Wednesday, April 23, 2014

ISCD Updates CFATS Knowledge Center – 04-23-14

Today the DHS Infrastructure Security Compliance Division (ISCD) made a minor revision to one of the frequently asked questions (FAQ) on the CFATS Knowledge Center. The change was so small that there was no mention of the revision in the ‘Latest News’ section of the page.

FAQ #329 (originally published in May of 2009 and revised last in June 2012) had a typographical error in the actual question. It used to read:

What is the Environmental Protection AgencyƂ’s (EPA) RMP*Comp?

It now reads:

What is the Environmental Protection Agency's (EPA) RMP*Comp?


This is certainly a very minor error correction, but it was an error nonetheless, and ISCD is to be commended for their diligence. To be fair to ISCD, I did not report (nor probably notice) the typo when I reported on the FAQ changes made that day, but my records show that it was certainly there.

EPA Extends Use of Methyl Bromide Product

Today the Environmental Protection Agency (EPA) published a notice in the Federal Register (79 FR 22669 – 22670) amending a pesticide cancellation order from May 20th, 2011 (76 FR 29238 – 29240) allowing for the use of existing stocks of two methyl bromide products on golf courses. The products were produced by Cardinal Professional Products and Trical, Inc; both of Hollister, CA.

Golf Course Soil Fumigant

The original order allowed for the use of existing stocks through December 31st, 2013. In January these two manufacturers notified the EPA that they still had stocks of the material and requested an extension of the allowed sale and allowed use dates. Neither of the two letters is currently posted to the docket at www.Regulations.gov (Docket # EPA-HQ-OPP-2005-0123) so it is not clear how much of the two products is actually still available for use.

In today’s modification of that order the EPA allows:

• The sale and distribution of existing stocks of the affected products until November 30, 2014;
• The use of existing stocks of the products purchased prior to April 30, 2014 according to the directions on the label for the product until those stocks are exhausted; and
• The use of existing stocks that were purchased after April 30, 2014 only on golf courses according to the directions for that use on the label for the product until those stocks are exhausted.

Methyl Bromide and CFATS

Insert standard diatribe about methyl bromide being removed from list of DHS chemicals of interest (COI) because methyl bromide was ‘being phased out by EPA’.

It is not clear if this order revision would have any practical effect on chemical security rules under the CFATS program. Since we don’t currently know how much of the products the two organizations have on hand, we don’t know if they would have enough (10,000 lb minimum if the standard toxic release chemical standard were used) to be required to submit a Top Screen to DHS. Certainly, if they are currently covered under the CFATS program because of the possession of other, actually listed COI, this order will not affect their status.


Golf courses that use these two products will almost certainly not have anywhere near 10,000 lbs of this material on hand, so they would not have (if methyl bromide were a listed COI) to be concerned with CFATS reporting requirements.

Monday, April 21, 2014

Volunteer for CDCI Status

Last week I wrote about the notice published by DHS National Protection and Programs Directorate (NPPD) concerning the notifications made to organizations and facilities that have been designated Cyber Dependent Critical Infrastructure (CDCI). In that post I mentioned in passing that the request for reconsideration process outlined in that notice could be used by facilities that wished to be so designated. Today I want to look at why a facility might want to make such a request.

Program Benefits

The CDCI program is part of the President’s executive order on Improving Critical Infrastructure Cybersecurity (EO 13636) and is identified in §9 of that document. Actually, §9 only outlines the procedures for designating facilities as CDCI. The Notice published last week provides a brief listing of the positive impacts associated with the CDCI designation:

● Ability to request expedited processing through the DHS Private Sector Clearance Program, which may provide access to classified government cybersecurity threat information as appropriate;
● May be prioritized for routine and incident-driven cyber technical assistance activities offered by DHS and other agencies; and
● May receive priority in gaining access to Federal resources and programs to enhance the security and resilience of critical infrastructure against cybersecurity threats.

It is interesting to note that the Notice never uses the word ‘shall’ in the paragraph describing the positive impacts of the CDCI designation. The closest that it comes is in the final sentence:

“As Federal government resources and programs develop and improve to enhance the security and resilience of critical infrastructure against cybersecurity threats, cyber-dependent critical infrastructure will be a continued priority.”

