Monday, December 31, 2012

S 3454 Passes in House – Intel Authorization

This evening the House passed S 3454 in a bipartisan vote of 373 to 29. The Intelligence Authorization Act for FY 2013 contains a few cybersecurity provisions, one of which requires the Director of National Intelligence to report to Congress on the security implications of buying foreign-made cyber-components that are manufactured by organizations that are part of, or closely linked with, adversarial governments.

Reader Comment – 12-30-12 – Vulnerable Facilities

Dale Peterson, a longtime reader and cybersecurity blogger/expert, left an interesting comment on yesterday’s post about industrial feedlot vulnerabilities. He noted that:

“A lot of control systems may not be critical infrastructure but have a big impact on an individual or business if compromised.
“A few years back we did an assessment at a prominent University. One of their big concerns was a multi-hour electrical outage or HVAC failure could wipe out numerous grad and doctoral students' research projects.”

Dale is absolutely correct; everyone that owns any kind of control system has something to lose if that control system is compromised, even if it is nothing more than the inconvenience of not being able to open your garage door. Of course, the same could be said about concerns about the general reliability of the system.

Risk Assessment

This is the reason that all control system owners, down to the garage-door opener owners, need to conduct a risk assessment for their systems. I think that a realistic risk appraisal by most ICS owners would not show a high threat of terrorist attack. Critical infrastructure facilities would probably be an exception, as would some other facilities where a specific group has an ax to grind with the facility owner/operator (our feedlot example, for instance). On the whole, however, most facility owners do not have to worry about terrorist cyber-attacks.

Two other types of outsider cyber-attacks should be considered in any reasonable risk assessment: electronic thieves and ruthless competitors. Electronic thieves may be after anything of value, including ‘protection payments’ for not shutting down the control system. Ruthless competitors (and that includes some nation-states) could be after process information or be trying to compromise the integrity of the control system to put competitive production at a disadvantage.

There is one other form of outsider attack that is probably going to become more prevalent now that the vulnerabilities of control systems and their internet accessibility are becoming better known: script kiddies. These are frequently adolescent (not necessarily age defined) individuals seeing what they can accomplish to make a name for themselves. As more ICS attack tools become generally available on the Internet, the number and exploits of these denizens of the dark side of the Internet will become more of a problem for control system owners.

The most common form of cyber-attack for most facilities does not come from an outsider. Most ‘attacks’ will come from within the firewall and may be deliberate attacks by employees or contractors with personal grudges or, probably more common, accidental ‘attacks’ where employees or contractors inadvertently do something that has some sort of disruptive effect on the system. The last category is probably the most common form of control system incident and needs to be better documented.

Control System Vulnerabilities

All of the control system vulnerabilities that are reported by folks like ICS-CERT, vendors (like the Siemens-CERT) and independent security researchers (white hats) make any of the above described attacks easier. As these vulnerabilities are discovered and mitigated (or mitigations are developed) it is the responsibility of the ICS owner to ensure that the mitigations and protective tools are applied to their systems.

Unfortunately, I would suspect that the vast number of control systems do not have systems engineers available to track vulnerabilities and implement protective mitigations. Large company systems probably have some level of protective services available, but most small company owners that employ the lower cost systems have no idea that the vulnerabilities exist, much less how to protect them.

The Solutions Are Not Easy

The ‘easy answer’ would be to require vendors to push vulnerability reports and mitigation measures to the owners. There are a couple of problems with this. First, many systems are not sold directly by the vendor, so the vendor has no way to contact all of the owners. Second, for systems where a direct push of new versions and updates to the ICS is possible (and we have seen more reports of this type of action lately in ICS-CERT advisories), the vendor runs the risk of disrupting the actual operation of the control system.

Finally, the long time over which an ICS is used ensures that there will be a turnover of knowledgeable employees on site and maybe even of the management team while the system still runs. There is some unknown number of systems where the current owners are just letting the system run, hoping that nothing breaks down that their routine maintenance can’t address.

The long term solution is to engineer industrial control systems with security as an integral part of the design. Even that won’t be a perfect solution. It just takes too long for control systems to die. That and the fact that even with security part of the design process, there will still be holes to find and exploit. Just look at how long Microsoft has been working at their security processes; they have their security updates down to just a couple of times per month…

Moving Forward

No, everyone in the ICS sector needs to be more aware of the security problems and there has to be better communications between everyone in the community. Vendors need to reach out to owners. Owners need to network to gain access to the necessary information. White Hats need to keep plugging away at problem identification. And people like me need to keep bugging the world about the problem.

HR 1 Passes in Senate – Sandy Relief

On Friday the Senate passed HR 1 after renaming it an “Act making appropriations for disaster relief for the fiscal year ending September 30, 2013, and for other purposes”. Why they just couldn’t rename it the Sandy Relief Act, nobody knows. The vote was a mixed 62 – 32 in favor, hardly a ringing endorsement.

No CFATS Coverage

The bill did not address the effects of Sandy on the security of high-risk chemical facilities in the covered area as I suggested in an earlier blog posting. I am disappointed that the Senate was not interested in the continuing security of the CFATS covered facilities in the area, but I am not surprised. After all there were more important things like the agreement between the US and Palau for the response to the 2010 Super Typhoon Bopha (SA 3344; which failed by the way by a vote of 52 – 43, 60 being required to pass).

Well, maybe this will be taken up when the House considers the Senate action on HR1, though the bill did not make the long list of bills on today’s agenda for the House. So maybe we will have to start all over again in the 113th Congress.

In any case I have developed some suggested language to either be added to a comprehensive CFATS bill (yep, we’ll soon be talking about that again) or to a Sandy Relief bill lacking that. Actually, it will probably have a better chance of passing on a Sandy related bill than on a CFATS bill. The language below would be in the form of an amendment to the Homeland Security Act of 2002.

