Thursday, January 31, 2013

S 67 – Secure Water Facilities Act

The GPO now has the official print of S67, the Secure Water Facilities Act, available on its web site. This bill is virtually identical to S 711 introduced during the last session and S 3598 introduced in the 111th Congress. There are two titles in this bill; Title 1 is the Secure Drinking Water Facilities Act and Title II is the Secure Wastewater Treatment Facilities Act. They both do basically the same thing but modify different laws covering existing security requirement at the two types of facilities.

Drinking Water Treatment Facilities

This title completely re-writes §1433 of the Safe Drinking Water Act (42 USC 300i-2). It requires the Administrator of the EPA to prepare regulations within two years to establish {§1433(b)(1)}:

• Risk-based performance standards (RBPS) for the security of covered (serving more than 3,300 individuals) water systems {§1433(b)(1)(A)};

• Requirements and deadlines for each covered water system to conduct a vulnerability assessment {§1433(b)(1)(B)}; and

• Requirements and deadlines for each covered water system to develop, implement, and submit to the Administrator a site security plan{§1433(b)(1)(C)};

The RBPS would be based in part on the CFATS standards in 6 CFR §27.230. The vulnerability assessment would specifically be required to address the risk of “a release of a substance of concern that is known, or may be reasonably anticipated, to cause death, injury, or serious adverse effects to human health or the environment” (§1433(d)(1).

There is still a requirement {§1433(f)} for facilities to prepare an emergency response plan (ERP) and to certify that plan to the Administrator, but those plans are not specifically to be included in the regulations described above. Nor is there a requirement to submit those plans for approval. A copy of the ERP would now be required to be provided to {§1433(f)(e)(B)}:

• A local emergency planning committee;

• A State emergency response commission;

• A local law enforcement official; or [emphasis added]

• A local emergency response provider.

There are two additional items adopted from the CFATS program; tier ranking {§1433(h)} and substances of concern (SOC) {§1433(i)}. The tier ranking provisions of the bill include a description of factors to be considered and a requirement to inform system owners of why they were assigned to a specific tier. The SOC provisions require the Administrator to develop a list of chemicals and screening threshold quantities similar to the DHS chemicals of interest (COI) list in Appendix A, 6 CFR Part 27 [NOTE: the GPO is currently having problems with their .PDF files corrupting Internet Explorer. When that is corrected this should be a good link].

There is an inherently safer technology (IST) provision in this bill; Methods to Reduce Consequences of Chemical Releases from Intentional Acts {§1433(i)}. All systems with SOC in excess of the screening threshold quantity are required to do an IST assessment as part of their site security plan. Tier 1 and 2 (highest risk rankings) facilities may be required by State regulatory authorities to implement assessed technologies.

Waste Water Treatment Facilities

Title II modifies Title III of the Federal Water Pollution Control Act (33 U.S.C. 1311) by adding §321 at the end. It establishes that a covered facility is one that has a treatment capacity of 2,500,000 gallons per day. The remainder of the Title is the same as Title I with the exception of some minor word changes to reflect the differences in the types of facilities involved.

No Way Forward

There was just one hearing held during the 111th Congress that Sen. Lautenberg (D,NJ) chaired that addressed the IST provisions in this bill, but no other work has been done on the two earlier versions of the bill. While the most vociferous opponent of IST requirements (contained in a weakened version in this bill for water treatment plants), Sen. Collins (R,ME) is no longer in the Senate, it is unlikely that this bill will move through the Senate Environment and Public Works Committee, very little does.

It is remotely possible that this bill could pass in the Senate if it came to a vote there. The water treatment industry does not have a large and powerful lobby and has never been vociferously opposed to IST like the chemical industry has. This bill would receive no consideration in the House even though there is some support for including water treatment and waste water treatment facilities with high-risk chemicals on site in the CFATS regulations. The IST provisions of the bill would, however, produce a knee jerk reaction in the Republican leadership that would prevent its consideration.

CFATS Knowledge Center Update – 01-31-13

This morning the folks at ISCD updated the CFATS Knowledge Center with a minor change to their response to the frequently asked question (FAQ) concerning where individuals can take Chemical-terrorism Vulnerability Information (CVI) training. The new response reads:

“Go to the DHS Critical Infrastructure: Chemical Security website ( and click on the link ‘Complete Chemical-terrorism Vulnerability Information (CVI) Training.’”

The only difference between this wording and the original wording from the August 23, 2007 posting is that the words “at the bottom of the page” have been removed from the end of the sentence. Those words were applicable to the old ‘Chemical Security’ web page that was discontinued when DHS updated their sites last year. This is a minor change, to be sure, but one that helps avoid some confusion on the part of facility personnel looking for information.

Interestingly, while the link provided does work, the actual website URL is

Wednesday, January 30, 2013

PHMSA Revises Time Standard for Reporting Pipeline Incidents

Today the Pipeline and Hazardous Material Safety Administration published an advisory bulleting (ADB-2013-01) in the Federal Register (78 FR 6402-6403) revising the expected reporting time frame for pipeline accidents and incidents for which pipeline operators are required to provide telephonic or electronic reports to the National Response Center. The notice also notes that PHMSA will be issuing new regulations formalizing that expected response time in accordance with §9 of the Pipeline Safety, Regulatory Certainty, and Job Creation Act of 2011 (PL 112-90).

Current regulations (49 CFR §191.5 and §195.52) require pipeline owners and operators to notify the NRC by telephone or electronically at the earliest practicable moment following discovery. In a 2002 advisory notice (67 FR 57060) PHMSA clarified that “at the earliest practicable opportunity” usually means one-to-two hours after discovery of the incident. In this advisory PHMSA is changing that guideline to one-hour.

The advisory goes on to explain that the information to be included in that initial report includes:

• The name of the operator;

• The name and telephone number of the person making the report;

• The location of the incident;

• The number of fatalities and injuries; and

• All other significant facts that are relevant to the cause of the incident or extent of the damages.

PHMSA will be issuing a regulatory change to reflect these new requirements.

OMB Approves Extension of TSA Rail Security ICR

Yesterday the Office of Management and Budget (OMB) approved a three year extension of the information collection request (ICR) for the rail security reporting requirements for the Transportation Security Administration (TSA). The four data collections supported by this ICR are:

Chain of Custody Documentation for transfers of railcars carrying ‘rail security-sensitive materials (RSSM) between shippers, carriers and receivers in High Threat Urban Areas (HTUA) (§1580.107);

Location and Shipping Information Reporting Burden for railcars carrying RSSM (§1580.103);

Security Concerns Reporting including security incidents, suspicious activities, and threat information (§1580.105); and

Rail Security Coordinator (RSC) Annual Reporting RSC designations and contact information (§1580.101).