There is nothing in the recent Notice or in §9 of the Executive Order that indicates that there are any specific requirements levied on a facility as a result of being designated as CDCI. The closest the Notice comes is a brief statement that the CDCI designees will be “encouraged to participate in the National Institute of Standards and Technology (NIST) cybersecurity framework for critical infrastructure”.

CSF Mandate

While the Administration has been very careful to talk about the voluntary nature of the cybersecurity framework (CSF) that was developed by NIST, the President made clear in the Executive Order that there was the distinct possibility that certain organizations might be required to adopt the CSF. Specifically mentioned in §10(a) of the EO (though that section is certainly not limited to them) are the critical infrastructure identified under §9 of the order (the CDCI).

Agencies are required to determine which CDCI they currently have adequate regulatory authority to “establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure”. Where that authority does not currently exist, the EO directs the agencies to identify “any additional authority required”. The clear implication is that the implementation of the CSF will be required for identified critical infrastructure facilities.

Agencies have until May 16th, 2014, to determine whether they currently have authority to mandate CSF implementation or to make recommendations as to what additional authorities are necessary to require implementation. At this point there is no telling how long it might take to implement CSF requirements if the authority currently exists; it will depend on whether a new rulemaking is required or just the publication of a notice. New authority will typically require Congressional action, which could take anywhere from years to decades to acquire.

There is also nothing that says that only CDCI will be required to implement the CSF. It will probably be easier for most regulatory agencies to require all existing critical infrastructure installations to implement the CSF than just a subset of the currently identified CI that has been selected by another agency of DHS. Either that, or agencies are going to have to come up with a separate designation process with criteria that are unique to their sector. That will just add an additional layer of complexity to the process; slowing it down even more.

Cost Benefit Analysis

Critical infrastructure facilities that have not been designated as CDCI have a choice to accept that lack of designation or request reconsideration of that decision. Such facilities will have to weigh the potential benefits versus the potential costs of the CDCI status to determine if they want to go through the reconsideration process.

Right now it looks as if the only ‘costs’ associated with the designation will be the potential requirement at some future time of implementing the CSF. For facilities that are already implementing or planning to implement the CSF, there would not really be a cost associated with the decision to request a positive reconsideration. Other facilities will certainly view a CSF mandate as a cost if and when the administrative processes for requiring the implementation are completed.

The other question that has to be taken into account in this cost benefit analysis is when the cost may be incurred. Since there is only a future possibility (a fairly high probability in my estimate) of a CSF implementation requirement, organizations might significantly discount that potential cost. This is particularly true because the EO calls for an annual review of the designation of CDCI; a future designation may come at a time when the potential cost is fully realized with CSF implementation regulations already in place.

Staying off the Bureaucratic Radar

There is one other downside cost that some organizations may perceive arising from the submission of a request for reconsideration; that of placing themselves on the DHS radar. Organizations, particularly smaller organizations, that may not otherwise attract the notice of potential future regulators at DHS may want to avoid attracting the attention of Federal agencies. This is particularly true in this era of the intended increase of information sharing within the Federal bureaucracy.

On the other hand, small organizations are unlikely to have extensive in-house cybersecurity resources. Leveraging some of the assistance that may be provided by the CDCI program may give installations a significant boost in the cybersecurity realm. This may provide a competitive advantage in the market place, or at least reduce the advantage enjoyed by larger competitors with more developed internal cybersecurity capabilities.

Quick Decision

With the May 15th deadline for requesting reconsideration fast approaching, organizations are going to have to make a quick decision. Having said that, this is an annual process, and the selection criteria will almost certainly change somewhat in the next go around. Failure to file a request for reconsideration by the deadline does not mean that an organization will be kept out of the program (or be forced to remain in the program) in perpetuity.

What is not clear from last week’s Notice, however, is when the next round of designations will be made. The current list of CDCI facilities was initially provided to the President in July of last year, but it is not clear when the facilities were actually designated as CDCI. I would assume that the program was officially stood up in the last couple of months and that we should expect to see the next annual notice of the reconsideration period about this time next year.


In any case, if an organization wishes to avail themselves of the potential benefits of the CDCI program, it probably makes sense to take advantage of the current reconsideration process by submitting their request before the May 15th deadline.

