Sunday, January 25, 2015

Committee Hearings – Week of 1-25-14

Here we are in the fourth week of the 114th Congress and the hearing schedule is starting to pick up. There are only two hearings this week, both on the Senate side, that may be of specific interest to readers of this blog; one on cybersecurity and one on rail transportation safety.


On Wednesday the Senate Homeland Security and Governmental Affairs Committee will be holding a hearing on Protecting America from Cyber Attacks: The Importance of Information Sharing. The witness list makes it clear that the focus of this hearing will be on the IT side of cybersecurity.

Freight Rail Safety

The Senate Commerce, Science and Transportation Committee will be holding a hearing on Wednesday on Freight Rail Transportation: Enhancing Safety, Efficiency, and Commerce. The current witness list includes:

● Mr. Frank Lonegro – CSX Transportation;
● Mr. Dave Brown – Genesee & Wyoming Railroad Services;
● Mr. Bill Johnson – Former Director of Port Miami and Former Chair of the Florida Ports Council;
● Ms. Michelle Teel – Missouri Department of Transportation; and
● Mr. Chris Jahn – The Fertilizer Institute

It is clear from this list that hazardous material transportation will be one of the topics discussed. Given that fact it is slightly disappointing that no one from the emergency response community is included on the witness list.

Byproducts and Unintended Consequences

There is an interesting discussion going on over on the Hazardous Materials Emergency Response (group membership required) group on LinkedIn about one of the byproducts of the current crude oil glut. As more expensive crude oil production sites are closed off due to the low market price of crude oil, there will be a reduction in the amount of crude oil transported in the US and Canada by railroad. One would like to think that this will lead to an increasing number of the most hazardous DOT 111 railcars being taken out of crude oil service.

Bill Barnholt, Cobra Hazmat/Safety Consulting & Training, writes in his discussion that:

“This means that there's going to be hundreds of (hopefully residue not loaded) tank cars being stored in areas that aren't used to having them around. This also increases the possibility of sabotage of the tank cars being stored. This will make the need for Emergency Responders even greater.”

Now this is not really an unusual occurrence. There are certain types of railcars that are periodically idled. The use of grain transport hopper cars, for instance, drops off dramatically after the harvest has been transported to market. The cars that are not actively in use are parked on some sort of non-active track until they are needed again.

The problem with these crude oil railcars, however, is that they may contain significant amounts of crude oil residue. While there certainly isn’t enough in a rail car to cause the sorts of fires that we have seen in the last year or so, there certainly is enough flammable vapors in these cars to cause a sizeable explosion if enough oxygen is present and there were some sort of ignition source.

I know that sounds dangers but there are two important ‘ifs’ in that statement. First enough oxygen must be present. We would expect these cars to be closed and, unless someone deliberately introduced oxygen into them, it is highly unlikely that there would be enough oxygen to support combustion inside the car. Second you would need a heat source (fire, electrical spark, etc) inside the car to provide an ignition source.

The very low probability problem could be eliminated by washing out the crude oil residues out of the railcars. Anyone that has ever cleaned a greasy auto part will have some inkling of the problems that are involved in this process. Needless to say this is not something that can be done safely or environmentally soundly just anywhere. Special facilities are required, the wash residue is typically a hazardous waste, and everything about this is quite expensive.

To the best of my knowledge there is no regulatory program that would require the owners of these cars to have them cleaned prior to parking them on a siding somewhere. Even more scary is the fact that there are no regulations that govern the security of these railcars that contain only residues. And there are certainly no rules governing where they can be parked.

Theoretically it would be fairly simple to turn these residue containing tank cars into rather impressive bombs. Some of the equipment would be a tad bit heavy for transporting by hand and it would take a little bit of knowledge about rail car fittings, but with the proper equipment and about 30 minutes access to the railcar a vapor phase explosion could be produced.

