Monday, February 28, 2011

Rules Committee Reports HJ Res 44 – Two Week CR

This evening the House Rules Committee met to consider a rule to provide for the debate of HJ Res 44, Further Continuing Appropriations Amendments, 2011. This is the continuing resolution that I blogged about this last weekend. The Committee approved H. Res. 115 that outlines the rules for that debate. This will be a closed rule with limited debate (one hour on H. Res 115 and then another hour on HJ Res 44) and no amendments; either approved in the Rules Committee or to be offered on the floor.

HJ Res 44 will almost certainly pass in the House on a party-line vote; maybe as early as tomorrow. There are indications that Sen. Reid will allow it to come to a vote in the Senate and that it will pass there on some sort of ‘bipartisan’ vote. At least that’s what a number of different news organizations are reporting. That would allow some additional time for a deal of some sort to be worked out with the Senate on revisions to HR1 that could be approved by both houses.

ISCD Reorganization

Effective tomorrow there will be a significant reorganization of the Infrastructure Security Compliance Division (ISCD), the organization within NPPD that runs the CFATS program. Rick Diggers, the new acting director (as of December 20th) has directed the reorganization that will place the inspection force under his direct control, and moving all engineering, analysis, document review and industry relation work to the Compliance Branch (currently headed by a new acting branch chief, reportedly with an industry PR background). This greatly reduces the work load (to almost non-existent by some reports) of the three remaining branches of the Division.

Supposedly Diggers was brought into shake up the Division because of delays in CFATS implementation and the slow development of the ammonium nitrate regulations. It seems that the CFATS delays extend beyond the slow completion of SSP approvals. Other delayed areas include program development for:

• Agricultural production facilities currently under a ‘temporary Top Screen exemption’ since 2008;
• Reviewing and approving alternative security programs; and
• Reviewing and approving requests for re-determination (over 600 pending).
Rumors abound that the reorganization was directed and guided by Sue Armstrong, the former Director of ISCD and currently Assistant Secretary for NIPD where she still retains responsibility for ISCD. If true, this would be interesting since the problems date back to her tenure as Director. Actually it seems that many of the current problems being experienced by ISCD, including the personnel issues that I’ve discussed before, date back to period when Sue ran the Division and are only now coming to public view.

Since Diggers is statutorily limited to a 120-day tenure as ‘Acting Director’ and NPPD is currently reviewing applications for the permanent director, it seems that these changes may only last until a new director is hired. Since Diggers has never managed a program of this size (either in manpower or budget) before, he is unlikely to remain in the ISCD Director position.

I don’t know enough about the internal workings of ISCD to be able to truly gauge the effectiveness of these changes, but it does seem to me that putting the Regional Commanders of the inspection force under the direct control of the Director is unworkable. Span of control issues, Digger’s lack of knowledge about the CFATS program, the chemical industry (he has an intel background), and security programs in general make it unlikely that he will be able to effectively manage the inspection force.

Oh, well. I guess we’ll just have to wait and see how this works itself out. I’m getting more and more concerned though that this program is heading the way of so many of poorly managed and supported chemical safety programs. Fortunately, it seems that the terrorists are even more poorly organized and managed. Let’s hope that their lack of organization stays worse than that of ISCD.

Saturday, February 26, 2011

Draft Short-Term Continuing Resolution

Yesterday afternoon I included in a post about congressional hearings for next week a comment that we should be seeing a draft of a short-term continuing resolution (CR) that would extend the current March 4th deadline for coming up with an FY 2011 appropriations bill. Well, a couple of hours later the House Rules Committee updated their web site where they discuss the bills that are scheduled to come to the floor of the House in the upcoming week. Sure enough there is a House Joint Resolution (currently unnumbered), Further Continuing Appropriations Amendments, 2011, listed as being considered ‘pursuant to a rule’.

This resolution would extend the current March 4th deadline to March 18th, giving Congress another two weeks to deal with the issue. It amends the current continuing resolution {the Continuing Appropriations Act, 2011 (PL 111–242)}. As one would expect, there are some changes to the amounts authorized under this proposed extension. For the chemical security related provisions of the changes are really hard to determine with any exactitude as they are included in much larger portions of the DHS budget. So the best we can do is look at how the spending for larger organizations that contain chemical security spending would fare. These larger programs are:

• TSA Surface Transportation Security (includes the freight rail security program) spending – No change [This is an effective increase from provisions of HR1 from $105 Million to $138 Million]

• Coast Guard Operating Expenses (includes MTSA) spending reduced from $6.9 Billion to $6.8 Billion [Effectively the same as HR1]

• NPPD Infrastructure Protection and Information Security (includes CFATS and CERT) spending increased from $878 Million to $880 Million [This is an effective increase from the provisions of HR 1 from $805 Million]
The way the expiration date of the current CR is changed this proposed short-term CR also extends the current authorization for the CFATS program until March 18th.

It will be interesting to see how this plays out this week. There’s enough here in the overall proposal to upset both Freshmen Republicans in the House and Senate Democrats; which may mean it’s a workable compromise.

HEARING Notice: The Rules Committee will hold a hearing on the rule for the consideration of this Resolution on Monday at 5:00 pm.

Friday, February 25, 2011

The Spread of Stuxnet

I have been following Stuxnet since news became generally available last summer. I thought that I had a pretty good understanding of the general operation (but certainly not the technical details) of Stuxnet and readers have probably gotten the idea that I have been pretty concerned with the potential threat that this worm presents for the future. Realistically I have only been mildly concerned, that is until I read a recent paper published on-line by Byres, Ginter and Langill entitled: “How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems”. Now, I’m officially very concerned.

An Overview of the ‘Attack’

What these three men have done is taken the known information about how Stuxnet operates and applied that to a theoretical industrial control system that is following the current ‘best practices’ security guidance for that system. Using that knowledge and that construct they determined the routes that Stuxnet could use in the system to get from an attacker to a specific PLC to do its dirty work. As if that weren’t enough, at each step of the spread of the infection, they posit additional pathways that could have done the same thing.

Take for example, the initial attack vector, the zero point of the attack. Their main proposal should not surprise anyone; it is very similar to what has been assumed in the standard discussions of the Stuxnet worm – an infected USB. Their attack starts with (pg 14):

“In our primary scenario, a company employee returns from an off-site visit to a contractor’s facility with an infected USB flash drive. The employee has been given the infected drive deliberately by a saboteur employed at the contractor facility.”
The alternatives get a little more creative. The final one deserves special mention for reasons that will be obvious later in this blog. They propose a spear phishing attack with an email carrying an infected attachment. They even went so far as to “construct a proof-of-concept dropper for of Stuxnet that is based on an infected PDF”. That is scary thoroughness.

That’s the last I’m going to describe of the details of their analysis of the transfer mechanisms for the Stuxnet attack. You can (and should) get the document yourself and read their analysis. It’s free (registration required) from the Tofino Security web site (Abterra Technologies, and link back to the Tofino site). I know that there have been some complaints about requiring a registration to read the paper, but it is a very small price to pay for an important piece of Stuxnet explication. Besides, if you’re really worried about compromising your privacy, just use a disposable email address and then never use it again.

Stuxnet and Night Dragon

The authors make the point a couple of times in this paper that the system they are describing is using the commonly accepted best practices available and suggested for that system. They also note that very few SCADA systems are protected as well as the construct that they use for their analysis. Given the business that each of these gentlemen are involved in, one might be forgiven for assuming that that claim might be a little self-serving.

That is, except for the recent report released by McAfee on the multi-year Night Dragon assault on multiple, large oil and gas company cyber-assets. The Night Dragon report makes it clear that even the largest companies, ones with the resources (both financial and technical) necessary to protect those systems, were sadly lacking in their ability to prevent the compromise of their cyber assets by relatively unsophisticated attack tools.

One of the many routes of entry into the cyber security perimeter described in the Night Dragon report is the spear phishing attack on various personnel within the organization. It is always amazing how effective these targeted email attacks can be. And remember that Stuxnet dropper in a .PDF file? What better attack vector in the real world.?

If you were to read these two reports, back-to-back, like I just did, you would be struck by just how vulnerable our industrial control systems are to a concerted attack. “How Stuxnet Spreads” shows how easily the worm could navigate a well protected (at least compliant) system. Just imagine how quickly it would spread through a system that was not compliant.

Congressional Hearings – Week of February 28th

Next week Congress will be dominated by budget matters. With the March 4th deadline for approval of FY 2011 appropriations fast approaching, there will be some sort of action or deliberate inaction on that front. And the President’s FY 2012 budget will get continued attention. The only hearings currently scheduled that will be of interest to the chemical security community will be about the FY 2012 budget.

