Sunday, January 31, 2010

Reader Comment – 01-29-10 Cyber Response

A reader, D3, posted a response to my recent blog about the introduction of HR 4507. D3 wrote: “Why should it surprise you to learn that the Federal Government realizes that cyber security is "everyone's responsibility?" Assuming the Federal Government is the sole entity responsible for security in "cyberspace" is a lot like saying the fire department is the only entity qualified to respond to fire emergencies...just a thought--not an attack.” In the broader sense, D3 is certainly correct; everyone is responsible on some level for cyber security. If every computer user properly protected their own computers we would not have the wide spread ‘botnets’ that are being used in so many cyber attacks. If every organization properly trained their users and adequately monitored their own networks they would be much less susceptible to cyber attacks. If every equipment manufacturer and software developer adequately tested and evaluated the risks to their products, it would be much harder for cyber criminals to affect successful cyber attacks. If the wording of HR 4507 indicated that the consortium was designed to help State and local governments to protect their own computer systems against cyber attack, then I would be much more supportive of the measure. However, it seems to me that the intent of the bill is to enroll these State and local governments in the more general protection of the ‘Internet’. Those governments simply have no authority to affect cyber practices beyond their own internal systems. If Congressman Rodriguez (D, TX) was intending to ensure that the appropriate cyber security education was being developed and spread down to the State and local level so that they could protect their own systems, I think that it should have been more explicit. The current language does not appear to me to support that interpretation. A further suggestion; State and local governments are not the only entities that need outside assistance in the field of cyber protection and education. There are a very large number of users that do not have the internal resources to ensure that their organization is making the proper efforts to protect their systems from cyber attacks. The consortium could also be used to develop procedures and training for small businesses and non-profit organizations. If HR 4507 were expanded to cover this type of organization than the intent to help systems protect themselves this intention would be clearer.

Saturday, January 30, 2010

DHS CSAT FAQ Page Update 01-29-10

This last week DHS only added/update one question on the Chemical Security Assessment Tool (CSAT) Frequently Asked Question (FAQ) web page. This extensive FAQ page provides a very large list of questions that have been addressed by the CSAT Help Desk and provide some insight into the DHS CFATS program administration. This week a new question and response were added to the FAQ page. That question was: 1660 Once I get my “final” tier, can it or will it ever change? How and why? DHS notes that the ‘final’ tier is the term given to the tier designation after the Security Vulnerability Assessment (SVA) is reviewed by DHS and does not mean that this is a permanent tier ranking. The response provides three examples (presumably not exclusive) of how a facility might receive a different tier ranking. Significant Change in Operations The first example is the one explicitly covered in the CFATS regulations {§27.210(d)}. Anytime a facility has a ‘significant’ change or “material modification” in their operations they are required to submit a new Top Screen. DHS will evaluate the new Top Screen and determine if the change is significant enough to require either a new SVA or Site Security Plan (SSP). A new SVA might result in a change in Final Tier ranking. DHS has not specifically listed all of the things that might constitute a “material modification” but it would certainly include the addition or removal of a chemical of interest (COI) from a facility. A significant increase or decrease in the inventory of an already existing COI would be a material modification. The addition of a new security measure would not be captured in a new Top Screen, but could conceivably result in a change in Tiering. Facilities should probably contact the Help Desk for a determination on how to proceed in that case. Remember, removing a security measure that has already been placed on a submitted or approved SSP can only be done with the approval of DHS. Two New Tier Change Methods The second response expands on an implicit requirement of §27.210(b). That section requires facilities to periodically resubmit their SVA and or SSP. DHS has yet to publish a schedule for the resubmission of SVA’s and SSP’s (we really do need to get the current SSP process complete before anyone really wants to worry about that), but DHS could also send letters to individual facilities, or post a notice in the Federal Register requiring a class of facilities, to submit new SVA’s or SSP’s. This FAQ response notes that DHS could change their Tier ranking based on the newly submitted SVA or SSP without any underlying change in the Top Screen information. This could reflect the DHS determination that “the plan has been successful enough to lower the facility’s final tier”. Not stated in this response, but possible, would be the determination that the SSP had proven inadequate in some manner and the Tier ranking could be raised. A similar methodology has actually been used for addressing the Tier ranking of a large number of gasoline fuel terminals after DHS changed some of the SVA questions relating to the storage of gasoline products. DHS required re-submissions of the SVA for the potentially affected terminals and re-evaluated their Tier rankings based upon the new information. The third response is implicit in the Secretary’s authority determine Tier rankings and requires no new input from covered facilities. This response indicates that DHS can change the existing Tier ranking when:
“DHS considers new information about a site, chemical, threat, or process that warrants revising (up or down) an existing final tier. DHS will provide appropriate notification to the facility of the reasons justifying a change in the facility’s existing tier.”
This means that if DHS were to come into some new information that would change their basis for determining Tier rankings, DHS could go back and use that new information to re-evaluate previously issued rankings.

Friday, January 29, 2010

HR 4507 Introduced

On Tuesday, Congress Rodriguez (D, TX) introduced HR 4507, the Cyber Security Domestic Preparedness Act. The legislation would authorize the Secretary of DHS to establish the Cyber Security Domestic Preparedness Consortium which would train and assist State and local authorities prepare for and respond to cyber security attacks. The Act would also authorize the establishment of the Cyber Security Training Center where such training would take place. The Consortium would consist of “consist of academic, nonprofit and government partners that develop, update, and deliver cyber security training in support of homeland security” {§226(c)}. In addition to training, the Consortium would provide technical support to State and local authorities “in support of cyber security preparedness and response” {§226(b)(3)}as well as conducting simulation exercises to aid in developing techniques “to defend from and respond to cyber attacks” {§226(b)(4)}. The bill does not include a definition of ‘cyber attacks’, nor does it provide a description of the types of attacks for which the Consortium would provide training support. One would assume that attacks against industrial control systems would be included in ‘cyber attacks’ although there is already an organization within DHS that already conducts that type of training, the Control Systems Security Program (CSSP) under the DHS-CERT. The difference would be that the CSSP training is directed at private industry where industrial control systems reside, rather than at State and local authorities. It does strike me as unusual that this bill seems to intend to pass responsibility for preventing and responding to cyber attacks down to the State and local level. It seems to me that this should certainly fall under Federal responsibility under both the Commerce and Common Defense clauses of the Constitution.

Thursday, January 28, 2010

STB Finds for USM in Chlorine Rate Dispute

Today the Surface Transportation Board released their decision on one of three on-going chlorine shipping rate disputes between US Magnesium and Union Pacific (EB 40441). The STB found that the UP rates were “unreasonably high” and directed UP to establish new rates that do not exceed rates prescribed in this decision. While this case will likely have some effect on some rail transportation rates for similar TIH chemicals, the Board declined to “resolve the significant policy issue of PTC investment” (pg 17). The Board noted that they do not “require a shipper to provide the carrier with a return on an investment the carrier has not yet made” and noted that “UP has not sufficiently demonstrated the precise amounts that could be reasonably ascribed to USM’s traffic”. Finally, the Board stated that the Three-Benchmark proceeding agreed to by both parties is not an appropriate proceeding to resolve such a complex issue. In short, USM wins another tactical victory (with two similar battles still underway), but the final outcome of the war is still far from resolved. I’m sure that other chlorine and TIH producers are closely watching these developments.

Chlorine DVD Review

I always like to pass along information about hazard communication tools so I was really happy to find a review of a new chlorine information video at SecurityManagement.com. The 28 minute video by Emergency Film Group is part of their Hazchem series of videos and comes highly recommended by Mayer Nudell, the reviewer. I was particularly interested in the comment that the film addresses, along with the typical physical and health hazard information, the DHS “reporting and security requirements for handling chlorine”. This information might not be particularly important for emergency response personnel, but it should make this video useful as part of the annual training requirement listed in the TSA security regulation.

Wednesday, January 27, 2010

Cyber Security Bill to Rules Committee

The House Rules Committee web site announced this afternoon that they would be holding a hearing on H.R. 4061, the Cybersecurity Enhancement Act of 2009 next week. The Rules Committee web site has a link to the revised version of the bill that was supposed to have been reported by the House Science and Technology Committee. As of the 5:00 pm EST today that report had still not been submitted even though it was directed to be reported back in November. The Rules Committee has announced that they would be accepting proposed amendments through 5:00 pm EST on Monday, February 1st. The bill provides a number of provisions that are designed to increase the study of cyber security issues and establish standards to protect a variety of federal and critical infrastructure computer systems. Unfortunately, there is only one reference to industrial control systems in the entire bill. Section 110 of the bill amends Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3), requiring the NIST to conduct “research associated with improving security of industrial control systems”. There are a number of places in this legislation where there should be references to industrial control systems in general a chemical production systems in particular. The potential changes could include: In the findings section of the bill:
On page 4, line 5, after ‘petroleum production and distribution,’ insert “chemical production and distribution,” On page 5, line 9, after ‘reliable information technology’ and insert “, vigorous industrial control systems”.
In §103, the Cybersecurity Strategic Research and Development Plan:
On page 7, line 10, rewrite to the end of the line after ‘secure networking’ to read “, information technology systems and industrial control systems;”
In §106, the Federal Cyber Scholarship for Service Program:
Throughout the section substitute the term “cyber technology” where ever the term ‘information technology’ is found.
These changes will help to expand federally funded research on security issues for industrial control systems.

