Sunday, October 30, 2011

Symantec Reports Concerted Attacks on Chemical Companies

A report that will be ‘released’ tomorrow by Symantec (available on their site now) outlines what they are calling the ‘Nitro Attacks’ on information assets of a number of chemical companies. The attacks were (conducted from late-July to mid-September of this year) apparently an attempt to gather “intellectual property such as design documents, formulas, and manufacturing processes [emphasis added]” (pg 1). This may be being done just to gain a competitive advantage (China is mentioned but not accused in the report), but there may be a more control-system security-related reason as well (my opinion not Symantec’s).

With W32.Duqu apparently targeting industrial equipment suppliers (As do apparently the Nitro Attacks; Symantec lists among the target companies those “involved in developing manufacturing infrastructure for the chemical and advanced materials industry) and now someone trying to gain information on chemical processes, one begins to suspect (only a bit of paranoia here) that a combination of the two types of information may allow for targeted attacks on chemical control systems.

A side note to authors Chien and O-Gorman: I like the term ‘manufacturing infrastructure’ much better than ‘industrial industry manufacturers’. Are they both describing similar targets?

While I have long maintained that multiple-random PLC manipulations will suffice for successful attack on a chemical processing system, I must note that for a truly catastrophic attack on a chemical facility, one must understand both the process system/equipment and the methodology of the attack. These two recent attacks on chemical manufacturing related targets makes me think that someone else (with less benign intentions) agrees with me.

In any case, I encourage everyone in the chemical processing industry to read this Symantec report. Not only does it provide an important warning about the targeting of that industry, it also provides a nicely detailed description of how one goes about executing a social engineering attack on a specific industry.

BTW: I was pointed at this publication by a TWEET by @danchodanchev.

Congressional Hearings – Week of 10-31-11

After two weeks of alternating working in Washington and staying home, both the House and Senate will be in session this week. That doesn’t mean that there will be any committee work on chemical or cyber security issues; there is nothing currently scheduled for either topic. There is the possibility, however, that the House Rules Committee will announce a change to that shortly.

Coast Guard Authorization


Late Friday night the House Rules Committee added HR 2838, Coast Guard and Maritime Transportation Act of 2011, to the list of bills that might be considered on the floor of the House this week, though it is not yet on the Majority Leader’s Weekly Schedule. The Rules Committee does not yet have a hearing scheduled to formulate the rule for the consideration of HR 2838, but they have asked Members to submit proposed amendments by 10:00 am Thursday.

It seems likely to me that a Rules Committee hearing could be called for Thursday evening with a floor vote on adopting the rule possible Friday. I doubt that the bill itself would actually come to the floor until next week.

Spending Bills


With the November 18th deadline for a spending bill fast approaching the only work officially being done on appropriations bills is the Senate consideration of HR 2112, Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Appropriations Act, 2012. The Senate adopted the Inouye substitute language on the 21st that expanded the bill to cover Commerce, Justice, Science, and related agencies (Division B) as well Transportation, Housing And Urban Development, and related agencies. That means that some chemical safety/security issues and cyber security issues could make their way into this bill as consideration continues this week.

BTW: Rumors are circulating that the House Appropriations Committee is working on another CR that would continue spending until Christmas; not unexpected.

Friday, October 28, 2011

CSB Weighs in on Chemical Security

A report issued yesterday by the Chemical Safety Board (CSB) points out that security is not just an issue at large chemical facilities, or even just necessary to prevent terrorist attacks. They point to 44 fatalities and 26 injuries at relatively isolated oil and gas production sites that could have been prevented if minimal security procedures had been in place. The really sad part of the study indicates that the majority of those affected by the incidents were teenagers.

Incidents


The CSB investigated three recent incidents where there were explosions at remote oil and/or gas production facilities that involved non-employees ‘hanging-out’ at the facility. They also examined reports from first responders for 23 other incidents around the country where news reports identified similar incidents. The victims were essentially trespassing on the facilities, but the storage tanks and processing equipment involved was not protected by fences, gates or signage; all minimal security measures.

The CSB report notes that approximately 85% of the over 820,000 active oil and gas wells in the United States in 2009 were relatively small sites (less than 15 barrel of oil equivalents per day) like those involved in these incidents. There are no federal regulations governing security at these sites and the State and local regulations vary from non-existent to relatively comprehensive (see Table 1 on page 38 of report).

The CSB investigation of these incident uncovered 9 separate finding covered in their final report. They include:

• Members of the public, most often children and young adults, commonly visit oil and gas production sites without authorization for recreational purposes.

• Members of the public gain access to production tanks via attached unsecured ladders and catwalks, and may come into contact with flammable vapors from tank vents or unsecured tank hatches.

• Members of the public, unaware of the explosion and fire hazards associated with the tanks, unintentionally introduce ignition sources for the flammable vapor, leading to explosions.

• The storage tanks did not include inherently safer design features to prevent tank explosions. Safer design features used in the downstream, refining sector would likely prevent tank explosions at E&P sites. These include the use of vents fitted with pressure-vacuum devices, flame arrestors, vapor recovery systems, floating roofs or an equivalent alternative.

• E&P storage tanks are exempt from the security requirements of the Clean Water Act and from the risk management requirements of the Clean Air Act.

Last year (the press release says on April 13th, 2011 when it was actually 2010), early on in this investigation process, the CSB produced a safety video outlining the potential hazards about these storage tanks for the general public. As is typical with CSB safety videos it provides a very clear explanation of the hazards associated with these tanks but it also examines the impact one of the incidents had on the families and community involved.

Security Recommendations


Since the CSB has no regulatory authority of its own, it typically makes non-binding recommendations to various regulatory agencies (Federal, State and local) and organizations that develop standards for the applicable industries. This report provides guidance on security measures to the following bodies:

• The US Environmental Protection Agency;

• The Mississippi Oil and Gas Board;

• The Oklahoma Corporation Commission;

• The Texas Railroad Commission;

• The American Petroleum Institute; and

• The National Fire Protection Association.

Each of the above listed organizations has a slightly different set of recommendation proposed for their action. The differences reflect the nature of the regulatory authority involved and the existing regulations and guidance that require modification. The specific recommendations for the EPA are the most comprehensive; suggesting that the EPA publish a safety alert on the problem identifying the following actions that should be taken under the ‘general duty clause’ of the Clean Air Act (pg 52);

• “Warn that storage tanks at unmanned facilities may be subject to tampering or introduction of ignition sources by members of the public, which could result in a tank explosion or other accidental release to the environment;

• “Recommend the use of inherently safer storage tank design features to reduce the likelihood of explosions, including restrictions on the use of open vents for flammable hydrocarbons, flame arrestors, pressure vacuum vent valves, floating roofs, vapor recovery systems or an equivalent alternative;

• “Describe sufficient security measures to prevent non-employee access to flammable storage tanks, including such measures as a full fence surrounding the tank with locked gate, hatch locks on tank manways, and barriers securely attached to tank external ladders or stairways; [and]

• “Recommend that hazard signs or placards be displayed on or near tanks to identify the fire and explosion hazards using words and symbols recognizable by the general public.”

