Tuesday, April 30, 2013

ICS-CERT Publishing Old Updates

NOTE: As of 5-3-13, 19:30 CDT the issues identified in this post with this update have been resolved. The link now takes one to the September 27th, 2012 version updated to the new HTML format.

Yesterday I was kind of surprised when ICS-CERT published an update to the Ruggedcom Advisory that was news before the original advisory was published. Today, I am more than surprised; I am more than a little concerned because ICS-CERT re-published as new an update to the SHAMOON JSAR that was originally published last September.

Now this could just be a problem of updating all of the old .PDF alerts to the new .HTML model, but today’s publication certainly claims that the date for the –A update is April 30th, 2013 not September 27th, 2012.

Now there was a second update to this advisory published last October. As I noted in that earlier blog post the second update was not that impressive, but it did provide some new information. That information is not included in today’s “update”.

Now the links to the ICS-CERT publications in the previous blog posts about the updates are no longer particularly useful. The first update (-A) link now takes you to today’s version of the update (virtually the same as the original outside of some formatting changes and the ‘wrong’ change date). The second update (-B) link now takes you to the original version of the JSAR (again in the new HTML format) with a bogus ‘original release date’ of October 16th, 2012.

I understand that it is easy to make inadvertent changes to documents when you fool with reformatting the documents. This is why historical records do not typically get reformatted; there is no need to put their information integrity at risk.

BTW ICS-CERT: If you need copies of the original .PDF files to correct the historical record, let me know. I have copies of most of the alerts and advisories back to June of 2010. I’ll be happy to ship them to you on a thumb drive….. ;-)

NIST Announces Meeting of ISPA Board 6-12-13

Today the National Institute of Standards and Technology (NIST) published a public meeting notice in the Federal Register (78 FR 25254-25255) of the Information Security and Privacy Advisory Board. The three day meeting will begin on June 12th in Washington, D.C.


The Board will address issues related to the President’s recent cybersecurity executive order (EO 13636) including:

Executive Order 13636, Improving Critical Infrastructure Cybersecurity;
• Development of New Cybersecurity Framework;
• Request for Information (RFI)—Developing a Framework to Improve Critical Infrastructure Cybersecurity (78 FR 13024, February 26, 2013);
• Notice of Inquiry (NOI)—Incentives to Adopt Improved Cybersecurity Practices (78 FR 18954, March 28, 2013),

Additional items on the agenda include:

• DHS Information Sharing Update;
• DHS - investigative discussion on reducing required reporting;
• US-CERT changing reporting categories; and
• Update of NIST Computer Security Division.

Public Participation

There will be a 30-minute period for public comments (limited to 5 minutes each on a first-come, first-serve basis) on Friday morning. Written comments from the public may also be submitted via snail mail (and this is NIST?) to:

ISPAB Secretariat
Information Technology Laboratory
100 Bureau Drive, Stop 8930
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

Monday, April 29, 2013

ICS-CERT Updates Ruggedcom Advisory

Earlier today the DHS ICS-CERT published an updated version of their advisory from December that reported mitigations in response to the original ICS-CERT alert from August and an update of that alert in September. If that seems confusing, try this; today’s update notes that “ROS Update V3.12 has been produced to mitigate these issues” but the Ruggedcom web site reports that V3.12 became available on December 7th, 2012; eleven days before the original advisory was published. It looks like this update should have been included in the original advisory.

BTW: There is still no word on a more permanent fix for the HTTPS/SSL service beyond disabling the service that is still being reported in this updated advisory.

BTW Again: There is no mention in this updated advisory that Justin Clarke, the researcher who reported the vulnerability in the first place, has had a chance to review the V3.12 update to verify that it mitigates the reported vulnerabilities.

Comments for TWIC Reader NPRM – 4-27-13

This is part of a continuing series of blog posts on the public comments filed in the previous week for the Coast Guard’s TWIC Reader NPRM. The previous posts in the series are listed below.

Half-way through the 60-day comment period on this notice of proposed rulemaking and the Coast Guard has received its first corporate comments. The four comments received in the last week were from:

The comments from the Lake Carriers’ Association were generally positive, supporting the failure to require TWIC readers for Risk Group B and C vessels and facilities. The American Institute of Architects comment was a copy of a slide presentation about TWIC Readers used in a continuing education course. The IBIA comments included a suggestion that the Coast Guard should expand the TWIC Reader requirement to include Risk Group B vessels and facilities. The Passenger Vessel Association comment objected to the use of the TWIC as an access control tool (instead of just a proof of vetting document) and suggested that the recurring access provisions include in the ANPRM should be restored, particularly for passenger vessels and terminals.

The IBIA comments were actually a copy of the prepared remarks that they presented at the TWIC Reader Meeting in Arlington, VA on April 18th. Unfortunately, the Coast Guard has yet to publish the transcripts of the comments from that meeting or the Houston, TX meeting on April 25th (okay, I’ll give them that that was just last week).

I expect that we will be seeing more corporate comments like these as we approach the end of the comment period on May 21st.

CFATS PSP Comments – 04-27-13

This is part of a continuing series of blog posts on the public comments submitted about the DHS 60-day ICR notice for the CFATS Personnel Surety Program (PSP). The other post in the series is:

We are more than half way through the comment period on this ICR notice and we only added one comment in the last week bringing the total to three. I am surprised that there have been no comments to date from any chemical companies, though I do expect that will change as we get closer to the May 21st deadline for comments. We do have our first corporate comment this week, however, from AGL Resources, a natural gas distribution company.

AGL has three specific suggestions for improving the PSP dealing with:

• Vendor PSP certification;
• Bulk data submissions to the PSP; and
• Exemption from PII data sharing rules.

The issue of dealing with vetting vendor employees will be the area that will give high-risk chemical facilities the most problem with the PSP. While facility security managers are certainly going want to restrict vendor access to critical areas of the facility to the largest extent possible, there is still going to be some unaccompanied access required for selected vendors.

I don’t expect ISCD to get too specific about how this should be handled; the §550 rule about specifying security measures hangs heavy over their heads. Generally speaking, I would expect them to address this issue in the ICR by stating that each facility will have to address the issue in their site security plans which will be reviewed on an individual basis.

I really believe that the most effective way to handle this issue for most facilities is that they would require such vendors to have a TWIC that would be verified by a TWIC reader at some centralized location (security company most likely) and then checked against an approved list at the facility entrance. Larger facilities would be able to afford a TWIC reader at the gate.

