Thursday, July 21, 2016

S 3186 Introduced – Active Shooter Support

Last week Sen. Carper (D,DE) introduced S 3186, the Active Shooter Preparedness Enhancement Act of 2016. This is a companion bill to HR 5643, introduced earlier this month by Rep. Duckworth (D,IL).

Moving Forward

Carper is the ranking member of the Senate Homeland Security and Governmental Affairs Committee, the committee to which this bill was assigned for consideration. Thus, unlike HR 5643, this bill has the potential for being considered in Committee.

There is nothing in the bill that would draw any significant opposition, so there is a good chance that if the bill were considered in committee or on the Senate floor that it would pass with at least some bipartisan support. The problem is, this late into the final month of the 114th Congress few bills will make it to the floor for consideration.


For anyone interested in this type of legislation, I would urge them to read my post on HR 5643. In short, any active shooter incident at an industrial facility needs to take into account the types, quantities and locations of any hazardous chemicals stored, produced or used at the site. I have seen little or no discussion of this inherent problem in any of the publications about active shooter events.

ISCD Updates CFATS Website for CSAT 2.0

Yesterday the DHS Infrastructure Security Compliance Division (ISCD), in conjunction with their Federal Register announcement about the implementation of CSAT 2.0, updated a number of their Chemical Facility Anti-Terrorism Standards (CFATS) program web sites. They also added a new page briefly outlining the new tiering methodology implementation.

Revised Pages

The following web sites were modified:

For the most part each page was modified by adding minor variations of the following note:

“Per the notice published in the Federal Register on July 20, 2016, DHS has temporarily suspended the requirement to submit a Chemical Security Assessment Tool (CSAT) Top-Screen and Security Vulnerability Assessment as the Department improves the tiering methodology process.”

Tiering Methodology Page

The new Chemical Facility Anti-Terrorism Standards Tiering Methodology page provides a brief overview of most of the information that was presented in yesterday’s Federal Register notice. Other than mentioning that the Site Security Plan (SSP) CSAT tool will also be ‘revised and streamlined’ there is no mention of the new relationship between the SSP and SVA tools.

The page also notes that ISCD is intending to add new (and presumably revise some existing) frequently asked questions on the CFATS Knowledge Center to address the changes being wrought in the CFATS program. As of the time of the writing of this blog post (06:00 am EDT), no such changes have been made to the FAQs.


These pages were modified/added overnight. This is a fairly comprehensive and timely update of a Federal web site to reflect an important new change in a regulatory program. While ISCD is to be commended on its prompt attention to the program web site, I do have a couple of complaints.

First, and foremost, is the lack of any real mention of the changes being made to the SSP portion of the CSAT tool. I am severely disappointed that the SSP page was not updated to include a mention of the fact that any un-submitted SSP data in a facility's SSP tool will be erased when the SSP tool is updated sometime next month. Particularly considering the unwieldy nature of the current SSP tool (which hopefully is being substantially reformatted in CSAT 2.0), the amount of work that could potentially be lost could be very disheartening for many CSAT Preparers.

Second, it is almost as disturbing to see no mention of the change in the relationship between the SVA and SSP. In the old CSAT these two reports were submitted sequentially and submission of the SSP did not begin until the SVA was ‘approved’ by ISCD. The move to developing the tiering notification based upon the Top Screen makes infinitely more sense, but it will make for a major shift in how a facility implements its CFATS process. This surely should have received at least some mention in yesterday’s website update.

Finally, when I saw the new tiering methodology page I expected to see at least some information about the actual methodology. I know that ISCD has committed to providing some level of detail about that new risk assessment process and this would have been an appropriate time and place to do so.

This is certainly not going to be the last change to the CFATS website reflecting changes being brought about by the implementation of the new risk assessment process or CSAT 2.0. In the next month or so we can expect to see a number of new and/or revised CSAT publications being published. I hope that ISCD intends to publish those in a phased manner so that we have a chance to review and digest the changes in each CSAT 2.0 tool before we consider the next tool revision.

Wednesday, July 20, 2016

DHS Publishes CSAT 2.0 Notice

Today the DHS Infrastructure Security Compliance Division (ISCD) published a notice in the Federal Register (81 FR 47001-47004) outlining the plan for the implementation of their new risk assessment protocol and the revisions to the Chemical Security Assessment Tool that are being called CSAT 2.0. This includes the temporary suspension of requirements to submit Top Screens (TS) and Security Vulnerability Assessments (SVA) effective today.