Now these tanks are certainly not high-risk targets for terrorist attacks; they are not covered by the security requirements of the CFATS program. But minimal security measures need to be put into place to protect these sites from accidental attacks by innocent members of the community.

Thursday, October 27, 2011

CFATS Knowledge Center Update

Yesterday the folks at ISCD added an interesting note in the ‘Latest News’ section of the CFATS Knowledge Center web page. It noted that they had removed eight frequently asked questions (FAQ) and replaced them with Article 1668; “CSAT User Account Passwords”. The eight FAQ dealt with CSAT password issues but Article 1668 provided the same (or more up-to-date) information in a single location.

Actually, this seems to be just a tad bit of FAQ housecleaning. Search for Article 1668 (type ‘1668’ into the search box at the top of the CFATS Knowledge Center page) and you get a link to an article that was last updated on July 13th, 2010. So there is no new information involved here; it is just an attempt to make it easier to access the information. That is always a good thing.

It would have been nice if they had listed the deleted FAQs, people like me like to keep track of these things. Realistically though, unless you had previously printed out the large .PDF file of all of the FAQs, you would never see the deleted FAQs. If you did, just throw it away and download a new one today. You still won’t know which ones aren’t there, but that isn’t really important.

Another Unclassified Duqu Update

Most of us will have missed the third update to the DHS Industrial Control System Cyber Emergency Response Team’s (ICS-CERT) alert for Duqu; it only received limited distribution because it was marked‘FOUO’ and posted on a limited access server. Yesterday, however, a fourth update (this one for general audiences) was published by ICS-CERT. This revision talks about additional variants of the Duqu Trojan that have been found in the wild; variants that may not be detectable by current anti-virus signatures.

There are no new details about targets or authors; and certainly nothing new about the purpose of the Trojan. We are still in the collecting information stage as far as Duqu goes. Still, no one is yet claiming that Duqu has directly targeted industrial control systems, so that is good news of sorts for our community.

The bad news is that Duqu looks more like the flu; it is constantly evolving and changing. That will make it difficult to defend against. With that in mind, this alert provides some ‘new’ ideas for defending against Duqu (page 4):

• Monitor for new and unknown services running on client machines;

• Monitor systems on their network for new files added to system directories such as system32, and system32\drivers; and

• Monitor for network traffic anomalies.

The interesting question that has not been asked is how many control system owners have the time or knowledge base to do this monitoring?

Wednesday, October 26, 2011

ICS-CERT Publishes October Monthly Monitor

This morning the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published the October edition of their Monthly Monitor, a publication that

 highlights recent activities and information products affecting industrial control systems (ICS).

As we have come to expect with this publication we can find a combination of discussions about nearly current (the October issue address issues from September) ICS security issues, descriptions of various ICS-CERT activities, and probably most importantly extensive links to more detailed information. Anyone involved with industrial control systems should make it a habit to read this brief newsletter.

Risk Reporting and Evaluation


In their discussion of the “Dynamic Nature of Vulnerability Reporting and Disclosure” ICS-CERT reminds us that “each issue identified with potential impact to ICS systems must be assessed, understood, and addressed to minimize the overall risk to critical infrastructure and key resources (CIKR) owners and operators”. This appears to be a response to some recent criticism that ICS-CERT is spending too much time responding to common HMI vulnerabilities like those disclosed by Luigi rather than larger problems like general PLC communication security issues. As is usual in controversies of this sort, both sides have valuable points in their favor, making this an issue that needs further ‘frank and open’ discussions to reach a reasonable compromise.

Incident Information


One of the things that this publication does poorly is addressing current incidents. For instance, they mention in passing that:

“ICS-CERT recently responded to a particular incident relating to Internet facing substations. Access to monitoring and diagnostic functions could have been exploited using a known authentication bypass vulnerability. This is but one of many examples that have been brought to the attention of ICS-CERT over the past month.” (page 2)

Generally speaking ICS-CERT cannot report on any details regarding incidents that they respond to. First there is the confidentiality issues concerning system details of supported organizations; if they violate that confidentiality, no one will come to them for help ever again. Secondly they don’t want to give attackers any feedback on how effective their efforts were.

Having said that; it would be beneficial to the ICS community if a little more statistical detail were made available about the types of attacks discussed. Further down the page in a separate article they report that the FY 2011 incidents were up from the previous year (130 vs 40). Similar generic information could be provided about the types of incidents; for example how many internet facing control system incidents were reported? How many of them were just identification of vulnerabilities? How many of them were exploits that had been attempted and how many of those were ‘successful’?

You could have the same type of data available for a variety of incident types; DOS, information theft, system compromise, etc. This data could help industry and researchers prioritize their work.

Uncoordinated Disclosure Credit


More than a few of us that routinely blog about ICS security issues have questioned the ICS-CERT policy of not disclosing the name of researchers that publicly disclose newly discovered vulnerabilities rather than go through a coordinated disclosure process directly through the vendors or through reporting agencies like ICS-CERT. While that remains the official policy of ICS-CERT this edition does give back-door credit to Luigi Auriemma for his most recent batch of disclosures; they quote a PCWorld.com article about the disclosures and include Luigi’s name in that quote.

This final section of the Monitor “Open Source Situational Awareness Highlights” is a valuable contribution to the discussion within the community. I think that there is generally a good mix of sources include, though the quoting of blogs is kind of lite. While the Threat Post blog is quoted twice I have yet to see informative ICS blogs like those by Dale Peterson, Joel Langill, Eric Byres, or even mine (okay that’s a stretch but the other three are important contributors to the cyber security community).

STB Publishes List of Parties to CF Industries Case

Yesterday the Surface Transportation Board published the list of parties to Docket No. FD 35517, the TIH shipping dispute between CF Industries and three subsidiaries of RailAmerica. Actually the STB is considering this case and the case between PPG and another RailAmerica subsidiary since both cases revolve around similar TIH shipping rules imposed by the railroad companies.

The importance of this list is that each party on the list must provide copies of any submissions to the STB to each representative on the list. It is also an indication of who has a stake in the outcome of this dispute beyond the actual parties listed in the original complaints. The organizations represented on this list are:

Industry

CF Industries, Inc.

PPG Industries, Inc

Arkema Inc.

The Dow Chemical Company

American Chemistry Council

The Chlorine Institute, Inc.

The Fertilizer Institute

Railroads

Indiana & Ohio Railway Company

Point Comfort and Northern Railway Company

Michigan Shore Railroad, Inc

Alabama Gulf Coast Railway LLC

RailAmerica, Inc.

