Saturday, August 30, 2014

WeAreTheArtillery

I have been seeing a new cybersecurity ‘organization’ mentioned frequently on Twitter here recently. Today I found their blog ‘Firing for Effect’ and it looks like an interesting concept. I’ve added their blog to the list on this page. I don’t know how much they will concentrate on ICS security issues, but I certainly applaud their disclosure policies.

Reconfigurable Industrial Control Systems Cybersecurity Testbed RFQ

A couple of weeks back I did a post on a solicitation from the National Institute of Standards and Technology (NIST) for information about establishing a reconfigurable ICS testbed. Well this week NIST published a request for a quote for such a system. The response time for the RFQ is even shorter than the request for information was; it has to be submitted by September 8th.

The RFQ includes a 17-page description (Word® download link) of the system to be supplied and the actual solicitation notice (.PDF download link). NIST is describing the system this way:

“The National Institute of Standards and Technology (NIST) is in the process of developing a cybersecurity test bed for industrial control systems. The goal of this system is to measure the performance of industrial control systems when instrumented with cyber-security protections in accordance with best practices prescribed by national and international standards and guidelines. Examples of such standards and guidelines include IEC-62443 and NIST-800-82. The testbed will include a variety of industrial control simulation scenarios. The first of the scenarios will entail the simulation of a well-known chemical process called the Tennessee Eastman (TE) problem. The TE problem is an ideal candidate for cyber-security investigation because it is an open-loop unstable process that requires closed-loop supervision to maintain process stability and optimize operating costs.”


This is a small business set aside project. Only organizations with fewer than 500 employees should submit quotes. NIST is only accepting quotes via email.

If you did not take a close look at the project when it was announced earlier you might have a hard time getting a quote together in time. On the other hand this would probably be a great project to be involved in.

Thursday, August 28, 2014

No Wonder the Public is Ill-informed

The discussion about the location of chemical plants and emergency responder knowledge of what is stored at chemical plants is a complicated enough problem that it does not need to be complicated by unnecessary public hysteria. It is no wonder, however, that the public gets concerned when inaccurate news stories like this piece at HomelandSecurityNewsWire.com about the closing of an ammonium nitrate distribution facility ‘contribute to the discussion’.

The article is actually an extraction of information from a well written local Texas newspaper article about the apparent closing of an El Dorado Chemical company distribution facility in Pittsburg, TX (NOT Pennsylvania as HSNW reports). The newspaper story is part of the on-going discussion in Texas about ammonium nitrate distribution facilities in small towns across the State; a discussion started by the West Fertilizer plant explosion in April of last year.

The HSNW digested story reports that “the Pittsburgh facility, which was reported to have stored around thirty tons of ammonium nitrate — the combustible matter responsible for the West disaster — at the time of the 17 April incident”. What the newspaper story actually said was that the “West plant [not the Pittsburg facility] was reported to be storing about 30 tons of ammonium nitrate, investigators say exploded after a fire broke out in the West plant on April 17, 2013”.

The HSNW story goes on about how officials were concerned about the movement of the ’30 tons of ammonium nitrate’ saying: “While some — including Superintendent Judy Pollan — were relieved that the company was now gone, others questioned the danger of moving the thirty tons of chemicals around within the city.” Not only was this ‘questioned the danger’ statement never mentioned in the newspaper article but the topic of the transportation of ammonium nitrate was never mentioned and has generally been absent from the discussion of the West, TX incident.

Another silly statement was made up whole in the opening paragraph of the HSNW story: “The city emergency management department was aware that the plant was to be closed, but they were not informed of the date – or the fact that the company chose to move the volatile and toxic material [emphasis added].” Forget, for the moment, that ammonium nitrate is not ‘volatile’ or ‘toxic’; everyone would hope that the company would move the ammonium nitrate out of a facility that was being closed. Not doing so would pose a larger danger to the community.


The HSNW story makes the closing of the Pittsburg, TX facility sound like some diabolical plot by a nefarious chemical company. The newspaper story paints a much better picture of a complicated issue that faces many rural towns; agricultural chemical storage facilities that have been a fixture of the town for a long time, but are now a potential danger as the town has grown up around them. The HSNW story does nothing to help understand the problem.

Wednesday, August 27, 2014

DHS Updated Chemical Security Landing Page

This morning the folks at DHS updated their Critical Infrastructure: Chemical Security web page. The update is fairly minor; the reference to the CFATS update link has been changed to read “August 2014” instead of “July 2014”.


There are a couple of other problems with the page that I have not gotten around to pointing out and this seems like as good a time as any. First, the link for the “Risk Based Performance Guidelines” no longer goes to the RBPS Guidance document, but rather to the fact sheet published for the latest iteration of the Personnel Surety Program ICR. Second, the link to the “Cyber Executive Order 13636 Section 10(b) Report” returns an “Access Denied” error message. Both of these problems pre-date today’s page revision.