These four are all required for freight railroads handling RSSM materials. The last two also apply to passenger rail systems.

ICR Changes

TSA reported that there were no changes in the proposed extension of the ICR other than an increase in the estimated number of entities reporting. As I noted in my earlier blog post about the initial 60-day public notice associated with this ICR, this is a less than accurate description of the proposed burden description. While there was an 17,603 (20%) increase in expected responses there was a decrease of 234,922 hours of burden associated with this ICR. There is no explanation in the public documentation of this ICR of where the increase in responses would come from or how there will be such a drastic (81.3%) decrease in the amount of time that the affected entities will spend on these reporting requirements. If TSA had listed the burden expectations for each of the four collections covered under this ICR we might be better able to understand these changes.

There is one other change in the ICR submission and approval that is not mentioned in the documentation for the requested ICR extension. The estimated cost burden was decreased from $9,388,567 to $0.00. I don’t think this change is due to changes in regulatory burden estimated at TSA; we have seen a total absence of estimated cost burden in all of the recent ICR renewals that I have looked at. It looks like the Obama Administration has changed their interpretation of the cost burden to only address the cost of establishing the reporting mechanism in the regulated community, not the cost of maintaining those systems and the costs associated with the actual reporting of the required information. It would be interesting to see the OMB’s justification for that change.

Information Sharing

OMB reported that they approved this ICR renewal with changes. The only change documented is an interesting requirement for TSA to look at the sharing of the collected information with the Department of Transportation (PHMSA in particular). The ICR extension approval notes that:

“Prior to resubmission, TSA should coordinate with DOT and PHMSA to explore whether there might be any opportunities to share information related to this collection. TSA should provide a joint briefing (with PHMSA) to OMB on this topic before 2/1/2014.”

It is hard to understand what freight rail safety information is covered by this ICR, but if any of this information will legitimately assist PHMSA in regulating the safe transportation of this limited segment of hazardous materials, the information should certainly be shared with PHMSA. Of course, some of this material is sensitive security information (SSI) and will have to be appropriately protected in the information sharing process.

STB Publishes Notice with Potential Chem Security Implications

Yesterday the Surface Transportation Board (STB) published a notice in the Federal Register (78 FR 6173) announcing that it would be conducting a ‘declaratory order proceeding’ to move forward with a resolution of a petition filed with the Board back in August of last year. The petition filed by seven private citizens in Upton, MA asked the STB to declare that operations at a local rail transloading station do not constitute ‘transportation by a rail carrier’. Currently the facility is claiming that it is not subject to local regulation since the STB federal preemption applies.

The Dispute

The petitioners argue that the operations at the facility operated by the Grafton and Upton Railroad do not meet the definitions of ‘transportation by a rail carrier’ established by regulation and actions by the STB. If the facility does not meet the definition then its operation would not be regulated by the STB and there would be no federal preemption that would stop local authorities from regulating the facility.

Briefly the issues revolve around who does what to the material that is being transferred from rail cars to ground transportation. Materials that are being handled at this particular facility include wood pellets that are being removed from bulk railcars, put into 40-lb bags and loaded on truck for transport off site. Additionally bulk chemicals are being transferred from railcars to tank trucks for further transportation to customers.

As is to be expected in this type of dispute the two sides disagree in the facts and the interpretations that are central to the case. A total of nine legal documents have been filed in the back in forth over the last six months (STB Docket FD 35652) and more will undoubtedly be filed before the principles appear before the Board.

Chemical Security Implications

There is nothing in the initial petition that describes the specific chemicals that are being transloaded at the facility. If the facility handles chemicals included in the list of DHS chemicals of interest (COI) in Appendix A of the CFATS regulations and those chemicals are put into ‘storage’ at the facility, then the STB ruling could have repercussions with regards to the facility’s status with regard to the CFATS regulations.

When the final interim rule for the CFATS regulations was published it included language in the preamble to the rule that indicated that DHS was going to allow TSA to conduct security regulation of railroad. Specifically the document stated (72 FR 17699) that:

“DHS presently does not plan to screen railroad facilities for inclusion in the Section 550 regulatory program, and therefore DHS will not request that railroads complete the Top-Screen risk assessment methodology.”

So if the STB rules that this particular facility is ‘transportation by a rail carrier’ then it would not be regulated under the CFATS regulations; DHS would rely on the less stringent and more narrowly focused (in terms of materials covered) TSA security rules. On the other-hand, if STB rules that this is not a railroad operation, then the unofficial TSA exemption for the facility would no longer apply. The facility might then have to submit a CFATS Top Screen to determine if it is a high-risk chemical facility under the definition of that regulation.

Implications for other Facilities

In reading the original petition it does not seem that the petitioners are breaking any ground here in the terms of why they are claiming that the facility should not be regulated by the STB. However, case law frequently pivots on minor changes and interpretations. That being the case this petition could have implications for other transloading facilities around the country that are operating on the boundary between being railroad operations and being some other sort of processing or transportation facility.

Tuesday, January 29, 2013

Cybersecurity Threat Landscape

Cliff Gregory started an interesting discussion yesterday on the Cyber Security in Real-Time Systems group (membership required) on LinkedIn. He asks an interesting question considering that it is the start of the 113th Congress; does the US need a Critical Infrastructure Protection Act? To start off that discussion he gives a pretty good short summary of the history of hacking.

With Cliff’s discussion as a starting point, I think that we can all agree that there has been a significant change in the threat environment over the last decade or so. There are now a wide variety of actors in the cyber-threat space with an even wider variety of motivations, goals and capabilities.

Civil Issues

The first thing that we must realize is that some of these cyber-threats are not issues to be solely resolved by governmental action. A certain level of responsibility for protection of cyber assets rests with the owners and operators of cyber related enterprises. This is going to have to include some sort of minimum standards for the protection of cyber assets, both physical and informational.

These standards are going to be risk-based much the same way that homeowners with pools are required to have more anti-trespassing measures in place than someone with just a patio in their backyard. Higher levels of protection are going to have to be required where the information or systems protected are more valuable.

Another area in the civil realm will be the use of civil courts to allow individuals who are affected by cyber-crimes to look for redress from those entities that were entrusted with the protection of personal information or assets. Class action suits against entities that allow personal information entrusted to their care to be stolen may be the most effective way to ensure that the information handling meets minimum standards of protection.

Law Enforcement Issue

Many of these threat actors are simply law breakers that ought to be dealt with through the criminal justice system. Identity theft, electronic funds theft, computer fraud, web page defacing, and a certain level of hacktavisim are all generally equivalent to offenses in the physical sphere that are routinely handled by law enforcement personnel. The cyber-versions of these crimes should also be handled by law enforcement personnel and the courts.