Reader Comment – 01-25-10 Complacency

Since Red Team has taken part in security exercises at a number of facilities, I asked him if there were any interesting comments that he had heard from chemical facilities that he could share. He replied in a comment to one of the fertilizer blogs posts:
“Good question. Without going into details, many facilities simply appear to rely on the misconception that extremist groups lack the required knowledge of the deadly potential of various chemicals. “When asked why they didn't attempt to secure various assets containing certain chemicals, many sites simply reply that an adversary isn't going to know how to use it.”
I wish that I could say that I am surprised to hear that comment, but I am not. There is a common misconception about terrorists, based on news accounts about the wannabes that are the most frequently apprehended terrorists, that terrorists are third-world losers that have nothing to loose. Granted that wearing a suicide vest or spraying gunfire in a crowded marketplace does not take a great deal of training, but the people behind such simple attacks use a great deal of skill and knowledge to plan these events. The ‘downtrodden masses’ of the world have never provided more than cannon fodder for revolutionary movements. The leaders of such movements always come from the dissatisfied elites and middle class. They are the only ones with the time, education and money necessary to put together these kinds of prolonged actions. Anyone that underestimates the intentions and capabilities of these organizations is just setting themselves up to be a successful target.

New Security Blog

I ran across a new security blog the other day that might be of interest to members of the chemical security community, Svaconsultant's Blog. It is written by David McCann who has apparently worked as a security consultant for a number of years. While this is not specifically directed at CFATS issues, CFATS has come up a number of times in the discussion since the blog started earlier this month. My only complaint is the lack of links to supporting information within the blog postings. There are two specific postings to date that I think are especially appropriate for all facilities and for high-risk chemical facilities in particular: How to Avoid Serious Security Problems and How Security Enhances A Company’s Bottom Line. In the first blog McCann looks at the importance of prevention and provides a list of three security rules that must be taken into account when developing a security plan. These are:
“Rule No. 1 – It is not possible to protect everything. “Rule No. 2 – There is no such thing as 100% Guaranteed Security. “Rule No. 3 – Circumstances and the Environment are Subject to Change.”
In the second blog I have listed McCann provides a list of five solid business reasons to implement a security plan. This is an interesting insight as most people consider security just another cost center. His five reasons deal with:
“Prevention of Incidents “Prevention of Negligent Liability “Staff Morale “Company Perception “Sales Advantage”
This appears to be a blog that will bear watching. I’m adding it to my list of blogs to keep an eye on.

Reader Comment – 01-25-10 iPhone Security

Harold Ennulat posted a reply to my blog posting on the iPhone industrial control system application. Harold wrote:
“Good reminder about the security concerns. We'll have to wait and see how people actually use this kind of capability with devices like the iPhone. “It seems inevitable to me that they will be used and the security issues will be addressed satisfactorily.”
I agree with Harold that apps like this will almost inevitably be used. Anything that makes someone’s job easier is likely to be successful. More platforms will get this type of application development and the apps will cover more devices. Security managers that don’t understand this are living in a dream world. I am, however, too much of a cynic to agree with Harold’s assumption that “security issues will be addressed satisfactorily”. I have spent a great deal of my personal and professional life around a wide variety of engineers and very few of them that I have known have a great deal of respect for security rules. They will go along with the letter of the rules, but if the rule gets in the way of getting the job done they will figure out a work around. The more creative the engineer, the more likely they are to discover a unique work around. I can even understand the reasoning that would allow a reputable engineer to bypass this type restriction:
'The jihadists are religious fanatics so what could they know about control systems and sophisticated electronics? Besides they would have to know what specific equipment we are using here and know the specific communications protocols that we are using. Even if they could get control of our equipment they would have to understand our process to do any real damage.'
The first assumption is the worst, of course. The single most common background for known Al Qaeda operatives is engineering. So, it is likely that there is adequate understanding of control systems and electronics within these organizations. The other assumptions certainly contain a level of validity. The communications protocols and systems analysis would be difficult to detect and understand from outside. This is an area where insider knowledge, either from facility or vender staff, would provide the most likely avenue of approaching the problem. Having said that, we still must remember that hackers figure out similar communications protocols all too frequently.

Tuesday, January 26, 2010

Reader Comment – 01-25-10 Olympic Chlorine

Anonymous left a comment about my blog posting on the congressional hearing on hospital response to chemical terrorist attacks. Anonymous wrote: “Very good question to raise. My favorite EPA chemical engineer/regulator said his experience indicated hospitals were in blissful ignorance of both facility and transportation risks nearby. I am working currently on ensuring that folks working on NBA All-Stars game and SuperBowl security arrangements take some of this into account. You might check out the Vancouver Olympics-related controversy: http://www.vancouverobserver.com/search/node/chlorine” Actually I have been following this story, starting with a blog here on the off-site storage of chlorine rail cars. The link provided by Anonymous does provide a lengthy list of pages from the Vancouver Observer that address the issues caused by a nearby chlorine production facility. I have read many of the articles and must say that while there is a certain amount of sensationalism in the writing there is also a decent degree of honest concern about potential problems. Fred Millar, a vocal reader of this blog, figures prominently in many of the articles. Fred has been a consistent voice on the security and safety issues related to the rail transportation of TIH chemicals. While Fred and I don’t always agree on how to deal with these issues, I have long respected his warnings about potential risks related to TIH chemicals. I did a quick check of the VancouverObserver.com web site and could only find one reference to the unresolved ammonium nitrate issue that I have previously mentioned in this blog. It seems to me that the potential detonation of a couple thousand pounds of ammonium nitrate near an Olympic venue is a easier terrorist attack than an attack on chlorine rail cars. Oh well, I guess that VBIED’s are such a common news story that it just isn’t as sexy as a chlorine gas attack.

Ammonium Nitrate Background Information

A couple of documented comments about ammonium nitrate in current events have been posted in this blog recently, one by me and one by a reader. Just to ensure that everyone knows what was being talked about, I am going to provide some additional supporting information. Ammonium Nitrate in Afghanistan In his comment made on the initial post about fertilizers Red Team wrote:
“Even today, NATO forces realize the threat and potential danger in Afghanistan. They currently have a program where they attempt to purchase AN from farmers who have large stock piles. Insurgent fighters have been using it in VBIEDS; NATO is just trying to reduce the availability.”
Well, it seems that his information was just a little bit out of date. According to a Washington Post article posted on their web site, the government of Afghanistan has now outlawed the possession or use of ammonium nitrate all together. The article states that:
“NATO troops have seized tons of ammonium nitrate fertilizer in raids over the last five months in southern Afghanistan, and the government has been discouraging farmers from using it for years for environmental reasons.”
A recent decree by the government completely banned “the use, production, storage, purchase or sale of ammonium nitrate on the recommendation of Afghan intelligence services” and gives farmers and retailers 30 days to use or turn in their stocks. Missing Canadian Ammonium Nitrate I closed out my second post on fertilizers with the following comment:
“We (the United States) may be ‘fortunate’ because the boom might happen next month in Vancouver with the 6,000 ‘missing’ pounds of AN lighting up a Winter Olympic venue. That will be a Canadian problem, but it will get an appropriate reaction here. Hopefully I am wrong and it is an accounting error or maybe the RCMP will find the material before it explosively decomposes. In any case, I am afraid that that is what it is going to take.”
I was referring to an apparent incident that has been in and out of the Canadian news for a couple of months now. The most recent article can be found at EdmontonSun.com. A Canadian shipper of ammonium nitrate had initially reported that a large quantity had disappeared enroute from the shipping facility to the final customer. Then it said that, no, it was just an accounting error. According to this latest article, the Royal Canadian Mounted Police (RCMP) is still not convinced that the material wasn’t stolen. Their investigation continues. They are, of course, being extremely cautious because the Winter Olympics will be held in Vancouver, BC next month. It is just too inviting a target not to take this a little more seriously than normal.