Friday, April 18, 2014

Reader Questions – CSF Notifications

Yesterday I had two interesting questions posed to me about my post on the DHS designations of cyber dependent critical infrastructure.

First on TWITTER® from Aristotle Tzafalias - “Know of any non ‘Cyber dependent’ (as defined in prev) CI?”

And then on my blog from an anonymous reader - “Any thoughts on what sectors (and representative companies) make up the greatest representation?”

Both are important questions for homeland security reasons, and I won’t be able to answer either definitively because DHS will not be disclosing either their list of ‘Critical Infrastructure’ facilities or their list of ‘Cyber Dependent Critical Infrastructure’ (CDCI) facilities, for security reasons. That won’t, of course, stop me from offering my thoughts on the matter.

Critical Infrastructure

There are a number of variations of the basic definition of ‘critical infrastructure’ that are in current use. To make things easy let’s stick with the one found in §2 of the President’s executive order on Improving Critical Infrastructure Cybersecurity (EO 13636):

“As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

With the large number of undefined terms in that sentence it is obvious that there is a wide leeway for determining what is or is not ‘critical infrastructure’. In the narrowest sense I can think of only a single entity, the New York Stock Exchange, whose incapacity or destruction would have a debilitating effect on national economic security.

If we look at ‘systems’, however, there are a much wider variety of systems that would fit the bill. These could include the electric grid, fuel distribution systems, and communications systems. In fact, the President has identified 16 critical infrastructure sectors of the economy that would meet a broad definition of critical infrastructure. Again, it is hard to imagine that the failure of any single entity within those sectors would meet the definition of critical infrastructure by itself, but a limited number of individual failures within a sector could certainly have debilitating effects on the national economy or security.

I think that a reasonable supposition about how DHS has gone about determining which facilities are to be considered critical infrastructure is that they selected those facilities where, if more than a couple failed at about the same time, there would be debilitating consequences for national security or the national economy. I think that most reasonable people would agree that this type of methodology would be the most usable way of designating critical infrastructure.

Cyber Dependent Critical Infrastructure

Aristotle raised an interesting question in his TWEET®; in today’s age isn’t everyone ‘cyber dependent’? To a certain extent this is true, but some sectors rely on cyber-systems more heavily than others. The ‘Information Technology Sector’ certainly relies more on their computers than does the ‘Dams Sector’, but no sector could long survive with their various electronic systems not functioning.

Using the broadest interpretation of the definition provided in yesterday’s Federal Register notice I would be hard pressed to think of any organization that would not be considered ‘cyber dependent’. And if DHS used that broad sweep to include all critical infrastructure, then the whole point of the exercise was lost. Section 9(a) of the EO required DHS to “use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security” [emphasis added].

So, instead of a complete loss of computer systems, DHS should have been looking at more limited incidents at these facilities that could result in ‘catastrophic’ effects. To be sure this would be a much more difficult standard to parse as DHS does not have a lot of internal information about most of these organizations and their systems. And again, even considering potential regional effects, there are very few facilities where a single cyber incident would cause catastrophic effects, so we should clearly expect that DHS would consider facilities where just a few related facilities affected by similar and concurrent attacks would cause catastrophic effects.

Now in my opinion, you are looking at just three types of facilities, the national stock exchanges, the electrical distribution system and fuel distribution pipelines. The remaining sectors have too much redundancy to be catastrophically disrupted by any reasonable set of cyber incidents. There could be economic disruptions in all sectors, but few that would even approach catastrophic on a regional or national basis.

Chemical Catastrophes

It might seem strange that I do not include the chemical sector, or at least chemical facilities storing large quantities of toxic inhalation hazard (TIH) chemicals, in the list of cyber dependent critical infrastructure. After all, we continue to hear organizations like Greenpeace insist that a catastrophic release at many of these facilities could result in deaths of hundreds of thousands of people. Wouldn’t that be a catastrophe on a regional or national scale?

It certainly would, but I would have a hard time positing a reasonable cyber incident that would result in a catastrophic release of one of these chemicals. A release yes, even a release that resulted in off-site casualties; certainly. But not a catastrophic release of the scale discussed by these organizations (and to be fair by me here in this blog), that would take a failure of the physical structure of the tank. A cyber incident could, at most, result in a valve being opened to the atmosphere that would take dozens of hours to release the total contents to the atmosphere. Long before that happened, manual efforts to close the line would be successful.

