Sunday, January 19, 2014

Short Takes – 1-19-14

In a week that was dominated by news out of West Virginia or budget talk, there were a number of items that slipped through the cracks of my blog. Here is a quick look at some of the thing that I missed discussing:

Crude Oil Trains

There was lots of talk about the ongoing issue of burning and exploding train cars in crude oil train derailments.

The Canadian government is proposing new regulations that deal with crude oil trains. There are a couple of news articles (here and here) and text of the proposed regulations.

There was more discussion about the hazard classification of crude oil from the Bakken Shale fields. Of particular interest was a discussion of what the industry knew about mis-identification of the hazards along with an industry slide presentation. We are still waiting on the final word on the PHMSA testing.

More information on the New Brunswick derailment from the previous week indicates that the new DOT 111 cars held up better than the older ones; not really news, but it does confirm previous research.

There was a nice article about why the crude trains are going to remain in operation and others (here and here) about what industry is talking about doing to make them safer.


With the S4x14 control system security conference in Miami this last week there was lots of cybersecurity stuff in the news.

I stumbled into the SANS Reading room and found an interesting (but very lengthy) article on physical breaches of cybersecurity sites. This is very important because almost all cybersecurity researchers note that if you can touch a control system, you can almost certainly own it.

There was another lengthy article this week about security of embedded devices.

Then there was the article about firmware upgrades to the Tesla electric car that completely failed to mention security concerns associated with remote firmware updates.

A British research institute (with government backing) is apparently looking at ways to increase the security of control systems. It will probably be ineffective, but it might contribute to the knowledge base.

The S4x14 conference produced its expected level of controversy. Dale has not yet begun posting videos of the key presentations, but two sets of authors have posted copies of the slide they used in their presentation. Crain-Sistrunk detailed their DNP3 research and Luigi-Donato looked at protecting control systems, even without vendor support. The Luigi-Donato slides include their Ecava vulnerability announcement.

If it is actually possible, remote access to control systems became even more insecure this week when it was noted that an Android vulnerability allowed attackers to bypass VPN security measures.

And, as if we hadn’t heard enough nasty news about the capabilities of the NSA, there was an article from that tech leader, the New York Times, about how NSA has inserted devices into a handful (85,000 to 100,000) of computers that would allow the NSA to communicate with them even if they are not hooked up to the internet; so much for the air gap thing.

CSB Funding

The week he convinced the CSB to take up the investigation of the Freedom spill (even though there was no fire/explosion or people killed) and Sen. Rockefeller (D,WV) asked the Senate Appropriations Committee to increase the funding for the Chemical Safety Board. Rockefeller has long been a supporter of the Board and its chemical safety efforts in West Virginia (and the rest of the country) and as the Chair of the Senate Transportation and Infrastructure Committee he has a clear legislative interest in the Board, but the timing of his letter does smell just a tad bit.


The latest version of the Congressional Research Service (CRS) report on the CFATS program and the legislative issues surrounding it has been published. Once again we have to get a copy of it from the Federation of American Scientists. I will have more on this one in later posts.

Click on first link for the conversation. Follow me on TWITTER at pjcoyle.

@pjcoyle @mikko @MrMeritology "World's trust" is a tad bit overboard. NSA job was always to spy on the rest of the world.

‏@pjcoyle @i_defender In either case the consumer ultimately pays through higher prices, reduced services, more complex transactions

@Kenwardjr BTW ... Obama EPA is still refusing to provide anyone from their end to discuss the WV chemical spill ... very typical for EPA I'm afraid.

@pjcoyle @isssource @SCADAhacker I hope some university industrial hygine program doess a health study of the folks in Charleston for MCHM exposure

@PatrickCMiller NEWSFLASH: Critical Infrastructure [will always] have a very high target value. Act accordingly.

@pjcoyle @techreview This is the Edison approach to chemical engineering.

@pjcoyle @Phil_Radford @ilyseh @dhlovelife It was more than a little late, but """probably""" won't cause any long term effects.

@pjcoyle @PatrickCMiller I'll bet NSA is jealous..

@pjcoyle @kgcrowther @ProfCharlesHaas While imprecise to say the least, CDC had to do something or WV would still be without water.

@pjcoyle @kgcrowther @ProfCharlesHaas If MCHM use is widespread in coal industry, maybe they should fund additional study?

@isssource Microsoft will extend support for its antimalware software for Windows XP into 2015.

@socma Today in @ICISnews: Market outlook: US chemical industry seeks regulatory action in 2014. 

@pjcoyle @selil @johnmccumber And you're almost always going to be wrong in hind sight, either too aggressive or not aggressive enough

@pjcoyle @DoubleJake @JimGilsinn Or will ask "Have you updated your AV?"

@Hfuhs NIST drops privacy appendix from cybersecurity framework - 

@pjcoyle An Introduction to Cyber Intelligence -  - Robert Lee article - PJC Good opening discussion of cyber intelligence -

No comments:

/* Use this with templates/template-twocol.html */