CG Announces NMSAC Meeting in September

Today the Coast Guard published a meeting notice in the Federal Register (79 FR 51186-51187) for a two day meeting of the National Maritime Security Advisory Committee starting September 16th in Baltimore, MD. Cybersecurity will be one of the topics discussed at the public meeting. The meeting will be available on-line and via teleconference.

The agenda for the meeting includes:

Notification of Maritime Security Level changes to international partners; and

The Coast Guard is planning on conducting a one-day cybersecurity symposium. The agenda item for this meeting is the review of a draft agenda for that symposium.


Public input may be sought during each of the agenda items and there will be a period of time put aside at the end of each day’s meeting for public comments. Registration is required for 5 minute presentations made during those comment periods. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2014-0790).

Tuesday, August 26, 2014

ICS-CERT Publishes Two New Advisories

Today the DHS ICS-CERT published two control system cybersecurity advisories for multiple vulnerabilities in the CG Automation Substation Gateway and the Schneider Electric Wonderware Information Server.

Wonderware Advisory

This advisory reports on five vulnerabilities reported by Timur Yunusov, Ilya Karpov, Sergey Gordeychik, Alexey Osipov, and Dmitry Serebryannikov of the Positive Technologies Research Team in a coordinated disclosure. ICS-CERT reports that Schneider has produced an update that mitigates these vulnerabilities but there is no indication that Positive Technologies Research has validated that update.

The five reported vulnerabilities are:

• Account encryption and storage - CVE-2014-2381 and CVE-2014-2380;
• Cross site scripting - CVE-2014-5397;
• Improper input validation - CVE-2014-5398; and
• SQL Injections - CVE-2014-5399

ICS-CERT reports that crafting an exploit of these vulnerabilities ‘would be difficult’.

Looking at the CVE numbers it looks like there may have been two different vulnerability reports by Positive Technologies Research separated by a significant amount of time.

CG Automation Advisory


This advisory is the latest Crain-Sistrunk disclosed DNP3 improper input validation vulnerability. This should be the 22nd system report published by ICS-CERT of the reported 30 Crain-Sistrunk DNP3 reports submitted to date, according to the Automatak Robus web site. CG Automation has provided an update. ICS-CERT specifically reports that CG Automation has self-validated the efficacy of the fix, not Crain-Sistrunk; something smells there.

Follow-up NOTE (08-27-14 07:46 CDT): Adam reports that he and Chris no longer have access to CG Automation hardware to do the validation testing. So nothing nefarious, but it would have been appropriate (IMHO) for CG Automation to offer access for validation testing.

NIST Publishes Framework Follow-up RFI

Today the National Institute of Standards and Technology published a request for information in the Federal Register (79 FR 50891-50894) concerning information about organizational experiences with the implementation of the Framework for Improving Critical Infrastructure Cybersecurity that was published in February.

Responses to this RFI will help NIST develop tools and resources to help organizations to use the Framework more effectively and efficiently. The information will also be shared with DHS to aid in the implementation of the Critical Infrastructure Cyber Community (C3) Voluntary Program that the Administration developed to encourage organizations to implement the Framework. Finally, the information will help NIST to establish the agenda details of the upcoming Framework review workshop in October 2014.

The RFI is looking for specific information in three broad categories. Within each of those areas NIST proposes a series of questions that it would like to have answered by critical infrastructure organizations, standards setting organizations, and governmental agencies at all levels concerned with cybersecurity issues. Those three categories are:



As we came to expect during the development of the Framework, NIST is not using the Federal eRulemaking Portal for their information collection process. Responses will be sent directly to NIST and may be submitted by email (cyberframework@nist.gov). Responses should be sent by October 10th, 2014. Responses will be published on the NIST Framework web site.

PHMSA Publishes Latest Harmonization NPRM

On Monday, the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice of proposed rulemaking (NPRM) in the Federal Register (79 FR 50741-50834). This NPRM is the latest in a series of rulemakings that attempts to harmonize the US Hazardous Materials Regulations (HMR) with the rules of the various international agencies that regulate the transport of hazardous materials throughout the rest of the world. These changes are necessary to make it easier for American companies to compete in international commerce.

This proposed rulemaking will adopt various changes in international regulations including changes to proper shipping names, hazard classes, packing groups, special provisions, packaging authorizations, air transport quantity limitations, and vessel stowage requirements. In addition, PHMSA is also addressing harmonization related petitions by UPS (P-1631), the Council on Safe Transportation of Hazardous Articles (P-1623), and a separate COSTHA petition (P1633).