Suggested Language

§21XX; Natural Disasters Affecting CFATS Covered Facilities

(a) In the event that the President declares a natural disaster in any political subdivision of the United States (eg: county, borough, parish, or tribal area) that contains a facility covered by the Chemical Facility Anti-Terrorism Standards (CFATS), the Secretary, acting through the Director of the Infrastructure Security Compliance Division (the Director), will dispatch appropriate Chemical Facility Security Inspector (CFSI) teams to assess the effect of that natural disaster on the security of covered facilities in the declared disaster area. Those teams will:

(I) Visit each covered facility in the area as soon as safely practicable;

(II) For Tier 1 and Tier 2 facilities in the declared natural disaster area, the CFSI Commander will determine if there is an immediate need for additional security personnel to prevent unauthorized access to the covered facility. Any such needs will be immediately communicated to the Responsible Federal Official for that disaster area as well as to the Director;

(III) Conduct an assessment of the damage to existing site security measures resulting from the natural disaster;

(IV) For facilities without an approved site security plan:

(A) Meet with the owner/operator of the facility;

(B) Determine the damage to currently existing critical security infrastructure at the facility;

(C) Determine the repairs necessitated by that damage that would allow the facility to deter, detect and delay intruders to the standards required by existing risk based performance standards (RBPS) applicable to the tier level, or interim tier level assigned to that facility;

(D) In consultation with the owner/operator prepare a report on the expected costs to effect the repairs outlined in (C) above;

(V) For facilities with an approved site security plan:

(A)  Meet with the owner/operator of the facility;

(B) Determine the damage to the current security measures described in the approved site security plan;

(C) Determine the repairs necessitated by that damage to return those security measures to the standards required by existing risk based performance standards (RBPS) applicable for the tier level assigned to that facility;

(D) Of the repairs determined in (C) above, determine which repairs would be required to allow the facility to deter, detect and delay intruders to the standards required by existing RBPS for the tier level assigned to that facility;

(E) In consultation with the owner/operator prepare a report:

(i) On the expected costs required to effect repairs outlined in (D) above; and

(ii) On the expected costs required to effect repairs outlined in (C) above less the cost determined in (i);

(VI) All reports required in (IV) and (V) will be submitted to the Director within 1 week of CFSI being allowed into the declared disaster area;

(b)  Within two weeks of CFSI being allowed into the declared disaster area the Director will compile and forward reports to:

(I) The Administrator of the Federal Emergency Management Agency recommending that disaster recovery grants be awarded to covered facilities for the costs reported in (a)(IV)(D) and (a)(V)(E)(i);

(II) The Administrator of the Small Business Administration recommending that no cost disaster recovery loans be provided to covered facilities for the costs reported in (a)(V)(E)(ii); and

(III) Copies of both reports will be forwarded to the Homeland Security Committees in the House and Senate along with a summary of any recommendations made in (a)(II);

(c) Within one year of CFSI being allowed into the declared disaster area the Director will:

(I) Ensure that each facility inspected in (a) has been re-inspected to ensure that the required repairs have been made; and

(II) Report to the Homeland Security Committees in the House and Senate on the status of the repairs at covered facilities in the declared disaster area.


Basically the bill would require Chemical Facility Inspectors to check all covered facilities in the disaster area. The ISCD Director would recommend grants for fixing damaged security measures directly affecting Deter, Detect, and Delay to the appropriate tier level standards set forth in the RBPS Guidance document. Facilities with approved site security plans would have their other security related repairs recommended for no cost loans from the Small Business Administration. The actual awarding of those grants or loans would be determined by the appropriate Administrators.

Remember, the whole purpose of the CFATS program is to protect the communities surrounding these high-risk chemical facilities. The companies have had to pay the cost of getting their facility security measures up to the minimum standards established. They shouldn’t have to pay for the costs of re-establishing those security measures after a natural disaster. And it is in the best interests of the Nation that the necessary repairs are done in a timely manner.

Sunday, December 30, 2012

Industrial Feed Lots Cyber Targets?

While we seldom consider an industrial hog production facility to be a cyber-target, a recent TV news story out of Iowa shows how an industrial control system could be used by eco-terrorists to conduct an attack. The news story tells of a Sioux County Sheriff report of tampering with a climate control system that resulted in the death of 475 hogs.

It appears that this tampering was done manually, but reports of vulnerabilities in environmental control systems clearly show that remote manipulation of similar controls could have the same end. It would also make it easier to effect attacks on multiple facilities and make it less likely that the perpetrator would get caught in the act.

Industrial scale feed operations have long been a target of environmentalists (and one would assume by extension the radical fringe of that movement) because of the problems with waste management and the resulting environmental damage from the release of untreated wastes.

Now pig farms are hardly critical infrastructure and have not made anyone’s list of facilities that need cybersecurity regulation. But, it just goes to show that cyber-terrorism has the potential to be used by any number of malcontents. This is not a call for regulation, but a call for more widespread discussion about industrial control system vulnerabilities.

Saturday, December 29, 2012

S 3454 Passes in Senate

A little later than I predicted, but yesterday the Senate passed S 3454, the Intelligence Authorization Act for FY 2013. There was a short speech by Sen. Feinstein about the bill, but that was the limit of the debate. Also as predicted, there was no vote. The final version of the bill did contain the cyber supply-chain security provision I previously discussed.

Friday, December 28, 2012

ICS-CERT Publishes Last Monitor for 2012

Today the folks at ICS-CERT published their last Monthly Monitor for 2012. Actually still calling it a “Monthly” is just a little misleading because it covers the months of October, November and December.

ICS-CERT Responses

Once again we see another report of an ICS-CERT away team investigation. This time it concerns two SCADA engineering workstations that were infected with “sophisticated malware” via an infected USB drive. It’s a nice discussion of how to go about disinfecting an infected system without appropriate backups. Unfortunately (or fortunately depending on your point of view), it appears that the only thing ICS related was the primary use of the workstations. The name of the malware is not mentioned, but there was no real impact or infection of the SCADA system.

A briefer second piece describes the infection of some computers on the ‘control system network’ with some unidentified ‘crimeware’ again via an infected USB drive. Again, the location of the infection seems to be the only thing of ICS-CERT interest.

Of course, the routine use of USB drives in both cases served as the method of infection. That serves as an educational point, with ICS-CERT noting that:

“ICS-CERT continues to emphasize that owners and operators of critical infrastructure should develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable media.” (Pg 2)

A second article provides a brief summary of the ICS-CERT operational responses to cyber incidents in FY 2012. They report a total of 198 cyber-incidents reported by industry. Again the only actual ICS related incident reported was the ‘hacked water system in Illinois’ that wasn’t hacked.