Which brings up an interesting question; how long before we have a Tablet Application that scans IDs and compares them to a facility access list?

Sunday, April 28, 2013

Reader Comment – 04-28-13 – West Fertilizer and EPA General Duty Clause

It has been some time since Fred Millar has graced this blog with comments on a chemical safety issue, but today he returned with a comment on one of my recent posts about the West Fertilizer explosion. Fred’s comment was not about anything that I said in the particular post, rather it is a call to action to the US Environmental Protection Agency (EPA) to take action in the case under the General Duty Clause (GDC) of the Clean Air Act {42 USC 7412(r)}.

I suggest that readers take time to read and consider Fred’s cogent arguments favoring the application of GDC in this case. This certainly comes closer to the intent of the law than does using the GDC to mandate the application of inherently safer technology to chemical facility security requirements for high-risk chemical facilities. It comes closer, but it still doesn’t quite get there.

Extremely Hazardous Substance

Fred explains the GDC this way:

The Clean Air Act's General Duty Clause says "the owners and operators of stationary sources [facilities] (sic) producing, processing, handling or storing [any extremely hazardous substance] (sic) have a general duty to identify hazards which may result from releases [including fire, explosion, toxic gas cloud] (sic) using appropriate hazard assessment techniques, to design and maintain a safe facility taking such steps as are necessary to prevent releases, and to minimize the consequences of accidental releases which do occur." 

What the GDC actually says is:

The owners and operators of stationary sources producing, processing, handling or storing such substances have a general duty in the same manner and to the same extent as section 654 of title 29 to identify hazards which may result from such releases using appropriate hazard assessment techniques, to design and maintain a safe facility taking such steps as are necessary to prevent releases, and to minimize the consequences of accidental releases which do occur.

The phrase ‘such substances’ refers to the preceding sentence in the paragraph that reads:

It shall be the objective of the regulations and programs authorized under this subsection to prevent the accidental release and to minimize the consequences of any such release of any substance listed pursuant to paragraph (3) or any other extremely hazardous substance.

Fertilizer grade ammonium nitrate is not one of the listed chemicals nor is it generally recognized as an ‘extremely hazardous substance’ in any regulation or statute that I can find. In fact, DOT regulations classify fertilizer grade ammonium nitrate as an oxidizer (UN 2067, 5.1) in packing group III; the least hazardous level that is still regulated by the hazardous material regulations.

If it is such a low hazard, how did such a large explosion result? The specific answer to that in this instance is still under investigation by OSHA, the ATF and the Chemical Safety Board. I expect that the final report by the CSB will be enlightening and more than a little scary for other communities that contain large ammonium nitrate storage facilities. But, we do know that ammonium nitrate is hard to ignite but it will burn. If the burning ammonium nitrate is confined in some way (by a collapsing storage building for instance) there is a possibility that an explosion could result.


Another problem with Fred’s assessment revolves around the GDC’s use of the term ‘releases’. There is no specific definition of ‘releases’ in §7412, but the GDC does define ‘accidental releases’ as “an unanticipated emission of a regulated substance or other extremely hazardous substance into the ambient air from a stationary source” §7412(r)(2)(A). Thus it hardly seems possible that there was a ‘covered’ release of ammonium nitrate involved in the West Fertilizer explosion even if fertilizer grade ammonium nitrate were specifically covered under the GDC.

Who Could Have Covered West Fertilizer?

If the EPA’s GDC did not apply to the West Fertilizer Facility, does that mean that no agency was responsible for the regulation of the handling of ammonium nitrate at the facility? While there are no specific safety regulations pertaining to the handling of fertilizer grade ammonium nitrate, the Occupational Health and Safety Administration’s (OSHA) General Duty Clause (GDC; 29 USC §654) appears to be a much closer fit than does the EPA’s GDC. The OSHA GDC states that each employer “shall furnish to each of his employees employment and a place of employment which are free from recognized hazards that are causing or are likely to cause death or serious physical harm to his employees” {§654(a)(1)}.

That phrases ‘recognized hazards’ and ‘are likely to cause’ will provide lots of room for lawyers to argue that the West Fertilizer situation does not really come under the coverage of the OSHA GDC.  There may be case law on the books that covers this type situation, but I suspect that any OSHA action under the GDC in this particular case will spend a number of years wending its way through the judicial system.

Who Should Have Covered the West Fertilizer Situation?

In my not so humble opinion it probably should have been OSHA that had regulations on the books that would have covered the safe storage of fertilizer grade ammonium nitrate. The catastrophic potential is clearly understood even if it is not even a remotely common occurrence. But ammonium nitrate fertilizer is an agricultural commodity. As such is falls under the protection of arguably the most powerful lobby in the United States (NO, not the NRA); the agriculture lobby.

Unfortunately neither OSHA nor the EPA is likely to take on the Ag Lobby to regulate the safe storage and handling of fertilizer grade ammonium nitrate. Unless we see a rash of such explosions across rural America, or someone determines that the cause was something other than an accident, I doubt that we will see any change in the way that ammonium nitrate fertilizer is stored in these small retail distribution centers.

Comments on Incentives to Adopt Improved Cybersecurity Practices – 04-27-13

This is part of a continuing series of blog posts looking at the responses to a joint request for information (RFI) from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST) to support their development of incentives to adopt the improved cybersecurity practices being developed by the NIST as part of the Cybersecurity Framework mandated by the President’s executive order on cybersecurity (EO 13636). The previous posts in the series are listed below.

With Monday being the deadline for filing comments on the RFI there are only four new comments posted on the NTIA site. The comments are from:

Cybersecurity Insurance

The comments from both DCS Corp and Romanosky address the issue of using insurance as part of the incentives package. Romanosky provides a detailed discussion of both the theoretical basis for cybersecurity insurance and how it could be used to incentivize increased cybersecurity protections. The DCS Corp comments focus on how meeting the standards of the Cybersecurity Framework could lessen the cost of such insurance. The Honeywell comments also briefly favorably address using cybersecurity insurance as tool to encourage voluntary framework compliance.

Utility Compliance

The comments from Utilities Telecom Council, not unexpectedly, focus on cybersecurity incentives from a utility perspective. It includes a brief discussion of tax incentives that could be applied to the situation. More importantly, though, it makes the case for centralizing and combining cybersecurity regulations to reduce the regulatory burden of trying to comply with multiple regulatory agencies.