The proposed changes include:


There are eight harmonization issues that are not being addressed in this NPRM. They are:


PHMSA is soliciting public comments on this proposed rulemaking. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2013-0260). Comments need to be submitted by October 24th, 2014.

Oh, yes. PHMSA finds itself in an uncomfortable position. Some of the changed international regulations addressed in this rulemaking go into effect on January 1st 2015. There is absolutely no way that this rulemaking will be completed by that time. In order to allow US businesses to domestically initiate international hazardous material shipments in accordance with those revised regulations PHMSA is planning on issuing an interim final rule late in December with an effective date of January 1st, 2015.


In effect PHMSA is saying that the public comments that it is soliciting (as required by law) are not really expected to persuade the agency to make any significant changes to this NPRM when it goes into its final form sometime next year (or perhaps later). While this is for all practical purposes generally true for these harmonization rulemakings, it does not look good for an agency to have to publicly admit it, no matter how obliquely.

Monday, August 25, 2014

ISCD Sneaks in the CFATS Update

Sometime in the last week or so the folks at DHS Infrastructure Security Compliance Division provided their monthly update of their Chemical Facility Anti-Terrorism Standards stats on the progress being made in approving site security plans. The “Critical Infrastructure: Chemical Security” page still shows the link going to the July update for the month of June, but if you click on the link it actually takes you to the August 1st update for July. Well, maybe they are finally doing like I did a couple of months back and naming the update for the month the data pertains to, not the publishing month.

In any case the authorization and approval of site security plans proceeds at a relatively steady pace. There continue to be variations in the average daily rate of approvals, but that is to be expected because each of the facilities is truly a unique entity and will require a different security plan that will have to be considered on its own merits.




The total number of covered facilities dropped below 4,000 for the first time. Again, it would be helpful if DHS would periodically provide a report on the reasons for facilities leaving the CFATS program. The three categories for removal (I would guess) would be plant closing, reduction in inventory below Screening Quantity Thresholds, or removal of DHS chemicals of interest from inventory.




There is no information in the update about compliance inspections. There should be a large enough number of those that have been conducted now that the numbers might be of interest to the regulated and concerned communities.

Friday, August 22, 2014

ICS-CERT Releases ICS Advisory to US-CERT Secure Portal

Rumor has it that the DHS ICS-CERT has issued a control system advisory for multiple vulnerabilities in a well-known SCADA system. The advisory has apparently been issued via the US-CERT Secure Portal to allow system owners a chance to evaluate their risk and mitigate it as appropriate before the vulnerability is released to the public. I’m hearing that the public release will be sometime next month.


Once again, if you are a control system owner, a system integrator, or a control system security researcher you could be able to access this reported advisory if you were registered to have access to the US-CERT secure portal.

Thursday, August 21, 2014

ICS-CERT Updates Siemens HeartBleed Advisory Again

Today the DHS ICS-CERT published another update to the Siemens HeartBleed advisory that was updated just a week ago. The latest update provides a link to the patch for the CP 1543-1 Ethernet interface for the S 1500 system. This leaves just the RuggedCom ROX I and ROX II operating systems to be patched for this vulnerability.

Wednesday, August 20, 2014

NHTSA Publishes V2V ANPRM

Today the DOT’s National Highway Transportation Safety Administration (NHTSA) published an advance notice of proposed rulemaking (ANPRM) in the Federal Register (79 FR 49270-49278) concerning potential creation of a Federal Motor Vehicle Safety Standard (FMVSS) for vehicle-to-vehicle (V2V) communications. NHTSA believes that requiring V2V communication capability in new light vehicles would facilitate the development and introduction of a number of advanced vehicle safety applications.

Along with the publication of this ANPRM NHTSA is publishing “Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application” (.PDF download link). According to the report abstract (pg i), the “report explores technical, legal, and policy issues relevant to V2V, analyzing the research conducted thus far, the technological solutions available for addressing the safety problems identified by the agency, the policy implications of those technological solutions, legal authority and legal issues such as liability and privacy”.

This ANPRM is not an actual proposal for any specific regulatory language; rather it asks a series of questions that NHTSA needs to have answered before it can proceed with the rulemaking process. The extensive list of questions covers ten general topics:


Of particular interest to readers of this blog will be the cybersecurity questions asked in the communications security section of the ANPRM. These questions include:

• Do commenters believe that using machine-to-machine PKI for V2V is feasible, and that a security system based on PKI provides the level of security needed to support wide-scale V2V deployment?
• Do commenters believe that the current security system design (as shown in Figure IX-3 of the research report) is a reasonable and sufficient approach for implementing a secure and trusted operating environment?
• Do commenters believe the Certificate Revocation List is necessary? 
• Do commenters believe a V2V system would create new potential “threat vectors” (i.e., “ways into” a vehicle's electronic control unit) that could somehow control a vehicle or manipulate its responses beyond those existing in today's vehicles?
• Do commenters believe that V2V could introduce the threat of remote code execution, i.e., that, among possible threat vectors, malicious code could be introduced remotely into a vehicle through the DSRC [dedicated short-range communications] device and could create a threat to affected vehicles?
• Do commenters have suggestions on how NHTSA could mitigate these potential threats with standardized security practices and how NHTSA could implement a self-certification or third-party audit or testing program to guard against such threats? 
• Does the absence of encryption of the Basic Safety Message itself create any security threat, e.g., reverse engineering of a V2V system?
• If OEM DSRC devices were kept up-to-date through the current methods of upgrading that existing consumer electronics use today, would the use of this updating process introduce a new attack vector?
• Is there a possibility of cyber-attacks across the entire vehicle fleet and, if so, how should they be analyzed and addressed?
• Are there any other specific security issues that have not been mentioned here, but that should be addressed in the V2V security review?


NHTSA is soliciting public responses to the questions listed in the ANPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # NHTSA-2014-0022). Comments should be submitted by October 20th, 2014.

Saturday, August 16, 2014

Public Comments on PHMSA HHFT NPRM – 08-16-14

This is the first in a series of blog posts that will look at the public comments on the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) notice of proposed rulemaking (NPRM) on high-hazard flammable trains (HHFT).

As is typical for the early comments received on a rulemaking, the six comments in the first two weeks of the comment period come from private individuals. Organizations usually take longer to develop, coordinate and publish their comments. Individuals have a shorter response time, but their comments are frequently less technically developed and focus on limited solution sets.

Less than Helpful Comments

One commentor provides an up-to-date list of ‘Reference National Standards for a 21st Century HMR’. Few of the standards on the list have anything to do with this NPRM. Yet another commentor provides a lengthy diatribe against the Surface Transportation Board and railroads in general and proposes a complete reworking of the rail transportation system.

Simple Answers

A commentor from Washington State points out that there will be an increase in oil train traffic in that state in the coming years because of planned port and refinery expansions. This writer wants the DOT-111 cars immediately banned and briefly outlines additional safety measures that should be taken; including:

• Sensible speed limits;
• Rescheduling trains to avoid peak times;
• Notifying affected communities of increasing rail traffic;
• Requiring two operators for each train;
• Requiring that at least one of these operators is alert at all times; and
• Automatic brakes (dead-man switches).

Another commentor wants to stop any more increases in crude oil shipments until the railcar fleet is replaced with safer models.

More Detailed Suggestions

Another writer acknowledges the problems with railcar safety and poor system maintenance, but attributes the current problem of “explosions; the 300 foot fireballs, walls of fire, incinerated buildings, vaporized humans, fouled water, and poisoned soil” to the lack of stabilization of the crude oil by removing the most volatile “NGLs” (natural gas liquids). He wants the government of North Dakota to require the removal of NGLs prior to their being loaded for transport.

Another writer of an obvious technical background wants to ensure that the hazard classification of crude oil is correct by requiring a detailed certificate of analysis (that would “include dissolved organic and inorganic gasses, % composition of aromatic and aliphatic compounds and their identity and quantification of inorganic substances including radioisotope identification”) to accompany each shipment. He would also require an independent lab corroboration of the analysis at the 95% confidence level.

More Comments to Come

We should start to see comments coming in from some of the industries involved and the various advocacy groups interested in this issue. Interestingly there have not been any requests yet for either public meetings or a delay in the relatively short response window (60 days) provided for this NPRM. That will almost certainly change.

DHS Publishes CFATS ANPRM

The DHS National Protection and Programs Directorate (NPPD) is publishing in Monday’s Federal Register (79 FR 48693-48696; available on-line today) an advance notice of proposed rulemaking (ANPRM) concerning possible changes to the Chemical Facility Anti-Terrorism Standards (CFATS) program. This is the third rulemaking that was directed by the President’s Executive Order on Increasing Chemical Safety and Security (EO 13650) and the only one to start as an ANPRM rather than a request for information (RFI).

Actually the EO gave only a very limited requirement for the CFATS program to look at the list of DHS chemicals of interest (COI) that triggers the initial facility reporting requirement that may lead a facility to be covered by the CFATS program. This ANPRM addresses that issue and takes a broader look at the potential for changes to the CFATS program. No specific changes are proposed in this ANPRM; rather this is functionally similar to the RFIs for the EPA Risk Management Program (RMP) and the OSHA Process Safety Management (PSM) program.