CSX Transportation

Union Pacific Railroad Company

Norfolk Southern Corporation

American Short Line and Regional Railroad Association

Association of American Railroads

This case, along with the Canexus v BNSF case also being considered by the STB will almost certainly have a lasting effect on the relationships between TIH shippers and the railroads. Unfortunately, neither will address the underlying issue causing these conflicts; deciding who has financial responsibility for any catastrophic TIH release that results from a rail accident or a terrorist attack on a TIH rail shipment.

BTW: There was an interesting discussion on RailOrders.com this weekend about the Canexus case. That discussion used my blog post as a starting point for their look at this dispute.

CG Advisory Committee Teleconference

The Coast Guard published a notice in today’s Federal Register (76 FR 66313-66314) that the National Maritime Security Advisory Committee would be holding a teleconference on November 15th to discuss working group results from the review of the Draft Certain Dangerous Cargo (CDC) Security Strategy being developed by the Coast Guard. Public participation is being encouraged but there are only 100 teleconference lines available on a first-come first-serve basis.

Readers may recall that the Coast Guard held a series of public meetings on this topic in August. I reported on some of the issues under discussion and it will be interesting to see how these play out in the NMSAC discussions. Specifically the teleconference will address the following five goals of the CDC Security Strategy (76 FR 66313):

• “Provide to internal and external stakeholders realtime national, regional, and local awareness of the risk of intentional attacks on the CDC Marine Transportation System

• “Consistently assess vulnerability to threats of intentional attacks on the CDC Marine Transportation System and mitigate the vulnerability to an acceptable level

• “Dynamically assess the potential consequences of an intentional attack on the CDC Marine Transportation System and capably mitigate, through coordinated response, the impact of a successful attack

• “Lead the development of national, regional, and local resiliency/recovery capability from successful attacks on the CDC Marine Transportation System

• “Establish the internal organization and processes, and external stakeholder relationships, to manage the national maritime CDC security program to an acceptable risk level”

Members of the public that want to do more than just listen to the discussions need submit written materials for consideration or request to make a 2 minute oral presentation by November 7th. Written submissions may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2011-0975). People wishing to make oral-presentations need to contact Ryan Owens (202-372-1108 or ryan.f.owens@uscg.mil).

Tuesday, October 25, 2011

‘Chemical Bomb’ Thrown at Protestors

A short article on WGME.com has created a minor stir on the Internet including calls for a Homeland Security response. The reason for this is that the article describes an incident at the Occupy Maine encampment in Portland, ME; the incident involved a ‘chemical bomb’ thrown at into the tent area. The problem is that the term ‘chemical bomb’ conjures up images of sarin causing multiple, hideous deaths. The device used in Portland had nothing to do with chemical weapons.

The Devices


What the article actually describes is a fairly common device used to ‘attack’ mail boxes across the country; “a bomb made of kitchen chemicals in a Gatorade bottle”.  There are a number of variations of this ‘explosive’ device depending on the particular combination of chemicals used. They all consist of two or more chemicals sealed in a plastic container. The two chemicals react producing some sort of gas. As the gas production proceeds pressure inside of the bottle increases until the plastic container can no longer contain the pressure. The container ‘catastrophically’ fails producing a large pop and spraying the residual chemicals over a relatively small area.

Chemical Risk


Depending on the chemicals used, there may be a minor residual chemical threat involved. If cleaning chemicals (containing ammonia and bleach) are mixed the gas given off is chlorine gas. The amount of this toxic inhalation hazard (TIH) gas produced is seldom more than irritating unless it is detonated in a small enclosed area. A drain cleaner bomb produces hydrogen gas which is flammable, but the main risk is being sprayed by the caustic drain cleaner. Other chemicals produce different hazards.

I want to be careful not to overly minimize the potential chemical hazards associated with these devices, but they are not typically life threatening. Actually, the case can be made that the person assembling the device is at more of a danger of chemical exposure than people in the general area where the device goes off. Of course, no one should handle these devices if they are found without extensive protective clothing and specialized training.

Chemical Explosives


There is a significant portion of the population that over reacts whenever the word ‘chemical’ is used to describe something. Their visceral reaction is due, in large part, to a comprehensive misunderstanding of chemistry; they equate ‘chemistry’ with all sorts of horrors perpetrated upon humanity by multi-national chemical companies.

Take for example the term ‘chemical explosives’; all explosives are chemical explosives (okay an argument could be made for excluding nuclear bombs). They either require a chemical reaction to produce gasses that that in turn produce pressure or they undergo a phase change (from solid or liquid to gas) that results in the increase in pressure. In many cases the reactions are fast oxidation reactions that we generically call fire.

The True Import of this Chemical Bomb Attack


The explosives used in this case do not produce a great deal of energy and any damage is very localized, barely being enough to damage a mail box. In fact, most law enforcement personnel encounter these devices in mailboxes; a common suburban/rural student prank.

While this particular attack was made upon a ‘political’ target, it is very likely that this was a juvenile prank rather than a political attack on the protestors. If it was a political attack, or even a politically motivated prank, it substantially backfired (as such attacks usually do) in that it provided the protestors with some sympathetic press coverage.

Monday, October 24, 2011

EPA Publishes 2nd Methyl Bromide ICR Notice

In today’s Federal Register (published on-line Saturday) the Environmental Protection Agency published their 30-day information collection request (ICR) renewal notice (76 FR 65721-65722) for their methyl bromide phase-out program. The original 60-day notice was published back in March (76 FR 11447).

I didn’t address this ICR when the 60-day notice was published because there were other more pressing items to report on (FY 2011 continuing resolution and the introduction of three CFATS bills). Besides it was a fairly straightforward renewal, the program is winding down (slowly to be sure) and there just wasn’t much to write about.

I almost passed it by again except one thing caught my attention; this notice mentions the fact that there was a comment posted. So I read the notice more carefully looking for a comment about the public-comment and the EPA’s response. There wasn’t one so I checked the burden information included in the notice and found that it had changed since the 60-day notice.

BTW: The one public response had nothing to do with this change. It was an anonymous (J. Public) rant against the continued provision of the exceptions to the phase out of methyl bromide. In a more perfect world the folks at the EPA would have provided a brief response to this comment, even if it was nothing more than the bureaucratic ‘this issue is beyond the scope of the current action’.

Changes in the Burden Calculations


The original 60-day notice provided a pretty detailed accounting of the ‘burden’ imposed by this program. It included the following information:

• 52 Applicants – 1976 hours
• 4 Producers – 188 hours
• 75 Distributors – 975 hours
• 2000 End Users – 575 hours
• Total reported burden – 3714 hours
• Total respondents – 2131

Today’s notice doesn’t go into anywhere near the detail (typically the 30-day notices don’t) but it does provide the total burden and respondent numbers and they don’t match the 60-day notice. The new numbers, along with the change from the 30-day notice, are listed below. The notice does not explain (or even mention) the change.