Framework then Incentives

 The Honeywell comments make another important point; it is difficult to talk about incentives to implement the Cybersecurity Framework without knowing what requirements may be included in the Framework. The comments then go on to reiterate comments that we have been hearing associated with CISPA; corporations need immunity from civil suits for sharing cybersecurity information with the government and acting in good faith on government supplied threat information, as well as immunity from anti-trust actions for cooperating and coordinating cybersecurity activities with other companies.

One Day Left

With only a single day left for submitting timely comments, it will be interesting to see how many additional comments will be submitted. So far, there has been no discussion about incentives for control system security incentives for either owner/operators or system vendors. It has been an extremely abbreviated comment period, but that was necessitated by the short time frame the President set forth in the cybersecurity EO.

Saturday, April 27, 2013

ICS-CERT Publishes Two Friday Advisories

On Friday afternoon the DHS ICS-CERT published two advisories for multiple vulnerabilities on MatrikonOPC and a single vulnerability on Galil RIO-47100. Both advisories were based upon coordinated disclosures.

NOTE: Along with a recent change in the ICS-CERT web site format, ICS-CERT has changed their Advisories (and presumably Alerts) from .PDF pages to .HTML pages. They may still be saved as .PDF files, but this should remove some of the complaints heard about ICS-CERT using an ‘inherently vulnerable’ .PDF format for their reports. I’ve even heard some really paranoid individuals complain that ICS-CERT was using the .PDF reports to spread spyware.

MatrikonOPC Advisory

ICS-CERT reports that two vulnerabilities [Link added 4-28-13 07:05 CDT] were reported by Dillon Beresford of Cimation. The vulnerabilities are:

• Path traversal, CVE-2013-0673; and
• Error handling, CVE-2013-0666

(NOTE: CVE links will not be active for a couple of days) [4-28-13 07:05 CDT]

ICS-CERT notes that a relatively low skilled attacker could remotely exploit these vulnerabilities to gain access to system files or crash the configuration utility. They also note that the system must be accessible via the internet for the remote exploitation to be possible.

MatrikonOPC has produced patches that have been verified by Dillon to mitigate the vulnerabilities. The link to the patch page in the advisory does not work [NOTE: As of 04:00 CDT 4-29-13, this has been corrected]. Use this link (http://www.opcsupport.com/ics/support/default.asp?deptID=4590) to the product advisory page instead. Click on the appropriate product and use the instructions on the product page to download the patch.

Galil Advisory

ICS-CERT reports an input validation vulnerability [link added 4-28-13 07:05 CDT] in the Galil RIO-47100 PLC that was reported by Jon Christmas of Solera Networks.

ICS-CERT notes that a moderately skilled attacker could remotely exploit this vulnerability to execute a DoS attack.

A firmware update is available at http://www.galilmc.com/support/firmware-downloads.php and Christmas confirms that it resolves the identified vulnerability. The link in the advisory is good, but it takes you through a ‘You are leaving ICS-CERT’ page which I have always found to be annoying and more than a little mindless. Interestingly the Firmware Release Notes page also explains that the latest release fixes a buffer overflow issue not mentioned in the ICS-CERT advisory.

New Format

As I mentioned earlier, ICS-CERT has changed the format for their Advisories and Alerts. They have gone back and updated earlier alerts (at least through the Clorius Controls Alert from April 1st. Along with changing from a .PDF to .HTML file format, they have significantly modified the typography and slightly modified the lay out. In my opinion (FWIW) the changes have detracted from the readability of the documents. This is especially true when the document is saved in a .PDF format.

The change in format also removes two fixtures of the reports. The recently added ‘Traffic Light Protocol’ (TLP) markings have been removed from the documents; a good move in my opinion. The product warranty box at the bottom of the first page of the old format has also been removed. This was one of those legal disclaimer things that we are seeing in too many areas of our public lives and the world would be a better place without them.

Bills Introduced – 4-26-13

With only the House in session yesterday there was only a single bill introduced that might be of specific interest to the chemical security and emergency response communities. That bill was

HR 1791 Latest Title: To amend the Homeland Security Act of 2002 to codify authority under existing grant guidance authorizing use of Urban Area Security Initiative and State Homeland Security Grant Program funding for enhancing medical preparedness, medical surge capacity, and mass prophylaxis capabilities. Sponsor: Rep Bilirakis, Gus M. (R,FL)

BTW: The House and Senate will be working in their Home districts next week, not Washington. Yes, keeping in touch with the voters and their supporters checkbooks is an important part of their legislative duties.

Friday, April 26, 2013

DHS Updates Chemical Security Web Page

This afternoon the folks at DHS Infrastructure Security Compliance Division (ISCD) updated the Critical Infrastructure – Chemical Security web page. The old page had a link to information on reporting security concerns. The new page has the following contact information right on the page:

• CFATS Chemical Facility Security Tip Line: 877-394-4347
• National Infrastructure Coordinating Center (NICC): 202-282-9201

Calls to the Tip Line should “involve the CFATS regulation at your facility or another facility”. In light of the recent news about the failure of the West Fertilizer facility to file a Top Screen, one would expect that failure of a facility to complete a Top Screen would be something that ISCD would like to hear about.

The DHS NICC should be contacted if “a potential security incident has already occurred”. Security emergencies or in progress terrorist attacks should be reported to 911 or your local FBI field office.

The only other changes on the pager are some minor changes to the wording describing the Ammonium Nitrate Security Program that makes it clearer that the program is still under development.

Bills Introduced – 4-25-13

Yesterday saw the introduction of just one bill in the Senate that might be expected to be of specific interest to the chemical security community. That bill was:

S 814 Latest Title: A bill to provide stronger penalties for violations of the Chemical Facility Anti-Terrorism Standards. Sponsor: Sen Lautenberg, Frank R. (D,NJ) 

While a copy of the bill is not yet available a press release by Lautenberg’s office notes that the bill would establish additional civil penalties and add criminal penalties for facilities and their officers that fail to file a Top Screen report when they have inventories of DHS chemicals of interest (COI) at or above the screening threshold quantities (STQ) established in the CFATS regulations.

The press release makes it clear that this bill was introduced in response to the news that the West Fertilizer facility that exploded last week had not filed a Top Screen for either the anhydrous ammonia or ammonium nitrate stored at the facility.