Monday, January 25, 2010

Foreign Sourced Raw Materials

There is an interesting article from the Boston Globe on Globe.com about the impending shipments of liquefied natural gas (LNG) from Yemen to a facility in Massachusetts. Many people in Boston are concerned that the tanker will have to move through Boston Harbor as it makes it way to the Distrigas LNG facility in Everett, MA. A catastrophic release (like ones that terrorist might want to cause) could cause significant damage in and around the harbor. The fact that the tanker is coming from Yemen (of recent underwear bomber fame) is one of the major reasons for the level of concern. The fact that the tanker will be loaded at a French owned facility with ‘European Security’ should help to reduce some of the concerns about the emplacement of a remote controlled explosive device on the tanker. Many Bostonians are apparently not satisfied with that explanation. This concern in Boston is certainly not misplaced. Any shipment of hazardous materials from areas where there are questions about the government’s ability to control the routine movement and operations of terrorist or criminal organizations should be automatically suspected as a potential mode of terrorist attack. While criminal organizations are not that likely to initiate terrorist attacks, it is not beyond possible for them to sell access to shipments to terrorist organizations. Now, I don’t know of many chemicals being shipped from Yemen or Afghanistan to facilities in the United States, but those aren’t the only questionable areas in the world. One country in particular on our southern border might be a special problem. With the multiple modes of cross-border chemical shipment between Mexico and the United States and the presence of large stretches of narco-gang controlled areas in Northern Mexico, facilities might want to take extra security precautions for chemical shipments from that country. Of course all shipments into high-risk chemical facilities are expected to be searched before they are allowed to enter the facility. Special attention, however, should be paid to vehicles that were loaded in Mexico, or containers that came from other suspect areas around the world. I have an interesting problem for you, the interested reader. If an explosive device were placed inside a full tank truck or a large bulk container how would an inspection process detect it? For a flammable liquid this would probably be the most efficient method of turning it into an IED. The over-pressure from the device would cause a catastrophic failure of the tank and would likely ignite the liquid. Such a device could be placed in an empty tank before it is delivered to a chemical facility to be loaded. Pre-loading inspections should catch such a device, but these are frequently just cursory inspections, especially if they are dedicated, ship and return containers.

Sunday, January 24, 2010

Reader Comment – 01-22-10 MicroLogix

Keith Lester posted some additional information on the AB MicroLogix™ vulnerability. He wrote: “Rockwell Automation posted a TechNote on MicroLogix vulnerability in early January 2010; http://rockwellautomation.custhelp.com/app/answers/detail/a_id/65980/kw/65980/r_id/113025” Keith is obviously more experienced at searching the Rockwell Automation web site than I am, since I could not find a single mention of the problem. I really appreciate readers helping out. Actually it may be a good thing that I couldn’t find this information since it has been updated since I searched the site. Looking at the referenced page, Rockwell Automation recommends some specific mitigation strategies (printed below). To me these look like the standard precautions that someone should take with any industrial control system.
1. “Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment. 2. “Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures. 3. “Block all traffic to the CSP, EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance). 4. “Periodically and frequently change the Product's password and obsolete previously used passwords to reduce exposure to threat from a Product password becoming known.”
Any facility security manager (or cyber security manager) that has the listed MicroLogix controllers (1000, 1100, 1200, 1400, or 1500) on site should check the web page that Keith identified.

Terrorism and Hospitals

Later Friday the House Homeland Security Committee announced that the Subcommittee on Management, Investigations and Oversight would be conducting a field hearing on Monday in Danville, PA. CEO’s from four hospitals would be helping to answer the question: “Is the Medical Community Ready if Disaster or Terrorism Strikes: Closing the Gap in Medical Surge Capacity?” The Committee web site noted that:
“This field hearing will examine how the Department of Homeland Security coordinates with the Department of Health and Human Services, local hospital facilities, and public health officials in establishing and coordinating a national medical response strategy during an act of terrorism or public health threat, including biological, chemical or radiological events.”
With the field hearing be conducted so far from the Internet hub of the western world there will be no web cast of the hearing. It is a shame because I was hoping to hear the answer when someone from Chairman Carney’s (D, PA) Subcommittee asked each of the CEO’s if they had been in contact with the high-risk chemical facilities in their service areas regarding the potential chemical exposures that their medical facility would be dealing with in the event of a successful terrorist attack on those chemical facilities. Now to be perfectly fair to everyone involved, I doubt that this question will come up. Everyone, myself included, has failed to address the requirements for medical response to such attacks. We have talked about the necessity for coordinating with first responders and emergency response personnel, but have completely ignored the destination of the ambulances once they have left the scene of the attack. While we have heard numerous news stories about hospital emergency room conducting decontamination drills and even somewhere decon was thought to be necessary in a real event, there has been very little discussion of what will go on in the hospital once the victims have been decontaminated. Of course treatment depends on the chemical to which the victim was exposed. That is the reason that the local hospitals need to know the chemicals of interest with which they could be dealing. If they know that they can predetermine the likely treatment needs and train their staffs accordingly. Someone please ask these hospital CEO’s if they know what large scale chemical mass casualties they would be dealing with if terrorists successfully attacked one of the high-risk chemical facilities in their area. Anyone willing to bet that they know? I wouldn’t.

Saturday, January 23, 2010

Another Cyber Attack Route

If there weren’t already enough ways that a determined cyber attacker could gain unauthorized access to an industrial control system, a developer has come up with an iPhone app that allows for remote communications with Omron PLCs, according to a recent blog posting at Hennulat.WordPress.com. The article claims that: “Security is guaranteed through encrypted passwords and TCP/IP tunneling.” Unfortunately, it later notes that: “ScadaMobile connects directly to the PLC without routing through servers or personal computers, using a direct TCP/IP link between the iPhone and the PLC, with minimal configuration.” It would seem to me that if a system was not properly secured (and that never happens….) this could allow unauthorized access. This is one of the big problems with cyber security in general and ICS security specifically; developers work hard to make access to systems easier to simplify the life of people working on or with the system. Unfortunately, if this is not done very carefully, it also makes it easier for unauthorized personnel to gain access to the system. BTW: If your facility is using Omron PLCs, make sure that you are using a rigorous password policy. You don’t want them to be on someone’s iPhone contact list.

Friday, January 22, 2010

Reader Comment – 1-22-10 – Fertilizer 2

Red Team responded yesterday’s installment of our on-going discussion on chemical security issues. Red Team provides a number of examples of the tactical use of ammonium nitrate (AN) fertilizer as a terrorist explosive. Then Red Team points out that the easiest place to obtain AN is to steal it from an agricultural coop where there is little or no security.

All very valid and worrisome points for anyone that is concerned with preventing terrorist VBIED attacks since ANFO (AN fuel oil mixture) is the explosive of choice for such a device; cheap, easy to obtain, make and use. Red Team then points out that: “There is more deadly potential in AN than there is in many other COIs within Appendix A. History has proven that.” Right again; outside of the TIH chemicals like chlorine, fluorine, and anhydrous ammonia, or the actual CW agents (fortunately not readily available), AN is the most likely industrial-chemical weapon to be used terrorists.

Red Team closes the comment by saying: “Security Theater is a very real problem, giving DHS a pass because they are busy is not the answer.” I am assuming that the ‘Security Theater’ he is talking about is the TSA airport screening process. I would have to agree with that. Now that everyone knows about flying airliners into sky scrappers, that won’t be allowed to happen again. The smartest thing that was done after 9/11 was the hardening of cockpits to prevent terrorists from gaining control of the controls. Now all counter-air attacks are reduced to retail terrorism instead of wholesale terrorism.

We are spending an awful lot of money trying to be 100% successful defending individual planes from attack. We need to face it, we are going to lose some more aircraft; it is inevitable. Now, about the last part of that statement, I need to correct an obvious misunderstanding. I am not giving DHS a pass on their inability to get AN regulations in place. I frequently take them to task for not getting this done publicly and privately.

I don’t rant and rave about it, because I understand the problem. Congress gave them a politically and technically difficult task and no resources to complete the task. Like any good soldier, they saluted and are doing the best that they can. They have not yet been successful in accomplishing that mission, but just like LTC Smith who was ‘at fault’ for not stopping the initial invasion of Korea, they do not have the resources to get the job done.

Now, Congress doesn’t have the resources to give because of any number of political decisions that they have made. Those decisions won’t be changed until something goes boom. We (the United States) may be ‘fortunate’ because the boom might happen next month in Vancouver with the 6,000 ‘missing’ pounds of AN lighting up a Winter Olympic venue. That will be a Canadian problem, but it will get an appropriate reaction here. Hopefully I am wrong and it is an accounting error or maybe the RCMP will find the material before it explosively decomposes. In any case, I am afraid that that is what it is going to take.

