Saturday, August 31, 2013

OMB Approves PHMSA Rail Safety ANPRM

Yesterday the Office of Management and Budget announced that it had approved, consistent with change, the advance notice of proposed rulemaking (ANPRM) on hazmat rail safety from the Pipeline and Hazardous Material Safety Administration that I had briefly discussed in a previous blog.

The Unified Agenda describes this proposed rulemaking this way:

“PHMSA is considering amendments that would enhance safety and revise and clarify the HMR applicable to the transportation of hazardous materials by rail. This action responds to petitions for rulemaking submitted by the regulated community and NTSB recommendations that are associated with the petitions.”

The rulemaking looks like it will include:

•Identifying elements of non-conformity that do not require a movement approval from the Federal Railroad Administration (FRA);
•Correcting an unsafe condition associated with pressure relief valves (PRV) on rail cars transporting carbon dioxide, refrigerated liquid;
•Revising outdated regulations applicable to the repair and maintenance of DOT Specification 110, DOT Specification 106, and ICC 27 tank car tanks (ton tanks);
•Excepting ruptured discs from removal if the inspection itself damages, changes, or alters the intended operation of the device; and
•Enhancing the standards for DOT Specification 111 tank cars used to transport Packing Group I and II hazardous materials.


It looks like PHMSA is on track for issuing this ANPRM (HM-251) in September as outlined in the Unified Agenda. Depending on how extensive the OMB directed changes were, I think that we can expect to see this ANPRM in a couple of weeks.

BTW: This might end up being a good regulatory vehicle for addressing the safety issues associated with the Canadian crude oil incident.

Cybersecurity Framework Update – 8-31-13

As just about anyone who comments on cybersecurity issues has noted on a wide variety of social networking outlets the last couple of days, the folks at the NIST Information Technology Laboratory (ITL) published the promised Discussion Draft of the Preliminary Cybersecurity Framework. The tweaking of this document will be one of the prime activities that will take place next month at the 4th Cybersecurity Framework Workshop in Dallas, TX.

Actually the ITL folks have been much more prolific than that. There are actually four new discussion draft documents posted to their Cybersecurity Framework web site as well as an updated draft agenda for the Dallas Workshop. The four new discussion draft documents are:

• A collection of Illustrative Examples;
• A control system specific illustrative example, an ICS Profile for the Electrical Subsector.

Each of the above documents deserve detailed examination and I’ll probably comment on them in more detail (particularly the last document) in future posts. Today I’ll take a quick look at the new draft agenda focusing on the changes from the previous version posted earlier this month. There are no real changes to the agenda, just a fleshing out of some of the details.

The previously ‘to be determined’ panel discussions have now been identified:

• Threat Panel (9-11 am) – a discussion of “how threat information can inform the development of the Cybersecurity Framework and how it can be utilized in an organization’s risk management process”;
• Insurance Panel (9-12 am) – a discussion of “the current state of the cybersecurity insurance market, how the Cybersecurity Framework could help insurance carriers grow the first-party market and be incorporated into underwriting/brokering processes, and anticipated challenges that may arise”;
• Cross-sector Panel (9-12 am) – a discussion of the “applicability of the Cybersecurity • Framework to a range of diverse sectors and organizations”; and
• Implementation Panel (9-13 am) – a discussion of “the harmonization of existing practices and standards with the Cybersecurity Framework”.

The breakout groups that will form the working sessions have also been identified:

• Framework Presentation and Tools;
• Framework Implementation Tiers;
• Framework Governance;
• Areas for Improvement for the Cybersecurity Framework;
• Executive Engagement; and
• DHS Voluntary Program


It certainly looks like an interesting workshop and I look forward to being able to participate.

Friday, August 30, 2013

FRA Requests Emergency Safety ICR

Today the Federal Railroad Administration published an emergency information collection request (ICR) in the Federal Register (78 FR 53818-53819) supporting their recent Emergency Order 28. The FRA is asking for OMB approval of the ICR by September 1st for 180 days’ worth of information collections.

The ICR would cover the requirements from the Emergency Order to:

Develop a plan to identify specific locations and circumstances when HAZMAT trains or vehicles may be left unattended;
Communicate, record, and verify securement information about HAZMAT trains that are left unattended;
Review and revise procedures for determining the number of hand brakes that must be set on HAZMAT trains that are left unattended;
Implement procedures for discussing process for security HAZMAT trains that are to be left unattended; and
Establish procedures to ensure job briefings of all employees that will conduct train securement of HAZMAT trains to be left unattended.

These requirements were already set in place by Emergency Order #28, this ICR would provide administrative approval for FRA to require the developing and maintaining of the documentation demonstrating compliance with the requirements.


The FRA estimates that the 655 railroad covered by this order in the United States will have a total of over 23 million individual responses to these requirements over the next year for a total of over 1.9 million hours of regulatory burden. No estimate is made of how much this regulatory burden will cost the railroad industry. Neither does this emergency ICR address the additional burden associated with the joint safety advisory published on the same day and topic by the FRA and PHMSA.

FRA Announces Potential RSAC Actions

Yesterday a press release from the Federal Railroad Administration (FRA) announced the results from the Railroad Safety Advisory Committee’s emergency meeting to discuss potential regulatory actions that the FRA might consider in light of the Canadian oil train derailment earlier this summer.

During the meeting the RSAC agreed to address four areas:

• The appropriate train crew size;
• The requirements for the securement of trains;
• The operational testing for employees to ensure appropriate processes and procedures for securing trains are followed; and
• The hazardous materials issues relating to the identification, classification, operational control and handling of such shipments in transportation. 

Since part of the RSAC mandates is to examine safety issues and identify “cost effective solutions based on the agreed-upon facts; and identify regulatory options where necessary to implement those solutions”, it is very possible that regulatory actions might result from this process.


But don’t expect quick action. The RSAC operates on a consensus building process and then its recommendations for legislative action must be referred to FRA and DOT for subsequent action. And then, of course, the whole public publish, response and review process still has to unfold. The first step, the RSAC recommendations, is supposed to be filed with the FRA by April of next year.

Thursday, August 29, 2013

ICS-CERT Publishes Another Crain-Sistrunk Advisory

Today ICS-CERT published an advisory for a buffer overflow vulnerability on the MatrikonOPC SCADA DNP3 OPC Server. Actually the document published today is a revised version of an advisory published on the US-CERT secure Portal back on August 2nd. The vulnerability was reported by Adam Crain and Chris Sistrunk in a coordinated disclosure.

The Advisory

ICS-CERT reported that the vulnerability can be remotely exploited by a moderately skilled attacker to execute a DOS attack. MatrikonOPC insists that an exploit would require “in-depth technical knowledge of the DNP3 protocol and the specific vulnerability in the MatrikonOPC software”. I guess (sarcasm alert) that Adam and Chris were just lucky to be able to find the ‘specific vulnerability’.