This is certainly going to require the development of cyber-police capabilities to investigate these simply criminal acts. Legislators at all levels are going to have to review current criminal statutes to ensure that the current definitions of crimes are broad enough to encompass their cyber-equivalents. And the courts will have to establish the appropriate changes to the evidentiary requirements to deal with the prosecution of these criminal acts.

Because of the transnational nature of many of the criminals involved the Federal government is going to have a large role in the law enforcement realm over and above their necessary involvement in enforcing criminal statutes for crimes that cross state boundaries.

Homeland Security Issue

The Department of Homeland Security in the United States was established as an organization in 2002 to deal with threats to the country that fell somewhere between the strictly law enforcement and military realms. These threats include areas such as counter-terrorism, border protection, immigration and large scale disaster relief. It is clear that some of the cyber-threats that we face fall within these areas of operation.

In these areas it is clear that the Congress, DHS and the Federal Courts take similar action with the respect to these cyber-threats as State and local governments will have to take with the purely law enforcement actions described above.

It must not be forgotten that DHS has responsibility, mainly through FEMA, to help State and local officials respond to natural and man-made disasters that are too large, or cross political boundaries. Similar activities must be addressed for the closely related cyber-disasters as seen last year in the aftermath of Sandy. Congress and DHS need to firmly establish the necessity for responding to cyber-disasters and provide the technical and financial wherewithal to provide the appropriate response.

Military Issue

While DHS has border protection responsibilities it is clear that there is a difference between border protection and border defense. The later clearly falls into the military realm. While it may be relatively easy to differentiate between the responsibility for stopping terrorists at the border and stopping an invading army, it will not be as easy to determine which agency has responsibility for preventing, detecting and responding to cross border cyber-attacks.

With Iran reportedly conducting state-sponsored denial-of-service (DOS) attacks against banks in the United States in response to the supposed (no proof or admission at this point) US involvement in the Stuxnet attack, it is clear that we need to have the political discussion about where the line is drawn between homeland protection and national defense in the cyber-realm. It does seem clear that the line will not be clear-cut so that there will have to be more than the usual coordination and cooperation between DHS and DOD in this area.

More Discussion

Now this has clearly been a broad look at the different areas of how these three areas are delineated. I’ll try to look at them in more detail in future posts.

Monday, January 28, 2013

Senate Passes HR 152

This afternoon the Senate passed HR 152, the Disaster Relief Appropriations Act, 2013, by a largely partisan vote of 62 to 36. It had earlier turned back an amendment by Sen. Lee (R,UT) by a similar vote. That amendment would have off-set part of the cost of the bill by imposing an across the board FY 2013 spending decrease of 0.46%.

As expected there was no attempt in the Senate to modify the bill to address the issue of the impact of Sandy on the security measures at government regulated facilities. Facilities covered by rules such as CFATS or MTSA will not receive any special assistance to re-establish security measures that were damaged by the storm. Nor were there any requirements laid upon the regulating agencies to determine the extent of potential damage to those security measures.

President Obama is expected to sign HR 152 quickly.

Sunday, January 27, 2013

Congressional Hearings – Week of 1-27-13

The House will not be in Washington this week as they ‘work in their district’ listening to voters and raising money. The Senate will be in  town working on legislative issues and conducting hearings. The one hearing of potential interest to readers of this blog, however, will be held in Charleston, WV and will look at pipeline safety.

Charleston was selected because of its proximity to Sissonville, WV the site of a gas pipeline explosion last December. The hearing will look at the implementation of the Pipeline Safety, Regulatory Certainty, and Job Creation Act of 2011 (H.R. 2845). Since that bill was a watered down version of the bill that Chairman Rockefeller introduced (S 275) the Senate Energy and Commerce Committee is sure to take a hard look at the recent accident and an impending GAO report to see if the missing coverage from S 275 could have helped to prevent this type of accident.

In an interesting move for someone that has publicly announced his retirement at the end of this term; Rockefeller has scheduled a resident of Sissonville to present opening remarks to the Committee. Ms. Sue Bonham is an articulate local resident who was personally affected by the recent fire. If this was an election year (and Rockefeller was running) this would be dismissed as a political ploy. Given the political facts, it appears to be a method of personalizing the potential hazards associated with gas transmission or hazardous materials pipelines.

Government witnesses will include a representative from the NTSB, the PHMSA Administrator and a Government Accounting Office representative. The latter is expected to present the latest GAO report on pipeline safety and emergency response capabilities.

The private sector witnesses, beyond Ms. Bonham, will include a pipeline company CEO and the head of the Pipeline Safety Trust. They will almost certainly be presenting opposing views on pipeline safety issues.

PHMSA Clarifies Pipeline Safety Reporting

The Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice (78 FR 5866-5867) in Monday’s Federal Register (available on line yesterday) concerning certain reporting requirements for owner/operators of gas transmission pipelines and gathering lines. The notice extends the deadline for filing last year’s annual reports and notes discrepancies in many of the previously filed reports.

Filing Deadline Extension

PHMSA is extending the dead line for filing the 2012 annual report until June 15th, 2013. This is due to the many recent changes in the reporting requirements and the fact that the new on-line reporting site has not yet been implemented. PHMSA expects to notify owner/operators by March 1st that the new reporting system is operational.

OPID Validation

PHMSA had earlier extended the deadline for most pipeline and LNG owner/operators with Operator Identification Numbers (OPID) established prior to January 1, 2011, to validate their OPID data. They extended the deadline from June 30th, 2012 to September 30th, 2012. As of the end of November PHMSA notes that approximately 16% of those required to provide updated data have yet to do so.

Gas Transmission Annual Reports Discrepancies

Since 2004 PHMSA has collected data on gas transmission incidents in high consequence areas (HCA); first in the pipeline integrity management reports and, starting in 2010 in gas transmission and gathering annual reports. In addition owner/operators have been required to file incident reports and those reports have been required to indicate if the incident occurred in an HCA.

In this notice PHMSA indicates that there are serious discrepancies between the information provided in the incident reports and the annual reports. In only one year (2009) have the number of HCA incidents been the same in both sets of reports. Even then there were mismatches between the OPID of the submitting organizations. As a result, this notice reminds operators that:

“Gas transmission operators who have reported incidents in HCAs from 2004 through 2011 in either gas integrity management performance reports, gas transmission annual reports, or incident reports should submit supplemental reports as needed to correct the data.” (FR 78 5867)

LNG Annual Report Discrepancies

A similar problem exists in the annual reports that LNG operators have been required to submit to PHMSA since 2010. Incidents and safety related conditions (SRC) are required to be reported in the annual report as well as having to submit individual reports to PHMSA. Data from 2010 and 2011 show more incidents (2 vs 0) and SRCs (264 vs 5) reported in the annual reports than there have been individual reports submitted.

