Thursday, September 30, 2010

House Passes HR 3081 and Recesses

Very early this morning the House passed HR 3081, the legislative vehicle for the Continuing Resolution that will continue funding the Federal Government while Congressmen head home to try to save their jobs. The bill will continue funding at current levels until December 3rd, potentially giving Congress time to pass some real spending bills when they return to a post-election session on November 15th.

As I mentioned in last night’s late blog post, the CFATS authorization was specifically extended in this legislation, so we won’t have to worry about whether a general funding extension would cover keeping CFATS running.

The house adjourned this morning pursuant to H. Con. Res. 321. This provides that the House will return to legislative work in mid-November. Yesterday evening the Senate but won’t technically be affected by the election recess. They will be in ‘regular’ session through November 12th.

According to an article on this was done so that the President can’t put anyone into a normally Senate approved position via a recess appointment, a tool that Sen. Reid developed to counter President Bush’s use of that tool. The article provides an interesting discussion of why Reid is using it against the leader of his party. In any case, the daily Senate Sessions should just take minutes to complete.

There was a flurry of other bills passed by the House last night; I’ll get around to looking at the ones that could be of interest to the chemical security community in the coming days.

All Hazards CFATS

Because FEMA is such a large part of DHS, there has been a lot of legitimate talk in the Department about what portions of the other agencies can have an ‘all hazards’ influence; that is looking at problems other than just terrorism as cause for homeland security issues. Certainly earthquakes and hurricanes and fires and floods can have serious impacts on homeland security.

With this in mind, a reader challenged me to take a look at CFATS and see if there were any potential ‘all hazards’ problems that the CFATS program ought to look at. I always appreciate a challenge and love to tell government people what they ought to do. More importantly it will allow us to take a look at the real purpose of looking at security programs.

What are the Hazards

First off, let’s define the different categories of hazards that can affect high-risk chemical facilities. I would like to limit those hazards to those that could result in an off-site hazard uniquely traced to the chemical facility. For example, a flu epidemic could cause a worker shortage that could cause serious business consequences for a chemical facility, but those consequences would be no different for a food processor, widget manufacturer or any other non-chemical employer.

Potential hazards could include:

● Terrorist attacks (duh)
● Natural disasters (floods, fires, hurricanes, tornados, etc)
● Utility disruptions (stoppage of water, electric, gas, etc)
● Mechanical integrity problems (failure of equipment)
● Process upsets (over/under pressure, over/under temperature, too much/little flow, etc)
● Personnel upsets (shooters, sabotage, etc)
● Management issues (failure to comply with various regulations, failure to provide for maintenance, failure to provide training, etc)

Now any of these hazards could result in hazardous situations for neighbors and local communities. The first category is the type of hazard that the CFATS program is specifically designed to regulate; it reduces the potential consequences by reducing the probability of a successful attack.

Other Hazards and CFATS

Two other hazards on the list can be directly related to terrorist attacks and so should be addressed in some manner under the CFATS program. If utility disruptions can lead to a chemical release or uncontrolled chemical reaction then disrupting those utilities could be a tool for a terrorist attack. If a disgruntled or unstable employee can be influenced or controlled by a terrorist organization then their actions can be made part of a terrorist attack.

The natural disasters category can have a potential impact on security operations at high-risk chemical facilities. I have addressed those in a couple of hurricane related blogs. Facilities in areas with well known natural hazards should address the potential responses to security issues related to those hazards in their security planning process.

Process upset problems caused by externally generated computer problems (worms, viruses and Trojans targeted generally at computers rather than specifically at the control system or the facility) will be prevented to some degree by the control system security procedures put in place as part of the site security plan.

As CFATS is currently configured (and authorized), it appears that those are the limits of the ‘all hazards’ considerations addressed in the CFATS program. Other federal programs (primarily EPA and OSHA), to one degree or another, address the remaining issues at many of the chemical facilities covered under the CFATS programs.

CFATS and Remaining Hazards

There is also another way of looking at this; we can ask: “Is there any way that the CFATS process can affect the prevention and response to the other hazards?” Do things that are done because of CFATS security plans contribute to or detract from dealing with these?

I can’t think of anything in a properly crafted, well thought out security plan that would detract from dealing with any of these hazards. I have heard people question the potential effects of CVI on dealing with outsiders, but that should only apply to CFATS information in a CFATS context. If the information is not presented in a security context CVI should have no effect on disclosure.

Some people have also expressed concerns that searches, restricted areas and other personnel restrictive measures will make it more difficult for emergency responders, utility personnel and contractors to respond to problems at the facility. That should not be true for emergency response personnel, especially when the security force knows that they are expected. The brief delays to verify utility personnel and contractor identities should not cause any significant problems. The only potential problem area is the escorting requirements after normal operational hours and that does deserve special mention in security plans.

Likewise, I don’t see anything in the CFATS rules or the Risk Based Performance Standards Guidance that specifically helps to make these problems easier to deal with. Some of the internal surveillance tools might make it easier to manage an incident related to these hazards. The facility security center (if the facility establishes one on site) would probably be a good location for the emergency management team to work out of because of the communications and surveillance tools available.

CFATS – Chemical Facility All-hazards Threat Solution

Since the real goal of the current CFATS program is to really prevent off-site consequences of a terrorist attack, couldn’t many of the same tools be used to prevent off-site consequences from these other hazards as well? The short answer to this question is actually: No. Since CFATS focuses on preventing attacks instead of managing consequences of an attack the utility of the CFATS tools in managing the consequences of these other hazards is minimal at best. The CFATS prevention tools are not really useful in preventing most of these other types of hazards; guards are not going to stop a hurricane.

If consequence management tools were added to the CFATS programs the answer would change significantly. I have often argued that the major drawback of the CFATS program is that it essentially ceases to function once the toxic cloud has been released. There are no provisions for off-site consequence management or planning. There are good reasons for that; a private facility can not be made responsible for governmental responses off-site. But it is still a major shortcoming of the program.

I’ll take a more detailed look at how CFATS could be made more of an ‘all hazards’ program in a future posting.

Wednesday, September 29, 2010

HR 3081 Status 09-29-10

This evening the Senate passed an amended version of HR 3081 that acts as a Continuing Resolution, keeping the Federal Government funded at current rates through December 3, 2010. The bill, as amended, contains specific authorization to continue the CFATS program through the same date.

There were two Republican amendments considered on this legislation before it passed on a final roll call vote of 69-30, with 10 Republicans voting Yea and one Democrat voting Nay. The votes on the two amendments were closer.

The Thune amendment was considered first and would have reduced the ‘other than National Security’ funding by 5%. This failed by the slim margin of 48-51 with eight Democrats joining the Republicans in supporting the measure. The DeMint amendment also failed, but by a larger margin 39-60. Four Democrats and five Republicans voted with the other side in rejecting the move to extend the CR until February 4, 2011.

The temporary reauthorization of the CFATS program was found in §124 of the amended bill. As was expected, it was a simple date substitution for the expiration date of the previously amended §550 authorizing language.

As of the time of this posting (10:45 pm EDT) the House was getting ready to vote on considering whether to begin debate on accepting the Senate amendment to HR 3081. It will be real early Thursday morning before they can possibly vote on the bill, and it may be held for an afternoon session. The rule for the consideration of HR 3081 does not provide for any amendments, which is good since the Senate has already left for their election recess and doesn’t intend to come back to do legislative work until after the election.

New DHS ICS-CERT Stuxnet Advisory

This afternoon the DHS ICS-CERT has published a new Stuxnet Advisory on their web site. The new advisory provides three lists of file names that are indications of Stuxnet infection. They can be found in computers with the Siemens software installed, while some can also be found in infected computers without Siemens SIMATIC WinCC or SIMATIC STEP 7 software installed.

Yesterday I mentioned the recently detected transmission route via project files. This alert addresses infection indicators related to these files, noting:

“In infected projects, the malicious *.sav files are stored in the GraCS subdirectory within a project’s root directory. This can occur in compressed or zipped project files. It appears that the malware specifically looks for demo projects commonly installed as part of the WinCC software. If any of these malicious *.sav files are found, it is likely that the malware has injected malicious stored procedures into one or more of the project’s database files. If any of these malicious *.sav files are detected, please contact ICS-CERT for further assistance [emphasis added].”
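A triage sketch for the indicator location quoted above, added here as an example and not taken from ICS-CERT or from this blog: it lists every *.sav file whose parent directory is GraCS, both on disk and inside zip archives one level deep. The function names and the sample tree are constructed for illustration; a hit is only a candidate to compare against the file-name lists in the advisory, which are not reproduced on this page.

```python
"""List *.sav files located in a GraCS directory, on disk or inside zip archives.

Added example. A hit is a candidate for review against the advisory's
file-name lists; it is not by itself proof of infection.
"""
import os
import re
import tempfile
import zipfile


def is_gracs_sav(path):
    """True when the path ends in GraCS/<name>.sav (case-insensitive, / or \\)."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    return (len(parts) >= 2
            and parts[-2].lower() == "gracs"
            and parts[-1].lower().endswith(".sav"))


def scan(root):
    """Walk root and return sorted (file_on_disk, zip_member_or_None) tuples."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # Loose file sitting directly in a GraCS directory.
            if is_gracs_sav(os.path.abspath(full)):
                hits.append((rel, None))
            # Compressed or zipped project: inspect member names without extracting.
            if zipfile.is_zipfile(full):
                try:
                    with zipfile.ZipFile(full) as zf:
                        for member in zf.namelist():
                            if is_gracs_sav(member):
                                hits.append((rel, member))
                except (zipfile.BadZipFile, OSError):
                    # Report archives that cannot be listed so they get a manual look.
                    hits.append((rel, "<unreadable archive>"))
    return sorted(hits, key=lambda h: (h[0], h[1] or ""))


def build_constructed_sample(root):
    """Create a small constructed tree; all names and contents are made up."""
    gracs = os.path.join(root, "DemoProject", "GraCS")
    other = os.path.join(root, "DemoProject", "Other")
    os.makedirs(gracs)
    os.makedirs(other)
    for path in (os.path.join(gracs, "example.sav"),   # should be reported
                 os.path.join(gracs, "layout.txt"),    # wrong extension
                 os.path.join(other, "notes.sav")):    # not under GraCS
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder")
    with zipfile.ZipFile(os.path.join(root, "backup.zip"), "w") as zf:
        zf.writestr("OldProject/GraCS/Example2.SAV", b"constructed")  # reported
        zf.writestr("OldProject/readme.txt", b"constructed")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for on_disk, member in scan(tmp):
            where = on_disk if member is None else f"{on_disk} -> {member}"
            print("candidate:", where)
```

Archives nested inside other archives are not opened; project backups stored that way need to be unpacked one level before scanning.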

CFATS Knowledge Center Update 09-29-10

Well, the Help Desk folks at DHS-ISCD have gotten around to adding the latest two CSAT manuals from last week to the documentation listed on the CFATS Knowledge Center page. You can find them if you search through the ‘Documentation’ section on the landing page. If you click on either the Top Screen or Site Security Plan button page the new manual will show up on the documentation list for those sub-pages.

There is still no explanation of or notice about the new manuals on this page a week after they were published. There is still no listing on the Top Screen or Site Security Plan web pages. It is really very disappointing for an organization that has done such a good job to date maintaining the CSAT web site.

HR 553 Passed in Senate and House

On Monday the Senate passed with amendment HR 553, the Reducing Over-Classification Act by unanimous consent. The amendment is essentially the same one that was proposed as substitute language in the report on the bill provided by the Senate Homeland Security and Governmental Oversight Committee. I reported on the details of that change in an earlier blog posting. Among other things, this bill will require DHS to produce unclassified versions of their intelligence reports to make it easier to share counter-terrorist intelligence with State and local governments as well as with potentially affected private sector entities.

Subsequently, on Tuesday the House concurred with the Senate amendment on a voice vote and the bill has been sent to President Obama for signature.

Tuesday, September 28, 2010

HR 3081 – the CR Legislative Vehicle

I made a mistake in my earlier posting about the pending Continuing Resolution. I reported that the legislative vehicle would be S 3676. The article I quoted reported that the Senate would use the State Department Appropriations bill, but did not include the bill number. I checked the House Appropriations Committee web site and they only listed the Senate bill on their chart of Appropriation Bills Status. This evening I had a chance to check the Senate web page that shows the results of today’s votes and it lists HR 3081 as the vehicle that the Senate will use to discuss and vote on the CR.

The Senate voted this evening to approve the cloture motion on HR 3081 (the vote tally was not reported as of 9:22 pm EDT). That means that the Senate will begin their discussion of HR 3081 tomorrow, probably starting with the offering of the amendment in the nature of a substitute that will be the proposed CR. No other word on the Senate web site tonight about what other amendments might be offered before the vote on the CR is taken. That information may be available in the morning when the Congressional Record Daily Digest for today is posted.

The use of HR 3081 will obviously make the previous discussion about constitutional issues completely out of date and worthless. Oh well, that’s the way it goes.

No DHS Budget until after the Election

It doesn’t look like Congress will be getting around to passing any budget bills before they really stop work for electioneering; we’ll just have to live with the drama of Continuing Resolutions. There is an article on today about the Senate starting debate on the Continuing Resolution (CR) that will allow the government to continue functioning past September 30th without a formal budget.

Don’t look for a piece of legislation called the ‘Continuing Resolution’, that would be too simple and direct. This year Sen. Reid (according to has selected the State Department appropriations bill (S 3676) as the ‘vehicle’ for the CR. Since this bill has already passed in Committee there will be an “amendment in the nature of a substitute” that will completely change the wording and meaning of the current bill.

All sorts of silly games are possible with this legislation. A clean bill will be just a couple of paragraphs long providing funding for all Federal Government Agencies until a specific date listed in the bill. Most lawyers that I’ve talked with feel that that would also give CFATS (set to expire October 4, 2010) an effective extension until the date provided for the continuation of funding.

The bill could also get all cluttered up with just about any kind of special provision, depending on how much dealing Reid has to do to get this thing passed. If they can’t get it passed by Thursday (the date the electioneering apparently is scheduled to begin in earnest with Senators back in their districts for the duration) then Reid will have to hold the Senate in session until something can be passed. And every day he keeps the Senators in Washington will make it that much easier for the Republicans to take control of the Senate along with the House in November.

Constitutional Issues

Remember back in August when Pelosi had to call the House back to vote on their version of a spending bill that the Senate had to come back in turn to vote on the House bill even though they had already passed their version? There were concerns because, according to the Constitution, spending bills must originate in the House. It seems that Madame Pelosi is now more concerned about the House Democrats getting stuck holding the bag for passing an unpopular CR that the Senate can’t even get to a vote because they lack 60 votes for cloture than with following Constitutional procedures.

And it is silly because the House has passed two spending bills, HR 5822 (Military and Veterans) and HR 5850 (Transportation HUD), that could have been used as the vehicle for the CR. The current language in those bills could have been added to one of the other spending bills after the election. Well, maybe a CR doesn’t really count as a spending bill.

Stuxnet Transmission

Just a quick note about another Stuxnet transmission technique discovered over at Symantec. Their latest Stuxnet blog describes how infected project files can transmit the malware between computers and even provides a way to re-infect a cleaned computer by running a back-up version of a project file. It certainly seems like the Stuxnet design team wanted to make sure that their toy had staying power. So now Stuxnet can be propagated via:
● USB Stick
● Print Spooler
● Network via P2P
● Project Files

The only thing missing is an email transmission mode via the address book list and the Vulcan Mind Meld. But research is still ongoing.

BTW: Symantec has collected all of their Stuxnet blogs at one convenient URL:

Monday, September 27, 2010

Public Health and Chemical Testing

The Centers for Disease Control (CDC) released a report last week that looks at preparedness for threats to public health from natural, accidental or intentional means. This report focuses on the CDC’s evaluation of laboratory support metrics and response performance measures for public health threats. The report (pg 6) lists four major categories of these threats:
● Biological Threats
● Natural Disasters
● Chemical and Radiological Materials
● Explosions

While everyone has an interest in the effectiveness of public health services in each of these four areas, members of the chemical security community have a special interest in the third category (at least the chemical aspects of it) with a lesser specific interest in the fourth category.

Laboratory Metrics

The report identifies the key role that public health labs play in responding to public health threats. It states that (pg 21):

“Laboratories identify disease agents, toxins, and other health threats found in tissue, food, or other substances. Rapid detection and characterization of health threats is essential for implementing appropriate control measures.”

To support public health agencies the CDC manages “the Laboratory Response Network (LRN), a group of local, state, federal, and international laboratories with unique testing capabilities for confirming high priority biological and chemical agents” (pg 22). There are currently 54 LRN facilities, of which 47 are level 1 or 2 (actually capable of identifying all or some of the biological and chemical agents identified by the CDC as being a potential threat to public health).

Those 47 labs “undergo proficiency testing to determine if they can use six core methods to rapidly detect and measure chemical agents that can cause severe health effects. These methods can help determine the scope of an incident, identify those requiring long-term treatment, assist with non-emergency medical guidance, and help law enforcement officials determine the origin of the agent.” (pg 23)

Wrong Chemical Targets

Now when people talk about ‘chemical agents’ they typically mean military grade chemical warfare agents. There is certainly some level of concern that terrorists will get their hands on military chemical munitions of some sort, or attempt to manufacture their own like we saw in Japan with the Sarin subway attacks. But this is a very low probability attack scenario; a high-consequence possibility, but a low probability event.

With low-probability yet high-consequence attacks like this it probably makes sense from a risk-management perspective to limit the equipping, training, and conducting performance evaluations on a limited number of laboratories. Unfortunately, what this report doesn’t address is who will be doing the testing on the high-probability potentially high-consequence chemical that would result from either a deliberate attack on or an accidental release from an industrial chemical facility.

Part of the reason for that issue not being addressed is the overwhelming complexity of the problem. If these LRN facilities were required to be able to effectively test for every dangerous industrial chemical that could be released in a deliberate release or a chemical accident they would not have time to complete the necessary proficiency training, much less the training required to conduct the tests.

Decentralized Testing Capability

Instead of expecting the testing methodology to be maintained at centralized testing labs, industrial chemical identification should be pushed down to the local level. Then, instead of being required to be able to test for all potential industrial chemicals, they would be able to concentrate on just those chemicals used in the local area. Each chemical facility that was required by law to maintain a chemical response plan, would be required as part of that plan to identify on site chemicals to local health agencies.

Actually there would be two categories of chemicals required to be reported. The most important would be chemicals with potential off-site chemical hazards. This would include chemicals stored on-site that were of large enough volume to have off-site consequences in the event of a worst-case release. It would also include smaller volume chemicals that were shipped to or from the facility that could be released in transit as the result of an accidental or deliberate release.

The second category would be chemicals used on site that, in the event of an on-site release could affect on-site workers or visitors. This would allow doctors to confirm the chemical contaminant affecting a particular patient when they were brought in for industrial accidents, for example.

These lists of chemicals would have benefit beyond just establishing the testing capability for these chemicals. The local health officials, armed with the list of potential local chemical injuries could ensure that treatment protocols for those chemicals were established (drawing on CDC assets to identify those protocols) and then ensuring that those protocols were distributed to local medical facilities, doctors and emergency medical responders. This would also allow for the identification of training, equipment and medical supply needs to be established for large scale chemical releases of either a deliberate or accidental origin.

Effective Chemical Public Health Preparedness

I am glad to see that the CDC is not trying to push testing requirements for low-probability chemical release testing down to the local level. Time and resources at the local level are extremely limited and need to be focused on those tasks that they will most likely be required to perform. Testing for and providing treatment for industrial chemical releases in their local communities is a much higher probability event. This is what local public health agencies and providers need to be focusing upon.

Congressional Hearings Week of 09-27-10

It is another relatively light week for scheduled Congressional hearings that will be of probable interest to the chemical security community with two hearings of peripheral interest. The topics this week will be pipeline safety and intelligence sharing.

The Senate Commerce, Science and Transportation Committee’s Surface Transportation and Merchant Marine Subcommittee will be holding a hearing on Pipeline Security on Tuesday at 3:00 pm EDT. While they will be looking at recent accidents in San Bruno, CA and other areas, there is always the chance that some Senator will ask about the possibility of a terrorist attack causing similar or more serious damage since there is effectively no Federal pipeline security program.

The Intelligence, Information Sharing and Terrorism Risk Assessment Subcommittee of the House Homeland Security Committee will be holding a hearing on Wednesday at 3:30 pm EDT looking at how well the DHS Office of Intelligence and Analysis shares information. Typically these hearings focus on communication with law enforcement agencies, but sharing information with potential targets in the private sector is also liable to come up, if only briefly.

Still no word on possible hearings on the Lautenberg water system security bill or on a potential House appropriations bill for DHS. There is more and more talk about a post election session of Congress where Democrats think they will be able to get more support for controversial legislation where members are not being held directly accountable to voters. This certainly may help in the House, but if Republicans make their expected gains in the House and Senate, it is hard to understand where any Republicans will switch sides in a lame duck session in the Senate.

The one exception to this outlook may be HR 2868. The Senate version might pick-up Senate Democratic support because of the three year extension of the CFATS authorization. Democrats may hope that this would allow them to revisit the inherently safer technology issue when re-authorization comes up again. I would still expect to see a floor fight to add IST, labor involvement, and whistleblower protections to the Collins version of HR 2868. If a modified IST assessment and report provision made it into the bill then it could possibly pass when the bill made it back to the House.

HSAC Closed Meeting 10-14-10

Today’s Federal Register includes a notice that the Homeland Security Advisory Council will be holding a meeting closed to the public on October 14, 2010 at DHS Headquarters in Washington, DC. The meeting will be closed because of the law enforcement investigative and intelligence information being discussed.

According to the notice the agenda for the meeting will include:

• Sensitive Threat Briefings against the Homeland.
• Governor and Homeland Security Advisors' Transitions.
• Policy and Planning Issues related to the ``If you see something, say something'' campaign.
• Watch List Operational Improvements.
• Lessons Learned from the cyber exercise.

Closed Door Meeting?

Closed door meetings of advisory councils frequently raise questions of accountability. The discussion of on-going law enforcement investigations and classified intelligence information clearly needs to be conducted before a limited audience. The first and fourth items on the above agenda clearly fall under those qualifications.

The reasons for keeping the discussion of the other three agenda items out of the public domain are less clear. The last item could certainly be considered sensitive information about current vulnerabilities, but that claim is not made in this notice. The public closure of the two remaining items personally concerns me.

I applaud the Department’s early planning for the information sharing responsibilities that they will face in the coming months with new Governors and Homeland Security Advisors as there will be several changes in State leadership due to the upcoming elections. Unless the discussion is going to look at the specific information that will be shared (possible but unlikely at this point) I find it hard to understand why the planning for sharing information would raise security concerns.

‘Watch List Operational Improvements’ are another area that requires a major stretch of imagination to see how security would be affected by a public discussion of the topic. Again, unless specific intelligence is being discussed, any discussion of how the Watch List and associated No Fly List is operated needs to be done in a public manner. There have been too many failures and near failures while isolated kids and grandmothers are labeled as ‘suspected terrorists’.

Finally, I can see no justification for closed door discussions about a very public program like ‘If you see something, say something’, particularly when the agenda explains that the discussion will be on ‘Policy and Planning Issues’. If DHS wants public participation in this program (and that’s what the program is all about) then they better be prepared to discuss policy and planning issues in public.

I think that DHS and HSAC need to reconsider making this a two part meeting with separate public and private discussions where the differences are truly appropriate.

BTW: Provisions have been made for the public to submit written comments and information to be considered by the HSAC at this meeting. Submissions must be made by October 8th. Comments can be submitted electronically at (Docket Number DHS-2010-0078)

Sunday, September 26, 2010

TSA Pipeline Security ICR to OMB

We have had a lot of chemical security related ICR news this week. On Friday the Office of Management and Budget (OMB) announced that the Transportation Safety Administration had submitted their information collection request to support the pending release of their new Pipeline Security Guideline. This is actually a late submission of the ICR to OMB since the Federal Register 30-day notice on this ICR was submitted on August 16th. With the comment period having closed on September 15th, this late submission has held up OMB action on this ICR by over a week.

This is probably due to the low priority for pipeline security issues at TSA, DHS and Congress. There is no legislative authority for running an active pipeline security activity so the TSA program that this ICR is supporting is a voluntary security reporting program. To the extent that there is no money for a pipeline security program, I suppose that TSA is to be commended for doing even this very limited amount of work on the program.

Iran and Stuxnet

The Stuxnet malware has finally hit the mainstream media’s radar screen and there is lots of reporting on the Iranian target connection. Many people in the cyber security community are cautioning that the discussion of the Iranian nuclear program being the target of Stuxnet is currently based on circumstantial evidence at best. That makes yesterday’s AP news report about the Iranian reaction even more interesting.

AP notes that “Iranian media reports say the country's nuclear agency is trying to combat a complex computer worm that has affected industrial sites in Iran”. This is a long way from confirming that there have been problems at their nuclear facilities because of the Stuxnet. Of course, since the concept of freedom of the press has never been big in Iran, it would be very surprising if the press, semi-official or otherwise, were to report actual disruptions.

Of course, we already know from Microsoft reports that there have been a significant number of Stuxnet infections in Iran (not the largest number by any stretch, the US still holds that honor). With the recent discussions in the mainstream western press that the Iranian nuclear program was the target, it would be a real head-in-the-sand agency that didn’t worry about what Stuxnet infected computers could do to their nuclear fuel enrichment program.

Iranian Detection of an Attack

If there was an actual cyber attack on Iran’s nuclear program, the government might not have realized that it had possibly been attacked until the Stuxnet discussion hit the mainstream press. The way that Stuxnet apparently works would cause problems that would look like natural process upsets under normal investigations. Process people typically accept that their control systems are doing what they are supposed to do, so it is unlikely that any cyber security experts would have been involved in a process upset investigation.

Since it was just about two weeks ago that the open speculation in the cyber security community in the west started about the Stuxnet target, I doubt that there was widespread consideration of the attack scenario in Iran. Local cyber security experts wouldn’t have talked much about it because of the black mark it would have left on the appreciation of their capabilities by Iran’s rulers.

With the Stuxnet discussion hitting the mainstream press I think that we can assume that any process problems being experienced in their nuclear program are now going to be re-investigated by cyber security experts. I would bet that the vast majority of those investigations are not going to have any actual cyber component, but the process people will want to be able to blame their process problems on Stuxnet; it would take the pressure off of them.

I don’t expect that Iran has any more cyber security experts than does the United States; probably much fewer. Trying to determine if process problems were caused by Stuxnet, even on systems with an identified Stuxnet infection, is going to be very time consuming. It may not actually be possible to make a real determination. If I were designing an attack program, I would include an instruction to erase the offending code from the PLCs (programmable logic controllers) involved. At this point we don’t know if such a capability was programmed into Stuxnet; we still don’t know that much about all of the capabilities of this malware.

This would not be a good time to be a cyber security expert in Iran. Every process upset over the last year will be blamed on Stuxnet by the process owners (covering one’s butt in a restricted society is a very big thing). The prioritization of investigations is going to be confusing because it will depend so much on the power and influence of process sponsors. Finally, the evidence is probably going to be equivocal at best, so how does the cyber security expert color the final report? Do they admit that they failed the mullahs and allowed an attack to take place? Or do they accept the initial process upset reports as gospel to avoid taking responsibility for the problem?

Iranian Response to an Attack

If and when the rulers of Iran decide that there was an actual attack on their nuclear program, things will start to get interesting. If this were a missile strike on the processing facilities, we would expect naval efforts to close the Straits of Hormuz, Hezbollah terror attacks in Israel and perhaps the United States, and disruptive attacks against US forces in Iraq. Whether a cyber attack would garner the same response is unknown; but it is entirely possible.

There is also the possibility of a more cyber related response to the attack. I doubt that Iran has the current capability to effect a Stuxnet type attack on American or Israeli infrastructure (though you can bet that they are now starting work on such capability). There have been reports, however, of a more conventional cyber attack capability in shadowy jihadist organizations. One should certainly expect that Iran would have that capability in house or in terror organizations that they sponsor.

We could expect to see more denial-of-service attacks against government and private computer systems in the United States and Israel. There would also be more persistent penetration type attacks on IT systems to try to get inside of such systems to damage or disrupt their operations.

We might also see other adversaries of the United States or Israel loan more advanced cyber attack capabilities to Iran. This would allow them to actively test and practice their cyber warfare capabilities with minimal possibilities of direct retaliatory strikes. Whether these capabilities could include attacks on industrial control systems (ICS) is not known; remember, Stuxnet was the first such attack, but that doesn’t mean it is the only ICS attack vector in existence.

Game Changer

Those of us in the cyber security community (well I’m loosely associated with that community as should be everyone in the chemical security community because of our dependence on computer control systems) have been aware of the potential vulnerabilities of industrial control systems. Because of the lack of apparent attacks on those systems, it has been hard to get the attention of management and regulators. With the public perception of Stuxnet rising, that will no longer be the case. More people are becoming involved in the industrial cyber security debate. It is just a matter of time, for instance, before there is a Stuxnet hearing in Congress.

If we get a response from Iran to an actual, documented attack on their nuclear facilities, then the situation will change once again. There will be a very real, loud, and expensive push to force the industrial control community to secure our cyber boundaries.

Saturday, September 25, 2010

FEMA Grant ICRs Re-filed with OMB 09-23-10

Earlier this week I noted that a number of FEMA grant information collection requests (ICRs) had been rejected by the Office of Management and Budget (OMB) because they had not adequately explained that the information was currently being collected without an approved ICR. The Paperwork Reduction Act requires that any collection of information from the public must be pre-approved by OMB via the ICR process.

According to the OMB web site yesterday the seven ICRs that were of potential interest to the chemical security community were resubmitted on Thursday. The new submission specifically notes “Existing collection in use without an OMB Control Number”. I think that we can safely assume that the ICR submitting folks at FEMA talked with the folks at OMB to ensure that the wording was adequate. I expect that the ICRs will probably be approved this next week; well in time for the FY 2011 grant application process.

CFATS Knowledge Center Update 09-24-10

Yesterday DHS updated their CFATS Knowledge Center web page. There were no changes in the Frequently Asked Questions list. They did remove the three explanatory notes under the Current News heading that had explained the on-going process of the Agriculture Survey. The deadline for submitting those surveys was last Monday so this information was no longer pertinent. I hope to have more information on those surveys next week.

Missing Information

What is interesting is what wasn’t changed on the Knowledge Center this week. DHS-ISCD published two new CSAT manuals and there was never a mention of this on the page. You can link to the CSAT Top-Screen Survey Application User Guide from the documentation section of the page, but only if you know the name of the old manual (CSAT Top-Screen User’s Manual); DHS kept the same URL for the new manual. There is no link to the new CSAT SSP Edit Process User Guide.

There also should have been mention of these two new manuals under the Current News heading. If it weren’t for bloggers like me and the Roberts Law Group, the only way that the CFATS community would know about these new manuals is through a careful detailed review of the numerous CFATS web sites; something that few have time to do. This was the whole point of the newly designed CFATS Knowledge Center and it failed the chemical security community this week.

Other Pages Lacking Changes

These two new manuals should also have shown up on a couple of other pages this week and were mysteriously absent. The CSAT Top-Screen page should have had the name changed for the new user guide. The CSAT Site Security Plan (SSP) page should have a listing/link for the new editing guide and probably a brief explanation of the difference between Administrative and Technical edits.

Generally speaking the folks at DHS-ISCD have done an excellent job with their web communication tools. They certainly have the most effective web pages of all of the government sites that I routinely deal with for chemical security and hazardous material regulations. This is why it is particularly disappointing to see that communications standard slip like it did this week.

Friday, September 24, 2010

Ballistic Protection for Hazmat Transport

One of the nice things about writing a blog like this one is that I get a number of interesting questions sent to me by a wide variety of readers. Usually they get a brief response, but other times the questions are interesting enough that they deserve a lengthier response that can best be done via a blog posting. One of the second type came via email a short while ago; a reader that wants to remain nameless asked: “Do you know if the government has any interest in ballistic protection for hazmat transportation?”

The immediate short answer is: No. In reality no one in Congress or in the executive branch appears to have much interest in any kind of potential attacks on chemical transport. The FRA is trying to increase the resilience of TIH tank cars, but they are concerned with collisions not attacks. TSA has looked at scheduling and hand-offs of TIH cars, but the only kind of attack that they have addressed at all is the placement of an IED. And no one cares about truck transport of hazardous chemicals.

In a country full of easily available hand guns, rifles and shotguns, shouldn’t we be concerned about some really simple attack like some wanna-be terrorist shooting up a hazmat truck or railcar? I mean, everyone has seen what Hollywood says will happen when a propane cylinder is hit by gunfire; it explodes in a ball of flames. A propane tank truck or rail car would be a dandy target, right?

Flammable Gas Ballistic Targets

Tank trucks and railcars designed to transport flammable gasses like propane are actually high-pressure vessels transporting a liquefied gas. They are designed to maintain their integrity at pressures up to about 300 psig. A container like that is not made of sheet metal. Most hand gun and rifle munitions will not penetrate such steel targets. There are some high-powered rifles that would probably do the job however. What would happen if a terrorist used one of those?

First, the bullet would punch a hole through the thick skin of the pressure vessel; a hole about a half-inch in diameter. The metal shell entering the liquid would be hot, very hot; certainly hot enough to ignite propane. Fortunately, heat alone is not enough to ignite propane or any other flammable gas, you must also have oxygen. There is no oxygen inside the pressure tank, so there will be no fire inside. Oxygen cannot enter through the hole made by the bullet, there is too much pressure on the inside pushing out to allow any oxygen to make its way into the tank.

As soon as the bullet cleared the inner wall of the tank, there would be a high-pressure stream of flammable gas exiting through the small hole. The phase transition from a high-pressure gas to an atmospheric pressure gas would cool the hole to sub-zero temperatures quickly. This would almost certainly mean that the heated metal would not be able to ignite the exiting gas stream.

There is, however, another potential ignition source; static electricity. The high speed movement of propane molecules, under the proper atmospheric conditions, could produce enough static electricity that a discharge could ignite the stream of propane gas. You would have a high-speed jet of flame shooting out from the side of the car. This would actually be the best case scenario for such an attack. The result would be noisy and visually impressive, but it would only affect a relatively limited area. Stop the truck/train in the right spot and wait for the news crews.

If the jet of escaping gas did not self-ignite and the truck/rail car was stationary, and there was next to no wind, then you would have a potentially serious problem; a propane cloud. Such a cloud would expand as a colorless invisible cloud until it reached an ignition source. Then the entire cloud would ignite and burn so quickly that it would be a massive explosion, a fuel-air explosion. There are too many ifs for it to be an effective terrorist weapon.

Toxic Gas Ballistic Targets

Toxic inhalation hazard gasses like Chlorine and Anhydrous Ammonia are transported in pressure vessels similar to the propane cars. Again, if you use the right weapon you may get a small hole in the tank. The small hole severely limits the toxic gas problem. If you have a wind sufficient to disperse the cloud over a wide area (threatening ‘hundreds of thousands of people’) then the cloud from this type of leak will be so diluted that the deaths would be very few and even the injuries would be fairly limited in scope. If there was not enough wind to disperse the cloud at less than toxic levels, emergency response personnel could deal with the material with water sprays and limit the consequences even more.

Flammable Liquid Ballistic Targets

Tank wagons and rail cars of a wide variety of flammable liquids are much more common than flammable gas transports. The shells of their tanks are much thinner and can be punctured by even most hand guns. The problem is that there is not much pressure pushing out the flammable liquid, so it is less likely to self-ignite. The small liquid stream would produce a very narrow, if lengthy puddle that could be ignited. It might be an interesting way to start a large brushfire, but it isn’t really a good terrorist weapon. And you still have to ignite the liquid puddle.

Toxic Liquid Ballistic Targets

Liquid chemicals that are also TIH need to have large puddles to have much of a resulting toxic cloud. Again, the small holes made by bullets do not make much in the way of puddles unless the target is stationary. Even then emergency response personnel could deal with the situation fairly quickly, limiting the potential casualties. Some people would get sick and a small number would die, but not enough to be an effective terrorist weapon.

Bullets against Hazmat Targets

In short, using firearms against hazmat transportation would not provide the scale of casualties or damage that the common terrorist is looking to achieve. There is one potential exception to this conclusion; eco-terrorists might find the low casualty rate to be a plus as long as the target was visible enough to attract media attention. This would, however, still be a significant escalation of the types of actions these individuals have conducted to date.

The same cannot be said about firearm based attacks on fixed facilities. Flammable gas storage tanks could successfully be attacked by the right high-powered rifle. The terrorist would have to wait for a windless morning (inversion conditions would be best) and have some sort of incendiary round (tracer would probably suffice) for a second shot after the fuel-air cloud was established. The hardest part would be determining when to take the second shot. But that is a topic for another blog posting…

CSAT SSP Edit Process

Yesterday I noted that DHS had published a new manual as part of the Chemical Security Assessment Tool (CSAT). That manual, the CSAT SSP Edit Process User Guide, outlines the procedures to be used to edit either Administrative or Technical information in a submitted Site Security Plan.

PET PEEVE WARNING: Before I start looking at the details of the process outlined in the manual let me voice a vociferous complaint about a purely administrative matter. I really get upset when anyone, but especially a government entity, publishes a .PDF document with a security setting which prohibits the copying of information from the document. It serves no real security purpose and makes the job of reviewers like myself more difficult. It also makes it more difficult for covered facilities to incorporate information from the manual into local procedure documents. DHS has been pretty good about avoiding this setting, but this document is so protected. BAH HUMBUG.

Editing SSP

Once a facility’s site security plan (SSP) has been submitted there have been no provisions for going back and modifying information in that document without going through the Help Desk. This new manual explains how facilities can now go through the on-line CSAT to do this post-submission editing.

DHS and the writers of this manual take great pains to explain that starting the editing process does not change any of the time limits in the CFATS process for the editing facility. Modifications of deadlines for SSP or subsequent Top Screen Submission must be done through the extension process outlined for those submissions. This is explained in this manual and in on-line disclaimers which must be acknowledged before you can finish requesting to start an edit.

One other item that needs to be understood is how these edits affect an approved SSP. A currently approved SSP remains in effect until this edit is submitted and approved by DHS.

Administrative or Technical Edit

There are two distinct types of data that can be edited using this process and one item (Geospatial Information – Latitude and Longitude of facility) that must still be edited through the Help Desk. Administrative data is described as “information pertaining to your facility’s description, contact information, local police, fire, and Emergency Management Team (EMT) jurisdiction information, and employee and workshift information” (para 1.2, pg 1). Technical data is described as “information pertaining to your facility’s operations, security measures, and other areas which are not considered an administrative edit”.

NOTE: There is actually a third option. If the facility just needs to update the facility name, address, owner, or operator information the Submitter can use the ‘Update Facility Info’ button on the CSAT Survey List Screen when you first sign into the CSAT web site. This avoids the whole edit procedure.

To provide more clarity, DHS provides an exhaustive list of the Administrative Edit covered data in Appendix B. It provides a list of questions that are covered under the Administrative Edit. All other SSP questions (except the Geospatial data) are covered under the Technical Edit.

The reason for the different types of edits is related to the frequency with which DHS-ISCD will allow the edits to be conducted. Technical edits can only be done once every 90 days while there are no restrictions on the number of times that a facility can execute an Administrative edit. The reason is that the questions eligible for Administrative edits are not substantive from a security perspective; they reflect descriptive data and point of contact information. The technical data has direct bearing on security issues and requires substantial review and approval on the part of DHS.

Edit Procedures

The procedures for conducting an edit are relatively simple (from a CSAT perspective) but somewhat time consuming. A facility Submitter will sign on to the CSAT web site. There they will have the option of selecting either an Administrative or Technical edit from the latest SSP submission on the CSAT Survey List Screen. Clicking on either button will take you to the appropriate Disclaimer page. This reminds people that the Edit function does not change due dates or become effective until approved by DHS.

When the Administrative Edit is selected the Submitter will be shown a screen listing the SSP questions that fall under that edit procedure (the same list as found in Appendix B). This provides one last check to ensure that no Technical Edit questions need to be addressed. If an Administrative Edit is the appropriate edit, check the ‘Continue’ button and you will be returned to the CSAT Survey List Screen.

When the Technical Edit is selected there will be a brief additional disclaimer screen. If you have not waited at least 90 days since the last technical edit, when you click the ‘Continue’ button you will be taken to an error message letting you know when the current 90-day limit is up. If you don’t receive this error warning you will be returned to the CSAT Survey List Screen.

In both cases, returning to the CSAT Survey List Screen will show a “Pending Data Retrieval” message to the right of the latest SSP. No further action can be taken until DHS sends the Submitter an email letting him know that the SSP is now available for editing. Then the Preparer can sign back in to CSAT and will see a ‘New’ SSP listing with an appropriate ‘Input Changes’ Button to the far right of that new SSP. Clicking on that button will take the Preparer into the SSP Tool with all of the information pre-populated from the last SSP submitted.

At this point, all of the procedures for filling out the original SSP apply. This includes data entry procedures, moving between pages, saving copies, validating entries, printing copies and transmitting to the Submitter for the actual submission of the edited version. The only difference will be that when the Submitter actually pushes the ‘Submit’ button there will be an additional Disclaimer screen reminding the Submitter that due dates have not changed and that the existing (pre-editing) version of the SSP remains in effect until the edited version is reviewed and approved by DHS.


The hardest part of this new process seems to be deciding when to do a Technical Edit. I’m not talking about the decision between an Administrative Edit and the Technical Edit (Appendix B makes that decision simple), but the actual decision about when to make a Technical Edit. Because of the 90-day limit between making Technical Edits, facilities need to make sure that they consider consolidating pending changes into a single change.

If there is a time-critical change that will require a Technical Edit, facility management will have to decide if making that change will justify postponing any other planned changes until after the 90-day limit has passed. Generally speaking, consolidating Edits makes a lot of sense. I suspect that the folks reviewing/approving the edited versions of SSPs will greatly appreciate such consolidation.

Thursday, September 23, 2010

New CSAT Manual for SSP Preparers

Today DHS-ISCD updated their Chemical Security Assessment Tool web page, adding a link to a new manual; the CSAT SSP Edit Process User Guide. According to the ‘Overview’ of the manual its purpose is described this way:

“This document provides instructions to facilities for editing and resubmitting their submitted Site Security Plan (SSP) through the Chemical Security Assessment Tool (CSAT). The instructions explain how to edit an SSP, either through an administrative edit or a technical edit [emphasis added] NOTE: These instructions apply only to the CSAT SSP Edit process.”

New stuff of obvious importance to those that have submitted their SSP and then have to change it because of process/chemical changes on site, or because of something new learned in DHS audit/inspection. At the very least we have two new terms (‘administrative edit’ and ‘technical edit’) to understand.

Once I’ve had a chance to read and digest I’ll get back to you.

FEMA ICRs Rejected by OMB

I frequently mention various information collection requests (ICR) that are submitted to OMB for approval. These are an important part of the regulatory process as this is the mechanism that has been designed to protect the public from having to provide inappropriate information to government agencies. Usually this is just a formality; sometimes OMB will approve an ICR with a note that some minor changes are required, and on a relatively rare occasion they will return an ICR unapproved because major changes are required. On Tuesday OMB probably set a record with the number of ICRs they returned to a single agency, FEMA. I did not count them all, but there were seven that would probably be of interest to the chemical security community.

Rejected ICRs

All of the rejected ICRs dealt with FEMA grant applications. Since FEMA administers most of the grant programs for DHS, this affected a wide variety of programs. The grant programs that would be of interest to the chemical security community include:

• Trucking Security Program (TSP)
• Freight Rail Security Grant Program (FRSGP)
• Interoperable Emergency Communications Grant Program (IECGP)
• Regional Catastrophic Preparedness Grant Program (RCPGP)
• Port Security Grant Program (PSGP)
• Buffer Zone Protection Program (BZPP)
• Homeland Security Grant Program (HSGP)

The information being collected for these grant programs that would be covered by the ICRs is the standard information that the applicant fills out when requesting these grants; information used by FEMA to determine who would get grants of how much money. None of this is new information because these grant programs have been around for some time. I’m not sure why these new ICRs were being submitted this year; they should have been submitted when these individual programs were first started.

Reason for Rejection

According to the OMB web site, each of these ICRs was rejected for the same reason; “DHS did not properly attribute burden change to a potential violation of the PRA.” I’m not exactly sure what that means, but it sounds like there was a bureaucratic error made on the paperwork. If that is the case, I expect that we’ll see these ICRs re-submitted to OMB in the near future. It doesn’t sound like they will have to be republished for public comment.

Practical Effect of Rejection

The practical effect of this rejection, other than requiring additional work by someone at FEMA, is non-existent. The public is not required to complete any form used by the Federal Government if it does not have an approved ICR collection number on it. Of course since there hasn’t been an approved ICR for these forms since they were initiated, nobody has been paying any attention.

Practically speaking, if a State or local government agency or a private entity wanted to get money from these grant programs they are going to provide the information required by FEMA. This would probably extend to some inappropriate information; people will do a lot to get free money and that ‘people’ includes government agencies. Of course, that is the reason that the ICR program was established.

Reader Comment 09-21-10 Tracking FAQs

Yesterday an anonymous reader commented on an older post where I described the new CFATS Knowledge Center web page. Along with cogent comments about my blog post (read – agreed with me) Anonymous had a valuable suggestion that I would like to pass on since I know that there are some DHS-ISCD readers of this blog.

Question Sorting FAQs

Anonymous wrote: “. I'd sure like to see the FAQs in the future contain a reference to the specific numbered question one would find in the information gathering processes of Registration, Top-Screen, SVA, and SSP; eg [Q:7.005-14425] from the SSP questions.”

The average CSAT user looking for information will typically be working on one of the many submissions that are the heart of the CSAT system. Their questions will most likely be keyed to a specific question that they are being asked to answer in those submissions. Being able to enter that Question Number as a search term will make the search for the information they seek that much easier.

Now I understand that the FAQ listed on this page do not cover all of the questions. Since there are only 422 FAQ currently listed and there are more like a bazillion questions in all of the CSAT tools, it is obvious that most questions don’t have an associated FAQ. This is actually a good thing; it means that the vast majority of the questions are written clearly enough that there are no questions about the information that ISCD is looking for.

Question Numbers on Questions

We can extend that suggestion to the web form that DHS provides for CSAT users to submit questions to the Help Desk. If the Help Desk Web Form were to be slightly modified to include a field for CSAT question numbers, it would help to facilitate question searching of the FAQ.

More importantly it would also make it easier to actually address the information need of the questioner. Very few people are trained to write effective questions. When those questions are asked live to Help Desk personnel on the phone, clarifying questions can be asked in return to allow for a more effective answer to the CSAT User. This is more difficult to do when the question is submitted via the web form. With the CSAT Question identified on the form, it will make it easier for the Help Desk personnel to accurately answer the question that is really being asked.

Wednesday, September 22, 2010

FRA ICR for Reporting Alleged Violations Submitted to OMB

Yesterday the Federal Railroad Administration (FRA) submitted their information collection request (ICR) to the Office of Management and Budget (OMB) to allow the FRA to collect information from the public about alleged violations of Federal railroad safety and hazardous materials transportation laws, regulations, and orders. The collection would take place on the FRA web site via an on-line form. The FRA was directed to set up this collection by §307(b) of the Rail Safety Improvement Act of 2008 (P.L.110-432).

I briefly wrote about this ICR back in June when the required 30-day notice was published in the Federal Register (75 FR 34802). Typically the submission to the OMB is made at about the same time as the 30-day notice is published. This is because the public comments (if any) on the 30-day notice were directed to the OMB. According to the ICR submission no public comments were received on either the 30-day notice or the earlier 60-day notice (75 FR 18012).

There is no indication on the OMB site why there was a three-month delay in actually submitting the ICR to OMB. There was no deadline in the authorizing legislation for this particular information collection, so I suppose there is no big rush. After all we are only talking about safety incident reporting here. Nothing really important….

ICS-CERT Advisory – BACnet OPC Client

Last Friday I did a quick post about a control system vulnerability alert sent out by DHS ICS-CERT. Today the ICS-CERT folks have posted an ‘Advisory’ on the same vulnerability with additional information including mitigation measures to take to deal with the vulnerability in the SCADA Engine® BACnet OPC Client.

The Vulnerability

As I noted in the earlier blog the BACnet OPC Client allows communications between a workstation and the BACnet OPC server, which in turn allows for control of a number of building environmental, safety, and security controls. A successful exploitation of the vulnerability (a stack-based buffer overflow in SCADA Engine’s BACnet OPC Client; for those with more of a technical background than I have) “results in arbitrary code execution potentially leading to a system compromise” (pg 2).

I was kind of confused when the alert came out last Friday because it noted that ICS-CERT was in the process of contacting the vendor. The ICS-CERT vulnerability disclosure policy typically involves contacting the vendor and allowing a reasonable time to get mitigation measures developed before publicly announcing a vulnerability. The wording of the Alert did not seem to indicate that this was being done.

The reason for that deviation from policy is now apparent. Exploit code had been published for this vulnerability, so anyone using this software was potentially at a real risk of attack. Typically security researchers don’t publish exploit code without allowing the vendor to develop their mitigation efforts. The reason that Jeremy Brown (the researcher who discovered this vulnerability) did not wait is clear from the introduction to the exploit code; he maintains that SCADA Engine blew him off when he contacted them about the vulnerability.

The Mitigation

The vulnerability was discovered in version 1.0.24. A later version (1.0.025) has the vulnerability corrected. The new version is supposed to be downloadable from the SCADA Engine web site, but today the URL simply returns an “Internet Explorer cannot display the webpage” error message. It did work last Friday when I was preparing the earlier blog posting; probably too much traffic to the site.

As is usual with any mitigation measure for a control system that requires updating the software, ICS-CERT provides the following caution statement (pg 3):

“ICS-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.”
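As part of the impact analysis, a site needs to know which workstations still run a build older than the corrected one. The following is an added example, not code from ICS-CERT, SCADA Engine or the original post. It compares version strings numerically, because a plain string comparison ranks the zero-padded "1.0.025" below "1.0.24". The host names and inventory are constructed, and treating every build older than 1.0.025 as needing the update is an assumption.

```python
"""Flag inventory entries not yet on the corrected BACnet OPC Client build."""
import re

FIXED_VERSION = "1.0.025"        # version the post says corrects the flaw
REPORTED_VULNERABLE = "1.0.24"   # version the post says the flaw was found in


def parse_version(text):
    """Turn a dotted version string into a tuple of ints.

    Components are compared numerically, so the zero-padded '025' becomes 25
    and sorts after '24'. Raises ValueError on anything but dotted digits.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compare(a, b):
    """Return -1, 0 or 1; the shorter version is padded with zeros."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def classify(installed):
    """Classify one installed version string.

    ASSUMPTION: any build older than the fixed version is treated as needing
    the update; the post only names 1.0.24 explicitly.
    """
    try:
        if compare(installed, FIXED_VERSION) >= 0:
            return "fixed"
    except ValueError:
        return "unknown"   # needs a manual look, never silently passed
    if compare(installed, REPORTED_VULNERABLE) == 0:
        return "vulnerable"
    return "needs-update"


def audit(inventory):
    """Return {host: status} for every host that is not confirmed fixed."""
    findings = {}
    for host, version in inventory.items():
        status = classify(version)
        if status != "fixed":
            findings[host] = status
    return findings


# Constructed sample inventory (hypothetical host names and version strings).
SAMPLE_INVENTORY = {
    "bms-ws-01": "1.0.24",
    "bms-ws-02": "1.0.025",
    "bms-ws-03": "1.0.25",
    "bms-ws-04": "1.0.9",
    "bms-ws-05": "v1.0.24-beta",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Entries reported as "unknown" are version strings the parser could not read; they are listed for manual review instead of being counted as fixed.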

Counter-Terrorism Intelligence

Last week I briefly reported on an ongoing controversy in Pennsylvania about the tracking of activists concerned about natural gas fracking activities in that State. Balancing the protection of free speech and the freedom to assemble against the need to identify potential terrorists is a difficult line to walk. Yesterday I ran into an interesting document on looking at the type of information that domestic intelligence agencies are trying to use to identify potential homegrown terrorists before they can strike.

The document is called “An Information Needs Review”. It identifies some actions taken by an individual that could be indicators that a person has slipped over the line towards illegal terrorist activity. It is careful to claim that these indicators are not proof that the individual is guilty of terrorist activity, noting that: “There may be a legitimate reason why some of the indicators described in this document are present; it is up to you to determine when that is not the case.” (pg 4)

This document was produced by DHS, the National Counter Terrorism Center and the FBI. It asks local law enforcement to report these types of ‘suspicious activity’ to the nearest State and Local Fusion Center and your local FBI Field Office or Joint Terrorism Task Force. Presumably those organizations will then make a determination if further investigative efforts of the individual are warranted.

The Indicators

The listed indicators (pg 3) are:

• New or increased advocacy of violence including providing material support or recruiting others to commit criminal acts.
• Adoption of new life styles and segregation from normal peer and family groups in association with advocating criminal or terrorist activity.
• The adoption of a new name.
• Behavior that could indicate participation in surveillance of potential targets.
• Acquisition of excessive quantities of weapons or materials that could be used to produce explosives such as ammonium nitrate-based fertilizers or hydrogen peroxide.
• Travel to or interest in traveling overseas to attend violent extremist institutions or paramilitary training camps.
• New or increased interest in Websites and reading materials that advocate violence and then initiating action in support of this activity.
• New or increased interest in critical infrastructure locations and landmarks, including obtaining aerial views of these locations.

Most people would agree that many of these indicators would be cause for concern if observed in one of their neighbors. There are three, however, that will raise some discussion of their appropriateness. The adoption of a new life style, a new name, or interest in critical infrastructure are arguably not nearly as clear-cut indicators of potential terror activity. I can certainly understand why they were included in the list, but I also know that there can be any number of people exhibiting these indicators who will never commit or contribute to a violent act.

What is not listed in this document, and what probably more concerns civil libertarians, is a description of what happens with this information. Properly vetted information of this sort certainly deserves further investigation. But what happens if no information supporting a terrorist designation is uncovered in that investigation? If the names of those people are then purged from the system there shouldn’t be a real privacy concern. If the files are kept active pending ‘further information’ people would have a legitimate reason for concern.

I have worked on the edge of the intelligence community (at the tactical level) in the military so I understand that the intelligence folks get concerned that an investigation is never really complete. There is always the possibility that just one more piece of information will provide conclusive identification of intent where there is currently only negative information. And no one wants to explain to Congressional investigators after a successful terrorist attack that they had looked at the attacker but determined that he/she wasn’t a threat.

Protections in Place

All of this is why DHS has an office that is responsible for overseeing the civil rights of the American public when it comes to investigations of individuals. Additionally, Congress has repeatedly tasked the DHS Inspectors General office with checking up on the protections put into place to prevent abuses of the investigational power of the Department. And finally, Congress itself has repeatedly demonstrated that they take their oversight responsibility very seriously in this area of DHS operations.

Will these protections be enough to stop all abuses, deliberate or unintentional, of the power to investigate citizens? Almost certainly not; this is a government of people and people make mistakes in judgment. Will the oversight provisions be able to identify abuses that do take place? Very probably, but the oversight is also done by people so it remains a possibility that some abuses will slip through the cracks.

But, we must remember that the abuses that are likely to happen will be mistakes of judgment made by people trying hard to protect this country. They won’t be evil people, setting out to destroy innocent civilians for their own personal gain. We must be alert and careful to find and correct the abuses that do happen, but we must avoid the temptation to demonize those that step over the line. The line dividing the protection of individual liberties and the prevention of terrorist attacks is seldom a sharp bright line.

Tuesday, September 21, 2010

New Top Screen Manual Reviewed

Well, as promised earlier I have had a chance to take a look at the new Top Screen Manual that DHS-ISCD published today. I kind of expected that this would be new rules for the reporting of fuels at fuel terminals, but it turns out that there are no real changes in procedures provided in this manual. There are changes (including a name change), some good and some questionable, but no new policy.

First we will look at the change in names. The new manual is called the CSAT Top-Screen Survey Application User Guide. It is listed as version 1.99. The old manual was called the CSAT Top-Screen User’s Manual with a version number of 2.8. I suppose that this explains why there is no change history listed in the front of the manual to explain what changes were made from the previous version.

It is interesting that the new manual starts out with a ‘1.99’ version number. This would seem to indicate that there have been a large number of changes made in this new manual before it first saw the public light of day today. It would be interesting to know if there were policy changes proposed during the development process that were dropped for one reason or another. Too bad that kind of stuff seldom leaks.

Problems with New Manual

I only really have two minor issues with the latest version. The first deals with that name change thing. Now DHS can call these manuals anything that they want to. But it certainly looks like the change was done to avoid having to prepare an updated change history listing the changes that were made in this manual. On one hand there are significant organizational changes and it could be difficult to briefly describe those changes. But the lack of the change history makes it difficult to determine what has changed.

I have gone back and checked the two manuals against each other page by page, but it is entirely possible that I might have missed something. There were enough changes made in the order of information presentation that I may have missed some subtle changes. And there are few people in the industry who would even make the effort that I took this afternoon. A change history makes it easier to identify the differences and comply with the changes.

The second issue deals with one of the format changes made in the new manual. In the earlier version it was visually difficult to differentiate the text of the questions from the explanatory text. To give some help, the Top Screen question numbers were appended to the text of each question. The new manual physically separates the questions from the explanations in tabular form. It certainly makes it easier to distinguish the two.

Unfortunately, the question numbers are now gone (since they are not needed for clarity’s sake), but that makes it harder to track the questions in the actual Top Screen to the explanations in the manual. With a number of very similar questions found in different sections of the Top Screen, this will inevitably cause some confusion.

Positive Changes

Having started off this process with the picking of nits I have to admit that I really do think that this manual is better, easier to read and use than its predecessor. There is some stuff removed from the early sections dealing with the registration process and the roles of the various people involved in the CSAT process. But, as the new manual explains, those details are available in the CSAT User Registration User Guide. That information is really needed in the registration process, not here.

In addition to abbreviating the introductory information the new manual provides a much more extensive table of contents. This allows for quick identification of the location of information that the Preparer and Submitter will need to complete the Top Screen.

The new visual layout of the pages and the tabular listing of Top Screen Questions paired with their explanation make it easier to find information on the page. Some of the screen shots in the new manual are smaller than the earlier version, but that only happens when the details on the page are less important for the explanation than the actual page layout.

Most of the wording from the earlier manual is simply cut-and-pasted into the new format. There were a couple of instances where I noticed that some clumsy wording in the original had been replaced with less confusing prose. There was only one place that I noticed that there was a significant change in the wording. During the discussion of what amounts of COI to count for release flammable COI an entire paragraph from the earlier manual was excised from this manual.

That excised material was a definition of ‘Tank Farms’ taken from the end of paragraph 5.2 on page 40 of the earlier manual. It didn’t really contribute much to the discussion in the new paragraph 7.2.1 on pages 50 and 51 of the new manual, but I was kind of surprised that it was removed. Filler material like that usually gets carried forward in cut-and-paste editing.

Missing Information

There is one important piece of information missing from the new manual that could confuse some new users of the system. There is no mention of the on-going agricultural facility ‘temporary’ exception to the Top Screen mandate. While one might assume that that is related to yesterday’s close of the Agriculture Survey, this information was also missing from the previous version of the manual.

It is also interesting that on the two other web pages where the Top Screen User Manual is referenced (and linked) there is no mention of the change in manuals. The links on the CSAT Top-Screen page and the CFATS Knowledge Center page for this manual do link to the new manual simply because it retains the same URL as the old manual. The listing of the manual name is incorrect, but it is close enough that most people won’t get too confused.

Changing Manuals

If you have already completed your Top Screen submission, keep a copy of the version of the manual you used for that submission with your copy of the Top Screen. This way you can more readily understand why you made the decisions that were made in completing that submission. The subtle differences in the new wording might not lead to exactly the same conclusions.

If you have to submit a new Top Screen, download the new version of the manual. Print it out and mark it up with your notes, questions and conclusions. It provides an excellent history of your compliance actions. But, do not print this out if you aren’t submitting a Top Screen any time soon. DHS is not bashful about updating their manuals with new information or better explanations. You always want to make sure that you are using the most up-to-date guidance available.

New Top Screen Manual

This morning DHS modified their Chemical Security Assessment Tool web page, providing a link to a new CSAT Top-Screen Survey Application User Guide. There are no visible changes to the CSAT Top-Screen web page, but the link on that page to the CSAT Top-Screen User Manual now takes one to the new manual. Since there are numerous organizational differences between the two manuals it will take me some time to figure out exactly what has changed. Stay tuned….

Stuxnet and the Future

Late yesterday Dale Peterson at posted “[o]ne more Stuxnet post before we move on.” As is typical, Dale’s blog post provides us with some valuable insight into Stuxnet. I certainly hope, though, that he isn’t implying that this will be the last post on the matter. He has been a good source of updated information about Stuxnet, explaining things that he and others have found out about the operation of Stuxnet.

Stuxnet Response

In this post Dale isn’t really looking at the details of Stuxnet; rather he is looking at how the industrial control system network responded to one of the most creative and complex assaults on system security. In his analysis ICS-CERT and Siemens come off looking bad while Langner Communications and Symantec received some well deserved praise.

Dale’s complaints about ICS-CERT are particularly important. This DHS office is the one charged with supporting cyber security activities in the industrial control sector. Since most companies using these control systems do not have the resources to watch out for, investigate, and formulate a response to sophisticated attacks like Stuxnet we turn to the Government for this type of support.

Dale points at possible political issues hampering a more aggressive public ICS-CERT response to Stuxnet. Unfortunately he doesn’t explain what stopped them from being able to “clear the bureaucratic hurdles required to release more information”. If Stuxnet was actually an Israeli attack on Iranian nuclear fuel processing as Dale and others have suggested as being a plausible explanation for the sophistication of the attack (and I agree that it does sound extremely plausible), then the intelligence community would have been reluctant to see that information released.

That would have been a piss poor (though entirely predictable) reason to restrict the spread of information about Stuxnet. Once Iran was identified as having an unusually large number of Stuxnet infections it didn’t require a great deal of ‘jumping to conclusions’ to start to think that Israel might have discovered a new means to execute offensive operations against a target that they have publicly warned that they intend to attack before Iran could produce a nuclear weapon.

Actually I suspect that the ICS-CERT failure in this situation was more based upon resources and a lack of imagination than the lack of political will. While DHS is a large organization their manpower is spread thin. Their lack of depth is further aggravated by the political necessity of having a huge amount of manpower involved in the symbolic protection of commercial air traffic. We continue to see understaffed agencies ‘protecting’ high-risk chemical facilities, Hazmat pipelines, and toxic freight rail targets. Until those targets are actually hit, the politicians will continue to only provide token monies to support those programs.

Cyber Weapons

As we continue to hear discussions about cyber warfare and governmental cyber attacks, this Stuxnet incident points out a unique problem with cyber weapons: once they are employed in the wild, they become public property. While Langner Communications and Symantec have done some valuable work explaining what Stuxnet does and how it works, we must not forget that every government in the world with a modicum of cyber expertise has been hard at work doing the same thing.

Dale touches briefly on this in his posting, but I think that this deserves more attention. The developers of Stuxnet (Mossad, the Russian Mob, a bored pimply-faced kid, whoever) have done the hard work. They developed the tools to attack Siemens-based control systems. Those installed systems will now be forever suspect of being vulnerable to attack. And any government, any large criminal organization, will have access to the tools necessary to execute those attacks.

We are now at the cyber equivalent of August 1945, with the Stuxnet shaped cloud rising on the horizon, proclaiming that the world will never be the same again. If this was an attack on the Iranian nuclear program, the irony is totally appropriate. With the potential ability to conduct anonymous attacks on civilian and military infrastructure at will we are heading into a dangerous new era of international politics.

Unfortunately, it will be the private sector in the United States that will bear the brunt of the damage and cost of this new type of warfare. The targets will largely be owned by private companies and they will bear the brunt of both defending against and responding to the results of those attacks.

The world has become an even more dangerous place and there’s not much we can do about it.

Monday, September 20, 2010

Chemical Sector Training Resources Guide

As I reported last Monday, I requested a copy of the Chemical Sector Training Resources Guide that was recently listed on the Chemical Sector Training and Resources web page. I received my copy of the .PDF document on Tuesday. The email transmitting that document describes the Guide this way:

“The guide contains a list of free or low-cost training, Web-based classes and seminars that are routinely available through one of several component agencies within the U.S. Department of Homeland Security.”

The email from the Chemical Sector-Specific Agency also advised that there were two new tabletop exercises recently made available by the DHS FEMA private sector office that were not listed in the Guide. Those are a Hurricane Tabletop Exercise and a Chemical Accident Tabletop Exercise. The latter exercise scenario reportedly ‘simulates a chlorine rail accident with release of chlorine’. Exercise information can be downloaded at

The 28-page Guide provides an overview of the training resources made available through FEMA, NPPD, and TSA. It then provides a listing of individual courses that are available with a brief summary of each course. That summary typically includes a description of the target audience, the type of presentation and a link to the course. For live courses taught at limited facilities or for arranging live courses to be taught at a local facility that link is typically an email point of contact.

Anyone with training responsibilities at a high-risk chemical facility should certainly get a copy of this document. Additionally, trainers in the emergency response and emergency planning business will also find this a guide to DHS training resources. Again, all you have to do to get your copy is request it by email through the Chemical Sector-Specific Agency.

Sunday, September 19, 2010

More Methyl Bromide

I know, I sorta promised to back off on the methyl bromide platform, but I just can’t help it. Somebody just keeps serving up big fat lob shots. This time it is from a news story from It seems that two companies in the fair city of Suffolk have been using methyl bromide to fumigate pallets and other lumber products; a very good (effective) way of killing pests.

For the purposes of this blog we’ll ignore the alleged fact that the companies did not have state permits to use toxic chemicals, or that they were allegedly exhausting the excess methyl bromide to the atmosphere. The environmental folks will be looking into that. No, what concerns me is that the companies were sited, according to the news article, near residential areas. In fact, one was near downtown Suffolk and the other is within 100 yards of a public school.

We would assume that the use of a toxic inhalation hazard chemical (at a rate of 10 tons per year) near a population center would place one firmly on the high-risk chemical facility list. But no, remember DHS took methyl bromide off their list of chemicals of interest (COI) when the EPA informed them that the chemical was being phased out and wouldn’t be around long enough for DHS to really regulate. OOPS….

I understand that DHS and industry are looking at updating the Appendix A list of COI. Let’s make sure that we put methyl bromide back where it belongs, on the list of release toxic COI. If and when the EPA actually approves effective alternate chemicals for the areas where methyl bromide is currently used, and actually prohibits the use of methyl bromide as a fumigant, and the remaining stocks are actually consumed/destroyed, if and when that happens, then DHS can remove the deadly chemical from the list at its leisure.

Saturday, September 18, 2010

Committee Hearings Week of 09-20-10

This coming week the two Homeland Security committees will be holding separate hearings that might be of interest to the chemical security community. Neither hearing is specifically about chemical security issues, but will rather look at larger issues that could affect facility security issues.

Evolving Terrorism

On Wednesday, 9-22-10, at 10:00 am EDT, the Senate Homeland Security and Governmental Affairs Committee will be holding a hearing on “Confronting the Terrorist Threat to the Homeland”. Like last week’s House hearing, this hearing takes the opportunity of the 9th anniversary of the 9/11 attack to look at how the current terror threat has changed since that ‘fateful day’.

The witnesses at the earlier hearing were essentially academics who researched terrorists, their organization, and their tactics. This week’s hearing, on the other hand, will have witnesses who have responsibility for preventing terrorist attacks. They include DHS Secretary Napolitano, FBI Director Mueller, and NCC Director Leiter. Presumably they will be telling the Senators about their view of the current terror threat.

Transportation Security

On Thursday, 9-23-10, at 2:00 pm EDT, the House Homeland Security Committee will hold a hearing on “The Target of Terrorists and TSA’s New Direction”. The new TSA Administrator, John Pistole, will be making his first appearance as Administrator before this Committee. Thus the Committee web site notes that “this hearing will give Mr. Pistole an opportunity to lay out his vision for TSA”.

Until now the primary focus of TSA has been protecting aviation. Since the 9/11 attacks were aviation based attacks, this is probably understandable. Now TSA is starting to take a harder look at security measures for other transportation modes, public transit (train and bus), freight railroads, and pipelines. Hopefully, Administrator Pistole will spend some time explaining that widened focus.

Missing Hearings

There are a couple of hearings that it is a little surprising not to see scheduled for this week. First Senator Boxer’s Environment and Public Works Committee should have a mark-up hearing for S 3598, Sen. Lautenberg’s water facility security legislation. If this has any chance of getting considered this session, it will have to be reported out of the EPW Committee very soon. The longer it takes to markup and report out the bill, the less likely it is to be passed before the November elections.

The second hearing that I have been waiting to see is the House Appropriations meetings on the DHS budget bill. Work was apparently stopped on this weeks before the recess for political reasons. If a DHS budget is to be passed before the start of the new fiscal year (October 1st) it will have to clear this committee. The longer things go before Appropriations introduces their FY 2011 budget bill, the more likely the budget will be postponed until the 112th Congress convenes in January via a Continuing Resolution.

The CFATS community is concerned about the DHS budget for a couple of reasons. First the current authorization for the CFATS program expires on October 4th. Since a comprehensive CFATS reauthorization bill is practically impossible at this point, an amendment of the expiration date is expected to be included in the DHS budget bill. Fortunately, a continuing resolution would effectively do the same thing while that resolution was in effect. Secondly, we can always hope that Congress would include in the DHS budget some increased funding for more CFATS inspection personnel.

Of course, either (or both) of these hearings could still happen this week. Since neither would require witnesses to testify, little coordination needs to be made to hold these hearings.

S 3800 - No Cybersecurity Provisions

Following up on a blog earlier this week, we are now looking at the DOD appropriations bill, S 3800, that was introduced on Thursday. I finally had a chance to review the bill and there are no significant cybersecurity provisions in the bill beyond simply funding DOD cybersecurity operations.

No new cybersecurity programs have been added to this bill, but that doesn’t mean that they won’t be added in the legislative process. I’ll continue to track this bill as it wends its way through the Senate.