Thursday, May 5, 2016

HR 710 Reported in Senate

Last year on May 20th, the Senate Commerce, Science and Transportation Committee held a markup hearing on HR 710, the Essential Transportation Worker Identification Credential Assessment Act, that passed in the House in February. The Committee adopted substitute language and ordered the bill reported. That report was published last week.

Substitute Language

The new language reported in the Senate is a substantial re-write of the details of the bill, though the general import of the bill remains the same. The main report required by the bill was changed from a GAO report to a two phased report conducted by a national laboratory or a university-based center that is part of a DHS center of excellence. And the time limit for the study will change from one-year to complete the study to 60-days to commission the study.

The scope of the study was expanded to include a new phase 1 study that includes {§2(c)(1)}:

• The appropriateness of vetting standards;
• Whether the fee structure adequately reflects the current costs of vetting; and
• Whether there is unnecessary overlap between other transportation security credentials.
The second phase of the new study fairly closely replicates the GAO study outlined in the original bill. One new requirement was added; “a cost-benefit analysis of the TWIC Program, as implemented” {§2(c)(4)}.

Where the original bill restricted moving forward on the TWIC Reader Rule, the new bill prevents any new TWIC rule until the DHS IG approves the Secretary’s corrective action plan based upon the 2-phase study. As with the original bill, the regulatory restriction does not apply the currently stalled rulemaking on the TWIC Reader implementation.

As with the original language, the substitute language specifically does not provide any funding for the required study and reports.

Moving Forward

That it has taken almost exactly a year to get this report printed indicates that there has been some behind the scene negotiations going on to allow this bill to move forward. I expect that those negotiations have been between the Committee and the Senate Homeland Security and Governmental Affairs Committee, the other committee to which this bill was assigned for consideration.

It is likely that this bill will be considered by the Senate before the summer recess. I would expect to see this considered under the unanimous consent provisions of the Senate rules with no debate and no vote. I would not be surprised to see the House accept the Senate amendment to this bill, obviating the need for a conference committee.

ICS-CERT Publishes March-April 2016 Monitor

Late yesterday the DHS ICS-CERT published the latest edition of their Monitor; a periodic report on the activities of the organization. This is one of the better issues with some interesting topics.

Incident Response

As we have come to expect, ICS-CERT leads off the publication with a brief piece discussing a recent anonymized attack. Also, as we have come to expect, the attack being used in the discussion is on an organization that would be expected to have an extensive industrial control system operation (a water utility in this case), but the attack never apparently reached the control system.

The attack was a ransomware attack on the utility, so this is a timely issue. The author uses the mixed response from the utility (one system with good backup recovery and a second system with a backup recovery with significant gaps) to explicate the need for timely backups to respond to this type of attack. Unfortunately, the discussion never reaches beyond IT systems and the topic of backups for control systems is never broached.

The second article also addresses incident response, this time giving an overview of the role of ICS-CERT in incident response. The discussion is somewhat marred however by the apparently fictional response to a water utility incident that could be used as a story proposal for a CSI Cyber television episode. While my cybersecurity application talents are more than a little out-of-date, I would be really surprised if the ICS-CERT team could remotely start an effective whitelisting application on a system before they had even seen network logs.

Protected Critical Infrastructure Information

The third major article is a brief overview of the importance of the PCII program. This is an important information sharing tool that allows a covered entity to submit data to a federal agency while protecting that information from public disclosure. The article does a good job of providing a description of the importance of the program and an overview of its protections.

The article does fall short, however, in failing to discuss the major problem with the program; facilities must use a very specific phrase at the start of any document that attempts to claim PCII protection. Failure to include the Express Statement (and two the other key pieces of information discussed on that page) will mean that the information will not be protected by the PCII program. While the article does provide a link to the extensive PCII web site failure to explicitly mention that there are specific requirements for claiming PCII protections does a disservice to the readers.

