Sunday, June 30, 2013

DHS HSAAC Meeting to Address Cybersecurity

DHS has posted a meeting notice in Monday’s Federal Register (78 FR 39301-39302, available on-line Saturday) for the Homeland Security Academic Advisory Council (HSAAC) for July 17th 2013 in Washington, DC. Cybersecurity presentations are expected to be made by the Subcommittee on Cybersecurity in response to recent taskings by Secretary Napolitano.

At the last HSAAC meeting Secretary Napolitano provided a tasking letter for the Subcommittees that included six specific cybersecurity jobs program taskings for the Cybersecurity Subcommittee. While the other subcommittees also received taskings in that letter, the meeting notice focuses on the expected responses from the Cybersecurity Subcommittee.

The Secretary asked the Cybersecurity Subcommittee to look at:

1. How to attract students, student veterans and recent graduates to cybersecurity jobs at DHS;
2. How DHS can better promote the DHS/National Security Agency National Centers of Academic Excellence cybersecurity programs to the higher education community;
3. How to define the core elements of cybersecurity degree and certificate programs to prepare graduates for mission-critical cyber jobs at DHS;
4. How DHS can facilitate and strengthen strategic partnerships with industry, national labs, colleges, universities and others to build the cybersecurity workforce;
5. How DHS can partner with academia to build a pipeline of diverse students in Science, Technology, Engineering and Math (STEM); and
6. How key subcategories in cybersecurity – such as policy, critical infrastructure, human factors, intellectual property, and others – can inform academic pathways to meet national needs.

Public participation in the meeting is being solicited by DHS. Public comments on the topics listed above may be submitted for the Council’s consideration before they are adopted for forwarding to the Secretary. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2013-0044). There will also be a public comment period during the meeting, with a 3-minute time limit for speakers. Register in advance to make public comments with the Office of Academic Engagement (AcademicEngagement@hq.dhs.gov).


NOTE: As I have come to expect from DHS (excepting the Coast Guard), there appear to be no provisions for web casting this meeting. One of these days the rest of DHS will enter the 21st Century.

S 1197 Introduced – FY 2014 DOD Authorization

As I noted earlier Sen. Levin (D,MI) introduced S 1197, the National Defense Authorization Act for Fiscal Year 2014, and the bill has been reported favorably by the Senate Armed Services Committee. As expected the bill has some significant cybersecurity provisions including support for the development of tools for checking software code vulnerability, looking at the use of National Guard troops for homeland cyber-response tasks and controls on the trade in ‘cyber-weapons’.

Cyberspace Subtitle

Subtitle D of Title IX (DOD Organization and Management) deals with ‘Cyberspace-Related Matters’. Most of the provisions relate to cyber-warfare but some deal with cybersecurity related matters. The eight sections within the Subtitle are:

• Section 941: Authorities, capabilities, and oversight of the United States Cyber Command.
• Section 942: Joint software assurance center for the Department of Defense.
• Section 943: Supervision of the acquisition of cloud computing capabilities for intelligence analysis.
• Section 944: Cyber vulnerabilities of Department of Defense weapon systems and tactical communications systems.
• Section 945: Strategy on use of the reserve components of the Armed Forces to support Department of Defense cyber missions.
• Section 946: Control of the proliferation of cyber weapons.
• Section 947: Integrated policy to deter adversaries in cyberspace.
• Section 948: Centers of Academic Excellence for Information

Probably the most significant of the DOD provisions in this Subtitle can be found in §941. It provides for the separation of the DOD cyber-warfare (offensive and defensive) organizations from the cyber intelligence program and the information security program in DOD. This specifically includes providing hardware and internet access capabilities for US Cyber Command (USCC) that are separate from those of the National Security Agency. It does not, however, address the current fact that the commander of the NSA and the commander of the USCC are the same person.

Software Assurance Tools

Section 942 requires DOD to establish a Joint Software Assurance Center separate from the one established by the National Security Agency (more separation of USCC from NSA). The new JSAC would work with the NSA to establish a “program of research and development to improve automated software code vulnerability analysis and testing tools” {§942(c)(3)}.

The Committee report further emphasizes the importance of this program (pg 46, Adobe 69) by providing an additional $10 million for the Air Force version of this proposed organization, the Application Software Assurance Center of Excellence (ASACOE).

The Committee report also notes that this proposed JSAC would help the military comply with the §933 requirements of the FY 2013 National Defense Authorization Act.

There is nothing in §942 that would address the availability of such tools for work in the civilian sector, but it is reasonable to suppose that they might be made available to DHS in support of cybersecurity activities in the critical infrastructure sectors.

Homeland Cyber Response

It is apparent that the use of National Guard cyber-warriors is the ‘cybersecurity’ idea of the year. We have seen it proposed in two identical bills (HR 1640 and S 658) and a version was included in the Committee Report for the House DOD spending bill, HR 2397. This bill provides yet a third version of the idea as part of the §945 examination of the use of the Reserve Components in DOD cyber missions.

DOD and DHS would be required to take a coordinated look at the use of National Guard in a cyber homeland defense role. The bill specifically tasks the two departments to get input from the Governors on “State cyber capabilities, and State cyber needs that cannot be fulfilled through the private sector” {§945(b)(2)}. This is part of the requirement to determine if the National Guard, operating under State status “can operate under unique and useful authorities to support domestic cyber missions and requirements of the Department or the United States Cyber Command” {§945(b)(4)}.

The bill even goes so far as to suggest that DOD look into whether it would be appropriate to hire part-time National Guard Technicians with appropriate cybersecurity expertise to assist “the National Guard in protecting critical infrastructure [emphasis added] and carrying out cyber security missions in defense of the United States homeland” {§945(b)(5)}.

Operation of the National Guard units under State status is an important legal distinction. Because of restrictions on the domestic use of military forces under the Posse Comitatus Act (18 USC 1385) it would be necessary to use National Guard units under the command of Governors to participate in many cyber related homeland defense missions.

Control of Cyber Weapons

Section 946 addresses attempts to control the international trade in cyber weapons. It requires the President to establish yet another “interagency process to provide for the establishment of an integrated policy to control the proliferation of cyber weapons” {§946(a)}.

Since there is not currently a legal definition of ‘cyber weapons’ the same interagency process is also required to identify “the types of dangerous software that can and should be controlled through export controls” {§946(b)(1)}. The Committee Report notes:

“This process will require developing definitions and categories for controlled cyber technologies and determining how to address dual use, lawful intercept, and penetration testing technologies.” (pg 159, Adobe 181)

It is clear that someone on the Senate Armed Services Committee staff realizes that many of these ‘cyber weapons’ might have legitimate uses in the cybersecurity field. The Committee Report states:

“However, the approaches developed must also take into account the needs of legitimate cybersecurity professionals to mitigate vulnerabilities, and not stifle innovation in tools and technology that are necessary for national security and the cybersecurity of the Nation.” (pg 160, Adobe 182)

The section requires the identification of methods that should be used to “suppress the trade in cyber tools and infrastructure that are or can be used for criminal, terrorist, or military activities while preserving the ability of governments and the private sector to use such tools for legitimate purposes of self-defense” {§946(b)(2)}.

Moving Forward


I expect that the Senate will move forward with its consideration of S 1197 in the few weeks remaining before the Summer Recess. The bill will pass after some significant amendments are offered and wrangled over. The Senate will then vote to substitute the wording from this bill for the House wording of HR 1960. The bill will then go to conference to work out the differences between the two bills. That won’t happen until sometime later this year, probably after the start of FY 2014.

NTSB Investigative Hearing Announced – 7-10-13

The National Transportation Safety Board published a hearing notice in Friday’s Federal Register (78 FR 39017-39018) concerning an investigative hearing that will be held in Washington, DC on July 10th, 2013. The hearing will be looking into the Conrail derailment outside of Paulsboro, NJ on November 30th, 2012, and the subsequent release of 180,000 lbs of vinyl chloride.

According to the notice, the hearing will discuss:

• Conrail bridge operations;
• Conrail procedures;
• Incident command actions and emergency response decisions in the first day;
• Hazardous materials emergency response operations;
• Roles of the response teams;
• Evacuations and communications;
• Incident response protocols;
• Hazmat training;
• Oversight of Paulsboro emergency preparedness;
• Roles of local, state and Federal agencies in emergency hazmat response; and
• Interaction between state and Federal agencies in establishing a unified command.

The NTSB intends to use this hearing to:

• Gather additional factual information regarding the actions of the first responders in Paulsboro;
• Explore the hierarchy of New Jersey State and local emergency management;
• Training, regulations and standards applicable to emergency response personnel; and
• Examine the oversight of the Paulsboro emergency operations.

The hearing will be open to the public and the NTSB will web cast the hearing on its web site.

NOTE: It will be interesting to see if the issue of dispersion modeling that I discussed here after that accident is raised.

HR 2466 Introduced – Trade Secrets

As I noted earlier, Rep. Lofgren (D,CA) introduced HR 2466, the Private Right of Action Against Theft of Trade Secrets Act of 2013. While the bill was apparently inspired by the large volume of intellectual property theft via cyber-espionage, there is nothing in this bill that makes the provisions specifically cybersecurity related; it would apply to all forms of trade secret theft.

Section 2 of this short bill would amend the criminal statute 18 USC 1832, Theft of Trade Secrets, by adding two new paragraphs. The first paragraph provides for the use of civil actions (lawsuits) by parties injured by theft of trade secrets to seek “compensatory damages and injunctive relief or other equitable relief” {§1832(c)}. It also provides a two-year time limit on pursuing such civil actions, the time running from the date of the theft or the “date of the discovery of the damage”.


The second added paragraph defines the term ‘without authorization’ used in the existing language of §1832 to ensure that reverse engineering or independently arriving at the same idea cannot be penalized under the section. While the clarification is certainly necessary, it does provide an increased level of complexity in both criminal and civil actions against theft of trade secrets.

Saturday, June 29, 2013

NIST Updates Progress on Framework

Yesterday the National Institute of Standards and Technology updated their Cybersecurity Framework web site to provide links to three new documents related to the President’s cybersecurity executive order (EO 13636). They just made their self-imposed deadline for getting the information out, but there should be adequate time for participants at the next Framework Workshop (to be held in San Diego) to review the documents and determine what specific changes they would like to see before the July 10th meeting.

The three documents are:


The Draft Framework

Actually this would be more accurately called a format for the Framework. There is some possible language in the document that might find its way into the Draft that will be submitted to the President this fall, but it is boilerplate language. Much of that language is a rehash of the President’s requirements for the Framework taken from the EO.

The parts of this document that will likely survive intact (in format anyway) to appear in the Draft Framework are found in links included in the document. Many of these are spread sheets and .PDF documents to be used by organizations implementing the Framework and will act as an implementation record for those organizations. The linked documents include:

• Function Matrix Shell (spreadsheet explanation);
• Draft Framework Compendium (embedded spreadsheet: Standards and information sources for cybersecurity);
• Framework Implementation Levels (Example for Framework data recording);
• Draft Illustrative Framework (embedded spreadsheet: Example of linking standards and information sources to implementation tasks); and

There is a long way to go to get from this document to a Draft Cybersecurity Framework this fall. I suspect that there will be significant changes to the documents format and a great deal of fleshing out of the details. I wish them the best of luck at the upcoming Cybersecurity Framework Workshops.

ICS Coverage

Having perused this document and various embedded and linked publications I feel a lot better about industrial control systems being included in the Framework coverage. There are numerous references to NERC CIP documents in the Compendium (I know; CIP is not strictly speaking a control system program, but it does include significant control systems mandates). And the Glossary definition of ‘Cyber Environment’ specifically includes a mention of ‘control systems’.


Having said that, this document demonstrates that the focus (but not the exclusive focus) of the Framework will be targeted on information security. I am afraid that the amount of attention that will be addressed at control system security issues will be minimal and ineffectual at best.

HR 2454 Introduced – Cybersecurity

As I mentioned last week Rep. Lofgren (D,CA) introduced HR 2454, Aaron’s Law Act of 2013. This bill was introduced in response to the suicide of Aaron Swartz, a noted activist/hacker, who apparently killed himself because of aggressive prosecution by federal authorities for hacking. The bill would revise the language of 18 USC 1030 to effectively change the definition of hacking from ‘exceeds authorized access’ to ‘access without authorization’.

Access Without Authorization

Section 2 of the bill replaces §1030(e)(6), removing the definition of ‘exceeds authorized access’ and adding the definition of ‘access without authorization’. The new term requires three components:

• The access must be made to “obtain information on a protected computer” {§1030(e)(6)(A)};
• The “accesser lacks authorization to obtain” {§1030(e)(6)(B)} access; and
• The access was gained by “knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information” {§1030(e)(6)(C)}.

The definition of the original term included language that encompassed either obtaining or altering information. The altering of information is not included in the definition of the new term.

Removes Fraud as an Offense

Section 3 of the bill removes §1030(a)(4). That paragraph made it an offense to “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value”.

There is no substitute fraud wording included in the bill.

Punishment

Section 4 of the bill modifies the language of §1030(c)(2). That paragraph sets forth the punishments authorized for violations of the provisions of the section.

Similar wording changes are made in two separate sub-paragraphs {§1030(c)(2)(A) and §1030(c)(2)(C)} in that the bill changes the wording from “after a conviction for another offense” to “after a subsequent offense”. Since an offense cannot occur after a subsequent offense (by definition a ‘subsequent offense’ must occur after the other offense), this wording will have to be modified.

The bill introduces the term “fair market value” in two subparagraphs {§1030(c)(2)(B)(i) and §1030(c)(2)(B)(iii)}. In the first it adds the requirement that the “fair market value of the information obtained exceeds $5,000” for cases where the offense was committed for commercial advantage or personal gain. The second replaces the term ‘value’ in requiring that the value of the information obtained exceeds $5,000.

Unintended Consequences

As I mentioned earlier, this bill is intended to lower the consequences of hacking that is done purely for reasons of social or political activism such as defacing a web site. Unfortunately it appears that there may be some unintended consequences to the proposed changes.

Currently, the only language in 18 USC 1030 that can be used to define as criminal an attack on an industrial control system is found in two subparagraphs of §1030(a)(5). They are:

“(B) intentionally accesses a protected computer without authorization, and as a result of
such conduct, recklessly causes damage; or

“(C) intentionally accesses a protected computer without authorization, and as a result of
such conduct, causes damage and loss.”

The current language of §1030 does not define ‘accesses without authorization’, so the courts have a certain amount of leeway in interpreting that term. The definition provided in this bill, however, specifically requires that the access must be made “to obtain information on a protected computer” {§1030(e)(6)(A)}. Thus it appears that changing the programming of an ICS system or device would no longer be a federal offense under §1030, even if the attack resulted in ‘damage or loss’, intended or otherwise.

Moving Forward

I don’t see the House, in the current environment of concern about cybersecurity, taking up any legislation that has the appearance of reducing the seriousness of any kind of cybersecurity attack. The Senate version of this bill {S 1196 introduced by Sen. Wyden (D,OR)} may have an easier time getting considered, but I still don’t see it overcoming general cybersecurity concerns.


Including this in an authorization bill or an appropriations bill is not an option. This changes a criminal statute and thus cannot be included in spending bills according to both House and Senate rules. Including this (with some modifications) in a comprehensive cybersecurity bill would provide the best chance of passage, but no one is seriously pushing such a bill at this time.

Friday, June 28, 2013

DHS Publishes ICS-CERT Monitor

Yesterday the DHS ICS-CERT published their now quarterly (formerly monthly) Monitor. This issue is important because it describes publicly for the first time the first really documented attacks (unsuccessful) on privately-owned control systems.

Pipeline Control System Attacks

We have been hearing about these pipeline attacks for some time now, but the article in the Monitor provides information about the extent of the attack without providing any sensitive details.

One of the more important pieces of information provided in the article was that the initial report to ICS-CERT of these attacks came from a single owner “about an increase in brute force attempts to access their process control network”. System logs identified 10 IP addresses associated with the attempted access. When ICS-CERT shared those addresses with other operators, similar attempted attacks were found in additional facilities’ system logs and more IP addresses were identified. This, again, demonstrates the need for maintaining and checking system logs.
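The two checks the paragraph describes, spotting a spike in failed logins in your own logs and then searching those same logs for addresses a peer or ICS-CERT has shared, are shown below as an added example; it is not code from the Monitor or from ICS-CERT, and the syslog lines, the host name `pcn-gw` and the indicator list are all constructed using documentation-range addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: sshd authentication messages from a hypothetical process
# control network jump host. One source hammers the host within seconds, one
# probes twice, one is a legitimate user who mistyped once, and one tries
# hourly so that a short counting window never catches it.
SAMPLE_LOG = """\
2013-06-20T02:14:01 pcn-gw sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
2013-06-20T02:14:03 pcn-gw sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
2013-06-20T02:14:06 pcn-gw sshd[4122]: Failed password for root from 198.51.100.23 port 51030 ssh2
2013-06-20T02:14:09 pcn-gw sshd[4122]: Failed password for root from 198.51.100.23 port 51030 ssh2
2013-06-20T02:14:12 pcn-gw sshd[4123]: Failed password for invalid user operator from 198.51.100.23 port 51044 ssh2
2013-06-20T02:14:15 pcn-gw sshd[4123]: Failed password for invalid user operator from 198.51.100.23 port 51044 ssh2
2013-06-20T03:02:40 pcn-gw sshd[4301]: Failed password for invalid user guest from 203.0.113.77 port 40012 ssh2
2013-06-20T03:02:44 pcn-gw sshd[4301]: Failed password for invalid user guest from 203.0.113.77 port 40012 ssh2
2013-06-20T08:15:22 pcn-gw sshd[5110]: Failed password for jsmith from 192.0.2.10 port 60231 ssh2
2013-06-20T08:15:30 pcn-gw sshd[5110]: Accepted password for jsmith from 192.0.2.10 port 60231 ssh2
2013-06-20T09:00:00 pcn-gw sshd[5200]: Failed password for root from 198.51.100.99 port 33001 ssh2
2013-06-20T10:00:00 pcn-gw sshd[5201]: Failed password for root from 198.51.100.99 port 33002 ssh2
2013-06-20T11:00:00 pcn-gw sshd[5202]: Failed password for root from 198.51.100.99 port 33003 ssh2
2013-06-20T12:00:00 pcn-gw sshd[5203]: Failed password for root from 198.51.100.99 port 33004 ssh2
2013-06-20T13:00:00 pcn-gw sshd[5204]: Failed password for root from 198.51.100.99 port 33005 ssh2
2013-06-20T14:00:00 pcn-gw sshd[5205]: Failed password for root from 198.51.100.99 port 33006 ssh2
"""

# Constructed stand-in for the address list a peer operator or ICS-CERT shared.
# Two of these appear in our logs below the brute-force threshold; one does not.
SHARED_INDICATORS = {"203.0.113.77", "198.51.100.99", "203.0.113.200"}

# Only failed authentications are of interest; "Accepted password" does not match.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source_ip) for every failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total_failures} for sources with at least `threshold`
    failures inside any sliding `window`. Low-and-slow sources escape this."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def match_shared_indicators(log_text, indicators):
    """Return the shared addresses that appear in our own failed-login records,
    regardless of volume: this is the second check the Monitor describes."""
    seen = {ip for _ts, _user, ip in parse_failures(log_text)}
    return sorted(seen & set(indicators))


def triage(log_text, indicators):
    """Combine both checks into one report a control-room analyst can act on."""
    return {
        "local_brute_force": find_brute_force(log_text),
        "shared_indicator_hits": match_shared_indicators(log_text, indicators),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, SHARED_INDICATORS)
    for ip, n in report["local_brute_force"].items():
        print(f"brute force from {ip}: {n} failures")
    for ip in report["shared_indicator_hits"]:
        print(f"shared indicator seen in our logs: {ip}")
```

Run against the constructed log, the volume check flags only 198.51.100.23, while the indicator check surfaces the two shared addresses that were too quiet to trip a threshold on their own.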

The article also mentions, for the first time that I have seen, the existence of the ‘Control Systems Center’ on the US-CERT Secure Portal and notes that:

“ICS-CERT periodically releases alerts, advisories, and indicator bulletins via the Control Systems Compartment of the US-CERT Secure Portal that provides critical infrastructure constituents with information intended to be useful for network defense.”

We have seen some of these documents make their way to the ICS-CERT web page, but only after they have been available for a couple of weeks on the Portal. It seems to me that owners and operators of control systems owe it to themselves to ensure that they at least have representatives who can routinely access and monitor this site for valuable information.

Outside Contributors

This issue marks the first time that the Monitor has included articles from outside contributors. Kyle Wilhoit from Trend Micro wrote “Your SCADA Devices Are Being Attacked” and Reid Wightman from IOActive wrote “Why Sanitize Excessed Equipment”. Both short pieces provide valuable information. Inclusion of these outside contributors can only make the Monitor more helpful and maybe bring it back to a mostly monthly publication.

Other Offerings

There is a summary type article about the recent Verizon 2013 data breach report. For those that don’t have time to read the gritty details of that report, this is a good summary. ICS-CERT notes that they were one of the 19 global reporters of incident data that helped Verizon with that report.

There is a belated report on the introduction of CSET 5.0. There is still some good information, particularly about the changes that will probably be included in the next version. The article notes that customer feedback is one of the sources of new ideas that ICS-CERT is trying to target in future versions. If you have ideas or comments, contact the ICS-CERT folks at cset@hq.dhs.gov.


All of the standard features we have come to expect in the Monitor are still here. The list of security researchers that are currently working with ICS-CERT continues to grow. All of these people should be encouraged to continue to publicly disclose (preferably through a coordinated disclosure, IMHO) ICS vulnerabilities that they discover. As a community we need to develop some way to reward them for their efforts so that they don’t have to sell their research to the highest bidder, who will probably keep the vulnerabilities quiet.

OMB Approves Emergency Renewal of TWIC ICR

The Office of Management and Budget (OMB) announced yesterday that it had approved a TSA emergency request for a modification of the Information Collection Request (ICR) for the Transportation Workers Identification Credential (TWIC) program. This is extremely odd, since OMB already approved this emergency request back in March. A follow-up request for a longer term approval of the revised ICR is already in the works.

A closer look at this request suggests that OMB is more than a little confused, or something out of the ordinary is occurring behind closed doors. Yesterday’s notice indicated that the requested change originated in November of last year (the same as the origination date of the earlier emergency request), but that the request wasn’t actually submitted to OMB until earlier this week (6-25-13).

To make things even more confusing the burden estimate numbers between the previous approved emergency request, this emergency request, and the follow-up request currently going through the public comment/review process do not match up. The table below shows the three sets of numbers.


                 Current        Previous       New Request
Response         1,008,304      852,310        Not Available
Time Burden      807,396        741,879        829,774
Cost             $52,146,260    $42,786,620    $47,633,777

There is no telling where the OMB got the data for yesterday’s action; it has not been included in any of the public TSA documents. As I noted in my earlier blog there was no data in the recent request about the number of expected responses. I do have a serious problem, though, with the estimated cost numbers (once again I must note that TSA is one of the few federal agencies that still includes cost estimates in their ICR submissions); with the time burden numbers on yesterday’s approved ICR falling between those of the two other requests, it is difficult to see how the estimated cost burden can be so much higher.

Now realistically, this is not a big issue. This whole ICR process is an administrative exercise that has no real meaning in the practical world. The submitting agency is only accountable to OMB for the accuracy of the information and OMB’s approval is a legal technicality that has been frequently ignored. The TWIC is still in use and people are still providing a great deal of information to TSA to get their cards issued or renewed.


Still, this does raise some questions about the whole ICR process.

Bills Introduced – 6-27-13

As we get closer to the summer recess we see an increase in the number of bills introduced, as many congress critters want to be able to brag about their efforts supporting their constituents during their many speeches and public appearances during their summer break. The five bills that I have identified as being of potential interest to the chemical security/safety and cybersecurity communities contain only one sure bet, HR 2556, but the remainder may contain provisions of interest or may have such provisions added during the legislative process.

The bills from yesterday include:

S 1243 Latest Title: An original bill making appropriations for the Departments of Transportation, and Housing and Urban Development, and related agencies for the fiscal year ending September 30, 2014, and for other purposes. Sponsor: Sen Murray, Patty (D,WA)

S 1244 Latest Title: An original bill making appropriations for Agriculture, Rural Development, Food and Drug Administration, and Related Agencies programs for the fiscal year ending September 30, 2014, and for other purposes. Sponsor: Sen Pryor, Mark L. (D,AR)

HR 2536 Latest Title: To amend the Elementary and Secondary Education Act of 1965 to strengthen elementary and secondary computer science education, and for other purposes. Sponsor: Rep Brooks, Susan W. (R,IN)

HR 2537 Latest Title: To amend title 49, United States Code, with respect to employee protective arrangements, and for other purposes. Sponsor: Rep Gingrey, Phil (R,GA)

HR 2556 Latest Title: To provide for the establishment of Vertical Centers of Excellence on Cybersecurity to create solutions to, and promote best practices for, industry-specific cybersecurity challenges. Sponsor: Rep Honda, Michael M. (D,CA)

HR 2536 is the iffiest of the five, but I would like to think that any real computer science education program in today’s world would include cybersecurity.

Thursday, June 27, 2013

PHMSA Publishes 60-day ICR Notice for Pipeline Reports

Today the Pipeline and Hazardous Materials Safety Administration (PHMSA) published a 60-day information collection request (ICR) notice in the Federal Register (78 FR 38803-38806) for the renewal of authority to collect pipeline safety information on seven separate pipeline reporting forms. This is an early renewal request because PHMSA is proposing changes to the information collected on these forms.

The forms covered by this ICR renewal request are:

• PHMSA F 7100.1 Incident Report—Gas Distribution System;
• PHMSA F 7100.1-2 Mechanical Fitting Failure Report Form for Calendar Year 20_ for Distribution Operators;
• PHMSA F 7100.2 Incident Report—Natural and Other Gas Transmission and Gathering Pipeline Systems;
• PHMSA F 7100.2-1 Annual Report for Calendar Year 20_ Natural and Other Gas Transmission and Gathering Pipeline Systems;
• PHMSA F 7100.3 Incident Report—Liquefied Natural Gas Facilities; and
• PHMSA F 7100.3-1 Annual Report for Calendar Year 20__ Liquefied Natural Gas Facilities

Gas Distribution Incident Report

Changes are being proposed in the following areas:

• Adding pipe material type of reconditioned cast iron;
• Adding commodity of landfill gas;
• Revise instructions for National Response Center number;
• Revise instructions for city;
• Revise instructions for county or parish;
• Revise instructions for incident preparer and authorizer; and

Mechanical Fitting Failure Report

Changes are being proposed in the following areas:

• Reporting “Incorrect Operations” as an apparent cause; and

Incident Report—Natural and Other Gas Transmission and Gathering Pipeline System

Changes are being proposed in the following areas:

• Restore MOAP established by section;
• Adding commodity of Landfill Gas;
• Revise instructions for National Response Center number;
• Revise instructions for city;
• Revise instructions for county or parish;
• Revise instructions for incident preparer and authorizer; and
• Estimated response and burden hours revision.

Annual Report—Natural and Other Gas Transmission and Gathering Pipeline Systems

PHMSA is proposing to remove Part C – Volume transported by transmission lines. In the future, if PHMSA needs this data it will be obtained from the FERC data, which covers the largest component of the volume information.

Incident Report—Liquefied Natural Gas Facilities

Changes are being proposed in the following areas:

• Limit location data to the State;
• Modify the “Regulated by” data; and

Annual Report for Calendar Year 20_ Liquefied Natural Gas Facilities

Changes are being proposed in the following areas:

• Require entry of interstate or intrastate field;

Change to Reporting Burden

PHMSA noted that they expect only one of the above set of revisions to result in changes to their burden estimate; the Mechanical Fitting report. The number of reports is being revised based upon recent history and the time for submission is being reduced from 1 hour per report to 30 minutes. The total change in the burden estimate is shown below. PHMSA does not explain how a decreased number of reports and a decreased reporting time result in an increase in the total annual burden hours.


                           Current    Proposed
Total Annual Responses     21,864     12,164
Total Annual Burden Hours  83,131     96,471

Public Comments

PHMSA is soliciting public comments on the proposed changes to the forms and the ICR. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2013-0084). Comments should be submitted by August 26th, 2013.

DHS Announces NIAC Meetings for July, August and September

Today DHS published a meeting notice in the Federal Register (78 FR 38723-38724) establishing public meeting dates for the National Infrastructure Advisory Council for the next three months. Those meeting dates are:

• July 17th, 2013;
• August 14th, 2013; and
• September 17th, 2013.


The general agenda for all three meetings will be nearly identical. The Department will update the Council on the status of the implementation of the Cybersecurity Executive Order (EO 13636) and Presidential Policy Directive 21. The Council will then discuss that implementation and provide their recommendations on how to proceed. A more detailed agenda for each meeting will be published on the NIAC web site no later than one week before the scheduled meeting.

Ethanol Safety Training

There is an interesting short article over at www.ProgressiveRailroading.com about a series of ethanol safety seminars that will be held in California next month. The training, co-hosted by the Renewable Fuels Association and the Ethanol Emergency Response Coalition (EERC), will address some of the peculiar problems that emergency responders will face with ethanol and ethanol-blended fuel incidents. Since ethanol fuels are typically moved by truck or rail (not pipeline, for a number of technical reasons), first responders far from ethanol production facilities (and their associated expertise) are having to deal with ethanol-related spills and fires.

The seminars will focus on:

• An introduction to ethanol and ethanol-blended fuels;
• Chemical and physical characteristics of ethanol and hydrocarbon fuels;
• Transportation and transfer of ethanol-blended fuels;
• Storage and dispensing locations;
• Firefighting foam principles and ethanol-blended fuel;
• Health and safety considerations for ethanol-blended fuel emergencies; and
• Tank farm and bulk storage fire incidents


For those not able to attend these seminars (and more are planned outside of California), the EERC has a web site with training materials for local responders to use to familiarize themselves with the ethanol response issues.

Wednesday, June 26, 2013

Update on West Fertilizer Hearing

The Senate Environment and Public Works Committee has updated their web site with additional information about tomorrow’s hearing on “Oversight of Federal Risk Management and Emergency Planning Programs to Prevent and Address Chemical Threats, Including the Events Leading Up to the Explosions in West, TX and Geismar, LA”.

The witness list is now up on the web site. Witnesses include:

• Rafael Moure-Eraso, Chemical Safety Board;
• Barry Breen, Environmental Protection Agency;
• Randall Sawyer, Contra Costa County, CA;
• Rick Webre, Ascension Parish, LA;
• Paul Orum, Coalition to Prevent Chemical Disasters;
• M. Sam Mannan, Mary Kay O'Connor Process Safety Center; and
• Kim Nibarger, United Steelworkers International Union

Well, this hearing is certainly not going to be about the West Fertilizer explosion; no one (with the exception of Mr. Moure-Eraso) has anything to do with the regulation of West Fertilizer, the emergency response to the accident, or the investigation of the incident. It’s not even about the Geismar, LA explosion; the sole Louisiana representative on the witness list is from the State Department of Homeland Security, mainly an emergency response agency.

As I noted in an earlier blog post about this hearing, this is going to be a hearing about inherently safer technology (IST). Both Orum and Mannan have a long history of being very intelligent advocates for the implementation of IST; Orum more from a political point of view and Mannan from a chemical process point of view. Contra Costa County has an effective regulatory program strongly encouraging IST implementation. The United Steelworkers have also been long-time political advocates for the mandatory implementation of IST programs.

I certainly believe that a coherent discussion of IST as part of a chemical safety program is important. The use of these two particular incidents, however, seems especially inappropriate where IST is a code-word for chemical substitution. There is no substitute chemical for ammonium nitrate fertilizer for a distributor whose customers want ammonium nitrate fertilizer. Propylene and ethylene (we are still not sure which was the root cause of the Geismar explosion) are basic chemical feedstocks for which there is no viable substitute.


Sen. Boxer (D,CA), the Committee Chair, has also been a long-time proponent for mandatory IST implementation. Given that there are no IST opposition voices included on the witness list and no chemical industry representatives, I expect that this will be a very one-sided hearing that will conclude that IST is the be-all and end-all of chemical/environmental safety. That is a shame as it will only contribute to the polarization of what should be a cooperative debate on the subject.

Bills Introduced – 06-25-13

Two bills were introduced yesterday that may be of potential interest to the chemical security/safety and cybersecurity communities. That ‘may be’ is a bit more tenuous today than normal; bill titles can be misleading. The two bills are:

HR 2495 Latest Title: To amend the Department of Energy High-End Computing Revitalization Act of 2004 to improve the high-end computing research and development program of the Department of Energy, and for other purposes. Sponsor: Rep Hultgren, Randy (R,IL)

HR 2498 Latest Title: To reauthorize agricultural programs through 2018. Sponsor: Rep Loebsack, David (D,IA)


These ‘High-End Computing’ bills frequently (but not nearly always) include significant cybersecurity provisions. This ag authorization bill might end up containing chemical safety and security provisions following the West Fertilizer explosion.

DHS ITF IdeaScale Cybersecurity Project – Risk Benefit Analysis

This is part of a continuing series of blog posts about the latest DHS-IdeaScale project to open a public dialog about homeland security topics. This dialog addresses the DHS Integrated Task Force project to help advance the DHS implementation of the President’s Cybersecurity Framework outlined in EO 13636. The earlier post in this series was:


Yesterday an interesting comment was left by Richard Bennett on my latest contribution to the IdeaScale Cybersecurity Project. While the question was left on my proposal for an information sharing program, it would apply to just about anything to do with the cybersecurity project. Richard asked:

“DHS and industry may be talking past each other when speaking of "actionable intelligence" since the question is not "can you do something?" but rather "should we do something?". When the level of service for water, electricity, waste disposal or such is deemed acceptable when natural disasters can cause weeks-long outages, it is difficult to say that marginal improvements in preventing a man-made outage are worth the effort.”

Similarities to Regional Storm Damage

While the question would certainly have a different response for a commercial production facility, it is apparent that the shutting down of a public utility on a regional level is something that we have come to tolerate with a modicum of discomfort. As long as a utility production facility is not catastrophically destroyed, wouldn’t the damage from a cyber-attack be ‘as easy’ to repair as say an outage caused by a large hurricane, flood or snowstorm?

Actually, cyber-damage should be easier to repair because the damage would not be spread over a wide geographic area, as the damage to power lines after a major storm is. Additionally, the crews would not have to deal with the proximate cause of the damage (downed tree limbs, for example) before they could repair the actual system damage.

Differences

There is one significant difference that might make cyber-attack damage more of an issue than say utility damage from a hurricane. Large-scale damaging weather events are usually forecast a couple of days in advance. People have a chance to fine-tune their emergency response plan before the damage occurs. Individuals have a chance to go to the store to stock-up on emergency supplies before the incident and utilities have a chance to stage response-personnel near the to-be-damaged area before the damage occurs.

Another, harder to quantify difference would be the psychological and sociological aspects of the response. With a storm there is a chance to mentally prepare oneself for the potential effects of the storm damage. In a terrorist attack, that does not occur. Additionally, in a properly conducted terror attack, there is the additional unknown factor about what else might also be about to be attacked. Panic brought about by the fear of the unknown is something that would be expected to be more of a problem with a terror attack than with storm damage.

Issues Discussion

Richard’s response to my suggestion is a perfect example of the benefit we can derive from these IdeaScale projects. Ideas can get discussed in a public venue with input from a wide variety of personnel with different backgrounds and experiences. Anyone can put forward an idea, and everyone can respond to that idea in a public venue that can engender further input.


Once again, I would like to take the opportunity to urge everyone to visit this IdeaScale site and put in your two cents worth. If you have no more time available than to read a couple of the ideas that catch your fancy, please vote on whether or not you think the idea has merit. If you have more time available, contribute a comment like Richard did; it will add to the discussion. But better yet, put one of your ideas down on paper and then post it to the site for others to read, vote upon and discuss. Be a real contributor to the development of national policy.

Tuesday, June 25, 2013

Rules Committee Adopts Open Rule for HR 2410

This evening the House Rules Committee adopted H. Res 274 that includes the rule for the consideration of HR 2410, the Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Appropriations Act, 2014. This will be the standard open rule that the House Republican Leadership has used for the consideration for appropriations bills in the 112th and 113th Congress.

The House will act as a Committee of the Whole House to consider HR 2410. The Clerk will read the bill and as the appropriate sections of the bill are reached, members will rise to offer amendments to the bill. When two or more members rise to offer amendments to the same section, the Chair (appointed by the Speaker) will give priority recognition to the amendment that was previously published in the Congressional Record (None have been offered yet).

Once again I expect that there will be at least one chemical security amendment addressing the involvement of the Department of Agriculture (USDA) in chemical security and chemical safety efforts. Considering that I have been hearing some rumors that ISCD will try to address the current temporary Top Screen exemption given to agricultural producers, I also expect that there may be attempts to limit the ability of ISCD to collect Top Screen data from producers.


The Rules Committee web page indicates that the House Leadership has not yet set a date for the debate of HR 2410. The other two bills considered in this hearing (HR 1613 and HR 2231) will be on the House floor for the remainder of the week. Next week will be the Fourth of July recess, so this bill probably won’t be debated until the week of July 8th. One would like to think that the House leadership will use that time to make sure that they have the votes for the final passage of this bill.

DHS Chemical Security Web Page Restored

Last week I noted a change in the Critical Infrastructure: Chemical Security web site that eliminated a number of valuable links. Today that web page was restored to its former state along with all of the links. The fact that neither change was accompanied or explained by an email announcing the change (I have signed up for such notifications; it’s a readily available service for selected DHS web pages) may just mean that this was one of those inadvertent changes that crop up in active web sites from time to time.

The later changes to the CSAT SVA web site upon which I reported are still in place and are, to my mind, clearly intended and justified changes (well the change in SVA response time at least) to the processes. There is no change notification process for that site, but it would still have been helpful if a notice about those changes had been posted somewhere on the DHS web site (probably the CFATS Knowledge Center).

And again, the changes to the CFATS Help Desk operating hours that I reported yesterday are still in place (again for fairly obvious, if unstated, reasons).

Now I am very happy to see the information links restored to the Chemical Security web site and I’m willing to accept that that was an unintended change. The other changes, however, were intended and, if my assumptions are correct, justifiable and well intentioned. What I continue to object to is the apparent reversion to a version of the CFATS enforcement where ISCD did not talk to the regulated community.


I hope that I am wrong and the failure to communicate these changes was just an oversight.

FirstNet Short Notice Teleconference – 6-27-13

The National Telecommunications and Information Administration (NTIA) published a meeting notice in today’s Federal Register (78 FR 38014) concerning a public teleconference that the First Responder Network Authority (FirstNet) Board will be conducting on June 27th, 2013 at 1:00 pm EDT.

The notice indicates that the agenda for the meeting will be published on the FirstNet website, but there is nothing there as of 6:30 am EDT.

There is nothing in the notice that indicates why this very short notice for a public meeting has been issued. The only thing of current note on the FirstNet web site is the on-going negotiations with Broadband Technology Opportunities Program (BTOP) for spectrum lease agreements.


Personnel wishing to listen to the teleconference may dial in on a limited, first-come, first-serve basis (1 (888) 469-3306 and use passcode “FirstNet”).

NARA Announces NISPPAC Meeting – 7-17-13

Today the National Archives and Records Administration (NARA) published a meeting notice in the Federal Register (78 FR 38077) for a July 17th meeting of the National Industrial Security Program Policy Advisory Committee (NISPPAC) in Washington, DC.

There is no information in the notice about the agenda, and the NISPPAC web page does not appear to publish agendas in advance of their meetings.


Anyone wishing to attend this public meeting must register with the Information Security Oversight Office (ISOO) by contacting David Best (david.best@nara.gov) by July 12th, 2013.

Monday, June 24, 2013

Rules Committee Updates Info for HR 2410 Hearing

The House Rules Committee web site now has a link to both HR 2410, the FY 2014 Ag spending bill, and the Appropriations Committee Report (H. Rept 113-116). Having done a quick review of both, I can find no specific mention of chemical security, chemical safety or cybersecurity in the bill (beyond an appropriation for cybersecurity measures for the Department’s computer networks).


I still suspect that we will see a floor amendment to this bill that would in some way appropriate monies for addressing AG related chemical security issues. It might even be mentioned in tomorrow’s Rules Committee Hearing.

CFATS Knowledge Center Update – 06-24-13

Today the folks at DHS Infrastructure Security Compliance Division (ISCD) updated the CFATS Knowledge Center, revising two of the responses to Frequently Asked Questions (FAQ). The FAQs that were updated were #1390 and #1647 (sorry, but there are no permanent links to the FAQs).

The same change was made to both responses: the hours of operation of the CFATS Help Desk were changed from 07:00 am through 07:00 pm to 08:30 am through 5:00 pm. There is no explanation given for the change in hours, but it doesn’t take a genius to guess that it is a cost saving measure. We all hate that something like this is necessary, but that is the type of action that the Sequestration demands.

Having said that, I do think that it is sad that ISCD has again made changes to a FAQ response (again a legitimate change) without actually notifying anyone about the change. This is certainly a small thing (especially since callers get a message providing the new hours when they call while the Help Desk is closed), but it is part of a recent pattern of not communicating with the regulated community.


We had begun to once again expect better of ISCD. Please don’t make this a permanent part of the ISCD regulatory model.

Comments on GSA-DOD Cybersecurity RFI – 6-22-13

This is part of a continuing series of blog posts concerning the GSA-DOD request for information (RFI) concerning the use of federal acquisition regulations (FAR) as incentives to participate in the President’s Cybersecurity Framework being developed by NIST. The first post in the series was:


The comment period on this RFI closed on June 12th and the second batch of responses was posted to the docket on June 18th. Of course the GSA/DOD report to the President was due on June 19th {EO 13636, §3(e)}, so this was mainly an exercise in futility except for those entities that were preferentially given advance copies of the draft GSA/DOD report upon which to base their comments (see comments from ACT-ICT and Tech-America).

EO Mandates

Dakkota Integrated Systems suggests that EO 13636 should be used as the authority to “compel the acquisition of secure IT and telecommunications equipment by critical infrastructure elements” (pg 3).

CTIA, the Wireless Association, takes an opposing stance noting that “GSA should not seek to use procurement policy as a lever to effectively enforce compliance with otherwise “voluntary” programs that may come out of the EO” (pg 7, Adobe 9).

The Professional Services Council (PSC) suggests that the NIST Cybersecurity Framework be completed before GSA takes any steps to implement additional cybersecurity requirements in the FARS process, noting that “the cybersecurity framework should drive acquisition requirements, not vice versa” (pg 5).

Limit Acquisition to US Manufacturers

Dakkota maintains that the only way to ensure that supply chain inspections (from component manufacture to secure installation) can verify that devices have not been compromised is to limit the acquisition process to US manufacturers.

Lineage Technologies notes the problems associated with ensuring that security standards are maintained in overseas manufacturers. They explain that: “China and other nations have restricted enforcement, characterizing inspection, verification, validation and related activities as breaches to their national sovereignty.” (pg 3)

CTIA notes that component testing by independent laboratories can ensure that a global supply chain can be used to produce lower cost secure systems. Lineage thinks that existing testing methodologies are not adequate for new chip designs and suggests that new testing methodologies need to be developed and adopted.

The US Chamber of Commerce notes that limiting the acquisition process to US manufacturers would cause other countries to do the same, hurting the ability of US manufacturers to compete in the global market.

Data Breach Notification

The American Bar Association notes that each state has its own requirements for data breach notification. They recommend that “either a “unified” federal standard or a consistent state model law” should be developed.

Wide Application of Covered Systems

Dakkota suggests that secure acquisition rules extend to the widest possible definition of equipment connected to sensitive networks due to “potential exposure for chain-link events to infect connected networks”.

Serco notes that due “to the increasing threat federal cyber standards should apply to all electronic devices”. (Response to Question #8)

On the other hand, the PSC suggests that “acquisitions in which the contract requirements present a low risk of cyber intrusion should include only minimal or basic cybersecurity requirements” (pgs 2-3).

SRA International suggests that a tiered approach to security requirements based upon the level of access to critical systems presents the best approach to securing critical infrastructure cyber-systems. They propose a base level of security standards based upon specific measures in NIST 800-53 controls and higher requirements based upon FISMA risk management standards.

Evaluating Suppliers

Rapid7, a cybersecurity research firm, uses the following four step process to evaluate the security programs of vendors:

• Identify vendor security practices;
• Validate vendor security practices;
• Check solution logs; and
• Identify and refine access management controls for the solution.

Barriers to Entry

Wyle, an R&D organization providing cyber support to DOD, addressed the issues of limiting barriers to entry into the federal acquisition process by noting that:

“Effective cybersecurity requires all stakeholders to make significant investments in personnel, training, organization and infrastructure to establish and maintain a common level of security within a circle of trust.” (pg 4)

Tibbs Information Systems (TIS) suggests that a solution to this relatively high cost of entry would have to include financial “subsidizing to small/disadvantaged firms to enact cybersecurity protocols on a universal system while still maintaining competition and fairness” (pg 2). They further suggest that the development of a “’security startup’ package could be provided to new firms to expedite their development” (pg 4).

Cost of Secure Systems

Dakkota expects that the cost of secure equipment (made by trusted US manufacturers shipped and installed via a controlled process) will be about 2.5 times the cost of off the shelf equipment.

Moving Forward

The comment period is now closed, but (given the GSA performance on posting responses to the RFI docket) there is no telling if there are other comments still pending. In any case the date for the GSA/DOD report to the President has also passed, so additional comments would serve little or no purpose.

It is not clear whether or not the Administration will publish a copy of the GSA/DOD report to the President when it gets (was?) published. What is clear is that any significant changes to the acquisition process will have to go through the regulatory process. This is where the Obama programs have had a tendency to stall.


It will be interesting to see if/what the GSA makes public about their analysis of these comments and the report they prepare for the President.

Congressional Hearings – Week of 6-23-13

Three spending bills are on the hearing agenda this week as we get ever closer to the ‘Summer Recess’ in August. Railroad policy and the West Fertilizer Explosion also make the list of hearings that might be of interest to the chemical safety/security and the cybersecurity communities this coming week.

Spending Bills

The House Rules Committee will hold a hearing to look at rules for three separate bills on Tuesday evening. One of the bills will be HR 2410, the Agriculture and related agencies spending bill. The draft of this bill was released last week and I did not see any specific chemical safety or chemical transportation issues addressed. After the failure of HR 1947 last week, I expect that we might see the Ag chemical security amendment being offered for this bill.

Both the House and Senate Appropriations Committees will be dealing with the final markup of their separate versions of the Transportation spending bill. The House full Committee hearing will be on Wednesday. The Senate Transportation, Housing and Urban Development Subcommittee will hold their markup on Tuesday, and the Senate full Committee hearing will be on Thursday. As I reported last week, the House subcommittee draft did not contain chemical safety or security measures. I haven’t seen a draft of the Senate bill yet.

Rail Policy

On Thursday the Railroads, Pipelines and Hazardous Materials Subcommittee of the House Transportation and Infrastructure Committee will hold a hearing on “National Rail Policy: Examining Goals, Objectives, and Responsibilities”. There is a possibility that chemical transportation issues might be addressed, particularly toxic inhalation hazard (TIH) chemicals.

The witness list includes:

• Joseph Szabo, Federal Railroad Administration
• Michael P. Melaniphy, American Public Transportation Association
• Edward Hamberger, Association of American Railroads
• Mike Lewis, American Association of State Highway & Transportation Officials
• John P. Tolman, Brotherhood of Locomotive Engineers and Trainmen

West Fertilizer Explosion

On Thursday the Senate Environment and Public Works Committee will hold the long promised hearing on the West Fertilizer Explosion. The purpose of the hearing will be muddied somewhat since the hearing will actually look at the “Events Up to the Explosions in West, TX and Geismar, LA”. It is disappointing that the Geismar explosion, at a regulated facility, is going to be combined with the explosion at West, at an unregulated (or at the very least under-regulated) facility.

No witness list is yet available, but I suspect that the major focus of this hearing will now be inherently safer technology (IST). That is unfortunate because it doesn’t appear that either facility would have been affected by such a measure.