PHMSA notes that:

“LNG operators should review their annual reports and SRC reports and submit supplemental reports as needed to correct the data.”


It is sad to see that there are so many discrepancies between regulatory reporting requirements and the actual data submitted to PHMSA. I suppose that it reflects the complexity of the regulatory environment. As such I applaud PHMSA’s publication of this notice rather than moving directly to taking to enforcement action. PHMSA does need the correct information to properly oversee the safety of the pipelines for which it is responsible.

On the other hand it is really sad to see that it has taken PHMSA so long to note some of these discrepancies. Just now trying to correct data inconsistencies that date back almost 10 years calls into question whether PHMSA has actually living up to its regulatory responsibilities. Hopefully this notice reflects a change in the attitude at PHMSA concerning those responsibilities.

FRA Publishes PTC NPRM Extension Notice

The Federal Railroad Administration (FRA) published a notice (78FR 5767-5770) in Monday’s Federal Register (available on line yesterday) that extended the deadline for comments on their notice of proposed rulemaking (NPRM) published in December 2012 that makes changes to the current positive train control (PTC) system requirements. The new deadline for comments is now March 11, 2013.

The notice specifically clarifies some railroad operational questions that it wishes additional comments upon, but any comments on the NPRM will be accepted during the comment extension.

The NPRM would allow railroads to request that certain miles of track be removed from the requirement for the installation or maintenance of a PTC system under relatively low usage rates for carrying toxic inhalation hazard (TIH) chemicals. This could lower railroad costs for handling TIH chemical on those track segments.

Sen. Rockefeller’s Cybersecurity Joke

As I noted in an earlier blog posting, Sen. Rockefeller (D,WV) introduced S 21, the Cybersecurity and American Cyber Competitiveness Act of 2013. A copy of the bill has finally become available, and it is, unfortunately, a replay of last session’s S21, a poor joke of cybersecurity legislation if there ever was one.

As happened two years ago when Sen. Reid (D,NV) introduced S21, I (and much of the political press) initially thought that this would be a serious attempt at bringing cybersecurity legislation to the floor of the Senate. When the actual legislation was made available by the GPO it became clear that this statement of the cybersecurity problem was nothing more than a publicity gimmick.

I am severely disappointed in Rockefeller’s participation in this legislative farce. The only good thing I can say about his version of the bill is that it is not a straight copy/paste of last session’s bill. Someone on his staff (Senator’s don’t actually write bills) actually accepted the drafting of this bill as a creative writing assignment and made several non-substantive changes to the wording.

So, enough of the practical jokes; let’s see some real legislative proposals on cybersecurity.

Thursday, January 24, 2013

ICS-CERT Advisory for Beijer Electronics Products

Today the DHS ICS-CERT published an alert for products from Beijer Electronics. The buffer overflow vulnerability that was reported by Kuang-Chun Hung of Information and Communication Security Technology Center (ICST) in a coordinated disclosure.

ICS-CERT reports that the vulnerability requires direct access to the system and that it would be difficult to craft “a working exploit for this vulnerability” (pg 3). Beijer Electronics has produced updated versions of the affected software and Kuang-Chun has verified that they correct the vulnerability.

Congressional Bills Introduced 01-23-13

Yesterday there were 62 bills introduced in the Senate and 66 bills introduced in the House. Of those 128 bills only two were potentially of specific interest to readers of this blog; both dealt with chemical facility security matters.

Chemical Security at Water Treatment Facilities

S 67 was introduced by Sen. Lautenberg (D,NJ). It would establish regulations for the security of chemicals at water treatment facilities. I’m assuming that it will be patterned after last sessions S 711. This bill was referred to the Senate Committee on Environment and Public Works. Last session there was one hearing at that Committee that addressed S 711, but no action was taken.

CFATS Modification

S 68 was also introduced by Lautenberg and it would modify the current CFATS program, probably along the lines of last session’s S 709. This bill was referred to the Senate Homeland Security and Governmental Affairs Committee. That Committee took no action on S 709 last session as they only addressed the bill by Sen. Collins. I expect that Sen. Carper will have a CFATS bill introduced this session that this Committee will deal with instead of Lautenberg’s bill.

Wednesday, January 23, 2013

Congressional Bills Introduced 01-22-13

No, I haven’t forgotten my intent to report briefly on interesting bills as they are introduced. There just hasn’t been anything of interest until today. The first day that the Senate has been allowed to introduce bills gives us what will probably be the cybersecurity bill for consideration in that body.

Cybersecurity Legislation

S 21, A bill to secure the United States against cyber attack [that’s not the final title; we won’t know that until the bill is published], was introduced by Sen. Rockefeller (D,WV). It will be a couple of days before we will see an actual copy of the bill to be sure what it contains, but I suspect that it will be based upon something like S 3414 from last session. It will be interesting to see what changes will have been made to make it easier to get the bill to the floor of the Senate. That’s further down the road; I’m sure we will be seeing some hearings before we get there.

It is strange to look at the list of co-sponsors to the bill and not see the names Lieberman or Collins on the list. It will be interesting to see who becomes the cybersecurity broker in the Senate now that that team is no longer around.

Disappointing Bill Introductions

The 113th Congress seems to be going a little slow in introducing legislation. The Senate only introduced 53 bills on their opening day and the House is only up to HR 350 as of yesterday. It just doesn’t seem as if their heart is in it.

9th Coast Guard District Extends CDC Barge Reporting Suspension

The Coast Guard published a notice in today’s Federal Register (78 FR 4788-4790) that the 9th Coast Guard District was extending the suspension of the Regulated Navigation Area (RNA) reporting requirements for barges carrying certain dangerous cargo (CDC) through September 30th, 2013. This is an almost identical notice to the one published by the 8th Coast Guard District Commander earlier this month upon which I have already reported.

The 9th CG District covers the Great Lakes region.

This notice is actually a little more than a week late since the ‘current’ suspension expired on January 15th, a little over a week ago.

ICS-CERT Publishes 2 GE Proficy Advisories and Updates ICS TIP

Yesterday the DHS ICS-CERT published two advisories for GE Proficy products and updated for a second time their TIP sheet about “Targeted Cyber Intrusion Detection and Mitigation Strategies”. I know that the Control System Security Program web page shows three GE advisories issued today, but a closer look shows that two of them are for the same advisory. [NOTE: As of 13:00 EST on 1-23-13 this has been corrected.]


Back in May of last year, ICS-CERT issued the first of their technical information papers (TIP) concerning actions to be taken when corporate networks are thought to have been attacked. ICS-CERT updated the TIP in July by adding a section on Credential Management. This latest update makes revisions to the same section; based largely in differences in new versions of Windows® software. Some of the specific changes include:

• Added a link to recent Microsoft guidance on protecting user credentials;

• Expanded the discussion about privileged accounts; and

• Removed the discussion about cached credentials;

GE Information Portal Advisory

In this advisory GE has self-reported two information disclosure vulnerabilities in its Proficy Information Portal application. ICS-CERT reports that a relatively low skilled attacker could remotely exploit either of these vulnerabilities and acquire configuration information about the system including potentially user names and passwords via calls to Port80/TCP.