The effects of the explosion would be dependent on a number of factors, most of which would not be readily discernable before the attacker opened the railcar. I would expect, however, that if enough crude oil residues were present, it would be possible to produce a large enough explosion to damage nearby structures, kill people, and attract national news attention. In other words, it would be a successful terrorist attack if it took place near inhabited areas.

It is certainly too late to start any legislative or regulatory action to address the immediate issue. Local police departments should probably plan on actively patrolling these parking areas and all first responders should have a good idea where these railcars are parked in and near communities.

Other than that the best we can do is to continue to hope that the various wackos that wish to create death and destruction in support of whatever cause ignites their anger continue to lack the creativity and knowledge necessary to execute these types of attacks.

Saturday, January 24, 2015

OMB Approves FRA Risk Reduction Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the FRA’s notice of proposed rulemaking (NPRM) for the Railroad Risk Reduction Program.

As I noted in my post about the advance notice of proposed rulemaking (ANPRM) published in December of 2010 the amount of hazardous materials that a railroad carries (and particularly carries through major urban areas) will have a significant impact on the requirements of this risk reduction program. When I wrote that post I was mainly concerned with the transit of toxic inhalation hazard (TIH) chemicals and the emergency response requirements for those chemicals that should be included in this rule.

Since that time we have had a number of accidents with crude oil unit trains that have resulted in very large fires with multiple explosions. I would suspect that the FRA has included specific requirements for those trains in this NPRM.

We should see this NPRM published in the Federal Register in the coming week.

Friday, January 23, 2015

PHMSA Publishes HMR Update NPRM

Today the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice of proposed rulemaking (NPRM) in the Federal Register (80 FR 3787-3838). The proposed rule would make a number of changes to the US hazardous material regulations (HRM); some based upon responses to public petitions, others on responses to NTSB accident investigation recommendations and some were initiated by internal agency actions.

Petition Responses

The changes proposed in this rulemaking include responses to the following public petitions:

P-1590 – Dangerous Goods Advisory Council (DGAC) - Remove the PG II designation for certain organic peroxides, self-reactive substances and explosives in the § 172.101 Hazardous Materials Table (HMT);
P-1591 – Air Products and Chemicals, Inc - Amend the marking requirements for poisonous by inhalation shipments transported in accordance with the International Maritime Dangerous Goods (IMDG) Code or Transport Canada's Transport of Dangerous Goods (TDG) Regulations (§ 171.23);
P-1597 – DGAC- Require that emergency response telephone numbers be displayed on shipping papers numerically (§ 172.604);
P-1601 – United Parcel Service (UPS) - Amend the packaging instructions for certain shipments of nitric acid by requiring intermediate packaging for glass inner packagings (§ 173.158);
P-1604 – National Propane Gas Association (NPGA) - Extend the pressure test and internal visual inspection test period to ten years for certain MC 331 cargo tanks in dedicated propane delivery service (§ 180.407);
P-1605 – Compressed Gas Association (CGA) - Incorporate by reference in § 171.7 CGA Pamphlet G-1.6, Standard for Mobile Acetylene Trailer Systems, Seventh Edition(§§ 171.7 and 173.301); and
P-1609 – Truck Trailer Manufactures Association - Clarify the requirements applicable to the testing of pressure relief devices for cargo tank motor vehicles (§ 180.407).

NTSB Recommendations

Some of the changes are based upon two recent NTSB recommendations dealing with the shipment of acetylene cylinders mounted on mobile acetylene trailers. The specific NTSB recommendations were:

H-09-01 - Modify 49 CFR § 173.301 to clearly require (1) that cylinders be securely mounted on mobile acetylene trailers and other trailers with manifolded cylinders to reduce the likelihood of cylinders being ejected during an accident and (2) that the cylinder valves, piping, and fittings be protected from multidirectional impact forces that are likely to occur during highway accidents, including rollovers; and
H-09-02 - Require fail-safe equipment that ensures that operators of mobile acetylene trailers can perform unloading procedures only correctly and in sequence.