DHS Department Budget Request

Secretary Napolitano will be making two appearances on Capitol Hill this week to explain the President’s DHS budget request for FY 2012. She will appear before the Homeland Security Subcommittee of the House Appropriations Committee on Wednesday afternoon. On Thursday morning she will make her appearance before the House Homeland Security Community that was originally scheduled for the 17th.

Her prepared testimony will be essentially the same as she presented to the Senate Homeland Security and Governmental Affairs Committee on the 17th. The questions will likely be a little different, reflecting the parochial interests of the various committee members.

Typically we would not expect to see much in the way of questions about CFATS; it’s just too small a program from a budget perspective. That may change this week for two reasons. First, there is a remote chance that Chairman King might take the opportunity to ask a question or two about delays in the CFATS implementation as they might indicate a lack of resources for internal review of SSP submissions.

I wouldn’t be surprised if the Wednesday arrest of 20-year-old Saudi Khalid Ali-M Aldawsari in Texas on charges related to improvised explosives (or WMD as it is known to the FBI) weren’t the subject of at least a few questions. There might be specific questions about his ability to buy the chemicals and equipment necessary to make an IED (something of no surprise to anyone in the chemical community). Secretary Napolitano would certainly be expected to include in her response that it was a chemical company’s warning that led to his arrest.

Coast Guard Budget Request

While his name does not yet appear on the House Transportation Committee web site for the Tuesday morning hearing before the Subcommittee on Coast Guard and Maritime Transportation, the Commandant of the Coast Guard will certainly be one of the three government witnesses that will testify on maritime related budget requests. Again MTSA will not likely appear in his written testimony because of its relatively small budget impact. Questions might be asked about the TWIC Reader implementation process.

FY 2011 Continuing Resolution

There is not currently any hearings scheduled on HR 1 in the Senate. There have been news reports that the Senate Appropriations Committee is crafting an alternative to the House bill. It is unlikely that there would be hearings on that alternative; it would most likely show up on the Senate floor as an amendment in the form of a substitute. Until that alternative actually makes an appearance it is difficult to forecast its potential for passing in the Senate.

With the deadline fast approaching and almost everybody expecting some sort of a fight between the Senate and the House on HR 1 there has been much talk of a potential government shut down. Yesterday we started to see news reports that the Republicans in the House were working on a shorter term version of HR 1 to be offered as deadline bridge to allow that fight to be fully played out. Such a bill would certainly call for a Rules Committee hearing, but one is not yet scheduled. Such a bill and hearing would have to be announced early in the week to conform to the new House Rules.

Thursday, February 24, 2011

OMB Approves Interim Guidance on TWIC Readers

Today the web site reported that the Office of Management and Budget approved the ‘pre-rule’ document for the Coast Guard’s TWIC Reader Rule. Readers might remember that back in January, I reported this being submitted to OMB as the TWIC Reader NPRM. Fortunately an alert reader, John C.W. Bennett, pointed out that what had been erroneously reported by OMB as the TWIC NPRM was actually an interim user guidance document providing guidance on the use of TWIC Readers pending the completion of the rule making process.

The document was reported ‘consistent with change’ which means that minor changes were requested by OMB. We would expect to see the final version of this ‘interim guidance’ document posted in the Federal Register in anywhere from a couple of weeks to a couple of months.

The last that I heard was that the target date of November for the publication of the NPRM is still looking possible.

S 413 – Risk Based Security Measures

As I noted in my initial blog posting on the recently introduced S 413, the Cybersecurity and Internet Freedom Act of 2011, would require to establish regulations to require security protections for industrial control systems in certain critical infrastructure facilities. Today I would like to take a look at the requirements for those regulations outlined in this bill.

Risk Assessment

Section 248(a) of the bill would require the Director of the National Center for Cybersecurity and Communications (NCCC), in conjunction with appropriate governmental regulating agencies, to conduct a cyber risk assessment “on a continuous and sector-by-sector basis [emphasis added], [to] identify and evaluate the cyber risks to covered critical infrastructure” {§248(a)(1)}. The risk assessment would look both at the potential for attack and the consequences of a potential attack.

The first such report would be due within 180 days of the passage of this legislation. There is also a requirement for annual updates of these reports. The reports would be submitted to Congress, but to aid in the widest possible dissemination of the information, the reports are required to be unclassified. To allow Congress to be informed of risks based upon classified information, the Director may include a classified annex to the report.

An interesting component of this risk assessment is the requirement for the Director to establish “process under which owners and operators of covered critical infrastructure may provide input on the findings of the reports” {§248(a)(3)(B)}. A potential method that could be used to fulfill this responsibility would be to establish a cyber security fusion center.

Risk-Based Security Performance Measures

After the first risk assessments are required to be completed the Director would have an additional 90 days to publish, again in ‘coordination’ with the appropriate federal regulating authorities, “interim final regulations establishing risk-based security performance requirements to secure covered critical infrastructure against cyber risks through the adoption of security measures that satisfy the security performance requirements identified by the Director” {§248(b)(1)}. The phrase ‘interim final regulations’ is important because it allows (but does not require) the director to skip the requirement for publishing a notice of proposed regulation, shortening the regulation development process.

These regulations would provide for notification of owners and operators of ‘covered critical infrastructure’ of the cyber risks identified by the Director, security performance requirements and identified best practices to remediate or mitigate those risks. The regulations would provide for owner/operators to select appropriate security measures and/or best practices to deal with those risks and report that selection to the Director. The regulations would also prescribe a process that the Director would use to “determine whether the proposed security measures satisfy the security performance requirements established by the Director” {§248(b)(2)(D)(ii)}.

The regulations would allow facilities to develop their own ‘best practices or security measures’ and report those to the Director. These reports would be protected by “applicable law relating to the protection of trade secrets” {§248(b)(2)(E)(iii)} not the stronger protections provided for security measures afforded to facilities under other federal security rules like CFATS or MTSA.

This section includes language similar to that found in the §550 authorization for the CFATS program, stating that “the Director may not disapprove under this section any proposed security measures, or combination thereof, based on the presence or absence of any particular security measure if the proposed security measures, or combination thereof, satisfy the security performance requirements established by the Director” {§248(b)(4)(C)(i)}.

As we have seen during the implementation of the CFATS process, this complicates the regulatory process, but does provide the maximum flexibility for owners/operators to design their security processes. The drafters of this legislation have attempted to decrease those potential complications by specifically allowing the Director to ‘recommend’ (but not require) specific security measures “that will satisfy the security performance requirements established by the Director” {§248(b)(4)(C)(ii)}.

International Cooperation

There is an interesting component of this section that I have never seen before. Section 248(b)(3) provides authority for the Director to inform the owner/operator of facilities outside of the United States of cyber risks to those facilities as long as the ‘disruption’ of the facility “could result in national or regional catastrophic damage in the United States” {§248(b)(3)(i)}. The awkwardly worded paragraph also allows the Director to make such a notification to the foreign government involved.

Surprisingly this is the only portion of §248 that specifically refers to ‘information infrastructure’ so it would not apply to industrial control systems outside of the United States.

CFATS Success

I received an interesting email from a reader about the CFATS delay blog that I wrote earlier this week. He noted that Congress would not get upset about Beer’s less than complete testimony about SSP delays because “CFATS is a success”. In many ways I have to agree. As I have said on numerous occasions, DHS has done a great job in getting this program up and running. A major reason for their success to date is that they have really worked with industry to put into place a workable and effective regulatory program that actually increases security at high-risk chemical facilities.

What I am afraid of is that all of that could get ruined if DHS has to start cutting corners in this program because it does not have the necessary resources to complete the SSP review/approval process. In an era of increasing budgetary constraints it would become very easy for this process to turn into a rubber stamp of submitted site security plans. If that happens, then CFATS will go the way of EPA and OSHA chemical safety programs; responsive only after the fact. Unfortunately an after-the-fact inspection in the DHS sense could mean the deaths of thousands of people as the result of a terrorist attack.

My friends at SOCMA and ACC are quick to point out that they have been working hard at security long before CFATS and that is true. I worked at a facility that worked hard at getting their Responsible Care certification, but did not have a real effective security program because they just did not understand security. It wasn’t that they tried to take shortcuts to try to skate by, but they did take shortcuts because no one had ever told them the proper way to do things.

If this could happen at a Responsible Care facility, just think about the security measures that are routinely found at smaller facilities. One just has to look at the number of anhydrous ammonia releases at farm supply stores across this country because of theft by amateur methamphetamine manufacturers to see how lax security is at many potentially high-risk facilities.

Until we get an effective CFATS process down to the Tier 3 and 4 facilities across this country, the vast number of the covered facilities, we can’t really call the CFAT program a success. And it won’t continue to be a success if it starts to take the easy way out on SSPs; high-risk facilities must be held to standards that favor security.