Other Information

There is an interesting discussion of the CVSS Score that is reported in each ICS-CERT Advisory. It explains what the score means and how it is determined.

There is also a nice description of Project Shine, a result of a SHODAN investigation initiated by Bob Radvanovsky and Jake Brodsky. They reported over 460,000 IP addresses of SCADA systems that appeared to be internet facing. Efforts are being made to identify and contact the owners of the systems to warn them of their exposure. ICS-CERT is concentrating on those critical infrastructure systems identified.

There is also a brief discussion of the continuing ICS-CERT response to the apparent coordinated attack on oil and natural gas pipeline operators. Still no information about direct involvement of control systems, though this piece does note that many “of these incidents targeted information pertaining to the ICS/SCADA environment, including data that could facilitate remote access and unauthorized operations”. (pg 4) This has also led to an increased out-reach effort by ICS-CERT to explain the ICS vulnerabilities present in critical infrastructure.

There is also a nice summary of the vulnerabilities reported in ICS-CERT advisories over FY 2012. Of the 177 different vulnerabilities reported, the largest number (44) were buffer overflow vulnerabilities with input validation vulnerabilities placing a distant second (18 instances).

Finally there is a brief summary of the Industrial Control Systems Joint Working Group (ICSJWG) 2012 Fall Meeting.

Oh, one final note; as usual the Monitor closes out with a listing of recent coordinated disclosures and a list of researchers currently working with ICS-CERT on disclosures. While our friend Luigi is mentioned on the first list on two separate vulnerability notices, he doesn’t make the final ‘working with’ list. Could be his new company formed to sell 0-day vulnerabilities puts him outside of the coordinated disclosure network.

Thursday, December 27, 2012

ICS-CERT Publishes opLYNX Advisory

Today the DHS ICS-CERT published an advisory for i-GEN Solutions’ opLYNX Central application. The Advisory is based upon an authentication bypass vulnerability reported in a coordinated disclosure by Anthony Cicalla.

ICS-CERT reports that the vulnerability would allow a relatively unskilled attacker using publicly available tools to disable JavaScript to remotely bypass the authentication on the system. A new version of opLYNX has been tested by the researcher, who reports that it resolves the vulnerability.

Following an apparently common recent trend, i-GEN Solutions automatically installs the new version during logon and automatically applies it to the local system. It is nice to know that vendors have so thoroughly tested the revised version of the software that they know that it will properly work in all implementations of the system.

Interesting question: If i-GEN Solutions can change the base program remotely, apparently without notification/permission, could an attacker infiltrate their enterprise system and do a mass change that would corrupt all user systems?

S 3454 Amendments – Intelligence Authorization Act

There is an interesting note on the House BillsThisWeek website about the possible consideration of S 3454, The Intelligence Authorization Act for FY 2013. Typically Senate bills are listed on this site only after they have passed in the Senate and are ready for consideration by the House. This bill, however, has not even begun consideration in the Senate, though it has been on the Senate Calendar since July. This is a high-profile authorization bill, so it may be brought up for consideration in the Senate today.

The other interesting thing about this notice is that the version of the bill is not the one introduced in the Senate by Sen. Feinstein (D,CA). It is instead an amendment in the nature of a substitute that has yet to be offered, officially, by Ms. Feinstein. There wasn’t anything in the original bill that really caught my attention, but that is not true of this substitute language.

Cyber Supply Chain Security

Section 503 of the proposed amendment addresses supply chain security measures for the “telecommunications networks of the United States”. It defines those networks as including {§503(c)}:

• Telephone systems;

• Internet systems;

• Fiber optic lines, including cable landings;

• Computer networks; and

• Smart grid technology under development by the Department of Energy.

The section requires the Director of National Intelligence (DNI) to produce a report within 90 days (awfully short reporting deadline if the research hasn’t already been done) that “identifies foreign suppliers of information technology (including equipment, software, and services) that are linked directly or indirectly to a foreign government” {§503(a)(1)}. It further defines those linkages as including:

• By ties to the military forces of a foreign government;

• By ties to the intelligence services of a foreign government; or

• By being the beneficiaries of significant low interest or no interest loans, loan forgiveness, or other support by a foreign government;

While this is almost certainly being targeted at various Chinese suppliers of cyber equipment and services, the final part of the definition could include any number of international suppliers depending on how sweeping a definition of “other support” is employed by the DNI.

Most interestingly, the report by the DNI is required to be unclassified {§503(b)}, though classified annexes may be included. This almost ensures that the report is intended to be publicly disclosed.

Moving Forward

It is entirely possible that the Senate could take up this bill today under a unanimous consent agreement and adopt the bill without discussion. The bill would then be taken up by the House if/when it meets in final session for the year under suspension of the rules with limited debate and no amendments. There is even the remote possibility that the bill could be considered without objection in a pro forma session of the House.

Wednesday, December 26, 2012

ACC ASP – Instructions

This is the third in a series of blog posts about the recently published American Chemistry Council Alternative Security Plan for the CFATS program. The earlier posts are listed below. This post will look at the “Alternate Security Program (ASP) Template Guidance and Instructions” (Instructions) that is embedded in the “Alternate Security Program (ASP) Guidance for CFATS Covered Chemical Facilities” (Guidance document) that forms the core of the downloadable program.

The Instructions can be found on page 18 of the Guidance document. Click on the first ‘paperclip’ symbol on the page and you will open the file:

ACC ASP Template Guide and Instructions Final20121130.docx

The numbers at the end of the file name may change as the ACC updates and revises this program.

Chemical-Terrorism Vulnerability Information (CVI)

It was mentioned briefly in the ASP Guidance document that everyone that will be accessing the partially completed SSP/ASP document will have to be CVI trained and certified. Once any information about the security of the facility is entered into the template it becomes a document requiring CVI protection. Make sure that everyone who will be working with this information has completed the online training course and copies of their training certificates are on file.