Thursday, April 25, 2013

S 763 Introduced – Underground Storage Facilities

As I noted last week, Sen. Roberts (R,KS) introduced S 763, the Underground Gas Storage Facility Safety Act of 2013. This bill establishes limited State authority to establish and enforce regulations concerning the safe construction and operation of underground reservoirs for the storage of gas or hazardous liquids.


Section 2 of the bill amends the definitions found in 49 USC 60101(a). First it re-orders subparagraphs 20 thru 25 so that the terms are in standard alphabetical order. It then adds definitions for the following new terms:

• Underground gas storage wellbore; and
• Underground hazardous liquid storage wellbore.

State Authority

Section 3 amends 49 USC 60104(c) dealing with preemption. It rewrites paragraph (c) into three sub-paragraphs and adds 49 USC 60104(c)(3)(B) that specifically allows a State authority to “enforce a State requirement for the safe construction and operation of underground gas storage wellbores and underground hazardous liquid storage wellbores” under two conditions. The first condition is if the Federal Energy Regulatory Commission (FERC) specifically approves the requirement. The second condition is if FERC fails to act on a State petition for approval of a requirement within 30 days of the request being submitted.

Moving Forward

This is a new piece of legislation without a history in either the Senate or House. This makes it difficult to predict what actions will be taken in either body. The bill has been referred to the Commerce Science and Transportation Committee for consideration, but neither Roberts nor his co-sponsor Sen. Moran (R,KS), serve on that Committee so it will be difficult for them to convince Chairman Rockefeller (D,WV) to schedule the required hearings to move the bill forward.

TSA Publishes Final Rule on STA Fees

Today the Transportation Security Administration (TSA) published a final rule in the Federal Register (78 FR 24353-24360) removing from the Code of Federal Regulations (CFR) the specific amount of fees collected for the processing of security threat assessments (STA) for both the Transportation Worker Identification Credential (TWIC) and the Hazardous Material Endorsement (HME) for the State administered Commercial Driver’s License (CDL) program. This change will make it easier for the TSA to adjust the fee to cover actual program costs as required by 6 USC 469.

The final rule amends 49 CFR §1572.403, §1572.405(a) and §1572.501(b) to “to remove references to specific fee amounts, continue to use the existing fees to support the programs, and publish as a Notice any revisions to fee schedules in the Federal Register”. No changes were made in the adoption of this final rule from the notice of proposed rulemaking from June 2012.

This rule has an effective date of May 28th, 2013. 

Wednesday, April 24, 2013

HR 1584 Introduced – Counterterrorism Training

As I noted in an earlier blog post Rep. Clarke (D,NY) introduced HR 1584, the Empowering Local Partners to Prevent Terrorism Act of 2013. The bill would limit the availability of homeland security grant funds to pay for “any training, programs, presentations, and speakers regarding counterterrorism that includes information about violent extremism, homegrown violent extremism, or domestic violent extremism that is acquired from an entity other than the Department” {6 USC §344m (the bill actually calls this §899M added to the 2002 Homeland Security Act but it will be §344m in the USC when it is published)}.

Section 344k of the bill would require DHS to “develop guidance, outreach, training, and programs in furtherance of national counterterrorism policy” {§344k(a)}. Within one year of the passage of this bill the Department will be required to “develop and distribute to State, local, and tribal authorities courses and materials that comply with the ‘Grant Programs Directorate Information Bulletin No. 373’ [link added] or successor bulletin for integration into the curricula for recruits and recurrent training for experienced law enforcement officers” {§344k(b)}.

Any counterterrorism training about violent extremism, homegrown violent extremism, or domestic violent extremism to be funded by homeland security grants under 6 USC §604 and §605 that uses materials other than those describe above will have to be pre-approved by the “Chief Privacy Officer and the Office for Civil Rights and Civil Liberties” {§344m}.

Section 344n would require the Department IG to be responsible for overseeing this program. An oversight program would be established to regularly review “expenditures of homeland security grant programs by State, local, and tribal authorities on training, programs, presentations, and speakers that are not acquired through the Secretary. The IG would be required to evaluate “whether such expenditure is consistent with constitutional civil rights and civil liberties, including prohibiting racial, ethnic, and religious profiling” {§344m(a)(2)}.

Surprisingly there are no provisions included in the bill that would specifically require the DHS IG to submit reports to Congress on the efficacy of the program.

Because of its focus on preventing “racial, ethnic, and religious profiling”, I would be very surprised if this bill is ever marked up in the House Homeland Security Committee where it was referred. The bill certainly would not be able to pass in a vote on the floor of the House in the current session for the same reason.

FCC Publishes FirstNet NPRM

Today the Federal Communications Commission published a notice of proposed rulemaking (NPRM) in the Federal Register (78 FR 24138-24147) to “implement provisions of the Middle Class Tax Relief and Job Creation Act of 2012 (Public Safety Spectrum Act) governing deployment of a nationwide public safety broadband network in the 700 MHz band under a nationwide license issued to the First Responder Network Authority (FirstNet)”.

• Technical service rules for the new public safety broadband network to be established pursuant to the Public Safety Spectrum Act;
• The Commission's statutory responsibilities as they relate to oversight of FirstNet; and
• The different classes of incumbents now occupying portions of the spectrum licensed to FirstNet.

The FCC is soliciting public comment on this NPRM. Comments need to be submitted by May 24th, 2013 and replies to submitted comments need to be submitted by June 10th. There is nothing in the NPRM that tells how the comments/replies are to be submitted beyond giving an email address for the point of contact Gene Fullano (genaro.fullano@fcc.gov). Nor is there any mention of where the public can see the submitted comments in order to prepare replies to those comments.

I have not covered much about the FCC’s work over the years, but I have to say that this is the worst written, least informative NPRM that I have ever reviewed. There are extensive changes proposed to 47 CFR parts 1, 2, 27 and 90, but nowhere is there a coherent description of what those changes entail or what the FCC is specifically attempting to do with those changes.  

Bills Introduced – 4-24-13

Yesterday there was just one bill introduced in Congress that would probably be of interest to the chemical security community. It was:

S 792 Latest Title: A bill to strengthen the enforcement of background checks with respect to the use of explosive materials. Sponsor: Sen Lautenberg, Frank R. (D,NJ)

The ATF already does background checks on people that it licenses to handle explosives so it will be interesting to see what Sen. Lautenberg is proposing to add to the mix.