Wednesday, February 23, 2011

S 413 - Coverage of Industrial Control Systems

As I mentioned in Monday’s blog, while most of S 413 refers to ‘information systems’ in the federal government, there is a section of the bill that looks like it may provide authority for DHS to regulate the security of industrial control systems in critical infrastructure facilities. Section 248(b)(1) requires the Director of the National Center for Cybersecurity and Communications (NCCC) to “issue interim final regulations establishing risk-based security performance requirements to secure covered critical infrastructure [emphasis added] against cyber risks through the adoption of security measures that satisfy the security performance requirements identified by the Director”

Covered Facilities

The whole issue of what facilities would be covered hinges on a complex set of rules set forth later in the proposed legislation. The definition of ‘covered critical infrastructure’ is found in § 241(4); “the term ‘covered critical infrastructure’ means a system or asset identified by the Secretary as covered critical infrastructure under section 254”.

To find §254 you have to go way back to Title V of the bill (pg 210). There you find three requirements that must be met for the Secretary to declare that the ‘system or asset’ is covered critical infrastructure. The first of these is that “the destruction or the disruption of the reliable operation of the system or asset would cause national or regional catastrophic effects identified under section 210E(a)(2)(B)(iii)” {§254(a)(2)(A)(i)}. That section is also added by this new bill and includes mass casualty events, severe economic consequences, and mass evacuations. We can easily see where industrial facilities might be included in these requirements, particularly some (though certainly not all) high-risk chemical facilities.

The second requirement is that “the system or asset is on the prioritized critical infrastructure list established by the Secretary under section 210E(a)(2)” {§254(a)(2)(A)(ii)}. That list is not generally available to the public, but we can assume that many of the facilities that would be included in the first requirement would also make placement on this list.

The final requirement is that the system or asset is either a component of the ‘national information infrastructure, or it relies upon that infrastructure for its ‘reliable operation’. Industrial control systems are not generally part of the ‘national information infrastructure’ (we hope) so the inclusion of an industrial control system under the coverage of this regulations required by this bill will hinge on the definition of ‘reliable operation’ which is not outlined in this bill.

Some assets like the electric grid or various pipeline systems that rely on internet communications or even telephone systems to coordinate the operations of its various components will certainly fall under the regulations required to be developed by this bill. Chemical facilities that rely on the inbound or outbound movement of chemicals via pipelines will also certainly be included.

Depending on how expansive a definition of ‘reliable operation’ the Secretary employs will determine how many other high-risk chemical facilities would be included under the cyber security regulations. Would, for example, facilities that rely on natural gas as an energy source be covered? Would the use of off-site electricity be sufficient? A positive answer to either would greatly expand the potential coverage of these regulations.

It might be interesting for Congress to consider more clearly defining what industrial control systems might be covered. As a suggestion, they might clearly state that CFATS covered facilities with release chemicals of interest as the primary source of their CFATS coverage would be included in the NCCC regulations.

Dual Regulatory Coverage

It would be hard to see how these regulations could made to apply to the control systems at all high-risk chemical facilities. Certainly none of the facilities covered under CFATS solely based upon the presence of theft/diversion COI could be included under the mass casualty provisions. So we would expect that if this bill passes that there will be at least two different types of CFATS covered facilities, those that are covered under the new cyber security regulations and those that are not.

It would be nice to see a requirement in this bill that would require the National Center for Cybersecurity and Communications (NCCC) and ISCD to coordinate their regulations of these facilities. I think it would be appropriate for the bill to specify that such dual coverage facilities would be exempt from or considered to have fulfilled the CFATS cyber security requirements under RBPS #8. One would assume that the cyber security experts at NCCC would provide more effective regulatory coverage of cyber security requirements than the limited expertise available to ISCD.

Similarly, facilities covered under MTSA that would also fall under these new regulations (many of the covered hazmat pipelines have port terminals) should have the relationship between MTSA and the NCCC regulations more clearly defined in this bill.

Another alternative would be a specific requirement that ISCD and the Coast Guard would be required to incorporate the cyber security rules developed by NCCC for control systems into their regulations for high-risk chemical facilities or MTSA covered facilities. Unfortunately, they would not be expected to have the personnel with the expertise to enforce such regulations.

Monday, February 21, 2011

The Real Cause of SSP Approval Delays

Over the last two years we have seen innumerable delays in the implementation of the CFATS programs. As I have mentioned on many occasions, this is a complex program being stood up on the fly and it goes without saying that there have been a number of under-estimations of the problems with that are associated with getting this complex program up and running.

The latest delay that we have heard about was caused by not enough information provided in the SSP submissions. It seems that just answering the questions is not enough. Now DHS wants submitters to check the ‘Other’ box where available and provide additional information via the explanatory text box or submitting separate documents. The questions did always seem to be just a little too simple; a whole bunch of them to be sure; but not very complex.

SSP Evaluation

The original idea was to have the computer answers scored by an evaluation program and then to have the data reviewed by subject matter experts to fine tune the results. According to information that I have just received that doesn’t seem to have worked out too well. There just isn’t enough differentiation available in the responses to the questions. And the added information is not in a machine reviewable format. Thus, DHS is having to rely much more on the subject matter expert review process.

Unfortunately, there is a sad lack of subject matter expertise in ISCD; it is after all a small organization that has been stood up with little thought about backing up the computer scoring system with chemical facility expertise. The way I understand it, there are three chemical engineers and one mechanical engineer with one cyber security guy to take care of the information and control systems evaluations.

Now, I want you to think about the very extensive questionnaire that is an SSP submission. Add to that the supplementary information and additional documents that ISCD is now requesting from the Tier 1 facilities (and will be requesting from all the remainder of the facilities). Think about how long it will take those five individuals to review almost 5,000 SSP submissions. A recent meeting of chemical inspectors from the Southeast Region was told that those five people would take 30 years to review the SSPs. I’ve heard a more reasonable 15 years from another source, though not too many people would think that 15 years would be a reasonable time to get the initial SSP submissions reviewed.

Contractor Solution

Now the folks in charge if NPPD and ISCD are not idiots; they know the current situation is untenable. This is why last summer some time they put out a request for bids for contractors to take over the SME review process. This is why early last fall there were number of the standard belt-way bandit organizations advertising for people with chemical facility security expertise. Review the job descriptions in those ads and it is clear what they would be working on. The contract was just about to be issued last December when it was withdrawn at the last minute.

None of my sources has been able to tell me why, but I can guess. Anyone that has been paying attention has heard Congress jumping all over DHS about the large number of contractors that the Department has been using for any number of jobs that they don’t have the head count or expertise to perform. Whether or not all of these contractors are necessary is a discussion for a venue other than this. What is certain, however, is that ISCD cannot do these SSP reviews without outside assistance.

Congressional Oversight

Once again this is a problem of underestimating the scope of the CFATS process and politics interfering with the career folks inside DHS. This may be why Under Secretary Rand Beers did not have a career professional sitting at the table next to him at the recent House Subcommittee hearing. He’s far enough removed from the problems at ISCD to not be questioned too closely about the reasons for the delays. His answers were correct as far as they went; the questions were just not deep enough.

Perhaps when the Senate Homeland Security Committee invites a DHS representative to update them on the status of CFATS they’ll invite someone with a little bit more knowledge of the details of the program. The new director (or is it acting director, it is so hard keeping track) of ISCD, Rick Driggers, was there in Orlando, FL last week when the Chemical Facility Security Inspectors were briefed on the current state of the problem; he should be able to explain to Sen. Lieberman and Sen. Collins what is really delaying the CFATS implementation process.

Or perhaps Chairman King wants to hold a full committee hearing to ask some real oversight questions instead of having people feed straight lines to opponents of IST.

HR 1 Passed in House

Late on the legislative day on Friday, which was actually early on Saturday morning, the House passed HR 1 by a roll call vote of 235-189 on a mainly party line vote. The bill was debated over four days on the floor with 583 amendments offered. Of those 162 had some formal action taken on the floor. A total of 66 amendments were passed and 59 were rejected by recorded votes. A total of nine were withdrawn by their authors and 28 were rejected by the Chair due to their violations of House Rules.

Of the twenty amendments that had something to do with DHS spending only two were considered and passed; the Pascrell (D, NJ) amendment that I discussed in an earlier blog and one submitted by Rep. Lowey (X, XX) that limits the grants under the Urban Area Security Initiative under section 2003 of the Homeland Security Act of 2002 (6 U.S.C. 604) to no more than 25 high-risk urban areas.

While the Democrats found little to like in the final bill, and none voted for it, that was due to their lack of votes, not a lack of chances to have their voices or ideas heard. They certainly have a voting record that they can take to the voters in 2012 to see if their view of this budget proposal better matched that of the voters.

