Month: April 2015

How ICS relates to our daily lives — snippet from GCCS2015 paper on ICS by Luiijf and Te Paske

The paper Cyber Security of Industrial Control Systems (.pdf, March 2015) by Eric Luiijf and Bert Jan te Paske, published as part of the Global Conference on CyberSpace (GCCS) 2015 that takes place later this month in The Hague, contains a nice explanation of how ICS relates to our daily lives. Quoting from page 10:

Good Morning with ICS

What ICS controlled functions did you use this morning before you arrived at your desk? None? Then, we ask you to re-trace your steps.

Your alarm clock awoke you. You turned on the bedside light. The required extra Watts were generated, transported and distributed under ICS control. While you took a shower, ICS adjusted the drinking water production process and maintained the pressure in the pipelines to your home. Heating of your home and cooking breakfast required the production, transport and distribution of gas. All these processes are controlled by ICS. The cup of milk you used required automatic milking, strict temperature control of the intermediate storage tanks, and processing and packaging at the milk factory, all under ICS control. You either took the train (ICS-controlled signalling, points, power and traction), or road transport (ICS-controlled traffic lights, safety systems in tunnels and traffic control of lanes). Arriving at the office, you passed the ICS-operated barrier to the parking lot and the ICS-controlled security barrier or doors to enter the premises. The air conditioning, fire protection and evacuation systems of your organisation are all operated by ICS 24/7, as well as the elevator you took to your office at the top floor. The (critical) large coffee/tea/chocolate/soup machine has embedded ICS and is connected to the Internet …

You may have noticed that we deliberately skipped at least twenty other ICS operated functions your organisation and you have encountered and used this morning. Can you name them? Surprised by how ICS embed and hide themselves in functionality that is taken for granted?

But who is taking care of the cyber security and resilience of such critical functions? Or are these ICS managed in an unconsciously insecure way?

The remainder of the paper discusses these questions.

EOF

What categories of data people share on Facebook according to Facebook’s lawyers — snippet from June 2014

In 2014, Facebook asked an appeals court to block bulk search warrants that directed Facebook to produce, as Facebook’s lawyers state, “virtually all records and communications for 381 Facebook accounts”. Here is an interesting paragraph from Facebook’s opening brief (.pdf, June 2014) for the appeal that shows how Facebook itself reflects on the personal data that is collected:

(…)

People use Facebook to share information about themselves, much of it personal. This information often includes:

  • The person’s age, religion, location, city of birth, educational affiliations, employment, family members, children, grandchildren, partner, friends, places visited, favorite music, favorite movies, favorite television shows, favorite books, favorite quotes, things “Liked,” events to attend, affiliated Groups, fitness, sexual orientation, relationship status, political views;
  • The person’s thoughts about: religion, sexual orientation, relationship status, political views, future aspirations, values, ethics, ideology, current events, fashion, friends, public figures, celebrity, lifestyle, celebrations, grief, frustrations, infidelity, social interactions, or intimate behavior;
  • The person’s photographs and videos of:  him- or herself, children/family, friends, third parties, ultrasounds, medical experiences, food, lifestyle, pets/animals, travel/vacations, celebrations, music, art, humor, entertainment;
  • The person’s private hardships meant to be shared only with  friends; and
  • The person’s intimate diary entries, including reflections, criticisms, and stories about daily life.

(…)

EOF

Dutch govt plans limitations on marketing and sale of explosives precursor chemicals

UPDATE 2018-12-18: EU LIBE committee report on the proposal for a regulation of the European Parliament and of the Council on the marketing and use of explosives precursors, amending Annex XVII to Regulation (EC) No 1907/2006 and repealing Regulation (EU) No 98/2013 on the marketing and use of explosives precursors (COM(2018)0209 – C8-0151/2018 – 2018/0103(COD)).

UPDATE 2016-03-31: Rules regarding placing on the market and use of explosives precursors (Law explosives precursors) (parliamentary paper, in Dutch).

UPDATE 2015-09-22: the government published (in Dutch) the Memorandum of Understanding for this legislation. It will be discussed on November 5th in a non-public meeting of the standing committee on Security and Justice.