Before You Start

Pages 2 thru 9 of the Instructions provide a general set of guidelines that should be followed when filling out the template. I strongly recommend that the entire team that will be working on the SSP/ASP preparation carefully read those 7 pages of the Instructions and be familiar with any of the Risk Based Performance Standards (RBPS) in the RBPS Guidance document published by DHS that they may be responsible for. This familiarity will make it much easier to fill in the template with verbiage that includes the key words and phrases in the RBPS that the folks at DHS ISCD will be looking for in their evaluation of the SSP/ASP.


There is a brief discussion of the RBPS in the ASP Guidance document and there are two brief explanations of the RBPS in the Instructions, but both documents gloss over a very important point. While DHS may not (prohibited by Congress) specify a particular security measure they do spell out in the RBPS Guidance document the way they will measure compliance (RBPS Metrics) with each RBPS at the specific Tier level to which a facility has been assigned. The difference between the required performance metrics for two different tiers may be one word, eg: ‘routinely’ vs ‘usually’. Including these key words in the description of a security measure may make it easier for DHS analysts to understand the intent of the security plan.

Attack Scenarios

One of the more confusing ideas that DHS included in their CFATS program was the idea of “Attack Scenarios”. Security professionals initially thought that the seven scenarios proposed by DHS were the proposed design basis for the security plans, attacks that had to be prevented for the plan to be successful. That was not the intent of DHS. As the Instruction document explains (pg 3):

“Rather, the attack scenarios are analytical devices, supporting the evaluation of a facility’s security and enabling DHS to conduct comparative risk analysis across the sector.”

The Security Metrics in the RBPS explain how well the facility (at its specific tier level) must be able to deal with those scenarios. As the Instructions document explains, not all attack scenarios apply to each RBPS. But, when they do apply they should be specifically addressed in the words that are put into the template so that it is clear to the ISCD analysts that the facility has addressed the issue.

Security Approach

There is a nice discussion in the Instructions document about the differences between perimeter based and asset based security measures. Essentially, the ‘perimeter based’ approach includes the entire facility whereas the ‘asset based’ approach only provides security measures for a specific area of the facility where a COI is found. For a facility with a single high-risk COI, it may make more economic sense to confine the bulk of the security measures to the area where that COI is used/stored. For facilities with multiple COIs at varying security levels, it may make more sense to protect the facility at the level for the COI with the lowest tier ranking (provided by DHS) and reserve the more complex security arrangements for the area around the highest tier-ranked COI.

As noted on page 5 of the Instructions document:

“In the description of a specific security measure, ASP preparers should describe whether it is applied facility wide or to specific assets.”

Too Much Information

As the Instruction document alludes to, the problems that ISCD has had with not being able to authorize SSPs have been in large part due to not receiving enough information from the facility about their security plans. So generally speaking, the more the better, but there is a limit. As the Instructions document states on page 7:

“On the other hand, the preparer may wish to limit detail that does not relate to the listed COI or the performance of the specific security measure or system, to allow for minor changes without the need for ASP resubmission.”

This is an important point that needs to be clearly understood by facility management. Once the SSP/ASP is authorized by DHS it is essentially a legally binding document outlining the inspectable requirements for facility security under the CFATS program. The congressional prohibition against specifying particular security programs no longer applies. If a subsequent ISCD inspection does not find an authorized component of the SSP/ASP in place, the facility may be fined up to $25,000 per day or even shut down (an extreme case to be sure) for non-compliance. Any changes to the authorized ASP must be approved by ISCD before they are made.

One way to get around some of this problem will be to include the little details of the plan in separate documents describing specific procedures and processes. The Instructions document notes that:

“It is not necessary to include the text of every procedure that is described in the ASP.  Use an unambiguous reference that is clear to facility personnel and that inspectors can request by name for review, for example, ‘Suspicious Activity Reporting Procedure S.4.01’.”

There must be, however, enough detail in the submitted ASP to allow the ISCD analysts to determine if the RBPS Security Metrics have been met.

Take Credit for Everything

The last topic that is specifically discussed in the first nine pages of the Instruction document is a reminder to take a careful look at everything that the facility does to determine if it contributes to security. Many process safety and almost all emergency response measures already in place at the facility may contribute to the security plan, particularly the ‘Response’ RBPS. Simple things like referring to a COI by a company product name rather than an easily recognizable chemical name will make it harder for an attacker to find their target. Pages 8 and 9 of the Instruction document provide a short list of things to look at.

Just remember, though, if you take credit for it and list it in the ASP you must continue doing it until DHS gives you permission to change.

The Template

The remainder of the 30 page Instruction document is an annotated copy of the template. Explanatory material and completion suggestions are provided in blue type. Almost everything in black type should remain in the submitted document with appropriate additional supporting information. I’ll look at the actual template in some detail in later blog posts.

Tuesday, December 25, 2012

DOT Rules List

I recently did a blog post on the belated publication of the 2012 Unified Agenda by the Obama Administration and a separate look at some DHS rules that could have an impact on chemical facility security issues. Today I would like to take a brief look at the DOT Rule List for rulemakings that might impact on chemical transportation safety and pipeline safety.

There are a total of 28 such rulemakings listed in the DOT Rule List. While the vast majority come from the Pipeline and Hazardous Material Safety Administration (no surprise there), there were two rulemakings from the Federal Railroad Administration that made my shortlist: a PTC rule and a rule concerning the use of emergency escape breathing apparatus. Both of these I have previously addressed in this blog, so I won’t dwell on these rules here.

New PHMSA Rules

Of the 26 PHMSA rulemakings listed in the DOT Rule List most are rules that have been making their way through the rulemaking process for quite some time and the regulated communities are well aware of their existence. There are, however, eight rulemakings that are new to the Unified Agenda and have never been officially addressed by PHMSA in the Federal Register. They are listed in the table below.

| Stage | Rulemaking |
| --- | --- |
| | Hazardous Materials: Rail Petitions and Recommendations to Improve the Safety of Railroad Tank Car Transportation (RRR) |
| Proposed Rule | Hazardous Materials: Requirements for the Safe Transportation of Bulk Explosives (RRR) |
| Proposed Rule | Pipeline Safety: Standards for Conducting Condition Assessments of In-Service Pipelines |
| Proposed Rule | Pipeline Safety: Changes to the National Pipeline Mapping System Data Collection and Standards |
| Proposed Rule | Pipeline Safety: Miscellaneous Amendments Related to Reauthorization and Petitions for Rulemaking (RRR) |
| Proposed Rule | Hazardous Materials: Resumption of Transportation |
| Final Rule | Hazardous Materials: Temporary Reduction of Registration Fees |
| Final Rule | Hazardous Materials: Penalty Action Guidelines Update |

Table 1: New PHMSA Rulemakings

Direct Rulemaking

I’ll discuss the last two first as they concern rules that are going directly to publication of Final Rules without going through the interim process of publishing a notice of proposed rulemaking. This is allowed under US law when the rule mainly concerns internal operations of the rulemaking agency or it has a negligible impact on the regulated community.