What about water system contaminations like we saw in Charleston, WV? While the Freedom Spill was certainly disruptive, even severely disruptive, to the lives of the folks that live in that area, it was hardly a catastrophe. But let’s assume that the definition of ‘catastrophe’ was wide enough to encompass that scale of disruption. I would be hard pressed to define a ‘reasonable’ cyber incident that would cause that type of problem. You would have to find an upstream facility that held a chemical that would not be removed by the municipal water treatment facility and find a way to electronically release that chemical in a way that bypassed existing secondary containment. You could not have done it at Freedom Industries; their tank valves were all manually operated.

There may certainly be facilities where this could be done. Identifying them would be very difficult for DHS and nearly impossible for anyone else but an insider. I’m certainly not saying that DHS or EPA shouldn’t be looking at this, but it wouldn’t be part of the cybersecurity program; at least not initially.

What Has Actually Been Done?

So that is my take on the limitations of the cyber dependent critical infrastructure designations covered by this notice. How closely does that track with reality? I haven’t the foggiest idea; DHS is keeping this information fairly closely held, and they certainly are not discussing it with me.


I would guess that they are using a wider set of criteria than those that I have described above. There is a certain bureaucratic incentive to broadly define the problem. The more facilities that are designated CDCI, the more responsibility that DHS has for their oversight and assistance. So I would guess they include many more, and different types of, facilities than I have described. Which ones and how many? I just have no way of knowing.

Thursday, April 17, 2014

ICS-CERT Publishes Siemens Advisory and Updates 3 HeartBleeds

Today the DHS ICS-CERT published a new control system advisory for a Siemens product and provided updates on three separate HeartBleed related documents.

Siemens

The new Siemens advisory identifies three vulnerabilities in their SINEMA server. Siemens self-reported the vulnerabilities and has published a software update to mitigate the problems. The identified vulnerabilities include:

• Code injection, CVE-2014-2731 (incorrectly listed as CVE-2014-7231);
• Relative path traversal, CVE-2014-2732; and
• Improper input validation, CVE-2014-2733.

According to ICS-CERT a relatively unskilled attacker could remotely exploit these vulnerabilities to execute arbitrary code, traverse through the file system, or cause a DoS.

HeartBleed Updates

ICS-CERT updated their HeartBleed Situational Awareness Alert by adding a list of ICS related products that have been identified as being specifically affected by the OpenSSL vulnerability. Only two vendors currently have products on the list, Innominate and Siemens.

The Innominate HeartBleed Advisory was also updated. The Phoenix Contact branded versions of the Innominate devices are not affected by the HeartBleed vulnerability, but Innominate has upgraded them to the latest version to alleviate customer concerns. Only the 8.0.0 and 8.0.1 versions of the mGuard firmware are affected by the vulnerability.


ICS-CERT has also provided a link to the latest FBI list of Snort Signatures that may be used to detect attempted exploitation of the HeartBleed vulnerability.

PHMSA Publishes Two Preemption Determination Requests

The DOT Pipeline and Hazardous Materials Safety Administration (PHMSA) published two notices in today’s Federal Register {79 FR 21838-21840 (NY); 79 FR 21840-21842 (PA)} concerning requests by the American Trucking Associations (ATA) for determination of preemption of hazardous material permitting rules in New York City and Pittsburgh, PA. A determination of preemption would mean that the cities could not require the permits in question nor collect the fees for those permits.

New York City

The ATA has asked PHMSA to determine if the Federal Hazmat Transportation Law (49 USC Chapter 51) preempts the hazardous material transportation permitting requirements of Section 2702-02 of Title 3 of the Rules of the City of New York.

Pittsburgh

The ATA has asked PHMSA to determine if the Federal Hazmat Transportation Law (49 USC Chapter 51) preempts the hazardous material transportation permitting requirements of Chapter 801 of Title 8 of the Pittsburgh Code, Fire Prevention.

Public Comments


PHMSA is soliciting public comments on both petitions. Comments may be submitted via the Federal eRulemaking Portal {www.Regulations.gov; Docket # PHMSA-2014-0003 (NY) or Docket # PHMSA-2014-0002 (PA)}. Comments should be submitted by July 16th, 2014.