NPPD’s Infrastructure Security Compliance Division (ISCD) proposes a number of questions that it would like answers to from the regulated and affected communities that would allow ISCD to formulate a proposed rule. Those questions are grouped into seven functional areas:

Appendix A (COI list);


In soliciting responses to these questions, ISCD requests that the responses be as detailed as possible and include analysis of the potential cost and benefits of the proposals. Comments may be filed using the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2014-0016). Comments should be filed by October 17th, 2014.

ICS-CERT Publishes Two Siemens Advisories

Earlier this week (still getting caught up) the DHS ICS-CERT published two advisories for control system vulnerabilities in Siemens products. One was for a new denial of service attack vulnerability in the Simatic S7-1500 CPU and the other was an update of an earlier HeartBleed advisory.

S-1500 Advisory

This advisory addresses a vulnerability in the handling of specially crafted TCP packets that could result in a CPU restart and hold in the STOP mode which would require manual reset. It was originally reported by Arnaud Ebalard from Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) in a coordinated disclosure.

Siemens has produced a firmware update that mitigates the vulnerability. There is no indication that Ebalard has been given the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability. The Siemens Product-CERT advisory clarifies that network access is required to exploit the vulnerability.

OpenSSL Update

This advisory updates the Siemens HeartBleed Advisory originally issued on July 17th and previously updated on July 23rd. The new update:

• Provides affected version information not previously provided for the S7-1500 product;
• Provides a link to the newly available S7-1500; and
• Removes the alternative mitigation measures previously provided for the S7-1500.

The Siemens ProductCert advisory was also updated.


NOTE: Siemens reports that they are continuing to work on HeartBleed fixes for their ROX 1, ROX 2, and CP1543-1 products.

Friday, August 15, 2014

FRA Submits Securement NPRM to OMB

On Thursday (I’ve been on the road so I’m catching up on stuff) the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking (NPRM) from the DOT’s Federal Railroad Administration (FRA) concerning the securement of unattended equipment. This rulemaking was not covered in the Spring 2014 Unified Agenda, but it does not take any great imagination or regulatory insight to guess that this will address the train securement problems identified in the Canadian crude oil train catastrophe last year.


At the very least we can expect that the proposed rule will codify the requirements set out in Emergency Order #28. It remains to be seen if the rulemaking will go beyond those requirements. Back in April the Railroad Safety Advisory Committee approved draft language (.PDF File) for a rulemaking on this subject, but there is no requirement for DOT to use that consensus language.

Thursday, August 14, 2014

S 2519 Reported in Senate – NCCIC Act

On the last real day of Senate activity before the current recess the Senate Homeland Security and Government Affairs Committee ordered the publishing of their report on S 2519, the National Cybersecurity and Communications Integration Center Act of 2014. As I reported in my original blog posting on this bill, it was ordered reported the day after its introduction by HSGAC Chair Carper (D,DE).

There was one amendment made to the bill during the markup hearing (.PDF Download link) on June 25th; an amendment by Sen. Johnson (R,WI). That amendment {§3(b)} clarifies that the legislation does not provide any new authority for the Secretary of Homeland Security to “promulgate regulations or set standards relating to the cybersecurity of private sector critical infrastructure”.


Writing and publishing a committee report in just 30 days (for a non-appropriations bill) is pretty quick in the Senate. That, combined with ensuring that the report was ordered printed before the recess, probably indicates that at least Sen. Carper expects this bill to come to the floor of the Senate early after the return of the Senate in September. We will just have to wait and see if Sen. Reid (D,NV) shares that intention.

Wednesday, August 13, 2014

OMB Approves NHTSA V2V Communications ANPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the DOT’s National Highway Transportation Safety Administration’s (NHTSA) advanced notice of proposed rulemaking (ANPRM) on establishing a Federal Motor Vehicle Safety Standard (FMVSS) for vehicle to vehicle (V2V) communications.


This rulemaking was not included in the Spring Unified Agenda so it isn’t clear exactly what this rulemaking would encompass, but I suspect that it is related to the DOT’s Intelligent Transportation Systems Joint Program Office’s (ITSJPO) connected vehicle program. I last mentioned this program back in February. I expect that we will find out more details when the ANPRM is published, probably next week.

Tuesday, August 12, 2014

PHMSA Publishes Special Permit Approval NPRM

Today DOT’s Pipeline and Hazardous Material Safety Administration published a notice of proposed rulemaking (NPRM) in the Federal Register (79 FR 47047-47063) that would formally establish current standard operating procedures and criteria used to evaluate applications for special permits and approvals. The NPRM would add Appendix A to the existing 49 CFR 107. This rulemaking was initiated in response to a Congressional mandate set forth in §33012(a) of MAP21 (PL 112-141; Pg 126 STAT 383).