Tuesday, April 23, 2013

HR 1583 Introduced – TSDB Redress Procedures

As I noted earlier, Rep. Clarke (D,NY) introduced HR 1583, the  Fair, Accurate, Secure, and Timely (FAST) Redress Act of 2013. This bill would provide procedures for the appeal and redress for being wrongfully identified as a terrorist threat because of listing on a terrorist watch list. This bill is virtually identical to HR 1007 that was introduced early in the 112th Session and I’ve discussed the provisions in some detail in the link above.

Passenger Screening

The bill adds §469b to 6 USC  Subchapter VII, Part H (again the bill uses the standard convention of adding §890A to the 2002 Homeland Security Act, but I find that convention to be confusing and difficult to track). The bill specifically applies to “individuals who believe they were wrongly delayed or prohibited from boarding a commercial aircraft” but has a vaguely worded coverage that applies to anyone who was “denied a right, benefit, or privilege by the Department” {§469b(a)} when they were inappropriately identified as being on the Terrorist Screening Database (TSDB) list.

The bill also repeals 49 USC §44926 {§2(d)} which currently requires similar procedures to be developed. The requirements for the various TSDB vetting programs run by the TSA are scattered all over the USC and CFR, so consolidating them in one location makes a certain amount of sense. Making the changes piecemeal, however, will just add to the confusion.

Other TSA Security Threat Assessments

As I said according to the ‘General’ provisions of the bill the proposal would seem to apply to other TSA administered threat assessment programs, but the procedures outlined would not be practical for either the Transportation Workers Identification Credential (TWIC) or the Hazardous Material Endorsement (HME) for the State administered commercial driver’s license (CDL) program. Those programs already have a redress process outlined in 49 CFR 1515.5(b) that applies to being misidentified as being on the TSDB, but that procedure is not required by law. It would be helpful if the current bill would provide a legal requirement for that procedure.


The current proposal for the CFATS personnel surety program will require the TSA to conduct the TSDB check for that program. Neither the procedure outlined in this bill nor the §1515.5(b) process will be applicable to that program. That is because the folks at ISCD do not currently plan to deny anyone access to high-risk chemical facilities based upon their appearance on the TSDB. Instead they vaguely plan on initiating a criminal/security investigation of the individual. Presumably, if there is no criminal conduct noted there will be no adverse consequence to be appealed. Of course that completely discounts the possibility of an inappropriately identified individual being prematurely arrested and then released when not convicted by a court of law.

Moving Forward

This bill was introduced about this point in the 112th Congress and never saw any discussion in committee, much less making it to a committee mark-up or floor vote. Since there is already a redress process in place (regardless of its adequacy or lack thereof) it is unlikely that this bill will be considered in committee; Congress usually works on an ‘if it ain’t broke don’t fix it policy’.

PHMSA Publishes Pipeline Safety ICR Change Notice

Today the Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice in the Federal Register (78 FR 23972-23974) that they intend to submit to the Office of
Management and Budget (OMB) a change to the current information collection request (ICR) supporting their hazardous liquid pipeline accident reporting program. The ICR revision would also incorporate the current ICR on the incorporation by reference of the infantry standard on leak detection.

The changes to the current ICR would reflect proposed changes to the PHMSA form F 7000-1 Accident Report—Hazardous Liquid Pipeline Systems. The change would require additional fields on the form to be completed for releases of “at least 5 gallons but is less than 5 barrels with no additional consequences” where property damage is less than $50,000 and there are not deaths or injuries involved. Based upon recent history, PHMSA estimates that this would affect almost half of the submitted accident reports.

Small Spill Changes

The form revision would require completion of the following areas on the form that are currently not required for these small spills:

• Part C—pipe characteristics and specification;
• Part D—consequence information;
• Part E—operating information;
• Part F—drug and alcohol testing information; and
• Part G—details of the cause

PHMSA estimates that the change would double the time (from five hours to ten) it takes to fill out the accident report on the approximately 200 accidents per year that are currently exempted from providing this additional data.

Form Instruction Changes

Additionally, PHMSA is proposing changes to the instruction included on the form to revise how certain data is reported. Those changes would affect:

Volume Spilled (Part A9);
Volume Recovered (Part A11);
Time sequence (Part A18);

Public Comment

PHMSA is soliciting public comments on these proposed changes. Comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket # PHMSA-2013-006). Comments should be submitted by June 24th, 2013.

Monday, April 22, 2013

Congressional Hearings – Week of 4-21-13

With a terrorist attack and a catastrophic chemical accident still dominating the domestic news Congress returns to Washington to look at more mundane matters including freight transportation and the FY 2014 budget. Two security related hearings will be held looking at cybersecurity and weapons of mass destruction.

Budget Related Hearings

Federal Railroad Administration Budget, House Appropriations, 4-25-13;

Freight Transportation

On Wednesday the Panel on 21st Century Freight Transportation (not a subcommittee, maybe a temporary subcommittee) will hold a hearing on the Overview of the United States’ Freight Transportation System. According to a Panel document, they will be looking at the ‘system’ from an intermodal perspective. There is no specific mention of hazardous material shipping in that document, nor shipping security, but the topics may come up

The witness list includes:

• Fred Smith, FedEx Corporation
• Charles W. Moorman, Norfolk Southern Corporation
•  James Newsome, South Carolina Ports Authority
• Derek Leathers, Werner Enterprises
• Edward Wytkind, Transportation Trades Department, AFL-CIO

Weapons of Mass Destruction

The Counterterrorism and Intelligence Subcommittee of the House Homeland Security Committee will be holding a hearing on Counterterrorism Efforts to Combat a Chemical, Biological, Radiological, and Nuclear (CBRN) Attack on the Homeland. This hearing was originally scheduled for April 11th. The witness list remains the same as I reported earlier.


The Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee of the House Homeland Security Committee will be holding a hearing on Thursday on Striking the Right Balance: Protecting Our Nation's Critical Infrastructure from Cyber Attack and Ensuring Privacy and Civil Liberties. It is odd that this hearing is coming after the House passage of CISPA, but that doesn’t appear to be the end of cybersecurity legislation. No witness list is currently available.

Action on the House Floor

There is only one bill that is currently scheduled to come to the floor of the House this week that even remotely concerns chemical safety matters (much less security of any kind) and that is H.R. 527, the Responsible Helium Administration and Stewardship Act. It will be debated under a Rule on either Thursday or Friday. I haven’t covered this bill and I probably won’t mention it again.

