Friday, July 30, 2010
“(1) a fingerprint-based criminal history records check (CHRC), “(2) a name-based check to determine whether the individual poses or is suspected of posing a threat to transportation or national security, including checks against terrorism, immigration or other databases TSA maintains or uses; and “(3) a professional responsibility check (for attorneys and court reporters)” (75 FR 44975)The results of that threat assessment will be used to make the final determination of “whether the provision of such access to the information for the proceeding presents a risk of harm to the Nation” and if the individual will, therefore, be granted access to the SSI at issue in the case. Public Comments TSA is requesting public comments on their request for an extension of the current ICR which has been in existence since January 12th, 2007. Public comments should be emailed to TSAPRA@dhs.gov by September 28, 2010.
Thursday, July 29, 2010
HSIN NextGen and the Common Operating Picture upgrade, The HSIN NextGen capabilities release schedule, The DHS portal consolidation program, Interoperability across Federal systems, The HSIN business case update, Desired future HSIN capabilities, and Relocation of the HSIN program.Written materials and comments for Committee consideration and requests to make an oral statement can be submitted by email(HSINAC@DHS.gov) and the docket number (DHS-2010-0061) must be included. Submissions must be made by August 20th.
Wednesday, July 28, 2010
“I would like to clarify that both H.R. 2868 as passed by the House of Representatives and S. 3599 as recently introduced by Senator Lautenberg would in fact impose IST consideration requirements on chemical distributors.”The point that I think that she, and most opponents of an IST consideration mandate, fail to realize is that while an assessment must be conducted, the law (as crafted) does not specify how that evaluation would have to be conducted. DHS would be responsible for crafting the regulations that describe those requirements. Furthermore, looking at how DHS has crafted the current CFATS program, it is rather obvious how the folks at ISCD would attempt to design the data collection and evaluation process. An IST tool in CSAT would be a series of on-line questions that facilities would respond to. There would be initial questions about the facility operations to determine how COI are used at the facility. The responses to those questions would lead to additional questions pertinent to that facility. For distribution facilities one could easily see that those questions would be limited to inventory level questions to track options for possibly reducing maximum inventory levels or dispersing the most hazardous chemicals in multiple, separated tanks to reduce the maximum potential release. Such information would be readily accessible to facility management. The cost of this type of ‘assessment’ would be reasonable. The inventory management controls necessary to implement such an IST would be a small additional burden, but those costs would also be relatively easy to estimate. Even estimating the cost of installing additional tankage, if there was room on the facility for a reasonable dispersion plan, would not be an overly costly exercise. It is certainly true that many chemical manufacturers could have a costly chemical and civil engineering task a head of them in evaluating potential IST possibilities for their facilities. Regulations supporting an IST consideration mandate would need to take into account the cost of the assessment, an extremely complex and expensive assessment process would only be justified for the highest risk facilities. But again, this is a consideration for the regulatory process not the legislative process. Keeping the difference between regulations and legislation in mind is an important concept. As HR 2868 moves toward the Senate floor industry organizations must realize that there will be further attempts to add IST language back into the bill. At least one Senator in today’s hearing mentioned his intention to introduce a floor amendment to require an New Jersey style IST consideration mandate. Such a mandate will probably be the minimum requirement to get House approval in conference. Actually, given the three year limit on HR 2868 (as amended today), it might make a great deal of sense for industry to support such a consideration mandate. This would allow industry and DHS to iron out the details of such a regulatory program in a way that would make the most sense. After all, no one can really argue that facilities should not take a serious look at the chemicals and processes they use with a view to reducing their risk, both from deliberate acts or accidental release. If a reasonable risk reduction can be obtained at a reasonable cost, it will only enhance the facility’s operations and profitability.
● 3 year re-authorization for the current CFATS program ● Voluntary exercise and training program ● Create in DHS a voluntary technical assistance program for methods to reduce consequences ● Create best practices clearing houseThe actual language of the substitute will not be available until the Committee report is published. Chairman Lieberman (I, CT) noted that there would need to be significant modifications made to this version of the bill for it to get through passage on the Senate floor and subsequently through negotiations in Conference with the House.