MatrikonOPC has developed a new version of the OPC Server for DNP3 that eliminates this vulnerability. ICS-CERT reports that Adam has verified the efficacy of the update.

The Update

As I noted earlier this publicly available version of the advisory is actually an update of the earlier, limited release version. There are two changes listed in the update; a more detailed explanation of the mechanism of the vulnerability and an additional suggested mitigation to prevent the vulnerability from being remotely accessible.

The update notes that the server only stops communication because of this vulnerability after receiving a malformed DNP3 packet from a device. In an unusual move ICS-CERT added additional language indicating that Adam and Chris suggested that an additional mitigation measure would be to block “DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DPN3-specific (sic) rule sets”.


This is actually a pretty specific expansion of a standard ICS-CERT recommendation to protect control systems from unauthorized access via the use of a firewall or IPS. It is not surprising that Adam and Chris would focus on DNP3 communications since this is an area that they have been spending a great deal of time investigating here recently. It might be interesting if they were to post on the Automatak blog a more detailed discussion about the types of DNP3 rule sets that would provide additional control system protections for DNP3 servers in general.

First Responders Community of Practice ICR Renewal – 60-day Notice

Today the DHS Science and Technology Directorate published a 60-day information collection request (ICR) notice in the Federal Register (78 FR 53464) for the renewal of their ICR (1640-0016) supporting their First Responders Community of Practice web site. This limited access web site allows for the exchange of information between registered members of the first responder community.

The previous renewal of this ICR only provided a one-year extension of the ICR. In the previous approval OMB noted that DHS should provide the following information in the next submission to justify the continued collection of the required information:

• How the First Responders Community of Practice is being used.
• Has the intended audience been reached?
• An analysis by DHS of the practical utility of the collection.
• An analysis by DHS of other similar platforms currently in use by first responders.

The requested information has not been provided in this ICR submission. I suspect that, unless the requested information is added to the 30-day submission notice that this ICR will be rejected by OMB. It would have been nice to have that information available for the 60-day public comment period.


NOTE: This submission continues the current practice of not including a cost burden estimate. The previously approved ICR showed an estimated annual cost burden of $50,000 for 2,000 (registration) responses at a half-hour each. This comes out to $50/hour for the value of a first responder’s time. I know that they wish they got paid that much.

OMB Approves Chemical Defense Project ICR

The Office of Management and Budget announced yesterday that it had approved the information collection request (ICR) for the DHS Office of Health Affairs (OHA) Chemical Defense Program. This ICR would allow the OHA to collect application information for proposed demonstration project aimed at developing a comprehensive chemical defense framework.

The announcement notes that the approval was made ‘with change’. The only change actually noted was that OMB approved the ICR for eighteen months rather than the requested (and standard) months. No reason was given for the change.

While there is nothing on the OHA web site about this program I know that demonstration projects have already been undertaken. The classic example is the Boston subway chemical dispersion project of a couple of years ago. I have already discussed some of the projects that I would like to see addressed in this program in my post on the 60-day ICR submission.

Copies of the project submission form can be downloaded from the OMB site (since OHA does not make them available on line). State, Local, Tribal and Territorial (SLTT) agencies may submit the completed form to CAPT Joselito Ignacio (joselito.ignacio@hq.dhs.gov).


NOTE: Congress is considering extending this small ($0.8 million) program in the current DHS funding bill.

Wednesday, August 28, 2013

ICS-CERT Publishes Deceptively Simple Advisory

Today the DHS ICS-CERT published an advisory for twin improper input validation vulnerabilities in products from Triangle MicrWorks. The vulnerabilities were reported by Adam Crain and Chis Sistrunk in a coordinated disclosure.

The Advisory

ICS-CERT reports that the twin vulnerabilities exist separately in serial and IP communications. The serial version is only locally exploitable and the IP version may be remotely exploited. ICS-CERT reports that a higher skill level is required to exploit the serial version of the vulnerability because “physical access to the device or some amount of social engineering is required”. I’m not sure why social engineering skills are considered to be a ‘high skill level’ unless they have determined that advanced social engineering skills are required for the serial exploit.

According to ICS-CERT the successful exploit of either version of the vulnerability could result in a denial of service situation because the software could be sent “into an infinite loop” requiring a manual reset.

Triangle MicroWorks has produced an update and release notes to resolve the vulnerabilities. Actually a causal review of the release notes makes it clear that much (32 pages of much) more than just this vulnerability was fixed in this update. It makes good sense to fix multiple problems in a single update, but I have to wonder if the release was delayed to fix these security vulnerabilities or if the release of the security fix was delayed to fix other problems as well. ICS-CERT reports that Adam has validated the efficacy of the update.

The Rest of the Story (apologies to Paul Harvey)

I got an interesting email from Adam pointing out that this is a bigger issue than it may look like in the advisory. Adam notes:

“Note that this is a source code library. TMW has > 50% market share. We don't know where this code is deployed/sold and DHS lacks authority to force disclosure.”

Now this is not an uncommon problem. In fact, I have mentioned similar situations with a number of software vulnerabilities as have others. Fortunately (sarcasm alert) this is only a denial of service vulnerability. It’s not like it allows an attacker to execute arbitrary code, so it’s not a real problem (end sarcasm alert).

Adam makes a good point about the lack of authority of DHS, except that he’s making that lack of authority too specific in his complaint. Let’s face it, outside of the federal government, DHS (and most emphatically including ICS-CERT) has no cybersecurity authority to compel industry to do anything. At most they have the gentle power of persuasion and the threat of disclosure to try to modify the behavior of the advised (as opposed to regulated) industries.

If this had been an uncoordinated disclosure, Adam would have had exploit code posted on a web site somewhere and other researchers could have explored other DNP3 applications to see if the same exploit could be found on other systems. Without that that other researchers will just have to look at a variety of TCP packets to see what works on the Triangle MicroWorks supported systems  and then evaluate the rediscovered exploits (or maybe new ones, you never can tell) on other systems. That probably won’t be a significant delay.

This raises a couple of interesting questions:

How many of the ‘other’ researchers will notify the vendor in a coordinated disclosure versus selling the vulnerability to the highest bidder?

Has Triangle MicroWorks notified each of it customers that the vulnerability is affecting their systems?


How many of the downstream vendors do not have the  application expertise to adapt the Triangle MicroWorks update to their own system.

CFATS PSP and TWIC

I’m hearing rumors that DHS is getting close to the point where they will be issuing their 30-day notice for the information collection request supporting the CFATS personnel surety program (PSP). I did a series of blogs (the last in the series contains links to the others) on the comments that were received when DHS published the 60-day notice. This is part of a continuing series looking at some of the issues that will need to be addressed in the 30-day notice. Earlier posts in the series were:


In this post I would like to address some of the issues with the use of the TWIC as part of the CFATS PSP. The folks at ISCD did not think that the TWIC would form a major part of the facility PSP program, but the comments received would tend to indicate otherwise. This means that ISCD will have to make some modifications to the way the PSP deals with TWIC.