PHMSA Initiated Changes

There is a rather extensive list of PHMSA initiated changes include in this NPRM. That list includes:

● Revise § 107.402(d)(2) to replace the term “citizen” with the term “resident.”
● Revise § 107.402(e) to require that a lighter certification agency submits a statement that the agency is independent of and not owned by a lighter manufacturer, distributor, import or export company, or proprietorship.
● Revise § 107.402(f) to require portable tank and multi-element gas container (MEGC) certification agencies to submit a statement indicating that the agency is independent of and not owned by a portable tank or MEGC manufacturer, owner, or distributor.
● Revise § 107.807 to require a cylinder inspection agency to be independent of and not owned by a cylinder manufacturer, owner, or distributor.
● Remove the entry for CGA Pamphlet C-1.1 in Table 1 to § 171.7.
● Incorporate by reference updated versions of the American Association of Railroads (AAR) Manual of Standards and Recommended Practices, Section C-III, Specifications for Tank Cars, Specification M-1002 in § 171.7.
● Revise the § 172.101 table to add Special Provision B120 to Column (7) for the entry “Calcium nitrate, UN1454.”
● Revise the entry for “Propellant, solid, UN0501” to remove vessel stowage provision 24E from Column (10B) of the HMT.
● Revise the PG II HMT entry for “UN2920, Corrosive liquids, flammable, n.o.s.,” to for consistency with the UN Model Regulations, IMDG Code, and the ICAO TI such that this entry is eligible for the limited quantity exceptions.
● Revise the PG II HMT entry for “UN3085, Oxidizing solid, corrosive, n.o.s.” for consistency with the UN Model Regulations, IMDG Code and the ICAO TI such that this entry is eligible for the limited quantity exceptions.
● Revise the HMT entries for “Trinitrophenol (picric acid), wetted,with not less than 10 percent water by mass, UN3364” and “Trinitrophenol, wetted with not less than 30 percent water, by mass, UN1344” to harmonize the HMR with the UN Model Regulations, IMDG Code, and the ICAO TI to clarify that the 500 gram limit per package does not apply to UN1344 but does apply to UN3364.
● Revise Special Provision 136, assigned to the proper shipping name “UN3363, Dangerous goods in machinery or apparatus,” in § 172.102 to include reference to Subpart G of Part 173.
● Remove reference to obsolete Special Provision 18 for the HMT entry “UN1044, Fire extinguishers” and in § 180.209(j) and provide correct cross reference to § 173.309.
● Correct a reference in § 172.201 to exceptions for the requirement to provide an emergency response telephone number on a shipping paper.
● Revise §§ 172.301(f), 172.326(d) and 172.328(e) to include the clarification that the NOT-ODORIZED or NON-ODORIZED marking may appear on packagings used for both unodorized and odorized liquefied petroleum gas (LPG), and remove the effective date of October 1, 2006 or “after September 30, 2006,” if it appears in these paragraphs, as the effective date has passed.
● Amend § 172.406(d) by clearly authorizing the use of labels described in Subpart E with a dotted or solid line outer border on a surface background of contrasting color.
● Update a mailing address in § 172.407(d)(4)(ii).
● Clarify the marking size requirements for an intermediate bulk container (IBC) that is labeled instead of placarded by replacing the bulk package marking reference in § 172.514(c) with the non-bulk marking reference, specifically, § 172.301(a)(1).
● Revise § 173.4a(a) to clarify that articles (including aerosols) are not eligible for excepted quantity reclassification under § 173.4a, although some are eligible to be shipped as small quantities by highway and rail in § 173.4.