In addition to formally establishing current permit approval procedures as part of the Hazardous Material Regulations (HMR) the rulemaking would:

• Change the definitions of ‘approval’ and ‘special permits’ currently found in §105.5, §107.1 and §171.8 to reflect the requirements of Appendix A;
• Change §107.113 to require that the PHMSA Associate Administrator review all special permit applications using the procedure set forth in the new Appendix A;
• Change §107.117 to require the Associate Administrator to use the procedures set forth in the new Appendix A to review all emergency permit applications; and
• Change §107.709 to require that the Associate Administrator review all approval applications using the procedures set forth in the new Appendix A.


PHMSA is soliciting public comments on the proposed rulemaking. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2012-0260). Comments need to be submitted by October 14th, 2014.

Nationalizing Cybersecurity?

Last week the Langner Group published a blog post by Perry Pederson talking about the need for nationalizing cybersecurity for critical infrastructure. Perry very clearly outlined the reasons why individual companies did not have the resources to take on nation state backed entities in the cybersecurity realm. Citing the ‘provide for the common defense’ clause {§8} in the US Constitution he argues that at some level cyber defense is a purely governmental function.

In a brief twitversation I asked where the line should be drawn between national cyber defense and daily operations security and that is the topic that I would like to look at today.

National Defense

In a classical sense a nation state provides for the common defense in a couple of ways. First it maintains a military of sufficient size, equipment and training that potential adversaries are forced to decide that attacking the state would cost more than the potential benefits. Where potential adversaries are right at the border in neighboring states fortifications are constructed and manned to ensure that there will be enough delay of the enemy forces to allow the full strength of the military to rally to the defense of the point of attack while remaining prepared for attack at other points along the border.

On the other hand, nation states also undertake diplomacy as a means of reducing tensions with potential adversaries to lessen the need for taking up arms.

In extremis nation states conduct pre-emptive attacks on their adversaries so that they can set the time and place for armed conflict to best suit their needs and capabilities. Establishing a well understood capability to conduct pre-emptive strikes provides potential adversaries with an additional incentive to use diplomacy to address tensions that could lead to armed conflict.

Cyber Defense

Until recently cyber defense was more of a police type action against individuals rather than a military type activity against nation states. Individual owners of cyber infrastructure took minimal security protections to ensure that the common criminal had to have a minimal level of skill and ingenuity to gain access to the owner’s cyber infrastructure. In the event of a break-in, police were notified, rudimentary investigations were conducted, and the occasional high-profile arrest and subsequent conviction of the cyber criminal served as a deterrent of sorts to further cyber crime.

As more wealth has been moved into the cyber realm criminals have become more sophisticated in their abilities to attack that wealth. In response the owner’s capability to defend against breaches has become more complex; the law enforcement effort has become more sophisticated; and the courts’ response has become more intense.

Enemies not Criminals

Since the public discovery of Stuxnet just a little over two years ago it has become apparent that the nation state has discovered the capability of surreptitiously attacking an adversary’s critical infrastructure. Nation states have the resources to pull together a comprehensive development team to fashion and operate cyber tools and techniques to execute attacks that are practically undetectable in the short term.

The cyber attack objectives of these nation state actors may include the gathering of intelligence (spying) that has been a common tool of statecraft and warfare for millennia, gaining a political or economic advantage by destabilizing critical infrastructure in an adversarial state, stealing technological innovation to allow for economic advancement at reduced cost, or just weakening an adversary as a prelude to a physical attack.

The point that Pederson makes so clearly in 7 points is that in an unequal contest between a nation state and most private sector owners, the private sector will almost certainly lose. Now this is bad for the economy if it is just the random facility that is attacked, but nation states will be conducting targeted attacks ultimately against critical infrastructure facilities. The only other target worthy of their effort is the military and suppliers of the military.

What does the Government Defend?

It is quite clear that the Government does not have the unlimited funds to provide for an absolute defense of all cyber assets within the country. It will have to pick and choose those cyber assets which provide some level of existential threat to the country if damaged or destroyed. This is the essential definition of ‘critical infrastructure’. A political decision will have to be made about what requires protection, what needs protections and what cannot be protected.

Since cyber operations are an integral part of the operation and management of almost all critical infrastructure (I would say all but someone would come up with some off-the-wall counter example to prove me wrong) does this mean that the Government will have to take complete control of an enterprise to defend it against a nation state attack? There are many people that would make that argument, but any real assessment of the situation would show that the government does not have the manpower, expertise or will to manage all aspects of the varied infrastructure that goes into providing critical support for the day-to-day operation of the country.

So the government, if it is to be even moderately successful at defending critical infrastructure against catastrophic cyber attack, is going to have to carefully pick and choose the cyber battles that it chooses to fight. To do that it is going to have to understand exactly what portions of the national infrastructure require national defense. This understanding has both strategic and tactical implications.