Facilities in and near port areas will find a large resident population that hold Transportation Worker Identification Credentials (TWIC). This will be especially true of the trades that commonly work in and around industrial facilities. Facilities will find it very helpful to include the use of the TWIC to vet contractor personnel moving in and out of the facility.

Truck drivers are another area where ISCD can expect to see wide spread use of the TWIC as part of the facility PSP. I fully expect that most facilities will require delivery drivers, particularly bulk carrier drivers who will have the most intimate access to critical areas of the facility, to present a TWIC as a prerequisite for facility entry. This will be the only way that a timely vetting of these drivers will be possible.

The 60-day notice made it clear that there will be no mandate to actually use TWIC Readers at the gate to verify the TWIC upon each entrance to the facility, but it did suggest that the TWIC could not be used purely as a flash pass either. Of course, part of the reason for any additional specificity in describing how often a TWIC would need to be verified by a Reader is the §550 prohibition on specifying the use of a particular security measure. Still ISCD will need to specifically state that electronic verification of a TWIC will (or will not) be necessary and whether or not it will have to be periodically repeated.

It is possible that ISCD may provide facilities with a dual option on the use of the TWIC. The TWIC might be allowed as a flash pass system if a listing of such TWICs (with only limited information required; name and TWIC # for instance) is provided to ISCD as part of the facility PSP data submission. Periodic use of a TWIC Reader may be allowed in lieu of such a submission. As I mentioned in the last post in this series a copy of the proposed CSAT PSP tool would go a long way to making the requirements clearer.


Actually, it may be difficult for ISCD to ‘require’ the electronic verification of the TWIC as part of the PSP until such verification is required as part of the MTSA PSP. It certainly looks like the CFATS PSP could be approved before the Coast Guard is able to get a TWIC Reader Rule published, particularly if various Congressional committees get involved.

Tuesday, August 27, 2013

FRA-PHMSA Meeting Agenda – 8-27-13

Today is the first of a two-day joint public meeting between the Federal Railroad Administration (FRA) and the Pipeline and Hazardous Materials Safety Administration (PHMSA) that I previously mentioned. The agenda for the meeting is available on line and it may not be too late to sign-up for the teleconference link.

There are a couple of interesting topics on the agenda for today. They include a discussion of the §174.24 requirement for train crews to have information on hazmat materials physically on hand and a discussion of §174.67 requirements for transloading operations.


The biggest non-surprise of the agenda is tomorrow’s discussion about the safe transportation of crude oil, ethanol and flammable gasses. Much of the discussion will presage the Railroad Safety Advisory Committee meeting on Thursday to specifically discuss the safety response to the Canadian crude oil train derailment. The agenda for that meeting is supposed to be published by tomorrow.

Reader Email – PSP Terrorist Match Notifications

A long time reader with more than a little experience in government regulatory affairs sent me a brief email yesterday about my recent blog post on the CFATS personnel surety program (PSP). While agreeing with much of what I said he made the following very important observation:

However, what the public, especially industry DOES have a right to is a specific, clear SOP that the govt will follow in the event of a positive match.  There is no reason on earth why ISCD cannot provide the SOP as part of the public information package on this.  Knowing how a positive match will be handled will go a long way toward assuaging the concerns of an increasingly skeptical workforce (and public). 

I am not sure what kind of detail such an SOP would entail since much of it would depend on the response of the TSA and the FBI to each particular instance of a positive Terrorist Screening Database (TSDB) match,  but I agree that the publication of such a document would at least provide a better understanding of how the Department would address their response to such a match. That would allow for a more intelligent conversation on the topic if nothing else.

This brings up another of the frequently heard complaints about the PSP process to date. The use of the information collection request (ICR) process to introduce the program of necessity leaves a number of questions unanswered. To be fair the 60-day notice is one of the most comprehensive ICR notices that I have seen, but it is not a rulemaking notice. It certainly provides most of the information one would expect in an notice of proposed rulemaking, but it does not address all of the legal technicalities of the rule making process. I am sure that the Department’s legal staff has vetted this process, but an NPRM (which would include the ICR notice) would have made the industry feel better about the process.

I think that the folks at ISCD could make things go a lot smoother upon the publication of their 30-day ICR notice (which I expect – hopefully – in the next couple of months) if they put up a CFATS-PSP web site that showed the proposed PSP tool for CSAT, a positive match response plan, and a more detailed discussion of how TWICs would be expected to be used for both facility personnel and ‘visitors’ like truck drivers and train crews.

The more information that ISCD can provide in advance of the 30-day ICR notice the fewer and less vociferous will be complaints sent to the OMB about the ICR. Everyone has to remember that the typical OMB response to ICR complaints is foot dragging in the approval process. That would not benefit anyone, ISCD or industry, in this case. We need a way, sooner rather than later, for facilities to ensure that their workforce and visitors do not include known or suspected terrorists. 

DOT Announces Connected Vehicle Research Meeting – 9-24-13

Today the DOT Intelligent Transportation Systems Joint Program Office (ITS-JPO) published  a meeting notice in the Federal Register (78 FR 42997) for the annual public meeting about the connected vehicle research program. The notice describes the program as “a multimodal program that involves using wireless communication between vehicles, infrastructure, and personal communications devices to improve safety, mobility, and environmental sustainability”.

As I noted in an earlier blog post there is very little related to cybersecurity listed on the programs rather extensive web site. This is an item of concern that may be addressed at the public meeting, but I tend to doubt it.

The meeting agenda is briefly described in this notice as covering:

• ITS JPO's Connected Vehicle safety program;
• Vehicle-to-vehicle communications;
• Safety pilot;
• Vehicle-to-infrastructure communications;
• Human factors;
ITS Strategic Plan for 2015 to 2019; and
• Developing USDOT Multimodal Plan for Vehicle Automation. 

The public is being specifically invited to attend the meeting and should register to attend. There is no indication in the notice that there will be a web cast of this meeting.

Monday, August 26, 2013

ICS-CERT Updates Sixnet Advisory

Today the DHS ICS-CERT updated an advisory they published last week for an undisclosed function vulnerability in the Sixnet universal protocol. As I noted earlier the original advisory did not state that anyone had validated the efficacy of the RTU firmware upgrade. This update explains that the Intelligent Systems Research Lab at the University of Louisville has validated the upgrade.

CFATS PSP and Suspected Terrorists

I’m hearing rumors that DHS is getting close to the point where they will be issuing their 30-day notice for the information collection request supporting the CFATS personnel surety program. I did a series of blogs (listed below) on the comments that were received when DHS published the 60-day notice, now it is time to take a closer look at some of the issues that ISCD will have to address when they publish the 30-day notice.