To be fair this problem is not limited to this ICS-CERT article about the PCII program. I have not yet seen a government discussion of the PCII program that really emphasized the importance of properly claiming PCII protection.

NOTE: Remember that DHS is in the process of trying to revise the PCII regulations (see here and here).

Strong Passwords

No discussion of cybersecurity would be complete without the topic of passwords being addressed. The fourth (and last) major article of this issue of the Monitor addresses this important topic. While there have been periodic discussions in the industry of replacing passwords with some neat new technology, ICS-CERT apparently remains a strong proponent of strong passwords. Their definition of a strong password is now 12 characters using: caps, lower case, numbers and symbols. Remember it must be unique, but easily remembered as you should never write it down. Sharing passwords or multiple users using the same password are both strictly verboten.

There is an important caveat in the article that should be remembered by everyone:

“There is only one proven method to prevent your password from being cracked: leave your device sealed in the box in which it was shipped. Otherwise, all passwords can be cracked. Given enough time and processing power, even the longest most random password can be cracked.”

Standard Features

This issue includes all of the standard blurbs that we have come to expect, including:

• Onsite Assessments Activity;
• ICS-CERT News;
• Recent Product Releases;
• Coordinated Vulnerability Disclosure;
• Open Source Situational Awareness Highlights; and
• Upcoming Events

It is nice to see three chemical sites listed in the Onsite Assessments Activity chart. At the risk of offending the increasing number of businesses that provide a for-fee assessment (a valuable service that should be encouraged) any facility that is being regulated by the federal government program that addresses cybersecurity of control systems (not many to be sure) would be foolish not to avail themselves of the free assessments provided by ICS-CERT. That assessment should be supplemented by the best fee-based assessment that the budget allows, but an ICS-CERT assessment has got to look good to any Federal inspector.

The ICS-CERT news piece in this issue was yet another non-update on the December Ukraine attacks. Apparently ICS-CERT has no new information that can be shared with the general control system community. It does plug the latest update to IR-ALERT-H-16-043-01BP, “Cyber-Attack Against Ukrainian Critical Infrastructure”. This is only available on the US CERT Secure Portal. You can request access through ICS-CERT (see the ‘I Want To’ box on the bottom of their landing page).

There is an ironic touch in the discussion of coordinated disclosures this month. The first name on the list of personnel being praised for coordinated disclosures is none other than Reid Wightman for his work on the Moxa vulnerabilities. I am sure that this mention makes Reid very happy.

Thumbs Up

The nits picked above notwithstanding, I really did enjoy this issue of the Monitor. I would recommend it to anyone in the control system security community.

Wednesday, May 4, 2016

HR 5077 Introduced – FY 2017 Intel Authorization Bill

Last week Rep. Nunes (R,CA) introduced HR 5077, the Intelligence Authorization Act for Fiscal Year 2017. Analysis of this bill is complicated because significant portions (How much? Don’t know.) are classified for fairly obvious reasons. The unclassified portion available to the public does include one cybersecurity provision; a requirement for a port cybersecurity report.

Port Cybersecurity Report

Section 604 requires the Under Secretary of Homeland Security for Intelligence and Analysis to submit a report on port cybersecurity to the congressional intelligence committees. The report will cover the “cybersecurity threats to, and the cyber vulnerabilities within, the software, communications networks, computer networks, or other systems employed by” {§604(a)}:

• Organizations conducting significant operations at seaports in the United States;
• Maritime shipping concerns of the United States; and
• Organizations conducting significant operations at transshipment points in the United States.

The report will include:

• A description of any recent and significant cyberattacks or cybersecurity threats directed against software, communications networks, computer networks, or other systems employed by the port entities described above; and
• An update on the status of the efforts of the Coast Guard to include cybersecurity concerns in the National Response Framework, Emergency Support Functions, or both, relating to the shipping or ports of the United States.