Three-Step Process

Today’s notice outlines a three-step process that ISCD will be undertaking to implement the new risk assessment protocol and CSAT 2.0. Those steps are:

• Temporarily suspend, effective July 20, 2016, the requirement for CFATS chemical facilities of interest to submit a Top-Screen and SVA;
• Replace the current CSAT Top-Screen, SVA, and SSP applications with CSAT 2.0 (i.e., the revised CSAT Top-Screen, SVA, and SSP applications) in September 2016; and
• Reinstate the Top-Screen and SVA submission requirements in 6 CFR 27.210(a) on October 1, 2016.

The Top Screen and SVA submission suspension affects all chemical facilities that may be required to submit either initial or resubmission Top Screens and SVAs.

Presumably the implementation of CSAT 2.0 will include the publication of new CSAT manuals during the month of September.

Facilities Not Affected

The notice makes clear that four specific classes of facilities will not be affected by the changes included in the implementation of CSAT 2.0. They include:

• Agricultural production facilities and miscellaneous extensions;
• Chemical facilities of interest with reportable COI that are only present in a gasoline mixture;
• Statutorily excluded facilities; and
• Untiered facilities that previously notified the department they had no reportable COI.

TS Submission Notifications

Once CSAT 2.0 is up and running ISCD will begin notifying ‘chemical facilities of interest’ of their need to submit a Top Screen. The notice makes it clear that the term ‘chemical facilities of interest’ was used deliberately instead of ‘covered facilities’ because it includes facilities that may have already submitted a Top Screen that indicated that they possessed DHS chemicals of interest (COI) inventories at or above the Screening Threshold Quantity (STQ).

The notification letters will be sent out in a phased manner over a number of months, presumably in a manner reflecting ISCD’s potential risk assessment of the previous information provided. There is no specific language in the notice that would indicate that all facilities that have provided Top Screens to ISCD will be notified to re-submit Top Screens at this time.

Facilities that do not have current COI inventories at or above the STQ will not be required to submit Top Screens to ISCD, even if they are notified by letter to submit a Top Screen. Those facilities may either submit a zero COI Top Screen or otherwise notify ISCD that they have no COI at or above the STQ and will not be submitting a Top Screen.

The notice does state that currently covered facilities that believe that the new risk assessment methodology will result in a lower tiering may submit a Top Screen before being notified by ISCD to do so. This certainly implies that ISCD will be sharing more information about the new risk assessment methodology and that tracks with what I have heard from ISCD privately. I do not expect that they will be sharing their actual model publicly, but they will be sharing more information about how the risk assessment methodology works.

Existing SVAs and SSPs

The notice makes it clear that only completed and submitted SVAs and Site Security Plans (SSPs) will be retained in CSAT 2.0. Partially completed SVAs and SSPs will be lost when CSAT 2.0 is implemented. This is particularly important to remember because ISCD will continue to accept new or revised SSP/ASP submissions up until the date of the CSAT 2.0 switch over.

New SVA/SSP Timetable

For the most part, since ISCD expects to make a tiering decision based upon the new Top Screen, there will be no need to delay the SSP submission until after the receipt of the SVA. This notice, therefore, states that the new SVA and SSP tools in CSAT 2.0 have been designed to have facilities submit both documents concurrently. While more details are expected when the new manuals are published in September, it would seem that there will be more direct sharing of information between the two tools that should make the submission of both documents easier.

This means that ISCD is changing the submission deadline for the SVA from the current 90 days in §27.210(a)(2) to 120 days. It is interesting to note that the current regulation specifically allows ISCD to change that deadline with a Federal Register notice rather than requiring a rulemaking. The notice also makes it clear that the same notification of high-risk and tiering that now initiates the SVA submission requirement also is being used to initiate the SSP requirement. That certainly means that ISCD will be modifying the current notification letters.

Since the SVA and SSP tools will be so closely linked, facilities that revise their SSP will now also be required to revise their SVA at the same time.

Regular Top Screen Submissions

The notice indicates that regular Top Screen submissions for facilities reporting new inventories of COI at or above the STQ will resume on October 1st, 2016. Facilities that acquire such inventories between now and then will have 60 days from October 1st to submit their Top Screen.

CSSS Update

I am sure that there will be more information available at today’s session at the Chemical Sector Security Summit presentation on “Infrastructure Security Compliance Division (ISCD) Regulatory Update”. That session will be web cast at 10:00 am EDT.

Tuesday, July 19, 2016

NIST Looking at CSF and Manufacturing Operations

Thanks to Joel Langill for his TWEET® pointing at a new pre-publication draft of a National Institute of Standards and Technology (NIST) document entitled “Manufacturing Profile Cybersecurity Framework”. The Executive Summary of the document describes its purpose this way:

“This document provides the Cybersecurity Framework implementation details developed for the manufacturing environment. The “Manufacturing Profile” of the Cybersecurity Framework can be used as a roadmap for reducing cybersecurity risk for manufacturers that is aligned with manufacturing sector goals and industry best practices.”