Without a doubt the most controversial portion of earlier notice is the continued presence of a statement that DHS will not necessarily tell facilities if there is a positive match with the Terrorist Screening Database (TSDB). The notice states:

“Regardless of the [data submission] option, in the event that there is a potential match, the Department has procedures in place that it will follow to resolve the match and coordinate with appropriate law enforcement entities as necessary. High-risk chemical facilities may be contacted as part of law enforcement investigation activity, depending on the nature of the investigation.”

Needless to say facility owners and security managers are upset as hell that the folks at ISCD might allow a suspected terrorist to continue to continue to work at a high-risk chemical facility while some criminal investigation is underway. Almost as one industry commenters made clear that they would rather get a suspected terrorist out of their facility and risk not being able to take criminal action against them than allow them to stay and perhaps execute an actual attack while under investigation.

I am sure that David Wulf, Director of the Infrastructure Security Compliance Division, and his team of Chemical Security Inspectors (CSI, PLEASE someone change that title so we can get a different acronym) have the same concerns. I know that they realize that if a chemical facility attack happens under those circumstances that they will not be able to withstand the accusations of incompetence and malfeasance that will be leveled against them in Congress and the court of public opinion.

And those charges will be completely unjustified since it won’t be David’s call as to when facilities will be told that they have a suspected terrorist in their midst. That decision will almost certainly be made high within the ranks at the FBI or perhaps even in the office of the Attorney General. It is likely that David won’t even be told until such time as the law enforcement people have cleared the information for release.

The inevitable question that will be asked is why is it different for the TWIC? There the individual is notified if there is a positive match and there is an adjudication process in place for handling appeals. But TSA has never mentioned that they won’t tell an individual that his TWIC processing was rejected if there is a criminal investigation being conducted as a result of a TWIC submission. There will be an unexplained delay in the processing until the investigation is resolved. Then the individual will be notified of the reason, probably by an FBI SWAT Team.

It is a shame, in retrospect, that the folks at ISCD hadn’t just stood mute on the subject of criminal investigations of potential terrorist ties. If they had just said that the facility would be notified of any positive matches against the TSDB (which will eventually be the truth) things would have been fine. But no, someone decided to tell the whole story (or at least more of the whole story than had previously been done) and DHS is stuck with it.


Because, no matter how much industry legitimately complains about the risk to their facilities, the criminal justice system will not allow information about ongoing criminal investigations to be shared outside of the law enforcement community. Period, end of story.

Sunday, August 25, 2013

Reader Email – Reactive Chemistry

I received an interesting email from a reader, Jim, this week about my earlier posting on reactive chemistry and the President’s executive order on “Improving Chemical Facility Safety and Security” (EO 13650). He pointed out a much more common problem of reactive chemistry that I had overlooked that could be considered by the Chemical Facility Safety and Security Working Group while addressing the requirements of §6(c).

Incompatible Chemicals

The reactive chemicals that the reader addresses is the most basic type of chemical hazard, incompatible chemicals; chemicals that because of their most basic nature should not be allowed to come into contact with each other outside of the most controlled chemical process. We are talking things as basic and acids and bases, oxidizers and flammables, and monomers and initiators.

I missed this in my earlier discussion because to me, as chemical professional, this is the most basic component of chemical safety that I almost don’t consciously think about this as an issue. Which is, of course, why it is such a common problem. To be fair, every process hazard analysis (PHA) that I have ever participated in has addressed this issue for the chemicals under review. Jim suggests that the review should be extended to all chemicals at the facility that could come into physical contact with one another.

Reactivity Matrix

Jim suggests the establishment of a reactivity matrix. In its simplest form this would be a spread sheet listing of every chemical in the facility. Each chemical would be listed once on both the horizontal and vertical axis of the spread sheet. At each intersecting cell an entry would be placed that would describe the consequences of mixing the two chemicals. The listing would be (my terms not Jim’s):

• No reaction – quality issues are not a safety consideration;
• To be Avoided – A reaction occurs but, no heat or gasses are evolved, no toxic byproducts are produced, and the resulting material would not be hazardous waste;
• Administrative Controls Required – Minimal heat or non-flammable gasses may be evolved, but not enough to raise pressure in a sealed container with 5% headspace by 1 psig, toxic byproducts may be produced but do not require an increase in personal protective equipment to protect employees against exposure when handling, or waste may require disposal as hazardous waste; or
• Physical Controls Required – Will evolve heat or gasses that will raise pressure in a sealed container with 5% headspace by more than 1 psig, will evolve flammable gasses, or will produce toxic byproducts that will require an increase in personal protective equipment to handle.

Administrative controls are procedures and policies that control when and where such mixing of chemicals may take place. Any reaction requiring administrative controls should require that a HAZOP be performed to review and document those controls.

Physical controls are devices that prevent or control the mixing of the chemicals involved. Any reaction requiring physical controls should require that a PHA be performed to review and document those controls.

Information Availability

Jim makes the point that for most chemical combinations there will be no need for any basic research to take place to make a determination what the reaction label would be for most common chemicals. The information is generally available in the chemical literature. Unfortunately, there are many facilities that use dangerous chemicals that do not have anyone on staff qualified to conduct and interpret a literature search in this area.

A relatively simple and low cost alternative would be to have a research organization like NIST publish a database covering the most common industrial chemicals in use in the United States. The database could be set up to produce a matrix spread sheet by simply selecting the various chemicals that a facility had on site. The facility would only have to fill in the blanks for any chemicals or combination of chemicals not found in the database.

PSM or RMP or CFATS

Which federal agency would be responsible for enforcing this matrix? Well it would depend on the degree of hazard produced by the reactions. Facilities with reactions in only the first two categories (‘No Reaction” and ‘To Be Avoided’) would not generally be regulated for the chemical reactivity matrix. Facilities that have reactions that fall into the last two categories (‘Administrative Controls Required’ or ‘Physical Controls Required) would be required to do a worst case scenario analysis. If that analysis shows no off-site hazards (beyond disposal of hazardous waste) then PSM would be the only regulations addressing the reactivity matrix that the facility would be concerned with. If there were potential off-site consequences the RMP program would be involved and the CFATS people (keeping in mind the existing exemptions) would be notified so that a risk of terrorist attack based upon the reactivity matrix could be assessed.

Major Political Problem

While this all sounds very simple, there is a serious political impediment to this being adopted. We routinely accept chemical reaction risks in our everyday lives. In our kitchens we store incompatible chemicals under the sink, ammonia cleaners and bleach, peroxide and rubbing alcohol being the two common examples. Will every household have to conduct a HAZOP when they buy these materials? Not likely. We use pool chemicals that will violently react and produce chlorine gas. Will every pool cleaning company have to have people on staff to conduct a PHA? It would shut most of them down. Hell, even Mentos® and Coca-Cola® would be regulated under this scheme.