GE has published two security advisories (GEIP12-14 and GEIP12-15) that explain how to make the necessary configuration changes to address these vulnerabilities.

GE Cimplicity Advisory

In this advisory GE has self-reported two vulnerabilities in its Cimplicity products. The two remotely exploitable vulnerabilities are:

• A directory traversal vulnerability; and

• An improper input validation vulnerability.

ICS-CERT reports that either vulnerability could be remotely executed by a relatively low skilled attacker. The directory traversal vulnerability could allow the attacker to view or download files from the server. The input validation vulnerability could allow the attacker to execute arbitrary commands.

GE has created patches and developed configuration changes to address these vulnerabilities. Information is available in security advisories GEIP12-13 and GEIP12-19.

Additional Information

As is usual in producing these advisories, ICS-CERT provides additional generic information about the protection of control systems. Among the standard items listed is a reference to their TIP “Targeted Cyber Intrusion Detection and Mitigation Strategies” that I mentioned earlier in this post. Interestingly, both of these GE advisories reference the July 2012 version of the TIP, not the version released yesterday. To be fair they were both issued earlier in the day than was the newest version of the TIP, but a little bit better internal coordination could have provided more up-to-date information.

Tuesday, January 22, 2013

House Passes HR 307 – Medical Preparedness

This afternoon the House passed HR 307, the Pandemic and All-Hazards Preparedness Reauthorization Act of 2013, by a bipartisan vote of 395 to 29. In fact, the 29 votes against were all Republicans. The forty minutes allocated for debate only took 17 minutes. I expect that when it comes to a vote in the Senate, it will pass with similar results.

Unfortunately, this consensus on the current language will insure that there will be no attempt to amend the bill to correct the lack of a requirement for chemical facilities with reportable quantities of toxic inhalation hazard (TIH) chemicals to report those chemicals to local medical treatment facilities. It would only be through such reporting that the medical staffs could be prepared to treat mass casualties in the event of a terrorist attack or accident that resulted in a catastrophic release of those chemicals into the community.

BTW: Apparently PETA and other animal rights groups have still not noticed the animal testing provisions included in the bill.

LinkedIn Comment – 1-22-13 – Could it happen here?

This morning Martin Masiuk posted a comment on the DomPrep discussion group on about Saturday’sblog post about the Algerian terrorist attack. He asks a very appropriate question; could this happen here? The short answer is yes, but…..

Hostage Situation

Most news reports have described this as a hostage taking attack that was only partially successful. The exfiltration of the hostages to a base in Mali did not happen, so the apparently al Qaeda related terrorists ended up with a hostage stand-off that ended badly. A hostage taking situation of this sort is less likely (but hardly impossible) to occur in the United States as there is a much lower possibility of the exfiltration of the hostages to an out-of-country secure area.

Having said that, a hostage taking situation at a high-risk chemical facility is far from being a totally unlikely scenario. As long as the attackers were not concerned about walking away from the situation, it might be the best way to carry out a high-profile attack on such a facility. Such an attack could serve two purposes; it would serve to keep the attackers in the public eye for the length of the attack (great publicity) and it would allow demolition teams the time necessary to properly emplace a large number of explosive devices in just the right spots for the most effective destruction of the facility.

Public Exposure

The longer that the hostage takers could keep negotiating with the FBI (certainly the action agency for an attack like this) the longer the story would stay in the world-wide press. Until it became obvious that there were going to be large numbers of hostages killed (the definition of ‘large’ would depend on the size and type of facility being attacked) or that the attackers were prepared (both mentally and physically) to destroy the facility at any moment, negotiations would certainly continue.

Now the only thing that the attackers could expect to gain from such negotiations would be a guarantee of free passage to jail. No administration would long survive allowing any kind of deal that provided for any other sort of result. But the longer the discussion toward the FBI’s goal of total surrender of the attackers took, the better it would be for the terrorists from the view of free publicity.

End Game

It is unlikely that any committed terrorist would actually surrender at the end of the day. The most likely end to the situation would be a government led assault on the facility to free the remaining hostages and prevent the destruction of the facility, or the terrorists destroying the facility, the hostages and becoming martyrs to their cause. Either situation would ultimately serve the terrorists cause of striking terror into the populous and gaining publicity for their cause.

Prevention is the Only Good Solution

Since neither end-game is desirable, the best way to handle this situation is to prevent it. A hostage taking attack like this is not going to be conducted on the spur of the moment. It would require a great deal of preparation, reconnaissance and practice. All of these activities lend themselves to the detection and disruption of the attack well before it happened.

This is the type thing that the FBI and law enforcement agencies have shown themselves to be well versed in, but they do require a certain amount of cooperation from facility management and the local public. As much as one might think that the DHS “See something, say something” campaign is simplistic it is exactly the type of information that one receives from such programs that provides the needed intel to prevent attacks like this.

Insider Information and Assistance

Recent news reports indicate that at least some of the attackers were BP employees and were thus able to provide the attack planners with key information about facility security. This would be an important aspect of any planning for this type of operation. Inserting people into the facility either as employees or contractors provides for the best type of reconnaissance information.

In light of this, it is very disappointing that DHS ISCD has still not published their plan for vetting high-risk chemical facility employees against the Terrorist Screening Database (TSDB). While this wouldn’t necessarily catch all would be terrorists, it would catch some. Not having this in place with the 5th anniversary of the establishment of the CFATS program fast approaching is the height of bureaucratic silliness.

BTW: A hostage taking scenario is not one of the terrorist attack scenarios used by DHS to evaluate CFATS site security plans.

Monday, January 21, 2013

Spear Phishing Threat

There are two interesting blog posts today (one from DigitalBond and one from the New York Times) about a presentation made last week at the S4 Conference is Miami, FL concerning an experiment to see how hard it would be to gain access to computers owned by people who had access to control systems. The short answer is toooooo easy.

Spear Phishing Experiment

I’m not going to go into details about the experiment, Dale Peterson and Nicole Perlroth both do excellent jobs in their posts, and I seriously recommend reading both. I will mention the following, the 26% of control systems personnel clicking on the ‘malware’ links in the phishing emails included job titles of:

• Control System Supervisor

• Automation Technician

• Equipment Diagnostics Lead

• Instrument Technician

• Senior VP of Operations and Maintenance

These are people that are very likely to have direct access to control systems through the computers that they used to read the spear phishing emails. So malware dropped onto their computers could be expected to make contact with the control systems.