The first rule would modify 49 CFR §107.612 for the 2013-2014 registration period, reducing the registration fees for persons who transport, or offer for transportation, certain categories and quantities of hazardous materials. Annual adjustments to the fee structure are required to maintain the national Hazardous Materials Emergency Preparedness (HMEP) grants program. This reduction is necessary because there was an excess remaining in that fund at the end of the 2011-2012 registration period. The Unified Agenda listing for this rule does not indicate how large a reduction is anticipated, but any reduction is apparently deemed an insignificant impact on the regulated community.

The justification for the direct rulemaking for the Penalty Action Guidelines Update is less clear. PHMSA is responding to requirements in MAP 21 (PL 112-141 §33010) to eliminate the minimum civil penalties (except for training related deficiencies) and to increase the maximum penalties for a knowing violation and a violation resulting in death, serious illness, or severe injury to any person or substantial destruction of property to $75,000 and $175,000, respectively. While a $75,000 (or $175,000) penalty may seem to be significant (it sure does to me), since it may only be levied on violators, the argument is made that it would not have a significant effect on the regulated community as a whole.

New Hazardous Materials Rulemakings

The first of the hazardous material rulemakings would address some petitions from industry and recommendations made by the NTSB. The proposed rulemaking would:

• Identify elements of non-conformity that do not require a movement approval from the Federal Railroad Administration (FRA);

• Correct an unsafe condition associated with pressure relief valves (PRV) on rail cars transporting carbon dioxide, refrigerated liquid;

• Revise outdated regulations applicable to the repair and maintenance of DOT Specification 110, DOT Specification 106, and ICC 27 tank car tanks (ton tanks);

• Except ruptured discs from removal if the inspection itself damages, changes, or alters the intended operation of the device; and

• Enhance the standards for DOT Specification 111 tank cars used to transport Packing Group I and II hazardous materials

PHMSA expects to have an advance notice of proposed rulemaking (ANPRM) published in the Federal Register in February 2013.

The bulk explosives rulemaking would update the HMR to reflect current special permit and competent authority rulings and is the result of petitions by industry. The revision would authorize the transportation of certain explosives, ammonium nitrate, ammonium nitrate emulsions, and other specific hazardous materials in bulk packagings for use in blasting operations on specialized vehicles, multi-purpose bulk trucks (MBTs). This is part of PHMSA’s effort to codify some long standing special permits.

PHMSA expects to publish an NPRM in July, 2013.

The final hazardous materials related rule addresses a problem with a relatively recent PHMSA rule that allows inspectors to open packagings enroute to determine if they comply with the hazmat packaging regulations. Industry has long complained about the delays in transit this causes for certain perishable items, including radio-isotopes. This rulemaking would address the requirements of MAP 21 (§33009) to address:

• The safe and expeditious resumption of transportation of perishable hazardous material, including radio-pharmaceuticals and other medical products, that may require timely delivery due to life-threatening situations;

• The means by which non-compliant packages are placed out-of-service or the resumption of transportation of compliant packages;

• Appropriate training and equipment for inspectors; and

• The proper closure of packages in accordance with the hazmat regulations.

PHMSA expects to publish this NPRM in February, 2013.

Pipeline Safety Rulemakings

The first pipeline safety rulemaking would address the standards for conducting condition assessments of in-service pipelines. It would incorporate by reference existing consensus standards for assessing internal corrosion and stress corrosion cracking. PHMSA expects to have this rulemaking published in March, 2013.

The second rulemaking would address the submission of geospatial information, including the data accuracy standards for mapping, and more complete description of facilities, including elements such as:

• Pipeline diameter;
• "Smart piggability";
• Type/location of blocking valves; and
• Coating of pipe

PHMSA expects to have the NPRM for this rule published in June, 2013.

The final pipeline safety rulemaking is a catch-all rule that would make revisions based on various legislative initiatives and petitions for rulemakings. Among other things it would address:

• Renewal process for special permits;
• Cost recovery for design reviews; and
• Incident reporting

PHMSA expects to publish this NPRM in June, 2013.

Rulemaking Delays

If, as I mentioned in an earlier blog, DHS is notorious for missing deadlines, I don’t think that PHMSA has ever met a deadline. While part of that is due to the large number of rules that PHMSA has in the pipeline, a greater part of the problem is bureaucratic inertia. Since January 1st 2011, PHMSA has only submitted six rules to OMB for approval, and only one of those was in 2012. With 26 rules ‘planned’ for submission in 2013, it will be remarkable if more than a handful make it to publication in the Federal Register.

ACC ASP – Guidance Document

This is the second in a series of blog posts about the recently published American Chemistry Council Alternative Security Plan for the CFATS program. The initial blog post is listed below and dealt with an overview of the place of the ASP in the CFATS program. This post will look at the “Alternate Security Program (ASP) Guidance for CFATS Covered Chemical Facilities” (Guidance document) that forms the core of the downloadable program.

There are two embedded documents in the Guidance document; the template and the instructions for the ASP and they form the basis of the actual ASP that will be submitted to DHS as part of the facility site security plan. There is a significant amount of additional information available in the document.

CFATS Overview

The first five pages of the Guidance document provide a fairly detailed guide to the CFATS program. Now anyone who is in the process of considering options for submitting an ASP in lieu of an SSP should be fairly familiar with the CFATS program, so this would seem to be somewhat superfluous.

We have to remember, however, that once a facility reaches the SSP stage of the SSP process, the funding issues become rather large. The upper level management that needs to become involved in the budgeting process at this point could use a high level lesson in the requirements of the CFATS program and these five pages could form a good starting point for that discussion.