The bill will go to the Senate when both the Senate and House return from their President’s Day district work session on February 28th. It is unlikely to nearly the point of impossibility that HR 1 will be approved in its current form by the Senate. In fact, there is a very good chance that it will not be brought to the floor of the Senate for consideration.

The deadline of March 4th is unlikely to be met by ultimate passage of this bill. There is a lot of finger pointing and posturing on whether or not there will be any budget action by that date. President Obama has threatened to veto HR 1 if it does reach his desk in anything close to its current form and it is unlikely that there would be enough votes in the Senate to overturn such a veto.

The one thing that is likely when Congress returns next week is that there will be lots of yelling and screaming about the FY 2011 budget. And Congress still has to consider FY 2012 spending.

BTW: The 'engrossed' version of the bill is not yet available on the GPO web site due to the Presidents Day Holiday.

S 413 Introduced – Cyber Security

Last Thursday Senators Lieberman (D, CT), Collins (R, ME) and Carper (D, DE) introduced S 413, the Cybersecurity and Internet Freedom Act of 2011. This bill would establish the Office of Cyberspace Policy (OCP) in the White House and the National Center for Cybersecurity and Communications (NCCC) in DHS. The OCP Director would have cyber security budget approval authority and the NCCC Director would have regulatory authority over cybersecurity activities within the Federal Government.

While this bill is mainly directed at “information infrastructure” there is one section in Title II that addresses cyber risks to covered critical infrastructure (§248) that very carefully never specifically limits its application to ‘information’ systems. That section requires the Director of the NCCC to “issue interim final regulations establishing risk-based security performance requirements to secure covered critical infrastructure against cyber risks through the adoption of security measures that satisfy the security performance requirements identified by the Director” {§248(b)(1)} within 270 days of passage of this bill.

Generally speaking the wording of this section looks like the crafters intend for establishment of a regulatory scheme similar in construction and operation to the CFATS regulations for high-risk chemical facilities. This nine page section of the bill certainly deserves a more detailed look in future blogs.

According to a press release on the Homeland Security and Governmental Affairs Committee web site, there “is no so-called ‘kill switch’ in our legislation because the very notion is antithetical to our goal of providing precise and targeted authorities to the President”. In fact, §2(c) specifically says that under this legislation “neither the President, the Director of the National Center for Cybersecurity and Communications, or any officer or employee of the United States Government shall have the authority to shut down the Internet”. This kill-switch issue stalled the earlier version of this bill in the last session. Hopefully this bill will now have a chance to move forward in the legislative process.

BTW: The official GPO version of this bill is not yet available. Sen. Lieberman has made a copy of the bill available via a link on the Senate Homeland Security Committee web site.

Sunday, February 20, 2011

S 372 Introduced – Cyber Security

Last week Sen. Cardin (D, MD) introduced S. 372, the Cybersecurity and Internet Safety Standards Act. It’s a high sounding title and addresses a serious potential security problem by requiring another study. I know that studies are important, but there comes a time when Congress must actually propose solutions to the problems it has identified.

If you want a sweeping description of the cyber security problem, this bill is willing to provide it. The findings section of the bill {§3(3)} notes that:

“The Government and the private sector need to work together to develop and enforce minimum voluntary or mandatory cybersecurity and Internet safety standards for users of computers to prevent terrorists, criminals, spies, and other malicious actors from compromising, disrupting, damaging, or destroying the computer networks, critical infrastructure, and key resources of the United States.”
Such a sweeping, all encompassing problem statement requires an equally sweeping study requirement. Section 4 of the legislation requires:

“The Secretary, in consultation with the Attorney General, the Secretary of Commerce, and the Director of National Intelligence, shall conduct an analysis to determine the costs and benefits of requiring providers to develop and enforce voluntary or mandatory minimum cybersecurity and Internet safety standards for users of computers to prevent terrorists, criminals, spies, and other malicious actors from compromising, disrupting, damaging, or destroying computer networks, critical infrastructure, and key resources.”
To make it perfectly clear that this is truly a sweeping study, a study to end all studies, a study to put the matter once and for all completely to rest, the bill goes on to ensure that the Secretary examines:

● “all relevant factors, including the effect that the development and enforcement of minimum voluntary or mandatory cybersecurity and Internet safety standards may have on homeland security, the global economy, innovation, individual liberty, and privacy; and” {§4(b)(1)}

● “any legal impediments that may exist to the implementation of such standards.” {§4(b)(2)}
When the Secretary files this most comprehensive report with Congress in a year, there will no longer be any reason for Congress not to be able to solve all of the cyber security ills of the world in a single piece of comprehensive, all encompassing and perfect cyber security legislation.

Please forgive the virulent sarcasm, but I am sick and tired of Congress trying to dump its inability to legislate on the Executive Branch. Let’s give this bill no additional attention and pass on to real legislation that actually does something.

BTW: The GPO web site is having some sort of problem and does not recognize the link to this and a couple of other bills. The copy of the bill I used for this review can be found on by searching for S 372.

Saturday, February 19, 2011

TSA Pipeline Threat Assessment

[SECURITY WARNING: various government agencies have warned employees and contractors that accessing limited distribution documents via open sources may be considered a violation of security policies. Keep that in mind when opening the first two links in this post.]

Yesterday the folks at posted an excerpt from the January 2011 report by TSA Office of Intelligence on their assessment of the risk of a terrorist attack on the US pipeline industry with a link to the entire document. The unclassified, for-official-use-only (FOUO) document is based, at least in part, upon open-source intelligence information collected in 2010 from January thru October. Generally speaking, TSA-OI reports “with high confidence that the terrorist threat to the U.S. pipeline industry is low” (pg 3).

A closer reading of the document shows the limitations that the intelligence analyst has to work under when preparing a threat analysis like this.

Credible Threats

First off, the report clearly states that al-Qa’ida (apparently the current rendering of the Arabic into English of the name of our best known terrorist adversary) has expressed an interest in conducting (or having someone conduct) attacks on pipeline or other energy related assets in the United States. It also notes that eco-terrorists, lone wolf attackers, and disgruntled insiders all pose a potential threat to these pipelines.

While reporting that TSA knows of potential actors that might be interested conducting terrorist attacks on pipeline interests in the United States, the report states:

“TSA-OI has no specific or credible threat information indicating that violent transnational extremist groups or domestic extremists are actively plotting [emphasis added] to conduct attacks on the U.S. pipeline industry”
The problem with that statement is that the US Intelligence community has demonstrated singularly little capability to infiltrate these extremist groups. The FBI has been able to identify and ‘assist’ a number of individuals and small groups of local wackos that have had plans to conduct a variety of attacks over the last couple of years, but we have seen no reports [even I have to use these intelligence weenie caveats] of any significant human intelligence penetration of the target organizations.

The extensive technical intelligence collection capabilities that the US developed in its post-WWI conflict with the Soviet Union (reconnaissance satellites and electroic intercept capability) have been of little use against sophisticated terrorists since 9-11. Early successes at intercepting communications were negated when politicians publicly bragged about listening in on satellite-phone conversations between al Qaeda planners.

So the ‘lack of credible threat information’ is, to my mind, not that good an indicator of terrorist intentions as many in the intelligence community would like people to believe. It is certainly a piece of information that must be included in the analysis, but it should not be the primary indicator of threat intentions.

Missing Information

The other limitation is the timeliness of this report. The publication date is January 18, 2011 yet the document notes that the intelligence reports that it uses covered the time period of January to October 2010 (to be fair the ‘Endnotes’ page lists one source with later a later date; the TSA Suspicious Activity Database, December 3rd, 2010). The time lag certainly had little to do with the process of writing this document and more with the political approval process before it could be shared with the private sector.

The early cut-off date for the intelligence makes it almost certain that the most important information about the Stuxnet malware did not have a chance to influence the brief discussion in this report about cyber security. Stuxnet was mentioned, but was passed over as being more of academic interest because it was beyond the capability of al Qaeda to use such sophisticated attack tools. Later Stuxnet reports tend to indicate that the development of Stuxnet required advanced cyber capabilities, but that subsequent use of the tools made available by that worm would be well within the capabilities of anyone that understood the physical processes being attacked. Oil and gas processing and pipeline operations are well understood by many of the engineers associated with al Qaeda.

The early cut-off date for information on worldwide attacks on pipelines also meant that there was no mention in this report of a series of attacks on remote Canadian gas pipelines from 2008-9 (almost certainly a lone wacko) and some spectacular (physically, politically and economically) attacks on oil pipelines in Mexico from the same time period, attacks attributed variously to native rebel groups, the drug cartels or a combination of the two. Both of these sets of attacks are much more relevant to a discussion of US pipeline security than the politico-economic attacks in Nigeria.