NPPD Makes CSF Notifications

The DHS National Protection and Programs Directorate (NPPD) published a notice in today’s Federal Register (79 FR 21780-21782) announcing that it had, in accordance with §9 of the President’s executive order on Improving Critical Infrastructure Cybersecurity (EO 13636), completed notification of facilities that they have been identified as “critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security”. The notice also outlines the procedure by which a facility can appeal that designation.

The actual list of designated facilities was submitted to the President on July 19th of last year. The facilities have been designated as “cyber-dependent critical infrastructure” and the list will be reviewed on an annual basis.

Definitions

Today’s notice provides several definitions that are important to understanding this program. They include:

Cyber incident; and

The above definitions seem to be IT system centric. For example the ‘cyber incident’ definition covers events that impair “the confidentiality, integrity, or availability of electronic information, information systems, services, or networks”. While this does not specifically exclude control systems, it certainly needs to be stretched to include them.

The definition of ‘critical infrastructure’ is taken verbatim from §2 of the EO. As I noted in an earlier blog the definition would be difficult to apply to any single production facility though national distribution networks (pipelines and the electric grid, for instance) would easily fall within the definition.

It is strange that NPPD did not use the §9(a) definition from the EO that expands coverage to facilities with potential catastrophic regional effects. This is especially true since §9(a) is the section directing DHS to prepare the list of critical infrastructure. Of course, since the list will not be publicly available, we will never really know how expansive the definition is in actual practice.

Listed Facilities

Being listed as a cyber-dependent critical infrastructure (CDCI) facility does not currently add to any regulatory burden, though adoption of the NIST Cybersecurity Framework (CSF) is encouraged. CDCI designation does provide facilities with the following perks:

● Ability to request expedited processing through the DHS Private Sector Clearance Program, which may provide access to classified government cybersecurity threat information as appropriate;
● May be prioritized for routine and incident-driven cyber technical assistance activities offered by DHS and other agencies; and
● May receive priority in gaining access to Federal resources and programs to enhance the security and resilience of critical infrastructure against cybersecurity threats.

Please note all of the permissive ‘mays’ in the descriptions. There are no guarantees provided. This is almost certainly due to the fact that this program is based upon an EO not legislative authority.

Status Appeal

The notice also provides instructions on how a facility can appeal their designation (or lack of designation) as a CDCI. The process for a request of reconsideration is actually quite simple in concept if not necessarily in actual execution. A letter or email is sent to the Under Secretary for NPPD requesting reconsideration. The request should include:

● The entity for which the reconsideration is being requested;
● The name, title, telephone number and email address of a designated point of contact, whether an employee or non-employee agent, for the owner or operator of that entity to whom all communications related to the reconsideration process will be directed; and
● If desired, a request for a meeting with DHS representatives.

After DHS confirms receipt of the initial request the process becomes less well defined as it involves the provision of information by the facility to DHS. That information will be the justification for why a facility should or should not be on the CDCI list. What the information might be and how much information will be necessary will vary considerably.

The notice does provide some very specific requirements for the formatting of information. It should be submitted by email (with certain exceptions) as a single attachment. It must be:

● Double-spaced;
● In 12 point Times New Roman text or visual material;
● Have 1” margins; and
● Have page numbers.

The Notice specifically reminds submitters that the information provided may constitute Protected Critical Infrastructure Information (PCII) and provides a list of references about that program. Information designated as PCII (by the submitter) must be protected against disclosure by the Federal government and by anyone with whom it shares that information.

Anyone that submits information for this reconsideration process should become familiar with the PCII program as outlined in 6 CFR Part 29, and the PCII Program Procedures Manual (additional information can be found here). The single most important thing to remember is that information to be protected under the PCII program must be so designated {in a very prescribed manner, see §29.5(a)(3)} when it is submitted. If that is not done, the information is not required to be protected under the program.

The notice also reminds personnel submitting classified information that such information cannot be submitted by email.

Deadline

Facilities or organizations wishing to request a reconsideration must have their initial request submitted to NPPD by May 15th, 2014. Requests received after that date will not result in reconsideration, but may be added to the consideration process in the preparation of the next annual list of CDCI.


Once NPPD notifies a facility that their request was received, facilities will have 60 days to submit supporting information.