Sunday, April 21, 2013

HR 1542 Introduced – WMD Intelligence

As I mentioned last week, Rep. Meehan (R,PA) introduced HR 1542, the WMD Intelligence and Information Sharing Act of 2013. This bill would amend the Information Analysis and Infrastructure Protection subchapter of 6 USC by adding §124n (§210G; see note below) which would add specific weapons of mass destruction intelligence and information sharing requirements. This bill is virtually identical to HR 2764 that was passed in the House in the last session.

NOTE: The bill uses the standard convention of amending the Homeland Security Act of 2002 and bases its section numbering scheme on that document. I have converted these to references to 6 USC as that is easier to find and link to.

General CBRN Focus

This bill would provide for a general focus on CBRN intelligence by requiring the DHS Office of Intelligence and Analysis (OIA) to “support homeland security-focused intelligence analysis of terrorist actors, their claims, and their plans to conduct attacks involving chemical, biological, radiological, and nuclear [CBRN] materials against the Nation” {§124n(a)(1)} and to “leverage existing and emerging homeland security intelligence capabilities and structures to enhance prevention, protection, response, and recovery efforts with respect to a chemical, biological, radiological, or nuclear attack” {§124n(a)(4)}.

The information sharing requirement for this intelligence only requires OIA to “share information and provide tailored analytical support on these threats to State, local, and tribal authorities” {§124n(a)(4)}. There is no specific requirement to address sharing of this intelligence information with potentially affected private sector entities.

Increased Biosecurity Focus

There is also a more tightly focused concern on biological weapons. While biological attacks are clearly included in the general focus of legislation, the bill goes on to specifically require “homeland security-focused intelligence analysis of global infectious disease, public health, food, agricultural, and veterinary issues” {§124n(a)(2)}. This is clearly intended to provide the Department with potential early warning of a bio-based attack.

Continues to Ignore Industrial Chemical Attack

As with every WMD related bill that I have seen to date, this bill continues to ignore the fact that the easiest WMD attack to execute against this country would be an attack on the storage or transportation of toxic, flammable or explosive industrial chemicals. While there are security programs in place to address the security side of the infrastructure protection equation, there is no one that is specifically tasked with providing the intelligence development and dissemination that those programs need to be most effective.

I would like to see an additional sub-paragraph added to §124n(a) that would read:

“(x) support homeland security-focused intelligence analysis of risks associated with potential attacks on dangerous industrial chemical manufacture, storage, distribution and transportation; with particular emphasis on the potential attempts to steal or divert industrial chemicals that could be used in the manufacture of improvised explosives or chemical weapons;”

Moving Forward
This bill will probably see quick action within the House Homeland Security Committee, particularly since Meehan is the Chair of the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies. When the bill makes it to the floor of the House it will almost certainly pass with significant bipartisan support. If it makes it to the floor in the Senate it will also be very likely to pass.

HR 1535 Introduced – Port Security

As I mentioned a week ago, Rep. Hahn (D,CA) introduced HR 1535, the Gauging American Port Security (GAPS) Act. This bill would require the DHS Inspector General to prepare a classified report on the “remaining gaps in port security in the United States” {§2(a)(1)}. This bill is nearly identical to HR 4005 that was passed in the House in the last session, but was never acted upon in the Senate.

The only difference between this bill and the previous version is that the previous bill required the Secretary of DHS to produce the GAPS report not the IG. The change to requiring the IG to conduct the study is odd in that the bill also requires the report to address the “prioritization of such gaps and a plan for addressing them” {§2(a)(2)}. This is an inherently political decision and thus not normally under the purview of the IG.

Classified Report

Requiring the report to be made in classified form with an unclassified annex {§2(b)} will make sharing of the information problematic with the people at the local level that will most likely be responsible for fixing the identified problems. Section 3 of the bill attempts to address this by requiring the Secretary to “help expedite the clearance process, as appropriate” for ‘designated’ points of contact. Beyond the generic “Federal agencies and State, local, or tribal governments, and port system owners and operators” the bill does not define ‘designated’.

The one point that this bill (and to be fair most bills requiring the sharing of classified information) fails to recognize is that a person receiving classified information also has to have specially approved methods of storing the classified information. Obtaining the approval of the storage can be as time consuming as, and much more expensive than, obtaining a security clearance.

Additionally, State and local governments will inevitably have to go through a public funding process for any improvements that they will have to make to port operations. Having to rely on a classified report to justify those expenditures will make that funding process much more difficult.

Moving Forward

In the last session, HR 4005 passed with overwhelming bipartisan support (the vote was 411 – 9) in the House, but was never addressed in the Senate. That was due, at least in part, to its late introduction and passage in the House. When this bill gets to the floor in the House and if it gets to the floor in the Senate, it will pass without significant opposition.

HR 1534 Introduced – Port Security Grant Authorization

As I mentioned last week Rep. Hahn (D,CA) introduced HR 1534, the Port Security Grant Act of 2013. This very simple bill (effectively one operational sentence) would extend the current $400 million dollar per year authorization for port security grants under 46 USC 70107 until 2017. This bill, it turns out, bears no similarity to HR 4005 in the last session.

If this bill makes it to the floor of the House (or Senate for that matter) it will almost certainly pass with significant bipartisan support. I suspect, however, that this will be folded into a Coast Guard authorization bill. Ms. Hahn represents at least a portion of the Port of Los Angeles so I suspect that the introduction of this bill was intended for inclusion in campaign literature as much as actual consideration in Congress.

Saturday, April 20, 2013

Comments on Incentives to Adopt Improved Cybersecurity Practices – 04-20-13

This is part of a continuing series of blog posts looking at the responses to a joint request for information (RFI) from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST) to support their development of incentives to adopt the improved cybersecurity practices being developed by the NIST as part of the Cybersecurity Framework mandated by the President’s executive order on cybersecurity (EO 13636). The previous post in the series is listed below.

This week there were only two responses to the RFI. They came from a lawyer, Gary Fresen, and from the Advanced Cyber Security Center (ACSC).

Private Sector Information Sharing Centers

 The ACSC response proposes the establishment of four regional private sector entities to provide a forum for the discussion and dissemination of cybersecurity information including threat and response information. It notes that these regional information sharing centers would be patterned on their organization which has successfully set up a forum in the Boston area for this type of information sharing with weekly meetings allowing face to face exchanges.

Privileged Communications

Mr. Fresen proposes setting up a new class of privileged communications that would allow for the internal collection and analysis of cybersecurity information in critical infrastructure organizations and the privileged sharing of that information with the appropriate ISACs and CERTSs. The detailed proposal includes legislative language for the establishment of that new class of privileged communications.