Night Dragon Impact

Of course the most important piece of intelligence information directly applicable to this report broke publicly after the publication date, so the TSA-OI people can be excused for not including it in their analysis. I’m talking, of course about the ‘Night Dragon’ report. The extensive compromise of oil and gas industry computer systems, reportedly including SCADA systems, changes the whole potential for cyber attacks on pipeline control systems by a wide variety of potential antagonists; including terrorists, criminals, foreign government agents and even commodity speculators. Hopefully TSA-OSI will issue an emergency advisory dealing with that potentiality in the not too distant future.

I have no great hopes for that; there are very few people in the intelligence community in general, and almost certainly none at TSA that would understand control system vulnerabilities. That’s not a slam against TSA or the intelligence community in general. There are not that many people in the world that really understand control system engineering and they’re making more money in industry than the government could pay.

Besides TSA deals with transportation security and everyone knows that there are no cyber control systems employed in the transportation industry; outside of pipeline control rooms, railroad positive train control (PTC) systems, the FAA, various vehicle control systems…. Hmm; maybe the TSA needs to get some control system experts too.

How Vulnerable are Pipelines?

So how good is the conclusion of this report? It feels like an underestimation of the threat to me, but don’t ask me to prove it. I’m smart enough to know that I don’t have enough information to predict the intentions of any one of a number of potential terrorist adversaries. I doubt that anyone does. And that includes the various intelligence agencies that are required to make such predictions.

During my brief stint working in tactical intelligence in the Army, I quickly had it beat into my head that predicting enemy intentions was akin to reading a crystal ball. You provided the Commander with information about enemy capabilities and described what that particular enemy had done in similar situations in the past. And you knew that the best commanders would do something unpredictable; that’s what made them good. So you kept watching, tasking people to look for specific indicators, and hoped that you didn’t miss anything.

The one major thing that is missing from this threat assessment is an analysis of potential consequences of a terrorist attack. What would happen to the economy if a major fuel pipeline pumping station were successfully attacked and destroyed? What would the consequences be if an anhydrous ammonia pipeline in the Tampa, FL area were attacked where it crossed, above ground, a river? What would happen if a natural gas pipeline control system were directed to over-pressurize long stretches of urban pipelines?

The answer to these questions would tend to put the ‘conclusion’ of this report in proper perspective. The threat may be low (I don’t think so, but it may be), but the potential consequences are high. We can’t dismiss the low threat, knowing what we don’t know about the adversary’s intentions, and knowing what the potential consequences really are.

Friday, February 18, 2011

OMB Approves PHMSA Bulk Loading Rule

Yesterday, the Office of Management and Budget (OMB), via it web site, announced that it had approved, ‘consistent with change, the Pipeline and Hazardous Material Safety Administrations NPRM (HM-247) for possible regulation of bulk hazardous material loading and unloading operations. Now we just need to wait for PHMSA to get around to making the suggested corrections and publishing the NPRM in the Federal Register.

PHMSA describes the rule this way:

“This rulemaking would request information from industry that would consider whether additional requirements governing bulk loading and unloading operations are necessary. PHMSA has reviewed transportation incident data and findings of several National Transportation Safety Board and Chemical Safety Board accident investigations involving bulk hazardous materials loading and unloading operations, which suggest there may be opportunities to enhance the safety of such operations. In particular, PHMSA is examining what, if any, safety benefits would accrue from a requirement for persons conducting bulk loading and unloading operations to develop and implement operating procedures governing these operations. PHMSA has decided to publish a proposed rule instead of a pre-rule.”
It will be interesting to see if they include any potential security actions in this rule. For example, before loading a truck or rail car, has there been an inspection done to determine if there has been any tampering done with the tank? The same kind of inspections should be done before bulk unloading as well. Additionally some sort of check needs to be done to confirm the material in the tank is what is described on the manifest.

Anyone want to bet about how long it will take PHMSA to get this rule into the Federal Register? My guess is somewhere between 2 weeks and six month.

TSA Surface Enforcement Activity

Yesterday the Transportation Security Administration published a notice in the Federal Register regarding the summary of their 2010 enforcement activity for surface transportation requirements. In a twisted sense of bureaucratic efficiency, the Federal Register notice does not include the actual summary, it just notes that it is available at under docket number TSA-2009-0024.

Downloading the two page summary document one can see that the TSA Surface Inspectors noted violations in 16 different enforcement actions during 2010. Those violations fall into five categories:

• Railcar chain of custody {49 CFR 1580.107}, twelve instances

• Failure to allow TSA inspection {49 CFR 1580.5}, two instances

• Railcar security {49 CFR 1580.107(f)}, one instance

• Reporting security concern {49 CFR 1580.105}, one instance

• Use of another’s TWIC {49 CFR 1570.7}, one instance
The penalties assessed for these violations range from ‘counseling’, through a ‘warning notice’, to a ‘letter of correction’. No monetary penalties were assessed even though TSA has been given authority {49 U.S.C. 114(v)} “to impose civil penalties of up to $10,000 per violation of any surface transportation requirement under 49 U.S.C. or any requirement related to transportation worker identification credentials (TWIC) under 46 U.S.C. chapter 701” (76 FR 9358).

Security requirements obviously preclude TSA from providing more details about the specific violations. It would be more instructive, however, if TSA were to describe, for instance, what constituted a ‘railcar chain of custody’ violation in each instance. The provisions of §1580.107 cover a wide range of requirements for a variety of rail car transfers including shipper to rail road, rail road to rail road, and rail road to receiver. It would be interesting to see which type of transfer had the most problems

One would like to assume that enforcement activities were consistent enough that we could assume that there was some difference in the severity of the violations that drew these different sanction levels. We would be able to see if this were true if we had a better idea of the actual violations were.

Since 2010 was the first full year of enforcement activities under §1580, I understand why TSA would not have assessed a monetary penalty for technical violations of this relatively new regulation. Of course, that is only true if outreach efforts were being made to educate the industry in how TSA inspectors are looking at the regulations. That really only happens if more information is included in communications like this.

None of the above comments about enforcement activities applies to the TWIC violation noted in the summary. The whole point of the TWIC regulations are that the card provides an assurance that people be given access to port facilities have been appropriately vetted. If someone is using someone else’s card that assurance disappears. This program has been in place for a long enough period that there is no justification for not penalizing violations. If TSA is not willing to assess some monetary penalty (the full $10,000 is probably inappropriate) for violations of this basic requirement, there is no sense in continuing to maintain this expensive system.

Thursday, February 17, 2011

Bundled Software Issues

Earlier today I did a blog post on the updated advisory for the multiple vulnerabilities for the ClearSCADA software package. The update was necessary, not because of a change in knowledge about the vulnerability or its mitigation, but because ICS-CERT became aware that the ClearSCADA software had been bundled into another ICS package, extending the vulnerabilities to a new system. This raises a whole host of potential issues that need to be addressed in the ICS security community.

Identifying Bundled Software

Back in the good-ole days software was not complex; a program did only one thing; data processing. The first program that I wrote (okay I was part of a six kid programming team) was in 1964 and we wrote a program to print out the ‘n’ powers of 2 in decimal and binary notation from n = 0 to 100. We watched the code being punched into the cards, the code compiled in a card reader and then run on a huge computer two rooms distant from where we pushed our noses up against the glass.

I learned about running routines when I progressed to Basic, calling sub-routines in Fortran and then using libraries in C++. That was the last of my programming and the world has changed much in the decade and a half since then. Now systems engineers, particularly in control systems, bundle a number of different programs together, each one doing a different job, or handling a different piece of equipment or interface with another system. The larger companies use mainly their own software, smaller companies buy programs from what ever provider gives them the best price. The pieces of the equipment are wired together and the software is virtually connected to every other piece of software in the system. From that point forward the users and owners are unlikely to know who supplied what part of the bundle; most won’t even know there is a bundle.

This system obviously works pretty well because most people don’t even realize that it is there. Unfortunately, when one piece of the bundle is susceptible to an attack because of an internal vulnerability, it most likely makes the entire bundle potentially subject to that attack. When a software developer writes a patch for a piece of software it is unlikely to address downstream issues or connectivity issues driven by the vulnerability.

So for example when the Serck realized that one of the components of their bundled SCX software (ClearSCADA) had an identified vulnerability, they could not just tell their customers to download the patch for that component. While it might still mitigate the vulnerability, ClearSCADA would have no way of knowing how that update might affect the remaining elements of the bundle. So Serck had to take the ClearSCADA patch, apply it to their bundle and ensure that it didn’t cause any problems for the system. They also may have had to make modifications to make it (or their system) compatible with the newly patched bundle.

Who’s Responsible for Updating the Bundle?

In this case someone obviously stepped forward and notified ICS-CERT that Serck bundled ClearSCADA in their SCX package. It could have been Control Microsystems (ClearSCADA), knowing that they sold ClearSCADA to Serck. It could have been Serck once they became aware of the ClearSCADA vulnerability. It could have been the third party security researcher who identified the ClearSCADA vulnerability. Or it could even have been ICS-CERT that became aware of the interconnection and shared vulnerability. The updated advisory doesn’t tell us.