• Number of Respondents 1919 (212 Change)
• Total Reported Hours 3258 (456 Change)

Now I suspect that the decrease is due to recent changes in the program where the EPA canceled some registrations for the use of methyl bromide since there were now ‘technically and financially feasible’ alternatives available. It certainly would have been nice, however, if the drafters of this notice had deigned to mention this fact. The whole purpose of this ICR exercise is to provide both the public and OMB a full accounting and justification for the reasons that the public is being required to provide information to the ‘Guvmint’.

Care always must be taken to prevent the arrogancy of bureaucracy from getting to be too great.

Public Comments

Public comments are being solicited by EPA on this notice. The EPA continues to allow the use of the Federal eRulemaking Portal (www.Regulations.gov; Docket number EPA-HQ-OAR-2011-0085) for these submissions. All comments need to be posted by November 23, 2011.

NOTE: A copy of this blog posting will be added to the public docket on this ICR.

Sunday, October 23, 2011

PHMSA Pipeline ICR 30-Day Renewal Notice

On Monday morning (it was actually published on-line on Saturday) the Pipeline and Hazardous Material Safety Administration (PHMSA) published a follow-up notice in the Federal Register (76 FR 65778-65779) that they would be requesting that the Office of Management and Budget would approve a three year extension of some of the information collection requests (ICRs) that support their pipeline safety program. This 30-day notice follows their 60-day notice that was published back on August 1, 2011.

I typically don’t write about these follow-up notices since very few people ever avail themselves of the information to file a comment on the government’s paperwork burden on industry. Again, there were no comments filed on the earlier notice during the 60-day comment period. And my readers know that I never beat dead horses (well, only a few).

In this case I will make an exception since PHMSA is making two substantial changes to this ICR. First they are eliminating one ICR and then they are merging two ICRs.

Excess Flow Valves – Customer Notifications


PHMSA begins their listing of ICRs by explaining that pipeline operators “are no longer required to provide notifications about excess flow valves to service line customers” (76 FR 65778) so they are discontinuing the ICR that supported that old requirement. This was not mentioned in the earlier notice. Of course I’m sure that any number of operators will complain about the end of this ICR (just a little sarcasm).

Pipeline Integrity Management


There are currently two different ICR’s supporting PHMSA’s pipeline integrity management program for pipelines in High Consequence Areas; one for operators with less than 500 miles of hazardous liquid pipelines (2137-0605) and one for those with more than 500 miles (2137-0604). PHMSA is merging the two ICRs into one under a retitled 2137-0605; Integrity Management in High Consequence Areas for Operators of Hazardous Liquid Pipelines (76 FR 65779).

Public Comments


As is required under federal law, PHMSA is soliciting public comments about the renewal, elimination and modification of these ICR’s. Public comments need to be submitted by November 23, 2011, directly to OMB. There are no provisions in this notice for electronic submissions; only a mailing address is provided. That address is:

OMB
Office of Information and Regulatory Affairs
Attn: Desk Officer for the U.S. Department of Transportation (PHMSA)
725 17th Street, NW.
Washington, DC 20503

Typically, these 30-day notice comment solicitations include either an email address or fax number for the OMB submission. There isn’t one in this case and OMB is too good to use the Federal eRulemaking Portal (www.regulation.gov) for managing their public comments.

Saturday, October 22, 2011

Senate Report on S 473 Available

Earlier I wrote that the Senate Homeland Security and Governmental Affairs Committee had reported S 473, the Continuing Chemical Facilities Antiterrorism Security Act of 2011, without a written report. The written report was submitted this week and published yesterday by the GPO.

The only new information in the report is the Congressional Budget Office cost estimate (pages 5 and 6). It notes that there might be a small, but inconsequential increase in income to the Federal government because of fines levied under the program. They note that the program would cost the government $267 million over the period of 2012-16. Interestingly this estimate assumes that DHS will continue spending about $67 million in 2015 and $26 million 2016 after the Collins’ extension expires.

Industrial Industry Manufacturers Clarified

Okay, I have an semi-official (here is what we meant, but please don’t quote me) clarification of what Symantec was trying to say when they came up with the phrase ‘Industrial Industry Manufacturers’ it means “industrial control system manufacturers and any other organizations who provide solutions to industrial facilities”. In other words anyone that makes the software or hardware used to control industrial processes; with hardware being used in the manufacturing plant terminology (not limited to control system terminology) to include pumps, valves, motors, frequency converters, pipes, etc.

Good; This I can understand. From a process chemist’s point of view that covers a whole bunch of stuff that I hadn’t worried much about from a security perspective before. But it certainly makes a lot of sense if you think about how you might go about destroying a manufacturing facility. You could just randomly operate relays and that would almost certainly screw up production and/or quality but might not shut down a facility. To shut down a facility you need to be able to destroy equipment (catastrophically if possible). To do that remotely you need to understand the design criteria and the various failure modes of that equipment. That’s all information that the equipment manufacturer will probably have on hand on some networked computer somewhere.

When I worked with the Intel (tactical level only) folks for a brief period in the Army they had a very interesting counter-intelligence term; EEFI – Essential Elements of Friendly Information. It was used to describe the information that the Commander did not want his enemy to know about his forces. So from an industrial security perspective (protecting the facility not just the cyber systems) it looks like whoever wrote Duqu was targeting our (the collective good guys) EEFI.

That’s even scarier than just Stuxnet…

BTW: That really seems to make the latest ICS-CERT update extremely confusing. Perhaps they should have said Duqu was not just [emphasis added] targeting ICS vendors.

ICS-CERT Updates Duqu and Luigi

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) issued a second update to their alert about the W32.Duqu Trojan and provided an advisory for one the round-2 Luigi vulnerabilities (leaving by my count just two round-2.1 vulnerabilities unaddressed by vendors).

Duqu and ICS Vendors/Systems


Did Duqu get over hyped? Well the latest update to the ICS-CERT alert would certainly seem to indicate that. The lead paragraph to the updated section states:

“ICS-CERT, in close coordination with Symantec and the original researchers, has determined after additional analysis that neither industrial control systems nor vendors/manufacturers were targeted by Duqu [emphasis in original]. In addition, as of October 21, 2011, there have been very few infections and there is no evidence based on current code analysis that Duqu presents a specific threat to industrial control systems.”

Boy doesn’t that make Symantec seem to be a tad bit overblown in their report? Maybe, but it gets less clear when you go to the Symantec blogs and see what they have to say. This is from Eric Chien on their late night update yesterday:

I wrote Symantec's original blog post describing the discovery of Duqu. In that blog I use the term "industrial control system manufacturers" and (after discussions with a variety of parties) we want to change that term to "industrial industry manufacturers" to more accurately define where Duqu has been found. We already made this change to our paper.”