This is one of the reasons that regulators have been so reluctant to try to add reactive chemicals to their chemical safety programs. How do you define realistic safety programs that do not unnecessarily interfere with how people live their lives? At what level in the supply chain should chemical safety controls come into play? Certainly not at the consumer level for all but the most serious hazards. Will the local grocery store have to implement physical controls to prevent the mixing of cleaners? Will the regional warehouse?  These are all political questions, not safety questions, that will have to be addressed.

One way around this is to apply the chemical reaction matrix requirement only to current PSM and RMP covered facilities. This would certainly expand the scope of the current rules, but would not bring any new facilities into the regulatory scheme. This would probably not have any quantum leap in chemical facility safety, but it would cause at least some facilities to take a harder look at chemical reactivity and that would certainly be a good thing.


In any case, this is one approach that the Working Group could take in addressing the requirements for their November 5th review of reactive chemistry required by §6(c) of EO 13650.

Saturday, August 24, 2013

HTUA Maps Missing

I have had a number of folks visiting my site looking for information about the maps of the High Threat Urban Areas (HTUA) that are an integral part of the TSA Rail Transportation Security Rule (49 CFR 1580). I did a quick check and can see why; the link to the TSA HTUA maps is dead again. This is a recurring problem for TSA.


This is a regulatory issue since these maps are the only way that facilities have of checking to see if they are covered by provisions of §1580. Well, that isn’t entirely true, they can call the TSA Freedom Center (703-563-3240 or 1-877-456-8722).

Friday, August 23, 2013

SSP Authorization Backlog

One of the problems that is currently facing the CFATS program is the problem of the backlog of authorizations and approvals of site security plans for covered facilities. The latest data that I have seen shows a total of 4298 CFATS covered facilities with 598 authorized site security plans and 182 approved plans. At the current rate of approvals, it is going to take from 7 to 10 years to clear that backlog and that is assuming that there is no significant increase in the number of covered facilities.

There are probably some increases in efficiency to be expected as ISCD gets more and more of these processes under their belt. But there is still a limit to the number of facilities that the current inspection force can reasonably and effectively visit in any given amount of time. Additionally, these same inspectors are going to be expected to start compliance inspections later this year and at some point in time ISCD is going to start implementing the Ammonium Nitrate Security Program (ANSP). That is going to decrease the staff support available for completing the site security plan reviews.

It is clear that some sort of radical game changing plan is going to have to be put into place. Doubling or tripling the number of Chemical Security Inspectors (NOTE: I really wish that ISCD would change that job title to ‘Chemical Facility Security Inspectors’ so that we don’t have to use the ‘CSI’ acronym) is clearly not an option. So we are going to have to reduce the number of site security plans reviewed or at least the level of review applied.

We already have a risk tiering system that divides the covered high-risk chemical facilities into for risk tiers. The folks at ISCD have concentrated their work on the highest risk tiers first, essentially having completed the authorization of all Tier 1 facility site security plans and most of the SSP approvals for that Tier. A great deal of work has already been done on the Tier 2 facilities. What if we reduce the level of review necessary for the Tier 3 and Tier 4 facilities?

Actually, I would prefer to suggest that we adopt the EPA and OSHA regulatory model (the first time that those response/safety plans are reviewed is when an inspector shows up at the facility) for those facilities, but the §550 authorization for the CFATS program specifically requires the Secretary to “review and approve each vulnerability assessment and site security plan”.

I think that for the Tier 3 and 4 facilities, the process would be better served if the review and approval process were conducted along the same lines as those used for the review and approval of the security vulnerability assessments. These are currently done as a mostly automated review of the submissions with some expert review but no visits conducted by the CSI staff. This would certainly speed up the authorization and approval process.


This would also have the added benefit of freeing up the CSI for the even more arduous task of conducting facility inspections to ensure that facilities are adequately complying with their site security plans. Properly done, this will be a much more time consuming task than checking to see if site security plans cover the necessary requirements.

Chemical Safety and Security EO – Reactive Chemical Hazards

This is part of a continuing series of blog posts discussing President Obama’s recently signed executive order on “Improving Chemical Facility Safety and Security” (EO 13650). The other posts in the series are:


Section 6(c) of the EO requires the EPA and OSHA to look at adding ‘additional regulated substances and types of hazards’ to their respective chemical safety programs. First and foremost (this is a response to the West Fertilizer incident after all) would be adding ammonium nitrate to the list of covered chemicals. Additionally, the Chemical Safety Board has long advocated the addition of ‘reactive chemical hazards’ to the coverage of these programs. In this post I’ll look at some of the types of hazards that this might include.

Reactive Chemical Hazards

There are a huge variety of known and potential chemical reactions. Under the wrong circumstances any one of these reactions could be considered hazardous, either in the products consumed or produced or the energies consumed or produced. No one advocates expanding the either the RMP or PSM programs to cover all of these reactions. Only those reactions that are sufficiently dangerous in their consequences that they pose an imminent danger to life, limb or property should be considered.

As a general rule the EPA Risk Management Plan (RMP) program would be best suited to the management of chemical processes that would have significant off-site consequences if the reactions got out of control. The OSHA Process Safety Management (PSM) program would address those that would potentially affect the health and safety of on-site personnel if they were not properly controlled. Since it is hard to imagine a process that could have significant off-site consequences without affecting facility personnel, it seems obvious that the PSM program should cover more chemical reactions than the RMP program.

I’ll leave for a separate discussion whether or not these reactions (or some sub-set of the reactions) should be considered for coverage under the CFATS program.

Defining the Reactions

One of the reasons that both EPA and OSHA have been dragging their feet on implementing the CSB recommendation to include reactive chemical hazards in the RMP and PSM safety programs is the difficulty in defining exactly what chemical processes or reactions would be covered. Both programs currently rely on a printed list of chemicals to determine what is covered and what isn’t. Things won’t be that easy with reactive chemical hazards.

To see why let’s look at a common class of reactive chemicals, monomers, and look at how we might determine which ones would be regulated and which wouldn’t. First, monomers are molecules that react with similar molecules to form long chains called polymers. Polymers can be made out of chains of one type monomer or multiple types.

Most polymerization reactions produce heat as a byproduct of the reaction. With most reactions the higher the temperature the reaction takes place at, the faster the reaction takes place. Thus, normally the heat of polymerization increases the rate of polymerization. For all practical purposes the polymerization reaction continues until all of the available monomer is consumed in the reaction.

In a commercial polymerization process the ratio of reactants and solvents, initiators (chemicals that start the polymerization process) and inhibitors (chemicals that impede the polymerization process) and reaction conditions of temperature and pressure are all tightly controlled to produce a specific desired polymer.