Social Engineering

I have written about a significant number of ICS-CERT advisories that point out that the vulnerability would require a ‘social engineering’ attack to be successful. Spear phishing is one of the more popular social engineering methods that attackers use when they want to gain access to specific areas of networks; areas like control systems that have some perimeter protection.

Even air-gapped systems can usually be reached via a spear phishing attack since many of the people targeted, or someone they are linked to on the enterprise network, will use a USB drive to transfer data to or from the air-gapped system. It is extremely easy for a moderately skilled attacker to download a virus program to each USB drive attached to an infected computer.

Education or Isolation

Dale makes a very interesting point at the end of his blog post:

“The right lesson is to treat the corporate network as an untrusted network and prevent inbound access to the ICS except for emergency situations — as well as get working on your spear phishing portion of the security awareness program and incident response capability.”

I’m afraid, however, that Dale’s advice is going to be ignored in one important aspect, there are too many devices that are being used to bridge the gap (actually I think “ferry the gap” would be a more appropriate analogy since the device is only connected to one side at a time) between the IT and ICS systems. The lap top that the control system engineers and technicians use to access/program/monitor the system will almost certainly be plugged in to the corporate network from time to time. The USB devices that are used to transfer data and updates to and from the control system will be plugged into devices on the network. And, of course, we cannot forget the wide variety of smart phone applications and wifi devices that the manufacturers are pushing to the field.

In the first instance, I think that any attempt at restricting the use of the engineering lap top on the corporate network or internet will flatly ignored by the engineering/maintenance staff. There are too many legitimate needs to download tools and updates from vendors for these people to ignore. Even if you use a separate computer to download the information, you still have to ferry it to the system; no matter how many cutouts you use, the malware can still ride with the information.

Complex Solutions for Complex Problems

No, I’m afraid that we are going to have to come up with complex solutions to this problem. But remember, not every facility is going to the legitimate target of a spear phishing/control system attack. Dale’s solution will work adequately (with the expectation of the exceptions that I discussed above) for a large number of control systems.

Higher risk systems are going to have to look at establishing, practicing, and verifying a number of different controls on the transfer of information between networks. You are going to have to start with the education of every member of the staff with access to the IT network; if one person falls for a phishing or spear phishing attack the network security can be compromised. This is going to have to include a reporting and investigative component as well.

Then there are going to have to be periodic tests of that training with actual phishing and spear phishing attempts made on personnel with network access. Publicize the failures, share with the entire staff how and why the individuals fell for the attacks. Let people learn from other people’s mistakes.

Then the IT and control system networks are going to have to be segregated to the maximum extent possible; the higher risk the facility, the more rigorous that separation will have to be. The facilities with the highest risk, those that can affect lives or national security, are going to have to be air gapped.

Finally, there are going to have to be specially designed controls put into place that govern the ferrying of data and software between the two networks. Some way of verifying that only the information that is supposed to make the crossing gets on the boat is going to have to be established. Again, the higher the risk, the more rigorous the verifying must be. And audits, checks and challenges to the controls are going to be required for the highest risk systems.

Oh yes, and remember something will get through. You better have a plan in place for detecting and removing the malware. And have it in place before you need it. The longer it takes to fix, the more embarrassed you’re going to be.

Sunday, January 20, 2013

Congressional Hearings – Week of 01-20-13

The House and Senate will both be in town this week in honor of the inauguration of President Obama. There will be some work done this week, but it will be mostly organizational. Three House committees of interest to readers of this blog will hold their organizational meetings. Since two of the three have new chairmen, this could be interesting (probably not though). Those three committees are:

Health System Preparedness

According to the House Majority Leader’s web site there are only two bills on the agenda for this week to be considered on the floor. One of those will be of peripheral interest to readers of this blog, HR 307, the Pandemic and All-Hazards Preparedness Reauthorization Act of 2013. An official copy of this bill is not yet available through the GPO, but the House Rules Committee web site does have a link to the draft submitted by Rep. Rogers (R, MI) who authored the bill.

This bill was virtually identical to HR 6672 that was passed in the House last month. I discussed the chemical preparedness provisions of that bill then and they still apply to the current bill, so I won’t belabor the point other than it would have been nice to see a requirement for chemical facilities containing reportable quantities of toxic inhalation hazard chemicals to report those chemicals to local treatment facilities that would respond to a mass casualty event due to a release at the covered facility. That would be the only way those medical facilities would have a chance to be prepared to effectively treat those casualties.

The only significant change in the current version of the bill (other than the ‘2013’ in the title) is found in § 402. Biomedical Advanced Research and Development Authority. Section 402(e) was changed to add §402(e)(2):

“EFFECTIVE DATE.—This subsection shall take effect as if enacted on December 17 [should probably read 19], 2012.”

This was necessary because the limited anti-trust exemption provided in §405(b) of the Pandemic and All-Hazards Preparedness Act (42 U.S.C. 247d-6a) expired on December 19th 2012. Without this new provision, any covered actions taken between that date and the date the bill is signed (if passed; not a completely forgone conclusion) would not be protected by that exemption.

I really do expect that this bill will pass in both Houses this week with the same bipartisan support seen last month in the House.

Algerian Situation and Chemical Security

I had an interesting phone conversation yesterday with an individual who helped standup the CFATS program. He wanted to talk about how the terrorist attack on the Algerian gas production facility was a potential game changer for chemical facility security managers in the United States. He thinks that this marks a change in terrorist tactics and points out the vulnerability of chemical facilities in general.

Lessons for State-Side Chemical Facilities?

While it will be some time before we see any details about the Algerian attack (and more importantly the counter-attack by Algerian security forces, more on that later in the post), I’m not sure that this is a major shift in tactics by radical Islamic terrorist. We have seen attempted attacks on Saudi production facilities and successful attacks on Nigerian facilities (though they weren’t really jihadists), so the target wasn’t all that new. Hostage taking is not a new tactic either, though this is probably the first at a petro-chemical complex.

While this certainly points out the need for increased security protection at chemical facilities in North Africa, I’m not sure that any state-side security manager is going to do much to increase their security measures based upon the success of this attack. After all, that is in Africa, not Texas or New Jersey or California. That kind of stuff just doesn’t happen here (just a small touch of sarcasm).

To be fair, you are just not going to be able to harden a major petrochemical complex enough to prevent a determined commando-style assault on the facility. They are just too big, too complex, and too vulnerable to physical disruption. The only successful way to deal with this type of attack is to detect it and disrupt it before it gets anywhere near the facility perimeter. Fortunately, we haven’t seen this style of attack even suggested here in the United States.