Okay, can someone please explain to me what an ‘industrial industry manufacturer’ is? Symantec doesn’t define the term but they do note that the change in language doesn’t affect who they think is at risk. Then they add this clarifying remark:

“Considering the history of Stuxnet, the potential of the same attackers, and currently known targets, we urge industrial control system manufacturers and any other organizations who provide solutions to industrial facilities to audit their network for Duqu. The command and control IP is a reliable network indicator of Duqu infection for all the variants discovered so far.”

Well, it is still early in the Duqu story and if Stuxnet is any clue we will be talking about updates for quite some time.

Updates for Luigi 2.0


Okay that (Luigi 2.0) is my term so I better explain it; it refers to the second batch of multiple disclosures made by Luigi Auriemma back in September. There have been some individual disclosures made by Luigi since then they could be numbered 2.X sequentially. If he makes another mass disclosure it would be 3.0. Enough about terminology…

The last of the 2.0 disclosures was addressed in the ICS-CERT advisory issued yesterday and it dealt with the Progrea Movicon HMI. Three vulnerabilities were addressed, two buffer overflows (CVE-2011-3491 and CVE-2011-3498) and one memory corruption (CVE-2011-3499). A ‘hot fix’ has been developed by Progea to address these vulnerabilities.

According to the ICS-CERT Advisory a low skilled attacker could remotely exploit these vulnerabilities to conduct a DOS attack. A ‘skilled attacker’ (Sorry guys an ‘attacker with a low skill level’ is still a ‘skilled attacker’; your terminology needs to be cleaned up; try at least a ‘more skilled attacker’) could exploit these vulnerabilities to execute arbitrary code.

Friday, October 21, 2011

S 1665 Introduced – Coast Guard Authorization

Earlier this month (and just published this week by the GPO) Sen. Begich (D, AK) introduced S 1665, the Coast Guard Authorization Act for Fiscal Years 2012 and 2013. Begich is the Chair of the Oceans, Atmosphere, Fisheries, and Coast Guard Subcommittee of the Senate Commerce Science and Transportation Committee which is why he gets the blame for this piece of weak legislation.

There is nothing in this bill that addresses chemical security or safety issues. In fact, the Coast Guard’s homeland security mission is completely ignored in this bill. For instance §101(a)(3) provides the following as a list of Coast Guard missions to be supported by R&D funding:

• Search and rescue;  
• Aids to navigation;
• Marine safety;
• Marine environmental protection;
• Enforcement of laws and treaties;
• Ice operations;
• Oceanographic research; and
• Defense readiness.

I suppose that the MTSA community should be happy that there are no new requirements added in this bill, but it does appear that the reason is not that the regulatory environment is completely covered but more because of a lack of attention.

Thursday, October 20, 2011

ICS-CERT Issues Duqu Update, New Advisory and New Link

Today was a busy day for the folks at the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT); they updated their alert on Duqu, they published a new advisory on a completely separate control system issue and updated the bad link previously identified by some muckraker.

Duqu Update


Less than a day after their initial information alert on w32.Duqu, ICS-CERT provides some added details (presumably supplied by Symantec and/or McAfee) that may allow targeted vendors to identify if their systems have been attacked by Duqu. They provided the command and control server IP address (already shut down according to the alert) and recommended that network and proxy logs be checked for communications with that IP; a sure sign of past or current infections.

They also noted that organizations should update their ‘antivirus definitions’ to allow for detection/prevention of present or future attacks (both McAfee and Symantec have announced that such definition updates are available for their products).

A strange question occurred to me today while reading some of the other conversations and articles about Duku; does this sound like a coordinated disclosure to anybody? I know… this is really a vulnerability in a ICS system so maybe ‘coordinated disclosure’ is not really a proper term to use. But, it does seem to me that the same reasoning should apply; keeping this quiet should have allowed ICS-CERT to coordinate with the relatively small targeted community to detect and isolate this particular Trojan. A public disclosure like this gives the perpetrators too much information about the mistakes that they made that allowed them to be detected.

The reason that I ask is that if this wasn’t the equivalent to a coordinated disclosure (and there is no indication that ICS-CERT got any earlier warning than did the rest of us) why do Symantec and McAfee get their names mentioned when researchers like Beresford and Luigi get specifically un-named? I know what I suspect the answer is, but I’ll leave that as an exercise for the reader.

Schneider Electric Advisory


This new advisory addresses a buffer overflow vulnerability reported (in a coordinated fashion) by Kuang-Chun Hung from the Information and Communication Security Technology Center (ICST) in a device driver used by six different software packages from Schneider Electric.



The ICS-CERT advisory notes that an attacker with a low skill level could use this vulnerability to execute a denial of service (DOS) attack. It would take a more skilled individual to use the vulnerability to execute arbitrary code. Both types of attacks could be remotely executed.

Schneider Electric has published a patch and provided customers with notification describing the vulnerability. The effectiveness of the patch has been verified by ICST.

CSSP Year in Review


Earlier today I noted the bad (incorrect) link associated with the publication of the CSSP Year in Review. The folks at the DHS Control Systems Security Program have corrected that problem and there is now a good link to a pretty PR-document.

Leading people to believe that this is a review of the work that CSSP has done during the last fiscal year is misleading at best. There is a single 8-bullet listing on page 3 that explicates (very broadly and briefly) the accomplishments of CSSP.  For example the first bullet point is:

“• ICS-CERT fly-away teams were deployed to seven organizations over the fiscal year (FY).”

Don’t get me wrong; I understand that these fly-away teams provide an important functional capability, but that is not even addressed. But, we now know that they deployed.

Unfortunately, the things that I was hoping to see addressed did not make the cut. In my quick skim of the 16 pages (filled with color photos) I did not see a single mention of Stuxnet, Beresford v Siemens or Luigi v HMI. Oh well good PR is always valuable for organizations, particularly for public funded organizations.

CSSP Year in Review???

I actually started to write this post yesterday evening, but held off to see if the folks at ICS-CERT or one of the other readers would catch/correct this….

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) posted a cute graphic on their web page with a note beside it; “CSSP Year in Review – FY 2011”. Unfortunately, the link takes one to an earlier alert that has nothing to do with the publication. Too bad, I was hoping to see what ICS-CERT had to say about issues like Stuxnet and Beresford and Luigi in hind sight.

Wednesday, October 19, 2011

OMB Receives Declassification Final Rule

Yesterday the Office of Management and Budget (OMB) announced that it had received for review the final rule for Declassification of National Security Information from the National Archives and Records Administration. This rule would implement changes to the National Security Information declassification processes mandated by §3.7 of EO 13526.