Polymerization Hazard

In an improperly controlled process a number of things can go wrong to make bad things happen. Most of those ‘bad’ things are bad in the business sense; off-spec material is produced that must undergo additional handling and possibly costly disposal. Those consequences are of no real concern to the PSM or RMP programs.

In some cases, however, dangerous bad things can happen. For example, when polymerization takes place in a volatile solvent the improperly controlled heat of reaction can heat the solvent to the boiling point greatly increasing the pressure in the reaction vessel. If that vessel is not properly vented, the pressure can increase to the point where the vessel catastrophically fails in an incident that closely resembles an explosion. If the solvent is above its flashpoint and there is an ignition source available near the vessel failure there may be a fire or even an actual explosion that results. That type of reaction could certainly be of concern to an EPA or OSHA regulator.

The regulatory definition problem here is that it is the combination of the monomer and solvent that is dangerous. With a different solvent, no solvent, or more solvent there might be no way the reaction could produce enough heat to reach the boiling point. If the boiling point cannot be reached there is nothing of interest for the EPA or OSHA to regulate.

Now, you could define a regulatable (made-up word) polymerization process as any combination of solvent and monomer in a single container that the heat of polymerization of the available monomer is sufficient to raise the available solvent to its boiling point. Those are values that can be reasonably calculated from publicly available data for most monomers and solvents. Where the information is not publicly available any competent chemist or chemical engineer or laboratory technician can measure the appropriate data in a reasonably equipped laboratory.

Other Reactions

A polymerization reaction is the easiest of the potentially dangerous chemical reactions to define and it is probably one of the least violent. To be really dangerous on a catastrophic scale you have to turn to reactions that not only produce heat but also evolve gasses. A good example of this type of reaction is the self-accelerating decomposition reaction (SADR). These reactions typically involve chemical intermediates and are much more difficult to describe in a concise manner. To see a good discussion of the hazards involved in this type of reaction see the Chemical Safety Board’s investigation of the T2 Laboratories explosion.

Establishing a regulatory definition for these types of reactions will be much more difficult. Relying on a list of reactions will be of very little use. People using known SADR reactions will typically be taking appropriate precautions. The newly discovered reactions of this type are most often described in accident literature.

Expected Working Group Actions


I will be very surprised if the Working Group is able to do much more by the November 5th deadline for the §6(c) requirement to look at reactive chemistries than recommend that ammonium nitrate be added to the current list PSM and RMP chemicals. Actions beyond that will be rely on reaction descriptions that will be too controversial to be able to resolve through just a standard rule making process. They will require legislative action on a complex technical issue that there is currently no political consensus to support.

Thursday, August 22, 2013

ICS-CERT Publishes Two Advisories – Schneider and Top Server

Today the DHS ICS-CERT published two control system advisories; one for an encryption vulnerability in the Schneider Electric Trio J-Series Radios and one for an input validation vulnerability in the Software Toolbox TOP Server DNP Master OPC product.

Schneider Vulnerability

This advisory concerns a self-reported hard-coded encryption key vulnerability (NOTE: The Schneider web site reports that this vulnerability was reported by an unnamed security researcher). Some versions of the firmware in the Trio J-Series License Free Ethernet Radio does not properly generate an AES encryption key. Schneider reports that simply upgrading to a newer version of the firmware does not necessarily correct the problem.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to take control of the communications network and the control system attached to it. Schneider reports that they have updated firmware, that properly applied, will mitigate the problem. There is no indication that the original researcher has validated the update.

NOTE: Schneider identified this problem and solution in May and posted it on their web site on August 8th. That delay was almost certainly due to attempting to notify customers of the problem. The delay in the ICS-CERT reporting of this issue is not explained.

TOP Server Vulnerability

This advisory concerns an improper input validation vulnerability on the TOP Server DNP Master OPD product identified by Adam Crain and Chris Sistrunk. Oh, hell, just read my Kepware blog post of last week; this advisory is for the same vulnerability in the same system, it’s just marketed under a different label. Adam pointed this out to ICS-CERT but they would not add it to the earlier advisory. Adam and Chris get credit for another coordinated disclosure because they pushed ICS-CERT to publish this advisory so that the TOP Server owners would understand that this vulnerability applied to them.

This is an ongoing problem with hardware, software and firmware sold under different names or included in other systems. As more of these types of vulnerabilities are reported blackhats will begin to realize that systems are vulnerable because owners don’t realize that available patches and upgrades apply to their equipment. ICS-CERT needs to step up and be proactive in these types of situations and not have to be pressured into acting by concerned researchers.


BTW: The Project Robus web site takes credit for this advisory and reports that there are now 17 disclosures pending.

OCS Safety Systems Proposed Rule – No Cybersecurity

Today the Bureau of Safety and Environmental Enforcement (BSEE) published a proposed rule in the Federal Register (78 FR 52239-52284) that would revise the regulation of production safety systems for Oil and Gas and Sulphur Operations on the Outer Continental Shelf. This is a very complex rule with most of it being outside my professional comfort zone, but I am concerned that I can find no mention of any requirements for cybersecurity to protect these critical safety systems.

There are numerous references to various control systems and monitoring systems that are integral parts of the safety systems controlled by these regulations. Because much of the monitoring and control involved in these systems is done remotely these systems are potentially vulnerable to remote cyber-attacks. A successful cyber-attack on these safety systems, either in conjunction with other attacks on the platforms or as stand-alone attacks on the safety systems could have catastrophic consequences.


The failure to specifically address the electronic and physical security of these safety systems makes no sense, particularly when there have been well documented efforts made to compromise control systems in the oil and gas industry.

Wednesday, August 21, 2013

ICS-CERT Publishes Another Self-Reported Siemens Advisory

This afternoon the DHS ICS-CERT published an advisory for a self-reported privilege escalation vulnerability in the Siemens COMOS database application. I assume that it is self-reported from the wording of the ICS-CERT advisory. The Siemens Product-CERT advisory says that “Siemens was notified of a vulnerability”, but no information was provided about a researcher responsible for the notification, so it appears that it was an internal notification.

ICS-CERT reports that a relatively low-skilled attacker with authenticated system access could use this vulnerability to escalate their access to system engineering files. This is not strictly speaking a control system vulnerability, but information available from the system could be used to make an attack on a control system more effective.

Siemens has developed a patch for this vulnerability. Since this is a self-reported vulnerability there is no expectation that there will be an independent verification of the efficacy of the patch.


NOTE: Siemens reports the publication date of their advisory as August 9th, 2013. There seems to be an increasing delay in ICS-CERT publishing advisories about self-reported disclosures and coordinated disclosures that are not coordinated through ICS-CERT. I am not sure if this is a funding issue or just a failure of ICS-CERT to routinely check vendor disclosure sites. I suppose that whether or not that is a problem depends on how many organizations are actually depending on ICS-CERT for vulnerability notification.