In this instance whom ever did the notification, the system apparently worked and fairly quickly at that. The original advisory was published on February 1st and this one just barely more than 2 weeks later; and with a working patch. Halleluiah, the System Works.

Or does it? How many other control systems include ClearSCADA in their software bundle? How many SCADA components that have been identified in the last six months as having identified vulnerabilities are included in bundles that have not been updated?

So the question is, who is responsible for initiating the chain of events that ends up with all bundled software being updated whenever a component vulnerability is identified and patched? Right now no one really is required to initiate that notification. So, who should be?

The easy answer is that the company with the initial vulnerability should be required to ‘push’ the information to all customers that use that software/equipment. That is what the automotive recall procedure attempts to do for car defects. Unfortunately, there is no legislation or rule that mandates a similar recall procedure for ICS systems. Perhaps that ought to be considered in any ICS cyber security legislation. At the same time it could make ICS-CERT the legal clearing house for the vulnerability information.

ICS-CERT Updated ClearSCADA Advisory

This morning the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) updated their vulnerability advisory on ClearSCADA Software. I described the earlier advisory in an earlier blog. There are no new vulnerabilities disclosed in this update. Interestingly ICS-CERT has expanded the systems affected to include SCX (from Serck UK or Serck Aus) software because Serck bundles ClearSCADA in their product.

Owners of SCX Version 67 R4.5 or SCX Version 68 R3.9 (or older versions) need to update their software. No web site for the needed download exists. Owners need to directly contact the nearest Serck office to obtain the appropriate downloads. The nearest office can be found via:

HR 1 Floor Amendments Analyzed

Well I’ve now had a chance to go back and look at all 583 potential amendments to HR 1 that were published in the Congressional Record for February 14th and February 15th. Of the 583 only 20 deal specifically with DHS related expenditures and some of those are duplicates or corrections of earlier submitted amendments. None of the amendments deals with the amounts that would be appropriated for the National Protective Programs Directorate (NPPD) so ISCD and CFATS would be unaffected.

TSA does get targeted by a number of these amendments, though none specifically target the Surface Transportation side of the agency; those parts that would affect pipeline, rail or truck security. There are a couple of amendments that would target staffing levels at TSA HQ and Regional Offices [Mica (R, FL) – 440 and Mica – 543].

Substitute Amendment

There is one amendment [LaTourette (R, OH) – 540] that is a complete re-write of the HR 1, essentially an ‘amendment in the form of a substitute’. This would be a much shorter bill (less than two pages in the Congressional Record) and would use FY 2010 as the base year for calculating expenditures. Adjustments to those expenditures would range from 69.18% (Dept of Agriculture) to 101.30 (Dept of Defense). DHS would fall on the high side, receiving 95.25% of their FY 2010 authorization. The shortened amendment continues essentially all programs requiring periodic reauthorization in a general provision (§104) but provides specific authorization for the §550 CFATS authorization (§116) until September 30, 2011.

Amendments Processed to Date

The debate and voting continue in the House today but as of 3:45 this morning (when the House adjourned to get some well needed rest) they had dealt with, in one way or another 66 of the 583 amendments. It will be interesting to see how much longer they can continue on the present pace of operations. The table below provides a summary of the actions to date.
Action                  2-15-11             2-16-11

Agreed to                 2                       10

Rejected                   6                       15

Withdrawn                1                         2

Points of Order         4                       13

Postponed              15                       13


1. ‘Points of Order’ are amendments that the Chair of the Committee of the Whole has agreed (sustained) with a member’s opinion that the presented amendment violated one or more of the House rules for processing amendments.

2. ‘Postponed’ are amendments where a vote was ‘demanded’ by a member. They group these votes so that members don’t have to keep running back and forth to the floor of the House.
DHS Amendment Passed

As of the end of yesterday’s session only one of the 20 amendments that addresses DHS issues has been considered. It was Pascrell (D, NJ) Amendment #223. It was agreed to (Recorded vote - 318 to 113). It increased funding for Firefighter Assistance Grants by $510 Million, while reducing DHS S&T spending by the same amount.

Night Dragon Analysis

Last week I wrote about the Night Dragon vulnerability report put out by DHS ICS-CERT. I did a fairly straight forward report on the ICS-CERT report, though I did note that I surprised at how simple the attack processes were. Yesterday Andrew Ginter at the Control System Security blog did a much more extensive analysis of the importance of this attack.

I want you to pay particular attention to one specific point that Andrew made. He wrote:

“The McAfee report doesn't say it outright, but it seems very likely that this same adversary could have taken over and sabotaged the physical processes behind the control systems they compromised, if they had been given that objective. The team had remote control of all the control system assets they compromised, and a remote-control tool on a computer with HMI capabilities gives the attacker control of the physical process through the HMI [human machine interface].”
That combined with the point that Andrew and I both made that this was not a sophisticated attack should cause a lot of people to be very disturbed. Stuxnet was a complex attack tool that cost a lot of money and expertise to develop. It is unlikely that criminals or terrorists could be expected to develop attacks that sophisticated. Since most facilities are not going to run afoul of State level agencies, they are at little risk of being attacked by such high-level original programs.

What Night Dragon is so effective at pointing out is that it does not require Stuxnet-level sophistication to execute an attack on a control system. There are a whole host of less sophisticated attack tools that are readily available that can be used for a Night Dragon like attack. Many of these tools are available for free download, others are for sale. More importantly there are a wide variety of people out there who are very skilled in the use of these tools who are more than willing to sell or rent their skills and expertise in this field.

Fortunately, defending against these types of attacks is also well understood. Andrew, who is in the business of defending cyber control systems, points out the basic techniques:

• “Look seriously at whitelisting/application control/HIPS protections,

• “Increase network segmentation,

• “Strengthen firewall rules, reducing the number and scope of connections,

• “Reduce the number and scope of VPN connections,

• “Install anomaly-based host and network intrusion detection systems,

• “Consider multi-factor authentication to reduce the impact of stolen or cracked passwords, and

• “Consider isolating the most critical parts of your control systems entirely with unidirectional diodes/gateways.”
ICS-CERT has an entire publication dealing with the basic security techniques designed to deal with this type of attack; Control System Security Program (CSSP) Recommended Practices.

Another important component of protecting against this common level of attack is training. So much of cyber security depends on computer users being aware of the potential types of attacks, actively watching their systems, including emails, for evidence of these attacks and taking the appropriate response.

The McAffee paper made it clear that a key tool in executing these types of attacks is phishing and spear phishing. Finding the weak link in a company security system can allow for operation behind many of the security defenses. Insuring that all computer users are adequately trained to do their part in the defending sensitive computer systems is a key part of any cyber security system. Particular attention needs to be paid to any computer user that has routine remote access to the corporate or ICS networks.

While we have been justifiably concerned with advanced attack techniques like Stuxnet, Night Dragon reminds us that more common attacks still have the potential to provide a route into our control systems.

Wednesday, February 16, 2011

S 301 Introduce – PTC Revisions

Back on February 8th, Sen. Hutchison (R, TX) introduced S 301, a bill that would make “technical and minor modifications to the positive train control requirements under chapter 201”. This bill, with its ‘minor modifications’ could have serious implications for the profitability of railroads and routing decisions Class 1 railroad make for toxic inhalation hazard chemicals.


I looked at the TIH-PTC issue in a blog posting almost two years ago for the NPRM for the PTC rule. One of the key components of the PTC rule is that Class I railroads need to install this expensive safety equipment on lines with significant TIH shipping traffic. There has been some concern expressed that TIH routings would be changed to reduce the number of track miles that would have to be equipped with PTC equipment, routing changes that would disregard other safety and security considerations.

Congress dealt with this concern in their legislation mandating PTC installation by setting the route determinations as those that were in place in 2008. If TIH cars were shipped on rail lines then, those lines would have to have PTC installed. There were provisions requiring new TIH lines added to the PTC requirement, but no provisions were made for not including 2008 TIH lines that no longer had such shipments because of safety/security rerouting decisions ‘mandated’ (suggested would probably be a better term) by TSA.

When the PTC NPRM was published the rail industry objected to the 2008 cut-off, noting that they would be required to ‘waste’ money installing PTC on lines where it wasn’t really required. The FRA response in the final rule preamble was essentially that there hands had been tied by Congress; they were the ones that set the 2008 rule.

S 301 Provisions

Sen. Hutchison’s bill would address that issue by setting December 31st, 2015 as the date which would be used to determine which lines would have to be updated to PTC standards; this is the date by which the railroads would have to have their PTC systems installed. The amount of wording changed (this is only a two page bill – which may explain why it took the GPO so long to get it posted to their web site – minor sarcasm alert) may qualify as a minor change, but the cost and safety implications are anything but minor.