Actually, I think that this OMB announcement may be in error, I believe that this was the notice of proposed rulemaking (NPRM) not the final rule that was submitted. According to the Spring 2011 Unified Agenda the NPRM was supposed to have been published in June, but I can find no record on the RegInfo.gov web site that it was.

This rule may be of interest to the chemical security community because of its derivative impact on DHS implementation of EO 13549 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities [including fusion centers]) and potentially the sharing of intelligence information with the chemical security community.

S 473 Reported in Senate – CFATS Extension

On Monday the Senate Homeland Security and Governmental Affairs Committee favorably reported S 473, the  Continuing Chemical Facilities Antiterrorism Security Act of 2011. There is no written report but the revised version of the bill is now available from the GPO; no new surprises there.

The bill is now ‘placed on the calendar’ in the Senate and ‘could’ be considered at ‘any time’. While Sen. Collins (R,ME) is reportedly pressing for its consideration, I continue to suspect that she will have a hard time getting it to the floor. If it does get to the floor it is very likely (almost certainly) to get bogged down in the amendment process.

We now have three CFATS extension bills reported out of Committee with no word when or if they will be considered by their respective houses.

ICS-CERT Issues W32.Duqu Alert

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published a rather extensive alert concerning the W32.Duqu remote access Trojan (RAT). The relative wealth of detail (for an alert) is possible because of the detailed report published yesterday Symantec. Duqu (‘dyü-kyü’ for the ‘~DQ’ prefix for some of the files in the Trojan) was discovered in the wild by an as yet unnamed ‘research lab with strong international connections’ who reported it to Symantec.

No one is reporting that Duqu is currently targeting industrial control systems, but Symantec (and by extension ICS-CERT) are claiming that it targets ICS manufacturers. McAfee reports, however, that it is targeting Certificate Authorities (CAs). In any case the current versions (at least two versions appear to have been discovered in the wild) appear to be information acquisition malware rather than an actual attack vector.

What has caught the attention of many in the cyber security community (see Dark Reading or SC Magazine for example) is the fact that some of the code in Duqu appears to come from Stuxnet. Symantec bloggers write that this new Trojan “is essentially the precursor to a future Stuxnet-like attack”; explaining that the attackers are “looking for information such as design documents that could help them mount a future attack on an industrial control facility”. If that is true, this ICS-CERT alert could be closing the proverbial ‘barn door’ since variants of this malware appear to have been in circulation since December of last year.

What is certain is that we have not heard the last of Duqu.

Tuesday, October 18, 2011

Senate Amends and Passes S 275 – Pipeline Safety

Yesterday the Senate passed S 275, the Pipeline Transportation Safety Improvement Act of 2011. Two amendments to the reported language; one administrative and one substantive; along with the bill were all adopted by unanimous consent with no debate.

New Regulations Required


The substantive amendment offered by Sen. Paul (R,KY) adjusted some dates in the sections 26 thru 29 reflecting the fact that it is already FY 2012 and 2011 is nearly over. More importantly a new sub-section was added that would require the Secretary to “prescribe regulations for conducting tests to confirm the material strength of previously untested natural gas transmission pipelines located in areas identified pursuant to section 60109(a) of title 49, United States Code, and operating at a pressure greater than 30 percent of specified minimum yield strength” {§27(d)}.

Section 27 had already required operators to conduct such testing but there had been no provisions for the establishment of regulations specifying how that testing should be conducted. This addition corrects that shortcoming.

Moving Forward


The Senate was the first to get their pipeline safety bill passed so it will be their language that probably gets ignored in the other house. The House will probably take up this bill fairly quickly and substitute language already adopted by committee for the language in this bill. In this case that will probably be HR 2937 that was passed by the House Energy and Commerce Committee on September 21st (Note: the committee report on that bill has yet to be published).

Other Bills are Now Dead


With the Senate taking up this bill S 234, the Strengthening Pipeline Safety and Enforcement Act of 2011, has essentially been killed. While not nearly identical to S 275 the two bills overlap enough that there would endless confusion if it was considered and passed. The fate of S 1502 is not nearly so clear. That bill specifically addresses pipelines and river crossings and could still receive consideration. Actually, I’m surprised that its language wasn’t offered as an amendment to this bill. Since it is slightly more controversial than S 275 the Senate leadership may have wanted to avoid having a combined bill that might require debate and amendment.

Reader Comment – Coast Guard TWIC ANPRM

Maritime Protective Services and his comments on all things Coast Guard are always valuable. This time he points us at §809 of the Coast Guard Authorization Act of 2010 as a possible topic for the ANPRM.

Section 809 Provisions


In summarizing the provisions of that section John writes:

“In a somewhat convoluted way, section 809 reduces the number of people required to have TWICs by limiting these TWIC requirements to those people serving on vessels that have MTSA Vessel Security Plans.”

John’s comment goes on to explain some of the potential problems with that provision and its potential effects on chemical facilities. His comment is relatively brief but well worth reading, as usual.

Other TWIC Provisions


John’s comment caused me to go back and look at my earlier blog posting about the final version of that bill when it passed last year. I completely missed the potential import of §809, but it is one of those convoluted amendments that you see packed into these authorization bills. In any case I did briefly summarize some other TWIC provisions that might also be included in this ANPRM. I wrote:

The TWIC program continues to attract Congressional attention. Section 814 allows the use of a “secondary authentication system to verify identification” when an individuals fingerprints cannot be taken or read. Section 815 requires an assessment of the adequacy of TWIC enrollment sites. Section 818 addresses the time it takes to get a TWIC issued, both allowing escorted access to individuals awaiting a TWIC to be re-issued and requiring studies about the time it takes get cards issued. And §819 allows the Secretary to extend TWIC expirations to align that expiration with “the expiration of a license, certificate of registry, or merchant mariner document”.

Again, there is nothing in the OMB announcement that would provide a clear indication which, if any of these provisions may be addressed in the proposed regulations. If, in fact, this ANPRM does address provisions of this Authorization Bill, it doesn’t explain why the Administration did not include this in their Spring Regulatory Agenda.

Monday, October 17, 2011

ICS-CERT Warns of Anonymous Potential to Attack Control Systems

Thanks to the folks at PublicIntelligence.net for posting a copy of the FOUO bulletin from DHS ICS-CERT concerning their assessment of the threat from Anonymous to attack control systems. ICS-CERT looks at reports that Anonymous has recently expressed an interest in targeting industrial control systems (ICS). They look at open source reports related to capabilities and intentions.

WARNING: Under the Obama Administration’s WIKI leaks doctrine government employees and contractors accessing this document or discussing its contents on the internet may be liable to disciplinary actions up to and including dismissal.