On April 2nd 2015, the Dutch cabinet announced (in Dutch) legislation to restrict the sale of chemicals that can be used for explosives. The announced legislation, of which the text is not yet public, implements EU regulation No. 98/2013 on the marketing and use of these so-called explosives precursor chemicals. It will be illegal to sell certain precursor chemicals to individuals who do not hold a permit. For some chemicals that have common legitimate uses, limits are set on the concentration levels that are allowed to be sold to individuals. The EU regulation sets such levels for hydrogen peroxide, nitromethane and nitric acid. Furthermore, the EU regulation prescribes that suspicious transactions (suspicious “by reason of their nature, or scale”) concerning the following substances (on their own, in mixtures, or in substances) must be reported to the government:

  • Hexamine (e.g. fuel tablets for camping or modeling)
  • Sulphuric acid (e.g. sink plunger, battery acid)
  • Acetone (e.g. nail polish remover, solvent)
  • Potassium nitrate (e.g. fertilizer, preservatives)
  • Sodium nitrate (e.g. fertilizer, preservatives)
  • Calcium nitrate (e.g. fertilizer, preservatives)
  • Calcium ammonium nitrate (e.g. fertilizer)
  • Ammonium nitrate (e.g. fertilizer)

Some related measures are already in place in the Netherlands; the new law will to some extent formalize standing practice. This standing practice also includes measures that are not explicitly part of the EU regulation; for instance, in one document (.pdf, 2014, in Dutch; mirror) the National Coordinator for Security & Counterterrorism (NCTV) also mentions “fine metal powders”, “permanganate salts” and “other chlorate, perchlorate and nitrate salts” as chemicals for which suspicious transactions may be reported on a voluntary basis.

A poster (.pdf, 2014, in Dutch; mirror) from the NCTV mentions the following example indicators for suspicious behavior:

  • buyer appears nervous, avoids conversations, or is not the usual type of customer;
  • buyer wants to buy unusual quantities or unusual combinations of products;
  • buyer does not know how the product is normally used;
  • buyer does not want to disclose what he/she will use the product for;
  • buyer refuses alternative products or products with a lower concentration;
  • buyer only wants to pay in cash, especially in case of larger quantities;
  • buyer refuses to disclose their identity or address when asked;
  • buyer wants to package or ship the product in an usual way.

Reports can be phoned in 24×7 at the Dutch phone number +31(0)88-1540000. It is suggested that reports should include as much information as possible about the customer and the transaction, such as:

  • appearance: length, build, haircut and hair color, facial hair;
  • notable characteristics: tattoos, piercings, scars, etc.;
  • vehicle: license plate number, brand, model;
  • transaction: time, products and quantities.

Furthermore, receipt, identification data and video footage (security cameras) should be kept, as well as all documents touched by the customer (for fingerprint identification).

Here is a translation of today’s announcement by the Dutch cabinet:

New restrictions on sale of explosives precursor chemicals

Without a permit, individuals can no longer purchase chemicals that can be used to make explosives. They also cannot import, possess, or use the chemicals, if they don’t have the necessary documents. Moreover, sellers and individuals in the Netherlands will be required to report suspicious transactions, disappearances and thefts of such chemicals to the government.

This is stated in a legislative proposal by the Minister of Security & Justice, adopted by the Council of Ministers. This legislative proposal implements a European regulation concerning the sale and use of precursors (chemicals) for explosives. The measure is part of the action program “Integral Approach to Jihadism” [Dutch: “actieprogramma Integrale Aanpak Jihadisme”]. The general objective of the European regulation to improve security of societies and a more effective internal market.

Self-made explosives are often used by terrorists and other criminals. The cabinet thus wants to prevent that these persons get their hands on the required chemicals. It is expected that the availability of those chemicals will strongly diminish after the law is put into effect. The law thereby provides a significant contribution to national security.

Member states of the EU currently apply different rules concerning the raw materials used in explosives. Some countries have strongly regulated the selling of chemicals and monitors it. But sometimes these chemicals are easy to obtain in other countries. Introduction of the regulation must end this undesirable situation.

Many Dutch companies have taken measures in anticipation of the legislation. They also already report suspicious behavior at the Suspicious Chemicals Transactions Reporting Centre [Dutch: “Meldpunt Verdachte Transacties Chemicaliën”], a cooperation between the National Police and the Fiscal Intelligence and Investigation Service (FIOD).

The Council of Ministers agreed to submit the proposal to the Council of State for consultation. The text of the legislative proposal and the advice from the Council of State will become public when they are submitted to the House of Representatives.

Related:

EOF