Chemical Safety and Security EO – Information Sharing

This is part of a continuing series of blog posts discussing President Obama’s recently signed executive order on “Improving Chemical Facility Safety and Security”. The other posts in the series are:


In this post I would like to look at the voluntary nature of compliance with the three main chemical safety and security regulations; CFATS (DHS), RMP (EPA), and PSM (OSHA). One of the complaints that came out of the West Fertilizer incident was that DHS was not aware of the existence of the West Fertilizer facility and that somehow this contributed to that particular disaster.

Self-Identification

None of the three main programs that address chemical safety and security are voluntary. All three have clearly defined rules based upon separate (but similar) lists of chemicals that require facilities to take clearly specified actions. What has given the media appearance of these being voluntary programs is the fact that facilities are required to identify themselves as being covered under the requirements of the program.

For example the CFATS program requires that facilities having in inventory any of the 300+ DHS chemicals of interest (COI) listed in Appendix A to 6 CFR Part 27 at or above the screening threshold quantity to file a Top Screen report with the Infrastructure Security Compliance Division (ISCD) of DHS via the on-line Chemical Security Assessment Tool (CSAT).

Over 30,000 chemical facilities (as very broadly defined under the CFATS regulations) have filed Top Screens due to their possessing COI. ISCD reviewed each of those submissions and determined that the vast majority of the facilities were not at high-risk of terrorist attack. DHS will not share the specifics of that analysis process, but it is clear that many (if not most) of those determined not to be at risk (and thus not covered by the remaining CFATS requirements) were based upon their location; generally speaking rural or remote locations do not make for high-risk terrorist targets.

Directed Submissions

Beyond the self-identification process, there are provisions in the CFATS regulations {§27.200(b)(1)} for DHS to direct facilities, either individually by letter or by classification via the Federal Register, to complete a Top Screen submission. And there is nothing in the CFATS regulations that requires those directed submissions to be reviewed in the same manner as the self-identified submissions. The CFATS authorization language found in §550 of the 2007 DHS Appropriations bill makes it clear that the Secretary of DHS has sole discretionary authority to decide what facility is determined to be at high-risk of a terrorist attack.

Information Sharing

The question is how would the Department go about identifying the facilities that it would direct to submit a Top Screen? One way that has been suggested is for the various agencies of the Federal government to share the information that they have in the separate programs to aid in the identification of all of the facilities that might be covered. This suggestion has been formalized in §5(a) of the Executive Order.

“Within 90 days of the date of this order, the Working Group shall develop an analysis, including recommendations, on the potential to improve information collection by and sharing between agencies to help identify chemical facilities which may not have provided all required information or may be non-compliant with Federal requirements to ensure chemical facility safety. This analysis should consider ongoing data-sharing efforts, other federally collected information, and chemical facility reporting among agencies (including information shared with State, local, and tribal governments).”

Director Wulf in recent testimony before Congress has reported on various efforts to compare facility information with data compiled by other federal programs. The most effective matching effort to-date compared data between the RMP facility list and the CFATS facility list. The differences between the two data sets and the systems in which the data is being stored required DHS to farm out the list comparison work to Oak Ridge National Laboratory (ORNL). Wulf reported that once an exception list was generated, DHS had to go back and identify which facilities on the list were statutorily exempted from the CFATS program. ISCD has since gone back and contacted the remaining facilities on the list to clarify their CFATS status.

I have heard from a number of sources that the sharing of data with the other chemical safety and security programs operated by various organizations in the federal government will be more difficult. This is due to the wider differences in facility coverage between those programs and the CFATS program, different types of information maintained, and the disparities in the data storage systems. It looks like the expense of establishing the data conversion/analysis process will be prohibitive.

Working Group Analysis


The Chemical Facility Safety and Security Working Group has until November 5th to complete their analysis of the potential for information sharing. The information developed by ORNL and ISCD will go a long way to providing a logical basis for that analysis. This is especially helpful since that time limit includes compiling a report and making recommendations.

Tuesday, August 20, 2013

DHS Data Privacy and Integrity Advisory Committee Meeting – 9-12-13

NOTE: It seems that the GPO is having some problems getting the Federal Register out today. The article referenced below is not on the table of contents page on line but it can be found on both the HTML and .PDF versions of the complete Federal Register for today.

The DHS Privacy Office published a meeting notice in today’s Federal Register (78 FR 51198-51199) for a meeting of the DHS Data Privacy and Integrity Advisory Committee (DPIAC) on September 12th, 2013 in Washington, DC. The meeting will be open to the public and will be webcast.

The meeting agenda will include DHS subject matter expert briefings on:

• Privacy updates regarding DHS's use of unmanned aerial systems;
• Federated information sharing policy and technology practices; and
• Implementation of the February 2013 Cybersecurity Executive Order.


Public participation is being solicited. The webcast information will posted on the DPIAC web site along with a final agenda before September 3rd. There is nothing in the notice about public comments during the meeting, but written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2013-0055).

ICS-CERT Publishes Sixnet Advisory

Yesterday the DHS ICS-CERT published an advisory [an alert reader noted that this link is now dead, it seems that ICS-CERT has deleted just the original advisory, versions A and B are still available on the ICS-CERT web site. This may get corrected after the federal government funding is restored]for an undisclosed function vulnerability in the Sixnet universal protocol. The vulnerability was identified by Mehdi Sabraoui in a coordinated disclosure. (NOTE: It appears that Mehdi will be discussing Sixnet testing at DerbyCon – Friday, 9-27-13; 3:30).

ICS-CERT reports that a relatively unskilled attacker could use the undocumented codes to remotely execute arbitrary code on the system. The advisory notes that network access is required for exploitation, but the vulnerable systems are designed for remote access.

The advisory notes that Sixnet has developed a new version (4.8) of the RTU firmware (available through customer service) that requires authentication before the newly identified ops codes can be used. There is no indication that Sabraoui has verified the efficacy of the updated firmware. It appears that older versions of the firmware are still available for download on the Sixnet web site.

Sunday, August 18, 2013

Chemical Safety and Security EO – DHS CFATS Actions

This is part of a continuing series of blog posts discussing President Obama’s recently signed executive order on “Improving Chemical Facility Safety and Security”. The other posts in the series are:


Sharing CFATS Data

As I noted in the original blog post on the Chemical Safety and Security EO (EO 13650) there are two actions required by the DHS Secretary that will be taken in coordination with the Working Group, but are specifically required to be accomplished by the Secretary. One of those areas addresses the requirement to improve operational coordination with State, Local, and Tribal partners, the Secretary is specifically required (by November 5th) to “assess the feasibility of sharing Chemical Facility Anti-Terrorism Standards (CFATS) data with SERCs, TEPCs, and LEPCs on a categorical basis” {§3(c)}.