Pre-Authorization Inspection

In its discussion of the CFATS inspection process the Guidance document provides a reasonably good description of the purpose and process of the Pre-Authorization Inspection. Since DHS ISCD has yet to formally address this addition to the CFATS program in any of their written documents, the following description taken from the Guidance document serves an important purpose:

“Pre-Authorization Inspections (PAI) are conducted AFTER the submission of an SSP/ASP but BEFORE a letter of authorization, in which the SSP/ASP is preliminarily approved as the regulatory standard for that facility. Pre-authorization inspections were instituted after it became clear that the CSAT SSP template was not producing enough detail to result in the issuance of letters of authorization. Their purpose is for the inspection team to establish the facts on the ground and for DHS to provide feedback for both the improvement of the detailed content of the SSP/ASP and potentially for improvements in existing security measures to meet the RBPSs.”

Of course, part of the purpose of the publication of this ASP template and instructions is to provide an initial data submission to DHS and ISCD that precludes the necessity for DHS to conduct such PAIs.

Authorization Inspection Process

The ACC Guidance document provides information on the Authorization Inspection process as well. Again this is another area where detailed information has been lacking from the folks at ISCD, unless they are providing it directly to facilities when they schedule the inspections. In any case, the information provided here will be very beneficial to any facility beginning to prepare for their authorization inspections.

The Appendixes

The Guidance document includes four appendixes that provide a variety of additional information on the CFATS program. The four appendixes are:

• Definitions and Acronyms

• Alternate Security Program Template

• CFATS Risk-Based Performance Standards

• CFATS Reference Links

Of the four the second is, of course, the most important for facilities considering the submission of their SSP. It includes two imbedded Word® documents that form the basis for the ASP submission.

• ACC ASP Template Guide and Instructions Final20121130.docx

• ACC ASP Template Final20121107.docx

I’ll discuss these two documents in later blog posts in the series, but I suspect that the ACC will be a tad bit more proactive in updating these files as additional facilities use them to prepare and submit their SSP/ASP.


I think that the ACC has produced a very good CFATS summary document here. In many cases it is more informative than the formal DHS documents upon which it draws. The major drawback is that it spends almost no time discussing the preparation of the ASP. While that is covered in the imbedded instruction document, it would be helpful if there were some discussion here about some of the ASP/SSP issues.

For instance, there is nothing said about the relationship between an adequate level of information necessary for DHS assessment and the need to leave room for minor modifications in the program that won’t require a resubmission of the ASP. Too much detail and the smallest change will have to go through a long-delayed reassessment process at ISCD. Too little detail and the facility will have to go through the added problem of a PAI inspection.

Additionally, I think that there should be a little more emphasis on the fact that any security procedures, processes and equipment mentioned in the authorized SSP/ASP become a regulatory requirement for the facility in all future DHS-ISCD inspections. While DHS cannot specify which security processes need to be employed to get an SSP/ASP authorized, they can and will require strict adherence to the authorized SSP/ASP.

I’ll look at how these issues are addressed in the instructions and template in future blog posts.

All in all this is a much better document than anything that the folks at DHS have done for the SSP process.

Monday, December 24, 2012

Closer Look at 2012 DHS Rules List

As I mentioned in my earlier blog post, the OMB’s Office of Information and Regulatory Affairs (OIRA) recently updated their Unified Agenda and the associated agency rule lists. Today I would like to take a closer look at the rulemaking actions on the DHS Rule List that would be of potential interest to readers of this blog.

Classified Information

The one new rulemaking listing in this List deals with the DHS regulation of Classified National Security Information (RIN 1601-AA68). According to the Abstract:

“The Department of Homeland Security (DHS) is revising its procedures for managing classified national security information. DHS is updating its regulations to incorporate new and revised procedures pursuant to Executive Order 13526, ‘Classified National Security Information.’ Further, DHS is delegating to the Chief Security Officer of DHS the responsibility of serving as the ‘Senior Agency Official’ pursuant to Executive Order 13526.”

Apparently the folks at DHS are intending to go directly to issuing a Final Rule in May, 2013 without the intermediate step of issuing a notice of proposed rulemaking. This methodology is allowed if the rule only affects internal actions in the Department and has no significant impact on State, local or tribal governments or private citizens. We will just have to wait and see what the Final Rule actually says.

Maritime Shipping Safety

We have two rulemakings from the Coast Guard dealing with maritime shipping safety that remain on the DHS Rule List. They are:

• Cargo Securing on Vessels Operating in U.S. Waters (RIN 1625-AA25)

• Bulk Packaging To Allow for Transfer of Hazardous Liquid Cargoes (RIN 1625-AB63)

Neither of these has a statutory mandate for date of issue. The Coast Guard intends to issue a supplemental Cargo Securing NPRM in April and a final rule for the Bulk Packaging rule in January.

Maritime Security

There are two Coast Guard rulemakings on the List that deal with MTSA issues. They are:

• TWIC Card Reader Requirements (RIN 1625-AB21)

• Updates to Maritime Security (RIN 1625-AB38)

The Card Reader rule has been long delayed, partly due to problems the TSA had with their field trials of various card readers. The final rule was required to be published in August of 2010 and the Coast Guard is now estimating that the notice of proposed rulemaking will be published in February. As I noted in an earlier blog posting this rule has already been sent to the OMB for review so this date may not be too far out of line, but that still leaves us at least a year before the final rule is published.

According to the Abstract for the Updates to Maritime Security rulemaking this would be the first major update to Subchapter H of 33 CFR since the MTSA regulations were adopted. The Abstract explains that:

“The proposed changes would further the goals of domestic compliance and international cooperation by incorporating requirements from legislation implemented since the original publication of these regulations, such as the SAFE Port Act, and including international standards such as STCW security training. This rulemaking has international interest because of the close relationship between subchapter H and the International Ship and Port Security Code (ISPS).”

The Coast Guard is planning on issuing the NPRM for this rulemaking in April of 2013.