The summary of the document states that:

“While Anonymous recently expressed intent to target ICS, they have not demonstrated a capability to inflict damage to these systems, instead choosing to harass and embarrass their targets using rudimentary attack methods, readily available to the research community. Anonymous does have the ability to impact aspects of critical infrastructure that run on common, internet accessible systems (such as web-based applications and windows systems) by employing tactics such as denial of service. Anonymous’ increased interest may indicate intent to develop an offensive ICS capability in the future. ICS-CERT assesses that the publically available information regarding exploitation of ICS could be leveraged to reduce the amount of time to develop offensive ICS capabilities. However, the lack of centralized leadership/coordination and specific expertise may pose challenges to this effort.”

Politicizing Hacking


The increasing politicization of the hacktavist community probably increases the potential threat of successful attacks on industrial control systems. While there are probably only a small minority of that community with an interest in attacking chemical controls systems for political reasons, the general anarchistic nature of the hacktavist community ensures that there will be a significant amount of information and assistance available for anyone within that community desiring to conduct such attacks.

Moreover, unsuccessful or partially successful attacks are sure to encourage apolitical members of the community to press those attacks to completion just to establish or increase community credibility.

Known terrorist or extremist groups desiring to attack chemical facilities to turn them or their products into chemical weapons have long been the concern of security professionals and politicians, even though these potential attacks are low probability events. This possibility of hacktavist attacks raises the stakes by increasing the universe of potential attackers; attackers that will be harder to detect in the pre-attack process.

Negative Comments about Siemens


In the closest thing that I have seen from ICS-CERT to expressing concerns about Siemens control systems; the report notes that an anonymous (as opposed to Anonymous I suppose) individual tweeted about access to multiple Siemens control systems. While ICS-CERT doubted the extent of those claims, they did not that the code published could be “used to create password dump files for a human-machine interface control system software product from Siemens” (page 2).

They also noted that additional code published by the individual “is used in server communication with control system devices such as programmable logic controllers, remote terminal units, intelligent-electronic devices, and industrial controllers”. ICS-CERT notes that this is not directly exploitable code but is a necessary prequel to producing that code.

Preventing Attacks


The ICS-CERT report closes with:

“Asset owners and operators of critical infrastructure control systems are encouraged to engage in addressing the security needs of their control system assets.”

This is extremely helpful information (pardon the sarcasm), but it is a valid point. It would be more helpful and valid if ICS-CERT hadn’t put FOUO markings on this document; allowing wider dissemination of the document. It could have actually been posted on the ICS-CERT open web page, for instance.

BTW: ICS-CERT authors need to pay a little closer attention to their paragraph classification markings (those codes at the beginning of the paragraph that tells readers which portions of the document actually contain protected information). The first paragraph under the “ICS-CERT Assessment of Capabilities” clearly should be marked ‘(U)’ since it just describes a TWITTER post; clearly not protected information.

House HS Committee Marks-up HR 3116 – DHS Authorization

Last week in two days of hearings the House Homeland Security Committee marked-up HR 3116, the Department of Homeland Security Authorization Act for Fiscal Year 2012. The lengthy hearing was necessary because of the more than 70 offered to Chairman King’s substitute language to the bill. While the adopted amendments came from members of both parties, the final vote on passage was a very partisan vote of 20 to 12.

As I mentioned in my earlier posting about this bill there is very little that directly addresses chemical or cyber security matters; much the same can be said about the amendments that were considered. Only four of the adopted and one of the rejected amendments dealt with chemical security matters (very broadly speaking) and only two of the rejected amendments dealt with cybersecurity matters.

Ammonium Nitrate Security Program


There is only one amendment that directly addresses chemical security issues and it was introduced by Ranking Member Thompson (D,MS). The amendment would add a new section modifying the underlying authorization authority for the Ammonium Nitrate Security Program. It addresses some technical issues with the definitions of ‘ownership’ and ‘possession’ that will have to be addressed in the interminably pending DHS regulations.

More importantly it would require DHS to exempt “persons engaged in transportation activities” from coverage under this rule. This is another attempt to ensure that people already vetted under the TWIC program do not have to be re-vetted under another program. Unfortunately, the broad wording of this amendment will cause problems for the regulation drafters (who already have enough problems with the Ag folks) in that it would not technically allow for even checking of the TWIC.

Chem and Bio Testing Equipment


The issue of evaluating chemical detection equipment was addressed by an amendment introduced by Rep. Turner (R,OH). This would require DHS to establish a “test and evaluation program for commercially available chemical and biological detection equipment” {Amendment (e)(1)}. Unfortunately the copy of this amendment available on the Committee web site so it isn’t clear how Turner expects DHS S&T to pay for this program.

TWIC


Two of the five chemical related amendments dealt with the Transportation Workers Identification Credential (TWIC); one adopted and one rejected. Both amendments closely paralleled separate bills addressing the same issues.

Rep. Richmond’s (D,LA) Amendment #1VV addressed TWIC application and renewal processing. This amendment very closely mimics HR 3173, co-sponsored by Richmond. That bill and this amendment would only allow the TSA to require an applicant or renewant (okay I made up that word) to make one visit to a “a designated enrollment center except in cases in which there are extenuating circumstances” {Amendment(b)} for purposes of enrollment, activation, issuance or renewal of a TWIC. The way the amendment is actually worded a renewant would not have to physically appear having already made at least one trip to the enrollment center.

In passing this amendment the Committee is ignoring the recommendations of the GAO, TSA and the requirements of Federal Information Processing Standards (FIPS) Publication 201-1 (addressed in an earlier blog post). They are bowing to political pressure from both unions and many TWIC related companies (so support from political bases of both parties). Once again politics trumps security.

The rejected TWIC amendment was introduced by Ranking Member Thompson and would have extended the expiration dates of current TWICs until December 31, 2014 or whenever DHS implements their final TWIC Reader regulations, whichever comes first. This was nearly identical to HR 1105 introduced by Thompson. Thompson wanted to avoid possible problems that might arise if the TWIC Reader regulations require some changes in the physical TWIC.

Maritime SAR Immunity


Rep. Rigell (R,VA) introduced an amendment that would have added specific language to the suspicious activity reporting (SAR) immunity provisions of this bill that would include maritime SAR reports. The language is much different than was included in Rigell’s HR 2846 but it accomplishes the same thing.

NOTE: I must admit that I have not included any mention of a number of failed amendments that Democrats introduced that would have attempted to address their concerns with the potential profiling issues they see involved in the SARs immunity issue. We will undoubtedly see these re-introduced and rejected if and when this bill gets to the floor of the House.

Cybersecurity


Both cybersecurity related amendments were rejected on party line votes and were introduced by Rep. Clarke (D,NY). The first would have changed NPPD to the Directorate of Infrastructure Protection and Cybersecurity and establish the National Cybersecurity Division within that Directorate. There was nothing really substantive about cybersecurity issues in that amendment.