Practical Effects of this Bill

The railroads certainly have financial justification for not wanting to install any more of the PTC equipment than they have to. Congress agreed with this concern by limiting the application of PTC to the most potentially dangerous stretches of the Class I railroad lines. One of the key metrics used by Congress in establishing that potential danger was the presence of TIH shipments; Congress clearly decided that PTC was not cost effective enough to be placed on all rail lines. From the political point of view, given that earlier decision, this bill makes good sense.

From the point of view of safety and security we have to remember that most major rail lines historically run through major urban areas, particularly west of the Appalachians. The reason is that cities grew up around the railroads and the major rail yards. To go around these urban areas, then, requires traveling extra miles. The added cost for installing PTC systems on those added miles will be quite high. So railroads would prefer to PTC the shorter routes.

What this means is that the routes through cities become favored routes for shipping TIH chemicals. This is exactly the opposite of what many safety and security advocates have been fighting for. Keeping TIH rail cars out of major urban areas significantly reduces the risk of accident or terrorist attack.

If we had real security routing rules for TIH chemicals this bill would be of little consequence to safety or security. The security rules would dictate the TIH routing decisions and this bill would allow railroads to save money by not installing ‘wasted’ PTC equipment on lines without significant TIH shipments.

Unfortunately, the security rule is so weak as to be only a paper drill. It is not a serious impediment to any TIH routing the railroads would make for whatever reason. In that situation the effects of this bill will be to drive more TIH shipments over the shorter mileage routes through major urban areas.

HR 1 Floor Debate

Well, the Republican leadership in the House has kept their promise and is allowing an open debate and amendment process in their consideration of HR 1, the bill that will provide for funding the Federal government for the remainder of FY 2011. The resolution providing for that debate, H. Res 92, allows any member to propose amendments to the bill and insures that those amendments will be debated and voted upon by the Committee of the Whole House. The only restriction is that they must be published in the Congressional Record on February 14th or February 15th.

There were 403 amendments published in the Congressional Record for the 14th. There were a number of duplicative amendments and I’m sure that most will not actually be brought to the floor by the submitting representative. Even so this process will be a time consuming process as can be seen by the late debate last night.

Another interesting thing about this process, given the rules of this session of the House, is that for any increase in funding for one program must be offset by a decrease in spending on another. It makes for some interesting amendments. You see things like [from amendment #227 by Mr. Goodlatte (R, VA)] :

“Page 252, line 15, after the first dollar amount, insert ‘(reduced by $5,000,000)’.
“Page 359, line 11, after the dollar amount, insert ‘(increased by $5,000,000)’.”
In the February 14th list of amendments I counted six that would modify the DHS portion of the bill. I haven’t had a chance to look at them in enough detail to see if any would specifically address chemical security issues. It will take some time to get through all of this. Watch this space.

Tuesday, February 15, 2011

Chemical Sector Training and Resources Page Update

Today, the DHS Chemical Sector-Specific Agency (SSA) updated their Chemical Sector Training and Resources web page. They updated the availability dates of some previously announced live training courses, canceled one such date, and announced a new training program.

Scheduled Training Dates

There are two training programs listed on the page where there are live training classes held at various locations around the county. These programs are

● Chemical Sector Explosive Threat Awareness Training Program (CSETAT); a course for chemical facility security officers to increase sector awareness of IEDs and VBIEDs; and

● Security Seminar & Exercise Series for Chemical Industry Stakeholders; a program designed to foster communication between facilities and their local emergency response teams by encouraging representatives to share their insight.
The following dates were added for CSETAT training sites that previously listed the dates as “TBD”

● Orlando, Fla. (3/10);
● Cedar Rapids, Iowa (6/17);
One previously ‘TBD’ Security Exercise was canceled (Columbus, OH) and a date is now listed for the exercise at Ponce, PR (4/26).

New Security Awareness Training Program

The updated page lists a new security awareness training program that is part of the Department’s "If You See Something, Say Something" campaign. The program is the Surveillance Detection Awareness – Discussion Resources Kit. It provides resources on a CD that would allow a facility to conduct their own training on counter-surveillance operations.

Contact Information

There are no links on this web page for any of these programs. To get more information on them you have to send an email requesting that information to:

BTW: Last week ISCD updated their Chemical Security web page to update the verbiage associated with the link to this page. They added the following note:
“Voluntary use of the tools and resources does not ensure CFATS compliance.”
In other words security training required under CFATS is more than just using these free training programs. Risk-Based Performance Standard #11 addresses this issue. The training programs on this recently updated page will help a facility meet some of their training needs, but they will probably not be sufficient by themselves.

EPA to Update Two ICRs

Yesterday, the Environmental Protection Agency published two information collection request renewal (ICR) notices in the Federal Register. These current ICRs deal with chemical inventory reporting requirements under two community-right-to-know rules and the filing of vulnerability assessments and emergency response plans for water treatment facilities. The current Office of Management and Budget (OMB) approval for these ICRs will expire in the near future

Community RTK

The chemical inventory reporting requirement ICR (OMB Control No. 2050-0072) notice is the initial 60-day renewal notice for the requirements under sections 311 and 312 of the Emergency Planning and Community Right-to-Know Act (EPCRA). There is no change in the current reporting requirements and the only change in this ICR submission may be the number of facilities covered; that may be revised based on then currently available information when the ICR is actually submitted to the OMB for approval.

Public comments on this ICR are being solicited by EPA. Comments may be filed through the Federal eRulemaking Portal (, Docket # EPA-HQ-SFUND-2004-0006). Comments need to be submitted before April 15, 2011.

Water Facility SVAs

The community water systems security reporting requirements ICR (OMB Control No. 2040-0253) notice is the follow-up 30-day notice for the requirements under Title IV of the Public Health Security and Bioterrorism Preparedness and Response Act of 2002. The 60-day notice was submitted last year on August 25, 2010 (75 FR 52326) and no public comments were submitted.

Public comments on this ICR are being solicited by EPA. Comments may be filed through the Federal eRulemaking Portal (, Docket # EPA-HQ-OW-2003-0013). Comments need to be submitted before March 16, 2011.

There is an interesting anomaly associated with this ICR notice. The notice reports (76 FR 8362) that the expected number of respondents to be just 80 Community Water Systems. Now there are certainly more than 80 such systems that serve more than 3,300 people, so why this low number? The answer is that this is a one-time requirement. Congress made no provisions for EPA to require periodic or significant change in system reporting updates. It’s comforting to know that water facility security requirements are so static (SARCASM Warning).

DHS FY 2012 Budget Message

Yesterday the Office of Management and Budget web site posted the President’s Budget Message including the report on the FY 2012 DHS Budget Request. This is really more of a political justification for the budget request than the actual proposed spending numbers. The actual numbers will be provided to Congress later this week. Overall spending request for DHS ($46.9 Billion) is up from the actually approved FY 2010 budget ($44.5 Billion), but down from the FY 2011 ‘estimate’ ($48.1 Billion) but no real numbers are available for FY 2011 since Congress has yet to finalize that budget.

This six-page document only provides high-level numbers so we can’t see the affect the President’s budget request would have (if Congress actually passes it) on chemical security programs. We can see decreases in TSA spending ($5.1 Billion requested; down from $5.5 Billion), and NPPD spending ($1.43 Billion requested; down from $1.44 Billion). Coast Guard discretionary spending will increase ($8.7 Billion requested, up from $8.6 Billion).

Interestingly, the only mention of critical infrastructure protection in this document is when it mentions the Comprehensive National Cyber Security Initiative and it only addresses “the vital missions of preventing terrorism and enhancing security” in passing in the opening paragraph (pg 87).

Oh, well. We’ll continue to watch the unfolding budget debates; both the FY 2011 and FY 2012 budgets. This is going to be a lovely season for blogging.

Monday, February 14, 2011

Chemical Facility Security Hearing

Last Friday the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Homeland Security Committee held a hearing looking at the CFATS program. Under Secretary Rand Beers provided an update on the implementation process and three private sector witnesses addressed the issue of inherently safer technology as it relates to CFATS.

CFATS Update

In his written testimony Beers gave a fairly detailed report on the progress of the CFATS implementation process. Here is a quick look at some of the numbers that he reported:

>39,000 Top Screen submissions
>7,000 Preliminary high-risk designations
4,755 Current high-risk facilities
4,094 Current final high-risk designations
>4,000 SSP/ASP submissions
>175 Pre-Authorization Inspections
65 Administrative Orders issued
In his initial oral presentation to the sub-committee Sec. Beers provided the following additional numbers

9 Letters of Authorization issued
4 Authorization Inspections completed
0 Facilities with fully approved SSP
1246 Facilities removed all COI from site
584 Reduced COI inventories below STQ
There is no explanation in his written testimony about why there has been this unexpected delay in completing the SSP approval process. In fact, there is no specific indication in that document that there has been a delay. In response to questioning by Chairman Lungren (R, CA), Beers acknowledged the delay, but provided no detailed explanation for the reason beyond blaming ‘inadequate submissions for SSPs’. He was not pressed to explain why all SSP submissions reviewed to date have been inadequate.