Tuesday, July 27, 2010
Today the National Association of Chemical Distributors issued a press release urging the Senate Homeland Security and Governmental Affairs Committee to pass S 2996 instead of HR 2868 which they are scheduled to mark-up tomorrow. While most chemical industrial organizations have opposed the imposition of an inherently safer technology (IST) mandate the NACD came out today in opposition to even the requirement to consider IST implementation. This is a position that has not been clearly expressed before and needs to be examined in detail. Their press release explained:
“The act of conducting IST assessments would be extremely costly for chemical distributors. These assessments will require expertise with IST methods, the likelihood of these methods to reduce risk, and their costs. The majority of NACD members are small businesses that do not have teams of chemical and process safety engineers on staff that would be able to conduct the IST assessments. These companies would be forced to hire consultants, who at rates of hundreds of dollar per hour, would easily drive the costs of the assessments into tens of thousands of dollars per facility.”
Small Companies and IST While we don’t know exactly what chemical facilities make up the list of 6,000 plus CFATS covered facilities it is almost certainly true that most are small companies. For the most part NACD is absolutely correct that those facilities do not have “have teams of chemical and process safety engineers on staff”. In fact, I would be willing to bet that a significant number of these facilities do not have any chemical engineers or process safety engineers on staff. NACD uses that fact to argue that it is financially impractical for these facilities to conduct such assessments. Again, this certainly has a large element of truth supporting the claim. On the other hand, this can equally be viewed as an added reason to require such facilities to conduct such a review. We should be able to expect that larger facilities with the requisite staff would be conducting these types of reviews as a matter of course as a part of the on-going process safety management (PSM) program at the facility. Those in-depth PSM reviews would also be expected to identify and correct a wide variety of problems that could result in chemical releases in the event of process upsets, mechanical failures and terrorist attacks. Smaller companies without the same resources would not be able to conduct the same level of PSM reviews. While these smaller companies would have a PSM program in accordance with Federal regulations, they would not have the ability to conduct the same level of proactive review and process improvements as facilities with large in-house technical staffs. It is extremely unlikely that they would voluntarily undertake an assessment of their processes to determine if there were legitimately safer alternatives that would be economically feasible to implement. The safe and reasonable solution to that inherent problem is not to avoid the imposition of an IST consideration mandate, but to make it easier for smaller facilities to undertake the financial risk of conducting such a review. One way to accomplish that would be to include tax incentives to allow smaller companies to partner with engineering and chemical education institutions to conduct such reviews. Financial grants could also be provided to educational institutions to conduct such reviews. Either would have the additional benefit of producing a new crop of chemists and engineers with the training and experience to continue making such reviews. Chemical Distributors and IST Having said all of that, it is not clear that any IST mandate included in current legislation would actually apply to chemical distributors. Typically chemical distributors take chemicals produced by other companies and simply store, re-package and perhaps blend those chemicals prior to shipping them to other facilities for use in other manufacturing processes. If their customers are buying chlorine gas, for instance, there is no amount of substitution that is going to provide that customer with chlorine gas. Even inventory reductions would be difficult to accomplish because the original suppliers typically only ship large bulk orders. Otherwise the customer would go directly to the supplier, getting a price break by avoiding paying the middle-man’s costs. This should make any IST consideration at a chemical distribution facility fairly straight forward. They would simply need to look at storage and handling conditions and inventory management options. None of the other, more complex options would apply to a chemical distributor. Detailed reviews of storage and handling conditions are already a part of the required PSM process and inventory management is the lifeblood of a distributor’s business model. This means that the only IST requirement would be to document actions already undertaken by chemical distributors. Cost is a Legitimate Issue
So far Congress has attempted to deal with the cost issues of implementing an IST program. Legitimately Congress has exempted facilities from the IST implementation mandates in HR 2868 if the implementation is not financially feasible. Congress also needs to address the issue of the cost of conducting the IST review as HR 2868 continues to wend its way through the legislative process. None of the IST advocates that I have heard or talked with have any desire to run small businesses into bankruptcy. They should be more than willing to work with industry and Congress to develop methodologies to address the study cost issue for the large number of smaller facilities covered by the CFATS regulations.
“Letters with the corrected link to the CSAT Portal (https://csat.dhs.gov/csat) have been posted for facilities to access the Agriculture Survey. DHS regrets the initial error. Deadline for the Agriculture Survey is Monday, September 20, 2010.”Covered facilities should have already had the URL for CSAT nearly hardwired into their systems by this time, but this certainly could have confused some people. Please note, however, that the revised letters do not change the due date for submitting the Survey.