● Revise § 173.21(e) to prohibit transportation or offering for transportation materials in the same transport vehicle (e.g., a trailer, a rail car) with another material, that could cause a dangerous evolution of heat, flammable or poisonous gases or vapors, or produce corrosive materials if mixed.
● Clarify that the requirements provided in paragraph § 173.24a(c)(1)(iv) do not apply to limited quantities packaged in accordance with § 173.27(f)(2).
● Clarify the quantity limits for mixed contents packages prepared in accordance with § 173.27(f)(2).
● Clarify the requirements applicable to bulk transportation of combustible liquids by adding new subparagraph § 173.150(f)(3)(xi) stating that the registration requirements in Subpart G of Part 107 are applicable and revising §§ 173.150(f)(3)(ix) and 173.150(f)(3)(x) for punctuation applicable to a listing of requirements.
● Add a new paragraph (j) in § 173.159 to allow shippers to prepare for transport and offer into transportation damaged wet electric storage batteries.
● Revise § 173.166(e)(6) to add the words “or cargo vessel.”
● Revise §§ 173.170 and 173.171 by changing the term motor vehicle to transport vehicle to allow for motor vehicles comprised of more than one cargo-carrying body to carry 100 pounds of black or smokeless powder reclassed as Division 4.1 in each cargo-carrying body instead of 100 pounds total in the motor vehicle.
● Revise § 173.199(a)(4) by removing the reference to the steel rod impact test in § 178.609(h).
● Clarify the Packing Method table for organic peroxide materials in § 173.225.
● Amend the bulk packaging section reference in Column (8C) of the HMT from § 173.240 to § 173.216 for the entries “Asbestos, NA2212,” “Blue asbestos (Crocidolite) or Brown asbestos (amosite, mysorite) UN2212,” and “White asbestos (chrysotile, actinolite, anthophyllite, tremolite), UN2590.” In addition, we are proposing to revise paragraph (c)(1) in § 173.216 by authorizing the use of bulk packages prescribed in § 173.240.
● Add a new paragraph (d)(5) to § 173.304a, a new paragraph (h) to § 173.314 and revise § 173.315(b)(1) to require odorization of liquefied petroleum gas when contained in cylinders and rail cars.
● Amend § 173.306(k) to clarify that aerosols shipped for recycling or disposal by motor vehicle containing a limited quantity are afforded the applicable exceptions provided for ORM-D materials granted under §§ 173.306(i) and 173.156(b).
● Create a new paragraph (d) in § 175.1 stating that the HMR do not apply to dedicated air ambulance, firefighting, or search and rescue operations.
● Correct § 175.8 by adding the appropriate 14 CFR, Part 125 citations.
● Clarify exceptions for passengers, crewmembers, and air operators in paragraphs (a)(18), (a)(22), and (a)(24) of § 175.10 for the carriage of hazardous materials aboard a passenger aircraft.
● Clarify § 175.75(e)(2) by replacing the word “located” with “certificated.”
● Clarify § 176.30(a)(4) by replacing the word “packaging” with “package.”
● Clarify that the loading restrictions in § 177.835(c)(1) through (4) are applicable to § 177.848(e).
● Revise § 178.65(i)(1) to correctly reference the manufacturer's report requirements in § 178.35(g).
● Clarify § 178.337-17(a) to eliminate confusion of the name plate and specification plate requirements.
● Correct an editorial error in the formula in § 178.345-3(c)(1).
● Include provisions consistent with the non-bulk packaging and IBC approval provisions for Large Packagings in § 178.955.
● Clarify the requirements for Federal Railroad Administration (FRA) approval of tank car designs in § 179.13.
● Revise § 180.401 to replace the term “person” with “hazmat employee or hazmat employer” to clarify that Subpart E of Part 180 does not only apply to persons offering or transporting hazardous materials.