It is not clear when/if NIST intends to publish this document, but it looks like it will be a valuable addition to the documents used to help organizations implement the Cybersecurity Framework (CSF).

Manufacturing Overview

There is a brief, if somewhat simplistic, overview of manufacturing systems. It breaks manufacturing down into two broad categories: process-based and discrete-based. It then breaks process-based manufacturing into two separate processes: continuous and batch. I call this ‘somewhat simplistic’ because many manufacturing organizations use a combination of both systems and processes.

The important missing element in the manufacturing overview is any mention of the different types of cyber-systems used in the manufacturing environment. A wide variety of industrial control systems are used in the control of manufacturing processes, inventory control, safety systems, security systems and environmental controls.

Manufacturing and Business Objectives

The section on manufacturing and business objectives lays out five main areas where cybersecurity affects the manufacturing environment:

• Maintain personnel safety;
• Maintain environmental safety;
• Maintain quality of product;
• Maintain production goals; and
• Maintain trade secrets

The document then ties these categories of cybersecurity concern back into the categories and subcategories of the CSF Core. It highlights each of the subcategories in the Core that apply to each of the manufacturing objectives listed above.

The NIST document then goes on to undertake a lengthy discussion about how risks can be categorized for each of the subcategories in the CSF Core. Then, in Section 7 (Manufacturing Profile Subcategory Guidance) of the document NIST provides detailed proposed language for evaluating the cybersecurity risk profile for the manufacturing segment of an organization. Again this is based upon the categories and subcategories of the CSF Core.

Moving Forward

This document currently stands alone on the NIST web site without any indication of how NIST intends to move forward with this draft document. I would hope that NIST will continue their proactive efforts to bring industry into the development of the various documents that support the CSF. The 28 pages of the Manufacturing Profile Subcategory Guidance are too much for a single person (even me – GRIN) to effectively review and provide suggestions for improvement.

I do think that NIST has done another remarkable job of producing a draft document for public review and comments.

Friday, July 15, 2016

ICS-CERT Updates Advantech Advisory

Yesterday, in addition to the two updates I have already reported on, the DHS ICS-CERT updated a control system security advisory for Advantech WebAccess that was originally published on June 21st, 2016.

The update adds ZDI to the vulnerability reporting process. It also adds an information exposure vulnerability (CVE-2016-5810) to the previously reported vulnerabilities.

I became aware of this vulnerability earlier today when I received an email from ICS-CERT (part of the notification program for which you can sign up) notifying me that the advisory had been updated. There was also a TWEET from ICS-CERT today making the same notification.

My followers on TWITTER would normally have seen a Re-TWEET from me, but for some reason ICS-CERT has been blocking Re-TWEETS of a number of their advisory and update TWEETs. Not all of them have been treated that way, but an interesting number of them have.

Bills Introduced – 07-14-16

On their last day in Washington for the next seven weeks the House and Senate introduced 236 bills. Of those, five may be of specific interest to readers of this blog:

HR 5786 To amend title 49, United States Code, to provide for a rail spill preparedness fund, and for other purposes. Rep. DeFazio, Peter A. [D-OR-4]

HR 5843 To establish a grant program at the Department of Homeland Security to promote cooperative research and development between the United States and Israel on cybersecurity. Rep. Langevin, James R. [D-RI-2]

HR 5859 To amend the Homeland Security Act of 2002 to establish the major metropolitan area counterterrorism training and exercise grant program, and for other purposes. Rep. McCaul, Michael T. [R-TX-10]

HR 5877 To amend the Homeland Security Act of 2002 and the United States-Israel Strategic Partnership Act of 2014 to promote cooperative homeland security research and antiterrorism programs relating to cybersecurity, and for other purposes. Rep. Ratcliffe, John [R-TX-4]

HR 5900 To require compliant flame mitigation devices to be used on portable fuel containers for flammable liquids, and for other purposes. Rep. Thompson, Mike [D-CA-5]

Generally speaking these bills have little chance of being considered before this Congress disbands at the end of the year. For the most part these bills were introduced to provide the various congresscritters with bragging points in their campaigns. Still, I’ll be looking at each of these bills when they become available for review; there may be some interesting provisions.

CSB Business Meeting – 07-27-16

Today the Chemical Safety Board published a meeting notice in the Federal Register (81 FR 46045) for a business meeting to be held in Washington, DC on July 27th, 2016. The Board will provide an update on the 2016-2020 strategic plan, the status of Office of the Inspector General audits, open investigations, and the agency's action plan, as well as discuss financial and organizational updates. Conference call line access is being made available.

There will be a brief public comment period at the meeting. Written comments may also be submitted via email ( 