Moving Forward

As I noted in my post about the RFI the short deadline for this RFI is necessitated by the time constraints set forth in the Executive Order. It may be disappointing to see only a total of three comments submitted to date, it usually takes at least a month for corporate type responses to these RFI. With only nine-days left in the comment period, I suspect that we will be seeing a number of comments coming in the next week.

Responses to NIST RFI – 04-20-13

This is the final post looking at the responses that the National Institute of Standards and Technology (NIST) has received in response to its request for information (RFI) in support of the development of the Framework for Reducing Cyber Risks to Critical Infrastructure as outlined in President Obama’s Executive Order on critical infrastructure cybersecurity (EO 13636). The earlier posts in the series are:

There were only five new responses added in the last week and it seems clear that NIST is no longer adding to the list; it was last updated on the 16th. There is no new information concerning control system security or chemical-specific cybersecurity in the new posts.

Second NIST Meeting on Cybersecurity Meeting

This week the NIST Cybersecurity Framework web site added a link to a notice about a second public meeting to be held in Pittsburg, PA starting on Wednesday, May 29th. The three day meeting will include:

• A discussion of the comments received by NIST for their RFI;
• An extended public comment period where views can be submitted in person; and
• A discussion of where NIST is going with the information it has.

It is not clear from the agenda currently available if there will be a chance for the public to discuss the proposals being presented. As the date for the meeting gets closer, I would not be surprised to see the current agenda being fleshed out, at least a little.

No Bleve at West Fertilizer

While I didn’t actually think that a bleve was responsible for the explosion at West Fertilizer this week (though I did discuss the possibility) I now have visual evidence that one was not involved (at least not an anhydrous ammonia bleve). A Reuter’s photo in a story on the Toronto Sun web site shows investigators (look real close) walking through the rubble around the anhydrous ammonia tanks. All five tanks that I identified earlier as probable anhydrous ammonia tanks are still present and intact.

West Fertilizer CFATS Status

It is interesting that the Department of Homeland Security has been telling just about anyone that has asked (I received the same information from a Department spokesman) that the West Fertilizer facility that blew up this week is not covered under the Chemical Facility Anti-Terrorism Standards (CFATS) because the facility had never filed a Top Screen which would have initiated a review of their terrorism risk by the Infrastructure Security Compliance Division (ISCD). The Department is usually very reluctant to talk about such matters since it would violate the CFATS regulations if they discussed the status of a facility that was regulated.

Of course part of the reason for the different approach in this case is that DHS is the only organization at the federal level that currently has a legal mandate to regulate facilities that store ammonium nitrate fertilizer and they don’t want any part of the responsibility for the situation in West, TX. Which is kind of silly since their mandate has nothing to do with safe storage; they are responsible for overseeing the secure storage of the material under the CFATS program. Okay, and their much delayed ammonium nitrate security program would also regulate the sale and transfer of ammonium nitrate, but that isn’t involved here either.

What is a Top Screen

The CFATS program was designed to regulate security at chemical facilities that are at high-risk of being attacked by terrorist. It was set up so that any facility that has an inventory of certain DHS chemicals of interest (COI; chemicals that could cause a catastrophic incident if released or detonated at the facility or could be used to make improvised explosives or chemical weapons) at or above a certain screening threshold quantity (STQ) is required to submit an online report called a Top Screen. This report provides DHS with information about the quantities of COI stored at the facility and some basic information about the facility (including its location).

DHS takes this Top Screen information and reviews it to make a preliminary determination if the facility is at high-risk of a terrorist attack. There is a lot of discussion going on right now about how ISCD makes that determination (see here and here) and DHS isn’t publicly discussing the details of their review process for security reasons. Having said that it doesn’t take a lot of insider knowledge to guess that for a local fertilizer distribution facility like West Fertilizer, that review would probably concentrate on the size and location of the surrounding community for determining the release threat (detonation of stored material on site). My guess is that ISCD would conclude that a small town like West, TX, lacking some sort of iconic international claim to fame, would not be considered to be a serious terrorist target.

Facilities that submit a Top Screen and subsequently determined not to be at high-risk of a terrorist attack are told they are not covered under the CFATS program and reminded that if their situation changes significantly they should re-submit a Top Screen.  Then the folks at ISCD forget about them. The Department has received over 40,000 Top Screens since the program started in 2007 and less than 4,000 facilities are currently covered under CFATS. Most places are just not realistic terrorist targets.

Why no Top Screen in this Case

I have not talked to anyone from West Fertilizer; they don’t need gadflies bothering them now. They have lost their livelihood, friends, family and neighbors; they have more important things to do than talk to folks like me. I can, however, make an educated guess about why a facility like West Fertilizer might not have submitted a Top Screen.

First off, the company is a small company; news reports say 10 employees. It is owned and operated by a local man who set up shop in 1962. He probably has a lady working in the office that takes customer orders, opens the mail, makes bank deposits and writes out the checks for suppliers and payroll. He certainly does not have an environmental health and safety professional on staff. Like the vast majority of people in this country he has probably never heard of the Federal Register and has certainly never read it.

When the EPA’s risk management program came into being he was probably not aware of it and would have been grandfathered out of its coverage because of his size and location. In 2006 when that grandfather clause expired he wasn’t aware of it and was subsequently fined for not having a risk management program in place. He has reportedly made all of the required program filings since then.

In 2007 when the CFATS program became operational, it is very likely that he did not hear anything about it. Even if he did, he wouldn’t have considered his fertilizer distribution operation to be a chemical facility. I would even bet that the discussions within the fertilizer industry were ignored because of the relatively small size of his operation and the fact that no one would expect to see terrorist in West, TX.

Now, how many other fertilizer distributors across the country have not submitted Top Screens? I don’t know and I don’t think anybody does. I would bet that there are a couple of people in ISCD that are currently trying to find out. I would guess that there are hundreds, maybe as many as a couple thousand, of similarly sized distributors in small towns across this country. If there are farmers there will be fertilizer and anhydrous ammonia and ammonium nitrate are two of the cheapest and most effective methods of increasing soil nitrogen content.