Monday, July 26, 2010
For facilities that are required to complete the DHS CFATS Agricultural Survey (you will have received a letter from DHS notifying you to complete the survey) there is an interesting article at CropLife.com that might be of interest to you. It is a short article that briefly addresses this new program. There is very little information in the article (about what I included in my first blog on the subject) but they do provide an interesting link in the article. They have produced a .PDF document showing the actual CSAT pages (WARNING: this is a very large download file) from an Ag Survey for a generic facility. Someone has set up a dummy facility in CSAT, Mike’s Dev Facility 4, that services customers in the Oil Seed and Grain Farming NAICS. They then answered some of the initial questions for that facility and then printed a summary screen for that facility’s survey. They then recommend “printing the Ag Survey Screen Captures and completing a draft of the survey before inputting information into the CSAT system”. Typically ISCD folks have provided a similar service by producing a ‘Questions’ manual to accompany the ‘Users Guide’ manual. In this case they have only made the Users Guide manual available on their web site. This makes the document made available at CropLife.com a valuable tool for completing the survey. Facility Specific Information There is a potential problem with this tool, there is no way of knowing for sure that all of the pages that a facility will see on their Ag Survey are included in this file. DHS has designed their tool so that a facility will see only the questions that apply for their site. The preparers of Mike’s Dev Facility 4 answered the initial questions about their facility and those answers will not be the same as the answers produced by any other facility. Using a document like this will certainly make the on-line completion of the survey easier. It will allow facilities to identify the specific information that they will need to complete the survey and will organize that information in a readily useable manner. While the provided screen prints would be a valuable addition to the Users Guide, I think that there is a better way to develop a facility specific ‘questions’ manual. I would suggest that a facility should develop their own tailored questions document by completing the first three sections of the Ag Survey (use the first 8 pages of the CropLife.com document as an information collection template to prepare for this). After saving the Survey at this point the facility preparer can print a facility specific version of the survey questions by using the ‘View Summary Report’ link on the left side of most Survey pages and following the subsequent instructions. There may still be pages on which the facility will have to answer questions that do not appear in the summary document as the default answers on the various questions shown may not provide access to all possible pages. These CSAT tools are very complicated documents (which is one of the reasons that they take so long to produce), but there is a very generous time limit on getting this survey completed (September 20th, 2010). Facilities should certainly plan on taking multiple sessions to complete this survey. CVI Note Technically speaking the document provided by the CropLife.com folks is a violation of the CVI rules. Anytime that there is any facility information provided on the Ag Survey, the printed (electronic or paper) copy of the survey becomes Chemical-terrorism Vulnerability Information. It must be marked in accordance with the requirements of the Chemical-terrorism Vulnerability Information Procedures Manual. I’m sure that DHS will take cognizance of the fact that this isn’t an actual facility and ignore the technical violation.
Facilities, on the other hand can expect that they will be required to protect any working copies of their Ag Survey as CVI. As soon as any facility specific information is added to the Survey it becomes CVI. This certainly includes working copies of the ‘blank’ survey found at CropLife.com.
Sunday, July 25, 2010
Saturday, July 24, 2010
Friday, July 23, 2010
Thursday, July 22, 2010
Wednesday, July 21, 2010
“On July 19, 2010, Ted Cromwell became acting CFATS Senior Compliance Officer, replacing Laurie Boulden who takes over as Technical Analysis Branch Chief. Rest assured that during the transition and forward, ISCD compliance policies, actions, and branch staff—including the Help Desk—will continue to implement CFATS in a consistent, seamless manner. As always, we are eager to hear from you with questions and concerns.”I talked with Laurie Boulden when I did an article for the Journal of Hazmat Transportation on her Corporate Reporting Tool. She is a very well spoken and informative woman who was very helpful in providing information about the program that she had worked so hard on to develop. I’m sure that she’ll do well as the Technical Analysis Branch Chief. Congratulations Laurie. Agricultural Survey
The ‘Latest News’ section also includes this notice about the Agricultural Survey:
“DHS is requesting information from approximately 1274 CFATS high-risk covered facilities that may sell, transfer or commercially apply COI-containing products (e.g., pesticides, fertilizers) used in agricultural activities by agricultural production facilities (e.g., farms, ranches, dairies, equine facilities, parks). Recipients must complete and submit the Agriculture Survey by Monday, September 20, 2010. DHS indefinitely extended the Top-Screen submission due date for agricultural production facilities in December 2007. The survey will provide DHS with additional information on potential risks, vulnerabilities and consequences related to facilities throughout the agricultural COI distribution chain – including manufacturers, distributors and retailers, commercial applicators and end users – and help the Department determine its next steps regarding the Top Screen extension.”Additionally, there are 10 new frequently asked questions (and responses, of course) directly targeting this new CSAT tool. Those questions are:
1671: I sell pesticides, but only deliver them to customers on an "as needed" basis. How do I answer the questions regarding delivery of my pesticide products?