Algerian Response

We have already seen a fair amount of ink (mostly electronic) spent here in the United States and in Europe complaining about the number of hostages and terrorists that were killed in the Algerian responses to this terrorist attack. Until (if) we see any of the details about the methods and tactics that the security forces used, it is premature to complain about the results. Rescuing hostages is always a risky business. In the words of John Ringo; it sucks to be a hostage.

No, I am much more interested in the apparent lack of significant damage to the production facilities through the initial terrorist attack and two counter-attacks by security forces. Don’t get me wrong, protecting human lives is more important that protecting facilities, but in this case the death toll could have been much higher if the production facilities had received significant damage. Fires, explosions and toxic chemical releases have a way of doing that.

Potential Dangers of Counter-Attacks

Military grade small arms fire can easily damage storage tanks, piping and ancillary equipment enough to cause leaks of flammable and toxic chemicals. And most people fail to realize that bullets keep going until they hit something. In the heat of battle few people take any interest in what is in the line of sight beyond their target when they engage with their weapons. In areas where there are large volumes of flammable gasses and liquids, this can have catastrophic consequences.

Even in standard operations there may be areas within the production facility that see transient periods where flammable-atmosphere situations exist outside of production vessels. This is why the industry works so hard to control the use of heat or spark producing equipment in production areas. In areas where an explosive atmosphere exits, the muzzle flash from a firearm can certainly set off a catastrophic fuel air explosion.

Why is the Facility Still Standing?

Given all of the potential dangers involved, I am amazed that the production facility is still standing and any of the people involved are still alive. I can think of a couple of reasons that this catastrophic result did not happen;

• The attacks were conducted in administrative areas separate from the production facilities;

• Special weapons and tactics were used to avoid collateral damage; or

• They got damned lucky.

When all is said and done I think we will probably find that it is the first possibility that is responsible for the outcome in this attack. If not, then I think the press owes a major apology to the Algerian forces; an armed assault on an actual gas production facility that does not destroy the facility is a major accomplishment. An attack like that would be studied for years in military academies around the world, trying to extract all of the lessons that would guide future combat operations in such environments.

Share the Information

The public will probably never see the details about the operation that rescued the hostages in this case. Hopefully, however, the US government will share some of the lessons learned with security managers at high-risk chemical facilities and the security response forces that would conduct similar operations here. It is always better to learn the lessons from someone else’s operation than have to learn them on the fly in your own.

Saturday, January 19, 2013

OSHA Address Laboratory Security

The Monday Federal Register (available on-line today) will contain (78 FR 4324-4331) an OSHA technical amendment to their laboratory safety standard (29 CFR 1910.1450). That amendment revises Appendix A, the National Research Council Recommendations Concerning Chemical Hygiene in Laboratories (Non-Mandatory).

According to the Background section of the technical amendment:

“This new revision addresses current laboratory practices, security, and emergency response, as well as promoting safe handling of highly toxic and explosive chemicals and their waste products.”

Appendix A

This appendix to the OSHA lab safety standard is based upon the National Academy of Sciences publication entitled, “Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards”. This technical amendment is based upon the latest version of that publication, the 2011 edition.

The summary of the technical amendment contains a misleading statement about this revision. It states that: “All revisions being made are minor and non-substantive.” Since this is a complete re-write of Appendix A, I can only assume that it means that changes being made from the 2011 NAS publication are minor and non-substantive.

Laboratory Security

For the first time, Appendix A addresses lab security issues (78 FR 4331). It is not an attempt to provide specific guidance on security procedures, but rather a broad overview of security issues that should be taken into account when establishing a laboratory security plan. For example it provides a brief list of security risks:

• Theft or diversion of chemicals, biologicals, and radioactive or proprietary materials, mission-critical or high-value equipment;

• Threats from activist groups;

• Intentional release of, or exposure to, hazardous materials;

• Sabotage or vandalism of chemicals or high-value equipment;

• Loss or release of sensitive information; and

• Rogue work or unauthorized laboratory experimentation.

It notes that a good lab security program will achieve three goals:

• Increase overall safety for laboratory personnel and the public;

• Improve emergency preparedness; and

• Lower the organization's liability.

Given the short coverage (210 words) to lab security and the wide variety of organizations potentially affected by the Appendix, this is not a bad overview of the topic. And since it is the first time that the lab safety standard actually addresses the topic, it is a good introduction to the topic.

Effective Date

This technical amendment goes into effect upon publication on Monday without any provisions being made for public comments and agency response. OSHA notes that this is possible because “the amendment does not modify or revoke existing rights or obligations, and does not establish new rights or obligations”, making it ‘unnecessary’ under 5 USC §553(b)(3)(B).

Friday, January 18, 2013

ICS-CERT Publishes Another Schneider Vulnerability Report

It’s been a bad week for Schneider Electric and their customers. As of late this afternoon there have been two ICS-CERT advisories and one alert published for industrial control systems from Schneider. The latest is an advisory covering a buffer-stack overflow vulnerability in their Interactive Graphical SCADA System (IGSS) application reported by Aaron Portnoy of Exodus Intelligence in a coordinated disclosure.

According to the advisory a moderately skilled attacker could remotely exploit this vulnerability and potentially execute arbitrary code. Schneider has separate patches for the two latest versions of IGSS (V9 & V10) and Portnoy has validated these patches. For older versions of the application Schneider recommends either:

• Upgrade to a newer, mitigated version; or

• Filter communications over Port 12397/TCP to “only allow access from the specific IP addresses for the devices being controlled or monitored” (page 3).

Interestingly a tweet by Exodus Intelligence notes that “Schneider Electric has patched one of the [emphasis added] RCE vulnerabilities we reported in their IGSS SCADA product”. Do we wait for the other shoe to drop until the ICS-CERT 45-day limit expires? Oops, the 45-day ICS-CERT limit passed on November 15th of last year (See the Schneider Electric Vulnerabilities page).

ISCD Blog Post

Yesterday afternoon David Wulf, Director of the DHS Infrastructure Security Compliance Division {the CFATS/Ammonium Nitrate Security Program (ANSP) people} provided the folks at SOCMA with a post on their blog site. It was a brief and positive update on the progress that his folks have been making on improving the CFATS program, both accomplishments to date (200 SSPs authorized and 22 approved) and future actions.

SOCMA is to be commended for offering Mr. Wulf the opportunity as is the Director for taking advantage of the offer. Communications between the regulators and the regulated are always a good thing.

Missing Information

Now I fully understand that a single blog post is not the best way to communicate complex information (I have heard complaints about the length of some of my posts). And, the problems at ISCD are certainly complex and cover a wide range of areas. But there were a number of things not addressed in David’s post. They include (in no particular order of importance) the status of:

• The publication of the Personnel Surety Program;

• The MTSA harmonization effort;

• The update of the COI list;

• The update of the CVI rules for the Controlled Unclassified Information Initiative

• The temporary agricultural facility Top Screen exemption; and

• The publication of the Ammonium Nitrate final rule.