The main impediment to sharing CFATS information with these local officials is the fact that the appropriate information has been protected by the Chemical-Terrorism Vulnerability Information (CVI), a sensitive but unclassified program established by Congress in the §550 authorization for the CFATS program. A DHS web site outlines the requirements for information sharing with State, Local and Tribal agencies that have been established for that program. More detailed information is available on Page 12 of the CVI Procedures Manual.

There are two prerequisites that must be met before CVI information can be shared. First the personnel receiving the information must have completed the on-line training program that provides the information about the program and how the information must be protected. Second the person to whom the information is being given must have a need to know the information.

Having personally completed the training program there is little problem with meeting this requirement. The training program is relatively easy to complete and shouldn’t take more than 30 minutes for any individual to complete the training. Once the training is completed the individual is provided with a certificate and ISCD maintains a list of people that have completed the training so that facilities can verify that that prerequisite has been met.

What has not been established in this executive order requirement is whether a valid need to know exists that would support the categorical sharing of the CVI information. I am not questioning the need of these organizations to know about the emergency response plans for CFATS covered facilities; this is something that I have been preaching since the CFATS program was established. But emergency response plans are not covered under the CVI program, specifically because of the need to share those plans with a wide audience, much wider than the organizations listed in §3(c) of the EO.

In fact, there is no specific requirement in the CFATS regulations for having an emergency response plan. The requirement for that plan falls under the EPA’s Emergency Planning and Community Right to Know Act (EPCRA). That program requires that the facility notifies the State Emergency Response Commission within 60 days of receiving the first shipment of a qualifying amount of an extremely hazardous substance (40 CFR part 355).

The Part 355 list is not identical to the list of DHS chemicals of interest (COI) that define the CFATS program. Most of the EPA’s list can be found on the DHS list (this was one of the sources of information used by DHS in developing their COI list), but DHS added a number of other chemicals (including ammonium nitrate, for example) to their list.

While some of the DHS COI list should be added to the EPA’s extremely hazardous substance list (most notably ammonium nitrate), but a number of other chemicals, because of the extremely small quantities involved (various chemical weapon chemicals) of some of the  chemicals and because others are only dangerous when combined into improvised explosive devices or improvised chemical munitions, should not be added to the EPA list. The DHS coverage is not based upon release of these chemicals from the owning facility, but upon their theft and subsequent use as part of a terrorist weapon.

There is no clear need for facilities to share security information protected by the CVI program with emergency response personnel. Local law enforcement personnel and perhaps State law enforcement personnel, certainly need to be appraised of much of the security information protected under the CVI program. But emergency response personnel only need to be appraised of the emergency response planning information developed under EPCRA.

The Secretary needs to make a clear distinction between the two types of information and ensure that facilities understand the difference. Open sharing of EPCRA related emergency response information needs no special action by DHS; they do not own nor control the information developed under that program. There are no CFATS restrictions on sharing that information with SERCs, TEPCs, and LEPCs.

Within 90 days of the date of this order, the Secretary of Homeland Security shall identify a list of chemicals, including poisons and reactive substances, that should be considered for addition to the CFATS Chemicals of Interest list. §6(d)

Updating Appendix A

The second specific CFATS action required to be undertaken by the DHS Secretary is found in §6(d) of the EO. There the Secretary is required to “identify a list of chemicals, including poisons and reactive substances, that should be considered for addition to the CFATS Chemicals of Interest list”. This action also has a November 5th deadline.

Readers of this blog will certainly expect me to make my standard appeal for adding methyl bromide to the DHS COI list. I’ll make that here and get it out of the way. Methyl bromide was left of the COI list because DHS misunderstood the EPA program to phase out this chemical. If DHS had understood the process, methyl bromide probably would not have been removed from the list of COI in the first place; enough said.

One other chemical that has been repeatedly brought up as needing to be added to the COI list is sodium fluoroacetate a rodenticide that is produced in a single location in the United States and is principally manufactured for export. There is widespread concern with this product (with very limited us in the United States)  in the environmental activist community and that appears to be the driving force behind the COI listing of this material. It appears that the hope is that the additional security costs will drive the current manufacturer out of the business. Sodium flouroacetate does not meet the requirements of any of the current CFATS chemical categories as a potential terror weapon.

There are a couple of other categories of chemicals that were not listed or listed under unusually large quantities on the current COI list for political reasons. The most obvious example is propane. All other listed flammable gasses have a screening threshold quantity of 10,000 lbs. The STQ was set at 60,000 lbs at the insistence of the agricultural lobby. The reason given was that large quantities of propane are used in the agricultural sector and the security requirements for the smaller amounts would have been prohibitively expensive for farmers. The fact that farmers would probably not have had to do anything more than file a Top Screen report to have DHS decide that they were not at high-risk of terrorist attack and thus exempt from any security planning requirements was completely ignored by the farm lobby.

Similarly, gasoline and ethanol have all but been exempted from the CFATS program based upon political influence rather than risk assessment.

The EO specifically addresses adding poisons to the COI list. The DHS COI list currently includes toxic inhalation hazard (TIH) chemicals based upon their potential use as terrorist equivalents of chemical warfare agents. Most other poisons are excluded from the list. Potassium cyanide is an obvious exception, but it is listed as a sabotage hazard because when it is contaminated with water it produces a TIH chemical. Arsenic, on the other hand is not a listed COI.

Expanding the list of poisons beyond TIH chemicals or their precursors would add a huge additional burden to the CFATS enforcement program with little or no obvious benefit. One might as well add fireworks (used in the Boston Marathon IED) and commercial grades of peroxides and acetones because of their potential for use in IEDs. Reasonable lines must be drawn so that only chemicals at risk of use in terrorist weapons of mass destruction (and the FBI not withstanding, a pressure cooker bomb is not an WMD).
Overlooked DHS Mandate

There was a mandate that the President overlooked in his efforts to make chemical safety and security a broader area of executive responsibility. While OSHA were directed to look at the current PSM exemptions for retail facilities and commercial grade products, the current DHS CFATS exemption for agricultural production facilities was completely overlooked.

On January 9th, 2009 DHS published a letter in the Federal Register (73 FR 16400) establishing an “a time extension for farmers and other agricultural users who are required to submit information (known as the Chemical Security Assessment Tool Top-Screen) under federal chemical security regulations”. That exemption still stands and a large (unknown) number of agricultural facilities have not filed their required Top Screens for possessing COI at or above the screening threshold quantity.


A formal re-evaluation of this exemption needs to be accomplished (a preliminary record collection effort was undertaken a couple of years ago, but there were all sorts of problems with the questionnaire).
 
/* Use this with templates/template-twocol.html */