One new CFATS related program was reported in the DHS written testimony, the “CFATS-Share” program. It isn’t that new, having been initiated in May 2010, but this newly-reported on-line tool is an information sharing portal that provides “interested state Homeland Security Advisors, DHS Protective Security Advisors, and fusion centers access to detailed CFATS facility information as needed” (pg 6).

Inherently Safer Technology

The Obama Administration has long asserted its support for including some form of inherently safer technology (IST) mandate in the CFATS program. This was reiterated in the Beers written testimony with the following list of their “policy principals” with regards to IST (pg 9):

o The Administration supports consistency of IST approaches for facilities regardless of sector.

o The Administration believes that all high-risk chemical facilities, Tiers 1-4, should assess IST methods and report the assessment in the facilities’ SSPs.

o Further, the appropriate regulatory entity should have the authority to require facilities posing the highest degree of risk (Tiers 1 and 2) to implement IST method(s) if such methods demonstrably enhance overall security, are determined to be feasible, and, in the case of water sector facilities, consider public health and environmental requirements.

o For Tier 3 and 4 facilities, the appropriate regulatory entity should review the IST assessment contained in the SSP. The entity should be authorized to provide recommendations on implementing IST, but it would not have the authority to require facilities to implement the IST methods.

o The Administration believes that flexibility and staggered implementation would be required in implementing this new IST policy.
Not surprisingly, Chairman Lungren clearly expressed his opposition to any IST mandate being included in CFATS reauthorization legislation. This is a policy shared by the full committee chair, Rep. King (R, NY). With that powerful opposition in place it was more than a little surprising that the main focus of the oral testimony focused on IST. Having said that, the deck was stacked favoring the Chairman’s point of view (not surprising since he is the Chairman).

The industry representative, Timothy J. Scott (from DOW and representing ACC) clearly expressed his opposition to any IST consideration or implementation mandate being included in the CFATS process. Dr. M. Sam Mannan, (Director, Mary Kay O’Connor Process Safety Center) provided technical support for the anti-IST position noting that there is no clear definition of, or metric for, IST that would allow for including such a mandate in the program.

The only public witness supporting an IST mandate, albeit indirectly, was George Hawkins, the General Manager of the Washington, DC water utility. This utility is one of the pro-IST exemplars, removing chlorine gas and sulfur dioxide from their water treatment process largely as a response to the perceived threat from release of those two chemicals. Even his support, however, fell into the category of ‘damning with faint praise’. His testimony noted the high capital cost and increased on-going chemical costs necessary to make his facility safer.

He also provided the best anti-IST argument for water treatment facilities in his response to questioning by Rep. Long (R, MO). He noted that his utility would follow whatever regulations imposed by the government, but noted that increased costs would inevitably further reduce the money he can spend on maintaining his deteriorating piping system, a common problem for these utilities. Of course, this same argument can be used to justify failing to upgrade the currently inadequate security requirements imposed upon utilities.

CFATS Reauthorization

The underlying theme for this hearing was one that everyone apparently supported; the need to permanently authorize the CFATS program. Of course, that is the generic policy. The details of what would be included in such authorization legislation are where there will be significant disagreement. Chairman Lungren made clear his opposition to including an IST mandate while Ranking Member Clarke (D, NY) made equally clear her desire to see an IST mandate included.

Other issues are apparently still open for discussion. Lungren maintained that he is ‘an agnostic’ on the issue of removing the water system CFATS exemption. He explained that the current exemption was added to make the chemical security legislation easier to get through House Committee system. Under questioning by Rep. Richardson (D, CA) he mentioned that he could probably support adding whistleblower protections, depending on how they were worded.

It will be interesting to see how the legislative process proceeds in this session of Congress. Will the various sides of the debate be able to craft legislation that will make it through both the Republican dominated House and the barely controlled Democratic Senate? We’ll just have to see.

Sunday, February 13, 2011

HR 1 Introduced – Continuing Resolution

On Friday Rep. Boehner (R, OH) and Rep. Rogers (R, KY) introduced HR 1, the Full-Year Continuing Appropriations for Fiscal Year 2011 (actually only the title for Division B of the bill). Division B is intended to serve as the vehicle for the continued funding of the Federal government after the current Continuing Resolution expires on March 4th.

Chemical Security Provisions

There are lots of things going on in this bill and political pundits will have lots to say about a lot of those provisions. In this blog post (at least) I will try to focus on those provisions of specific interest to the chemical security provisions.

First and perhaps foremost is that §1116 will extend the §550 authorization for the CFATS program until September 31, 2011. This is a slightly different provision than we have seen in the past that provided an October 4th date for the termination of authorization. It is a purely technical difference since these extensions have been based in the DHS budget which practically speaking means the end of the fiscal year is the ‘real’ expiration.

Now for the money; this bill (§1624) would authorize the annual spending level for “Department of Homeland Security, National Protection and Programs Directorate, Infrastructure Protection and Information Security” (the agency that includes ISCD/CFATS and CERT) would be set at $805,965,000. [FY 2011 Request - $865,965,000; FY 2010 Authorized - $899,416,000]. There is no indication in the bill where the in NPPD the actual spending would be cut. We will have to wait to see the Appropriations Committee report on this bill to get some sort of idea.

Similarly the bill (§1615) would reduce funds for “Department of Homeland Security, Transportation Security Administration, Surface Transportation Security” to $105,961,000 [FY 2011 Request - $137,558,000; FY 2010 Authorized - $110,516,000]. Again, there are no details of where those cuts would be applied.

Politics and HR 1

I can’t imagine any Democrats in the House voting for this bill, and I imagine that there will be some Republican defections on the final vote. Will those defections be enough to kill this bill in the House? Probably not.

What will be interesting in the House is how much this bill will be subject to amendment. That will be determined in tomorrow evenings Rules Committee Hearing. On one hand the Republicans have promised more open rules, on the other hand there is an approaching deadline of March 4th for some sort of action.

An entirely different reality faces this bill in the Senate. The Chairman of the Senate Appropriations Committee, Sen. Inouye (D, HI) has essentially declared this bill dead in the Senate. In an official press release he explains:

“It is clear from this proposal that House Republicans are committed to pursuing an ineffective approach to deficit reduction that attempts to balance the budget on the back of domestic discretionary investments, which constitute only a small percentage of overall federal spending.”
Sen. Reid (D, NV) has been quoted as saying:

“Although Democrats have repeatedly urged them to join us in responsibly cutting waste and excess, Republicans have taken a meat ax to the initiatives that invest in our economy and create jobs for the sake of appeasing their base.”
I would like to assume that the Republicans will cast a symbolic vote (ala healthcare) on HR 1 and then get down to some serious negotiations on a bill that is marginally acceptable to mainstream Republicans and Democrats. I’m hopeful that the talk of shutting the government down over this budget is just so much noise.

If the CR Stalls – Whither CFATS?

If the two sides fail to make a reasonable deal and no budget bill or continuing resolution passes by midnight on March 4th, what happens to CFATS? Well that answer is simple, along with most of the rest of the Federal government, it shuts down. When (no ‘ifs’ about it) a budget bill is finally passed it will contain a provision essentially the same as §1116 of HR 1, and CFATS will continue on until the next budget bill or someone finally gets around to passing a ‘permanent’ or ‘long-term’ reauthorization bill.

Saturday, February 12, 2011

Congressional Hearings Week of 02-14-11

There are currently three hearings scheduled that will be of potential interest to the chemical security community. All three hearings deal with budget matters, one for FY 2011 and two for FY 2012

FY 2011 New Continuing Resolution

Readers should remember that the current funding authorization for FY 2011 (which started on October 1st, 2010) ends on March 4, 2011; just a few short weeks away. On Friday HR 1 was introduced and it will be the vehicle for the first shot at a continuing resolution for the remainder of the fiscal year. I should have a post tomorrow evening sometime about the chemical security details (if any). Here we just need to know that the House Rules Committee will be holding their hearing on this bill on Monday, the 14th at 5:00 pm EST.

FY 2012 DHS Budget

On Thursday the 17th both Homeland Security Committees will be visited by Sec. Napolitano who will be explaining the President’s budget request for DHS in FY 2012. The House committee will be starting off at 10:00 a.m. EST with the Senate hearing in the afternoon at 2:30 pm EST.
/* Use this with templates/template-twocol.html */