Site Security Plan Article

This is an interesting period for the chemical security community. The Senate is getting ready to start working on CFATS legislation while there is a renewed interest in general on counter-terrorism issues. Tier 1 facilities are starting to go through the inspection process while the other tiers are finishing up their SSP submissions. This renewed emphasis on CFATS is reflected in a number of magazine and web articles on the process. I recently found one such article on SecurityManagement.com; “The Skinny on CFATS”. Site Security Plan This article by Joseph Straw gives a good feel for the Site Security Plan process even if it lacks on details on how the process works. It does make a good point that the name of this phase of CFATS implementation is more than a little of a misnomer. As I have mentioned in other blog postings, a ‘plan’ normally connotes an organized document that lays out objectives and explains how they will be met. As this article explains the SSP is not really a plan, but rather a lengthy questionnaire about the security measures in place at the facility. Even that is a simplification of the SSP process. Unless a facility has been hard at work in upgrading their security measures to meet the risk based performance standards (RBPS) outlined in last year’s RBPS Guidance Document, it is extremely unlikely that ‘current’ security measures in place will be enough to get an SSP approved. But DHS has a simple solution to that problem, they will give you credit in the SSP for ‘Planned Security Measures’ as long as the facility can demonstrate that there is really a plan firmly in place for implementing those measures. The article also makes the point that the SSP submission/approval process is more like a negotiation between the facility and DHS. Since DHS is prohibited by statute from specifying particular security measures in the SSP approval process, a facility just has to be able to demonstrate that their particular combination of security measures fulfills the performance criteria of the RBPS. The article does kind of gloss over one final point on the SSP process, however. Once the SSP submission is approved, DHS looks on that document as a ‘security contract’ between that facility and DHS. All subsequent inspections by DHS will be done to ensure that the facility is in compliance with that now enforceable contract. The §550 prohibition against ‘requiring specific security measures’ will no longer apply to that facility. If the facility said that it would have a security measure in place, then DHS will expect to find it in place when they come to inspect. ‘Planned Security’ measures must be proceeding according to the documented plan. Alternative Security Plans The article does mention that there is an alternative to completing the ‘1,500 questions’ in the SSP tool, the submission of an ‘alternative security plan’ (ASP). Conceived in the §550 language this was included to ensure that facilities with an already existing robust security plan would not have to re-invent their plan. DHS has expanded the idea to allow any facility to upload a security plan into the SSP tool as an alternative to answering most (certainly not all) of the questions in that tool. Given the ‘problems’ that facilities had in getting initial approval of their security vulnerability assessment (SVA) using an alternative security plan in lieu of answering the SVA tool questions, I doubt that there will be many facilities that will get initial acceptance of the ASP. That certainly does not mean that facilities, particularly those single COI facilities mentioned in the article, should not try this option. Just expect to have to answer directed questions from DHS about RBPS issues not well addressed in the ASP. Facilities planning on submitting an ASP should probably do a quick look at the SSP questions to see what type of information DHS is requesting. Ensuring that the appropriate information is in the ASP before it is submitted will help getting it approved. A large number of the questions in SSP would be expected to be answered in the negative for most facilities, those negative responses wouldn’t need to be included in the ASP. But if something is in the SSP and the facility has it as part of their security set-up it needs to be included in the ASP submittal. Other Articles This is not the only article currently out there about the CFATS program. While I may not be able to review all of them, I certainly want to point my readers at as many of these articles as possible. If I miss any, please let me know either by email or as a comment to this blog posting.

Thursday, January 21, 2010

Reader Comment – 01-20-10 Fertilizer

Red Team used a comment on a continuing gasoline blog conversation to bring up another explosive issue; fertilizer. Red Team wrote: “I think one potential problem with DHS CFATS is that it really does not consider certain fertilizers, I'm not going into details, as a significant issue. It appears that DHS has not looked at the history of various fertilizers and their destructive nature and relative safe handling characteristics. Terrorist groups within the US and outside the US have used this substance on many occasions.” I’m sorry, but I don’t think that that description is quite fair. I’m assuming that Red Team is talking about ammonium nitrate; a very common fertilizer that is certainly useable as an explosive ala Timothy McVay. Ammonium nitrate (AN) is actually two separate chemicals of interest in Appendix A (one as an release-explosive and one as a theft/diversion IED precursor) so this fertilizer is included in CFATS. Now, to be fair to Red Team, DHS has had some problems with their regulation of AN. First off, AN used on actual agricultural facilities is not currently captured in the CFATS process because of the ‘temporary’ Top Screen exception for such facilities. That exception was partially in response to farm interest lobbying efforts (one of the most powerful lobbies in the US) and partially a recognition that most ag-facilities were a little too remote to be much of a terrorist target. The more important AN related problem that DHS has been experiencing has nothing to do with CFATS (other than the same people will be responsible), the Congressionally mandated regulation of the sale of AN. The FY 2008 budget bill mandated that DHS regulate the sale and transfer of AN and required the registration of both sellers and buyers. The regulation was supposed to be in place by the June 2008 and we have only seen an ANPRM to date. Now part of the problem is that the same people who are supposed to write this regulation are the same people who are developing all of the supporting stuff (CSAT Tools, CSAT Instruction, RBPS Guidance Document, etc) for CFATS so there is something of a time constraint. Another big part of the problem is the unexpected complexity of the issue. It sounds simple to say that you just have to require sellers and buyers of AN to register with DHS and sellers can’t sell to someone who isn’t registered. All of that is straightforward until you get to the user end of the supply chain. Most ammonium nitrate is sold at the retail level at distribution centers to farmers. Now the distribution center had to be registered to buy it from their supplier, so there is no problem there. The problem is with the end user. The big farmer in the mid-west buys multiple truck loads of AN at a time to prep his fields for planting. Registering the farmer is not a problem, he’s been there for ever, everyone knows him and he’s never been to jihadist training camp. The problem is that he is not the one driving the truck that is picking up the AN. That is a hired hand, maybe even a seasonal worker, maybe on an ag-visa. Registering that hand might be a tad bit harder, especially if he isn’t hired until the week before he’s needed. Another requirement of the legislation is that anyone with AN must report the lost/theft of any AN; makes sense, you want the FBI checking out the theft of nasty stuff like AN. Just one problem; AN is frequently handled in large bulk shipments and inventory ‘losses’ are common. Wind blows loose AN into the Mississippi River from barges every day. How much loss do you have to report? It was only a couple thousand pounds that crashed the Federal Building in OKC. That much is just inventory slippage. Just look at the problem that the RCMP is currently having in Vancouver (Winter Olympic site; maybe a terrorist target). A major AN supplier reported a 6,000 lb loss of AN in transit. Then they recanted, its not missing, some one miscounted. Maybe. The RCMP is still investigating; not to find out who stole it, just to see whether or not it is missing. If it is missing, then they start looking for the thief. Just hope it hasn’t been packed into a rail car heading for the chlorine plant just outside of Vancouver. I keep asking my contacts at DHS how the AN regulation is coming. The answer is always the same, just a couple of months away (this Spring, we’re sure). Of course, I’m not the only one bothering DHS about this issue, so is Chairman Thompson who pushed the AN requirement into the budget bill. So anyway, Red Team is right and wrong. DHS does consider ammonium nitrate in CFATS, but it probably isn’t as proactive in the area as is it probably should be. But then again, they have lots of stuff to do.

ICSJWG Web Page Update 01-20-10

DHS-CERT updated the Control System Security Program web page dealing with the Industrial Control System Joint Working Group’s (ICSJWG) Spring Meeting. They have now added a link to the electronic form to be used for submitting proposal abstracts for presentations to be made at the April meeting in San Antonio, TX.

Wednesday, January 20, 2010

Reader Comment – 01-19-10 – Subjective Comments

Red Team posted an interesting question to my discussion with Fred Millar about TIH chemicals and subways. About my statement at the end of the post about my lack of confidence that “we have the tools in place to reduce the deaths from a mass casualty terrorist attack", Red Team asked: “This is a fairly subjective statement. How do you compare what is reduced and what is not. What are we comparing it to? Just a thought.” It certainly is a subjective analysis, though I thought I laid out pretty clearly the basis for my lack of confidence in the posting. Measuring confidence in the political field is nearly always a subjective exercise. That does not make it any less important. Confidence is the thing that makes soldiers follow their leaders into combat, or allows voters to support a complex bit of legislation they don’t understand. Lack of confidence causes soldiers and voters to question and oppose their leaders. A more important question, one that Fred and I have ignored in our many discussions, what is a fair cost to pay for preventing unlikely casualties? This is the question that should be brought up periodically in any discussion about response to terrorism. Unfortunately, the real answer to that question would also be subjective, but that should not stop the discussion. This is the question that the politicians dislike asking. Too low an acceptable cost set by the voters and their favored programs will be opposed as too costly. Too high a cost, and they will be forced to forgo their favorite program to pay for the costly preventive measures. Perhaps it is time that we explicitly asked this question. I’ll start it here; what is the maximum acceptable cost of measures to prevent the unlikely terrorist attack on a chlorine rail car? Who wants to take a stab at answering that?

STB Ex Parte No 677 Closed

Yesterday the Surface Transportation Board closed out a number of Ex Parte dockets where the purpose of the proceedings has been met. While these information collection dockets all deal with railroad operations, there is one in particular that will be of interest to the chemical security community; STB Ex Parte No 677, the Common Carrier Obligation of Railroads, was one of the dockets that was closed out. Readers might recall that this docket was ‘served’ (an interesting legal term) Feb. 22, 2008 as an inquiry into whether or not railroads had a legal obligation to carry hazardous materials. It has been a legal truism that railroads, because they were effectively regulated monopolies, are required to accept all ‘properly packaged’ shipments {49 U.S.C. 11101(a)}. The railroads have been questioning this doctrine because they bear the financial risk of an accidental (or deliberate terrorist) release of chemicals like chlorine gas or anhydrous ammonia or any of any number of other TIH chemicals. In closing out this docket the STB has not reached a ‘decision’ on the issue. They were simply collecting information and opinions. A major reason that they have not made a decision is that Congress will probably have to legislate any change to this doctrine. Interestingly a part of that docket was left open {STB Ex Parte 677 (Sub-No. 1)}. A public hearing was held on July 16th that addressed specifically the hazardous material’s aspect of the ‘common carrier obligation’. No comment on why this part of the docket was left open. BTW: The STB has continued to maintain their enforcement of the railroads common carrier obligation to carry hazardous materials, most importantly in UP v USM (STB Finance Docket No. 35219).