General Aviation Security

TSA is still struggling to overcome resistance to rules governing the security of general aviation aircraft. Their NPRM that was published in 2008 met so much opposition from the public and Congress that TSA will be issuing a ‘supplemental’ NPRM that will almost certainly be a total re-write of their General Aviation Security and Other Aircraft Operator Security rulemaking (RIN 1652-AA53). They expect to issue their supplemental in August of 2013.

Surface Transportation Security Training

A while back TSA rolled three congressionally mandated rulemaking requirements into a single rulemaking, Security Training for Surface Mode Employees (RIN 1652-AA55). The three mandated publication dates were in 2007 and 2008 and TSA has yet to produce their first public version of the rule that would “propose general requirements for the owner/operators of a freight railroad, public transportation system, passenger railroad, and an over-the-road bus operation determined by TSA to be high-risk to develop and implement a security training program to prepare security-sensitive employees, including frontline employees identified in sections 1402 and 1501 of the Act [the Implementing Recommendations of the 9/11 Commission Act of 2007], for potential security threats and conditions”.

While that certainly seems to be a fairly comprehensive program TSA also intends to extend the “security coordinator and reporting security incident requirements applicable to rail operators under current 49 CFR part 1580” to other portions of the surface transportation industry.

TSA expects to have the NPRM finally go to publication in July of 2013.

Railroad Security Planning

Another long overdue requirement from the Implementing Recommendations of the 9/11 Commission Act of 2007 is the Freight Railroads and Passenger Railroads--Vulnerability Assessment and Security Plan rulemaking (RIN 1652-AA56). According to the Abstract:

“This rulemaking will propose thresholds for which a risk determination can be made to determine whether a freight railroad and passenger railroad should be considered "high risk." The rulemaking will also propose requirements for vulnerability assessments and security plans for owner/operators of those railroads. The proposed requirements include procedures for TSA's review and approval of these assessments and plans, and recordkeeping requirements. The regulation will take into consideration any current security assessment and planning requirements or best practices.”

This rule could easily become the TSA’s version of the CFATS regulations in scope and impact, potentially requiring a significant expansion of the number of Surface Transportation Security Inspectors, something never authorized by Congress; coming up with an effective rule that can overcome that funding obstacle is a real challenge. TSA expects to have the NPRM published by July of 2013.

TSA Security Threat Assessments

The TSA does the security threat assessments for a number of travel related security programs including the Hazardous Materials Endorsement for CDLs and the TWIC as well as future programs such as the CFATS personnel surety program. Each of these programs is currently governed by a slightly different set of rules. With this Standardized Vetting, Adjudication, and Redress Services rulemaking (RIN 1652-AA61) the TSA “intends to propose new regulations to revise and standardize the procedures, adjudication criteria, and fees for most of the security threat assessments (STA) of individuals for which TSA is responsible”. According to the Abstract:

“In accordance with the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act), the scope of the rulemaking will include transportation workers from all modes of transportation who are required to undergo an STA in other regulatory programs, including certain aviation workers and frontline employees for public transportation agencies and railroads. In addition, TSA will propose fees to cover the cost of the STAs and credentials for some personnel. TSA plans to improve efficiencies in processing STAs and streamline existing regulations by simplifying language and removing redundancies.”

TSA intends to issue their notice of proposed rulemaking for this rule in July of 2013.

Actual Dates for Rulemaking

The dates that I have been reporting for the intended date that DHS components would act on these rulemakings were provided in the DHS Rule List. There is no statutory requirement about the accuracy of these estimates and, even if there were, DHS is more than notorious for missing congressionally mandated deadlines. The only one of the above listed dates that I would have any sort of confidence in is the one for the TWIC Reader Rule and that is because it has already been submitted to OMB for approval, but even that could be delayed for months in the OMB approval process and there is no guarantee that OMB will approve the submitted NPRM.

Sunday, December 23, 2012

ACC Publishes CFATS Alternative Security Program

On Friday the American Chemistry Council posted their “Alternate Security Program (ASP) Guidance for CFATS Covered Facilities” on their web site. This .PDF document, along with its two embedded .DOCX documents, provides information and a template for submitting an alternative (this is the DHS terminology) security program to DHS in lieu of the complete Site Security Plan DHS provides on its Chemical Security Assessment Tool (CSAT) site.


Section 550(a) of the Homeland Security Appropriations Act of 2007 specifically authorizes the DHS Secretary to “approve alternative security programs established by private sector entities, Federal, State, or local authorities, or other applicable laws if the Secretary determines that the requirements of such programs meet the requirements of this section and the interim regulations”.

In a number of Congressional hearings I have heard Congressmen incorrectly explaining to industry and DHS witnesses that the ASP allows DHS to “give industry credit for work they have already done on site security”. This is very misleading in that there are no provisions in the law or regulation that allow the approval of an ASP for a security program that does not meet the standards set forth in the Risk Based Performance Standards (RBPS) Guidelines document based upon §27.230 of the CFATS interim regulations.

Nor does the preparation of an ASP obviate the need for using the Site Security Plan tool within CSAT. The SSP tool will, in fact, be the tool used to submit the ASP. After the facility ensures that the Facility information portion of the tool has been completed, the SSP tool {Site Security Plan Instruction Manual, pg 29} will ask four questions about the potential use of an ASP:

• Does the ASP address each security/vulnerability issue identified in the facility’s SVA, and identify and describe security measures to address each such security/vulnerability issue? [Q:5.61-18413]

• Does the ASP identify and describe how security measures selected by the facility will address the risk-based performance standards and potential mode of terrorist attack? [Q:5.61-18414]

• Does the ASP identify and describe how security measures selected and utilized by the facility will address each applicable performance standard for the appropriate risk-based tier for the facility?

• Does the ASP provide other information that the Assistant Secretary has deemed necessary, through the DHS Final Notification Letter or other means, regarding facility security? [Q:5.61-18416]

Only if a submitter can answer ‘Yes’ to all four questions should the ASP be submitted.

So, if all of the work necessary to prepare an SSP has to be done anyway, why use an ASP? The answer is three-fold.

First, the document that a facility will upload to the SSP tool for their ASP (in the case of this ASP in any case) will actually be able to serve as a formal site security plan. The document will actually be able to be read and understood by both facility personnel and DHS Chemical Facility Inspectors, and the information will be readily accessible. The same cannot be said for the printed copy of the question/answer format of the DHS SSP tool.

