Sunday, March 31, 2013

Comments for TWIC Reader NPRM – 3-31-13


Just a little over a week since the Coast Guard published their NPRM to implement the use of TWIC Readers there is a public response on the public docket on the Federal eRulemaking Portal. There are also links to three supporting documents on the site.

Supporting Documents

The three supporting documents are:


The first is an independent verification and validation of the TWIC Reader requirement. There have been more and more calls for this type of peer review of DHS assessments and requirements. It is important for this document to be included in this docket.

Comments

Just a little over a week into the comment period, it is not unusual for there to be only a single comment on the NPRM posted. As is to be expected, it is from a single individual, not a company or organization; they take longer to formulate their replies. Just as expected, it is a negative comment about the TWIC program and not an actual comment on the NPRM. Even though they will have no effect on the TWIC Reader implementation, I expect that we will see more of these types of comments.

CFATS PSP – Only Tier 1 and 2 Facilities Impacted


This is part of a continuing series of blog posts about the CFATS Personnel Surety Program that was described in a 60-day information collection request (ICR) notice in Friday’s Federal Register. This post will look at the decision to only apply this ICR to Tier 1 and Tier 2 facilities. The earlier posts in the series are listed below.


While the discussion through much of the ICR notice mentions all CFATS facilities, buried in the discussion of calculating the burden of the ICR is a statement that the ICR will only apply to Tier 1 and Tier 2 facilities.

Testing PSP
One of the suggestions that ISCD received after the last 30-day ICR notice was forwarded to OMB (and subsequently withdrawn) was that ISCD should do the same thing that it had done with most major CSAT tool deployments (excepting the SSP) and test the tool before it was officially deployed. This would allow the bugs to be worked out of the program.

While this probably would have been a good idea two years ago when the PSP was initially proposed (and before the Department started evaluating SSPs), this is no longer a reasonable prospect before the PSP ICR is submitted and approved. Too many facilities are receiving provisional authorizations for their SSP without a method being available to complete the personnel surety terrorist vetting required under RBSP #12.

Besides, even conducting a test version of the PSP tool with live data (the only type of test that would be really worthwhile) would still require an approved ICR to collect the data and have it entered into the CSAT application. Thus the ICR must go forward without a live system test.

Limited PSP Implementation

ISCD has worked out a way to test the PSP application and the data collection and submission process from a variety of facilities, as well as evaluate the assumptions underlying the burden estimates in the ICR. They will limit the initial application of the PSP tool to just Tier 1 and Tier 2 facilities. They estimate that this will entail only 552 facilities and about 192,000 individuals. This is compared to about 4,000 facilities and over 2 million individuals for a full deployment of the PSP.

Tier 3 and Tier 4 facilities are not being exempted from the PSP. ISCD intends that “a subsequent ICR would be published and submitted to OMB for approval to incorporate any lessons learned and potential improvements to the CFATS Personnel Surety Program prior to collecting information from Tier 3 and Tier 4 high-risk chemical facilities” (78 FR 17696).

Simatic S7-1500 Security


The Siemens Twitter® feed has been touting the benefits of the newest member of the S7 PLC family, the S7-1500. A recent Tweet noted that “S7-1500 provides a security concept that protects investments & contributes to higher plant availability”. It is nice to see that Siemens is actively advertising security in this new product, but a closer look will be needed to see how well Siemens is actually doing with its security work.

Siemens Security Claims

The nice color glossy brochure available through the Siemens web site (but not actually on the site, kind of odd) dedicates a full page (page 4) to the security measures included in the device and the associated TIA portal. It mentions four specific security features:

• Know-how protection;
• Copy protection;
• Access protection; and
• Manipulation protection.

Given the brief explanation provided (it is after all an advertising brochure) it appears that the first two features are principally designed to protect the intellectual property of the user, while the last two are more directed at cybersecurity and protection of the connected process from outside manipulation.

The access protection claims are supposed to protect “against unauthorized project-planning changes”. They include allocation of “rights” to various users based upon permission levels and communications protections via an integrated firewall (in the CP 1543-1). There is no mention of how user identification is assured (passwords? Key authentication? Biometrics?). The issue of command/information encryption is also not addressed.

The discussion of ‘manipulation protection’ is even vaguer. It notes:

“The system protects the data being transmitted to the controller from unauthorized manipulation. The controller recognizes the transmission of engineering data that has been changed or comes from a strange source.”

There is no mention of how that data is protected (one would like to assume encryption) or how ‘changed engineering data’ is recognized. Again this is an advertising brochure, not an engineering document, but one would like to see a little more meat on this very thin bone.

Security Commitment

Siemens is certainly making the effort to talk-the-talk, but we have a ways to go to see how well they are walking-the-walk. We have already seen multiple vulnerabilities (here and here) reported in their TIA Portal; the large group of vulnerabilities seems to have been fixed promptly. The second (and older) vulnerability has just been addressed with a workaround (keep it disabled when not in actual use?); apparently no actual fix is planned.

I would be much happier with the Siemens security commitment if I had heard that they had provided some devices to some well-known security researchers to check for vulnerabilities. If Rios & McCorkle, Beresford, Toecker, or Langner (to name just a few of the qualified candidates) were given a chance to have a go at the new product and found nothing, I would be very impressed with the change in engineering at Siemens. If they did find something wrong (and I suspect that all ICS equipment will have readily findable faults for the near term), but the vulnerabilities were rapidly fixed, I would still be impressed. Hell, just making the devices available would impress me.

As it is, time will tell how well Siemens is executing the security responsibility that they are beginning to take seriously in their advertising.

Saturday, March 30, 2013

Responses to NIST RFI – 03-30-13


We are finally starting to see some of the responses that NIST has received from their request for information for the cybersecurity framework that they are developing to support the President’s cybersecurity Executive Order. There are as of today 19 responses on the NIST RFI Response web page. Upon quick review they run a wide gamut of ideas, from very technical presentations on technical security issues to almost political manifestos. And it looks like there is currently about a 10-day delay in getting responses posted to this new web page.

Political Manifesto

One of the most radical proposals comes from Jean C (NIST is not providing contact information with these postings unless it is specifically listed in the document submitted). It begins with the statement “Block all international internet access” and goes downhill from there. I will grant that the suggestions in this document will probably limit the number of successful cyber-attacks (limit not eliminate – Stuxnet attacked isolated systems), but it would also completely isolate important sectors of the US economy from the beneficial aspects of information sharing.

Even with all of the political paranoia inherent in this proposal there are some worthwhile suggestions, though none of them are new. Testing of updates before implementing them on control systems and having appropriately trained cybersecurity personnel are hardly new ideas.

Another political approach to cybersecurity takes a little more technical approach. Piltz suggests that all IP addresses be protected by VPNs. The proposal then drops back down into political controls; fining personnel via payroll deductions for violations of protocols and ‘timewasting’ online and blocking all internet connections after work hours round out the political approach.

Technical Proposals

There are a number of technical proposals that I am hardly in position to evaluate, but that’s what NIST is for. They range from interface standards, to NASH hardware encryption (impressive diagram), to software security evaluations. There is a broad suggestion as to what the framework should include and a link to a foreign cybersecurity national standard.

Information sharing is an important part of a number of the proposals. The development of a standard format for disseminating attack information and an international experiment on the development of an information sharing protocol are some of the ideas discussed.

There is an interesting discussion of the Cyber Security Evaluation Tool (CSET) developed by ICS-CERT. While much of the discussion describes improvements that could be made to CSET, it is an interesting proposal for using this type of tool for evaluating the cybersecurity of systems.

One of the most comprehensive documents provided to date comes from a well-known source, IBM Security Systems. It is an interesting bullet-point style list of things that might be included in the NIST framework. Many of the items deserve more detailed discussion (particularly the various metrics suggested) while others are more of the ‘apple pie and motherhood’ variety (Identify your key / most critical business processes.). As is to be expected from IBM, this is an IT-centric proposal.

What’s Missing

While it is still early in the RFI process (typically most comments come in the closing days of the comment period) it is disappointing to not see comments from people in the control system security community. To my mind most of the serious work in protecting critical infrastructure from catastrophic events must be focused on control systems. I would really like to think that some of the well-known figures in this community are planning on putting in their two-cents worth.

Friday, March 29, 2013

CFATS PSP – Other Information to be Collected


This is part of a continuing series of blog posts about the CFATS Personnel Surety Program that was described in a 60-day information collection request (ICR) notice in Friday’s Federal Register. This post will look at what additional information (in addition to the personally identifiable information (PII) previously discussed) ISCD might require a high-risk chemical facility to submit to DHS under the CFATS PSP. The earlier posts in the series are listed below.


While the bulk of the information collection covered under this ICR will be the PII used to vet personnel against the Terrorist Screening Database (TSDB), there is additional information that ISCD will be collecting in its administration of the PSP at the Department level.

Information about the High-Risk Facility

Since the Department envisions that many high-risk facilities will use third-party organizations to submit the PII required for the PSP on its facility personnel, the PSP tool in the on-line Chemical Security Assessment Tool (CSAT) will require information “that identifies the high-risk chemical facility, or facilities, at which each affected individual has or is seeking access to restricted areas or critical assets” (78 FR 17686). From that wording it would seem that vendors and contractors supporting multiple high-risk facilities will be required to identify which facilities they routinely support as part of their data submissions in the PSP tool.

Additional information may be collected from the facility about its PSP in support of adjudications under Subchapter C of 6 CFR Part 27; in processing requests for extensions,

High-risk chemical facilities will also be required to provide ISCD with a point of contact for the collection of additional information about the facility, its PSP, and individuals who have had their PII submitted for screening.

Additional PII

The previously identified PII will be routinely collected on any individual based upon which submission option the facility chooses to use in their PSP filings. ISCD realizes that from time to time they will have to request additional information about an individual to better confirm or deny potential matches in the TSDB. ISCD and law enforcement agencies might also be expected to contact the facility for further information about individuals that have been identified as matches against the TSDB. The notice makes the point that a “request for additional information from the Department does not imply, and should not be construed to indicate, that an individual is known or suspected to be associated with terrorism” (78 FR 17686).

Additional information may be collected about individuals in the PSP as part of the adjudications under Subchapter C described above. Additionally redress requests by individuals may require facilities to provide additional information about an individual. Unfortunately, this is the only mention of ‘redress’ for individuals who feel that they are wrongly identified as having terrorist ties. This may be because the Department will not necessarily notify the facility if an individual is identified as having terrorist ties and thus individuals are unlikely to know if they are wrongly identified.

The reference in this ICR to redress does mention (in a footnote) a series of Privacy Act documents that the Department issued in June of 2011 as part of the original ICR submission to OMB that was subsequently withdrawn. Those documents will certainly be revised as this new ICR moves forward.

Odd Information

There is one odd paragraph in this section of the ICR; it deals with the collection of what would generally be described as file numbers. The notice states that there will be ‘blank data fields’ in the PSP tool in CSAT that will allow the facility to enter a designation or number unique to an individual so that a facility may better track the data submission. I can’t see any reason why a facility submitting information on their own employees would really need this, but it would sure come in handy for third-party submitters, vendors and contractors who might need to keep track of what facilities are associated with a particular individual.

Coast Guard Changes NMSAC Meeting


Today the Coast Guard posted a notice in the Federal Register (78 FR 19277-19278) announcing that the two day meeting of the National Maritime Security Advisory Committee (NMSAC) previously scheduled for next week in Washington, DC has now been changed to a half-day electronic meeting on April 2nd, 2013. The notice cites ‘budgetary constraints’ (read Sequestration) as the reason for the change.

Agenda Change

While not specifically mentioned as a change, the description of the agenda in the current notice is slightly different than the previous agenda. The new agenda deletes the presentation and discussion on Maritime Domain Awareness and Information Sharing and replaces it with a discussion of the recent TWIC Reader NPRM. Since the NPRM was published after the previous notice was published this addition certainly makes sense.

Public Participation

Public participation is still being solicited. There are provisions for a public comment period at the end of the conference and written comments will still be accepted through today (the same cut-off date as was posted in the original notice). People wishing to participate via teleconference should dial 866-810-4853; the pass code to join is 9760138#. The web conference will be via the Homeland Security Information Network (HSIN) at https://connect.hsin.gov/r11254182; follow the online instructions to register for this meeting.

Editorial Comment

I understand that the Sequester is forcing the federal government to cut spending, and certainly travel-related spending for conferences like this would seem to be an obvious way of cutting spending without cutting services. Having said that, making a change like this six days before the scheduled meeting is a blatant slap in the face to the non-federal employee participants. Last minute cancellations of travel plans are disruptive, to say the least, and expensive in that many transportation arrangements do not allow for full refunds upon cancellation.

Having said that, I do commend the Coast Guard for carrying on the conference in an electronic format. This is a cost effective way of sharing the information, both for the government and the private sector attendees. Of course they probably would not have been able to set this up on short notice if they hadn’t already planned on providing for the electronic attendance for the meeting.

I am concerned, however, that they are shortening the meeting from 9-hours (over two days) to just 3-hours. I understand that the electronic format provides some time savings as they don’t have to provide for extended breaks to allow personnel to find and use the utilities, but that doesn’t save 6-hours. The only way to remove that much time will be to cut short the discussions of the important topics to be considered at the meeting, and that is not a good thing.

Thursday, March 28, 2013

Gas Refinery Vulnerabilities



There is an interesting article by Joe Trindal on DomesticPreparedness.com providing further details about the terrorist attack on the gas refinery in Algeria in January of this year. Readers might recall that Joe was a source of much of the information that I used in preparing my earlier blog post on that attack. He has a lot more detail available in this article.

Joe and I have had an ongoing conversation about the implications of this attack. He is convinced that this attack marks a major change in terrorist tactics in regards to critical infrastructure facilities and directly changes the scope of the threat against similar facilities here in the US. I’m inclined to think that this is more of an incremental change if one considers the frequent attacks on Nigerian oil field facilities. While I do agree that this probably changes the scale of the potential threat against refineries in the US, I don’t expect that we will see complicated, large-scale attacks like that seen in Algeria.

Having said all of that, I think Joe’s article provides a valuable look at the lessons learned from the Tiguentourine Gas Refinery attack. In particular I think that his comments under Prepare Responders for Special Site Hazards deserve special attention. He notes that:

“Unfortunately, the Algerian response forces at the In Amenas Gas Refinery lacked the preparatory experience (sic) needed to cope with the hazards posed by engaging in live-fire interdiction in the areas around pressurized flammable gas processing units at the site.”

He goes on to say:

“Site preparedness planning, careful coordination, and analysis of on-site hazards with law enforcement response teams are all of critical importance well in advance of an incident. Law enforcement response teams must prepare for alternative solutions and/or determine acceptable-risk thresholds for engaging live-fire, pyrotechnic diversionary, and other interdiction assets at or in areas containing special hazards such as volatile and flammable materials and/or toxic-release chemicals. Law enforcement should therefore assess such dangers and consider shifting to the use of frangible (“soft”) ammunition for operations on certain sites. Such operational decisions should be predicated with analysis, training, and decisional procedures well in advance of active operations on relevant sites. The members of law enforcement interdiction units also should be prepared to operate effectively and to use the full ensemble of personal protective equipment needed to cope with the site’s inherent hazards.”

None of this is new to long time readers of this blog. I have made similar comments and recommendations many times over the years. It is heartening to hear the same thing, though, from someone with Joe’s tactical and law enforcement experience.

Refinery owners (in particular, but this applies to all high-risk chemical facilities) owe it to their employees, shareholders and local communities to take this into account in their response planning for not only terrorist incidents but active shooter incidents as well. They are responsible for ensuring that the local responders have a solid understanding of the potential safety consequences of the application of deadly force at chemical facilities.

Cybersecurity Incentives – Notice of Inquiry


Today the National Institute of Standards and Technology (NIST) and the National Telecommunications and Information Administration (NTIA) co-published a notice of inquiry in the Federal Register (78 FR 18954-18955) looking for information to support the development of incentives to adopt the improved cybersecurity practices to be developed by NIST as part of the President’s Cybersecurity Executive Order (EO 13636).

According to the notice summary the inquiry is designed to support the Department of Commerce’s incentives effort in three ways:

• Analysis of the benefits and relative effectiveness of such incentives;
• Whether the incentives would require legislation or can be provided under existing law; and
• Whether the incentives could be applied to US industry as a whole.

The Department asked a similar set of questions in 2010 (75 FR 44216) and plans to incorporate the results of that request into their report to the President which will be submitted no later than June 12th, 2013. In this inquiry NIST/NTIA would like respondents to the earlier request to comment on whether or not their earlier comments are still applicable.

The notice also provides a lengthy list of questions to which it would like all interested parties to respond. Those responses may be sent to NTIA (cyberincentives@ntia.doc.gov) and must be received by April 29th, 2013. The short response time is necessitated by the deadline for having a report to the President. Comments will be made available on the Internet Policy Task Force web page. 

Wednesday, March 27, 2013

ICS-CERT Publishes Two Metasploit Updated Advisories


Late this afternoon ICS-CERT published two updated advisories that were issued earlier this year; one for multiple vulnerabilities in CoDeSys Gateway-Web Servers and the other for a single vulnerability in the WellinTech KingView product. Both updates were necessary because the organization initially reporting the vulnerability had recently released a Metasploit module for exploiting the identified vulnerabilities.

Both Exodus Intelligence and IOActive have produced Metasploit modules for the vulnerabilities that they reported in coordinated disclosures. EI explains on their web page that it is their intention to provide their customers with exploit tools for vulnerabilities that they discover. Apparently IOActive has the same policy. This is becoming a more common approach as security researchers explore a variety of business models to make their security research worthwhile.

In both of these cases the exploit modules were published well after the ICS-CERT advisories were published. Thus the vendors had time to produce and distribute patches or updates to fix the vulnerabilities before the exploit tools became publicly available. Of course, no one really knows how many of the system owners actually knew about the vulnerabilities or, if they did know, actually had a chance to update their systems.

TWIC Reader NPRM – Miscellaneous Changes


This is the third in a continuing series of blog posts about the recently published notice of proposed rulemaking concerning the implementation of the use of TWIC Readers at MTSA regulated facilities. This post looks at some of the minor miscellaneous changes to the Coast Guard’s Maritime Security Regulations (33 CFR Subchapter H) included in this NPRM. The earlier blog posts in the series are listed below:


Definitions

The NPRM would add a number of definitions to §101.105. They include the definitions of the following terms:

Risk Group; and

One definition would be removed from the list of definitions: recurring unescorted access. This term is no longer needed because of other changes that would be made in the rule, particularly the minimum crew exemption.

Minimum Crew Exemption

The NPRM would add in the new §101.520 a paragraph that would exempt vessels with crews of fewer than 15 people (“14 or fewer TWIC-holding crewmembers”) from the requirement to use a TWIC Reader {§101.520(e)}. This was included as a response to the Safe Port Act (PL 109-347) requirements to establish a minimum crew size that warrants the use of a TWIC Reader {46 USC §70105(m)(1)}. It also reflects the belief that personal recognition on a vessel of that size is better identification than any credential. Crew members would still be required to possess a TWIC and it would need to be visually checked upon boarding.

The same crew-size exemption does not apply to facilities. The Coast Guard reasons that while only 14 people may work at the facility, there is an increased likelihood that non-crew members would also be requesting access to the facility.

MARSEC 2 and MARSEC 3

I have already noted that increased MARSEC levels will require an increased frequency of checking the Canceled Card List (CCL) going from once a week (“no more than 7 days old”) to daily (“no more than 1 day old”). The actual requirement will be a bit more complicated than that. Any time that there is an increase in MARSEC level the CCL must be updated within 12 hours of the increase {§101.520(c)}.

Just to make it absolutely clear, the new language specifically requires that only “the most recently obtained CCL information shall be used to conduct card validity checks” {§101.520(d)}.

COPT Temporary Exemptions

The crafters of the rule understood that under some conditions, requiring a full biometric identity check, card authentication and validation could impede the flow of personnel into a facility to the extent that the back-up of traffic could be its own safety or security hazard. In these exceptional cases the COPT is authorized “to temporarily suspend TWIC reader requirements at that facility” {§101.520(f)}. During that suspension the TWIC would still need to be visually inspected.

Special Circumstances

This proposed rule also provides exceptions for ‘special circumstance’ {§105.535}; those times when things happen to TWICs or their owners that make it impossible to use the TWIC Reader. Those circumstances include:

• Lost, stolen or damaged TWIC {§105.535(a)};
• Fingerprints cannot be read {§105.535(b)}; or
• TWIC Reader malfunctions {§105.535(c)}.

Alternative procedures are spelled out for each of these special circumstances. Common to all of those procedures is the requirement that the individual be known to the owner/operator and has been previously granted unescorted access.

Earth First vs Security Cameras


It seems that the lowly but ubiquitous security camera has attracted the ire of the loosely knit environmental activist organization Earth First. They recently announced a year-long contest to see who could disable the most security cameras. It doesn’t appear that there is any specific environmental complaint linked to this contest; just a general anarchistic response to a sense of lost privacy. Or maybe the cameras are interfering with the successful completion of other Earth First related environmental actions.

The organization (a very grand term for this loosely organized collection of activists) seems to have spent some time and effort on this contest. They have posted a very interesting article on their news site providing some details on various techniques that can be used to attack these cameras. Particular attention has been targeted at traffic cameras.

There was a brief post last week over on the Association of State Drinking Water Administrators (ASDWA) blog about this contest. Reprinted from the WaterISAC Pro Weekly newsletter, the author notes:

“Locations that have experienced higher levels of environmental activism or violence should evaluate the potential threat posed by this contest and the actions of other ideologically similar groups. In addition, areas where new development is taking place, such as the controversial Key Stone Pipeline, or that may otherwise be considered environmentally sensitive may be at greater risk.”

The cameras at greatest risk, of course, are those that exist outside of a security perimeter. They would certainly be more susceptible to attack than those on the protected side. In fact, I would suggest that any camera attacked within the perimeter indicates a major security breach and may be an indicator of an insider with sympathies with Earth First or one of its related radical environmental organizations.

Any such ‘attacks’ should be reported to the local police, but efforts should be made to stop news organizations from writing about specific attacks to deny the perpetrators gaining credit in this contest.

CG Announces TWIC Reader Meeting – 4-18-13


Today the Coast Guard published a meeting notice in the Federal Register (78 FR 18534-18535) for a public meeting on April 18th, 2013 in Arlington, VA concerning the recently published TWIC Reader NPRM. According to the notice, the meeting will “provide an opportunity for oral comments. Coast Guard personnel will accept written comments and related materials at the public meeting as well.”

There is nothing in the notice that would indicate that the Coast Guard is intending to provide a presentation about the NPRM. It appears that this is just an opportunity for public comment. This probably explains why there is no mention in the notice of the electronic sharing (web cast or telephone bridge, for instance) of this meeting that we have come to expect from Coast Guard sponsored meetings. A written summary of the meeting and the oral comments will be posted to the rulemaking docket (www.Regulations.gov; Docket # USCG-2007-28915).

It does not appear that the Coast Guard intends to engage in a discussion about the publicly received comments at this meeting. Any official response to the comments will be found in the preamble to the final rule when it is published.

The notice does mention that there is a possibility that the Coast Guard may hold another public meeting on the NPRM before the comment period ends on May 21st, 2013. A separate Federal Register notice would be published if that occurs.

Tuesday, March 26, 2013

CFATS PSP – Who Submits Information?


This is part of a continuing series of blog posts about the CFATS Personnel Surety Program that was described in a 60-day information collection request (ICR) notice in Friday’s Federal Register. This post will look at how ISCD expects facilities to organize the submission of the required personally identifiable information (PII). The earlier posts in the series are listed below.


Facility Responsibility

The individual high-risk chemical facility covered under the CFATS program is responsible for implementing the Personnel Surety Program (PSP) as part of their facility site security plan (SSP). That does not mean, however, that they will be submitting the personal information on all of the people that work at the facility or will have unescorted access to critical areas of the facility as visitors, contractors or vendors. DHS has provided for a number of different options for the facility to use as part of its PSP. The four basic options are:

• The facility submits information on all affected individuals for the facility;
• The parent company submits information on all affected individuals for the facility;
• Either the facility or the parent company designates a third-party to submit the information; or
• The PSP includes some combination of the three for different classes of affected personnel.

The notice explains that vendors and contractors would have essentially the same options available for vetting their personnel that would have unescorted access to critical areas of high-risk chemical facilities. What is not made clear is how the vetting done by vendors and contractors would be communicated to the facility security manager and how those records would be made available to ISCD Chemical Facility Inspectors conducting compliance inspections. Would facilities have to submit the same type of abbreviated information that they do for personnel that had already undergone a TSA security threat assessment?

CSAT Application

Anyone that is familiar with the various roles defined in the current CSAT applications will quickly realize that only one of the options outlined above could be directly rolled into the current CSAT roles of Authorizer, Submitter, Preparer and Reviewer. With this in mind the notice mentions a new role for the CSAT process: the Personnel Surety Submitter (PSS). As we saw when ISCD allowed for multiple submitters with the advent of the SSP tool, the notice makes clear that they expect that many facilities will use multiple PSS.

There is not a great deal of information in the notice about the PSS, but we can expect that the PSS will have to go through a similar process of identifying and notifying ISCD of the appointment of PSS. One would also expect that when an individual is logged into CSAT in a PSS role, they will only have access to facility PSP information. What is not so readily apparent is whether or not personnel with current access to the CSAT application in existing roles will be able to access the PSP information as well. Privacy issues may require limiting access to that information.

Another thing that is not immediately clear from this discussion in the PSP notice is the CVI status of the submitted information. Currently the Registration application and the Top Screen application do require that someone with access to those CSAT applications have completed the Chemical-Terrorism Vulnerability Information (CVI) training program. The two remaining CSAT applications (Security Vulnerability Assessment – SVA – and the Site Security Plan – SSP) do require the possession of a CVI training certificate to be able to access the applications. If it is determined that PSP information is not CVI, then it is likely that ISCD will not require CVI training for personnel performing PSS duties.

The CSAT User Roles and Responsibilities section of the notice does not address how vendors and contractors that will be submitting the information on their employees fit into this CSAT application process. Will their PSS have to be appointed by the Authorizer of the supported high-risk chemical facility or will a management member from the vendor or contractor be able to appoint their own PSS?

Realistically, these details will be more suited to explication in the inevitable revision of the CSAT Registration Manual that will be necessitated by the addition of the PSS to the list of positions that require CSAT Registration.

HR 1204 Introduced – Aviation Security


As I mentioned earlier, Rep. Thompson (D,MS) recently introduced HR 1204, the Aviation Security Stakeholder Participation Act of 2013. This bill would require the DHS Assistant Secretary for TSA to formally establish an Aviation Security Advisory Committee (ASAC) to advise the Department on “aviation security matters, including on the development and implementation of policies, programs, rulemaking, and security directives pertaining to aviation security, while adhering to sensitive security guidelines” {added in 49 USC §44946(b)(1)}.

According to a press release from Thompson, the ASAC was actually formed in 1989 but became inactive until it was reinstituted by TSA Administrator Pistole in 2011. What this bill would do is to require the Administrator to consult with the ASAC on the items listed above. Rep. Thompson noted that he hoped that such consultation would help to prevent actions like the recently announced TSA policy change to allow small knives to be carried by passengers aboard commercial airplanes.

The ASAC would not be just focused on passenger security issues. The bill would require the establishment of subcommittees to address:

• Air Cargo Security {§44946(d)};
• General Aviation Security {§44946(e)};
• Perimeter Security {§44946(f)}; and
• Risk-Based Screening of both passengers and cargo {§44946(g)}.

Over the years many activist organizations have objected to the formation and activities of various federal advisory committees, complaining that they provide big business with too much influence over the regulatory process. Thompson’s bill seeks to pre-empt many of these types of complaints by mandating that labor unions, privacy organizations, minority owned small businesses and advocacy groups all have some representation on the Committee.

This is a motherhood and apple pie bill that will certainly pass with bipartisan support if it reaches the floor in both houses of Congress. The problem will be in ensuring that the leadership actually brings it to the floor. That problem may be avoided if this bill gets tacked onto an authorization bill. The most likely candidate would be the TSA authorization, but it could also end up attached to a DOT authorization bill.

DOT Announces Connected Vehicle Workshop


Today the Department of Transportation’s Intelligent Transportation System Joint Program Office (ITS JPO) published a notice in the Federal Register (78 FR 18415-18416) announcing a public workshop on the Connected Vehicle Reference Implementation Architecture (CVRIA). The two-day workshop (April 30th through May 1st) in San Jose, CA will look at preliminary architecture viewpoint drafts. DOT is soliciting feedback from the stakeholders who will be involved in manufacturing, developing, deploying, operating, or maintaining the connected vehicle technologies and applications.

Since most modern vehicles already contain extensive mobile control systems, security of those control systems should be an obvious concern. It would seem that expanding the connectivity of those systems to more outside communications increases their vulnerability to unauthorized manipulation and raises privacy concerns.

It appears that DOT has not entirely ignored the security implications of the expanded connectivity of these systems. The program web site provides links to two existing communications security related documents (here and here), but it seems to me that involvement of ICS security professionals early on in the development process would be beneficial in the long run.

Monday, March 25, 2013

ICS-CERT Publishes Another Siemens Advisory


Today ICS-CERT published an advisory for an improper access control vulnerability in the Siemens interface cards used to connect workstations to PROFINET IO. The vulnerability was reported by Christopher Scheuring and Jürgen Bilberger from Daimler TSS GmbH in a coordinated disclosure.

This Vulnerability

ICS-CERT notes that a relatively low skilled attacker could remotely exploit this vulnerability to execute a DoS attack or execute arbitrary code. The Siemens security advisory for this vulnerability notes that the vulnerability is exploited by sending specially crafted packets to network port 17185/UDP. They recommend that the devices only be deployed on trusted networks.

Siemens has developed a firmware patch that closes the default debugging port that underlies the vulnerability. Once again ICS-CERT does not provide a comment that the firmware patch efficacy has been evaluated by the original researchers or ICS-CERT. Again, we are left to wonder if this is an editorial oversight or if there are questions about the effectiveness of the patch.

Siemens ProductCERT published an advisory on this vulnerability on February 13th and last updated it on February 18th. Here it is more than a month later and ICS-CERT is just now getting around to publishing their advisory.
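One way to check the "trusted networks only" recommendation against recorded traffic, as an added example that is not part of the ICS-CERT or Siemens advisories: it flags UDP flows to port 17185 that arrive at the affected workstations from outside the trusted segment. The flow-record layout, the addresses and the trusted subnet are all assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter

DEBUG_PORT = 17185  # UDP port named in the Siemens advisory

# Assumption: the site's trusted control-network segment.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: workstations fitted with the affected interface cards.
PROTECTED_HOSTS = {
    ipaddress.ip_address("10.20.0.15"),
    ipaddress.ip_address("10.20.0.16"),
}

# Constructed flow records (not real traffic): time,proto,src,dst,dport,action
SAMPLE_FLOWS = """\
2013-03-25T08:00:01,udp,10.20.0.40,10.20.0.15,17185,allow
2013-03-25T08:00:07,udp,192.168.50.9,10.20.0.15,17185,allow
2013-03-25T08:00:09,tcp,192.168.50.9,10.20.0.15,17185,allow
2013-03-25T08:01:13,udp,172.16.4.2,10.20.0.16,17185,deny
2013-03-25T08:02:44,udp,192.168.50.9,10.20.0.16,17185,allow
2013-03-25T08:03:00,udp,10.20.0.41,10.20.0.16,161,allow
not,a,valid,record
"""


def is_trusted(addr):
    """True when the source address sits inside a trusted segment."""
    return any(addr in net for net in TRUSTED_NETS)


def find_exposure(flow_text):
    """Return (findings, skipped) for untrusted traffic to the debug port.

    A finding is 'reached' when the packet filter allowed the flow and
    'blocked' when it was denied; malformed records are counted, not guessed.
    """
    findings = []
    skipped = 0
    for row in csv.reader(io.StringIO(flow_text)):
        if not row:
            continue
        if len(row) != 6:
            skipped += 1
            continue
        ts, proto, src, dst, dport, action = (field.strip() for field in row)
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            skipped += 1
            continue
        # Only UDP to the debug port on an affected workstation is of interest.
        if proto.lower() != "udp" or port != DEBUG_PORT:
            continue
        if dst_ip not in PROTECTED_HOSTS or is_trusted(src_ip):
            continue
        status = "reached" if action.lower() == "allow" else "blocked"
        findings.append({"time": ts, "src": src, "dst": dst, "status": status})
    return findings, skipped


def reached_by_source(findings):
    """Count flows that actually reached an affected host, per source address."""
    return dict(Counter(f["src"] for f in findings if f["status"] == "reached"))


if __name__ == "__main__":
    results, bad = find_exposure(SAMPLE_FLOWS)
    for item in results:
        print(item["time"], item["src"], "->", item["dst"], item["status"])
    print("sources that reached the port:", reached_by_source(results))
    print("malformed records skipped:", bad)
```

Flows marked "reached" mean the port is exposed beyond the trusted segment on an unpatched device; "blocked" entries show the filter working and are still worth tracing to their source.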

Another Siemens Vulnerability

I don’t routinely check the Siemens ProductCERT web site unless there is an ICS-CERT report on a Siemens product; there are just too many web sites and so little time. Today I found another vulnerability reported by Siemens back in February that has yet to be acknowledged by ICS-CERT. This one has to do with multiple stack-based buffer overflow vulnerabilities in the OZW and OZS web servers for the Siemens building control systems. The vulnerabilities would allow DoS attacks and remote code execution.

These vulnerabilities were reported by HD Moore of Rapid7. Actually the vulnerabilities exist in a third-party library (libupnp) for the UPnP protocol. Rapid7 has produced Metasploit modules for some of the vulnerabilities. It is standard procedure for Rapid7 to publish exploit code for the vulnerabilities that they identify after the vendor has had a chance to publish a fix for the vulnerability.

Since these vulnerabilities exist in a third-party application they may affect a large number of other products that use the UPnP protocol and the libupnp library.

Where is the PSP Update on the CFATS Knowledge Center?


Last Friday DHS published one of the most important CFATS documents in the last year in the Federal Register; the 60-day ICR notice for the Personnel Surety Program. Just now the CFATS Knowledge Center still has “No current news” posted in its latest news section. One would like to think that ISCD would be actively pushing information about the proposed PSP to the regulated community and that the CFATS Knowledge Center would be one of the prime conduits for information. But no, it looks like it is just passively sitting back and waiting for the world to notice.

Improvised Chemical Weapons


There have been a number of news reports over the weekend about the possible use of chemical weapons by Syrian opposition forces. Nothing has yet been confirmed by independent investigators, but most news reports concern the use of a single round of undetermined size that contained some sort of chlorine based chemical.

The third hand descriptions do not sound like chlorine gas, but rather some sort of chlorine bleach based munition. This does not make a lot of sense on a number of levels. While chlorine bleach (sodium hypochlorite) is a corrosive when dissolved in water, significant amounts would have to be splashed on someone to cause militarily significant wounds. Highly concentrated bleach does readily decompose to give off chlorine gas, but the amounts present in a single artillery warhead would not produce enough chlorine gas to be lethal or even incapacitating in all but the most limited confined area.

To have an improvised chemical munition that could be delivered by tube or even rocket artillery requires a shell that is designed to be filled with a liquid, and can withstand the shock of launch without leaking. It must also be equipped with a burster charge and fuse combination that will make it detonate and disperse the chemical agent upon impact. Finally the whole thing must be properly balanced and weighed so that the flight characteristics will produce an adequate level of accuracy to allow delivery to the target area. This is not something that can be whipped up in a casual machine shop.

Syria probably has significant stocks of properly constructed chemical weapon shells waiting to be filled; they reportedly have a significant chemical weapons capability and inventory. Rebels may have gotten their hands on some quantity of these empty shells. They may even have been able to buy such shells on the black market from the defunct weapons programs in Libya or Iraq or any number of old Soviet bloc countries.

If they had access to the empty chemical munitions, it makes no sense for them to fill even one of their almost certainly limited supply with bleach since it is such an ineffective chemical weapon. If one were going for just the contact corrosive effect there are any number of commercially available corrosives which would have produced much nastier chemical burns. If they were going for a toxic effect, there are other more lethal industrial chemicals or pesticides which would have been more effective.

What is much more likely is that a conventional artillery shell hit a storage container containing bleach. Sodium hypochlorite in concentrations as high as 60% is a fairly common chemical in a number of industrial operations and is used as a disinfectant in drinking water systems and many cooling systems. Breaching an industrial scale bleach storage tank would produce a chemical effect over a much larger area than a single chemical shell.

This is one of the problems with conducting military operations on urbanized terrain (MOUT, the then-current term when I last professionally studied the subject lo, many years ago). Industrial areas contain storage containers of various sizes of nasty chemicals. When an artillery round or even a rocket propelled grenade punctures such a container, the chemical is released into the environment. The tactical effects may be virtually indistinguishable from a chemical attack.

On a strategic level politicians have to be very careful to ensure that they can distinguish between accidentally released industrial chemicals and the deliberate attack with chemical munitions. While both may cause death and disfigurement to innocent civilians the latter may require a formal military response while the former may just merit a call for a cease fire to allow the dead and wounded to be evacuated and treated.

The situation calls for a very careful and thorough investigation by people who know their business. I am glad to hear that the OPCW has been brought into the process by the UN.

CFATS PSP – Who Gets Screened


This is the second in a series of blog posts about the CFATS Personnel Surety Program that was described in a 60-day information collection request (ICR) notice in Friday’s Federal Register. This post will look at who ISCD expects facilities to screen via the PSP and who is not required to be vetted. The earlier post in the series is listed below.


Regulation Requires Screening

The notice explains that there are two broad groups of individuals that are covered by the Personnel Surety Program vetting requirements:

• Facility personnel who have access, either unescorted or otherwise, to restricted areas or critical assets, and
• Unescorted visitors who have access to restricted areas or critical assets.

In the earlier release of the PSP ICR there were numerous industry objections to the requirement that facility personnel who only have escorted access should be vetted through the PSP. The ISCD response then was that this definition comes straight out of the CFATS regulations {6 CFR 27.230(a)(12)} so the Department’s hands are tied; changing the requirement would entail a rule change which is outside the scope of an ICR.

Contractors and Vendors

The question also came up concerning how facilities should deal with contractors and vendors; are they ‘facility personnel’ or are they visitors?

The ISCD response to the earlier ICR submission was:

“Individual high-risk facilities may classify particular contractors or vendors, or categories of contractors or vendors, either as “facility personnel” or as “visitors.” This determination should be a facility-specific determination, and should be based on facility security, operational requirements, and business practices.”

How facilities deal with contractors and vendors will have to be addressed in the facility site security plan. The more complex the rules set up in the SSP for dealing with this issue the harder it is going to be to justify to ISCD during the SSP authorization and approval process.

Screening Not Required

During the previous ICR review process ISCD had to answer questions about how emergency response personnel and government inspectors would have to be dealt with in the PSP. Instead of waiting for the inevitable questions to arise, this ICR notice specifically addresses the situation. It broadly defines three classes of personnel that the facility will not need to vet through the PSP:

• Federal officials that gain unescorted access to restricted areas or critical assets as part of their official duties;
• State and local law enforcement officials that gain unescorted access to restricted areas or critical assets as part of their official duties; and
• Emergency responders at the state or local level that gain unescorted access to restricted areas or critical assets during emergency situations.

There is a major difference in the way that federal officials and State and local officials are treated in this rule. The wording for federal officials is not limited to law enforcement as are the State and local officials. Thus federal regulatory personnel could be allowed unescorted access while State and local regulatory officials would have to be escorted.

The notice acknowledges that there might be emergency or exigent circumstances that require allowing other classes of people unescorted access to the secure areas or critical areas of the facility without being able to go through the PSP vetting process. The Department notes that these situations should be addressed in the facility site security plan:

“If high-risk chemical facilities anticipate that any individuals will require access to restricted areas or critical assets without visitor escorts or without the background checks listed in RBPS 12 under exceptional circumstances, facilities may describe such situations and the types of individuals who might require access in those situations in their SSPs or ASPs. The Department will assess the appropriateness of such situations, and any security measures to mitigate the inherent vulnerability in such situations, on a case-by-case basis as it reviews each high-risk chemical facility's SSP or ASP.”

This could be used if there are State or local requirements for unannounced inspections of facilities by regulatory agencies or other State or local government regulations that require inspectors be allowed unaccompanied access to the facilities. Including these requirements in the facility SSP would allow ISCD the opportunity to make the decision as to whether or not their vetting rules pre-empted the State or local laws or regulations.

Sunday, March 24, 2013

Pentagon Updates Homeland Security Strategy


On Friday there was a brief article posted at NTI.org about the newest version of the DOD’s Strategy for Homeland Defense and Defense Support of Civil Authorities. This is a relatively short document that outlines in a broad sweep the roles and capabilities of the Department of Defense to support federal, state and local governments in homeland security and disaster response missions.

While I know that there are many people that have serious concerns about the physical capability of the military to project power in the domestic arena to support unpopular government actions or to cancel constitutionally guaranteed civil liberties, this document does not provide support for those extreme views. Rather it outlines how the military would be able to utilize its transportation, equipment and planning expertise to aid civilian agencies in responding to “the range of current and emerging threats to the homeland and natural and manmade hazards inside the United States” (pg 2, Adobe).

Domestic CBRN Incidents

I have long maintained in this blog that in the event of a large-scale release of toxic inhalation hazard (TIH) chemicals, either as the result of a terrorist attack or an industrial accident, the only agency that would be able to organize a sizeable response force capable of working in a chemically contaminated environment; conducting search, rescue and evacuation; doing preliminary decontamination work; and providing bed space and medical care for a large number of chemical casualties would be the US military.

This strategy document addresses this in Objective 2a: Maintain defense preparedness for domestic CBRN [Chemical, biological, radiological, or nuclear] incidents. It notes that DOD has made ‘significant capability investments’ to “respond to multiple, simultaneous attacks or incidents involving CBRN materials in the homeland” (pg 18, Adobe).

The document outlines the units that DOD had assigned to the CBRN response mission:

• 54 Weapons of Mass Destruction-Civil Support teams (WMD-CST) – National Guard;
• 17 CBRN Enhanced Response Force Packages (CERFP) – National Guard;
• 10 Homeland Response Forces (HRF) – National Guard;
• Defense CBRN Response Force (DCRF) – Reserve-Active.

The Strategy does not distinguish between the different types of CBRN materials that might be encountered in the homeland defense role. It does not make any specific mention of industrial chemical accidents or attacks against industrial chemical facilities in its discussion of CBRN incidents. Industrial chemical incidents are discussed later in the document where it mentions the “challenges associated with industrial accidents, environmental mishaps [emphasis added] violent extremists, transnational organized crime and malicious cyber actors” (pg 27, Adobe).

Disaster Response Planning

DOD participates in the FEMA disaster response planning process through the Defense Coordinating Elements assigned to each FEMA region. This allows DOD to bridge “the gap between State-level planning conducted at a National Guard’s Joint Force Headquarters (JFHQ)-State and DoD and DHS national-level planning” (pg 26, Adobe).

Additionally, the 10 National Guard HRF units, one in each FEMA region, are already providing critical regional planning activities across State lines. Their communications capabilities would provide essential coordination in the event that any follow-on Federal forces were needed for the response to a CBRN incident.

Need for Specific Industrial Response Planning

Unfortunately, there is nothing in this document that clearly identifies the realization by DOD that large chemical facilities pose a specific potential CBRN danger to large population centers and that the potential response requirements for incidents at these facilities would require specific planning requirements.

For instance, a large scale release of a TIH chemical like chlorine near a large population center could result in a very large number of casualties requiring specific breathing support equipment to survive. Early identification of where that equipment, and trained personnel to operate it, would come from and appropriate transportation planning for its movement would be critical to reducing the number of fatalities from such an incident.

Strategy vs Operations

This is an important look at the strategy involved in DOD reaction to homeland security missions. There is, however, a long way to go from strategy to actual operations. The military has a great deal of experience in making that transition, if they are provided the funding and prioritization necessary. Both of these are things that should be addressed by Congress in the next DOD authorization bill.

Coast Guard Publishes TWIC Reader NPRM


On Friday the Coast Guard published a notice of proposed rulemaking in the Federal Register (78 FR 17781-17833) regarding the requirements for the use of a TWIC Reader at MTSA covered vessels and facilities. Public comments on the NPRM are being solicited.

Risk-Based Deployment

The Coast Guard is taking a risk-based approach to targeting the required deployment of TWIC Readers. Coast Guard and TSA experts conducted a risk-based analysis of MTSA-regulated vessels and facilities to assess the risk of a transportation security incident (TSI). That analysis assessed three factors:

• Maximum consequences to that vessel or facility resulting from a terrorist attack;
• Criticality to the nation's health, economy, and national security; and
• Utility of the TWIC in reducing risk.

Based upon this risk analysis the Coast Guard developed three risk groups (Risk Group A, Risk Group B, and Risk Group C) that it would use to manage the requirements for deployment of TWIC Readers. In this NPRM the Coast Guard is only considering mandating TWIC Reader deployment to vessels and facilities falling under the criteria for Risk Group A. Future rulemakings may be used to expand that requirement.

Risk Group A

The Coast Guard has developed fairly simple operational definitions of what vessels and facilities fall into Risk Group A. For vessels this definition is based upon the hazardous nature of the cargo carried or the number of passengers carried. Similarly, for facilities the definition revolves around the nature of the hazardous materials (Certain Dangerous Cargo – CDC – 33 CFR 160.204) handled or the number of passengers accessing the facility.


• Vessels that carry CDC in bulk;
• Vessels certificated to carry more than 1,000 passengers; or
• Vessels towing one of the above.


• Facilities that handle CDC in bulk;
• Facilities that receive vessels certificated to carry more than 1,000 passengers; or
• Barge fleeting facilities that receive barges carrying CDC in bulk.

Use of TWIC Reader

Risk Group A vessels and facilities would be required to use TSA approved TWIC Readers to verify identity and to authenticate and validate the TWIC. For vessels this would be required upon boarding the vessel. For facilities it would be required before being granted unescorted access to secure areas.

Identity would be verified by comparing the individual’s fingerprint against one of the two fingerprint exemplars encoded in the TWIC. For facilities that are using a Physical Access Control System (PACS) that utilizes an alternative biometric identification (retina scan, for instance) “the TWIC would need to be read and the stored biometric identifier matched against the TWIC-holder's fingerprint at least once, when the individual's information is entered into the PACS” (78 FR 17792).

Card validation would be done by the TWIC Reader comparing the TWIC data against the Canceled Card List (CCL), thus requiring the TWIC Reader to periodically download the CCL. While at MARSEC level 1, this would need to be accomplished on a weekly basis. At MARSEC levels 2 and 3 daily updates would be required.
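The CCL freshness rule described above, as an added example that is not Coast Guard or TSA code: it shows how a list that is acceptable at MARSEC level 1 becomes stale the moment the level is raised. The card identifiers, reader names and timestamps are constructed, "weekly" and "daily" are read as 7 days and 24 hours, and refusing to validate against a stale list is this example's own policy choice, not something the NPRM summary states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Maximum CCL age per MARSEC level, read from the NPRM summary above:
# weekly at level 1, daily at levels 2 and 3.
MAX_CCL_AGE = {
    1: timedelta(days=7),
    2: timedelta(days=1),
    3: timedelta(days=1),
}


@dataclass(frozen=True)
class CanceledCardList:
    """A reader's local copy of the CCL (real CCL format not modeled)."""
    downloaded_at: datetime
    canceled_ids: frozenset


def ccl_is_stale(ccl, marsec_level, now):
    """True when the local CCL is older than the level allows.

    A download time in the future (clock error) is also treated as stale,
    because the age of the list cannot be trusted.
    """
    if marsec_level not in MAX_CCL_AGE:
        raise ValueError(f"unknown MARSEC level: {marsec_level!r}")
    age = now - ccl.downloaded_at
    return age < timedelta(0) or age > MAX_CCL_AGE[marsec_level]


def validate_card(card_id, ccl, marsec_level, now):
    """Return ALLOW, DENY_CANCELED or DENY_STALE_CCL for one card read."""
    stale = ccl_is_stale(ccl, marsec_level, now)
    # A card found on the list is canceled even if the list is old.
    if card_id in ccl.canceled_ids:
        return "DENY_CANCELED"
    # Assumption: fail closed, since absence from a stale list proves little.
    if stale:
        return "DENY_STALE_CCL"
    return "ALLOW"


def readers_needing_refresh(reader_ccls, marsec_level, now):
    """Names of readers whose CCL must be downloaded again at this level."""
    return sorted(
        name for name, ccl in reader_ccls.items()
        if ccl_is_stale(ccl, marsec_level, now)
    )


# Constructed sample data (hypothetical card IDs and reader names).
NOW = datetime(2013, 3, 31, 12, 0)
CCL_3_DAYS_OLD = CanceledCardList(datetime(2013, 3, 28, 12, 0),
                                  frozenset({"CARD-0002"}))
READERS = {
    "gate-a": CCL_3_DAYS_OLD,
    "gate-b": CanceledCardList(datetime(2013, 3, 31, 6, 0),
                               frozenset({"CARD-0002"})),
    "pier-1": CanceledCardList(datetime(2013, 3, 23, 12, 0), frozenset()),
}

if __name__ == "__main__":
    for level in (1, 2):
        print("MARSEC", level,
              "CARD-0001:", validate_card("CARD-0001", CCL_3_DAYS_OLD, level, NOW),
              "| refresh:", readers_needing_refresh(READERS, level, NOW))
```

A reader that only downloads on a fixed weekly timer would pass at level 1 and fail at level 2, so the download schedule needs to react to a MARSEC change rather than wait for its next interval.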

Public Comments

The Coast Guard is planning on holding at least one public meeting on this NPRM, but a date and location have yet to be determined. An announcement of the meeting will be published in the Federal Register.

The Coast Guard is soliciting public comments on the NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2007-28915). Comments should be submitted by May 21st, 2013.

Saturday, March 23, 2013

Bills Introduced – 03-22-13


While the House had already left town for their Easter Recess, the Senate was still at work on their budget bill. They also had time to submit a number of new bills including just one that will probably be of interest to the cybersecurity community:

S 658 Latest Title: A bill to amend titles 10 and 32, United States Code, to enhance capabilities to prepare for and respond to cyber emergencies, and for other purposes. Sponsor: Sen Gillibrand, Kirsten E. (D,NY)

As with any other type of security, one must assume that cybersecurity protections for critical infrastructure are, at some point, going to fail. One would like to think that cyber emergency response procedures are in place before that happens. Maybe this bill will help to ensure that; we’ll have to see the bill to see if that may be the intention here.

CFATS PSP – Data Submission Options


This is the second in a series of blog posts about the CFATS Personnel Surety Program that was described in a 60-day information collection request (ICR) notice in Friday’s Federal Register. This post will look at the data submission options for vetting personnel against the Terrorist Screening Database (TSDB). The earlier post in the series is listed below.


The PSP Requirement

The CFATS program regulations require facilities to establish a personnel surety program (PSP) vetting process {6 CFR 27.230(a)(12)}. That program is required to perform four types of background checks on “facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or critical assets”. Those required checks are:

• Measures designed to verify and validate identity;
• Measures designed to check criminal history;
• Measures designed to verify and validate legal authorization to work; and
• Measures designed to identify people with terrorist ties.

Facility management has a wide degree of latitude in establishing the methodology for conducting the first three types of checks. The last measure “is an inherently governmental function and necessarily requires the use of information held in government-maintained databases that are unavailable to high-risk chemical facilities” (FR 17681). It is this vetting requirement that is addressed in this ICR notice.

Data Submission

The DHS Infrastructure Security Compliance Division (ISCD) has plans to introduce a new data collection application in the Chemical Security Assessment Tool (CSAT) to allow facility security managers or their designees to submit information to ISCD to complete the vetting process. This ICR, if/when approved by the Office of Management and Budget (OMB), serves as the approval of that application to collect the required information.

DHS outlines in this notice three different options that facilities will have for conducting the vetting of personnel against the government’s TSDB. Facilities will be able to use almost any combination of the three options in the establishment of their PSP that will be outlined in the facility site security plan.

The three options are:

• Option One - Direct Vetting
• Option Two - Use of Vetting Conducted Under Other DHS Programs
• Option Three - Electronic Verification of TWIC

Option One

Option One requires the most comprehensive submission of information to ISCD via the PSP application. The following information would be required for each individual vetted under Option One:

• For U.S. Persons (U.S. citizens and nationals as well as U.S. lawful permanent residents):
  • Full Name
  • Date of Birth
  • Citizenship or Gender
• For Non-U.S. Persons:
  • Full Name
  • Date of Birth
  • Citizenship
  • Passport information and/or alien registration number

Interestingly, there is no requirement to supply biometric information (fingerprints, for instance) to verify the identity of the individual. Apparently ISCD believes that the identity verification that the facility is already required to perform under other provisions of its PSP will ensure that the information required above is adequate to the task of vetting against the TSDB.

The PSP CSAT application will also allow the submission of the following information under Option One to help avoid misidentification of individuals:

• Aliases
• Gender (for Non-U.S. Persons)
• Place of Birth
• Redress Number

TSA has a program to allow people who believe that they have been improperly identified as having potential terrorist ties to have a more thorough investigation completed to correct the record. The ‘Redress Number’ provides a reference to that investigation to ensure that the same mistaken identification is not made again. This ‘Redress Number’ is probably the only item of information that the high-risk chemical facility is not already collecting in support of its personnel surety program.

Option Two

There are already a number of DHS programs that vet various people against the TSDB. Those programs include:

• Transportation Worker Identification Credential (TWIC) Program;
• Hazardous Materials Endorsement (HME) Program;
• NEXUS;
• Free and Secure Trade (FAST); and


If individuals have already been vetted under one of these programs, DHS does not need to complete the same level of investigation to ensure that they are not listed on the TSDB. All ISCD needs to do is verify that the previous vetting is still current and valid. To do that, the following information would need to be submitted via the PSP application:

• Full Name;
• Date of Birth; and
• Program-specific information or credential information, such as unique number, or issuing entity (e.g., State for Commercial Driver's License (CDL) associated with an HME).

Again, there would be provisions for submitting additional information to help to avoid misidentification of personnel. For Option 2 these include:

• Aliases
• Gender
• Place of Birth
• Citizenship

Option Three

When the original PSP ICR was submitted a couple of years ago, one of the main industry complaints was having to submit information on personnel that had a TWIC. At the time ISCD maintained that they needed to collect the information to ensure that the TWIC was still valid. While this is still the justification for the use of Option 2, the availability of TWIC readers that have been validated by TSA provides a new alternative.

Option 3 would allow a “high-risk chemical facility (or others acting on their behalf) electronically verify and validate the affected individuals' TWICs through the use of TWIC readers (or other technology that is periodically updated using the Canceled Card List)”. It is not clear from the description in the notice whether this would require daily presentation of the card at the facility or whether it could be accomplished on a less frequent basis as a personnel action.

Option Four

While there is no official Option Four the notice does mention some ways that the high-risk chemical facility can limit the number of people that have to be vetted under the PSP. This discussion in the notice does not specifically state that it applies only to visitors (and perhaps contractors) since all facility employees are required by the CFATS regulations {6 CFR 27.230(a)(12)} to be vetted, whether or not they have unescorted access to restricted or sensitive areas of the high-risk facility.

The options outlined in the notice include:

• Restricting the numbers and types of persons whom they allow to access their restricted areas and critical assets, thus limiting the number of persons who will need to be checked for terrorist ties;
• Defining the restricted areas and critical assets in the SSPs or ASPs, thus potentially limiting the number of persons who will need to be checked for terrorist ties; or
• Choosing to escort visitors to restricted areas and critical assets in lieu of performing the background checks required by RBPS 12.

Combining Options

There is nothing in the notice that would even appear to suggest that a high-risk chemical facility is limited to just one of the options in establishing the terrorist link vetting portion of their PSP. In fact there are a number of areas where it is suggested that different classes of employees or visitors may be better covered by different options.

All a facility has to do in their site security plan (or alternative site security plan) is to outline how they will determine which class of employees will be addressed by each of the three options provided by the ISCD program. It will also have to address how it will ensure that all employees, and the contractors and visitors with unescorted access to restricted or sensitive areas are vetted through at least one of the options provided.

NOTE: I have taken the liberty of lumping ‘contractors’ with visitors in the above statement. The CFATS regulations do not specify how contractors will be treated in the vetting process. An argument could certainly be made that at many high-risk chemical facilities contractors are essentially employees since they will be working at the facility on a daily basis for long periods of time. Legalistically, however, a contractor is not an employee of the facility. The distinction should be clearly made in the facility site security plan to avoid possible repercussions down the line.
 