The second amendment would have required DHS to train State and local law enforcement personnel on “cybersecurity standards, procedures and best practices” {Amendment (b)(1)}. Actually this would only be a pilot training program. This appears to be primarily directed at protecting law enforcement networks rather than any other information systems. It certainly would not address control system security.

Sunday, October 16, 2011

Congressional Hearings – Week of 10-17-11

The House will be working at home this week with two pro-forma sessions; one on Tuesday and one on Friday; this leaves only the Senate to be holding real hearings (though the House Homeland Security Committee is holding a couple of Field Hearings). There is only one hearing on the Senate side that is of potential interest to the chemical security community and that deals with pipeline safety.

On Tuesday the Senate Committee on Commerce, Science, and Transportation will hold a hearing on “on the findings of the National Transportation Safety Board’s investigation into the San Bruno accident and pending pipeline safety legislation”. While the Committee web site doesn’t explain what legislation that they will be looking at, there are only three bills pending in the Senate; S 234, S 275, and S 1502; that deal with pipeline safety. S 275 has already been reported by the Committee and S 1502 deals with river leaks; so I expect that S 234 is the one that will looked at.

OMB Receives New CG TWIC ANPRM

On Friday the Office of Management and Budget (OMB) announced that they had received a new advance notice of proposed rulemaking (ANPMR) from the Coast Guard concerning the TWIC program. This new rule was not included in the Spring Unified Agenda so details are sketchy at best. The OMB notice does state that the rule pertains to ‘requirements for mariners’ so this new rule may not pertain to MTSA covered chemical facilities.

I would expect that it will be at least a couple of months before we see this ANPRM published in the Federal Register.

Friday, October 14, 2011

FRA Extends Comment Period on PTC Revision Rule

Today the Federal Railroad Administration published a notice in the Federal Register (76 FR 63899-63900) announcing that they would be holding a public meeting next month of their proposed revision to their Positive Train Control implementation regulations. They will also extend the comment period to allow comments on the public meeting.

The public meeting will be held on November 10th, 2011 in Washington, DC. The rule comment period will be extended until November 25th.

The FRA is requiring prior registration to make presentations at the meeting with a requirement to provide advance copies of any oral presentations. This needs to be accomplished 5 working days before the meeting. The information needs to be provided to Michelle Silva in the FRA’s Office of Chief Counsel by mail, fax (no fax number given in Notice), or email (michelle.silva@dot.gov).

ICS-CERT Addresses Another Luigi Vulnerability

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published a new alert for reported vulnerabilities in the MICROSYS Promotic HMI; the same vulnerabilities that Luigi posted on his web site yesterday. Of course, ICS-CERT does not mention Luigi in their Alert.

NOTE: Luigi recently Tweeted® about this failure of ICS-CERT to acknowledge uncooperative disclosers. He wrote:

“[D]oes ICS-CERT know the difference between credits and reporting the original source of an information? security through obscurity or spite?”

Three vulnerabilities are identified and all are exploitable remotely. The vulnerabilities are:

• Directory Traversal – Data leakage;

• Stack Overflow – DOS, possible remote code execution; and

• Heap Overflow – DOS, possible remote code execution.

BTW: ICS-CERT has published a new public key to be used in encrypting sensitive communications (reports of a cyber-attack, for instance) being sent to ICS-CERT.

Thursday, October 13, 2011

Movement on CFATS Authorization?

There was a brief note today on SmartBrief.com about some possible movement on passing a CFATS authorization bill. It referenced an article on EENews.net that claims that Sen. Collins (R,ME) “will seek to have the full Senate vote on her bill reauthorizing the Chemical Facility Anti-Terrorism Standards program for three years”. Unfortunately EENews.net is a subscription only service so there are few details supporting that claim.

Politics


While Sen. Collins’ support for CFATS is well known, and she managed to get S 473 through the Senate Homeland Security Committee without and IST provision, I doubt that she has the political power to get her bill considered on the floor of the Senate. Too many liberal Democrats won’t back a bill that doesn’t include one or more of the following:

• Inherently Safer Technology (IST) language beyond the bill’s voluntary program;

• Worker protection against unreasonable use of security background checks;

• Worker participation in the security planning process;

• Enhanced whistleblower protection; and

• More public information about high-risk chemical facilities.

Interestingly there is no mention of her CFATS bill on her official web site and no recent mention of the bill on the Senate Homeland Security and Governmental Affairs web site that she prominently shares with Sen. Lieberman (I,CT). That certainly doesn’t mean that she isn’t working behind the scenes to push for consideration of her bill, but one would expect at least some public mention on one or both of those sites.

Riders


The SmartBrief.com piece briefly mentions another option; it notes that she “may also consider attaching the bill as an amendment to other legislation”. This is certainly how the CFATS program came into being in the first place. But that was as a compromise measure while the political process could put together a more comprehensive program. With the CFATS program in place, it would be harder to justify a one-sided compromise as an alternative to the current one-year extensions of the CFATS authority.

Having said that there are two possible bills that are large enough to make CFATS a minor provision and would have some chance of garnering enough non-CFATS support to make it difficult to remove the language from the bill. Those are the DHS Authorization bill (which has yet to make to the floor in either house since 2003 when the Department was formed) or the DHS spending bill which this year will probably be added to another spending bill since the original House bill (HR 1700) was used for the Continuing Spending Act.

The problem with this process is that the attempt to add it to either bill would have to come on the Senate floor with all of the debate limitations that that entails. The Senate DHS Authorization Bill has already been marked up in the Senate Homeland Security Committee so Collins cannot attach it in Committee to that bill and her Committee does not get involved in the markup of spending bills.

There is no rule that says that the CFATS rider would have to be attached to either of these two bills, but it would be difficult (though certainly not impossible) to find another bill that is close enough in subject matter to not fly in the face of even the Senates rather loose rules about legislative subject matter. But, unless it is added during a Senate Homeland Security markup hearing, she would still have to face the debate rule problem in adding the CFATS language to another bill.

Finally, I don’t think that the Committee would let her attach the current CFATS language from S 473 to another bill. Too many people, including Chairman Lieberman, wanted to see IST language added to that bill, but acquiesced to be able to report a bipartisan bill from Committee. They went along because they knew that they could attempt to add their pet provisions (and vowed in the mark-up hearing to do so) on the floor or, failing that, they could block passage by manipulating Senate debate rules.

Possible Compromise


As I have said numerous times, I don’t think that a comprehensive CFATS authorization bill with a realistic expiration date can pass in current political climate without significant compromise between last sessions’ HR 2868 and just about any of the bills under consideration in the House or Senate (Lautenberg’s bill, S709 doesn’t count; no one is considering it even in the friendly Senate Environment and Public Works Committee).

Readers might remember that I proposed just such compromise language back in November of last year. It might be a good time for people to take a look at that as starting point for putting together a workable compromise for a long-term CFATS extension bill.
 
/* Use this with templates/template-twocol.html */