Under strategic considerations it must be remembered that all infrastructure is critical at some level; see the old story about the want of a nail. The government (and that includes the governed) will have to prioritize the national cyber defense to what can be afforded (to spend) and what can’t be afforded (to lose). And it must be remembered that those priorities will change frequently as the economy grows and contracts and as adversaries change.

On the tactical level it is not necessary to defend every inch of the cyber coastline. National level cyber defense requires that only those portions of critical infrastructure that pose the threat of catastrophic failure if attacked on the cyber battlefield (call it Catastrophically Critical Infrastructure or CCI) receive the limited attention and resources of the Government defense. The Government will find it less expensive and more effective to respond to non-catastrophic damage to critical cyber infrastructure than to try to defend it all.

How do you defend CCI?

Once CCI are identified the planning for the cyber defense of CCI will begin by prioritizing the protection of CCI assets based upon their critical failure nodes (CFN); a CFN is any operation where a minimal change in control could cause a catastrophic incident. The most critical failure nodes will get first attention. This will be determined by looking at the level of catastrophe that would result from the worst case failure of the node and the likelihood that a cyber attack could cause the failure of that node.

Once the CFN are identified then the cyber failure modes for those nodes would have to be identified. This would be done in a cooperative effort between the Government and the owner of the CFN; the fewer cyber protective resources available to the owner the more those resources would have to be supplied by the Government. The cost of reliance on Government resources would be the partial loss of control over the use and employment of those assets. This potential loss of control would be the incentive for business owners to develop their own cyber protective resource capability because the Government use of those resources would not necessarily align with the business interests of the owner.

For the highest risk CFN, the government would retain the ability to monitor the cyber protective resources to detect probing and attacks on those resources. The purpose of the monitoring capability would be to detect the early stages of a cyber attack with the intent to trace them back to their origins. Political, electronic or physical counter-attacks would then be used to dissuade adversaries from pursuing their attacks.

The Government would also share information about attacks against CFN with other CFN defenders so that they could use that information to improve the defenses of their cyber assets.

Protecting the Rest of Critical Infrastructure

While the Government has the highest level of interest in protecting CFN, the protection of all critical infrastructure is of legitimate concern to the Government. Instead of the Government taking an active role in the defense of non-CCI facilities, the Government would require the identification and minimum protection of CFN at non-CCI facilities. It would also require reporting of all attempts to compromise those protections, which the Government would then investigate and take appropriate actions against the perpetrators.

The protection of all non-catastrophic failure nodes would be the sole responsibility of the owner of the facility. Owners of most Government regulated facilities would be required to report detected cyber attacks to a Government agency that would then investigate those suspected attacks with the view towards identifying the perpetrators and the techniques that they used.

Broad Outline

This is, of course, only the broad outline of how the Government could address the protection of critical infrastructure against cyber attacks. As it becomes more and more obvious that nation states are undertaking cyber operations against their adversaries, it becomes clearer that the Government needs to be actively involved in the defense of the most critical infrastructure from such operations.


Serious discussion needs to begin on how this type of defense of private sector facilities can be best implemented.

Sunday, August 10, 2014

PHMSA Publishes Reverse Logistics NPRM

On Monday DOT’s Pipeline and Hazardous Material Safety Administration is publishing a notice of proposed rulemaking (NPRM) in the Federal Register (79 FR 46748-76758) proposing to modify the Hazardous Material Regulations (HMR) to provide for return shipments of hazardous materials by motor vehicle. The advance notice of proposed rulemaking (ANPRM) was published on July 5th, 2012.

In this NPRM PHMSA is proposing to:

• Define the term “reverse logistics;”
• Establish a single section in the regulations for the shipment of hazardous material in the reverse logistics supply chain;
• Establish training requirements tailored to reverse logistics shipments;
• Define the authorized packaging for reverse logistics shipments;
• Establish segregation requirements for reverse logistics shipments; and
• Allow for more flexibility in the transportation of lead acid batteries.

Reverse Logistics Defined

The definition of the term ‘reverse logistics’ would be added to 49 CFR 171.8. The definition would read:

“Reverse logistics is the process of moving goods from their final destination for the purpose of capturing value, recall, replacement, proper disposal, or similar reason.”

The preamble explains that this rulemaking is targeted at consumer goods that are returned from retail facilities to collection centers or warehouses. It would specifically “include consumer products in hazard classes 1.4 (ammunition), 2.1, 2.2, 3, 4.1, 5.1, 5.2, 6.1, 6.2, 8 and 9 in the reverse logistics exception”.