Tuesday, January 19, 2010

Reader Comment – 1-19-10 Gasoline 3

A Reader, Red Team (certainly reference to a security professional that simulates being part of a terrorist team penetrating facility defenses), joined an earlier discussion about gasoline storage facilities and vapor cloud explosions. He makes two separate points in the discussion. First Red Team writes: “I've done some ‘Red Team’ work for a few security firms that contract with DHS. Many of these above ground gasoline storage tanks have floating roofs. I do not know the technical name. Considering this, there is very limited gasoline fumes of which to ignite. Attacking a large gasoline tank with a VBIED, satchel charge or stand-off weapon would not create a large catastrophic explosion because the fumes are not present in large quantities. This belief, for the most part, is pure Hollywood.” Red Team is correct; fuel storage facilities use some sort of technique, floating tops (that’s probably not the correct terminology) that move up and down with the liquid level or displacing the oxygen in the headspace with some inert gas. They have done a lot of work to prevent even small vapor cloud explosions in their tanks. Even if you were able to get a tank ignited it would just blaze away at the surface, providing a rather spectacular display of flames and smoke. It will just keep burning until the gasoline is consumed or fire fighters manage to get a good foam blanket on the surface. Modern tanks are kept far enough apart that a tank fire in one probably won’t set off a neighbor. No, to get a good VCE you have to spill the gasoline on the ground leave it alone long enough for a vapor cloud to form. There should be very little wind to disperse the cloud and the ignition source should be above the surface of the big puddle. Even the getting enough surface area in many tank farms may be a problem because the secondary containment may be sized to keep the surface area of a spill small enough to prevent the formation of a vapor cloud. Not wanting to make this a primer on turning a gasoline tank into a VCE, I won’t go into details, but you have to make a large enough spill with a large enough surface area in the right weather conditions to make a VCE. Breaching a containment dike or causing a catastrophic failure of a tank would both contribute to the success of the endeavor. This is not a task for an underwear bomber. It will take at least one fuel system engineer and some people with a talent for explosives, but it can certainly be done. This brings us to the second part of Red Team’s comment: “However, considering the fact that many organization attack to cause death, destruction, fear and adverse economic reactions, attacking a gasoline facility might cause spillage and fire, but not a large explosion. The results could greatly increase the cost of oil because of the perceived effects of the terrorist act.” Because of the socio-economic (I get extra points with a former college professor for writing that) nature of gasoline an unsuccessful attack (no VCE) can still be counted as a successful strike. First the fire is spectacular and gets wide spread press coverage for hours, even without a terrorist claim of responsibility. Next gasoline is inextricably linked with an icon of American culture, the automobile. Politically, the jihadist can always claim that the gasoline was stolen from Muslims, so it is theirs to destroy. Finally an attack that significantly damages part of the gasoline distribution network will have economic affects, at least locally. Win, win, win, and win; all for a ‘failed’ attack. The effect is significantly magnified if accompanied by a VCE fireball.

CFATS Webinar

I ran across an ad for another CFATS webinar being sponsored by ADT Advanced Integration. The last one I listened to was run back in early November of last year and it was quite good. This one uses different presenters, but if it is any where near as good as the last one, it will certainly be worth watching. And you can’t beat the cost; free. The February 2nd webinar will last 60 minutes and will be hosted by SecurityInfoWatch.com. Webinar participants will learn “about legislative updates, developing legally compliant SSPs and the impact of non-compliance. Find out how to leverage countermeasures to meet Risk-Based Performance Standards (RBPS): people, procedures & equipment in your plan.” Additionally, the webinar will cover:
“The CFATS timeline & roadmap from determination to audit and re-submission “What to do before and immediately after receiving your final determination letter “DHS published guidance for implementation of the RBPS “SSPs preparation in accordance with other regulatory programs “How to approach the challenge of meeting the RBPS “What to look for when you on-board resources to help with CFATS “Preparing for DHS Site Inspections"
The only potential problem that I see with this webinar is that it doesn’t include anyone from DHS to provide hints to what is coming up with the program. Having said that, the three presenters do seem to have the kind of background that could still provide valuable in-sights into the CFATS process; a lawyer with a background in DHS, a certified security professional workng with multiple CFATS facilities, and the head of the ADT division dealing with CFATS issues. The registration form is on the bottom of the page describing the webinar. There is nothing on the web site indicating a limited attendance (one of the advantages of a webinar vs. an in-person education event), but they do advertise that there will be both a Q&A session and interaction during the presentation. This would tend to indicate some form of participation size limitation to keep the interaction manageable within the advertised time constraints. I have already registered; I suggest that interested readers do so as soon as possible.

Reader Comment – 01-18-10 TIH vs Subways II

Fred Millar responded to my comments on his earlier comments (I love it when we get a dialogue going). Fred wrote:
“Your usual thorough and excellent analysis here is right on, although I was thinking not so much of a terrorist having to penetrate urban security as perhaps attaching an IED to a TIH railcar before it goes into a city (which may have a major transit system, like DC's, largely underground). You leave unanswered how confident we might be of prevention of mass casualties or survival in either TIH or shooting scenarios. In any case, my ultimate point [not expressed before] is that mass transit agencies, cravenly dependent on the mighty freight railroads for shared tracks in many cases, and on the railroads' cooperation not to block the transit tracks too much, have never supported TIH re-routing moves around major cities.”
Transit Agencies and TIH Re-Routing Fred brings up a number of interesting points and I’ll address the last first; transit agencies and re-routing TIH shipments. I think that Fred may be partially correct in stating that these agencies don’t want to upset the people that supply and maintain some portion of their trackage. I suspect, however, that it is probably more a case of ‘it ain’t my job’. Since passenger rail (intra- or inter-city) does not carry TIH chemicals (hopefully anyway), it is not an issue that ‘affects’ them. As Fred pointed out in his earlier comments, an attack on a chlorine railcar near a transit line is effectively an attack on the passenger rail. The problem is that most people (including corporate decision makers) considers that an attack on TIH railcars a very unlikely scenario. The reason goes back to a familiar safety conundrum; if an accident hasn’t happened, it is unlikely. Of course, that reasoning is fallacious since your essentially applying statistics to non-random events. There are factors that make a successful attack on a TIH railcar less likely than some other forms of high-profile terror attacks. First there is a certain level of technical sophistication required; it take specialized explosives to successfully attack a train car designed to withstand 300 psi of internal pressure. Your typical IED will just scratch the paint job. This is a job for a trained, experienced explosives expert, not something that will be done by a web-site wannabe. Secondly, TSA, shippers and the railroad have increased the security observation of urban rail lines and the TIH railcars while reducing the idle time on unobserved sidings. While not nearly the protection that one would provide a train car full of money, it still makes it more difficult to get to the cars with enough time to emplace the sophisticated explosives. More, of course, can be done. None of this makes it impossible, by a long stretch, to successfully attack a TIH railcar; it simply makes it more difficult. It would be easier to steal portable containers and then apply the chemical attack to a specific target. Would it be a ‘more successful’ terrorist attack? That would depend on the target. Preventing Mass Casualties This is always the problem with a terrorist attack. We are completely inured to the thousands of murders that take place in this country every year; we accept thousands of people dying from automotive accidents, but have 300 people almost killed by an underwear bomber and we go completely nuts. By definition the best way to prevent mass casualties from a successful terrorist attack is to prevent the attack. That is done by some combination of security procedures and counter-terrorism intelligence. Where the risk is higher there will be more security procedures. One clear security procedure for railcars of TIH chemicals is keeping the cars unnecessarily out of urban areas, re-routing. The key there is the term ‘unnecessarily’; the political process will never keep all TIH railcars out of urban areas. Just look at the fight in and around Chicago about the re-routing efforts by the Canadian National railroad and the fight they are having with the non-urban areas on the new routes. There is certainly an argument to be made that urban areas are better equipped to deal with an accidental release (which are usually non-catastrophic) of TIH from rail cars than are smaller jurisdictions. And the accidental releases are much more common than the terrorist attack. Even with a terrorist attack, the multi-story buildings of an urban area are better protection against a chlorine release because the density of the gas keeps the cloud low to the ground. Lacking the prevention of the successful terrorist attack, the best way to reduce casualties from such an attack is a well thought out, exercised and implanted emergency response plan. While LERC’s may do an adequate job of coordinating this type planning for fixed sites, I really doubt that there is anywhere near an adequate amount of work being done on transportation incidents. Some of the railroads are actually doing their part with their training efforts and their tracking of TIH rail cars, but much more remains to be done. Finally, the one woefully lacking area of emergency response is the capability to handle a real mass casualty situation. If most of the people in the Twin Towers had been injured instead of killed outright, the handling of casualties would have been a major embarrassment; and New York is better equipped than most cities to handle mass casualties. If a VBIED went off at a high-school football game in rural Texas, most of the resulting deaths would have been preventable, if adequate health care emergency response were available. In short, I would have to answer Fred that I am not confident that we have the tools in place to reduce the deaths from a mass casualty terrorist attack; regardless if it is an industrial chemical attack, a multiple shooter attack, or a VBIED attack.

