Friday, July 30, 2010

New Security Blog

I ran across an excellent review of this week’s hearing before Senate Environment and Public Works Committee on a relatively new security blog, the ASDWA Security Notes. The ASDWA is the Association of State Drinking Water Administrators and this new blog looks at security issues affecting water treatment facilities. While not strictly speaking a chemical security blog (as there are many more security issues facing water treatment facilities than just chemical security) this blog will be watched for its take on the chemical security issues facing such facilities. Bridget O’Grady, in her description of the Lautenberg Water Facility Security Act, makes an interesting point about IST, noting that: “calls for states and utilities to make “inherently safer technology” determinations (although that term does not appear in the legislative language)”. Neither the WFSA nor the House passed version of HR 2868 ever mentions ‘IST’ or ‘inherently safer technology’. Instead they both use the term ‘actions to reduce the consequences of a terrorist attack’. I’m sure that the reason that the drafters of these two bills avoided the term ‘inherently safer technology’ or ‘IST’ was to avoid the type of conflict and confrontation that have routinely been associated with those terms when used in the security context. The problem with the suspect terms is that they have taken on separate meanings in the chemical and the advocacy communities which cause the two sides to talk past one another. Unfortunately those plans of avoiding conflicting terminology were subverted by the supporters and the politicians on both sides of the issue who continue to use language that obfuscates the solutions by putting up unbreakable walls between the two sides. Oh well, such is politics in the US today.
In any case, I’ll continue to watch the new ASDWA blog and I will point out any new information or views they identify on chemical security issues at water treatment facilities; the more voices involved in the discussion, the better. Welcome.

Summer Recess

When the House finishes their business today they will begin their summer recess (unless they are forced to have a Saturday session to finish their business). The Senate passed House Concurrent Resolution 308 (H.Con.Res. 308) yesterday setting the dates for Adjournment for the House. The House will return on September 14th for a daily session starting at 2:00 p.m. EDT. The Senate adjournment resolution (H.Con.Res 307) was passed in the House yesterday but has not yet been acted upon by the Senate. It is expected to pass by Unanimous Consent (as did H.Con.Res. 308). The Senate will start their recess on August 6th (next Friday) and return on September 13th with a morning session starting at 12:00 pm EDT. The House recess is starting a week earlier than originally planned. Pundits have blamed this on the necessity of getting back to the home districts to save their political campaigns. It certainly means that action on actually passing the Homeland Security Appropriations bill (which has not yet been marked up by the full House Appropriations Committee) won’t be started until sometime in September. It will be unlikely for the final bill to get to the President before October 1st.

TSA SSI Threat Assessment ICR Renewal

The Transportation Security Administration posted a 60-day information collection request (ICR) renewal notice in today’s Federal Register. The current ICR (OMB 1625-0042) allows TSA to collect information to determine “whether the party or representative of a party seeking access to sensitive security information (SSI) in a civil proceeding in federal court may be granted access to the SSI” (75 FR 44974).

History of Collection Request

The original ICR public notice was filed in November 2006 under emergency procedures because there was a court case in progress where a determination about access to Sensitive Security Information needed to be made. To collect the necessary data to make that evaluation TSA requested expedited approval from the Office of Management and Budget (OMB). OMB provided a six-month approval under those procedures. TSA came back in 2007 and requested a renewal of the ICR under standard procedures. OMB received and approved that renewal on October 10th 2007 with an expiration date of October 10th of this year. TSA will be requesting a standard three year re-approval of the ICR without any modifications.

Use of Information Collected

When a party in a civil proceeding in Federal Court seeks access to SSI information for preparation of that party’s case (including providing access for expert witnesses, consultants or court reporters as required), TSA will require the submission of information including identifying information and an explanation supporting the party’s need for the information. TSA will use the information to conduct a threat assessment which will include:

“(1) a fingerprint-based criminal history records check (CHRC),
“(2) a name-based check to determine whether the individual poses or is suspected of posing a threat to transportation or national security, including checks against terrorism, immigration or other databases TSA maintains or uses; and
“(3) a professional responsibility check (for attorneys and court reporters)” (75 FR 44975)

The results of that threat assessment will be used to make the final determination of “whether the provision of such access to the information for the proceeding presents a risk of harm to the Nation” and if the individual will, therefore, be granted access to the SSI at issue in the case.

Public Comments

TSA is requesting public comments on their request for an extension of the current ICR which has been in existence since January 12th, 2007. Public comments should be emailed to TSAPRA@dhs.gov by September 28, 2010.

Thursday, July 29, 2010

S 3969 – MTSA 2010

I’ve been kind of busy this last week and I haven’t had a chance to review S 3969, the Maritime Transportation Security Act of 2010, introduced last week by Sen. Rockefeller (D, WV). Now I’m glad that I didn’t; Laurie Thomas just published her review of the legislation on her Maritime Security/MTSA News Blog. Since Laurie specializes in maritime security issues, I highly recommend that you read this posting if you have any interests in security issues at, in or near ports.

American Terrorist Update

We haven’t been hearing much about ‘eco-terrorists’ lately, but there is an interesting article over on Stratfor.com about the arrest last week of an accused fire bomber thought to be a member of the Animal Liberation Front (ALF). The accused is suspected in the firebombing of a leather factory, a store selling sheepskin products and a restaurant this year. Scott Stewart provides a very nice intelligence update on the group. Scott notes that when the suspect was arrested he had in his possession a copy of the ALF book “The Declaration of War: Killing People to Save the Animals and the Environment.” Scott’s analysis uses this fact and the increasing physical separation of the violent activists from the more mainstream members of the animal rights community to argue that we can expect increasingly violent attacks on facilities and the escalation to direct attacks on people. The Stratfor article does not suggest potential targets, but it doesn’t take an extensive intelligence background to make the leap that any kind of facility linked to action against animals, or that uses animal byproducts in making products, or produces products that are used to kill animals could easily make it to the ALF target list. Any number of chemical facilities, high-risk or otherwise could certainly fit one or more of those target categories. This is one aspect of the CFATS regulations that is frequently overlooked. Congress was concerned with attacks on chemical facilities that would essentially be attacks on the surrounding communities with the facility becoming the weapon for the attack. From a national perspective this is certainly a sound policy definition. From the aspect of security at any given chemical facility, it is certainly a method of identifying one particular type of terrorist risk. That certainly does not mean that facilities that did not make the DHS-ISCD ‘high-risk facility’ list can ignore the possibility of terrorist attack. 
Smaller, less protected facilities (softer targets) that fit into some target category for a ‘fringe’ radical group may actually be at a higher risk for actually being attacked than would one of the 6,000 facilities covered by CFATS. It wouldn’t have the overarching effect of an attack on a major chlorine production facility, but it would certainly be significant to that facility, its employees and the surrounding community. Facilities that think that they might be on a target list for a domestic terrorist group like ALF should contact their local Joint Terrorism Task Force (JTTF) for specific information on their potential risk status.

HSINAC Meeting 08-31-10

According to a notice in today’s Federal Register, the DHS Homeland Security Information Network Advisory Committee (HSINAC) will hold a two-day public meeting starting on August 31, 2010 in Potomac, MD. The meeting will be open to the public but the public will not be allowed to participate in the discussions. Seating will be limited and will be available on a first-come, first-served basis. According to that notice the mission of the HSINAC “is to identify issues and provide to senior leadership of the Department, in particular the Director of Operations Coordination and Planning, independent advice and recommendations for the improvement of the Homeland Security Information Network (HSIN)” (75 FR 44801). The agenda for this meeting includes:
● HSIN NextGen and the Common Operating Picture upgrade
● The HSIN NextGen capabilities release schedule
● The DHS portal consolidation program
● Interoperability across Federal systems
● The HSIN business case update
● Desired future HSIN capabilities
● Relocation of the HSIN program

Written materials and comments for Committee consideration and requests to make an oral statement can be submitted by email (HSINAC@DHS.gov) and the docket number (DHS-2010-0061) must be included. Submissions must be made by August 20th.

Wednesday, July 28, 2010

Reader Comment 07-28-10 IST Rules

Jennifer Gibson from NACD responded to my post about their opposition to HR 2868 (as passed in the House). Read her entire comment but she agreed with me that IST assessments would only produce limited options for chemical distribution, making the point that the evaluation would not be cost effective. Then she stated that:
“I would like to clarify that both H.R. 2868 as passed by the House of Representatives and S. 3599 as recently introduced by Senator Lautenberg would in fact impose IST consideration requirements on chemical distributors.”
The point that I think that she, and most opponents of an IST consideration mandate, fail to realize is that while an assessment must be conducted, the law (as crafted) does not specify how that evaluation would have to be conducted. DHS would be responsible for crafting the regulations that describe those requirements. Furthermore, looking at how DHS has crafted the current CFATS program, it is rather obvious how the folks at ISCD would attempt to design the data collection and evaluation process. An IST tool in CSAT would be a series of on-line questions that facilities would respond to. There would be initial questions about the facility operations to determine how COI are used at the facility. The responses to those questions would lead to additional questions pertinent to that facility. For distribution facilities one could easily see that those questions would be limited to inventory level questions to track options for possibly reducing maximum inventory levels or dispersing the most hazardous chemicals in multiple, separated tanks to reduce the maximum potential release. Such information would be readily accessible to facility management. The cost of this type of ‘assessment’ would be reasonable. The inventory management controls necessary to implement such an IST would be a small additional burden, but those costs would also be relatively easy to estimate. Even estimating the cost of installing additional tankage, if there was room on the facility for a reasonable dispersion plan, would not be an overly costly exercise. It is certainly true that many chemical manufacturers could have a costly chemical and civil engineering task ahead of them in evaluating potential IST possibilities for their facilities. Regulations supporting an IST consideration mandate would need to take into account the cost of the assessment; an extremely complex and expensive assessment process would only be justified for the highest risk facilities.
But again, this is a consideration for the regulatory process not the legislative process. Keeping the difference between regulations and legislation in mind is an important concept. As HR 2868 moves toward the Senate floor industry organizations must realize that there will be further attempts to add IST language back into the bill. At least one Senator in today’s hearing mentioned his intention to introduce a floor amendment to require a New Jersey style IST consideration mandate. Such a mandate will probably be the minimum requirement to get House approval in conference. Actually, given the three year limit on HR 2868 (as amended today), it might make a great deal of sense for industry to support such a consideration mandate. This would allow industry and DHS to iron out the details of such a regulatory program in a way that would make the most sense. After all, no one can really argue that facilities should not take a serious look at the chemicals and processes they use with a view to reducing their risk, both from deliberate acts or accidental release. If a reasonable risk reduction can be obtained at a reasonable cost, it will only enhance the facility’s operations and profitability.

EPW Water Security Hearing

Today the Superfund, Toxics and Environmental Health Subcommittee of the Senate Environment and Public Works Committee held their first hearing on chemical security issues at water treatment and waste water treatment facilities. While Chairman Lautenberg (D, NJ) assured Ranking Member Inhofe (R, OK) at the start of the hearing that this was an oversight hearing, it was quite obvious from Lautenberg’s questions of each of the witnesses that this was really a hearing on S 3598, the Water Facility Security Act. If you had listened to the HR 2868 hearings last year in the House, nothing here would have been surprising in the testimony about requiring facilities to consider and implement inherently safer technology techniques to reduce the consequences of a terrorist attack. Sen. Lautenberg was steadfast in his support for requiring facilities to switch away from the use of gaseous chlorine as were his Democratic colleagues. Sen. Inhofe stressed his belief that facilities should be the ones to make the decision to implement such changes.

EPA Supports HR 3598

Cynthia Dougherty, Director of the EPA’s Office of Ground Water and Drinking Water, was clear in the Administration’s support of a qualified IST mandate for the highest risk facilities and the importance of bringing water facilities under a clear chemical security program mandate. In her responses to Sen. Lautenberg’s questions she expressed the Administration’s almost totally unswerving support for S 3598. Ms Dougherty did admit under questioning by Sen. Inhofe that the Department does not currently have the resources to implement HR 3598, but would presumably get those resources in subsequent authorization legislation.

Public Witnesses

The only witness with any objection to the IST mandate included in S 3598 was Benjamin Grumbles, Director of the Arizona Department of Environmental Quality. He cautioned that utility management was in the best position to evaluate whether or not it would be feasible for the facility to switch away from gaseous chlorine. He did acknowledge that given the States’ role envisioned in the enforcement of S 3598 he thought that they would be responsive to facility level decisions. The only ‘industry’ witness was not from a water utility but rather a supplier of one of the alternative technologies that would presumably be chosen to replace gaseous chlorine. Carlos Perea, CEO of Miox Corporation, made it very clear that the on-site generators that his company and their competitors produce would provide a safer alternative to the current use of gaseous chlorine. The only potential negative for such systems was raised by Mr. Grumbles when he noted that utilities would have to look at the electrical requirements for the operation of that equipment. The other two witnesses were well known on both sides of this debate having appeared before similar hearings in the past. Paul Orum, representing the Blue Green Chemical Security Coalition (and author of the 2008 CAP report ‘Chemical Security 101’) painted a clear picture of the position of the environmental activist communities. Dr. Darius Savin, representing the United Automobile, Aerospace and Agricultural Implement Workers of America (UAW), made clear that labor unions were supporting the IST provisions of S 3598. Dr. Savin did, however, point out some shortcomings in that bill concerning inadequate labor participation in the security process that he thought needed correcting.

Procedural Surprise

The only surprise in this hearing was a simple procedural issue. The EPW Committee web site billed this as a full committee hearing, and it wasn’t. The only members present were from Sen. Lautenberg’s subcommittee. Actually it is normal for a Subcommittee to hold the initial hearing on an important piece of legislation like this, especially since the Chair was its author. I had assumed that Chairwoman Boxer had decided to skip that formality due to the late date in the Session so that this bill could be moved forward for quick consideration. It now appears that this bill may not be destined for the quick consideration that seemed to be in its future. That significantly reduces the chance of this bill getting to the floor of the Senate before full scale electioneering puts an effective damper on all controversial legislation.

Committee Approves Amended HR 2868

In an unusual display of bipartisanship the Senate Homeland Security and Governmental Affairs Committee approved an amended version of HR 2868 on a roll call vote of 13-0. As was expected Sen. Collins (R, ME) offered a substitute version of the bill that substantially modifies the intent and language of the legislation; that substitute language was adopted by unanimous consent. According to Sen. Collins’ comments, her amendment would:
● 3 year re-authorization for the current CFATS program
● Voluntary exercise and training program
● Create in DHS a voluntary technical assistance program for methods to reduce consequences
● Create best practices clearing house
The actual language of the substitute will not be available until the Committee report is published. Chairman Lieberman (I, CT) noted that there would need to be significant modifications made to this version of the bill for it to get through passage on the Senate floor and subsequently through negotiations in Conference with the House.

CFATS Knowledge Center Page Update 07-28-10

As of this morning the CFATS Knowledge Center web page now contains a link to a CSAT Agriculture Survey Questions Guide in the Documentation Section of the page. I would expect that this link will also be added to the Chemical Security Assessment Tool page. DHS might want to consider adding a page dedicated to the CSAT Agriculture Survey to their CSAT web site. They could provide a brief description of the purpose and scope of the survey as well as providing these links. They might also want to consider providing a link to a copy of the letter that they have sent out to the Ag supplier facilities. This would also provide them with a ready forum for posting the results of their survey.

DHS Appropriations Mark-up Postponed

Yesterday at 3:00 pm, when the full House Appropriations Committee was supposed to begin their markup of the FY 2011 DHS Appropriations Bill, the Committee announced that they had postponed that hearing until a yet to be determined later date. No reason was given for the postponement.

Tuesday, July 27, 2010

NACD Opposes IST

Today the National Association of Chemical Distributors issued a press release urging the Senate Homeland Security and Governmental Affairs Committee to pass S 2996 instead of HR 2868 which they are scheduled to mark-up tomorrow. While most chemical industrial organizations have opposed the imposition of an inherently safer technology (IST) mandate the NACD came out today in opposition to even the requirement to consider IST implementation. This is a position that has not been clearly expressed before and needs to be examined in detail. Their press release explained:

“The act of conducting IST assessments would be extremely costly for chemical distributors. These assessments will require expertise with IST methods, the likelihood of these methods to reduce risk, and their costs. The majority of NACD members are small businesses that do not have teams of chemical and process safety engineers on staff that would be able to conduct the IST assessments. These companies would be forced to hire consultants, who at rates of hundreds of dollar per hour, would easily drive the costs of the assessments into tens of thousands of dollars per facility.”

Small Companies and IST

While we don’t know exactly what chemical facilities make up the list of 6,000 plus CFATS covered facilities it is almost certainly true that most are small companies. For the most part NACD is absolutely correct that those facilities do not have “teams of chemical and process safety engineers on staff”. In fact, I would be willing to bet that a significant number of these facilities do not have any chemical engineers or process safety engineers on staff. NACD uses that fact to argue that it is financially impractical for these facilities to conduct such assessments. Again, this certainly has a large element of truth supporting the claim. On the other hand, this can equally be viewed as an added reason to require such facilities to conduct such a review. We should be able to expect that larger facilities with the requisite staff would be conducting these types of reviews as a matter of course as a part of the on-going process safety management (PSM) program at the facility. Those in-depth PSM reviews would also be expected to identify and correct a wide variety of problems that could result in chemical releases in the event of process upsets, mechanical failures and terrorist attacks. Smaller companies without the same resources would not be able to conduct the same level of PSM reviews. While these smaller companies would have a PSM program in accordance with Federal regulations, they would not have the ability to conduct the same level of proactive review and process improvements as facilities with large in-house technical staffs. It is extremely unlikely that they would voluntarily undertake an assessment of their processes to determine if there were legitimately safer alternatives that would be economically feasible to implement. The safe and reasonable solution to that inherent problem is not to avoid the imposition of an IST consideration mandate, but to make it easier for smaller facilities to undertake the financial risk of conducting such a review. One way to accomplish that would be to include tax incentives to allow smaller companies to partner with engineering and chemical education institutions to conduct such reviews. Financial grants could also be provided to educational institutions to conduct such reviews. Either would have the additional benefit of producing a new crop of chemists and engineers with the training and experience to continue making such reviews.

Chemical Distributors and IST

Having said all of that, it is not clear that any IST mandate included in current legislation would actually apply to chemical distributors. Typically chemical distributors take chemicals produced by other companies and simply store, re-package and perhaps blend those chemicals prior to shipping them to other facilities for use in other manufacturing processes. If their customers are buying chlorine gas, for instance, there is no amount of substitution that is going to provide that customer with chlorine gas. Even inventory reductions would be difficult to accomplish because the original suppliers typically only ship large bulk orders. Otherwise the customer would go directly to the supplier, getting a price break by avoiding paying the middle-man’s costs. This should make any IST consideration at a chemical distribution facility fairly straightforward. They would simply need to look at storage and handling conditions and inventory management options. None of the other, more complex options would apply to a chemical distributor. Detailed reviews of storage and handling conditions are already a part of the required PSM process and inventory management is the lifeblood of a distributor’s business model. This means that the only IST requirement would be to document actions already undertaken by chemical distributors.

Cost is a Legitimate Issue

So far Congress has attempted to deal with the cost issues of implementing an IST program. Legitimately Congress has exempted facilities from the IST implementation mandates in HR 2868 if the implementation is not financially feasible. Congress also needs to address the issue of the cost of conducting the IST review as HR 2868 continues to wend its way through the legislative process. None of the IST advocates that I have heard or talked with have any desire to run small businesses into bankruptcy. They should be more than willing to work with industry and Congress to develop methodologies to address the study cost issue for the large number of smaller facilities covered by the CFATS regulations.

CFATS Knowledge Center Update 07-27-10

The folks at ISCD added a new item to the ‘Latest News Section’ of the CFATS Knowledge Center web page. Apparently the letters sent out to the facilities that were being required to complete the Agricultural Survey had an error in the link to CSAT. The new note states:
“Letters with the corrected link to the CSAT Portal (https://csat.dhs.gov/csat) have been posted for facilities to access the Agriculture Survey. DHS regrets the initial error. Deadline for the Agriculture Survey is Monday, September 20, 2010.”
Covered facilities should have already had the URL for CSAT nearly hardwired into their systems by this time, but this certainly could have confused some people. Please note, however, that the revised letters do not change the due date for submitting the Survey.

Activists Target Republicans

I have frequently addressed efforts by Greenpeace to provide political support for the passage of legislation that would require high-risk chemical facilities to evaluate and implement IST techniques. For the most part those efforts have been targeted at getting their followers to apply political pressure to Democratic lawmakers to support such legislation. Now environmental activists probably have more pull in the offices of Democrats, but that must count as preaching to the choir. The latest effort, highlighted by a guest post on HuffingtonPost.com by Kristen Breitweiser, finally targets the politicians that are going to be necessary for passage of the legislation, the Republicans on the Senate Homeland Security and Governmental Affairs Committee and the two Democrats that joined Sen. Collins in sponsoring S 2996, the industry supported alternative legislation. If one (more probably 2) of the Republican Senators could be counted on to support HR 2868 in Committee and then on the floor of the Senate the bill could get passed this year. The question facing Greenpeace and their fellow environmental activists is how to convince these Senators to ‘defect’. In modern politics there are three ways to accomplish this: money, votes, or political persuasion. By ‘money’ I mean legal political contributions and I doubt that Greenpeace can outspend the chemical industry. The only Republican that is not from a solid conservative State is Sen. Brown and he’s not up for re-election this year, so that is an unlikely tactic to influence him. This leaves ‘political persuasion’ as the only real possible way to change one or more votes on this issue. Unfortunately modern political activists (on both sides of the various issues) have seemingly forgotten how to use this political tool. They stake out a hard line position and rail at their opponents for not accepting the inevitable. Political persuasion will never work that way.
What is required for political persuasion to work is an understanding of two things; your position and your opponent’s position. First you must understand what you really need to accomplish; not want to accomplish but need to accomplish. Then you must understand the same thing about the person that you are trying to persuade. If what each of you needs is mutually incompatible, then persuasion is not possible. In this case I think (my opinion not theirs) that what Greenpeace needs is to significantly reduce the amount of toxic chemicals stored in and around major urban areas. What industry needs (and they are the opposition of Greenpeace, not the Republican Senators) is to continue to make a ‘reasonable’ profit in the production and sale of their products. In my mind the two needs are not necessarily incompatible. What Greenpeace and their allies need to understand is that since they are the ones seeking change they are the ones that will need to convince industry to come to the discussion. Since industry just needs to maintain the status quo they do not need to influence Greenpeace. So, until they achieve a significant political majority (not likely in the near term) Greenpeace is going to have to figure out how to sell the critical parts of their agenda to industry.

Curing a SCADA Trojan

There is an interesting article over on HomelandSecurityNewsWire.com about some recent (7-22-10) information from Siemens on the Stuxnet Trojan. It includes a valuable link to the Siemens web site on the problem, but that is not what people are going to remember this article for. The title is what all of the non-SCADA folks are going to focus on: “Removing SCADA trojan may disrupt power plants”.

Update Testing

This is based upon the simple comment from the Siemens web site that says: “As each plant is individually configured, we cannot rule out the possibility that removing the virus may affect your plant in some way.” Of course, anyone that knows anything about industrial control systems knows that this is one of the main problems with installing any kind of update on the system. Every facility should have a virtual image of their ICS on a stand-alone system to test the installation of any update to see how it will interact with the various devices installed at that facility. This is one of the basic problems that IT folks have with understanding control systems. There are just too many devices that rely on specific links, channels and protocols to operate properly to allow an untested change to be made on the system. In an IT system if an update wipes out an IP address for a printer, there will be no production down time while it is re-installed. That is not the case with an ICS.

Software Security Testing

The other comment that should draw some attention in this article is this quote from Chris Wysopal of Veracode: “Software customers that are operating SCADA systems on critical infrastructure or their factories with the WinCC software had a duty to their customers and shareholders to not purchase this software without proper security testing.” This, of course, begs the question of what protocol or standard should a facility use to conduct such ‘security testing’. While I understand that there may be methods to conduct such testing (don’t ask me what or how; I’m a chemist) most facilities do not have in-house software engineers to conduct the testing. Even if there were a legal requirement for facilities to conduct such testing, I don’t believe that there are enough qualified personnel in the world to conduct such evaluations at the facility level. What is needed is the establishment of an industry wide standard for SCADA software security. Software producers could then certify their software against that standard and facilities could require that certification as part of their software purchase requirements. Failure of the software to provide that level of security protection would allow action against the supplier. While there are a variety of efforts to accomplish the standard setting, there has been little push by users to require the second. One of the advantages of having the very public discussion about the Stuxnet Trojan is that there should be more of a customer interest in SCADA security. Another way to accomplish this end is for the government to require such certification of control system software in regulated industries. While this is in process (?) for the power industry there has been little movement in this direction for high-risk chemical facilities mainly because DHS lacks the authority to do so.

Monday, July 26, 2010

House DHS Appropriations Markup

The House Appropriations Committee will be holding their full Committee markup of the House Homeland Security Appropriations Bill tomorrow at 3:00 p.m. EDT. The bill has not yet been introduced so there is no public version of the bill available for review. The hearing is scheduled to be web cast.

Ag Survey Template

For facilities that are required to complete the DHS CFATS Agricultural Survey (you will have received a letter from DHS notifying you to complete the survey) there is an interesting article at CropLife.com that might be of interest to you. It is a short article that briefly addresses this new program. There is very little information in the article (about what I included in my first blog on the subject) but they do provide an interesting link in the article. They have produced a .PDF document showing the actual CSAT pages (WARNING: this is a very large download file) from an Ag Survey for a generic facility. Someone has set up a dummy facility in CSAT, Mike’s Dev Facility 4, that services customers in the Oil Seed and Grain Farming NAICS. They then answered some of the initial questions for that facility and then printed a summary screen for that facility’s survey. They then recommend “printing the Ag Survey Screen Captures and completing a draft of the survey before inputting information into the CSAT system”. Typically ISCD folks have provided a similar service by producing a ‘Questions’ manual to accompany the ‘Users Guide’ manual. In this case they have only made the Users Guide manual available on their web site. This makes the document made available at CropLife.com a valuable tool for completing the survey.

Facility Specific Information

There is a potential problem with this tool: there is no way of knowing for sure that all of the pages that a facility will see on their Ag Survey are included in this file. DHS has designed their tool so that a facility will see only the questions that apply for their site. The preparers of Mike’s Dev Facility 4 answered the initial questions about their facility and those answers will not be the same as the answers produced by any other facility. Using a document like this will certainly make the on-line completion of the survey easier. It will allow facilities to identify the specific information that they will need to complete the survey and will organize that information in a readily usable manner.

While the provided screen prints would be a valuable addition to the Users Guide, I think that there is a better way to develop a facility specific ‘questions’ manual. I would suggest that a facility should develop their own tailored questions document by completing the first three sections of the Ag Survey (use the first 8 pages of the CropLife.com document as an information collection template to prepare for this). After saving the Survey at this point the facility preparer can print a facility specific version of the survey questions by using the ‘View Summary Report’ link on the left side of most Survey pages and following the subsequent instructions. There may still be pages on which the facility will have to answer questions that do not appear in the summary document, as the default answers on the various questions shown may not provide access to all possible pages. These CSAT tools are very complicated documents (which is one of the reasons that they take so long to produce), but there is a very generous time limit on getting this survey completed (September 20th, 2010). Facilities should certainly plan on taking multiple sessions to complete this survey.

CVI Note

Technically speaking the document provided by the CropLife.com folks is a violation of the CVI rules. Anytime that there is any facility information provided on the Ag Survey, the printed (electronic or paper) copy of the survey becomes Chemical-terrorism Vulnerability Information. It must be marked in accordance with the requirements of the Chemical-terrorism Vulnerability Information Procedures Manual. I’m sure that DHS will take cognizance of the fact that this isn’t an actual facility and ignore the technical violation.

Facilities, on the other hand, can expect that they will be required to protect any working copies of their Ag Survey as CVI. As soon as any facility specific information is added to the Survey it becomes CVI. This certainly includes working copies of the ‘blank’ survey found at CropLife.com.

Sunday, July 25, 2010

Reader Comment 07-25-10 Open Source Intel

While I try to keep a pretty close eye on what DHS is doing, it is a very big organization and I probably don’t see but a very small fraction of what gets posted on their web site. Fortunately, I am not the only one watching DHS. An anonymous reader recently posted a comment to an earlier posting of mine; not a comment on the posting, but pointing me at an interesting new DHS document posted on the web. The document is a Privacy Impact Assessment for a new program being conducted by the National Operations Center called the Publicly Available Social Media Monitoring and Situational Awareness Initiative.

To explain this program I need to go back to my past and tell a war story (‘war story’ - a mostly true personal story about a military operation not necessarily involving combat). Back in March of 1981 I was working out of an office in the G-3 Operations Office in the Berlin Brigade. When President Reagan was shot the Commanding General’s secretary heard the news before the CG did because she was watching her soap operas and AFN-TV broke into the broadcast with a breaking news bulletin. The official message didn’t get to the CG until a couple of hours later. From that day forward the CG required us to have a TV on in the Emergency Operations Center so that the duty NCO/Officer could provide immediate information from that information source.

I’m sure that that wasn’t the first time that a news organization was the source of operational information to elements of the Executive Branch. It certainly wasn’t the last. In fact with more and more electronic communications bypassing the traditional means of distributing information on news stories, I’m sure that there are a number of organizations that are monitoring news casts, web sites, and any number of different Web 2.0 social communications sites to get access to timely open source information. The PASMMSAI (someone has got to come up with a better name/acronym for this) program described in this document is the version being implemented at the DHS National Operations Center.

Blog Listings

The reason that my anonymous reader pointed me at the document can be found at the top of page 14 (the third page of a little more than five pages of sites being monitored). There can be found the name and URL of this blog. I am now an official, unclassified, and, unfortunately, unpaid intelligence source for DHS. I join a distinguished company that includes ABC News Blotter, Global Security Newswire, Stratfor, and Wikileaks. The NOC was even so kind as to include a listing of the keywords that they would typically be expected to use to search my blog (and all of the others) to help them “provide situational awareness and establish a common operating picture” (pg 17). If I was writing a search engine optimized blog I would certainly make sure that I would be careful to use as many of the words in their list as possible as many times as possible.

For readers posting comments to this blog you can rest assured that DHS is committed to redacting any personal identifying information (PII) from your comments before they include abstracts from those comments in any intelligence report prepared and disseminated from this office. I can see now that my ongoing campaign to get commenters not to use the nom de guerre ‘Anonymous’ is in serious jeopardy.

Saturday, July 24, 2010

Congressional Hearing Week of 7-26-10

This is going to be an interesting week for Congressional hearings for members of the chemical security community. There will be two Senate hearings that directly address chemical security issues and a House hearing that should be touching on at least some chemical transportation security issues.

HR 2868

As I mentioned briefly in a posting on Friday, the Senate Homeland Security and Governmental Affairs Committee will be marking up HR 2868 at their Business Meeting on Wednesday, July 28th at 10:00 am EDT. Since there are a number of other items (not chemically related) on the agenda for that meeting I don’t expect that we will see a large number of amendments offered during the mark-up; certainly nothing like the three-day markup we saw in the House Homeland Security Committee last fall. The Senate committees typically conduct their negotiations and arguments before their hearings are held. I would expect that Chairman Lieberman will offer an amendment in the form of a substitute at the start of the hearing. Based on past history the details of that amendment will not be made public until the Committee Report is published. If Ranking Member Collins offers a substitute amendment that will probably be the main vote on the IST provisions of the legislation, but we won’t know for sure until the Report is published. An affirmative vote on the final version of HR 2868 does not mean that the measure will make it to the floor of the Senate. This Committee has a history of not actually submitting its Committee Reports and nothing further will happen until that report is filed.

S 3598

The Senate Environment and Public Works Committee will be holding their first hearing on S 3598, the Water Facilities Security Act, on Wednesday afternoon at 2:30 pm. The listing in the Congressional Record doesn’t actually say that S 3598 will be addressed. It just notes that the hearing will “examine protecting America’s water treatment facilities”. The witness list on the Committee web site includes Director Dougherty of the EPA’s Office of Ground Water and Drinking Water, the person who would be responsible for implementing S 3598 if it passes. The public panel does not include anyone representing the management of water treatment facilities, with the one corporate witness representing a company that provides hypochlorite production systems to treatment facilities. There will be a labor representative and an IST Activist on the panel. Don’t expect to hear any witness express opposition to an IST mandate at this hearing.

Surface Transportation Security

The House Homeland Security’s Subcommittee on Transportation Security and Infrastructure Protection will hold a hearing to examine TSA’s management of Surface Transportation Security Inspectors on Wednesday at 2:00 pm EDT. The disparity between air transportation security and surface transportation security will be addressed. With the Assistant IG on the witness list we can expect to see an IG report on the issue released at the hearing. Chemical transportation security is certainly part of the issue, but the two public witnesses listed on the Committee web site represent transit interests, not freight transportation. We’ll have to wait and see how much attention is addressed to chemical security issues.

Friday, July 23, 2010

Senate Panel to Markup HR 2868

The Senate Homeland Security and Governmental Affairs Committee announced today that the markup hearing scheduled for July 28th, 2010 will look at HR 2868, not S 2996 or S 3598. No further details are available at this time on the Committee web site.

New Greenpeace Video

Greenpeace has added yet another new program in their campaign to influence public opinion to help them convince Congress to implement an aggressive inherently safer technology mandate in the legislation to reauthorize the CFATS program. This time it is a video on YouTube showing a retired California fire fighter talking about his experiences in emergency response at chemical facilities.

The Video

I had a reader tell me that this video was produced by volunteers. You certainly can’t tell it from the production values. Ed Shlegel, the on-screen personality, is a retired Los Angeles Fire Captain and looks (and sounds) like he should have come from central casting. The photography is excellent with chemical facility backgrounds throughout the video and not a cheap shot in the batch; not a single shot that the chemical industry could object to. The dialogue is straightforward and it is certainly not strident. Ed explains that his job was to respond to emergency situations and describes rolling into a refinery with an active chlorine leak while the employees were ‘running out the gate’. He explains that going into danger was his job and he knew the risks he was going to potentially deal with. He then asks if the refinery’s neighbors knew the potential dangers that they were living with. He closes by explaining that the highest risk facilities have safer alternatives for their dangerous chemicals and the law needs to make sure that they use those alternatives. Finally, he recommends pressuring Sen. Boxer (D, CA) to support the unspecified legislation.

The Politics

It’s interesting that Sen. Boxer is targeted in this video. She is a Committee Chair, but the Public Works Committee would have little to do with chemical facility security legislation. That is, until last week when Sen. Lautenberg (D, NJ) introduced the Secure Water Facilities Act which would require water treatment facilities to evaluate and implement (where practical) safer alternatives to chlorine gas. Sen. Boxer’s committee has been delegated the responsibility to review that bill. Actually I doubt that the producers of this video had that in mind when they produced the video. A more important consideration was probably the fact that Ms. Boxer is in a relatively tight race for re-election this year. The environmental vote in California is an important constituency for Democratic candidates. Reminding the Senator of the issues that are important to the environmental community is especially important in a close election.

I first saw mention of this video on Twitter® in a tweet from GreenpeaceIL. That tweet ended with the comment: “Call Senator Burris today!”. This is one of the important aspects of this type of use of the web: a video that is targeted at a politician in California can be used by local activists to target a politician in Illinois.

The Message

I don’t think that this particular message is properly targeted. The most effective points made by this retired fire fighter are not security related. They have to do with community relations and hazard communications. None of those issues have anything to do, directly, with counter-terrorism, which is what the targeted security legislation is supposed to be about. In fact, there is not a single mention of security or terrorism in the video. Unfortunately, no one is currently working on bills to improve the laws dealing with Community Right to Know or emergency response planning issues. The only legislation looking at chemical facilities is the reauthorization of the CFATS regulations. So the environmentalists are targeting that bill.

Now when the environmentalists point out that removing high-risk chemicals from facilities effectively removes them from potential target lists of terrorists they do make a security point. That is never mentioned in this video. This only deals with emergency response and hazard communication. Will the target audience notice the difference? Probably not. So, if Greenpeace can get enough play on this video (always a potential problem with the thousands of videos posted to YouTube® every day), the video will probably have the desired effect on the public. Of course there is still the problem of preaching to the choir; Sen. Boxer can probably be counted on for supporting Sen. Lautenberg’s bill.

Thursday, July 22, 2010

CSSS Presentations – Personnel Surety

During the Chemical Sector Security Summit earlier this month Matt Bettridge from DHS provided an update on the status of the proposed Personnel Surety program being developed to provide high-risk chemical facilities a tool to allow them to submit information to have employees and visitors checked against the Terrorism Screening Database for ‘terrorist ties’. This check will provide covered facilities a method for meeting their obligations under §27.230(12)(iv). This proposed program has generated a great deal of controversy since it was first introduced via a 30-day information collection request (ICR) notice in the Federal Register last summer and modified by a 60-day ICR notice earlier this year. The slides for this presentation do not directly address many of the concerns raised by industry, but the tone and the details of the steps going forward should ease some of those concerns.

Covered Personnel

The presentation outlined the general procedures and addressed the issue of which facility personnel would be affected by the submission requirements. The slide specifically states that the program “[d]oes not affect facility personnel that do not have access to facilities’ restricted areas or critical assets” (slide 2). This apparently indicates a change in the intention of DHS to require screening all facility personnel (as understood by most commenters to the DHS 60-day notice).

Rule Making Process

A number of commenters on the ICR notices expressed concerns that the proposed personnel surety program should be covered by a formal rule making process rather than the less formal ICR process. The presentation partially addressed this issue by explaining that DHS would submit a notice of proposed rule making (NPRM) under the Privacy Act System of Records Notice (SORN) requirements. That NPRM would be published in the Federal Register at the same time that DHS publishes their response to the public comments received for the 60-day ICR notice.

Timeline

According to the presentation the “[i]nitial implementation of CFATS Personnel Surety is on pace for late fall 2010” (slide 7). DHS intends to use the same technique that they have used for the introduction of most new CSAT tools; the initial implementation will take place with a small group of select facilities. In this case they plan on using facilities that have already completed the SSP process and have approved plans. Lessons learned from that live testing will be used to perfect the tool before its general release.

Unresolved Controversies

There were a number of items in the presentation that do not appear to have changed since the 60-day ICR was published, even though they drew a number of adverse comments from industry. DHS still does not intend to ‘routinely notify’ the facility or the individual of a positive match in the TSDB search. I would hope that Mr. Bettridge took the opportunity to explain the reasoning for that during the presentation, but it doesn’t show on the slide presentation.

The slides also indicate that DHS still intends to require facilities to “[n]otify DHS when an affected individual no longer has access to the restricted area and/or critical asset”. A number of commenters complained about the administrative burden that such a requirement would place on facilities, especially facilities that would be required to list off-site corporate personnel as having unaccompanied access. The wording on the slide seems to parallel the ICR wording that seemed to require including to which restricted area or critical asset each submitted individual would have access. A number of commenters complained that this went far beyond the scope of the requirement to check individuals against a list of known/suspected terrorists.

There wasn’t any legal requirement for DHS to address these issues at this venue, but it certainly would have provided a good forum for explaining the reasoning or easing concerns of the regulated community. Now Mr. Bettridge may have actually availed himself of that opportunity, but it isn’t reflected in the slides. This is just another reason why I think that it would have been much better if DHS had provided video or even audio copies of the actual presentations on the CSSS Presentations page.

Wednesday, July 21, 2010

HR 4842 Passed in House

On Tuesday the House passed HR 4842, the Homeland Security Science and Technology Authorization Act of 2010, on a voice vote. No amendments were made to the reported version of the bill. This means that the chemical security related provisions I noted in the introduced version of the bill and in the full committee mark-up remained unchanged in the version of the bill passed in the House this week. The bill now goes to the Senate where it might reach the floor before the fall recess (no one will look at it before the summer recess).

Knowledge Center Update 07-21-10

DHS has updated their CFATS Knowledge Center web page today. They announced a personnel change in ISCD management and provided additional information on the Agricultural Survey that I wrote about last night.

ISCD Personnel Change

In the ‘Latest News’ section of the page, ISCD posted the following notice:

“On July 19, 2010, Ted Cromwell became acting CFATS Senior Compliance Officer, replacing Laurie Boulden who takes over as Technical Analysis Branch Chief. Rest assured that during the transition and forward, ISCD compliance policies, actions, and branch staff—including the Help Desk—will continue to implement CFATS in a consistent, seamless manner. As always, we are eager to hear from you with questions and concerns.”

I talked with Laurie Boulden when I did an article for the Journal of Hazmat Transportation on her Corporate Reporting Tool. She is a very well spoken and informative woman who was very helpful in providing information about the program that she had worked so hard to develop. I’m sure that she’ll do well as the Technical Analysis Branch Chief. Congratulations Laurie.

Agricultural Survey

The ‘Latest News’ section also includes this notice about the Agricultural Survey:

“DHS is requesting information from approximately 1274 CFATS high-risk covered facilities that may sell, transfer or commercially apply COI-containing products (e.g., pesticides, fertilizers) used in agricultural activities by agricultural production facilities (e.g., farms, ranches, dairies, equine facilities, parks). Recipients must complete and submit the Agriculture Survey by Monday, September 20, 2010. DHS indefinitely extended the Top-Screen submission due date for agricultural production facilities in December 2007. The survey will provide DHS with additional information on potential risks, vulnerabilities and consequences related to facilities throughout the agricultural COI distribution chain – including manufacturers, distributors and retailers, commercial applicators and end users – and help the Department determine its next steps regarding the Top Screen extension.”

Additionally, there are 10 new frequently asked questions (and responses, of course) directly targeting this new CSAT tool. Those questions are:

1671: I sell pesticides, but only deliver them to customers on an "as needed" basis. How do I answer the questions regarding delivery of my pesticide products?
1672: For purpose of completing the Agriculture Survey, how will I know if a pesticide includes an agricultural chemical of interest (COI) at or above the minimum concentration? Where can I find the EPA Registration Number for the pesticide? Where can I find the percent by weight of a COI in the pesticide?
1673: Where can I read about the current indefinite extension to the Top-Screen deadline for agricultural facilities?
1674: Do the Appendix A minimum concentrations apply to the Agriculture Survey? What about the Appendix A screening threshold quantities (STQ)?
1675: I sell fuels that are Appendix A COI or that include COI, such as propane, to agricultural facilities. Should I include these fuels in the Agriculture Survey?
1676: Will my responses to the Agriculture Survey be protected as CVI?
1677: What is an “agricultural facility” as regards the Agriculture Survey?
1678: What are “agricultural activities” in terms of the Agriculture Survey?
1679: What does the term “COI-containing products” mean in the Agriculture Survey?
1680: When is the Agriculture Survey due?
1681: What CFATS covered facilities will receive the Agriculture Survey?

What is clear from reading these responses is that DHS will be mailing letters to those CFATS facilities that will be required to complete the Agricultural Survey and they are currently targeting fewer than 1300 facilities. If your facility receives one of those letters you certainly need to read each of the FAQ. If your facility services the agriculture sector I would think that it would also be a good idea to read these FAQ.

Tuesday, July 20, 2010

CSAT Web Page Update 07-19-10

Without any fanfare or explanation the CFATS people at ISCD updated the Chemical Security Assessment Tool web page today. A single change was made to the page, adding a link to another ‘Key Document’ on the right side of the page: the CSAT Agriculture Survey User Guide. This document and its associated tool in CSAT (Agricultural Survey) are part of the data collection effort to resolve the issues that led to the issuance of the Agricultural Facilities Time Extension Notification in January 2008.

What is not yet clear is how DHS intends to communicate the requirement to complete this survey to “CFATS covered facilities that sell, transfer or commercially apply COI and COI-containing products to agricultural production facilities subject to the extension of the Top-Screen due date” (pg 1). There are a couple of possible options: an official letter to the targeted facilities or a notice in the Federal Register. There is no notice scheduled to be published in the July 21st Federal Register, but one could be posted at some later date.

With just a quick review of this document this evening it looks like a standard CSAT tool, requiring registered users who have completed CVI certification to access the tool. The odd thing about the questions is their focus on the facility’s customers rather than on facility security. It does not appear that facilities will be required to identify specific customers. The questions appear to be targeted at the universe of customers for each Covered Facility.

Another interesting provision of the Survey is that DHS is asking for information on chemical use for all chemicals that are listed DHS chemicals of interest (COI) or that contain one or more COI above the minimum concentration values listed in Appendix A, regardless of whether or not the delivered quantity is above the Screening Threshold Quantity (STQ) for that COI. This applies even if the covered facility was not required to report the COI on their Top Screen because it was below the STQ threshold.

I’m sure that I’ll have more to say about this document and its associated program after I have had a chance to look over the document in more detail and do some more research on how DHS plans on using this tool and its associated information.

Possible CFATS Mark-up Hearing

Today the Senate Homeland Security and Governmental Affairs web site added a listing for a Committee Business Meeting to their hearing schedule web page. That meeting is scheduled to convene on July 28th at 10:00 am. There is no agenda currently available for that meeting. With all of the recent speculation that the Committee would mark-up HR 2868, S 2996 or even S 3599 this month, it is possible that this meeting could address one or more of the three bills, though I would normally expect the Committee to only favorably report one of these three bills.

Because of the close working relationship between Chairman Lieberman (I, CT) and Ranking Member Collins (R, ME), and their polar opposite approaches to IST mandates, I don’t really expect any of the current bills to be reported without significant modifications. Everyone also seems to forget that the putative reason that the Committee decided to take no action at their previous CFATS meeting was because the ISCD folks at DHS were in the process of drawing up their own version of a potentially comprehensive CFATS reauthorization bill. We could possibly see an approach that Lieberman and Collins could both support come out of DHS, since the professionals at ISCD don’t have a particular ax to grind in this fight.

If that were to happen, I would expect to see that offered as an amendment in the nature of a substitute for one of the three bills. One could argue that the Collins bill would be the likely vessel for that substitute. If the bill were close enough in language and construction to HR 2868, amending that bill might make more legislative sense as it would take fewer votes (times voting, not number of votes) to get it through Congress. Fewer scheduled votes means a better chance of passage in an election shortened session. I still don’t see a comprehensive CFATS bill happening this year, but really well crafted DHS language might offer enough for Democrats to support and Republicans to not actively oppose. Stranger things have happened, but don’t hold your breath, not in an election year.

S 3607 Introduced

Yesterday Sen. Lautenberg introduced S 3607, the FY 2011 DHS Appropriations Bill. The Committee Report is available (Sen. Report 111-222) and a version of the bill is available on Thomas.Loc.gov today, but the GPO web site does not yet have a .PDF version available for download. Lots of stuff to review here, but arguably the most important provision for the chemical security community is the language in the bill for the CFATS authorization extension. No surprises here; the language is straightforward with no complications:
“Sec. 543. Section 550(b) of the Department of Homeland Security Appropriations Act, 2007 (Public Law 109-295; 6 U.S.C. 121 note), is amended by striking `on October 4, 2010' and inserting `on October 4, 2011'.”
It is easier to review the .PDF version than the one currently available on the Library of Congress site. I’ll wait to do my detailed review until after the GPO version becomes available. Besides, nothing more will probably be done on this bill until after the summer recess.

Reader Comments: 07-19-10 SCADA Trojan

PCM left a response to yesterday’s blog posting about the Siemens SCADA Trojan. PCM noted:
“And what is Siemens doing about the hard coded database password issue? THAT is the real problem, not the Microsoft 0-day...”
Actually, as I pointed out in the original blog posting from last week, there are three components of the Trojan, now named the ‘Stuxnet worm’, that make it work so well: the new Microsoft vulnerability, a trusted security signature and the Siemens password. Last week the initial response from both Microsoft and Siemens was to point fingers at the other’s part of the problem. That, now at least, seems to have changed; both seem to be responding to their part of the problem. Well, as PCM points out, Siemens seems to be working on methods to deal with Stuxnet, but they have not publicly addressed the hardwired password issue.

From various discussions going on around the net it seems that for some reason Siemens hardwired a set of passwords into this SCADA system. They don’t seem to be used in the way a normal password is used to allow a user to sign into a system. Instead it appears to be used to allow a piece of software to verify that it is authorized to be run on the system. It seems to me (and remember I am not a software engineer, just an old rookie programmer) that this type of password has to be hard wired into the program. Allowing someone to change or shut down the password would destroy the capability of the program to recognize new code or separate programs that are necessary to the operation of the complex system.

This means that the agency employing this type of hard-wired password-based authentication system must provide nearly absolute security to protect the identity of the password. It would even be smart to keep the fact of existence of such a password very closely held. Unfortunately neither seems to have been well done in this case (an article at PCWorld.com notes that the password was disclosed on the web in 2008). Any security expert would respond to that last comment with a sigh and ‘No DUH’; providing absolute protection for anything is just not possible.

There are other methods of providing this type of internal verification. They too are subject to compromise. Some, however, are easier to fix after a situation like this arises. It will be interesting to see how long it takes Siemens to come up with a patch to fix this problem, though ‘patch’ probably is an inadequate word to describe the complexity of the software change that will be needed to eliminate this hole.

ICS-CERT Response

Meanwhile, go read the PCWorld.com article. It provides some updated information and a good explanation of what is known to date. They also mention that DHS ICS-CERT has responded to this situation with an alert (ICS-ALERT-10-196-01) but noted that “the information is not publicly available”. I understand that the ICS-CERT has a Vulnerability Disclosure Policy, but that is supposed to prevent the spread of a previously unidentified vulnerability until the vendor has a chance to correct the problem. That hardly applies here; word about the vulnerability is fully in the public domain.

NOTE: While I was getting ready to post this I got another Reader Comment on the same subject from Andrew Ginter, a well known SCADA Security Blogger. Andrew wrote:
“The ICS CERT released an advisory on the malware dated today, July 20. You can find it at: http://www.us-cert.gov/control_systems/pdf/ICSA-10-201-01%20-%20USB%20Malware%20Targeting%20Siemens%20Control%20Software.pdf
In any case, SCADA systems have now officially joined the target community. Anyone who thought that SCADA was just ‘too complex’ to attack had better re-examine their reasoning. System owners really need to paint a bulls-eye on the case of their SCADA server to remind them that they are a target and need to be prepared to actively defend their systems.
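The contrast drawn above between a hard-wired password and verification methods that are easier to fix after a compromise, as an added example that is not from the original post or from Siemens: a fixed string compiled into every copy, beside a per-site key checked by HMAC challenge-response, where a disclosed key is retired by reprovisioning rather than by changing the program. `legacy_check`, `SiteVerifier` and the password value are hypothetical and constructed for illustration; nothing here describes how the Siemens software actually works.

```python
import hashlib
import hmac
import secrets

# Constructed value standing in for a password compiled into every copy of a product.
HARDCODED_PASSWORD = "constructed-example-password"


def legacy_check(presented: str) -> bool:
    """Hard-wired scheme: every installation accepts the same fixed string."""
    return hmac.compare_digest(presented.encode(), HARDCODED_PASSWORD.encode())


def respond(key: bytes, nonce: bytes) -> bytes:
    """Component side: prove possession of the site key without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class SiteVerifier:
    """Hypothetical per-installation verifier with versioned, revocable keys."""
    def __init__(self) -> None:
        self._keys = {}        # key version -> secret bytes
        self._nonces = set()   # challenges issued and not yet answered
        self.current = 0

    def provision(self) -> bytes:
        """Create a fresh random key for this site and hand it to a component."""
        self.current += 1
        self._keys[self.current] = secrets.token_bytes(32)
        return self._keys[self.current]

    def revoke(self, version: int) -> None:
        """Retire a key that is known or suspected to have leaked."""
        self._keys.pop(version, None)

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._nonces.add(nonce)
        return nonce

    def verify(self, nonce: bytes, version: int, response: bytes) -> bool:
        if nonce not in self._nonces:
            return False  # unknown or already-used challenge (replay)
        self._nonces.discard(nonce)
        key = self._keys.get(version)
        if key is None:
            return False  # revoked or never-issued key version
        return hmac.compare_digest(respond(key, nonce), response)


def attempt(site: SiteVerifier, key: bytes, version: int) -> bool:
    """Run one full challenge-response round with the given key."""
    nonce = site.challenge()
    return site.verify(nonce, version, respond(key, nonce))


def demo() -> dict:
    site_a, site_b = SiteVerifier(), SiteVerifier()
    leaked = site_a.provision()   # version 1 at site A; pretend it was disclosed
    site_b.provision()            # site B has its own, different version 1
    out = {
        "legacy_accepts_disclosed_password": legacy_check(HARDCODED_PASSWORD),
        "site_a_before_rotation": attempt(site_a, leaked, 1),
        "site_b_with_site_a_key": attempt(site_b, leaked, 1),
    }
    fresh = site_a.provision()    # version 2 replaces the disclosed key
    site_a.revoke(1)
    out["site_a_leaked_key_after_revoke"] = attempt(site_a, leaked, 1)
    out["site_a_new_key"] = attempt(site_a, fresh, 2)
    nonce = site_a.challenge()
    reply = respond(fresh, nonce)
    out["first_use"] = site_a.verify(nonce, 2, reply)
    out["replay"] = site_a.verify(nonce, 2, reply)
    return out
```

The per-site key is still a secret that can leak, which is the post's point that these methods "too are subject to compromise"; the difference shown is only in the blast radius and in how the fix is delivered.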

Monday, July 19, 2010

Canada-US Action Plan

Today DHS updated their Critical Infrastructure Protection landing page. They added a link to a web page about the recently released Canada-U.S. Action Plan for Critical Infrastructure. While this page was established last week (and announced in a DHS press release) the infrastructure protection aspects of the document were downplayed for some reason at that time. Placing the link to this page on the CIP landing page now highlights those aspects of the plan.

This is a typical ministerial level document; that means that there are plenty of motherhood and apple pie generalities and little in the way of concrete proposals. There are a few of those generalities that, if followed up, could have a positive effect on chemical security efforts. The cross-border shipments of high-risk chemicals of interest could have serious chemical security implications. The coordination of efforts to protect such shipments from origin to destination will enhance the security of both nations.

Public-Private Cooperation

One of the generalities is the identification of the need to coordinate the efforts of the government agencies responsible for public-private cooperation in critical infrastructure protection. The document assigns a joint action item of:
“Provide mechanisms and opportunities for the U.S. Sector and Government Coordinating Councils and the Canadian sector networks to work together to improve sector-specific cross-border collaboration.” (pg 6)
Since so many companies operate in both countries, it is likely that many of those companies already coordinate the security operations of facilities on both sides of the border. Facilitating the cooperation between companies that don’t have cross-border corporate ties is certainly a good idea.

Inter-Government Communication

Of course, one of the problems with this cooperative effort among the government agencies is working out the issue of information sharing. With so much of the critical infrastructure information protected by national laws on both sides of the border, finding legal methods for sharing that information while protecting proprietary information will be difficult. This new document recognizes this problem and outlines an appropriate action item of:
“The United States and Canada will work together to develop compatible mechanisms and protocols to protect and share sensitive critical infrastructure information.” (pg 7)
This is likely going to require modification of the laws mandating the information protection protocols.

Intelligence Analysis Sharing

A similar problem with sharing of intelligence information is also identified in the document. Again a general action item statement addresses the issue stating that:
“The United States and Canada will work together to identify public and private sector information requirements to support the development of valuable analytic products.” (pg 7)
Moving Forward

It will be interesting to see if DHS and its Canadian counterparts actually take any concrete action to further these goals. If these goals are to see any real success it will require action on the part of Congress to authorize many of these actions. Trying to get that agenda acted upon will almost certainly have to wait for the 112th Congress. The outcome of the fall elections will certainly have a major impact on how Congress proceeds with this process next year.

Update on SCADA Trojan

The folks at ControlGlobal.com have posted a copy of the press release sent out today by Siemens AG about the Trojan that I reported on last week. Anyone that is using the Siemens software Simatic WinCC and PCS 7 should read that press release and immediately contact their Siemens technical representative for further information.

BTW: Has anyone seen anything about this from DHS ICS-CERT? I certainly haven’t. Does anyone know why not?

DHS ConferenceOn.TV

I have been advocating for some time for DHS to provide video coverage of the Chemical Sector Security Summit. Now the folks at DHS don’t talk with me much, so I don’t know why they haven’t taken this obvious step, but I figured that there must be some legal or policy issue that prevented them from doing so. Then last week I received an email from the folks over at DHS S&T advising me of their latest offering on their Homeland Security ConferenceOn.TV Network.

Their latest offering is from their 11th annual Technologies for Critical Incident Preparedness Conference and Exposition, cosponsored by DHS, DOD and DOJ. Not much in the way of production values, just a single camera focused on the head and shoulders of the presenters. There is good audio though and the bandwidth is acceptable for a normal high-speed connection. There are a couple of other DHS S&T presentations available on the site, so this isn’t an entirely new capability at DHS (and certainly not new on the web).

I do notice that the only presenters are DHS employees, so I assume that there are some copyright issues. That is a shame because there are a number of CSSS presentations made by individuals from the private sector (though their slides are available on the CSSS Presentation page). So I guess there really isn’t a good reason that DHS isn’t making real coverage of the CSSS available on the web. Just providing presentation slides tells the vast majority of the chemical security community less than half of the story about the presentations. If DHS is really interested in communicating with the regulated community this is an obvious way to accomplish that.

Sunday, July 18, 2010

CSSS Presentations - DHS IST Proposal Confusion

As part of my review of the presentations made at the recent Chemical Sector Security Summit (CSSS) I was looking at the three presentations made as part of the Inherently Safer Technology (IST) panel when I received an email from a long-time reader. That email contained a copy of an article, “US safer technology trial balloon draws fire”, by Joe Kamalick posted on July 15th on ICIS.com (unfortunately I do not have a subscription to ICIS and the reader did not have the URL of the article).

The article essentially says that Larry Stanton of DHS proposed in his presentation a new way to handle the imposition of an IST requirement in the CFATS program without having to rely on a Congressional legislative mandate. Kamalick reported comments by SOCMA that they were surprised by this proposal, and comments by the NPRA that they were waiting for a formal proposal by DHS before they would look at the idea.

Not a New Proposal

First off, Stanton’s presentation is hardly new. It was made first to a Center for Chemical Process Safety meeting last year (6th Global Congress on Process Safety) at an inherently safer technology and security panel discussion. At that meeting Stanton explained that with the political push to include an IST mandate in any CFATS authorization, DHS had been tasked with looking at how such a program could be actually established. Since then, Under Secretary Beers formally announced that the Administration supported such a mandate in testimony before the Senate Homeland Security Committee.

Back in May I interviewed Stanton for an article that I wrote for the May-June issue of the Journal of HAZMAT Transportation (21:1, pgs 12-3) on this subject. In that interview Stanton reiterated what Beers told the Committee; DHS wanted to work closely with industry to come up with a practical method of using IST to address security issues.
This cooperative attitude was emphasized by asking us to include Larry’s contact information in the article; this was also included in the CCPS and CSSS slide presentations.

In both slide presentations and in my interview Stanton made clear that DHS does not believe that they have authority to include an IST implementation mandate in the current CFATS program. Actually the current CFATS authorization prohibits DHS from requiring any specific security measure. But DHS does believe that a ‘Consider, Document, and Report’ requirement could be added with an appropriate rule making process under the current authorization.

Part of the reason that DHS is interested in pursuing a CDR requirement is that there is a concern that facilities have been effectively instituting their own IST initiatives and the Department has no idea of how these facility programs have been affecting the larger nationwide chemical security situation. Some IST security measures could, for example, shift the risk to other locations or populations and DHS doesn’t want to encourage that type of security change.

IST Limitations

DHS is fully aware of the limitations of Inherently Safer Technology. As Stanton points out in his presentations, IST is explicitly a safety evaluation tool, not a security measure. This presents DHS regulators with a problem: IST “is a concept, not a list of some kind. Hence, ‘consideration’ becomes an open-ended proposition limited only by the imagination” (Slide 6). From a regulatory point of view this makes it very difficult to require a facility to ‘consider’ IST changes to its processes.

Do you have an exhaustive set of techniques that you would list in the regulation for each chemical to be evaluated by every facility producing or using that chemical? A comprehensive list would be very long and most applications would not be appropriate to all users of a given chemical.
The cost of conducting and documenting such reviews would be huge while auditing and verifying compliance would be nearly impossible.

Look at the relatively simple example of the use of chlorine gas as a disinfectant in the water treatment industry. Possible ‘alternatives’ include on-site chlorine generation, industrial strength bleach shipments, on-site bleach production, ozone treatment, UV light treatment, reverse osmosis filtration, and even steam distillation. The effective evaluation of any one of these techniques would require each local chlorine-using treatment facility to hire a consultant to conduct the appropriate engineering design studies to gauge the technical and financial feasibility of that technique. Defining the problem to be reviewed, posting the requests for proposals, reviewing the submissions and choosing a contractor could consume all of the 120 time limit for producing an evaluation as part of the process of producing a site security plan.

Do you allow a facility to choose a single technique to evaluate? This could allow some facilities to choose a cheap alternative that simply shifted the risk to other, perhaps larger populations. For example, how many people are now potentially exposed to the chlorine used to make the industrial strength bleach that Clorox will substitute for the chlorine that it used to use to make household bleach? Or would a facility choose a very expensive alternative, sure in the outcome that it could not be a financially feasible alternative?

Political Decisions

These are the kinds of questions that DHS is asking industry to help it solve. If industry abdicates and refuses to be associated with any kind of IST program, then it is likely that the backers of a radical IST agenda (elimination of the production and sale of chlorine for an extreme example) will have the majority of the input on how an IST provision is formed by Congress.
The people that are advocating an IST implementation mandate have a very one dimensional view of the issue; chlorine is bad, use something else. For industry to maintain an equally myopic view of ‘leave my process alone’ is just as destructive. Those either-or decision making processes just set up the kind of back and forth regulatory environments that industry cannot afford. Changing the rules when you change administrations is easy politically and only marginally difficult regulatorily. When it comes to planning for and running a business it is a sure way to bankruptcy.

The professionals at DHS are trying to put together a program that will help industry to protect their facilities and neighborhoods in a predictable regulatory environment, one that is based on a level playing field where competitors will have similar security requirements. They are proficient at writing regulations, conducting inspections and investigations, and enforcing rules. They do not have a detailed background in the chemical and process engineering disciplines necessary to write effective regulations in this area. They need the proactive help of industry to determine what can be reasonably done and how to do it in an economically responsible manner.

So, industry, let’s get off the dime. You have some of the best engineering and safety professionals in the world working for you. Help DHS figure out how to make this work. Just remember, Greenpeace and the Center for American Progress are certainly willing to give their assistance to DHS.

Congressional Hearings Week of 07-19-10

We have two hearings scheduled for the upcoming week that might be of interest to the chemical security community. Neither of them is directly about chemical security, but they are both looking at programs that have some impact on chemical facility security. Both will be held by Senate committees on Wednesday. The Committee on Commerce, Science and Transportation will be holding a hearing at 2:30 pm EDT on the reauthorization of the SAFE Port Act. This legislation addresses security at ports around the nation. The Homeland Security and Governmental Affairs Committee hearing at 10:00 am EDT will look at the recently released Bottom Up Review of the Quadrennial Homeland Security Review. Since the QHSR looks at how the Department will be working for the next four years, this could affect a wide number of chemical security programs.

DHS FY 2011 Budget Update

As I reported on Friday, the Senate Appropriations Committee ordered three budget bills favorably reported, including the DHS appropriations bill. The DHS bill has yet to be introduced, but I did find an interesting comment in the report (S Report 111-221) for the Agriculture Department appropriations bill (S 3606). In describing the vote on the reporting of the three bills the report notes that the Committee has “authorized the chairman of the committee or the chairman of the subcommittee to offer the text of the Senate-reported bill as a committee amendment in the nature of a substitute to the House companion measure” (pg 104). This is a standard procedure in the Senate and means that the Senate does not intend to take up these bills until the House has passed their version of the legislation. Then the Senate will essentially erase what was done in the House and pass their version of the bill. This would then require the bill to go to conference to work out the differences between the two versions. We still have to wait to see what the Senate bill actually includes and the House has yet to address their version before the full House Appropriations Committee. There is a long way to go before we get to the point where the Conference Committee will be designated to work out these differences.

Saturday, July 17, 2010

OMB Approves Reinstatement of Highway CSR

On Thursday the Office of Management and Budget (OMB) approved the reinstatement of the TSA Highway Corporate Security Review program. Instead of the requested three-year approval the OMB only provided a one year re-instatement of the information collection request (ICR – 1652-0036). OMB required TSA to provide a report on the efforts to improve the CSR program within six months. The OMB noted that:
“Consistent with the Surface Transportation Security Priority Assessment Implementation Plan, TSA should work with the DoT [sic] to implement an integrated Federal approach for security assessments, audits, and inspections to produce more thorough evaluations and effective follow-up actions for reducing risk, enhancing security, and minimizing burdens on assessed surface transportation entities. TSA should also coordinate data requests with the established single data repository to avoid redundant efforts, take advantage of existing data sets, and establish data access control. Within six months TSA should provide to OMB a status report regarding these efforts.”
As I noted in an earlier blog this CSR program deals with the collection of information from owners and operators of school bus, motor coach, and trucking (general freight and hazardous materials) companies during corporate security review visits by TSA Surface Inspectors. The information collected during these face-to-face visits is used to “establish the current state of security practices for highway modes of transportation. TSA will then be able to make policy and programmatic decisions to improve the overall security posture within the surface transportation community.” (74 FR 57326) Last summer I noted that as many as three TSA inspectors conduct these interviews. Typical interviews last two to three hours and cover “eleven topics: Management and oversight of the security plan, threat assessment, criticality assessment, vulnerability assessment, personnel security, training, physical security countermeasures, en route security, information technology security, security exercises and drills, and a hazardous materials addendum” (74 FR 28264). TSA expects to conduct 400 of these CSR within the next year. Since they are targeted at all commercial surface wheeled transportation, there is no telling how many of these will actually be targeted at trucking companies carrying hazardous materials. With the old program only conducting 100 CSR per year, whatever the number of hazmat trucking inspections actually is, it will likely be a significant increase over the previous program.

SOCMA Response

The folks at SOCMA did not take any time at all to come out with their response to the introduction of the new CFATS legislation by Sen. Lautenberg; it came out the same day. No one will be surprised that they are opposed to the IST mandate provisions included in the bill. While I have disagreed with SOCMA on occasion this response is a fair statement of their position and does propose a positive alternative to Lautenberg’s bill.

If this bill does actually start to move forward in the legislative process (unlikely in my opinion) I would hope that SOCMA and other chemical organizations would provide alternative suggestions for modifications of the bill to make it more acceptable to their interests. I fully understand their opposition to the IST provisions as written, but I am a firm believer in the process of politics and the art of compromise. I would hope that the industry would be part of that process.

Friday, July 16, 2010

DHS Appropriations Bill Reported in Senate

According to the Congressional Record for Thursday (pg D794) the Senate Appropriations Committee ordered a DHS Appropriations bill reported. No bill has yet been introduced (probably next week) nor has the bill actually been reported; though the Agriculture appropriations bill has been reported (Sen. Report 111-221). The Senate Appropriations Committee web site does have a press release covering the reporting of three bills (DHS, Agriculture, and Military Construction). That press release provides a link to a 5 page summary of the DHS bill. From that summary we can see that the Senate bill will provide the full $105 million requested by the Administration for the CFATS program and would include a one-year extension of the authorization for that program. Until we can see the actual wording of that extension section of the bill, we can’t be sure if there are any additions to that authorization. Since Sen. Lautenberg is now the acting chairman of the Homeland Security Subcommittee, he has a certain amount of leeway on what could be added to that section. Also of potential interest to the chemical security community is the spending authorization for the surface transportation security section of the TSA budget. The bill provides “$137 million for surface transportation security, including funds to annualize 100 new inspectors [emphasis added]” (page 3). This is compared to the 5,355 added Transportation Security Officers at airports to “staff new Advanced Imaging Technology (AIT) units”; we can see where surface transportation security ranks. We’ll just have to wait until next week to see what other interesting tidbits of information will be found in the Senate bill. Meanwhile, the House Appropriations Committee is not scheduled to take up the bill approved by their Homeland Security Subcommittee. So as has been the recent habit, the DHS Appropriations bill will not have any real chance of getting to the President before the end of the fiscal year.
 