Saturday, November 30, 2013

Publishes HSINAC Meeting Notice – 12-17-13

Yesterday the DHS Office of Operations Coordination and Planning published a meeting notice in the Federal Register (78 FR 70631-70632) for a teleconference to be held by the Homeland Security Information Network Advisory Committee (HSINAC) on December 17th. The meeting will be open to the public either by telephone or via HSIN Connect, an online web-conferencing tool.

The agenda for the meeting includes:

HSIN Program Update, including:

• New hires;
• New development contract;
• New outreach contract, and
• Budget/Investment requirements.

• Improving system performance and service operations;
• Interoperability and Federation;
• Large list user validation;
• New development environment; and
• DHS suspicious activity reporting.

The Committee is expected to vote on:

Public participation is being solicited. A public comment period will be held at the end of the conference. Written comments on the topics outlined above may be submitted via the Federal eRulemaking Portal (Docket # DHS-2013-0037) and should be submitted by December 13th.

NPPD Withdraws Troubled PCII ICR

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that the DHS National Protection and Programs Directorate (NPPD) had withdrawn their information collection request (ICR) for a questionnaire to be used by State Protected Critical Infrastructure Information (PCII) Officers to conduct a self-assessment of the protections applied to PCII at the State level.

NPPD has been having a number of administrative problems with this ICR since it was initiated last year. I noted back in May that they ignored a public comment posted in response to their 60-day ICR. Then OIRA rejected their initial submission of the ICR in July as being ‘improperly submitted’.

The actual questionnaire being proposed for the self-assessment program (downloadable here) seems to address the issues one would expect a compliance audit of the program to look at. Too many of the questions, however, solicit ‘Yes’ or ‘No’ answers, and the wording of the question usually indicates the ‘proper’ response. Since only an inappropriate response requires an explanation, a cursory appropriate response is encouraged when filling out the form. This is a typical problem with a self-assessment program.

As I have repeatedly noted in the earlier posts about this ICR, I have concerns about the use of a self-assessment questionnaire in evaluating the protections put in place for the State level PCII programs. Critical infrastructure organizations are relying on NPPD and the Federal Government to ensure that the critical information that they are voluntarily submitting is properly protected.

Since that PCII must, in most cases, be shared with State and local agencies to ensure that those critical infrastructure facilities are appropriately protected, NPPD has an overarching requirement to ensure that the PCII programs are being properly administered at the State and local levels. Simply requiring that a self-assessment form be completed is not adequately ensuring that the protections are in place.

I wonder, how long has it been since Congress has exercised its oversight responsibility over this important information sharing program? I don’t recall the last time any committee has held hearings on the PCII program. With Congress interested in encouraging information sharing about cybersecurity matters, maybe they ought to take a look at how well the government is protecting information already being shared by the same organizations.

Friday, November 29, 2013

OMB Publishes Fall 2013 Regulatory Agenda

On Wednesday the Office of Management and Budget published the Fall 2013 Unified Agenda. This is a twice yearly exercise undertaken by each administration to outline the status of current and planned rulemaking actions. Since I have been watching it in this blog it has been pretty much an exercise in futility, as the projected dates of action on the listed rules are usually nothing more than a pretty fairy tale.

DHS Rulemakings

As I usually do I initially look at the proposed regulatory actions listed by DHS. The table below shows the currently planned rulemaking activities that I think may be of potential interest to readers of this blog. Please note that there is no mention of any cybersecurity activities in this list.

Rulemaking – Action – Expected Date
Petitions for Rulemaking, Amendment, or Repeal – NPRM – 06-14
Ammonium Nitrate Security Program – Final Rule – 03-14
Classified National Security Information – Final Rule – 12-13
Updates to Maritime Security – NPRM – 09-14
Transportation Worker Identification Credential (TWIC); Card Reader Requirements – Final Rule – 04-14
Revision to Transportation Worker Identification Credential (TWIC) Requirements for Mariners – Interim Final Rule – 03-14
General Aviation Security and Other Aircraft Operator Security – NPRM – 08-14
Security Training for Surface Mode Employees – NPRM – 08-14
Freight Railroads and Passenger Railroads--Vulnerability Assessment and Security Plan – NPRM – 09-14
Standardized Vetting, Adjudication, and Redress Services – NPRM – 08-14
DHS 2013 Unified Agenda Items of Interest

This is pretty much the same list I described last July when the Spring 2013 Unified Agenda was published. DHS has not changed the status of any of these rulemakings other than to revise the expected dates of action. All of these dates, with the possible exception of the one for the Classified National Security Information rulemaking, fall under the category of “the check’s in the mail”. As I noted earlier this week, the CNSI rulemaking has been forwarded to OMB for review, so there is a remote possibility that the Final Rule may actually get published next month; January is more likely, and it could be February or March depending on the sensibilities of OMB.

I did add one new item to my list, though it has been on the DHS Agenda since 2009. That is the first item; Petitions for Rulemaking, Amendment, or Repeal (1601-AA56). Federal law requires that each “agency shall give an interested person the right to petition for the issuance, amendment, or repeal of a rule” {5 USC 553(e)}. This rulemaking would set out the procedures for exercising that right and delineate the process by which DHS would respond. Don’t worry; I expect that this rulemaking will be completed by the end of the century (pardon the sarcasm).

Long Term Actions

There is a separate section of the Unified Agenda that lists Long Term Actions. If the actions listed in the active portion of the Unified Agenda are slow to happen, then I don’t consider the listing of anything on the ‘Long Term Actions’ list to be anything more than a political wish list. Things move on and off this list with wild abandon. The current list includes:

Protection of Sensitive Security Information (SSI)
Drivers Licensed by Canada or Mexico Transporting Hazardous Materials To and Within the United States

For the first, TSA has been operating off of an interim-final rule since 2004. This keystone of the critical infrastructure information protection program certainly needs to be finalized. I’m afraid that the second is kind of waiting on the completion of a DOT pilot program for allowing Mexican trucking companies to haul cargoes into the United States beyond the border region. Beyond the safety aspects being addressed by DOT, I think that the main holdup for this rule is concerns about the background vetting process in Mexico.

There is one item that is missing from the wish list this time, and that is a rule concerning Top Screen Information Collection From MTSA-Regulated Facilities Handling Chemicals. That little bit of chemical security harmonization has apparently dropped off the Administration’s list of things to think about doing.

I also admit that I kind of hoped to see a listing on the Long Term Agenda list for the update of the Risk Based Performance Standards Guidance document. While not strictly a regulatory document, it is a key part of the CFATS enforcement process and deserves to be updated with the lessons learned to date in that program.

Missing Items from the EO

I am more than a little disappointed that some of the items mentioned in the President’s Chemical Safety and Security Executive Order (EO 13650) did not make it into the regulatory agenda or at least the Long Term Actions list. I’ll look at EPA and OSHA actions in a separate look at their Unified Agendas, but here are some things that probably should have made it into the DHS list:

The Secretary of Homeland Security shall assess the feasibility of sharing Chemical Facility Anti-Terrorism Standards (CFATS) data with SERCs, TEPCs, and LEPCs on a categorical basis.

The Secretary of Homeland Security, the Secretary of Labor, and the Secretary of Agriculture shall develop a list of potential regulatory and legislative proposals to improve the safe and secure storage, handling, and sale of ammonium nitrate and identify ways in which ammonium nitrate safety and security can be enhanced under existing authorities.

The Secretary of Homeland Security shall identify a list of chemicals, including poisons and reactive substances, that should be considered for addition to the CFATS Chemicals of Interest list.

I will admit that I am not surprised by the lack of the first two, but the last item has been on the ISCD internal discussion agenda for a couple of years now with more than a few discussions with industry representatives. An update of Appendix A should certainly be on the Long Term Agenda list (even ignoring my pet peeve; the methyl bromide issue).

Thursday, November 28, 2013

S 1768 Introduced – Pipeline Repair Funding

As I noted earlier, Sen. Markey (D,MA) introduced S 1768, the Pipeline Revolving Fund and Job Creation Act. The bill would provide the Pipeline and Hazardous Materials Safety Administration the authority to provide grant monies to States to establish revolving loan funds for the repair and replacement of the aging natural gas pipeline network.

The Revolving Loan Program

Each State would be required to establish a revolving loan/loan guarantee program where the grant money from PHMSA (along with a 20% matching state grant) would be loaned out, or used to guarantee loans, to natural gas pipeline operators to repair or replace existing gas lines. Repayment of those loans (along

There are a number of pretty standard stipulations:

• It includes “Buy American” language {§3(b)(2)(B)};
• Each state will establish (through a publish and comment process) a plan that outlines what types of projects will be funded, how the projects will be selected, and how the projects will be funded {§3(c)};
• Once obligated, the funds will remain in the program for the authorized life of the program (NOTE: there is nothing about what happens to the monies once the federal program is terminated) {§3(d)};
• Up to 4% of the federal grant funding may be used to pay program administrative costs {§3(f)(1)};
• The PHMSA Administrator will issue such guidance and regulations to govern these programs as necessary {§3(f)(2)};
• The State programs will provide a report to the Administrator every two years {§3(f)(3)} and the Administrator will audit those programs ‘periodically’ {§3(f)(4)}; and
• Various federal labor standards will apply to projects funded under this program {§3(g)}.

The bill does note that the repair and replacement of lines “that have been identified as leak-prone” {§3(b)(2)(A)} is a priority, but leaves wide latitude to the determination of the PHMSA Administrator {§3(b)(2)(A)(i)} and the plans established by the State.

The bill does not provide any specific authorization level for the grant program (that normally has to be provided by a House bill), but §4 provides program authorization through 2024. It does restrict PHMSA spending on these grants to the amount specifically authorized for the program.

Moving Forward

Bills like this with creative funding for infrastructure repair/replacement are going to become more common. This use of a revolving loan fund will probably attract some favorable attention, as Congress moves into an election year. I would be very surprised if it gets any attention in the limited time left this year.

Next year I expect that this will move through the Senate Transportation Committee rather quickly. Then it will just be a case of whether this moves directly to the floor as one of those unanimous consent bills or whether it gets rolled up in the transportation authorization bill.

Wednesday, November 27, 2013

OMB Receives DHS Rule on Classified Information

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received from DHS a copy of their proposed final rule on classified national security information. According to the information in the most recent Unified Agenda the purpose of this rule is:

“The Department of Homeland Security (DHS) is revising its procedures for managing classified national security information. DHS is updating its regulations to incorporate new and revised procedures pursuant to Executive Order 13526, ‘Classified National Security Information.’ Further, DHS is delegating to the Chief Security Officer of DHS the responsibility of serving as the "Senior Agency Official" pursuant to Executive Order 13526.”

It will be interesting to see the justification for going directly to a final rule without publishing a notice of proposed rulemaking.

The EO referenced dates back to 2009 so this is another real quick response to an executive order.

My guess is that this rule will not have a great deal of effect on most folks outside of DHS since most organizations are not set up to receive classified information from DHS. Probably the most affected organizations outside of DHS proper will be the various fusion centers around the country.

There is no telling how long it will take OMB to approve this rule. I would be surprised if we see any action before the end of the year.

Tuesday, November 26, 2013

Pipeline Safety Advisory Committees Teleconference – 12-17-13

The Pipeline and Hazardous Materials Safety Administration (PHMSA) published a meeting notice in today’s Federal Register (78 FR 70623-70624) for a teleconference of a joint meeting of the Gas Pipeline Advisory Committee (GPAC) and the Liquid Pipeline Advisory Committee (LPAC) (Shared Web Site) on December 17th, 2013.

The joint meeting will consider a proposed rule to incorporate by reference two new standards and 21 updated editions of currently referenced standards in 49 CFR Parts 192, 193, and 195. This is apparently the “Periodic Updates of Regulatory References to Technical Standards and Miscellaneous Amendments” NPRM that according to the Spring 2013 Regulatory Agenda is supposed to be published in December. Obviously, that date won’t be met as this meeting is part of the regulatory review process at PHMSA before that NPRM would be published. I suspect that the earliest this will go to the Office of Management and Budget for their final review will be sometime in January.

One of the topics that should come up in this discussion will be how these updates will be made while complying with the congressional mandate {§24 of the Pipeline Safety, Regulatory Certainty, and Job Creation Act of 2011 (PL 112-90)} to reduce reliance on such incorporation by reference documents. That requirement prohibited PHMSA from using such documents unless they were available without charge to the regulated community. There are on-going discussions in PHMSA about this issue and Congress modified the requirements earlier this year (PL 113-30).

The public is invited to follow the teleconference (there is no mention in the notice of allowing public comments during the discussion) either via telephone or in person (in Washington, DC). The teleconference number will be made available on the PHMSA web site at some future date (though the PHMSA web site is circuitous at best). There is a link to the meeting page where you are supposed to be able to register for the in-person option, but as of 05:30 CST this morning there is no sign-up information on that site.

Public comments are being solicited, but there is some confusion about where to send the comments. There are two different docket numbers referenced in the notice for use on the Federal eRulemaking Portal. The first docket number, PHMSA-2009-020, is the generic docket number for the meetings of these two advisory committees. Since it contains a copy of today’s FR notice it is probably the proper place to post comments. The second docket number referenced (PHMSA-2013-2003) is almost certainly a bad misprint, as there have not been 2002 PHMSA docket entries this year.

Monday, November 25, 2013

ICS-CERT Publishes Triangle Research PLC Advisory

Today the DHS ICS-CERT published an advisory for an improper input validation vulnerability in the Nano-10 PLC firmware from Triangle Research. The vulnerability was reported by Wei Gao of IXIA in a coordinated disclosure.

ICS-CERT reports that the vulnerability could be remotely exploited by a moderately skilled attacker to create a denial of service condition in the PLC. TRI has produced a firmware upgrade that fixes the problem (and its efficacy has been verified by Wei), but it cannot be applied in the field. The PLC needs to be returned to the manufacturer for the upgrade. (Now what does that do to system availability?) Oh well, ICS-CERT recommends protecting the control system with a firewall “used to deny Port 502/TCP traffic from traversing business/corporate networks to the control systems networks”.

Now this is not a DNP3 system so this is not exactly the same type of improper input validation vulnerability reported by Crain-Sistrunk, but this does sound very similar except that it is in a Modbus system. I’m wondering if this is what Adam and Chris are going to be going hunting for with their new Modbus tool that will be released next year after their DNP3 fuzzer is released.
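To make the bug class concrete, here is an added example of my own; it is not code from ICS-CERT, Triangle Research or the advisory, which gives no details of the Nano-10 flaw. It shows a Modbus/TCP request handler for function code 3 (Read Holding Registers) written two ways: a naive parser that trusts the MBAP length field and the register count, and a strict one that checks every field against the protocol limits before using it. A handful of constructed frames of the kind a Modbus fuzzer would throw at a device (zero length, truncated PDU, absurd register count, cut-off header) crash the naive path with unhandled exceptions, which in a firmware loop with no equivalent handler is exactly the kind of denial of service the advisory describes. The frame samples, the simulated register contents and the helper names are assumptions for illustration.

```python
import struct

MBAP_LEN = 7               # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_ADU = 260              # Modbus/TCP maximum ADU size
MAX_LENGTH = MAX_ADU - 6   # the length field counts unit id + PDU, so at most 254
FC_READ_HOLDING = 0x03
MAX_READ_REGS = 125        # spec maximum register count for function code 3
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_VALUE = 0x03


class FrameError(ValueError):
    """Malformed ADU: the only safe reaction is to discard it."""


class DataValueError(ValueError):
    """Well-formed request with an out-of-range field: answer with a Modbus exception."""


def parse_naive(frame: bytes):
    """Trusts the length field and request fields, as a sloppy firmware parser might.
    Returns (tid, uid, fc, start, qty); start/qty are None for other function codes."""
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])   # struct.error if < 7 bytes
    pdu = frame[MBAP_LEN:MBAP_LEN + length - 1]
    fc = pdu[0]                                       # IndexError when length == 0
    if fc == FC_READ_HOLDING:
        start, qty = struct.unpack(">HH", pdu[1:5])   # struct.error when the PDU is truncated
        return tid, uid, fc, start, qty
    return tid, uid, fc, None, None


def parse_strict(frame: bytes):
    """Same interface, but every field is validated against the spec before use."""
    if len(frame) < MBAP_LEN + 1:                     # header plus at least a function code
        raise FrameError("truncated ADU")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise FrameError("protocol id must be 0 for Modbus")
    if not 2 <= length <= MAX_LENGTH:                 # unit id plus at least a function code
        raise FrameError("length field out of range")
    if len(frame) != MBAP_LEN - 1 + length:           # 6 header bytes + what length claims
        raise FrameError("length field disagrees with bytes received")
    pdu = frame[MBAP_LEN:]
    fc = pdu[0]
    if fc == FC_READ_HOLDING:
        if len(pdu) != 5:                             # fc + start (2) + quantity (2)
            raise FrameError("bad PDU size for function 3")
        start, qty = struct.unpack(">HH", pdu[1:5])
        if not 1 <= qty <= MAX_READ_REGS or start + qty > 0x10000:
            raise DataValueError("register range out of bounds")
        return tid, uid, fc, start, qty
    return tid, uid, fc, None, None


def _mbap(tid: int, uid: int, pdu: bytes) -> bytes:
    """Prepend an MBAP header; the length field covers unit id + PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def serve(frame: bytes, parser):
    """Service one request the way a PLC's Modbus/TCP task would.
    Returns the response ADU, or None when a malformed frame is discarded."""
    try:
        tid, uid, fc, start, qty = parser(frame)
    except FrameError:
        return None
    except DataValueError:
        tid = struct.unpack(">H", frame[:2])[0]
        return _mbap(tid, frame[6], bytes([frame[7] | 0x80, EXC_ILLEGAL_DATA_VALUE]))
    if fc != FC_READ_HOLDING:
        return _mbap(tid, uid, bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION]))
    data = bytes(2 * qty)   # simulated registers (all zero); a real PLC reads its data table here
    # The one-byte byte-count field overflows (struct.error) if an unchecked qty exceeds 127.
    return _mbap(tid, uid, struct.pack(">BB", fc, len(data)) + data)


def crash_inducing(parser, frames):
    """Frames on which serve() dies with an unhandled exception. In firmware with no
    equivalent handler that is a task crash or watchdog reset, i.e. the denial of service."""
    crashers = []
    for f in frames:
        try:
            serve(f, parser)
        except Exception:
            crashers.append(f)
    return crashers


# Constructed sample frames (not captured traffic).
GOOD = bytes.fromhex("0001 0000 0006 01 03 0000 000a")   # read 10 holding registers at 0
SAMPLES = [
    GOOD,
    bytes.fromhex("0002 0000 0000 01 03 0000 000a"),     # length field of zero
    bytes.fromhex("0003 0000 0006 01 03 00"),            # length claims 6, only 3 bytes follow
    bytes.fromhex("0004 0000 0006 01 03 0000 ffff"),     # quantity 65535 (spec max is 125)
    bytes.fromhex("0005 0000 0006"),                     # header cut short
]

if __name__ == "__main__":
    print("naive parser crashes on", len(crash_inducing(parse_naive, SAMPLES)), "of", len(SAMPLES))
    print("strict parser crashes on", len(crash_inducing(parse_strict, SAMPLES)), "of", len(SAMPLES))
```

The strict path answers the oversized register count with a Modbus exception response (function code 0x83, exception code 0x03) and silently drops frames whose framing is broken, so the device stays up either way; that is the behaviour a firewall on port 502 only approximates by keeping the malformed frames away from the PLC in the first place.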

Slow SSP Approval Rate – Alternate Explanation

Last Thursday I took the folks at ISCD to task for the very small number of facility site security plans they had approved since the end of the Federal Funding Fiasco. I questioned whether it was due to a disconnect between HQ approvers and Chemical Security Inspectors (CSI; I still hate that acronym) on the ground. Well I had a very interesting discussion today with a DHS official that pointed out another very reasonable cause for the reported SSP approval numbers; fall-out from the FFF.

Rescheduling Visits

When Congress failed to pass an interim funding bill on September 30th the inspection staff at the Infrastructure Security Compliance Division (ISCD) had a full slate of SSP approval inspections (okay they are called ‘visits’ not inspections until the facility site security plan is approved) planned for the first half of October. Since everyone working at ISCD was sent home on October 1st for the duration, all of those visits had to be canceled.

On October 17th when ISCD and the rest of the federal government came back to work, all of those visits had to be rescheduled. Remember the purpose of these visits is not compliance assurance (that comes after the SSPs are approved), but a cooperative effort between the CSI and the covered facility. This means that the facility has to have a reasonable chance to make sure that everyone involved in the SSP development process is available when the CSI arrive.

So, instead of starting inspections (er visits) on October 21st, the teams were forced to look for other things to do. Well actually, headquarters had a better idea, they took the time to have some good communication time with the field folks to iron out all of those little nit-picking SSP problems that have been accumulating over the last six months of running around the country looking at chemical facilities. Hopefully, this took care of some of the issues that I discussed in other blog posts (here and here).

Contractors Were Not Furloughed

Now the above explanation certainly sounds good, but I asked the DHS official why then did ISCD get so many SSP authorizations done in the same circumstances. Part of the reason, it was explained to me, is that the bulk of the authorization process is now a paperwork review with more reliance on telephone calls instead of site visits to clear up questions about the submitted data.

Now ISCD employees could not make these telephone calls or review the data, they were prohibited from doing any work during the government shut down. Fortunately, it seems, the subject matter experts doing this work were not government employees, they were contractors. And apparently contractors could work during the FFF.

When the ISCD staff that is responsible for reviewing the contractor work and actually authorizing the SSPs came back to work on the 17th, they had large stacks of perused paperwork and analysis sitting waiting for action. And action was taken; the highest daily authorization rate since reporting started.

Next Month

Okay, what will happen with next month? Will it get better, get worse or stay the same? It looks like it will get some better, but it still won’t look as good as the October report for the period before the FFF. There are still some scheduling holes in the first part of the period, but more importantly the holiday period will seriously cut into the numbers. ISCD does not expect to be back up to full schedule until January.

But, I was assured by the DHS official that ISCD expected to approve at least twice as many SSPs as they did/do in 2013.

BTW: I suggested that ISCD should do a better job of explaining the ups and downs they encounter in the SSP authorization and approval process. Instead of including the boilerplate information in the November report, they would have been better served if they had included an explanation of their post-FFF activities.

Sunday, November 24, 2013

Reader’s Comment – 11-24-13 – Vulnerability Disclosure

Jake Brodsky, a long-time reader, commenter and utility cybersecurity owner (he owns the system not the utility) left a comment on this morning’s blog post about ICS-CERT and the secure portal. Jake’s lengthy comment is worth reading as he defends withholding information about utility vulnerabilities from the public.

Jake makes some very important and legitimate points about the difficulties utilities have shutting their systems down to install patches. While I have no personal experience with utility systems, I do know that 24/7 manufacturing facilities have similar problems. So, any debate about vulnerability disclosures should certainly take this into account.

That, however, is a continuing debate for another day. Still being restricted by disclosure rules, that is not what I was talking about. The two instances that I was addressing deal with:

• A publicly available set of exploits that have already been discussed by a prominent cybersecurity blogger, and
• A discussion about a widely used attack methodology specifically relying on open source comments by another well respected security researcher.

Both of these instances address attack methodologies that are already in place and are being used. Neither Jake’s utilities nor my manufacturing facilities are being protected by keeping the discussion about these exploits behind closed doors. ICS-CERT is making it easier for attackers to exploit these vulnerabilities and tools by keeping the problem under wraps.

In a perfect world ICS-CERT would have contact information for every cybersecurity manager at every public and privately owned control system installation in the country. They would have contacted these individuals and ensured that they were part of the discussion of these vulnerabilities on the Secure Portal. Unfortunately (to my thinking, though several of my friends would vehemently disagree) they don’t and haven’t; not by a wide margin. So the only way we can even hope to keep a small portion of the potential victims involved in the discussion is to conduct it in public.

Restricted Cybersecurity Information

I am loosely affiliated with a couple of different organizations that are able to provide me with information about government issued cybersecurity reports that have restricted distribution markings on them; not classified just a variety of sensitive but unclassified markings. Of course, part of the condition of my receipt of copies of this is that I am not able to publicly disclose the information contained in those reports. So, the following discussion will be a tad bit vague as I describe a disturbing trend in such information sharing activities.

We all know that US-CERT provides a limited distribution web site where adequately vetted members of the various affected private sector organizations (this does not include me) can get up-to-date unclassified information about trends and issues in the cybersecurity realm. ICS-CERT has a portion of that portal that they use to discuss vulnerabilities in control systems and attacks on those systems that they don’t want widely disseminated, so as to not allow control system adversaries to know what we know about their activities. This also includes information about specific vulnerabilities and fixes for those vulnerabilities that are being disseminated to system owners and that will subsequently be publicly released on the ICS-CERT web site.

Now all of the above is clearly a good thing. Critical infrastructure organizations can get up to the minute information (okay day or week, not minute) about vulnerabilities that might affect their operations while the bad guys don’t know how much the good guys know about what is going on. On a number of occasions I have recommended that every control system owner apply for access to this portal.

It has come to my attention that in the last couple of weeks there have been two restricted access advisories published on the ICS-CERT portion of this portal that have dealt with vulnerabilities that have been publicly disclosed and discussed in the open press (including this blog). Now I have not seen the actual advisories, but the discussions about them on the Portal do not seem to fall into the realm keeping the bad guys in the dark while the good guys fix the problem. The advisories sound more like the ‘see how special we are because we know sensitive stuff’ types of advisories.

Now a certain amount of that is going to go on in any organization, even a very loose organization like this portal; membership becomes as important as the purpose of the membership. But this portal serves an important purpose, and US-CERT and ICS-CERT have a special obligation to ensure that information gets to the general cybersecurity community (not just this subset of it) as soon as practically possible. Playing ‘see how important you are because you belong to this group’ games does not serve well the purpose of that group or the safety of the larger society.

If US-CERT and ICS-CERT are really interested in information sharing, and that is their mandate, then they need to keep a close eye on how they manage their information sharing tools. Some things need to be more tightly held than others, but the widest dissemination of vulnerability information to the affected community must be a very high priority for these two organizations. And limiting discussions to a limited few must only be done when there is a real security reason for that limitation.

Saturday, November 23, 2013

Cybersecurity Framework Update – 11-23-13

This week the folks at NIST’s Information Technology Laboratory (ITL) got around to posting some of the comments that they have received on the Preliminary Cybersecurity Framework (PCSF); at least I am hoping that the six comments are only ‘some’ of the ones received. There is nothing earth shattering in any of the comments posted to date, but there are some thoughtful and helpful suggestions.

The most ‘radical’ comment comes from Secuilibrium. David Ochel suggests that the current PCSF be scrapped in favor of the proposal from Phil Agcaoil described in Anthony Freed’s article. Apparently David had some other comments in the NIST spreadsheet format, but they did not make it to this comments section.

John Guzman had an interesting point in his comments. He asked why PII gets its own appendix when no other type of data protection does. I would add that control system security deserves as much special attention in the PCSF as does privacy.

Interestingly, only three of the commenters (if we count the missing data from the Secuilibrium comment) used the NIST spreadsheet for submitting comments. None of the others are really complicated or long winded, so they should not be a problem for the NIST reviewers, but I hope that the corporate lawyers that submit the typical last minute comments will use the spreadsheet. The NIST folks do deserve to get some holiday time with their families while they are reviewing and responding to the comments submitted. There is still a January deadline for the publication of the final CSF.

We are now half-way through the comment period. In the remaining three weeks I expect that we will see a much larger number of comments submitted.

Friday, November 22, 2013

Canada Requires Community Notification of Hazmat Rail Traffic

On Wednesday the Canadian Director General of the Transport Dangerous Goods Directorate (TDGD) of Transport Canada issued a new Protective Direction (#32) requiring that railroads notify communities of the hazardous goods that are transported through those communities. A little noted provision of that PD is the requirement for hazardous goods shippers to provide similar information to each transited community and to provide contact info to Transport Canada for the individual who will be liaising with those communities.

Paragraph 2 of the direction specifically applies to “Any person who transports dangerous goods by railway vehicle”. It requires such persons to contact “the designated Emergency Planning Official of each municipality through which dangerous goods are transported by railway vehicle” and to provide that EPO with “yearly aggregate information on the nature and volume of dangerous goods the person transports by railway vehicle through the municipality”. Additionally it requires that EPO to be notified “as soon as practicable” if any “significant change” is made to that information.

Paragraph 4 requires shippers of dangerous goods to provide Transport Canada, through the Canadian Transport Emergency Centre (CANUTEC), the contact information for the person who will be liaising with the local EPOs.

Paragraph 5 provides that copies of all of the required communications with local EPOs will be shared with Transport Canada through CANUTEC.

As the crude oil derailment in Quebec last July demonstrated, there is a significant amount of hazardous material from the United States transported across Canadian railways. American shippers whose hazardous materials transit Canadian rail lines will be affected by this Protective Direction.

The provisions of this Protective Direction went into effect on Wednesday.

Bills Introduced – 11-21-13

As Congress gets ready to take its Thanksgiving Day recess a total of 83 bills were introduced yesterday. Most of these are not intended to actually be considered or passed. They are intended to provide the congresscritter with bragging rights before specific home audiences. None the less, two of the bills may be of specific interest to readers of this blog; both dealing with pipeline safety.

S 1767 Latest Title: A bill to amend title 49, United States Code, to require gas pipeline facilities to accelerate the repair, rehabilitation, and replacement of high-risk pipelines used in commerce, and for other purposes. Sponsor: Sen Markey, Edward J. (D,MA)

S 1768 Latest Title: A bill to establish State revolving loan funds to repair or replace natural gas distribution pipelines. Sponsor: Sen Markey, Edward J. (D,MA)

Thursday, November 21, 2013

S 1197 Cloture Vote Fails

The bipartisan spirit that allowed a unanimous vote to start considering the DOD spending bill, S 1197, fell apart this afternoon when an attempt was made to end debate on the endless amendments and start voting on amendments and the bill. The cloture vote failed 51 – 41 (60 ayes required for passage) along party lines.

While there had been some disagreement on the number of amendments that would be considered, it was the move by Sen. Reid to change the voting rules on the consideration of appointments that sealed the fate on the chance to get this bill to a final Senate vote before the Thanksgiving recess.

In a common parliamentary move, Reid actually voted against the bill. This will allow him to ask for reconsideration of the cloture vote. A successful vote then would allow the Senate to move forward on the voting process. This move is unlikely to be used this week as it is unlikely that the Republicans will be cooled down enough to accept cloture.

Failure to pass this bill before the Thanksgiving break makes it very difficult to get it passed and into conference with the House and then back to the floor for votes before the end of the year. As December advances, more effort will be made to get the consolidated spending bill complete, putting this DOD bill on the back burner. It isn’t yet impossible; it’s just getting more unlikely.

ICS-CERT Updates Master DNP3 Implementation Vulnerability Advisory

Just a little over a month ago ICS-CERT took the unusual step of posting a master advisory covering 9 separate advisories for essentially the same input validation vulnerability in different systems. Anyone with rudimentary prognostication skills could have predicted that when ICS-CERT published two more advisories in the series, they would be morally required to update the list of included advisories. They did that today; published the –A version and added Catapult Software and GE to the list.

There are going to be at least 14 more advisories according to the Project Robus web site and Adam Crain admits they stopped counting, so it may be 15 or more yet to come. That ‘or more’ comes from the fact that multiple vendors have used the library identified in the Triangle Microworks advisory and they may/should self-report the vulnerability after they apply the fix developed by Triangle Microworks.

Oh yes, and Crain-Sistrunk are supposed to be presenting at Digital Bond’s S4x14 and will be discussing the fuzzing technique they’ve used to identify these vulnerabilities, so who knows how many other people will start looking for, finding and reporting these vulnerabilities.

We just might get to a –AA or –BB version of this advisory yet.

Senate to Close S 1197 Debate Friday

A cloture motion to end debate on S 1197, the National Defense Authorization Act for Fiscal Year 2014, was filed yesterday and there will be a vote on the motion on Friday. This raises the possibility that a final vote on the bill could take place before the Thanksgiving recess.

As part of the unanimous consent motion to continue debate today on the bill, a deadline for 1 pm today was established for the filing of first-degree amendments to the bill. Yesterday there were again a large number of amendments offered to S 1197. This time there were a number of cybersecurity related amendments. Four of those were minor wording changes to existing cybersecurity provisions (SA 2352 – SA 2355) offered by Sen. Landrieu (D,LA).

The only other cybersecurity related amendment, offered by Sen. Moran (R,KS), would modify the wording of §945 concerning the use of National Guard personnel in a cybersecurity role. I have not had a chance to review all of the substitute wording, but the significant provisions that I described in the original bill are still there.

DHS Updates CFATS SSP Status

Last weekend I complained about the CFATS Update being late. It turns out that I may have been a little unfair in that assessment. Yesterday the folks at the DHS Infrastructure Security Compliance Division (ISCD) posted their November CFATS Update Fact Sheet to the Critical Infrastructure: Chemical Security web site. The reason for the ‘delay’ is that they changed the ‘as of’ date from the first of the month to November 19th to provide a full month of regulatory activity instead of reporting the calendar month that was half eaten up by the federal funding fiasco. That change in reporting period may have ended up being a political miscalculation. It turns out that there was a dramatic drop in the SSP approval rate, and with the changed effective date it can’t be blamed on Congress.

The Data

To see what I mean just look at the Total Number of SSPs Authorized/Approved graph below. The number of Authorized plans continues to grow nicely, but there is only a small growth in the number of Approved plans.

The true extent of the problem can be better seen in the SSPs Authorized/Approved per Day graph below. This shows that the SSP daily approval rate is the lowest since ISCD started providing these updates in April.

In fact, if you look at the total number of facilities yet to be approved and allow ISCD a 50 week work year at 5 days per week, it will take ISCD 27.1 years to complete the remainder of the SSP approvals at the daily rate exercised in the latest period.

The Problem

Two weeks ago I reported a potential reason for this drop in approval rates. I had heard from the field that there has been an increasing number of instances where the subject matter experts at ISCD Headquarters were overruling the recommendations from the chemical security inspectors (CSI; again, PLEASE let’s change their title to get rid of that acronym) on the approval of the site security plans at the smaller chemical facilities. These are the facilities that are now typically being visited in the SSP approval/authorization process.

The whole point of the tiering process in CFATS was to ensure that the lower risk facilities only had to have security measures commensurate with the risk they faced. A realistic security program has to take into account that smaller facilities (usually from smaller companies) also will not have the expertise and resources (manpower and money) to have as elaborate a security system as larger facilities. But, they also have the advantage of having fewer people on site who all know each other and know more about the facility details than would the employees and contractors at a larger facility. Security anomalies will be caught faster at these smaller facilities than would similar situations at the bigger, more anonymous chemical plants.

We should be seeing an increase in the rate of authorizations and approvals for site security plans now that the bulk of the large, complex facilities have been taken care of. It should be taking a smaller team of CSI to visit each facility. The inspections should be taking less time as there is less stuff to look at. The CSI proficiency at conducting the inspections should be increasing and the contractors supporting the facility security plans should have a better understanding of the SSP authorization and approval process. All of this means that we should be seeing an acceleration in the rate of authorizations and approvals, not a slowdown.

The Alternative View

Now there may certainly be another explanation for the delay. The FFF may have caused a number of CSI to quit, for instance (I have not heard of any such reports, but it is possible). As always, I freely offer to provide ISCD Director Wulf, or any of his staff, open access to this forum to provide another explanation for the change in the SSP approval rate.

In any case, we will be hearing an explanation when he goes back before Congress. Any one of three House committees and the Senate Homeland Security Committee are all about due to hold CFATS oversight hearings again in the near future. And they are notoriously less likely to actually listen to the response.

NOTE: Graphs were added at 11:15 CST on 11-26-13

Wednesday, November 20, 2013

Reader Comment – 11-20-13 –

Readers might remember that in a piece I wrote yesterday about the Chemical Safety and Security listening sessions I described my experience with the web site that DHS is now using for the registration for these listening sessions. I also sent off a quick email to the site management and got a very nice reply back from Kerry Rea, President. Today, she also posted a very nice response to my comments on the blog.

Apparently this web site was set up as a means for military, government employees, and contractors to keep track of, and sign-up for, on-line and face-to-face, training and policy discussions. I would assume that Ms Rea’s company receives some sort of government compensation for this service. For her sake I hope that it isn’t some sort of flat fee arrangement if DHS is going to continue to expand their use of the service for public sign-ups for meetings.

Ms. Rea did mention in her comments that under the current set up, the best way to complete the registration process for the average person would be to make the same selection that I did; ‘government employee/military’.

BTW: I think Ms. Rea’s prompt response to my email and her extra-step comment to my blog post are the sign of an individual (and company) that understands the value of customer service. I suspect that her company will go far.

New FRA-PHMSA Railroad Safety Advisory

Today the Federal Railroad Administration (FRA) and the Pipeline and Hazardous Materials Safety Administration (PHMSA) published a new Joint Safety Advisory in the Federal Register (78 FR 69745-69746) concerning safety and security plans for shipping Class 3 (flammable/combustible) hazardous materials by rail. This is a follow-up advisory to the one issued in July and the FRA Emergency Order 28 that was issued as a result of the “catastrophic railroad accident [that] occurred in Lac-Mégantic, Quebec, Canada” on July 6th.

Reiterate Old Guidance

There is really no new guidance offered in this Advisory. The FRA and PHMSA are reiterating the requirements for:

• The proper characterization, classification, and selection of a hazardous materials packing group as required by the Federal hazardous materials law (49 U.S.C. 5101-5128) and Hazardous Materials Regulations (HMR; 49 CFR parts 171-177); and

• The requirement that offerors of hazardous materials by rail and rail carriers should have reviewed and revised, as appropriate, their safety and security plans required under Subpart I of Part 172 of the HMR, including the required risk assessments, to address the safety and security issues identified in EO 28 and the First Joint Advisory.

Compliance Auditing

The only new information in this advisory is in the final paragraph describing the enforcement activities that FRA and PHMSA are undertaking in support of this and the earlier safety advisory and Emergency Order. Those activities include:

• ‘Operation Classification’ - unannounced inspections and testing by PHMSA and FRA to verify the material classification and packing group assignments selected and certified by offerors of petroleum crude oil;
• PHMSA-FRA joint audits to evaluate safety and security plans and to determine whether the plans address vulnerabilities highlighted in EO 28 and the First Joint Advisory; and
• FRA inspections to determine compliance with EO 28.

Ignores Alabama Derailment

It is interesting that there is no mention in this Advisory of the FRA investigation into the recent derailment of a crude oil unit train in Alabama. While that accident did not result in the loss of life or the destruction of non-railroad property seen in the Canadian derailment, it is the first such incident being actively investigated by FRA. Or at least it should be being investigated by FRA; there has been no public announcement of any such investigation.

Tuesday, November 19, 2013

Identical Twin ICS-CERT DNP3 Advisories Published

Today the DHS ICS-CERT published two virtually identical DNP3 advisories for twin improper input validation vulnerabilities in Catapult Software DNP3 Drivers and the GE Proficy platform. The reason that they are nearly identical is that the Proficy vulnerability is due to the use of the Catapult Software drivers. Since these are familiar DNP3 vulnerabilities, it should come as no surprise that they were first reported by the team of Crain and Sistrunk. Technically, GE self-reported their vulnerability when notified of the problem by Catapult Software.

These are the same IP-based and serial-based validation vulnerabilities that we have seen before in similar Crain-Sistrunk based advisories. ICS-CERT reports that the IP-based vulnerability has a higher CVSS v2 base score (7.1 vs 4.7) but that reflects the fact that the IP-based vulnerability can be more easily exploited remotely. Many cybersecurity commentators (though certainly not all) note that physically accessing the serial connection may actually be easier at remote, low-security sites.

Catapult Software has produced updated software that mitigates both their system vulnerabilities and the Proficy vulnerabilities. The Catapult advisory does report that Crain and Sistrunk have validated the efficacy of the new software version. While that is not specifically mentioned in the GE advisory, I would assume that the same validation applies to the Proficy issues.

The Automatak web site reports these vulnerabilities as numbers 10 and 11 of the 25 vulnerable systems that they have discovered. I wonder how many of the remaining 14 are also based upon either the Catapult system or the earlier Triangle Microworks library. Both have obviously been made available (sold) to other vendors. Of course, it is also possible that Crain and Sistrunk have not yet found all of the system vulnerabilities since they have apparently stopped looking for these vulnerabilities; no challenge left I suppose.

Hopefully, any unidentified DNP3 vendors will take the leads posted by these two and self-correct and self-report their problems without being identified by Project Robus.

NOTE: A quick update from an Adam Crain Tweet® - None of the remaining vulns are catapult related. Should probably read 11/26 now, but we've kinda stopped counting.

Senate Moves to Debate S 1197, FY 2014 DOD Spending

As I noted in yesterday’s blog post, the Senate voted on the cloture motion to allow the Senate to proceed to the consideration of S 1197, the National Defense Authorization Act for Fiscal Year 2014. The cloture motion passed by a vote of 91 – 0; clearly a bipartisan vote. A large number of amendments were also offered, but none had anything to do with cybersecurity or chemical safety.

As I noted earlier, this bill has a number of cybersecurity provisions that are missing from the House bill, HR 1960, passed in the House back in June.

Actual debate on the bill started today, and there will be additional amendments offered. Debate on this bill is never short. A final vote is not really expected until after Thanksgiving.

NPPD Publishes Chem EO Listening Sessions Notice – 11-19-13

The DHS National Protection and Programs Directorate (NPPD) published a notice in today’s Federal Register (78 FR 69433-69434) announcing the next two public listening sessions being held jointly with OSHA and EPA concerning the President’s Chemical Safety and Security Executive Order (EO 13650). It also lists the dates for two webinars that will serve a similar purpose.

The notice provides addresses for the previously announced listening sessions in Springfield, IL (today, kinda late huh?) and Orlando, FL (December 11th). The later sessions are not listed.

The notice lists a new (to me anyway) on-line service for registering for federal government events. The notice states that:

“If you wish to attend any public listening session and/or a Webinar and/or make an oral comment/presentation at both the in-person and Webinar listening sessions, you must register at “

As of this writing (06:05 CST) today’s meeting is listed (on page 2) but the December 11th session is not. The November 25th webinar is listed, but the December 16th webinar is not listed. The registration process is relatively painless.

NOTE: This site requires registration, but it has some peculiar rules. Unless you belong to a listed government agency or contractor you have to select ‘government employee/military’ to get through the registration process. They really need a ‘private citizen’ listing if they are going to require the use of this site for meeting registrations. Once registered in their system you can sign in via LinkedIn or Facebook accounts.

CG Publishes Direct Final Rule on TWIC Use

Today the Coast Guard published a direct final rule in the Federal Register (78 FR 69292-69296) correcting references in 33 CFR 141 stating that the Transportation Workers Identification Credential (TWIC) “alone may be accepted by an employer as sufficient evidence of the TWIC holder's status as a U.S. resident alien”; allowing such individuals to work at Outer Continental Shelf activities.

Section 141.30(d) lists the TWIC as one of four documents that an employer may accept as stand-alone evidence of an individual’s status as a resident alien. However, 49 CFR 1572.105(a) lists a number of types of non-resident aliens that are authorized to be issued a TWIC. This means that a TWIC is not sufficient proof that an individual is either a citizen or a resident alien.

The preamble to this rule notes that §141.30(d) was added to the regulation in 2009 without any specific mention of why the sub-paragraph was added. There is no explanation (not unexpectedly) of why it has taken four years to find and correct the error.

The Coast Guard is using the unusual technique of issuing a direct final rule in this instance because there would be no purpose served by publishing an NPRM and receiving public comments on that document. This is clearly a legal error in the regulation that must be corrected and no public comments to the contrary will change that.

It would be interesting to see a report by the DHS IG’s office looking at how many people were actually incorrectly allowed to work at the affected Outer Continental Shelf activities as a result of the application of this incorrect standard.

Monday, November 18, 2013

CFATS Knowledge Center Update – 11-18-13

This afternoon the folks at DHS Infrastructure Security Compliance Division (ISCD) updated the CFATS Knowledge Center, revising the response to one of the large number of frequently asked questions (FAQ). According to the ‘Latest News Entry’ for CFATS Knowledge Center:

The answer to FAQ 184, “What is a thermal radiation zone?” was updated to provide greater clarity and include links to additional resources.

Getting There

Entering ‘184’ (don’t waste your time with ‘FAQ 184’, ‘FAQ #184’ or ‘FAQ Number 184’; they won’t get you there) into the search block on the CFATS Knowledge Center page and then clicking through the question “What is a thermal radiation zone?”, you get taken to the FAQ 184 page (Sorry, I can’t give you a link, there are no permanent links to FAQ responses).

Once there you get informed that the term is used in “Section 6.0 of the Department of Homeland Security, CSAT Top-Screen Survey Application User Guide” and are provided with a printed copy of a link (not actually a real link, just a cut and paste copy of a link. I don’t understand why, but that is the way they do it in all of the FAQ responses). Actually, sections 6.2 and 6.3 (pgs 31 and 32) refer to questions about thermal radiation zones for liquefied natural gas facilities.

The Answer

The new response explains:

“Thermal radiation refers to the radiation emanating from a fire burning above a liquefied natural gas (LNG) spill. Thermal radiation from on-site fires fed by an evaporating pool of spilled LNG can cause first, second and third degree burns. The CSAT Top-Screen Survey Application User Guide references U.S. Department of Transportation regulations 49 C.F.R. § 193.2057 (2010) and 49 C.F.R. § 193.2059 (2004) [Links added], which provide modeling and parameters information for a thermal radiation zone,”

It also goes on to provide a copy of a link to Part 193 of 49 CFR in the Electronic Code of Federal Regulations. In the quote above I have added actual links to the sections referenced. Again I am not sure why ISCD doesn’t go that one extra step to make it just a little bit easier for most folks who are not used to navigating the CFR.

This is an improvement of sorts over the earlier answer that was put into the FAQ Response list back in August of 2007. That earlier answer was more technically correct, but decidedly unhelpful to anyone searching for information. It simply stated that:

“Thermal radiation occurs from a fire burning above a liquid spill on the site. Thermal radiation from on-site LNG fires fed by an evaporating pool of spilled LNG can cause first, second or third degree burns to the skin of humans exposed to the radiation, depending upon the intensity of the radiation. For a given fire, this intensity decreases with distance from the fire. Under FERC rules, the allowable exposure is 5 kilowatts per square meter, an amount that produces second degree burns after only thirty seconds exposure. FERC allows thermal radiation beyond the site boundary as long as its level is below 5 kilowatts per square meter. This is the thermal radiation zone.”

More Information

Neither of these answers would be particularly helpful in providing guidance on how to answer the one Top-Screen question related to the ‘thermal radiation zone’. That question is:

“Provide the distance (in feet) of the 5kW/m2 thermal radiation zone using the 49 CFR Part 193 site requirements (§193.2057).”

To find out how to do this calculation you have to go to §193.2057(a) to find out that you have to use a computer model from the Gas Technology Institute; GTI–04/0032 LNGFIRE3. This computer model is available from the Gas Technology Institute for the paltry sum of $500. Now I suspect that most LNG storage facilities already have someone on staff that has access to LNGFIRE3. That means that it isn’t quite the financial burden that it would seem at first.

Still, it would have been helpful to have the information about the LNGFIRE3 software available in this FAQ instead of making people dig through the CFR entry and then go searching for the program. Of course it would be even more helpful if there had been a link provided to a no-fee copy of the software, even an abbreviated version of the software that would just allow the calculation of the 5kW/m2 thermal radiation zone.

Cyber Attack Emergency Services

There is an interesting article over at about the establishment of an emergency response service for cybersecurity events. It isn’t really a unitary service, but rather a certification process for private sector organizations that provide the service. This “service” is for organizations in the UK, but there is no reason that such a service couldn’t be established here. This is a quick look at some of the things that would have to be included in the certification process for such a service here in the US.

CFATS Customers

There are two different types of regulated organizations that might use this service that would require additional certification verifications before they could use the offered services; chemical facilities regulated under CFATS and defense industrial base organizations. Both types of organizations would almost certainly require personnel surety vetting of any investigators allowed access to covered computer systems.

Any computer system that has been identified as a critical system under a chemical facility’s site security plan {and this would almost certainly include any control system used in the manufacture or handling of DHS chemicals of interest (COI)} would be covered under the requirement for a background check. CFATS rules require that anyone with unaccompanied access to a critical system has to undergo a background check including vetting against the Terrorist Screening Database (TSDB).

I would argue that any access to a covered control system (or information system for that matter), especially the level of access required for an emergency response to an attack on such a system, would have to be considered ‘unaccompanied’ even if a control system engineer was sitting right beside the cyber-responder the whole time he had access to the system.

Access to an information system at a CFATS facility that contained information about the CFATS program implementation would also require that anyone given access to that system would have to be certified by DHS for access to Chemical-Terrorism Vulnerability Information (CVI). This could be avoided if all CVI information were held on a non-networked computer.

DIB Customers

Many defense industrial base organizations store or have access to classified information. Any computer systems that house such information would require a security clearance to access. It could also be argued that systems that contained sensitive unclassified information would require special vetting of personnel before they were given access to such systems.

For the control system side of things, this is the type of thing that the ICS-CERT flyaway teams routinely do. Of course there are a number of private organizations that do similar work and I am not sure that we can continue to justify this work by ICS-CERT in view of that fact. I know that there have been some objections raised about the ‘unfair’ competition provided by ICS-CERT. Additionally, the ICS-CERT team is relatively small and I doubt that it could handle any significant increase in taskings for this type of response.

I would assume that ICS-CERT teams do have the requisite clearances to handle the DIB cases, though I would suspect that there is a DOD team that would handle this type of activity for DOD associated organizations.

I would be surprised if the ICS-CERT people were not already vetted in a manner that would be acceptable to the folks at ISCD for CFATS covered facilities. For CFATS related organizations I might suggest that ISCD and ICS-CERT establish an MOU that would specifically allow CFATS facilities to contact ICS-CERT for suspected control system attacks without the need for worrying about vetting the flyaway team for unrestricted access to those control systems.

Existing Private Vendors

It would be interesting to hear from any vendors currently working in the emergency cyber response business to see what they are currently doing in regards to documenting the vetting of their personnel for customers or potential customers in the CFATS program or the DIB program.

Congressional Hearings – Week of 11-17-13

Both the House and Senate will be back in session today. While there are a number of hearings scheduled for this week only three appear to be of specific potential interest to readers of this blog: they include medical software, FirstNet and DHS confirmation hearings. And it looks like the Senate may actually consider the 2014 National Defense Authorization Act, S 1197.

Medical Software

The Health Subcommittee of the House Energy and Commerce Committee will be holding a hearing tomorrow looking at “Federal Regulation of Mobile Medical Apps and Other Health Software” and HR 3303. As I mentioned in my blog post about that bill, there is nothing currently in the bill that would extend FDA regulatory authority to software security issues. There is an outside chance that this will come up during this hearing.

BTW: There is a nice background document on the hearing web site, but no mention of software security issues.

FirstNet

The Communications and Technology Subcommittee of the House Energy and Commerce Committee will hold an oversight hearing on FirstNet and the Advancement of Public Safety Wireless Communications. No witness list is currently available.

DHS Confirmation

The Senate Homeland Security and Governmental Affairs Committee will vote tomorrow on the nomination of Jeh C. Johnson to be the Secretary of DHS. While there has been some controversy about the background of Mr. Johnson, this vote coming so soon after his appearance before the Committee probably means that a favorable vote will be forthcoming.

S 1197

According to the Congressional Record, the Senate is scheduled to vote on a cloture motion to allow the Senate to proceed to consideration of S 1197. As I noted earlier, this bill has a number of cybersecurity provisions. Its original consideration was held up by the general disagreement between the Republicans and Democrats on spending issues. I’m not sure what has changed, but it would seem that Sen. Reid (D,NV) thinks that he has enough votes to move this bill forward.

If it passes (and it probably will if the cloture vote succeeds) it will then be tacked onto the House Bill (HR 2397) which probably means another spending conference committee. Many of the same folks will be on that conference as are on the budget conference that is trying to iron out differences between the Senate (read Democrats) and House (Republicans) so that a final 2014 spending bill can be put together.

This move by Reid may signal that there is at least some agreement between the conferees on defense issues.

Sunday, November 17, 2013

Cybersecurity Framework Update – 11-16-13

This week saw an interesting update of the NIST Cybersecurity Framework web site. The main portion of the page was significantly truncated, removing all of the information about the processes leading up to the publication of the Preliminary Cybersecurity Framework. Links to this information are provided in the ‘Additional Information’ section in the right-side column on the site.

Another interesting change was the addition of a link to an e-book version of the Preliminary Cybersecurity Framework. This is part of a NIST experiment in the publication of e-book versions of important documents. There is not yet an e-book standard format and NIST notes that their format will not work on all combinations of applications and devices. They have been successfully tested on the “iBooks app on an iPad2, and the Kobo and Moon+ readers on a Samsung Galaxy Tab and ASUS Nexus 7” but there may be problems on some Kindles®.

CSF Comments

Almost a month ago, NIST established the web site where they will be publishing comments. To date there is nothing posted to that site. I do not think that that is because there have been no comments submitted (sorry about the double negative), but rather due to the way that NIST will be analyzing the comments. As I noted in my earlier post on the publishing of the CSF in the Federal Register, the format for submitting comments will make it very easy to compile and analyze the comments, but it would make it rather tedious for outside readers to look through all of those forms to get an idea of how the public is responding to the Cybersecurity Framework.

Personally I would rather have a chance to peruse them as they are submitted so that I could do a weekly take on what is being said, rather than have to go through them all at once at the end of the submission process. This apparent methodology of delaying the printing of the comments also limits the possibility for people to respond to previously published comments.

5TH Workshop

For those of us who could not get to this week’s workshop in North Carolina, NIST has posted links to web casts of the morning sessions made by North Carolina State University (Note: The audio portion of the presentations is poor in many places). These were mainly panel discussions, which included

• Preliminary Cybersecurity Framework Overview (Day 1; 0:22);
• Privacy and Civil Liberties (Day 1; 1:50);
• ISA Presentation (Day 2: 0:01)
• Perspectives from Telecom Sector (Day 2; 0:11);
• Adoption Considerations for the Framework (Day 2; 1:28); and
• Next Steps (Day 2; 2:21)

The only place where there is any significant mention of industrial control system security is during the ISA presentation. It focuses on the work of ISA99 Committee developing standards for cybersecurity for industrial control systems.

It would have been nice to have a web cast of the break out groups, but that would not have been practical. The problems with getting releases from all of the participants and difficulties of getting good sound from those discussions would have been problematic.