Second, we know that the current SSP tool has proven to be totally inadequate as an effective data collection device. The routine responses to the questions asked in the tool have not provided adequate information for DHS analysts to determine if the facility site security plan adequately addresses the RBPS guidelines. This ASP does seem to me to better address the data collection needs of DHS, making for a smoother SSP approval process.

Finally, at the end of the day, the approved SSP (SSP/ASP) will serve as the standard by which the facility security program is measured in all future inspections by DHS. A formal document like the one prepared in this ASP will be a much better reference for facility personnel and DHS inspectors to go back to determine what the actual approved security program is for that facility; something that cannot be easily done with the current SSP tool format.


The American Chemistry Council is a large industry group that represents a significant portion of American chemical production companies. They developed this ASP principally as a tool for their member organizations that have facilities covered by the CFATS program. As I currently understand things the ACC will allow anyone to use their ASP. There is no log-in required to be able to download the document and the ACC has no way of knowing who uses their format to submit data to DHS.

As would be expected, the ACC is not making any specific claims about the use of this ASP; they have no control of the information the facility places within the document. Their guidance document clearly states that:

“ACC takes no responsibility for any action taken by an individual ACC member or other party.”

The format and style have been approved by DHS. That does not mean that DHS will automatically approve an SSP submitted using this format. It simply means that DHS has worked with ACC and that the format, properly executed, should be able to provide the necessary information in a format that DHS can use to evaluate the efficacy of the facility’s SSP.

According to Scott Jensen, Director for Issues Communications at the ACC, there have been at least two facilities that have used this ASP to complete their SSP filing. In both instances, the folks at DHS used a protocol that was used very successfully in the development of the Top Screen and the Security Vulnerability Assessment tools; they had folks (analysts and inspectors) on site during the submission process to see how things actually worked on the ground. Their feedback along with comments from the facility teams, allowed the ACC to do the fine tuning necessary to make this a workable ASP format.

More Work Required

One thing is very clear to me: it is going to take much more work to complete the ACC ASP than it would to answer the questions in the DHS SSP. Writing out the information in clear and understandable prose can be hard work, much harder than clicking on boxes or preparing short answers to specific questions. On the other hand nobody has gotten a site security plan authorized based upon the submission of the SSP tool. DHS has had to come back and dig for additional information to get what they needed.

Additionally, the facility was going to have to write a useable site security plan document in any case and that was going to be duplicative work. Why not use the same document to fulfill both requirements?

Future Posts

As my long time readers will have come to expect, I’ll be taking a more detailed look at the ACC ASP in future blog posts.

Saturday, December 22, 2012

2012 Unified Agenda Finally Published

Today the OMB’s Office of Information and Regulatory Affairs (OIRA) finally got around to publishing the 2012 Unified Agenda. It broke with the previous process of publishing Spring and Fall versions of the UA, apparently because it was so far behind in keeping up with that process. The last UA published was the Fall 2011 UA; published in January of this year.

Current DHS Rule List

Readers of this blog are going to be primarily interested in the DHS Rule list. This lists the currently active and planned rule making processes being pursued by the Department. I’ve extracted the ones of most interest to readers of this blog and posted them in Table 1 below.

| Stage | Rulemaking |
| --- | --- |
| Final Rule | Classified National Security Information |
| Proposed Rule | Cargo Securing on Vessels Operating in U.S. Waters |
| Proposed Rule | Transportation Worker Identification Credential (TWIC); Card Reader Requirements |
| Proposed Rule | Updates to Maritime Security |
| Final Rule | Bulk Packaging To Allow for Transfer of Hazardous Liquid Cargoes |
| Proposed Rule | General Aviation Security and Other Aircraft Operator Security |
| Proposed Rule | Security Training for Surface Mode Employees |
| Proposed Rule | Freight Railroads and Passenger Railroads--Vulnerability Assessment and Security Plan |
| Proposed Rule | Standardized Vetting, Adjudication, and Redress Services |

Table 1: Current Items on DHS Agency Rule List

I’ll discuss these proposed rulemakings in some more detail in future posts.

Rulemaking Missing from List

To paraphrase Sherlock Holmes, what is interesting is what is not on the list. Comparing the 2012 UA to the Fall 2011 UA there are three rules of interest that are missing from the current list. Rulemaking has not been completed on these three so they were either removed from the list by the Obama Administration or were overlooked somehow. Those three rulemakings are listed in Table 2.

| Stage | Rulemaking |
| --- | --- |
| Proposed Rule | Secure Handling of Ammonium Nitrate Program |
| Proposed Rule | Top Screen Information Collection from MTSA-Regulated Facilities Handling Chemicals |
| Proposed Rule | Sensitive Security Information: Disclosure in Federal Civil Court Proceedings |

Table 2: Rulemakings missing from DHS Rule list

Surely the Ammonium Nitrate Security Program (ANSP) was an oversight since this is a Congressionally mandated (and much overdue) rulemaking. The NPRM had been published in August of last year with the comment period closing on December 1st, 2011. We have been waiting patiently for the final rule to be published. I expect that Rep. Thompson (D,MS) will be one of the first to question why this isn’t on the current UA.

The MTSA Top Screen rule was initiated as part of the process of harmonizing the chemical security rules between CFATS and MTSA. This was going to be essentially a data collection and analysis rule since there were no specific intentions (and no Congressional authority) to require MTSA covered facilities to comply with the CFATS rule. I suspect that this rulemaking was specifically removed from the UA.

The SSI Disclosure rule has been on the Agenda as long as I have been looking at it. The intent has been to establish rules for vetting a limited number of people involved in a Federal civil case to be authorized to view data that has been labeled Sensitive Security Information. This may have been removed because of conflicts between the SSI rules being developed under the President’s Executive Order on Controlled Unclassified Information. Actions on that EO have been delayed.

Next Step

With the long delayed publication of the UA we can now patiently wait for the President’s flexibility agenda to be published in the Federal Register. This will provide more details on how the above actions will be prioritized by the Administration. Earlier this year there was almost a month delay between the publication of the UA and the posting of the flexibility agenda.