AB Micrologix Vulnerability

On Saturday Walt Boyes from ControlGlobal.com re-published an alert (I must have missed it on the SCADASEC Listserv) about a recently identified security vulnerability in the 1100 and 1400 series Micrologix controllers that allows an outside to gain unauthorized control of these controllers. According to the alert this control would allow an attacker to:
“Halt the system's operation (Denial of Service) “Gain unauthorized access with high privileges to the system “Leverage these vulnerabilities to attempt to find additional vulnerabilities in the server….”
Neither the discoverer of the vulnerability, Eyal Udassin from C4 Security, nor Rockwell Automation are publicly discussing the details of the vulnerability. Why they won’t tell me (who couldn’t identify a Micrologix controller sitting on the table) or the local hacker society the details of the problem is beyond belief…. (tongue firmly in cheek). Rockwell Automation is working directly with potentially affected device owners to resolve the issue. If your facility has one or more of these controllers on site, contact your supplier immediately. C4 Security will discuss the issue with verified owners (contact them at info_at_c4-security.com). Interestingly I can find no mention of this issue on either the Rockwell web site or the CERT website. One final note; this would be a good question for DHS inspectors to ask about at SSP inspections or site visits when the issue of cyber security comes up.

DHS CIKR Webinar Page Update – 01-15-10

On Friday DHS updated their Critical Infrastructure Key Resources Learning Series page with information about the next two webinars that will be conducted by the Department. With the December webinar having been moved to January because of the December snow storm in DC, the next two webinars will both be held in February. The next webinar will be held on February 11th and will deal with “Making effective use of visualization technology”. Conducted by Mike Clements, Branch Chief, Operations Support Branch, Infrastructure Information Collection Division, DHS Office of Infrastructure Protection (IP), the presentation will “provide an overview of the ways that IP provides context to infrastructure data through the use of Geographic Information Systems, geospatial products, and remote sensing data acquisition. The presentation will also address geospatial products and services that are available to federal, state, local, tribal, and private sector partners during both steady state and incident response situations.” The third webinar in the Winter Series will held on February 22nd and will be an update on the Chemical Facility Anti-Terrorism Standards program run by the Infrastructure Security Compliance Division of NPPD. Conducted by Sue Armstrong, Acting Deputy Assistant Secretary for Infrastructure Protection, the webinar will provide an activity and implementation update for CFATS. The site continues to provide links to previous webinars in the CIKR Learning Series. These links will allow those who missed participating live with the chance to view the webinars. Actually there are advantages to seeing these recorded webinars as they may be paused or backed up to see something that was missed. Unfortunately, there is no option for asking questions. The three webinars on the page are: Critical Infrastructure Resilience: The Next Frontier in Homeland Security Voluntary Preparedness Standards The Infrastructure Protection Security Survey: What's in It for You? All webinars are available free-of-charge. You can register for the visualization technology or the CFATS update webinars online. No registration is necessary for the recorded webinars.

Monday, January 18, 2010

Reader Comment 01-17-09 Chlorine Follow-up

An anonymous reader left a comment on a blog from last month about the temporary storage of chlorine railcars on a siding outside a small town in Washington. Anonymous wrote: “For some follow-ups to this story-- see Vancouver Observer online.” I have been trying to read the many follow-up articles in the Vancouver Observer about the issue of chlorine cars and the Olympics, but most of the articles are restricted to subscribers. I have accessed one rambling article about the issue, but it provides little new information for readers of this blog. If anyone spots an interesting article on this subject, feel free to bring it to my attention. Adding a comment to this post would be a good place to leave the link.

HSAC Meeting 02-03-10

According to a notice posted in the January 19th Federal Register, the DHS Homeland Security Advisory Committee will be conducting a meeting on February 3rd, 2010 at Grand Central Terminal in New York City. Only a portion of the meeting will be open to the public. New members will be sworn in and the Committee will receive updated briefings on the Quadrennial Homeland Security Review and consider recommendations made by the Committee’s Sustainability and Efficiency Task Force. During the closed portion of the meeting the Committee will receive intelligence briefings and updates on operational issues. Pre-registration for attendance at the open portion of the meeting is required. Personnel wishing to attend need to send an email to HSAC@dhs.gov. The mail should include full legal name, date of birth, e-mail, and phone number. This information will be used for security purposes. Emails should be sent to DHS before 5 pm EST on January 25th. Personnel wishing to have written materials considered by the HSAC should send to DHS before January 25th. Submitted materials should be marked “Department of Homeland Security” and “Docket DHS-2009-0160”. Material may be sent by email or by mail to: Homeland Security Advisory Council 1100 Hampton Park Boulevard Mailstop 0850 Capitol Heights, MD 20745

Sunday, January 17, 2010

Reader Comment – 01-17-10 – TIH vs Subways

Fred Millar left a comment on my blog from last month about the DHS subway study being conducted in Boston. He wrote: “How many major target city subway systems have in close proximity a non-re-routed freight line carrying chlorine gas and other TIH cargoes? You won't find this issue discussed on any transit rail website. Best defense: insert head in sand.” While Fred and I agree that railcars of chlorine in major urban areas is a potential security (and safety) problem I have to disagree with Fred here that this would be a major mode of attack against subways. Where most transit and freight lines share space would be where the intra-city trains are above ground. Since they would be moving through the chlorine cloud at speed, they would be less affected than people living or working in the area of the release. Where subways have a greater problem with TIH gasses like chlorine is when they are under ground. Since chlorine (and many other TIH chemicals) is heavier than air it would have a tendency to collect in subway tunnels. While trains moving through a limited chlorine cloud would still have the advantage of getting out of the cloud quickly, the lethal cloud would spread a longer distance underground because of the limited volume involved. Actually, the ideal way to attack a subway (other than through the use of explosives or a shooter attack which are always the easiest attacks) would be to hijack a chlorine tank truck and stick the discharge hose into a subway vent. Of course, it would take only a limited number of gas detectors to protect the subway system and evacuation would be fairly straight forward. No, a much better way to attack subways would be a few well placed explosives detonated when trains entered stations and a few well placed shooters on the stairs. Lots of ugly deaths, panic and terror; a much easier attack to pull off and the shooters could probably escape in the panic. Terrorists should always follow the KISS principle.

Saturday, January 16, 2010

Homeland Security Update Training

I received an interesting email from Kayla Appelt at TradeFairGroup.com about an upcoming workshop to be held in conjunction with the Industrial Fire, Safety & Security SIFSS) Seminars in Houston, TX over February 2nd thru 4th, 2010. The email was about one of seven workshops currently scheduled to take place on the opening day and it presents updated information about various DHS programs of interest to the chemical security community. Kayla’s email provided the following overview of the workshop:
“The Department of Homeland Security has imposed regulatory mandates to enhance security of the nation’s chemical and transportation supply chain. The Chemical Facility Anti-Terrorism Standards (CFATS), the Transportation Worker Identification Credential (TWIC), and the rail hazmat security regulations significantly impact the chemical and petrochemical industry. “This full-day seminar provides an in-depth analysis of CFATS, TWIC, and the rail hazmat regulations and offers practical solutions to help chemical and petrochemical facilities stay compliant.”
This seminar will be conducted by Steve Roberts, an attorney specializing in homeland security law and regulation. The Seminars on the following two days will provide members of the chemical security community with some other valuable information. The individual seminars of interest would include:
MTSA, BZPP & TWIC Implementations CFATS and Risk-Based Performance Standards Improvised Explosive Devices Fusion Center/ Intelligence & Information Sharing Public/ Private Sector Emergency Management
Registration for the workshop and the seminars can be done online. As always, I am happy to pass along information about this type of event to my readers but this should not be taken as an endorsement of the particular event. I haven’t seen any of these presenters in action so I can’t tell you how good a job they do. I would appreciate any feed back on these presentations that readers happen to have.

Friday, January 15, 2010

Reader Comment – 1-15-09 GPO Corrected

There was a comment posted by Anonymous adding some information to this morning’s blog about the GPO links to the PTC rule. Anonymous wrote: “Look also for a third section. (126 pages total)” I went back to look for that and found that the links in the GPO email that I had received early this morning now work the way they normally do. Both the Text and PDF links take you to a single complete document. Since the email didn’t change it must have been a problem on the GPO server that was corrected.

