Wednesday, August 31, 2011

Active Shooter Training

Yesterday the DHS Office of Infrastructure Protection updated their Critical Infrastructure Learning Series web page by adding information about an upcoming Active Shooter Awareness Virtual Roundtable. This web-based program will take place on September 27th, 2011, from 2:00 to 3:30 pm EDT.

An active shooter is a person who comes into a facility and starts shooting at people. Historically in the United States this is not a terrorist (someone out to further a political agenda using violence), but is usually someone with a personal connection to the facility who is taking violent action to ‘address’ a personal problem with the people or organizations located at the facility.

These situations are typically very chaotic and there may be no apparent reason for the shooter’s target selection. “To help you prepare for the possibility of an active shooter incident, the Active Shooter Awareness Virtual Roundtable will raise awareness of common triggers and characteristics of active shooters and help you understand how to prepare for potential incidents.”

According to the web page this “free, online interactive roundtable will include video, commentary by behavioral and security experts, and a question-and-answer session”. It will “better prepare you to deal with an active shooter situation and to recognize dangerous behavior before it turns deadly”.

You can register for, and log into, the Roundtable via the Visual Webcaster page. Additional information can be obtained by email;

NOTE: This is not designed to address the peculiar situations of an active shooter in a chemical production area. This is a general industry course and would cover situations in the office areas of a chemical facility. The Chemical Sector-Specific Agency has produced a booklet, Chemical Facility Security: Best Practices Guide for an Active Shooter Incident, that addresses some of these chemical facility issues. It can be obtained from the Chemical SSA;

NTSB Cites 4 SCADA Related Findings in San Bruno Disaster

Yesterday the National Transportation Safety Board (NTSB) held a public meeting about the results of their investigation of the 2010 San Bruno, CA pipeline explosion/fire. At the same time their web site posted a synopsis of the yet-to-be-officially-released report on the investigation. That synopsis lists 28 separate findings that resulted from their investigation, four of which specifically address SCADA-related issues. Those findings are:

• PG&E lacked detailed and comprehensive procedures for responding to a large-scale emergency such as a transmission line break, including a defined command structure that clearly assigns a single point of leadership and allocates specific duties to supervisory control and data acquisition staff and other involved employees.

• PG&E's supervisory control and data acquisition system limitations contributed to the delay in recognizing that there had been a transmission line break and quickly pinpointing its location.

• The 95 minutes that PG&E took to stop the flow of gas by isolating the rupture site was excessive.

• Use of automatic shutoff valves or remote control valves along the entire length of Line 132 would have significantly reduced the amount of time taken to stop the flow of gas and to isolate the rupture.

Additionally, three of the 12 recommendations that the NTSB is making to the Pipeline and Hazardous Material Safety Administration (PHMSA) deal with control systems. Those recommendations are:

• Require operators of natural gas transmission and distribution pipelines and hazardous liquid pipelines to ensure that their control room operators immediately and directly notify the 911 emergency call center(s) for the communities and jurisdictions in which those pipelines are located when a possible rupture of any pipeline is indicated. [Supersedes Recommendation P-11-2]

• Require that all operators of natural gas transmission and distribution pipelines equip their supervisory control and data acquisition systems with tools to assist in recognizing and pinpointing the location of leaks, including line breaks; such tools could include a real-time leak detection system and appropriately spaced flow and pressure transmitters along covered transmission lines.

• Amend Title 49 Code of Federal Regulations 192.935(c) to directly require that automatic shutoff valves or remote control valves in high consequence areas and in class 3 and 4 locations be installed and spaced at intervals that consider the factors listed in that regulation.

Additional information on the rationale and reasons for these findings and assessments will be available when the full final report is published in the coming weeks.

Gas Bombs

It appears that the folks at are back functioning again and have recently published another interesting intelligence document, this one from the Maryland Coordination and Analysis Center. The Maryland Fusion Center produced this ‘Officer Awareness Bulletin’ on Trash Bag (Balloon) Bombs last May; the document is marked ‘Unclassified/For Official Use Only’.

Security Warning: Government employees and contractors; under the Obama Administration’s WikiLeaks doctrine, you may be subject to disciplinary action up to and including dismissal if you are caught reading the FOUO document without specific authorization.

The Bulletin describes the use of trash bags filled with a lighter-than-air flammable gas as an improvised explosive device. They note that acetylene is a commonly used gas for these IEDs. Its wide flammability range and ease of ignition make it more effective than the other commonly available flammable gas, propane. Acetylene gas bag bombs can self-ignite due to static electric accumulation and discharge while propane bombs would typically require some sort of flame producing detonator. Note: self-igniting bombs are very difficult to control.

The Bulletin reports two specific instances where these devices have detonated, producing personal injuries and relatively minor property damage. It notes that these were described on-line as early as 1985 (okay, ‘on-line’ is a stretch, my term not the Fusion Center’s) in the hacker e-zine Phrack. I actually played with a couple of these ‘devices’ in the early ’70s so this is not something really new.

Because of the small amount of explosives that can be ‘packed’ into these ‘devices’ (trash bags are not really pressure vessels), these are not very effective IEDs except in confined spaces where the overpressure effects can be maximized. It is difficult to attach anti-personnel projectiles to these balloons; it doesn’t take much to weigh them down and trash bags are very easy to tear. In short, these IEDs are not very effective weapons. I will give the Maryland Fusion Center credit; the Bulletin does not overhype the potential dangers of these devices.

Because there are a number of YouTube® videos showing these things making impressive looking explosions; lots of noise and flash; law enforcement types certainly need to know about the potential dangers associated with these devices. From a security perspective I suppose that these things could be used as distractive devices or even as initiators of secondary fires and explosions in flammable environments, but the difficulty in timing the detonation greatly reduces their potential effectiveness in these applications. If someone has access to appropriate detonators there are much more effective IED explosives readily available.

Tuesday, August 30, 2011

Certain Dangerous Cargo Security

Back in July I did a post about two public meetings that the Coast Guard was scheduling to discuss their development of a strategy for the protection of Certain Dangerous Cargo (CDC) chemicals in the maritime environment. I was not able to watch either of the public meetings (web cast though they were; good job Coasties), but fortunately John C.W. Bennett over at the Maritime Transportation Security News and Views was. He has one of his typically detailed reports on the second of the two meetings in a recent post on his blog; well worth the read if you have any maritime exposure to these chemicals.

Prevention vs Mitigation

In any sort of risk reduction process there are two complementary approaches that can be taken: reducing the probability that the negative consequence event will happen (prevention) and reducing the negative consequences of the event if it does happen (mitigation). According to John, the Coast Guard addressed this dichotomy in their meetings:

“An interesting comment, to me at least, was the suggestion that if an area was good at consequence management, it might not need to devote as much effort to prevention (and vice versa). This is a logical implication of the Risk Assessment Equation, Risk = Threat X Vulnerability X Consequence, but it isn’t usually suggested in the counter-terrorism context.”

The chemical industry is well familiar with dealing with these two sides of risk reduction in their process safety programs. There are numerous instances where there are just not enough ways to prevent a safety incident (a single mode of prevention is never adequate), so mitigation measures must be addressed to achieve an acceptable level of safety. Since the element of ‘risk’ is the same in a security situation (with the exception that you are looking at intentional instead of accidental acts), the same considerations should apply.

While Risk Based Performance Standard (RBPS) 9 in the CFATS program deals with response to a security incident it doesn’t really address the issue of mitigation of the results of an attack. I’m encouraged to hear that the Coast Guard is at least considering this dichotomy in the development of their strategy.

Politically the Coast Guard is going to have an interesting fight on their hands if their plan includes a specific tradeoff between prevention and mitigation. The environmental folks (Greenpeace, etc.) have never been comfortable with mitigation (or even prevention); they would much rather see the ‘dangerous chemicals’ outlawed. This is the whole basis for their campaign for ‘inherently safer technologies’ (IST).

Voluntary vs Mandated Standards

John notes that the Coast Guard strategy under development is looking at the issue of voluntary vs mandated standards and the integration of public and private security efforts. He writes:

“The Strategy is also looking at an “appropriate” mix of voluntary and mandatory standards. It’s easier to adopt voluntary standards, but they don’t ensure consistent implementation. Integration of public and private security is also envisioned, the questions being the right mix of private assets and how they are utilized.”

The chemical industry has been quick to point out in any forum where chemical security rules are discussed that they have spent huge sums of money increasing the security at their facilities in the wake of the 9/11 attacks. Industry organizations such as SOCMA and ACC have done a lot of work developing security standards to be integrated into their safety programs. The major shortcoming with these programs is that they only apply to organization members and any facility can opt out of the requirements by quitting the organization.

On the other hand, the use of mandatory standards is not without its own unique shortcomings. Mandatory programs always have to deal with the ‘compliance’ vs ‘real’ issue. In security the meeting of a set of minimum standards does not really ensure adequate security. But, most managers that are not well versed in security (and that probably includes the vast majority) will look at compliance as an adequate response.

This is further complicated by the fact that security requirements cannot be uniformly described for all facilities. Security for a 10,000 gallon anhydrous ammonia tank in an urban setting will have to be much more involved than that for a similar tank on an Iowa farm. The obvious response is to develop risk-based standards, but the problems that the ISCD folks are having with the implementation of their RBPS at CFATS facilities are at least partially traced to the use of risk-based standards. Trying to get agreement on the level of risk at any given facility certainly will cause conflict between the regulators and the regulated.

Security Response

We continue to have a discussion about the response to an armed attack on chemical facilities. John notes that one “commentator suggested that the Coast Guard could expect industry stakeholders to respond to a terrorist attack by following their Vessel and Facility Security Plans, but not by interdicting any aggressive forces, which would be a purely governmental function.” As I have noted in numerous posts in this blog, the chemical industry, for a number of legitimate and important reasons, is very reluctant (in many cases adamantly opposed) to provide for armed security on-site.

The CFATS program fails to deal with this issue and won’t even discuss the issue in their Guidance document. There are many reasons for this and an important one (beyond the industry stance) is that the folks at ISCD have no mandate or ability to regulate the response of local law enforcement personnel to an incident at a local chemical facility; the response capability used by almost every chemical facility covered under that program.

While any port-side maritime program will also rely to some extent on local law enforcement agencies for their armed response to a terrorist attack, a major component of the typical response will include an armed Coast Guard response. That, combined with the fact that CG Sector Commanders will already have a working relationship of some sort with local law enforcement agencies, will ensure some level of coordination between the facility, the CG and LLE. It will be interesting to see how that discussion continues during the development of this strategy.

Moving Forward

The Coast Guard is required to report to Congress on the issues raised during the development of their strategy to secure the maritime transport of ‘especially hazardous cargo’ by October of this year and to adopt a strategy by April of next year. I’ll watch for progress in both areas and will certainly continue reporting on this area of chemical security. I’ll almost certainly also continue to refer readers to John’s blog as he continues his coverage.

Monday, August 29, 2011

Cyber Weapons of Mass Destruction

There is an article over on by Steven Bucci that takes an interesting look at ‘weapons of mass destruction’. He would like to extend the definition of WMD to include cyber and economic attacks. I’ll leave the general discussion of ‘economic’ WMD to others, but I would like to expand on his idea of some cyber-attacks being included under the mantle of WMD.

Bucci does not want to include every kind of cyber hack/attack as part of the arsenal of potential WMDs. In fact, he’s not even sure that an APT hack that steals information should be called an attack (that’s a totally separate discussion). He does note, however, that with the advent of Stuxnet (and I would add the Beresford and Luigi vulnerability disclosures and the GLEGG tool as obvious enabling events) there now exists the demonstrated capabilities to use cyber controls as a means to cause destructive events.

He provides one clear example of how a cyber-attack could achieve WMD effects:

“One can imagine the elegance (for a terrorist or rogue state) of hitting the “enter” button on one continent and having all the valves in a chemical plant next to an American city open simultaneously? We would suddenly have a “Bopol [Bhopal], India-like” disaster that kills a multitude.”

I can add a number of other examples just to keep things interesting. They would include:

• Doctoring flow meter reporting so that large containers (storage tanks, rail cars, tank wagons, etc.) are overfilled, resulting in a large-scale release;
• Opening a series of valves so that two incompatible chemicals are introduced into the same tank at the same time (results could include fire, explosions, toxic release, etc., depending on the chemicals involved); or
• Doctoring pressure reporting devices so that hazardous chemical or gas pipelines are over-pressured (à la San Bruno), resulting in explosion or toxic release.

Of course all of these could also be considered to be chemical attacks with the cyber component being just the initiator. It could be argued that including these types of incidents in the discussion of WMD would be similar to calling a cell phone a WMD because it was used to detonate an IED. I think that such an argument would be shortsighted and oversimplified; the scale of skill necessary to implement the above attacks alone would justify calling the cyber component a weapon.

Outside of the chemical industry I can think of a couple of other areas where cyber attacks could be raised to the level of WMD effects. Messing with the controls of a large municipal water system so that the system was over-pressurized could lead to multiple large-scale main ruptures, which could essentially shut down the water system for a prolonged period. Shutting down the automatic sterilization controls at a food packaging operation could result in subsequent illnesses.

In short, there are a number of ways that a control system could be manipulated to cause a significant impact on the community. If the results were catastrophic or physically impressive enough, the cyber attack could certainly be considered to be a WMD attack.

Saturday, August 27, 2011

ICS-CERT Publishes Sunway Force Control Alert

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an alert about an overwrite vulnerability in the structured exception handler for the Sunway Force Control SCADA system. This vulnerability may allow for execution of arbitrary code.

Very little information is available with this alert, which is to be expected. ICS-CERT issues these alerts when public disclosure of a vulnerability takes place outside of the coordinated disclosure process. ICS-CERT does say that they are working with the Chinese-based vendor to validate and mitigate the reported vulnerability.

Friday, August 26, 2011


NOTE: This was sent to me by Scott Jensen from the American Chemistry Council. I think that this is important enough to print verbatim. Sorry about the delay in getting this posted, but I have been on the road today driving back from a chemplant where I have been doing some contract work.

Washington, D.C. (August 26, 2011) – With another hurricane season upon us and Hurricane Irene heading toward the eastern coast of the United States, the chemical industry is prepared to build on the successful actions taken to weather previous hurricanes.

During storms like Katrina and Ike, American Chemistry Council (ACC) members’ emergency preparations worked as planned. Not one employee at a chemical facility was injured, and neither the U.S. Environmental Protection Agency (EPA) nor any state agency reported a significant chemical release from ACC member facilities in the Gulf. 

In fact, most chemical facilities returned to full operational status in a matter of days, a tribute to planning, preparation and the fundamental design of ACC members’ facilities.

Preparation equals safety

Chemical companies know well to avoid the dangers of being unprepared for any threat, be it a hurricane, an accident, or something more sinister. This is why our member companies place great importance on implementing emergency plans focused on protecting the safety of employees and surrounding communities. Under Responsible Care®, our trademark health, safety, environment and security program, all ACC members have long-established emergency plans, which are activated in close coordination with local, state and national authorities, other businesses and transportation systems, along the path of the storms.

The well-rehearsed emergency plans for hurricanes involve many actions taken in advance of the storm. Depending on the severity of the storm, they include:

• Complete shutdown of facility following strict safety and operating procedures
• Evacuation of personnel
• Preparing the facility by activating generators, filling tanks and physically securing equipment
• Removal of unnecessary vehicles and other equipment

ACC members don’t just plan for severe contingencies like hurricanes, they consider them when designing and building chemical facilities to be safe. Specific construction elements can include hardened equipment, dikes and levees.

Cascading impacts on chemicals and customers

As previous storms like Katrina and Rita demonstrated, the impact of hurricanes can go well beyond the potential threat to employees and physical damage to facilities and their communities. Those storms served as a reminder of the interdependent nature of the nation’s critical infrastructure.

While most facilities did not suffer major structural damage and were operational within days, many were unable to resume normal production because of other external consequences of the storms. Extensive damage to the local infrastructure blocked the flow of key supplies, like electricity and natural gas, necessary to manufacture chemicals, while damaged roads and rail lines prevented the delivery of products to consumers.

Ultimately, this led to higher natural gas costs for everyone and curtailed the delivery of chemicals essential to producing important everyday items like clean drinking water and life-saving medicines.

Recovering from the storm

After a storm passes, specially trained teams visit the site to evaluate damage before response crews or other employees are allowed to return. Once it is deemed safe to return, employees begin the delicate process of restarting operations, which can take several days depending on the size of the facility.

As we have seen in the wake of past storms, the recovery operations of many companies extended past the fence lines of their facilities. On their own, through ACC and the state chemistry councils, and working directly with the Red Cross, Salvation Army and other organizations, America’s chemistry companies and their personnel responded compassionately, donating tens of millions of dollars for relief assistance, volunteering time and providing much-needed supplies. This industry-wide effort included companies and facilities from all parts of the nation.

In many instances, member company facilities became vital community resources, providing a wide range of support, including temporary housing and meals for employees, their families and even the broader community, in some instances. One company loaned its helicopter to the Red Cross for relief and rescue. Another facility helped run the small town where it was the only local institution with emergency power and communications.

Preparing for Irene and the Next Storm

While it is impossible to predict the exact path of Irene or the potential impact on member facilities, ACC member companies will continue to make sure all of their facilities are prepared to weather the storm and assist in the recovery.

Agriculture and Chemical Security

While we are having the ongoing discussion in the United States about renewing the CFATS program, it is interesting to note that Australia is still in the process of formulating their chemical security program. There is an interesting short article at about the agriculture industry’s attempt to avoid coverage by the program that the Australian government has been developing since 2008.

The article does not describe the ‘onerous’ security measures that would have to be put into place to protect IED precursor chemicals like potassium nitrate. It does note that they include measures to address:

• Employee and contractor checking and security awareness;
• Inventory control; and
• Sales and distribution.

Since agriculture is one of the biggest bulk users of potassium nitrate it is hard to see how any effective program to keep that material out of the hands of potential terrorists could not include security at agricultural sites. Of course, having said that, readers of this blog will almost certainly remember that agricultural production facilities are still ‘temporarily’ exempted from coverage of the CFATS program.

Even the proposed ammonium nitrate regulations do not propose to impose any security requirements on ag producers beyond the simple registration of farmers buying the material. They will not even be required to report the theft or loss of ammonium nitrate to Federal authorities.

I understand that production margins at many ag production facilities, particularly family owned facilities, are slim and variable. But, the same can be said for many small chemical production facilities, and they are not generically exempt from security requirements. I also realize that many rural facilities are far from the urban centers that are potential terrorist targets, but we are not expecting terrorists to bomb the family farm.

The security community is, however, concerned about terrorists potentially acquiring large amounts of IED precursors from rural facilities, via theft or diversion, and using them in terrorist attacks in urban centers. One only has to look at the bombing portion of the recent lone-wolf attack in Norway to see how easy it is to divert IED precursors from the agricultural supply chain.

One can only wish Australian regulators luck in bringing the ag producers into the chemical security fold. We are still waiting to see if/when the CFATS program will be made to apply to those production facilities here in the United States.

Thursday, August 25, 2011

ICS-CERT ClearSCADA Advisory

Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) publicly published an advisory for Control Microsystems’ ClearSCADA platform. The advisory was originally published in limited distribution on the US-CERT portal in June. The vulnerability, identified by Jeremy Brown, would allow an unauthorized remote user access to system diagnostic information.

Control Microsystems has corrected the problem in ClearSCADA server 2010 R1.1 and newer versions. Patches will not be made available for older versions. They also recommend disabling logons on non-secure ports in the server configuration window. That would make it seem that the default settings specifically allow for logging onto the system via unsecure ports; that doesn’t seem right.

Hurricane Recovery – Flooded Chemical Storage Areas

I ran across an interesting article at (don’t you just love the Internet?) that looks at how farmers affected by hurricane flooding should deal with the problem of flooded pesticide storage areas. While a couple of the recommendations clearly only apply to pesticides (land application procedures for pesticide contaminated water for example), the general recommendations could apply to just about any chemical storage area.

Every chemical facility (in the broadest use of that term) that might be affected by flooding due to hurricanes or just atypical rains (and we’ve seen lots of that this year) needs to consider what they are going to do when they return to a flooded facility. This needs to be included in any disaster recovery plan.

Remember, advance planning is an absolute requirement for these types of situations. For example, where are you going to get the personal protective equipment that is going to be required? The stuff stored in the flooded facility is going to be next to useless; you need to bring it with you when you return to the facility.

PHMSA ANPRM: Safety of Gas Transmission Pipelines

Today the Pipeline and Hazardous Material Safety Administration (PHMSA) published an advance notice of proposed rulemaking (ANPRM) in the Federal Register (76 FR 53086-53102) concerning changes that it is considering making to the Pipeline Safety Regulations (PSR; 49 CFR Parts 190-199). PHMSA is considering changes to rules governing safety of gas transmission pipelines, including potential changes to pipeline integrity management (IM) requirements and the definition of high consequence areas (HCAs).

Pipeline Integrity Management Changes

PHMSA notes that the current IM program has improved the safety of gas transmission pipelines in HCAs. Even with those improvements, however, fires and explosions like the San Bruno incident last year continue to occur. Additionally, during their inspections of current operator IM programs PHMSA has identified some concerns that “indicate a potential need to clarify and enhance some [IM] requirements” (76 FR 53088).

IM topics that have been identified for possible inclusion in the proposed rule include:

• Modifying the definition of an HCA;
• Strengthening the Integrity Management requirements in Part 192;
• Modifying repair criteria;
• Revising the requirements for collecting, validating, and integrating pipeline data;
• Making requirements related to the nature and application of risk models more prescriptive;
• Strengthening requirements for applying knowledge gained through the IM program; and
• Strengthening requirements on the selection and use of assessment methods, including prescribing assessment methods for certain threats.

Issues Not Covered Under Current IM Rules

PHMSA has also identified some system integrity issues that are not adequately addressed by IM programs. They are considering strengthening and expanding these non-IM requirements. Some of the topics falling under this area include:

• Valve spacing and the need for remotely- or automatically-controlled valves;
• Corrosion control;
• Pipe with longitudinal weld seams with systemic integrity issues;
• Establishing requirements applicable to underground gas storage;
• Management of Change;
• Quality Management Systems (QMS);
• Exemptions applicable to facilities installed prior to the regulations; and
• Gathering lines.

Questions to Be Answered

As with other ANPRMs, this document does not generally specify the proposed regulatory language that PHMSA is considering. Rather, PHMSA provides a discussion of each of the 14 topics identified above. Along with that discussion they provide a list of questions that they would like to see answered in the public comment process. For example, under the topic concerning potential expansion of the current HCA definition, PHMSA includes (76 FR 53089) the following questions:

• Should PHMSA revise the existing criteria for identifying HCAs to expand the miles of pipeline included in HCAs?
• If so, what amendments to the criteria should PHMSA consider (e.g., increasing the number of buildings intended for human occupancy in Method 2)?
• Have improvements in assessment technology during the past few years led to changes in the cost of assessing pipelines?
• Given that most non-HCA mileage is already subjected to in-line inspection (ILI) does the contemplated expansion of HCAs represent any additional cost for conducting integrity assessments?
• If so, what are those costs?
• How would amendments to the current criteria impact state and local governments and other entities?

PHMSA is soliciting public responses to these questions as well as more general comments on the proposed changes to the PSR. These responses can be submitted via the Federal eRulemaking Portal (; Docket # PHMSA-2011-0023). Responses need to be submitted by December 2nd, 2011.

Wednesday, August 24, 2011

CFATS Knowledge Center Update 08-24-11

Today the folks at ISCD provided a notice in the ‘Latest News’ section of the CFATS Knowledge Center web site that they had revised the response to FAQ # 1557. That Frequently Asked Question reads:

“What should I do if I think my facility was incorrectly determined to be high-risk or received an incorrect preliminary risk-based tier determination?”

Typing '1557' into the search box at the top of the page will take you to the FAQ with the link to the complete answer. There is no real change in the meat of the discussion, but there have been some changes made to the procedural details.

New ISCD Director

As I noted in a blog post earlier this month, there is a new ISCD Director, Penny J. Anderson. Since the Director is the point of contact for initiating Requests for Redetermination or Requests for Consultation, her appointment necessitated changing the POC information in the response to this FAQ.

In addition, ISCD has provided two additional methods for contacting Ms. Anderson. Where the previous Director had only accepted requests via mail, Ms. Anderson is accepting them by email (through the CSAT Help Desk email address) and by FAX (866-731-2728). Presumably both of these new communications methods will get to her more quickly than via the US Mail.

It is interesting to note, however, that the same multiple communications methods are not mentioned in connection with requesting an extension of a CFATS deadline. The next-to-last paragraph of this FAQ response still notes that such requests should be mailed to Ms. Anderson; no alternatives (email or FAX) are mentioned. I think that it was an odd oversight, particularly since a request for deadline extension is more time sensitive.

CAPTCHA Replacement

I noticed another interesting change when I was reviewing this FAQ. Down at the bottom of the page is the ‘User Feedback’ section; it was added to the FAQ when ISCD adopted the new CFATS Knowledge Center format. Below the text entry block, where we have become used to seeing the CAPTCHA box (you know, the twisted letters that you are asked to read and type in to verify that it is a person and not a computer program responding), there is a new variation. Instead of reading the scrambled letters you are now asked to enter the ‘opposite’ of the word listed; they are calling this a ‘text challenge’. The one I’m looking at now is the word ‘IN’ and the appropriate response (presumably) would be ‘OUT’.

I had heard that someone had figured out how to get a computer to read the CAPTCHA letters (that was inevitable), but this is the first truly new person response checker that I have seen. This won’t take too long to get around; there is a relatively short list of terms that have unambiguous opposites. If they start using more ambiguous terms to get around the ‘read – lookup – respond’ capabilities of computers, they are going to start eliminating some literacy-challenged individuals.

FRA Publishes NPRM Amending PTC Requirements

Today the Federal Railroad Administration (FRA) published in the Federal Register (76 FR 52918-52929) the notice of proposed rulemaking (NPRM) that I briefly mentioned in an earlier blog posting. According to the preamble to the NPRM:

“This notice proposes the removal of various regulatory requirements that require railroads to either conduct further analyses or meet certain risk-based criteria in order to avoid PTC system implementation on track segments that do not transport poison- or toxic-by-inhalation (PIH) hazardous materials traffic and are not used for intercity or commuter rail passenger transportation as of December 31, 2015.”

In 2008 Congress mandated {Section 104 of the Railroad Safety Improvement Act of 2008, Public Law 110-432, 122 Stat. 4854 (Oct. 16, 2008)} that the FRA establish requirements for the installation of automated positive train control systems (PTC) to control the operation of trains on certain designated lines. One of the methods of designating those lines required to be equipped with the expensive equipment was if a line segment provided transportation for poisonous (or toxic) by inhalation (PIH or TIH) chemicals as of 2008.

The railroads objected to the use of that date because other changes were made to the rules concerning the transport of PIH chemicals at about that time that required potential changes to rail routings of those materials due to security and safety considerations. Those changes could have left the railroads with PTC mandates on lines that no longer qualified based upon their PIH tonnage.

Provisions were made for allowing railroads to request approval from the FRA to remove line segments from the PTC requirements. The requirements for that removal were stricter than those for the original classification of PTC covered segments. The American Association of Railroads filed a petition for review with the US Court of Appeals and ultimately reached a settlement agreement with the FRA that resulted in the publication of this NPRM.

New Requirement

The NPRM proposes to change the wording of 236.1005(b)(4)(ii) that would allow for changes to the PTC implementation requirements based upon three simple criteria:

(A) The cessation of passenger service on the involved track segment prior to January 1, 2016;

(B) A decline in gross tonnage below 5 million gross tons annually as computed over a 2-year period on the involved track segment; or

(C) The cessation or expected cessation of PIH traffic over the involved track segment prior to January 1, 2016.

The FRA predicts that this change would result in the removal of about 10,000 miles of rail line from the requirement to install PTC systems at a savings to the railroads of approximately $620.

Public Comments

As with all proposed rules, the FRA is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (docket number FRA-2011-0028). Such comments need to be submitted by October 24, 2011.

Tuesday, August 23, 2011

Hurricane Irene Targets East Coast

Yesterday I mentioned that Hurricane Irene looked like it was targeting Florida and the Georgia Coast. Today, more detailed data narrows the track down some and it looks like the entire East Coast as far north as Long Island, NY might be affected. So all chemical facilities located up through New Jersey along/near the Atlantic coast should go back and read my earlier post.

Actually the latest graphic from NOAA on the track of Hurricane Irene places the Sunday 8:00 pm EDT mark for the potential hurricane location on the west end of Long Island; smack dab in NYC. Could this be the dreaded LI version of Katrina? It’s way too early to tell, but not too early to start preparing.

Port Security Hearing Update

Earlier this week I wrote about tomorrow’s field hearing looking at port security in the Port of Houston. The House Homeland Security web site now has more information available about the witnesses that are scheduled to testify. The witnesses list does include the local Coast Guard Sector Commander, but there will be no one from ISCD representing the CFATS side of the Port.

The reason for that is found in a Committee Press release that provides Chairman McCaul’s (R,TX) reason for calling the meeting:

“Osama bin Laden’s personal files found in his compound in Pakistan revealed a brazen idea to blow up oil tankers.  The Port of Houston is perhaps the most target-rich environment.  In addition to the tragic loss of life that would occur, an attack that stops the flow of roughly 25 percent of America’s oil imports could cripple our already struggling economy.  If catastrophe struck the Port of Houston, there is little spare capacity to import and refine crude oil elsewhere in the country.  Securing this high value target is essential to our national and economic security.  This hearing will examine security in place to prevent such an attack, as well as measures not yet implemented.”

So the apparent emphasis will be on the water side of the port; except that the witness list also includes the Harris County Sheriff. I guess that we’ll just have to wait and see. Two other local officials representing the Port of Houston Authority and the Greater Houston Port Bureau, Inc. are also scheduled to testify.

The only ‘outsider’ testifying is a Government Accounting Office representative. This inevitably means that there will be a GAO report presented at this hearing. Mr. Stephen Caldwell is the Director, Maritime and Coast Guard Issues, for the Homeland Security and Justice Team at the GAO. That means that the report could cover a wide variety of port security issues and need not be limited to issues affecting just the Houston Port.

Still no word about the possible appearance of Rep. Jackson-Lee (D, TX) or Rep. Gene Green (D, TX) at the hearing. Neither of their web sites mentions the hearing.

NSTAC Teleconference 9-8-11

The President's National Security Telecommunications Advisory Committee (NSTAC) published a notice in today’s Federal Register (76 FR 52672) that they would be holding a public teleconference on September 8th. Topics to be addressed include:

• An update on the NSTAC's Cloud Computing Subcommittee's recent work; and

• A tasking from the Executive Office of the President regarding the National Public Safety Broadband Network.

According to the notice the Committee is soliciting “public comment on the issues to be considered by the committee”. This appears to be a pro forma solicitation as there is no information available on the NSTAC’s web site on the Cloud Computing Subcommittee, much less its work. I understand why there is no information about the new tasking (it hasn’t been received yet), but some indication of the Subcommittee’s scope of examination about ‘Cloud Computing’ would be helpful.

Of course, if the aim is to avoid public scrutiny or participation, then obfuscation of this sort really is appropriate.

There will be an opportunity for public oral comments during the teleconference; registration of intent to make an oral presentation is required. Written comments to be considered by the Committee may be submitted via email; the docket number (DHS-2011-0064) needs to be included on the subject line.

Ignition Vulnerability Advisory Published by ICS-CERT

I don’t know how I missed writing about this before now, I mean the headline is incredibly catchy, but last Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an advisory about an information disclosure vulnerability in Inductive Automation’s Ignition software. The vulnerability was discovered by Ruben Santamarta and it allows unauthorized users to remotely download system and project information (including authorized usernames and password hashes) via a simple connection to a specific URL address.

Inductive Automation has developed an upgraded version of the Ignition software which is available for download.

I’m always amazed at the ability of security researchers to discover these vulnerabilities in complex control system software. It takes a peculiar twist of the mind to be able to read code as if it were one’s birth tongue rather than a foreign language learned late in life. My hat’s off to Ruben for the effort and ability that went into discovering this obscure but potentially devastating vulnerability. I’m glad that he’s working on the disclosure side of that skill set, not the exploitation side.

BTW: Yesterday ICS-CERT published an update of their Siemens PLC vulnerability summary advisory that I discussed earlier. They corrected an apparent typo on page 8; substituting the word ‘interoperability’ for ‘inoperability’. Interestingly this is one of the specific sentences in the advisory that Ralph Langner took objection to in his blog post criticizing this advisory and somehow he read it the way that ICS-CERT intended it to read (as corrected here) not how it was actually published.

Monday, August 22, 2011

First Hurricane of 2011 Season Targets Florida

Today the National Hurricane Center named the first Hurricane of the 2011 Season, Hurricane Irene. Currently just off of the northeast coast of Puerto Rico, Irene is a Category 1 hurricane. The current track carries it toward the East Coast of Florida. That track has it skirting the entire East Coast Friday as it heads generally north-northeast with a possible landfall on the Georgia coast early Saturday morning. The National Hurricane Center reminds people that the current track is an estimate and that the “most recent 5-year average errors at those forecast times [four and five days] are 200 and 250 miles...respectively”.

While it has been a couple of years since a hurricane has hit the State of Florida, I’m sure the residents and resident companies all have an idea of what they need to do to prepare for this potentially major hurricane. I would like to point out that in addition to typical safety precautions high-risk chemical facilities need to consider the potential security implications for a hurricane.

Thanks to the folks at PI, I have found a copy of a 2003 DHS ‘Red Cell’ report on those security implications (NOTE: PI is having legal issues; you will have to view a cached copy of this document). Actually, it does not directly address chemical facilities (surprise…not) but it does point out a number of attack vulnerabilities that could apply to CFATS facilities. It’s well worth reading the four page document.

SECURITY WARNING: This eight-year-old document is marked FOUO. Under the WikiLeaks rules issued by the Obama Administration, viewing this document by government employees or contractors might result in them being subject to disciplinary action up to and including termination.

Chemically Targeting Evacuation Routes

One important area to consider is the potential for terrorists targeting evacuation routes. The report notes in its ‘Pre-Event’ table the possible impacts of this type of attack:

• Mass panic
• Possible high casualties
• Destabilization
• Loss of public confidence in the government
• Immobile population
• Increased media coverage

A very high-profile attack on these routes could be effected by using a tank-truck or rail car of hazardous materials. It wouldn’t have to be a spectacular or even particularly effective attack in this situation. In fact, even a visible attack with non-hazardous chemicals could have a pretty devastating effect in the highly charged atmosphere of an evacuation. A visible attack on a chemical facility located along an evacuation route would be even more effective at destabilization.

Congressional Hearing Week of 8-22-11

Well, Congress is still out of Washington, though technically they are still in session, meeting twice a week in pro-forma meetings on Tuesday and Friday. Generally speaking this has just about eliminated Congressional Hearings until after they return to the City after Labor Day. There are a few exceptions to that rule and one is occurring this week in Houston, TX. The Subcommittee on Oversight, Investigations and Management of the House Homeland Security Committee will be holding a hearing on port security on Wednesday.

Chairman McCaul’s (R,TX) Subcommittee is tasked with ‘general oversight of homeland security programs’ so that probably provides enough leeway for him to look at “Preventing an Economic Shock Wave: Securing the Port of Houston from a Terrorist Attack” even though it probably would be a more appropriate topic for the Border and Maritime Security or the Counterterrorism and Intelligence Subcommittees. Of course, neither of those subcommittees is chaired by someone from Houston, TX.

There is no witness list available yet, but I would expect to see someone representing the Coast Guard’s local Captain of the Port as that office has primary responsibility for the enforcement of the Maritime Transportation Security Act (MTSA) in that area. It will be interesting to see if there is a representative of ISCD, perhaps the local Commander of Chemical Facility Security Inspectors, at the hearing because of the large number of high-risk chemical facilities in the area. Since this hearing is potentially politically charged, both agencies may buck up representation to their Washington staffs.

The Port of Houston would be a great place to look at the interaction between the MTSA and CFATS programs. Perhaps Chairman McCaul could get DHS to explain the actual status of the memorandum of understanding between the Coast Guard and NPPD on how the two agencies would handle chemical security issues in port areas. Additionally, I would hope that the hearing would address the Coast Guard’s plan to require CFATS Top Screen submissions from MTSA covered chemical facilities.

This will also be a good chance to look at bipartisanship in Homeland Security. There are two other Representatives, both Democrats, who have responsibilities for parts of the Houston area, Gene Green and Sheila Jackson-Lee. Ms. Lee is a member of the Committee but not McCaul’s Subcommittee; I would not be surprised to see her at the dais. Green is on a competing committee (Energy and Commerce), but political decorum would probably dictate his being present as well.

Sunday, August 21, 2011

ICS-CERT Monthly Monitor

Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published the latest edition of their ICS security newsletter, the ICS-CERT Monthly Monitor; this issue covers two months. A number of interesting topics are covered in this issue, including Spear Phishing, Black Hat 2011, the Siemens fiasco and preserving cyber forensics data.

Spear Phishing

A nice article on Spear Phishing notes that ICS-CERT has been responding to an “increasing number of spear phishing attacks”. One would assume that when ICS-CERT got involved it was a successful spear phishing attack where something ‘malicious’ was noted on the attacked network. It is interesting to note in the article (mentioned in passing as it were) that the apparent response to a successful spear phishing attack involves shutting down the corporate email system “until the extent of the problem [is] known and mitigation steps [are] taken”.

Black Hat Briefings

The brief piece on the Black Hat Briefings conference provides a brief bit of information from the conference that I haven’t seen mentioned elsewhere; the description of an airborne hacker tool. The wireless aerial survey platform (WASP) is apparently a remotely piloted vehicle that would fly over an installation trying to detect and intercept Wi-Fi and cell transmissions. With the increased use of wireless communications between control systems components, this could provide another route of access into the control system network. Of course, high-risk chemical facilities should already be concerned about the use of RPVs for surveillance or even attacks, so this is just one more reason to acquire sophisticated anti-aircraft attack capabilities (just a little sarcasm).

The brief piece on the Siemens issues provides essentially a summary of their summary advisory that I have previously addressed. I would like to suggest that an alternative analysis of the ICS-CERT approach to the Siemens issues can be found at Ralph Langner’s recent blog posting on the issue. Anyone who has read Ralph’s stuff on Stuxnet will not be surprised that he has been less than enamored with the response of ICS-CERT on much of anything to do with Siemens.

Cyber Forensics

There is a relatively lengthy piece on cyber forensics and the importance of planning for how to respond to a cyber incident. Most facilities will be focusing on getting their systems back into the normal functional mode when something goes wrong with their system (either from an attack, human error, or just a glitchy piece of equipment/software). Cyber forensics is used to determine why and how a problem occurred and is important in figuring out how to limit the current problem and prevent it from happening again. This piece is well worth the read and further exploration. Some of the techniques suggested for preserving forensics data would normally fly in the face of standard procedures for quickly restoring functionality, but with more cyber-attacks occurring, facilities really need to consider these techniques as a method of discovering the true extent of what happened.

Other Information

There is also a nice text box describing the wonders and benefits of ‘coordinated vulnerability disclosure’. ICS-CERT has a vested interest in the CVD process, so they can be expected to support it. It seems to me that when the process works (i.e., the vendor responds promptly and puts forth a reasonable effort to fix the problem) this system provides the most effective method for identifying and responding to vulnerabilities. When there is no response, or an inadequate response, then alternate methods of communication need to be used.

Finally, the Monitor closes with two pages of ‘Open Source Situational Awareness Highlights’; a listing of articles and blog posts of significance to the control system security community. While certainly not an exhaustive bibliography, it certainly provides a pretty good reading list. I was impressed that there are a couple of blog posts included in their list (none of mine, alas). I would have been more impressed if they had included a listing of some posts by people like Ralph Langner or Dale Peterson that questioned the various responses of ICS-CERT to cyber security issues, but that would be expecting a bit more objectivity than is probably reasonable.

In short, this is a fairly impressive newsletter by a government agency that is a small but important cornerstone of the Federal response to cyber security issues in industrial control systems. Everyone in the ICS security community should read it.

Saturday, August 20, 2011

ISCD Updates CFATS Knowledge Center – Minor FAQ Correction

Yesterday the folks running the CFATS Knowledge Center updated one of the responses to a frequently asked question (FAQ). It was a minor correction (removing an inappropriate ‘mail to’ link from FAQ #1544), but it does show a willingness to keep the minor details straight. There’s no telling how they discovered the error, and it is on a question that is probably not accessed that often any longer (it deals with CSAT registration issues), but good quality control does require the correction of even seemingly inconsequential mistakes.

Friday, August 19, 2011

New ICS-CERT Alert on GLEG Agora SCADA+

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published a new alert on the GLEG Agora SCADA+ Exploit pack. This Alert addresses release 1.4. ICS-CERT has addressed two earlier versions of the Agora SCADA+ Exploit Pack (ICSA-11-096-01 and ICS-ALERT-11-111-01). Readers will probably remember that the Agora SCADA+ Exploit Pack is an add-on for Immunity’s CANVAS system and is produced by the Russian research group GLEG. The CANVAS system is an automated exploit system similar to Metasploit designed for use by penetration testers and security researchers.

According to ICS-CERT's analysis of the latest version there are 40 vulnerability exploits included in the exploit pack; most of which have been addressed by ICS-CERT alerts or advisories. Six of the vulnerabilities were publicly identified before the formation of ICS-CERT so there were no alerts or advisories for those vulnerabilities; there are CERT/NIST CVE records identified for each of these.

There are apparently 13 previously-unidentified vulnerabilities included in the list. ICS-CERT has not been able to provide any significant details on these vulnerabilities. Nor is it apparently willing and/or able to ‘confirm’ their existence. The systems potentially affected include:

• Beckhoff, TwinCAT ENI Server;

• Broadwin/Advantech, WebAccess (3);

• CACHE, Database (2);

• CodeSys, ENI Server v.;

• ITS, Unknown;

• Outlaw Automation, ICSADA;

• RealWin, Unknown;

• Trace Mode, Data Center; and

• Wintr, Unknown (2).

Thursday, August 18, 2011

CSSS Potential Threats and SAR Briefings

I haven’t written about any of the presentations at this year’s Chemical Sector Security Summit since I wrote about the slide presentations becoming available. One of the main reasons is that Ryan Loughin has been periodically reviewing the presentations over on his blog. He has a distinct advantage in writing about them as he was actually there and heard the speakers; that’s always a better way to review a presentation.

His latest post on the potential threats program is even better because he was the host of that panel discussion. Unfortunately, only the Carafano presentation from this panel is available on line.

Ryan also addresses in this post the Suspicious Activity Reporting (SAR) panel discussion. The DHS/DOJ presentation by Steve King is available on-line, but Ryan’s blog also briefly describes some of the additional information provided by other speakers on that panel.

Lacking a video copy of the presentations, I suggest following the postings on Ryan’s blog. I’ll either mention them here or in my TWITTER posts.

Gasoline and Sewer Explosions

Thanks to Jake Brodsky over at the WATERSEC list for pointing me (actually all list members not me specifically) at a recent article about gasoline leaking into sewer systems and a Wikipedia article about the infamous consequences of a similar type leak in Guadalajara, Mexico in 1992. This helps to reinforce a point I have made a couple of times in this blog about the potential use of gasoline tank trucks in making interesting improvised explosive devices.

I first got interested in this subject when I was stationed with the US Army Berlin where I spent some time working on the Berlin Brigade’s Military Operations on Urbanized Terrain (MOUT) program. One of the things that we looked at was the potential use of improvised explosive devices utilizing gasoline. I found an interesting study done at the US Army Engineer School about making anti-tank obstacles utilizing fuel-air explosions in sewer lines. That study was inspired, in turn, by a sewer-line explosion in Akron, OH in 1977.

Now I’m sure that there will be some reader that will remind me that the specific fuel-air mixture requirements for a gasoline explosion are not that easy to achieve in a sewer line. This is absolutely true; it is probably why there was no explosion related to the Cedarville incident earlier this week. There are, however, a few relatively simple steps that a terrorist could take to increase the probability of achieving the proper mixture.

Besides, even if an explosion did not result from a terrorist infusion of gasoline into a public sewer system, the inevitable evacuations while the situation was cleaned up would be disruptive enough that it would have to be considered a successful terrorist attack.

Wednesday, August 17, 2011

Photographer’s Rights and Counter-Terrorism

There is an interesting article about a recent confrontation (actually that term might be a bit overblown) between a photographer and a police officer over the issue of taking photographs of a chemical facility. The photographer claims he was detained, but it appears from his description that he was stopped, questioned and required to show identification. The civil libertarians are incensed and the police are confused about their concern.

This is an issue that I have addressed before (most recently last December) and it is certainly a controversial issue, weighing security needs against individual freedoms. Let me see if I can outline both sides of the issue.

Counter Surveillance

It is well established that a ‘professional’ terrorist needs to collect information about their targets to aid them in the planning necessary for a successful attack. Pre-attack surveillance can take a lot of forms, but a common one would be to take photographs of the facility, particularly the security measures.

It doesn’t take a security expert to realize that detecting a potential attack early in the planning process makes it easier to disrupt the attack. This is the reason that I have frequently commented that a successful facility security program must include a counter surveillance program to try to detect potential attacks in the pre-attack planning process.

So, anytime someone is seen taking photographs of a high-risk chemical facility, there is a legitimate need to determine if the photographer is potentially taking pre-attack surveillance photos of the facility.

Photographer Rights

Generally speaking photography is a constitutionally protected activity under at least three different types of free speech. Since much photography is often connected with journalistic endeavors the freedom of the press provisions may apply. Photography is also a well-recognized art form and thus protected under general freedom of expression provisions. Additionally, many political organizations, like Greenpeace, use photography to support their political agenda which is also clearly protected under free speech provisions.

So, as long as someone is not violating some other law, like trespass, it will be difficult to legally stop someone from taking photographs of a chemical facility. Even if a legitimate rationale can be found, the firestorm of protest that would result would be counterproductive to say the least.

Balancing Act

As can be seen through this article, balancing the two legitimate requirements of community security and personal liberties is going to be a hard line for police departments to follow. Private security forces are going to have an even greater problem with this as there are already too many people that think such forces are a threat to civil liberty in the first place.

A great deal of care and planning is going to have to go into any encounter with someone taking photographs of a chemical facility. Security managers are going to have to think the process through and establish specific guidelines for such encounters and make sure that they are frequently covered in their security training program.

The presumption that is going to have to guide these encounters is that the vast majority of people taking such photographs are not terrorists. If security personnel can keep that in mind they will be better able to avoid taking a confrontational approach with the photographer. The goal should be to determine if there is anything in the actions or demeanor of the person that is not in keeping with an innocent reason for taking the pictures. If there is, that should be reported to law enforcement authorities for follow-up investigation.

Remember, even if the photography is in support of pre-operational planning for a terrorist attack, it does not mean that an attack is imminent. The simple act of professionally talking to the photographer might be enough of a show of security presence to convince the terrorist organization to look for an easier target.

Tuesday, August 16, 2011

OMB Approves FRA PTC Amendment Rule

The Office of Management and Budget announced on their web site yesterday that they had approved ‘consistent with change’ (OMB speak for make some minor changes please) a Federal Railroad Administration proposed rule amending the Positive Train Control regulations. Since this rule was not published in the Unified Agenda we have no way of knowing what this proposed rule will contain until it is published in the next week or two in the Federal Register.

OMB was kind enough to tell us that it is ‘economically significant’ and that it will affect small businesses.

ICS-CERT Updates Honeywell ScanServer Advisory

Yesterday afternoon the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an update on an advisory that was originally published last April. The revised advisory updates the researcher attribution and the vulnerability details, and adds new mitigation information.

The update identifies Secunia as the ‘security researcher’ that originally identified this vulnerability and provides links to two different Secunia pages about the vulnerability. While this information is important to Secunia (and probably the rest of the security research community) the more important bit of information included in this update is the Microsoft mitigation measure identified (the availability of an ActiveX kill bit for the control exploited in this vulnerability).
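A kill bit is simply the 0x400 flag in the ‘Compatibility Flags’ value under Internet Explorer’s ActiveX Compatibility registry key for a control’s CLSID; once set, IE refuses to instantiate that control no matter what web page asks for it. The script below is an added example (not from Honeywell, Microsoft or the ICS-CERT advisory) that audits, and optionally applies, the kill bit for a CLSID; the CLSID is a placeholder because the advisory text here does not give it, so substitute the one named in the vendor advisory.

```powershell
<#
  Audit (default) or apply (-Apply) the Internet Explorer kill bit for an ActiveX control.
  Added example; the CLSID passed in is a PLACEHOLDER to be replaced with the value
  from the vendor/ICS-CERT advisory. Applying the bit requires an elevated shell.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
    [string]$Clsid,          # e.g. '{00000000-0000-0000-0000-000000000000}' (placeholder)
    [switch]$Apply
)

# 0x400 is the KILLBIT flag; any other compatibility flags already present are preserved.
$KillBit = 0x400

# 64-bit Windows keeps a second key for the 32-bit IE process under Wow6432Node.
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Get-KillBitState {
    param([string]$Path)
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Path       = $Path
        Flags      = if ($null -eq $flags) { '(not set)' } else { '0x{0:X}' -f $flags }
        KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
    }
}

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the kill bit in rather than overwrite, so existing flags survive.
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

foreach ($p in $Paths) {
    if ($Apply) { Set-KillBit -Path $p }
    Get-KillBitState -Path $p
}
```

Run without -Apply first to confirm whether the Microsoft update has already set the bit on a given machine; the audit needs no elevation and is suitable for collection across a fleet.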

Social Engineering Exploit

Still, the most important thing about this vulnerability, and most vulnerabilities involving ActiveX controls, is that not only does it involve a control system software issue, but it requires the active involvement of someone at the facility. No, not an insider attack, but someone accessing a malicious web site. These web sites are not going to be randomly surfed by the facility employee/contractor; they are going to be drawn to the web site by a social engineering attack.

While the mitigation measures provided by Honeywell and Microsoft for this particular attack will allow facilities to avoid this particular problem, a more important mitigation measure would be to train (and re-train frequently) all employees with control system access on how to identify and avoid social engineering attacks. That would help to prevent exploitation of this vulnerability and a whole host of yet to be identified zero-day vulnerabilities in this and other control systems.