The report will also include an intelligence assessment of:

• Any planned cyberattacks directed against such software, networks, and systems;
• Any significant vulnerabilities to such software, networks, and systems; and
• How such entities and concerns are mitigating such vulnerabilities.

Moving Forward

Nunes is the Chair of the House Intelligence Committee and this is one of those ‘must pass’ authorization bills. The battles have been fought behind closed doors on this bill and will not see the light of day. This bill will be considered on the floor of the House, probably with limited debate and amendments. That is limited in the terms of time; we know that it will be limited to unclassified information.

The Senate will probably have their own version of the bill that will be passed in that body and then a conference committee will work out the differences between the two bills.


The port cybersecurity report required in this report would be significantly different than the one in HR 3878 that was passed in the House last December. This is much more of an intelligence report than a security systems report that was described in the earlier bill. The bill does not state this (an understandable oversight from the Intel Committee staff) but the report will certainly be classified and probably will not be shared further than with the Coast Guard’s Captains of the Port.

It would have been nice to see a requirement for an unclassified version of the report so that more sharing could be done with the information, but you never get much unclassified information from the intel community. It just goes too much against the grain.

Tuesday, May 3, 2016

ICS-CERT Updates Siemens Advisory

Today the DHS ICS-CERT updated a control system advisory for an authentication bypass vulnerability in a number of SIMATIC products. The advisory was originally published on December 1st, 2015 and then updated on February 2nd, 2016. This update provides information on another product for which a mitigating firmware update is now available. Updates are now available on all of the affected products.

Siemens Product-CERT announced the release of their updated advisory last Friday via TWITTER®. At the same time, they also announced an update or another advisory that was originally published last October. The corresponding ICS-CERT advisory has not yet been updated.

HR 5026 Introduced – Cybercrime Strategy

Last month Rep. Ross (R,FL) introduced HR 5026, a bill that would direct the President to develop and submit to Congress a comprehensive strategy to combat cybercrime. The bill is very short and broadly written.

Strategy Requirements

Rather than defining ‘cybercrime’ the bill would require the President to provide the definition to be used in the strategy. It would also require the President to {§1}:

• Designate which Federal agency should take the lead role in investigating and combating cybercrime;
• Review of the current strategy on combating cybercrime of each Federal agency engaged in combating;
• Review the efforts to combat cybercrime of the governments of other countries, as determined appropriate by the President;
• Outline a plan for how the Federal Government should work with State governments and with the governments of other countries to combat cybercrime; and
• Describe the threats that cybercrime poses to individuals, businesses, and governments, and recommendations for protecting against such threats.

Moving Forward

Ross is not a member of the House Judiciary Committee, the committee assigned to consider this bill. This means that it will be extremely difficult for him to have this bill considered by that committee. The most likely way for this bill to move forward would be for it to be offered as an amendment to the Commerce, Justice and Science spending bill when it makes its way to the floor for consideration since Ross is not a member of the Appropriations Committee. This bill would not likely face any serious opposition if it were offered on the floor of the House either as a standalone bill or as an amendment to a spending bill.


It is extremely unusual for a Republican Congressman to ask this President to establish a strategy for such a potentially important crime fighting program without providing more input to that strategy. I was especially surprised to see the lack of definition of ‘cybercrime’ in the bill and a list of findings that outlined what Congress saw as the extent of the problem.

Allowing the President to set this strategy at this point in the closing days of the Administration makes me think that this bill was never intended to actually be considered and sent to the President. I am hard pressed, however, to offer an explanation of what purpose the bill actually serves, unless Ross is using this simply as a political tool to paint the Administration (and by association his opponent in this year’s congressional election) as soft on cybercrime. I would have expected, however, for this bill to have some snappy title that could be used in press releases or campaign literature if that were to be the case.

In any case, I do not expect that we will hear any more about this bill outside of possible local campaign discussions.