GPO Error – FRA PTC Final Rule

I noted earlier this week that the Federal Railroad Administration would be publishing their final rule on positive train control today. Well they did, but there was a problem with the GPO notification about that rule. For those of you that use either the email listing of Federal Register notices or the on-line listing the link to the PTC final rule will only take you to the second half of the rule published in today’s Federal Register. The first half of the rule is published at 75 FR 2597-2646 (.PDF Copy)and the second half is published at 75 FR 2697-2722 (.PDF Copy). I don’t know why there is a 50 page gap in the printing of this lengthy (72 total pages in the Federal Register) document, but this will certainly complicate people finding the complete document. Hopefully the GPO will provide a copy of the double link in Monday’s issue.

Reader Comments – 01-14-09 Gasoline Two

Two more comments on gasoline and CFATS appeared yesterday in response to two separate blogs, both by Anonymous (probably separate writers though). Gasoline and IEDs From the blog on gasoline security, Anonymous wrote:
“Good point. Flammable liquids or gases are usually not used as the primary charge/ explosive device in Improvised Explosive Devices (IED). However, they are used to intensify the destructive nature. For example, when Iraqi insurgents were utilizing the IED on an everyday basis, they would place propane tanks and/or jugs of gasoline around the IED. So let's say the insurgents had two 155 mm artillery rounds rigged as the IED, they would also place the propane tanks right next to it to create a more intense fireball, thus increasing the effects.”
Typically IEDs are small so that they can be concealed to prevent detection; this would preclude the use of flammable liquids or gasses as the primary charge because of the volume necessary to form the vapor cloud necessary for an explosion as opposed to a fire. The type IED I was describing utilizes large volumes of flammable liquids like gasoline. To get a VCE that liquid must be discharged into a large semi-enclosed volume that allows for the formation of a vapor cloud. While the Army’s work in the seventies concentrated on employing the gasoline in a sewer system for large scale excavations, the same thing could be done by pumping the fuel into a large building like a shopping mall, church or sports arena. Gasoline Terminals as Targets From the blog on the revised DHS notice, Anonymous wrote, in part:
“In addition to what you wrote for Gasoline security comments, I would contribute the fact that these above ground storage tanks are "visible" targets for terrorists to strike at. If I had to put a terrorist's hat on, I'd say why not strike it if it is there and it will make news.”
Combine this with the fact that most of these facilities have little more apparent security than a fence and a locked gate and they appear to be easy targets to hit. Now, I haven’t taken a comprehensive survey of gasoline terminals across the country, but two of the three that I have driven past often don’t even have gate guards. One other point while I’m thinking about it, many of these terminals sit atop a gasoline pipeline. A successful attack on the terminal (successful defined as effecting a VCE) will certainly damage the pipeline; at least enough to interfere with deliveries for a while. How long before that interruption begins to have economic impacts in the service area of that pipeline?

Thursday, January 14, 2010

CFATS Gasoline Notice Change

The Department of Homeland Security will be re-issuing the notice posted earlier this week in the Federal Register concerning their request for comments on the issue of gasoline terminals and the CFATS regulations. The footnotes were misplaced in the version published on January 12th. The new version to be published tomorrow will correct that issue and change the end of the comment period. The new date should be March 18th, 2010.

Gasoline VCE

While we are discussing gasoline vapor cloud explosions and CFATS, it might be instructional to look at a smaller gasoline VCE explosion that happened in Idaho last month. According to news reports a gasoline tank truck was making a delivery to a gas station near Mud Lake, ID on December 17th when the incident happened. The storage tank apparently was overfilled forming a puddle of gasoline under the tanker. Some ignition source, perhaps the tractor’s engine, ignited the resulting vapor cloud causing an initial explosion and subsequent fire. Reports are confused as to whether there was one subsequent explosion or multiple explosions. Since no one was injured in this incident there is no investigation by the Chemical Safety Board, so it is unlikely that we will hear about what actually happened if the local investigation is able to determine that. It does go to show, though, that accidental gasoline vapor cloud explosions are not as rare as the gasoline transportation industry would like us to believe. And if a gasoline VCE can occur accidentally, they can certainly be initiated by a trained terrorist.

Wednesday, January 13, 2010

Gasoline Security Comments

Yesterday I posted a blog entry about the latest DHS National Protection and Programs Directorate request for public comments on the CFATS program. That posting was pretty much a straight news-type report on the posting in today’s Federal Register. Now it’s time to take a more opinionated look at the issues involved. Long time readers of this blog can guess where this is going as I have written on the topic a number of times, most recently in November of 2009. Flammable Release COI The first thing that we have to remember is why DHS included the category of flammable release chemicals of interest (COI) in the list of chemicals that triggered the Top Screen reporting process when a screening threshold quantity of the chemical was present at a chemical facility. It wasn’t because of the threat of fire at the facilities in the event of a terrorist attack; large chemical fires have only a limited, short-term off-site affect making them of limited utility as a terrorist target. No the release-flammable COI were placed on the list of DHS Chemicals of Concern (Appendix A, 6 CFR 27) because of their potential to form large vapor clouds when released from storage tanks that could be detonated to form a vapor cloud explosion (VCE). The blast (over pressure) affects of a VCE have the potential to be catastrophically effective over a wide area which makes a VCE a wonderful terrorist weapon. Now gasoline is not one of the 300+ chemicals listed in Appendix A. The reason is that DHS chose to only include ‘individually named’ chemicals in their list. This helped keep the list of chemicals to a manageable number. To account for the large number of chemicals in commerce that are mixtures of two or more chemicals, DHS amended the language of 6 CFR 27 to include a variety of mixture rules for the various types of chemicals of interest. The basic release-flammable mixture rule {6 CFR 27.204(a)(2)} calls for chemicals containing at least 1% of a release-flammable COI and are rated as an NFPA (National Fire Protection Association) rating of 4 (their most dangerous flammability rating) to have their entire quantity counted as the amount of the COI on hand at the facility. Refined petroleum fuels such as gasoline, kerosene and diesel are very complex mixtures of a large number of chemical compounds. These fuels may contain a number of the listed release-flammable COI found in Appendix A; most typically pentane and butane. Gasoline has a typical NFPA rating of 3 which would normally exclude it from the §204 flammable mixture rule. There is, however, a specific exception for these petroleum based fuels found at §203(b)(1)(v), allowing for coverage of fuels with an NFPA rating as low as 1 when they are stored in above ground tanks. The reason for this is two fold; first the NFPA rating is not a perfect predictor of VCE potential, and second is the fact that internal combustion engine fuels are, by design, optimized for their vapor explosion potential inside of those engines. There is a third reason that petroleum based fuels should be considered a special case for the purposes of the flammable mixture rule; there is a special political dimension associated with these fuels that makes them more likely targets. First, a large portion of the oil used to make these fuels world wide comes from Muslim countries in the Middle East and this makes the fuel production and distribution systems in ‘infidel’ countries prime jihadist targets. Second, there have been ample public examples where disruptions of the fuel supply system in the United States in particular have led to widespread economic disruptions due to the rapid increase in gasoline prices, producing a potential target with an added snowball effect. Finally there is a technocrat class with a petroleum engineering background that is well represented in jihadist forces. VCE Modeling The flammable mixtures rule and its fuel addendum do not mean that all gasoline terminals (the generic term that DHS is applying to all facilities with above ground fuel storage tanks) will become covered facilities. It simply means that those facilities with more than 10,000 lbs of on-site fuel storage would have to complete a Top Screen submission. DHS would then evaluate that Top Screen information to make a determination if the submitting facility was at high-risk for a terrorist attack. According to the discussion in the request for comments, DHS reports that only 405 of the approximately 4,000 gasoline terminals that submitted Top Screens were preliminarily tiered as high-risk facilities. To evaluate the potential risk level for a facility based on their Top Screen DHS will use a variety of tools that estimates the potential worst case consequences of an attack. The chemical industry has heard the EPA use the term ‘worst case scenario’ for years now. There is a difference however; EPA uses the term to describe an accidental release. For example they would consider a flow rate from a storage tank through a broken hose as the ‘worst case’ release from a storage tank. DHS, on the other hand bases their ‘worst case’ on a successful terrorist attack; probably using an IED to cause a catastrophic failure of the tank resulting in a near instantaneous release of the contents. Typically, the consequences of a DHS ‘worst case’ are more severe than an EPA ‘worst case’. To evaluate the worst case consequence of a release-flammable COI release, DHS uses the Vapor Cloud Explosion model developed by EPA. This model takes into account a number of variables that would affect the formation of a vapor cloud to determine the distance from the point of release that there would be significant overpressure (blast) affects that would damage structures and injure/kill people. DHS then looks at the number of people and the number and types of other facilities within the potential danger area of a successful VCE. One of the key elements of this model is determining the size of the potential vapor cloud. This is determined by a complex calculation that takes into account the physical properties of the COI (vapor pressure, flammability limits, etc), the amount of the COI and the surface area over which it might spread. According to the DHS filing in yesterday’s Federal Register, the EPA model assumes that 10% of the available (ie: spilled) liquid will evaporate and form an ignitable vapor cloud. DHS has changed that to 1% for the gasoline VCE model, reflecting the different physical characteristics for gasoline. DHS asks in their request for comments if this assumption is reasonable. Well, while I am a trained chemist I am not an expert on models or physical chemistry. But I do know that the Chemical Safety Board is collecting a ton of information on a recent gasoline VCE that occurred in Puerto Rico last year. The information from that investigation should be used to verify the reasonableness of the VCE model assumptions. If about 1% of the spilled fuel was involved in the initial explosion, the model assumptions are reasonable. If it was closer to 10% or 0.1% then the model needs to be adjusted as appropriate. The thing to remember about models is that they are theoretical constructs. When the results of a model accurately predict actual occurrences the model is a valuable tool. If the model cannot be used to make reliable predictions of real world conditions then it is a poor tool and should be modified or discarded. Models should be validated against new data on an ongoing basis. Gasoline and IEDs Currently DHS does not include flammable liquids and gasses as theft/diversion chemicals in general and certainly not gasoline or any other petroleum based fuels. The basic reason is that the use of flammable liquids to create a VCE of any political consequence (the goal of any terrorist attack) requires a large volume of the liquid and is even difficult to set up when one has the chemicals in place. Having said that, the Army did some work in the 1970s on using gasoline as an improvised explosive for making anti-tank ditches in built-up areas. It was inspired by a news story describing an accidental discharge of gasoline into a sewer line that was then detonated by some ignition source; a two block length of sewer line exploded making a nearly uniform trench the length of the street. While the use of this type ‘explosive’ would be significantly more complicated than the ‘underwear bomb’ of recent history it would be an effective technique to use against urban or suburban targets. Since there is only minimal security at many fuel terminals and there are usually fuel transporters located nearby, the acquisition and transportation of the needed fuel a relative easy part of the fuel-IED process. Thus, it seems reasonable that DHS should consider adding a theft/diversion listing for gasoline because of its wide spread availability and its demonstrated utility as a raw material for an effective large scale IED.