1672: For purpose of completing the Agriculture Survey, how will I know if a pesticide includes an agricultural chemical of interest (COI) at or above the minimum concentration? Where can I find the EPA Registration Number for the pesticide? Where can I find the percent by weight of a COI in the pesticide?
1673: Where can I read about the current indefinite extension to the Top-Screen deadline for agricultural facilities? 1674: Do the Appendix A minimum concentrations apply to the Agriculture Survey? What about the Appendix A screening threshold quantities (STQ)?
1675: I sell fuels that are Appendix A COI or that include COI, such as propane, to agricultural facilities. Should I include these fuels in the Agriculture Survey?
1679: What does the term “COI-containing products” mean in the Agriculture Survey? 1680: When is the Agriculture Survey due?
Tuesday, July 20, 2010
“Sec. 543. Section 550(b) of the Department of Homeland Security Appropriations Act, 2007 (Public Law 109-295; 6 U.S.C. 121 note), is amended by striking `on October 4, 2010' and inserting `on October 4, 2011'.”It is easier to review the .PDF version than the one currently available on the Library of Congress site. I’ll wait to do my detailed review until after the GPO version becomes available. Besides, nothing more will probably be done on this bill until after the summer recess.
“And what is Siemens doing about the hard coded database password issue? THAT is the real problem, not the Microsoft 0-day...”Actually, as I pointed out in the original blog posting from last week, there are three components of the Trojan, now named the ‘Stuxnet worm’, that make it work so well; the new Microsoft vulnerability, a trusted security signature and the Siemens password. Last week the initial response from both Microsoft and Siemens was to point fingers at the other’s part of the problem. That, now at least, seems to have changed; both seem to be responding to their part of the problem. Well, as PCM points out, Siemens seems to be working on methods to deal with the Stuxnet, but they have not publicly addressed the hardwired password issue. From various discussions going on around the net it seems that for some reason Siemens hardwired in a set of passwords into this SCADA system. They don’t seem to be used in the way a normal password is used to allow a user to sign into a system. Instead it appears to be used to allow a piece of software to verify that it is authorized to be run on the system. It seems to me (and remember I am not a software engineer, just an old rooky programmer) that this type of password has to be hard wired into the program. Allowing someone to change or shutdown the password would destroy the capability of the program to recognize new code or separate programs that are necessary to the operation of the complex system. This means that the agency employing this type of hard-wired password-based authentication system must provide nearly absolute security to protect the identity of the password. It would even be smart to keep the fact of existence of such a password very closely held. Unfortunately neither seems to have been well done in this case (an article at PCWorld.com notes that the password was disclosed on the web in 2008). Any security expert would respond to that last comment with a sigh and ‘No DUH’; providing absolute protection for anything is just not possible. There are other methods of providing this type of internal verification. They too are subject to compromise. Some, however, are easier to fix after a situation like this arises. It will be interesting to see how long it takes Siemens to come up with a patch to fix this problem, though ‘patch’ probably is an inadequate word to describe the complexity of the software change that will be needed to eliminate this hole. ICS-CERT Response Meanwhile, go read the PCWorld.com article. It provides some updated information and a good explanation of what is known to date. They also mention that DHS ICS-CERT has responded to this situation with an alert (ICS-ALERT-10-196-01) but noted that “the information is not publicly available”. I understand that the ICS-CERT has a Vulnerability Disclosure Policy, but that is supposed to prevent the spread of a previously unidentified vulnerability until the vendor has a chance to correct the problem. That hardly applies here; word about the vulnerability is fully in the public domain. NOTE: While I was getting ready to post this I got another Reader Comment on the same subject from Andrew Ginter, a well known SCADA Security Blogger. Andrew wrote:
“The ICS CERT released an advisory on the malware dated today, July 20. You can find it at: http://www.us-cert.gov/control_systems/pdf/ICSA-10-201-01%20-%20USB%20Malware%20Targeting%20Siemens%20Control%20Software.pdf”In any case, SCADA systems have now officially joined the target community. Anyone who thought that SCADA was just ‘too complex’ to attack had better re-examine their reasoning. System owners really need to paint a bulls-eye on the case of their SCADA server to remind them that they are a target and need to be prepared to actively defend their systems.
