic bag of toiletries from my suitcase, and it went right through without complaints. But the pilot just in front of me had his baggage sent through the scanner twice. As numerous people have pointed out, an insider attack (i.e., a pilot who wants to destroy his own plane in flight) can't be stopped, so there's no point checking their baggage for explosives they placed aboard. I asked him about his feelings on the value of TSA - he didn't want to directly criticize them, but said "I do what I'm told".

Wednesday, November 07, 2007

Strange failure modes for voter sign-in

I spend a lot of time thinking about (and whining about) problems in electronic voting systems. But yesterday's Montgomery County (Maryland) election had a new twist to failures, not in the electronic voting system but in the system used by voters to check in at the polls. According to the Washington Post, "The state's list inadvertently marked as absentee the names of voters with a home address that begins with the number five. Election judges kept track of those who showed up to vote today in handwritten lists. And to ensure that voters only cast one ballot, election officials said they planned to compare the list to the names of those who actually cast absentee ballots."

This sounds like a movie-plot failure - it mishandles voters whose address begins with the number five?!?!?! It's hard for me to imagine what accidental software bug would cause that flaw!