Would West Fertilizer have been Regulated

Before I go down this road, let me make it absolutely clear; if West Fertilizer had been a CFATS covered facility, DHS would still have had nothing to do with preventing the current incident since it looks like an industrial accident not a terrorist attack. CFATS is a security program not a safety program. If CFATS inspectors saw a grossly unsafe situation, they might mention it to the owner, but they couldn’t do anything about it. They probably couldn’t even report it, legally, to OSHA because of the information security provisions of the CFATS regulations.

So, if West had submitted a Top Screen, would they have been given a preliminary designation as a high-risk chemical? As I mentioned earlier ISCD isn’t discussing the details of the methodology they use to evaluate the Top Screen data, but for a release type chemical it would mainly have to do with the number of people that would be directly affected by a worst case release (and the plant blowing up would certainly qualify as that). While the community in West, TX is certainly devastated, I’m believe that their small size would have caused ISCD to say that there wasn’t a significant risk of a terrorist attack on the facility.

Now ammonium nitrate is not just a release risk. Since it can be used to make a real explosive (and no, the stuff that blew up so spectacularly this week is not really an explosive; conditions had to be just right for it to explode) and is an internationally preferred component for IEDs, ISCD also considers ammonium nitrate to be a theft/diversion risk. But West apparently handled and shipped their ammonium nitrate in bulk (big trucks or medium sized trailers), so they probably would not have made the cut for that risk either.

Should Fertilizer Distributors be Covered

An interesting question now arises. Does the spectacular explosion in West, TX change that calculus? There has been a huge amount of press coverage of this incident and there would have been even more if the fools in Boston were not still running around playing at being terrorists. While the Boston attack was smaller and produced fewer casualties and damage, it caught more news coverage. But even with Boston and a couple of ricin letters, the explosion in West made national and international news. In a slower news cycle the coverage would have been much larger.

Since one of the things that terrorists crave is publicity, the coverage of this incident may make the terrorist’s calculation of desirable targets slide towards favoring attacks on fertilizer distributors. It will be interesting to see if the folks at ISCD re-look at how they assess the release risk at these types of facilities. I think that facilities where there are things like apartment buildings, nursing homes or schools (all three in West, TX) within the potential 2 psi overpressure zone (a measure of blast effects) of the facility should have their terrorist risk potential raised to at least the Tier 4 level.

Friday, April 19, 2013

Two Reader Comments – 04-19-13 - West Fertilizer Explosion

There have been two comments about to my post from last night about the explosion at the West Fertilizer facility in West, TX (which is actually in the east-central portion of the State between Dallas and San Antonio). Those comments and my replies provide some additional information about the potential cause of the incident.

Ammonium Nitrate Decomposition

Jim avoids giving us a specific chemistry lesson but comments:

“There is not enough space for a chemistry lesson but AN will decompose into oxides of N2 and water when heated. This reaction is very exothermic. In bulk storage situations the heat cannot dissipate faster than it is being produced and a runaway decomposition can occur.”

If you are interested in a brief chemistry lesson on the decomposition see this at Yahoo.com.
To understand how this impacts storage of ammonium nitrate see this Canadian government site. Three things to note:

• Each mole (80.0 g) of ammonium nitrate produces 3.25 moles of gas. Combined with the exotherm produced by the reaction this provides for a rapidly expanding shell of gas which produces the devastating shock wave.
• The reaction also produces oxygen (O2) that promotes additional combustion of the already existing fire that would have started the heat rise in the first place in this instance.
• Fires frequently cause the collapse of storage tanks. This could provide the confinement to change the burning ammonium nitrate into exploding ammonium nitrate.

Probably not a Bleve

Ed Clarke doesn’t believe that the explosion was caused by an anhydrous ammonia bleve based upon the shock wave seen in various videos. He notes:

“Under intense heat form the fire, in a confined space, the AN in the storage bins pictured in the GE imagery (BTW, Bing birds eye view [here’s a link; click on Birds Eye] provides much better perspective) would have exploded.”

He does have questions about the source of the fire seen in the videos and suggests possible propane storage tanks. I suspect either that or some of the open top transport containers for ammonium nitrate could have been the fuel source, or even some of the other storage tanks that I mentioned in the original post.

A Potential Terrorist Target?

In any case, we will need to watch for the CSB reports on this investigation. Also note that the fire and explosion (and its extensive media coverage) show that an attack on small, out-of-the-way facilities like this could still bring the notoriety that terrorists crave. How much security do you see in the aerial view of the facility? Not even a fence.

ISCD – How many of these facilities have not been reviewed because no Top Screen was submitted? How many facilities like this that did submit Top Screens received a pass because they were in small towns?

More on Amendments to HR 624

Yesterday I noted that there had been a modification made to the amendment offered by Rep. Sanchez (D,CA), but from the information available at the time it was not clear what that amendment was. The Congressional Record for yesterday provides the expected details:

Insert ‘‘Security’’ after ‘‘Homeland’’ in the second instruction.

Two pages earlier in the Congressional Record (same link as above) there is also a notice that a 13th Amendment had been added to the Rule for the consideration of HR 624. This new amendment, submitted by Chairman McCaul (Homeland Security) would make DHS and the Justice Department the action agencies for receiving shared information by amending §1104(b)(1)(A)(ii) and §1104(b)(1)(A)(ii) by replacing the words “Federal Government” with “entities of the Department of Homeland Security and the Department of Justice designated under paragraphs (1) and (2) of section 2(b) of the Cyber Intelligence Sharing and Protection Act”. This amendment also passed in a voice vote of 409 – 5.

This last change was made to mollify some of the critics of the bill that were afraid that NSA and the military would become the action agencies for receiving this information. It is not clear at this point if this change would overcome President Obama’s intention to veto the bill.

The bill will now move to the Senate where, if it is actually brought to the floor of the Senate by Sen. Reid (D,NV), there is a good chance that a similar bipartisan vote would send the bill to the President.

Bills Introduced – 04-18-13

Out of 63 bills introduced in the House and Senate yesterday there were two that may be of potential interest to readers of this blog as they concern pipeline safety and cybersecurity response. The bills are:

HR 1640 Latest Title: To amend titles 10 and 32, United States Code, to enhance capabilities to prepare for and respond to cyber emergencies, and for other purposes. Sponsor: Rep Israel, Steve (D,NY)

S 763 Latest Title: A bill to authorize States to enforce pipeline safety requirements related to wellbores at interstate storage facilities. Sponsor: Sen Roberts, Pat (R,KS)

I think that HR 1640 will be similar in nature to S 658 that would authorize the formation of cybersecurity response units within the National Guard.
/* Use this with templates/template-twocol.html */