Public Comments

PHMSA is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal {; Docket # PHMSA-2013-0225 (HM-218H)}. Comments should be submitted by March 24th, 2015.

Bills Introduced – 1-22-15

There were 130 bills introduced in the House and Senate yesterday. Of those only two might be of specific interest to readers of this blog:

HR 490 - To provide for a strategic plan to reform and improve the security clearance and background investigation processes of the Federal Government, and for other purposes. Rep. Lynch, Stephen F. [D-MA-8]

HR 505 - To establish a Hazardous Materials Information Advisory Committee to develop standards for the use of electronic shipping papers for the transportation of hazardous materials, and for other purposes. Rep. Lipinski, Daniel [D-IL-3]

HR 490 will only be of specific interest if it includes requirements for non-governmental security clearances. The rules governing the issuance of security clearances for government employees and contractors are slightly different from those issued for the purely private sector.

ICS-CERT Publishes Advisory and TIP

Yesterday the DHS ICS-CERT published an advisory for a vulnerability in a Siemens system and a tip about best practices for continuity of operations.

Siemens Advisory

This advisory describes an open redirect vulnerability in the Siemens SIMATIC S7-1200 CPU family. The vulnerability was reported to Siemens by Ralf Spenneberg, Hendrik Schwartke, and Maik Brüggemann from OpenSource Training. Siemens has provided an update that mitigates this vulnerability, but there is no indication that the researchers have verified the efficacy of the fix.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to redirect users to a malicious web site. The exploit would require a social engineering attack.

BTW: Still no mention of the Siemens NTP vulnerability.

Continuity TIP

This document provides a rather extensive list of things to ensure the survivability of a network from a malicious intrusion. This looks to be more targeted at IT and network systems than specifically directed at control system security.

I did not see anything new or earth shattering, nor is anything described in the detail necessary for someone that doesn’t already understand this stuff to implement. This may, however, provide a basic check list for managers to use to question their cybersecurity folks on the status of their security processes.

Tuesday, January 20, 2015

ICS-CERT Publishes Two New Advisories

This afternoon the DHS ICS-CERT published two new advisories reporting multiple vulnerabilities in systems from Schneider Electric and Siemens.

Schneider Advisory

This advisory reports on two vulnerabilities reported in in Schneider Electric’s ETG3000 FactoryCast HMI Gateway by Narendra Shinde of Qualys Security. Schneider has produced a firmware update that mitigates the vulnerabilities. There is no indication in the advisory that Shinde was allowed to validate the efficacy of the update.

The two reported vulnerabilities were:

● Unauthenticated access - CVE-2014-9197; and
● FTP hardcoded credentials - CVE-2014-9198

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to access to the HMI Gateway. ISC-CERT also reports that Shinde reported that default credentials also allow access to configuration files, but this is not counted as a ‘vulnerability’.

The advisory also reports that the firmware update does not actually change the FTP credentials; it merely disables the FTP. The Schneider ‘readme’ document accompanying the firmware updated download explains what functions are lost when the FTP is disabled. Schneider also notes that upon an ETG reboot the FTP is automatically re-enabled.

Siemens Advisory

This advisory reports twin denial of service vulnerabilities in the SCALANCE X-300/X408 switch family. The vulnerabilities were reported by Déjà vu Security. Siemens has produced a firmware update that mitigates the vulnerabilities but there is no indication that Déjà vu Security has had the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to execute a denial of service attack. Siemens reports that both vulnerabilities require network access and one of the vulnerabilities requires the attacker be able to sign in to the FTP server.

Missed Siemens Advisory

Readers who follow me on TWITTER® (@pjcoyle) know that yesterday when Siemens reported their SCALANCE vulnerability they also reported on their NTP vulnerability in their RuggedCom devices. This is the set of vulnerabilities reported by ICS-CERT back in December. Siemens reports that their ROX based devices may be affected by those vulnerabilities.

They report that they are working on updates for the affected products. Their current advisory does provide some interim mitigation measures that system owners can take while waiting for the updates to be made available.

I suspect that the reason that ICS-CERT did not report this particular Siemens vulnerability is that the original NTP Advisory ‘addressed the problem’. Unfortunately it looks like Siemens (and perhaps other vendors) may have to take additional actions to protect their systems beyond that recommended in the NTP Advisory.
/* Use this with templates/template-twocol.html */