Personnel Issues

There are also more than a few issues dealing with personnel matters within ISCD that I would have liked to have seen addressed. I understand the reluctance to talk about internal problems, but they do affect the operations of the Division and have at least some impact on the SSP approval process. There are three that I specifically wish to see ISCD discuss in public:

• Branch Chief Status (conversion of ‘temps’ to ‘permanent’);

• Turnover in the Chemical Security Inspector ranks; and

• Training program for CSI.

Now I understand that there is some concern within the National Protection and Programs Directorate (NPPD) about the number of their employees that have been unofficially (and anonymously) contacting me about these personnel issues. I have heard rumors that Deputy Undersecretary Spaulding has directed ISCD to reach out to me about this ‘problem’.

So, I would like to take this opportunity to offer to Mr. Wulf or any of his Branch Chiefs the unrestricted opportunity to post information in my blog about any of the issues identified above (or any other of their choosing really). It can take the form of a blog post or even written responses to questions submitted by me. If anyone at ISCD thinks that they have appropriately addressed these issues in some other public venue, please point me at the links and I will publish those.

Thursday, January 17, 2013


Rich Roth at LinkedIn’s ASIS Supply Chain & Transportation Group pointed me (well, all group members) at an interesting article over at about the military announcement that it will no longer accept the use of Transportation Workers Identification Credentials (TWIC) for access to DOD systems. The article by Steve Elwart actually refers back to a December 10th, Federal Register notice (77 FR 73455).

The Background

The summary for that notice states:

“To implement DoD Instruction 8520.2, dated April 1, 2004, SDDC required all commercial accounts accessing transportation systems and applications to use a commercial PKI certificate or Transportation Workers Identification Credential (TWIC). TWIC does not meet DOD security standards and cannot be used as of January 29, 2013.”

In an earlier blog post I noted that the Surface Deployment and Distribution Command (SDDC) would require either a commercial PKI certificate or a TWIC to access SDDC ‘transportation systems and applications’. This notice would revoke the TWIC portion of that earlier Federal Register notice (76 FR 126-127).

The Security Standard

The December notice explains that:

“The DoD PKI office has determined that the Transportation Workers Identification Card [Credential] (TWIC) PKI certificate cannot be used to authenticate users for access to DoD systems. The DoD PKI office has not established a trust relationship with Homeland Security/TSA.”

So apparently DOD has not been able to verify the certificate issued by TSA for the TWIC program (actually four separate certificates)

What is the Real Problem?

Now I don’t think this is the type thing we see in the competition between say Microsoft® and Google®. One would like to think that two different departments in the Federal government that are working hand-in-hand on so many issues could get their IT-Security folks together on sharing PKI certificate information. No, as I wrote in the LinkedIn discussion on this topic, I think there is a more basic problem:

It sounds like maybe someone found out that there are TWICs out there with fake DHS credentials. Those would be worth good money to truck drivers with some 'bad' convictions on their records who would be ineligeble to receive a legitimate TWIC. Or worth a whole lot more to a terrorist or criminal wanting access to an MTSA facility for some nefarious deed.”

Even this type of issue should be more of a communication issue between the two Departments rather than a real security issue. Unless, of course, someone in DHS refused to accept the DOD complaints about forged PKI certificates. Or, if someone in DHS were trying to cover up the problem and the DOD investigators just got tired of trying to work the issue. Whichever, I doubt that we will ever get the true story behind this.

The Consequences

Of course, the people getting stuck with this whole thing are the ‘unimportant’ people in and around SDDC who come to work every day trying to make sure that the DOD’s material gets to where it is supposed to go. The ones that already had TWICs for other parts of their job (physical access to MTSA covered facilities) so they did not have to pay for their own separate PKI certificate. Now they are going to have to go out and spend their money (before the January 29th DOD deadline) so that they can continue to access the software and hardware systems they need to do their jobs.

Congressional Action?

With various House committee chairs pushing ISCD to adopt the TWIC as part of the credentialing program for the CFATS program, maybe it is time for them to start asking DOD and TSA program people what the problem is with this PKI certificate problem between TWIC and DOD. If DOD doesn’t trust the security of TWIC information, why should a chemical plant owner or even the operator of an MTSA covered facility where TWIC use is mandated by DHS.

Will it happen? Not soon; too much financial stuff going on and not enough interest in security. Congress won’t pay attention until there is a significant security event that is directly and clearly linked to the PKC certificate issues. Then there will be a clarion call for action by DOD and DHS and a demand for heads to roll.

ICS-CERT Publishes another S4 Alert and an Advisory

I should have waited a little longer before posting yesterday since just before 5 pm EST ICS-CERT published another S4 related alert (Siemens) along with a Schneider advisory. Arguably the Schneider advisory is of more concern.

Siemens Alert

This alert addresses a brute force password tool that could allow an attacker to the challenge-response data extracted from TCP/IP traffic file off-line to expose credentials used for communications with Siemens S7 PLCs. The tool was introduced at the S4 conference by Alexander Timorin and Dmitry Sklyarov of SCADA Strangelove.

The ICS-CERT advisory notes that an attacker using the tool must have access to an ‘adjacent network’ to acquire the information necessary to use the tool. They also note that the “possibility exists that this code may be modified to be used against other vendor products” (page 1).

NOTE: This was an extremely fast response from ICS-CERT as Dale tweeted about this presentation at about 2:00 pm EST yesterday. Okay the SCADA Strangelove blog post came a bit earlier than that, but it was still a pretty impressive response.

Schneider Advisory

This advisory outlines an authentication communication risk vulnerability in the Schneider Electric software update (SESU) utility used by a number of Schneider products. According to the advisory a moderately skilled attacker could exploit the lack of authentication of update messages to execute arbitrary code on the system.

Schneider has updated their SESU server to support both HTTP and HTTPS communications (HTTPS does ensure signed communications). The SESU client will be updated this month using the existing HTTP protocol. Schneider will not completely switch to using the HTTPS protocol until May 2013. (NOTE: There is an interesting typo – I think – in the advisory that notes that this “means that only HTTP [emphasis added] will be supported during SESU client updates from that time forward” I think that should read “only HTTPS”.

Product updates are an important part of any software support system and there must be a method to verify that the updates are coming from the actual vendor. It is very disturbing that this very basic security procedure has not already been in place.

I do understand that the delay until May to completely implement this change on the client side of the SESU system is driven by an effort to ensure that all systems in place are updated with the changed communications protocol before eliminating the HTTP-based updates, but that is a very big window of opportunity for the exploitation of this vulnerability. At the very least, I would expect that many systems could have backdoor access installed via this mode to allow future access to the systems.
/* Use this with templates/template-twocol.html */