Monday, July 19, 2010
“Provide mechanisms and opportunities for the U.S. Sector and Government Coordinating Councils and the Canadian sector networks to work together to improve sector-specific cross-border collaboration.” (pg 6)Since so many companies operate in both countries, it is likely that many of those companies already coordinate the security operations of facilities on both sides of the border. Facilitating the cooperation between companies that don’t have cross-border corporate ties is certainly a good idea. Inter-Government Communication Of course, one of the problems with this cooperative effort among the government agencies is working out the issue of information sharing. With so much of the critical infrastructure information protected by national laws on both sides of the border, finding legal methods for sharing that information while protecting proprietary information will be difficult. This new document recognizes this problem and outlines an appropriate action item of:
“The United States and Canada will work together to develop compatible mechanisms and protocols to protect and share sensitive critical infrastructure information.” (pg 7)This is likely going to require modification of the laws mandating the information protection protocols. Intelligence Analysis Sharing A similar problem with sharing of intelligence information is also identified in the document. Again a general action item statement addresses the issue stating that:
“The United States and Canada will work together to identify public and private sector information requirements to support the development of valuable analytic products.” (pg 7)Moving Forward It will be interesting to see if DHS and its Canadian counterparts actually take any concrete action to further these goals. If these goals are to see any real success it will require action on the part of Congress to authorize many of these actions. Trying to get that agenda acted upon will almost certainly have to wait for the 112th Congress. The outcome of the fall elections will certainly have a major impact on how Congress proceeds with this process next year.
Sunday, July 18, 2010
Saturday, July 17, 2010
“Consistent with the Surface Transportation Security Priority Assessment Implementation Plan, TSA should work with the DoT [sic] to implement an integrated Federal approach for security assessments, audits, and inspections to produce more thorough evaluations and effective follow-up actions for reducing risk, enhancing security, and minimizing burdens on assessed surface transportation entities. TSA should also coordinate data requests with the established single data repository to avoid redundant efforts, take advantage of existing data sets, and establish data access control. Within six months TSA should provide to OMB a status report regarding these efforts.”As I noted in an earlier blog this CSR program deals with the collection of information from owners and operators of school bus, motor coach, and trucking (general freight and hazardous materials) companies during corporate security review visits by TSA Surface Inspectors. The information collected during these face-to-face visits is used to “establish the current state of security practices for highway modes of transportation. TSA will then be able to make policy and programmatic decisions to improve the overall security posture within the surface transportation community.” (74 FR 57326) Last summer I noted that as many as three TSA inspectors conduct these interviews. Typical interviews last two to three hours and cover “eleven topics: Management and oversight of the security plan, threat assessment, criticality assessment, vulnerability assessment, personnel security, training, physical security countermeasures, en route security, information technology security, security exercises and drills, and a hazardous materials addendum” (74 FR 28264). TSA expects to conduct 400 of these CSR within the next year. Since they are targeted at all commercial surface wheeled transportation, there is no telling how many of these will actually be targeted at trucking companies carrying hazardous materials. With the old program only conducting 100 CSR per year, whatever the number of hazmat trucking inspections actually is, it will likely be a significant increase over the previous program.
If this bill does actually start to move forward in the legislative process (unlikely in my opinion) I would hope that SOCMA and other chemical organizations would provide alternative suggestions for modifications of the bill to make it more acceptable to their interests. I fully understand their opposition to the IST provisions as written, but I am a firm believer in the process of politics and the art of compromise. I would hope that the industry would be part of that process.