Monday, May 2, 2016

ISCD Publishes CFATS Update – May 2016

Today the DHS Infrastructure Security Compliance Division (ISCD) published their May 2016 CFATS Fact Sheet. This document provides a monthly update of the implementation of the site security plan (SSP) program in the Chemical Facility Anti-Terrorism Standards (CFATS). ISCD continues to increase the number of authorized and approved SSPs as well as a significant increase in the number of compliance inspections.

March 2016
April 2016
May 2016
Covered Facilities
Authorized SSPs
Approved SSPs
Compliance Inspections

We continue to see the same problems with these numbers that we have seen every month for quite some time now. We continue to see a decline in the number of covered facilities without any explanation of why the facilities are leaving the program. The number of authorized SSPs continues to increase well beyond the number of facilities that remain in the program. Finally, we continue to see a report of the number of compliance inspections conducted without any indication of the rate at which those facilities are found within compliance with their negotiated SSP requirements.

The number of approved SSPs has now reached 75% of the number of covered facilities, if there is not the same counting problem that affects the number of authorized SSPs. It would be nice, however, if additional details were included, additional numbers that could have been provided would have been the number of facilities that were approved based upon their submission of an Expedited Approval Program SSP. With the recent implementation of the Terrorist Screening Database screening portion of the Personnel Surety Program a report on the number of approved SSPs that include the TSDB vetting.

While I am glad to see that ISCD is continuing to voluntarily report these CFATS Updates, it looks like it is really just a PR ploy since there are so many problems with the data being provided. If ISCD really wants this to mean anything, they need to consider updating what they are reporting.

RMP NPRM: Emergency Response Exercises

This is part of a continuing series of blog posts about the EPA’s recently published notice of proposed rulemaking (NPRM) for revisions of their Risk Management Program. Earlier posts in this series include:

Background – Emergency Response Exercises

The current RMP rules do not include any requirements for the conduct of emergency response exercises. The preamble to this NPRM notes that the original RMP NPRM (58 FR 54190, 10-20-93; not available on-line) did include such a requirement, but that it was dropped from the final rule. The preamble notes two reasons for that removal:

“First, the Agency decided to limit the emergency response program requirements to the minimum requirements contained in CAA section 112(r)(7) in order to avoid inconsistency with other emergency response planning regulations. Second, the Agency indicated that the additional requirements were already addressed in other Federal regulations and therefore, sources were already doing them.”

The preamble includes a lengthy discussion about the reasons for having an effective exercise program. The EPA then concludes that:

“However, EPA's experience with implementing the RMP rule over nearly two decades, along with incidents such as those described above, indicate that many regulated sources do not regularly conduct emergency exercises that involve local response authorities. The Agency now believes that adding this provision to the regulation will likely reduce the severity of some accidents that do occur.”

Exercise Requirement

The NPRM would add a new 40 CFR 68.96 outlining the exercise requirements for Program 2 and Program 3 facilities. Two general types of exercises are addressed; notification exercises and emergency response exercises. Both responding and non-responding facilities would be required to conduct notification exercises; while only responding facilities would be required to conduct the emergency response exercises.

Notification Exercises

Section 68.96(a) would require all Program 2 and Program 3 facilities to conduct an annual notification exercise. The notification exercise “would include contacting the Federal, Tribal, state, and local public emergency response authorities, and other external responders that would respond to accidental releases at the source”. Responding facilities would be able to include their notification exercise in their emergency response exercise.

Notification exercises would be documented and those records would be required to be maintained for five years. Those records would be submitted to local officials {§68.205(b)(6)} and be made available to the public {§68.210(b)(5)}.

Emergency Response Exercises

The NPRM would require responding facilities to conduct two different types of emergency response exercises: table top exercises and field exercises. Table top exercises would be conducted every year (except years when a field exercise is conducted) and field exercises would be conducted every five years.

Facilities would be “required to coordinate with local public emergency response officials in planning and conducting exercises, and invite local officials to participate in exercises”. The participation of local officials would not be required for a successful emergency response exercise.