DHS Laws & Regulations Web Page Updated 01-12-09

Yesterday the Department of Homeland Security updated the Laws & Regulations web page in the Counter-Terrorism section of their web site. They added the following information in the “Notices Posted in the Federal Register” section of the page:
DHS request for comment on CFATS regulatory provisions for aboveground gasoline storage tanks. Published on January 12, 2010. The Department of Homeland Security invites public comment on issues related to certain regulatory provisions in the Chemical Facilities Anti-Terrorism Standards (CFATS) that apply to facilities that store gasoline in aboveground storage tanks. Written comments must be submitted on or before March 15, 2010.”
This change deals with the notice that I discussed in yesterday’s blog. I’m still more than a little surprised that DHS has not updated the Chemical Security “Statute” section of this page to reflect the extension of the CFATS authority that was included in the Homeland Security FY2010 budget bill.

Tuesday, January 12, 2010

DHS-CERT CSSP Web Page Update – 01-12-10

The DHS-CERT Control System Security Program (CCSP) web page was updated on Tuesday. There was a significant re-design of the page and a link to an updated page for the Industrial Control System Joint Working Group (ICSJWG). The two new pages have a lot of information that will be valuable for the chemical security community. CCSP Page The data portion of the CCSP page is now smaller than the previous design. To provide additional room for new information there is now a three-tabbed block in the center of the page that allows the CCSP to provide new information in the same space. The current tabs are “What’s New”, “Top Ten”, and “Reporting”. The Top Ten list provides links to the top ten accessed documents on the site. Unfortunately, the link to the ‘Calendar’ page is currently not operational. The current list includes, among other things:

Catalog of Control Systems Security: Recommendations for Standards Developers (pdf), Cyber Security Procurement Language for Control Systems (pdf), Developing an Industrial Control Systems Cybersecurity Incident Response Capability (pdf), and

Secure Architecture Design.

The “Reporting” tab includes links for reporting control systems incidents (this leads to a reporting form with a cursory description of what constitutes a ‘control system incident’. Actually, this brief and very inclusive description is probably very valuable in bringing in the widest volume of incidents that affect cyber control systems. This would allow CCSP to weed out the non-cyber incidents instead of pre-empting good reports that might not fall under a more specific description. ICSJWG Page The ICSJWG page provides updated information on the Spring 2010 Conference that I had briefly reported in a previous blog. The new information includes the actual location of the conference in Austin, TX (JW Marriott San Antonio Hill Country Hotel and Conference Center), a link to a one-page brochure about the conference, and a link to the conference registration page. There is also a ‘Call for Papers’ announcement on the page, though the link for the electronic submission of proposal abstracts has not yet been established. The program committee has provided a non-exhaustive list of topics that they are looking to have covered at the conference. These include:
Workforce Development, Control Systems Security Research, International Coordination, Standards Development, Incident Handling, Vulnerability Management, Emerging Technologies, Managing Vendor Relations, Integration of Cryptographic Technologies, Security Management Metrics, Wireless Integration in ICS environments, and Coordination of Threat Reporting.
I am always amazed (not really) when there is a noticeable lack of cross fertilization of ideas and topics in the various parts of the Department. Particularly amusing here is that the one regulatory program that is actively trying to deal with industrial control system issues is not mentioned in the program committee’s list of topics. I would have liked to see CFATS cyber security issues get some prominent mention in this forum. As more information becomes available on the ICSJWG Spring Conference, it will certainly be mentioned here in this blog.

PTC Final Rule to be Issued Friday

Last week I mentioned that I thought that the Positive Train Control (PTC) Final Rule was near to being issued. Today a Federal Railroad Administration (FRA) press release noted that the final PTC rule was being published today in the Federal Register. Actually, that is misleading as it was not published in today’s FR. It was released to the GPO today for publication in the January 15th issue of the FR. An advance copy of the final rule is available on the FRA web site. A quick review of the advance copy of the final rule shows that there is an extensive discussion about the issue of PIH re-routing decisions and their affects on which lines will be required to install PTC systems and how that might affect shipping costs. I will hold-off making any detailed comments on this until the legal version of the rule is published on Friday, but it looks like this rule is going to have a significant impact on shippers of PIH chemical via rail.

Gasoline Terminals under CFATS

On Tuesday, January 12th the Department of Homeland Security published a notice in the Federal Register requesting comments on “certain technical issues related to the applicability of CFATS to gasoline terminals”. These comments are being requested, in part, based upon a May 13, 2009 petition by the International Liquid Terminals Association (ILTA) requesting that DHS exempt gasoline from CFATS and remove all references to gasoline terminals from §27.203(b)(1)(v) and the CFATS flammable mixtures rule {§27.204(a)(2)}. The Problem The ITLA and other industry organizations have objected to the inclusion of facilities in CFATS coverage solely because of the presence of above ground storage tanks of gasoline or other fuels that contain release flammable chemicals of interest in the fuel mixture. They maintain that the physical characteristics of gasoline are such that a vapor cloud explosion (VCE) from a gasoline release is extremely rare and only occurs when there are multiple failures of safety procedures and devices. DHS has taken the position in their development of §27.203(b) and §27.204(a) that, while an accidental VCE is unusual, terrorists attacking a fuel terminal would be expected to structure their attack to take into account the necessary conditions to form an effective VCE. Instead of relying on a series of accidental conditions to cause a VCE, the terrorist would deliberately cause the necessary conditions. DHS has modified the Environmental Protection Agency model used to evaluate the potential consequences of a VCE for the purposes of determining if a facility is at high-risk of terrorist attack. Recognizing the added difficulties of initiating a VCE with gasoline, the DHS modified model reduces the amount of the released gasoline considered to take part in the VCE from the 10% that EPA uses for other flammable liquids to just 1%. The gasoline terminal industry has maintained that, if a consequence analysis of a terrorist attack on a fuel terminal is needed, that DHS ought to use the contained pool fire model for conducting that evaluation. Further, the industry claims that the use of that model would not result in fuel terminals being designated as high risk facilities; as such a fire would have minimal off-site consequences. DHS has countered that maintained that the contained pool fire scenario is inappropriate, because a terrorist attack would certainly seek to breach the secondary containment that that model relies upon to ‘contain’ the pooled gasoline fire. DHS does not yet have a viable model available for evaluating the uncontained pool fire scenario. The Questions In this notice DHS is requesting public comments on three issues relating to the inclusion of gasoline terminals in potential coverage under the CFATS regulations. Those issues are: Whether DHS should continue to include the rules for counting flammable release-COI {6 CFR 27.203(b)(1)(v)} in fuels stored in above ground storage tanks and the fuel provisions of the flammable mixtures rule {6 CFR 27.204(a)(2)} in the CFATS regulations; Whether the modified VCE model currently being used by DHS to evaluate gasoline terminals is the appropriate model for determining the risk of terrorist attack associated with those terminals that have no other COI present. Specifically, DHS wants to know if the 1% rule currently used in that model is the proper amount of fuel to include in the VCE calculations; and Whether a model currently exists or should be developed to evaluate the consequences of an uncontained pool fire at gasoline terminals. The public comments should be submitted to DHS via www.regulations.gov (docket # DHS-2009-0141) by March 15, 2010.
 
/* Use this with templates/template-twocol.html */