Wednesday, August 24, 2016

Draft OSHA PSM Guidance Documents Published

Yesterday I received an interesting email from the folks at DHS who are providing administrative support for the DHS-OSHA-EPA response to the President’s Executive Order on Improving Chemical Safety and Security (EO 13650). The email reported that OSHA had published three new draft guidance documents for its Process Safety Management (PSM) program and noted that OSHA was soliciting public comments on those documents.

The three new guidance documents are for [NOTE: all links are for .PDF downloads]:

A brief review of the Storage Facility guidance document did not show any new information or outline any new requirements not already spelled out in the PSM guidance document. It looks like the intent is to provide a fairly brief (15-page) overview of the PSM requirements for facilities that may have thought that the PSM standard did not really apply to them. If that is the intent, a brief section outlining how a facility determines whether it is covered by the standard would have been appropriate.

OSHA is soliciting public comments on these documents. Written comments may be submitted via the Federal eRulemaking Portal (Docket #OSHA-2016-0021).


I have two points of interest to discuss without having done a detailed review of any of the three documents. The first is a complaint about the administration of this process and the second is a pet peeve about the PSM program.

I am very disappointed in the way that OSHA is going about this publish and comment process. There is no notification about these documents on the OSHA EO 13650 web site, nor has there been a notice published in the Federal Register. That, combined with the very short (30-day) comment period, makes me wonder just how interested OSHA and the Administration are in receiving public comments on these documents.

Since these are just guidance documents with no real information, I suppose OSHA is under no legal obligation to go through a formal publish and comment process. But, if you want to keep up appearances, especially this late in the life of the current Administration, then a formal publication of a request for comments in the Federal Register with a reasonable 60-day comment period would seem to be much more appropriate.

There are a series of ‘frequently asked questions’ at the end of the guidance documents and one of those in the Storage Facilities document (and most likely the others) is responsible for triggering a mini-diatribe about the major failing (IMNSHO) of the PSM program. The FAQ asks: “Must employers inform OSHA if the standard applies to them?” The OSHA response (in part) is very important:

“No. Unlike various other environmental, health, and safety regulations, the PSM standard does not have notification or reporting requirements. This means employers do not need to inform OSHA whether or not they meet the PSM applicability criteria. They need only ensure that they fully comply with the mandatory PSM requirements for all processes that meet the applicability criteria.”

This is one of the reasons (another being a totally inadequately sized inspection force) that PSM covered facilities seldom see an OSHA inspector until after a major accident has occurred; an accident that frequently would have been prevented if the PSM standard had been met. While some facilities deliberately ignore the safety standard, most facilities (particularly the smaller ones) fail to meet the standards set forth in the PSM program out of program ignorance and the lack of chemical safety experience. An active compliance inspection program before accidents happen would certainly help reduce the accident rates.

Tuesday, August 23, 2016

ICS-CERT Publishes Advisory Update and New Advisory

Today the DHS ICS-CERT updated an advisory previously published for a control system vulnerability in the Westermo industrial switch and published a new advisory for Moxa’s OnCell products. The Westermo advisory was originally published in January 2016.

Moxa Advisory

This advisory describes two vulnerabilities in the Moxa OnCell product. The vulnerabilities were reported by Maxim Rupp. Moxa has produced new firmware to mitigate these vulnerabilities, but there is no indication that Rupp was provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Improper restriction of excess authentication attempts - CVE-2016-5799; and
• Plain-text storage of passwords - CVE-2016-5812

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to bypass authentication to log in as a valid user.
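The two weakness classes named in the advisory are generic enough to show side by side. The following is example code written for this post, not Moxa firmware, and it assumes nothing about how OnCell actually implements login; the account name, password, wordlist and lockout values are constructed. The weak store keeps the password in clear text and answers every attempt, so the wordlist walk succeeds on the seventh guess; the hardened store keeps only a salted PBKDF2 hash and locks the account after five failures, so the same walk fails even though the correct password is in the list.

```python
"""Added illustration of the two weakness classes named in the Moxa advisory:
CWE-307 (improper restriction of excessive authentication attempts) and
CWE-256 (plaintext storage of a password). This is example code written for
this page, not Moxa firmware; the account name, password, wordlist and
lockout values are constructed and nothing here describes how OnCell
actually implements login."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5          # attempts allowed before the account locks
LOCKOUT_SECONDS = 300     # cooling-off window after MAX_FAILURES
PBKDF2_ROUNDS = 100_000

# Constructed wordlist; the correct password is the seventh guess.
GUESSES = ["admin", "password", "123456", "Password1", "changeme",
           "default", "Sup3rSecret!", "letmein"]


class WeakStore:
    """Password kept in clear text and every attempt answered.

    Anyone who can read the store (config backup, firmware dump) gets the
    password outright; anyone who cannot can simply keep guessing."""
    def __init__(self):
        self.users = {"admin": "Sup3rSecret!"}      # constructed demo account

    def login(self, user, password):
        return self.users.get(user) == password     # also not constant-time


class FakeClock:
    """Deterministic stand-in for time.monotonic so lockout expiry can be shown offline."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class HardenedStore:
    """Salted PBKDF2 hashes plus a per-account lockout after repeated failures."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}        # user -> (salt, pbkdf2 digest)
        self.failures = {}     # user -> (failure count, locked_until)

    def add_user(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[user] = (salt, digest)

    def is_locked(self, user):
        count, until = self.failures.get(user, (0, 0.0))
        return count >= MAX_FAILURES and self.clock() < until

    def login(self, user, password):
        if self.is_locked(user):
            return False                 # refuse before touching the password
        # Unknown users get a dummy salt/digest so the hash is still computed
        # and the response time does not reveal whether the account exists.
        salt, stored = self.users.get(user, (b"\x00" * 16, b"\x00" * 32))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if user in self.users and hmac.compare_digest(candidate, stored):
            self.failures.pop(user, None)
            return True
        count, _ = self.failures.get(user, (0, 0.0))
        count += 1
        until = self.clock() + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[user] = (count, until)
        return False


def brute_force(store, user, wordlist):
    """Try each guess in order; return (password found or None, attempts made)."""
    for attempt, guess in enumerate(wordlist, start=1):
        if store.login(user, guess):
            return guess, attempt
    return None, len(wordlist)


if __name__ == "__main__":
    print("weak store:", brute_force(WeakStore(), "admin", GUESSES))
    clock = FakeClock()
    hardened = HardenedStore(clock=clock)
    hardened.add_user("admin", "Sup3rSecret!")
    print("hardened store:", brute_force(hardened, "admin", GUESSES))
    clock.advance(LOCKOUT_SECONDS + 1)
    print("correct password after lockout expires:", hardened.login("admin", "Sup3rSecret!"))
```

One caveat for control-system gear: a per-account lockout is itself a denial-of-service lever, since an attacker who can reach the login page can keep the operator account locked. Throttling by source address, exponential back-off, or alerting on repeated failures are the usual alternatives when an operator must always be able to get in. The hashing half of the fix is independent of that choice; a device that stores the password in clear text leaks it to anyone who can read a configuration export regardless of how login attempts are limited.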

Rhetorical Question: Has Maxim Rupp selected Moxa to be his personal research project?

NOTE: According to a TWEET from Maxim Rupp the advisory does not list all of the affected devices. Sounds like a case where the vendor does not acknowledge all of the affected devices. ICS-CERT certainly does not test them. Added 08-24-16 0630 EDT.

Westermo Update

This update explains that Westermo has now produced a patch that allows changing the default certificates to custom certificates instead of requiring the certificates to be changed manually.

NOTE: ICS-CERT announced this update on TWITTER® today. Without that notification it would be very difficult to know that the advisory had been updated.

ISCD Publishes CFATS Cybersecurity Guidelines

Today the DHS Infrastructure Security Compliance Division (ISCD) posted a link to the CFATS Knowledge Center providing some additional guidance on how ISCD looks at cybersecurity in the site security plans (SSP) for facilities in the Chemical Facility Anti-Terrorism Standards (CFATS) program. This is supplemental information to that found in Risk-Based Performance Standard (RBPS) 8 of the RBPS Guidance Document.

Since the CFATS program is a risk-based security program, ISCD is really only interested in cybersecurity as it relates to the security of the DHS chemicals of interest (COI) that are responsible for the facility being covered by the CFATS program. Specifically, the guidance notes that ISCD is looking at cyber systems that:

• Contain business or personal information that, if exploited, could result in the theft, diversion, or sabotage of a COI;
• Are connected to other systems that manage physical processes that contain a COI; or
• Monitor and/or control physical processes that contain a COI.

The new document provides a brief overview of the types of activities that ISCD is looking to see in facility SSPs related to three specific types of cyber systems:

• Critical business systems;
• Critical physical security systems; and
• Critical control systems.

As with all ISCD guidance, there is very little detail in this document. This is because of Congressional limitations on the ability of DHS to specify security measures under the CFATS program. Once a facility has an approved SSP, however, the measures described in the SSP are specifically enforceable by ISCD.

Coast Guard Publishes TWIC Reader Final Rule

Today the Coast Guard published a final rule in the Federal Register (81 FR 57651-57713) outlining the requirements for the use of Transportation Worker Identification Credential (TWIC) card readers at facilities and on vessels covered by the Maritime Transportation Security Act (MTSA) program. The notice of proposed rulemaking (NPRM) for this rulemaking was published in March of 2013, and I completed a series of blog posts on the public comments received on that NPRM. This final rule was approved by OMB back on July 11th, 2016.

This rule will require that, before an individual is allowed unescorted access to a designated secure area of a Risk Group A vessel or facility, that individual must have:

• His or her TWIC authenticated;
• The status of that credential validated against an up-to-date list maintained by the TSA; and
• The individual's identity confirmed by comparing his or her biometric (i.e. fingerprint) with a biometric template stored on the credential.

The final rule authorizes a facility or vessel owner to either use a TWIC card reader on the approved TSA list or fully integrate electronic TWIC inspection and biometric matching into a new or existing Physical Access Control System (PACS). Due to the exemption for vessels with 20 or fewer covered personnel, there is only one vessel currently covered by this rulemaking. A total of 525 facilities are affected.

The effective date of this rule is August 23, 2018.

Future blog posts will take a more detailed look at the provisions of this final rule.

Monday, August 22, 2016

FAA Publishes Two Cybersecurity Special Condition Notices

Today the DOT’s Federal Aviation Administration published two cybersecurity related special condition rules in the Federal Register for aircraft from Beechcraft (81 FR 56475-56477) and Bombardier (81 FR 56474-56475). These final special conditions are required because of novel or unusual design features that require special attention not outlined in normal airworthiness standards.

Beechcraft Special Conditions

This Special Condition applies to the Beechcraft Model 400A airplane. The Special Condition is required to allow installation of digital-systems network architecture, composed of several connected networks that may allow access to or by external computer systems and networks, in Beechcraft Model 400A airplanes. The applicable airworthiness regulations do not contain adequate or appropriate safety standards for this design feature. The FAA notes that:

“The existing regulations and guidance material did not anticipate this type of system architecture, or external wired and wireless electronic access to airplane electronic systems. Furthermore, regulations, and current system safety-assessment policy and techniques, do not address potential security vulnerabilities that could be caused by unauthorized access to airplane electronic systems and networks.”

The Special Conditions require that:

“1. The applicant must ensure that the airplane electronic systems are protected from access by unauthorized sources external to the airplane, including those possibly caused by maintenance activity.
“2. The applicant must ensure that electronic system-security threats are identified and assessed, and that effective electronic system-security protection strategies are implemented to protect the airplane from all adverse impacts on safety, functionality, and continued airworthiness.
“3. The applicant must establish appropriate procedures to allow the operator to ensure that continued airworthiness of the airplane is maintained, including all post-type-certification modifications that may have an impact on the approved electronic system-security safeguards.”

Bombardier Special Conditions

The Special Condition applies to the new Bombardier Model BD-700-2A12 and BD-700-2A13 airplanes. The Special Condition is required because the aircraft will contain a digital system architecture that contains multiple, interconnected domains, including:

• Flight-safety-related control, communication, and navigation systems (airplane-control domain);
• Operation and administrative support (operator-information-services domain); and
• Passenger information and entertainment systems (passenger-entertainment domain).

Additionally, this digital systems architecture will have the capability to allow access to or by external network sources.

The Special Conditions require that:

1. The applicant must ensure that the design provides isolation from, or airplane electronic system security protection against, access by unauthorized sources internal to the airplane. The design must prevent inadvertent and malicious changes to, and all adverse impacts upon, airplane equipment, systems, networks, or other assets required for safe flight and operations.
2. The applicant must establish appropriate procedures to allow the operator to ensure that continued airworthiness of the airplane is maintained, including all post type certification modifications that may have an impact on the approved electronic system security safeguards.

Public Comment

The FAA is soliciting public comments on these special conditions. Written comments may be submitted via the Federal eRulemaking Portal (Beechcraft Docket #FAA-2016-8029; Bombardier Docket #FAA-2015-6359). Comments should be submitted by October 6th, 2016.


The FAA continues to address aircraft cybersecurity issues on a case-by-case basis. This is almost certainly due to the fact that most aircraft being certified do not have digital control systems with the potential for outside access that could affect safety of flight. That is obviously changing.

These special conditions are written in broad enough language that each manufacturer and aircraft operator is being given a wide degree of latitude in how they accomplish the requirements set forth in the Special Conditions. And it must be remembered that each applicable solution still has to be specifically certified by the manufacturer and/or the operator.

Two questions remain. First, does the FAA have enough adequately trained cybersecurity personnel to do the evaluation necessary to complete the certification process? Second, does the FAA have a vulnerability disclosure process in place to allow third party cybersecurity researchers to notify the FAA of newly discovered vulnerabilities in these flight control systems? I do not have an answer to these questions, but I do not get a warm and fuzzy feeling when contemplating the probable answers.

Thursday, August 18, 2016

ICS-CERT Publishes Navis Advisory

Today the DHS ICS-CERT published an advisory for the SQL injection vulnerability reported yesterday by ICS-CERT in an alert concerning an uncoordinated public disclosure of the vulnerability in the Navis WebAccess application. Today’s advisory reports that Navis has produced “custom patches to mitigate this vulnerability”. There is no indication that bRpsd, the researcher who published the vulnerability, has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to compromise the confidentiality, integrity, and availability of the SQL database. A separate incident response Alert published yesterday reports that there have been multiple live exploits of this vulnerability.

There is a very interesting explanation in the Mitigation section of this advisory that I am repeating here:

“Navis reports that they have released custom patches on August 10, 2016, for the Navis WebAccess application, which is a legacy product that is in use by thirteen customers around the world, five of which are in the United States. The SQL injection vulnerability, which targeted publicly available news-pages in the application, was brought to Navis’ attention on August 9, 2016. Navis reports that they have contacted all their affected customers and that all customers in the United States have implemented the fix.”

This is a remarkably quick response to a vulnerability in an extremely low volume legacy product. An SQL injection vulnerability should be relatively easy to fix, but a one-day turnaround from a vendor is commendable and should set the standard for the industry.
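The mitigation text says the injection went through publicly available news pages, which is the textbook case of a page parameter pasted into a query. The following is example code written for this post with a constructed SQLite schema and constructed access-log lines; it is not Navis code, the table names, the /news.php path and the id parameter are assumptions, and nothing here describes how WebAccess is actually built. It shows the vulnerable lookup beside the parameterized one, and, because the separate alert reported live exploitation, a small triage pass over web-server log lines of the kind an incident responder would run to find who has been poking at the parameter.

```python
"""Added illustration of the SQL injection class described in the Navis
advisory, written for this page with a constructed SQLite schema and
constructed web-server log lines. It is not Navis code; the table names,
the /news.php path and the query-string parameter are assumptions, and
nothing here describes how WebAccess is actually built."""
import re
import sqlite3
from urllib.parse import unquote_plus


def build_db():
    """In-memory database standing in for the application's backend (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO news VALUES (1, 'Terminal hours', 'Gate opens at 0600.');
        INSERT INTO news VALUES (2, 'Holiday notice', 'Closed Monday.');
        INSERT INTO users VALUES (1, 'ops_admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def news_vulnerable(conn, raw_id):
    """The ?id= value is pasted straight into the statement (the flaw)."""
    sql = f"SELECT title, body FROM news WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def news_hardened(conn, raw_id):
    """Type-check the parameter and bind it; the driver never treats it as SQL."""
    try:
        article_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("article id must be an integer")   # HTTP 400 in a real handler
    return conn.execute(
        "SELECT title, body FROM news WHERE id = ?", (article_id,)
    ).fetchall()


# Constructed access-log lines in common log format; the path is hypothetical.
LOG_LINES = [
    '10.0.0.5 - - [17/Aug/2016:10:01:02 +0000] "GET /news.php?id=2 HTTP/1.1" 200 512',
    '203.0.113.9 - - [17/Aug/2016:10:05:44 +0000] "GET /news.php?id=1%20UNION%20ALL%20SELECT%20username,pw_hash%20FROM%20users HTTP/1.1" 200 1733',
    '203.0.113.9 - - [17/Aug/2016:10:06:01 +0000] "GET /news.php?id=1%20OR%201=1-- HTTP/1.1" 200 2048',
]

# Crude triage pattern for decoded query strings; expect false positives on
# legitimate free text, so treat hits as leads rather than verdicts.
INJECTION_RE = re.compile(
    r"(\bunion\b|\bselect\b|\bor\b\s+\S+\s*=\s*\S+|--|'|;)", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')


def flag_suspicious_requests(lines):
    """Return (client address, decoded query string) for requests that look injected."""
    flagged = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = unquote_plus(match.group(1)).partition("?")[2]
        if INJECTION_RE.search(query):
            flagged.append((line.split()[0], query))
    return flagged


if __name__ == "__main__":
    conn = build_db()
    payload = "1 UNION ALL SELECT username, pw_hash FROM users"
    print("vulnerable:", news_vulnerable(conn, payload))
    try:
        news_hardened(conn, payload)
    except ValueError as exc:
        print("hardened:", exc)
    for addr, query in flag_suspicious_requests(LOG_LINES):
        print("suspicious request from", addr, "->", query)
```

The hardened handler does two things, and both matter: the cast to int rejects anything that is not an article number before it gets near the database, and the bound parameter means that even a value that slipped past validation would be handled as data rather than as SQL. The log check is deliberately noisy; on a real incident it is a first cut to pull candidate source addresses and decoded payloads for a closer look, not a detection rule to alert on as-is.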

PHMSA Sends New Lithium Battery Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received an interim final rule from the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) amending the Hazardous Materials Regulations (HMR) provisions for the shipment of lithium batteries. This rulemaking appeared for the first time in the Spring 2016 Unified Agenda.

According to the Unified Agenda abstract:

“This action would amend the Hazardous Materials Regulations to incorporate three amendments that impact the transport regulations for packaged lithium cells and batteries not packed with or contained in equipment. These amendments would: (1) prohibit the transport of lithium ion cells and batteries as cargo aboard passenger carrying aircraft; (2) limit lithium ion cells and batteries to a 30 percent state of charge; and (3) limit the number of packages that may be offered under current provisions for small (excepted) cells and batteries to not more than one package per consignment. We anticipate these amendments will result in temporary supply chain disruptions [emphasis added] but will produce immediate safety benefits by eliminating vulnerability in the existing transport regulations.”

The same high energy density that has led to the ubiquitous use of lithium batteries is also a major contributor to the fires that have resulted during shipment and use of these batteries. It will be interesting to see if OIRA allows PHMSA to go directly to an interim final rule on this rulemaking this late in the life of this Administration. While safety, not politics, is almost certainly the impetus for the rulemaking, we can expect to hear cries of ‘midnight regulations’ if this rule is issued without the normal publish and comment process.

Note: I do not expect to provide any future coverage of this rulemaking on this blog.