Table Top Exercises

A table top exercises are defined as “discussion-based exercises without the actual deployment of response equipment”. A table top exercise would include:

• Procedures for informing the public and the appropriate Federal, state, and local emergency response agencies about an accidental release;
• Procedures and measures for emergency response after an accidental release of a regulated substance including evacuations and medical treatment;
• Identification of facility emergency response personnel and responsibilities;
• Coordination with local emergency responders;
• Procedures for the use of emergency response equipment, and other actions identified in the source's emergency response plan, as appropriate.

Field Exercise

A field exercise is an emergency response exercise that actually includes the deployment of emergency response equipment in accordance with the emergency response plan. They would be required every five years and within one year of a covered chemical release incident. A field exercise would include:

• Procedures for informing the public and the appropriate Federal, state, and local emergency response agencies about an accidental release;
• Procedures and measures for emergency response after an accidental release of a regulated substance including evacuations and medical treatment;
• Communications systems;
• Mobilization of facility emergency response personnel;
• Coordination with local emergency responders;
• Equipment deployment, and
• Other actions identified in the source's emergency response plan, as appropriate.


There is an old military adage that no plan survives contact with the enemy. Things happen that the planners did not foresee or consider in their planning process. Assumptions made by the planners do not actually pan out in a real world application. And, of course, the biggest problem is that actual responses include thousands of tiny details that can never make it into a plan. This is the reason for conducting exercises.

Having spent 15 years in the US Army and over 20 years in the chemical industry, I have taken part in a number of exercises, good and bad. I have also responded to real world incidents in both arenas. I will be the first to tell you that no real world incident has ever followed an exercise scenario. On the other hand, incidents where the response had been exercised (no matter how badly) always went more smoothly with fewer unanticipated disruptions.

There are three major shortcomings to the exercise program included in this NPRM. The first is inevitable due to congressional concerns with unfunded mandates placed upon State and local governments. Any notification exercise initiated by a covered facility should include at the very least a written response by the notified local emergency response agencies to the facility about what actions would have taken place if the notification had been an actual emergency. The facility could use that information to refine the prior coordination the facility has made with that agency.

The second major shortcoming is that the number and frequency of the exercises is totally inadequate, particularly when a plan is first established. A year between table top exercises provides too much time for the loss of institutional memory and five years between field exercises ignores the changes in equipment and processes that normally take place in most facilities over that time period.

Both of these time period related problems could be resolved if the regulation recognized smaller level intermediate exercises. For example, instead of pulling the entire emergency response team in for a table top exercise, just the supervisory and facility management personnel could conduct a table top exercise that Army used to call an exercise without troops. Likewise, you could have table top exercises for just portions of the emergency response team, like the decon team. This way you could have quarterly table top exercises while minimizing the disruption to the facility operation. The same sort of thing could be done with annual field exercises.

The third major shortcoming is again related to Federal mandates on State and local resources. This new exercise requirement totally ignores those facilities that opt to be listed as non-responding facilities. One just needs to consider the example of the West Fertilizer explosion, an example used throughout this NPRM. That facility was obviously too small to have a full blown internal emergency response plan, so no exercises would have been required for that facility.

At a very minimum there should be a requirement for all non-responding Program 2 and Program 3 facilities to host an on-site annual facility review exercise where representatives from the LEPC, the local fire department and other local emergency response agencies are invited to attend a briefing on the covered processes and the associated off-site consequence analysis (OCA) data followed by a tour of the facility. To encourage participation by local agencies, the facility should be required to include reports on the facility review exercise in the information that they are required to make available to the public under §68.210(b).

Finally, I am disappointed that the NPRM did not address the most basic emergency response exercise; the evacuation or shelter-in-place exercise. This is the industrial equivalent of the old-style school fire drill. There really should be a monthly requirement to conduct (and document) this type of exercise for all RMP covered facilities.
/* Use this with templates/template-twocol.html */