Reverse Logistics Requirements

PHMSA proposes to add a new §173.157. The new section would establish:

Quantity limits for the covered materials based upon Division and Class and Packing Group designation;

Lead Acid Battery Recycling

On a slightly different, but related topic PHMSA is proposing to amend §173.159 as it relates to the transportation of used lead acid batteries for the purpose of recycling. The current requirements of §173.159(e)(4) only allow recycled batteries to be shipped from a single shipper. This change would re-write (4) to allow that:

“A carrier may accept shipments of lead acid batteries from multiple locations for the purpose of consolidating shipments of lead acid batteries for recycling.”

Two additional subparagraphs would be added that would require that no other hazardous materials be allowed on vehicles transporting used lead acid batteries and would reiterate that the immediate incident reporting requirements of §171.15 apply to these shipments.

Public Comments Solicited


PHMSA is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2011-0143). Comments should be submitted by October 10th, 2014.

NIST Proposes ICS Cybersecurity Testbed

Yesterday the GSA published a National Institute of Standards and Technology (NIST) solicitation seeking information on a Reconfigurable Industrial Control Systems Cyber-Security Testbed. The solicitation notes:

“After results of this market research are obtained and analyzed, and specifications developed, NIST may conduct a competitive procurement and subsequently award a Purchase Order. If at least two qualified small businesses are identified during this market research stage, then any competitive procurement that resulted would be conducted as a small business set-aside.”

The test bed to be developed will allow the measurement of the performance of industrial control systems when instrumented with cyber-security protections in accordance with best practices prescribed by national and international standards and guidelines. In order to allow for the test bed development to concentrate on developing methods of measuring system security performance instead of first having to develop a process, NIST is using a chemical control system model that has been widely investigated, the Tennessee Eastman (TE) Problem {original article (must pay for actual article) and the Challenge Archive}. The solicitation explains that:

 “The TE problem is an ideal candidate for cyber-security investigation because it is an open-loop unstable process that requires closed-loop supervision to maintain process stability and optimize operating costs.”

The response date required for this solicitation is August 18th, 2014.

NOTE: Thanks to The Langner Group for publicly identifying this opportunity.

TSA Revises STA System of Records

The DHS Transportation Security Administration (TSA) is publishing a notice in Monday’s Federal Register (79 FR 46862-46866) concerning changes being made to the DHS Privacy Act System of Records for the Security Threat Assessment (STA) program. This is the system of records that TSA uses to collect and maintain information on STAs and employment investigations for programs like the Transportation Worker Identification Credential (TWIC) and the Hazardous Materials Endorsement (HME) for State commercial driver’s licenses.

TSA is modifying the “Purposes” portion of the system of records description to update the actual uses TSA and DHS make of the information collected in the STA program. One interesting change is moving two categories of records (‘known or suspected terrorists’ and personnel requesting redress actions) from the “Categories of individuals” to the “Categories of Records” section of the description.


Interestingly, there is still no mention in this revised description of the STA system of records for use by the Chemical Facility Anti-Terrorism Standards (CFATS) program’s personnel surety program (PSP). The OMB’s Office of Information and Regulatory Affairs (OIRA) still has not approved the CFATS program’s personnel surety program (and very likely will not until Congress acts or fails to act on the CFATS bill (HR 4007) now pending in the Senate).

Thursday, August 7, 2014

S 1961 Reported in Senate – Drinking Water Protection Bill

On the last effective day of the Senate session before the summer recess, the Senate Environment and Public Works Committee finally published their report on S 1961, the Chemical Safety and Drinking Water Protection Act of 2014. There is nothing really new in the report that I did not report in my earlier post on the results of the markup hearing.

When the Senate returns to Washington in September, it is now remotely possible that the bill could be brought to the floor for consideration. In the lead up to the mid-term elections and with spending bills (or most likely a continuing resolution) still to be considered it is unlikely that this bill will be brought to the floor. Even though the bill had some bipartisan support in Committee (only two Republicans voting no with no demand for a recorded vote) I don’t think that there was enough support to overcome the bipartisan bickering that only increases the closer we get to election day.


Rep. Capito’s (R,WV) similar bill in the House, HR 4024, has yet to be considered in committee, so I think we can safely assume that there is no plan to consider that bill or the Senate alternative during this session. This legislation appears to be effectively dead for this session, unless of course there is another water treatment facility similarly affected by an industrial chemical spill.

Fast Action on Flammable Railcars Rule

After a brief Twitversation yesterday about an article calling for swift action on crude oil railcar safety rules Terry Hardy made the point that the discussion called for more than 140 character snippets of information. He is correct, so here is my take on the issue.

Crude Train Safety Issues

The crude oil rail safety problem is not really new; the tendency towards catastrophic failure of the DOT 111 rail car in high-speed (by freight railroad standards) derailments has a well-documented history. What has brought it to the foreground of public debate has been the stringing together of large numbers of these cars hauling crude oil out of the Bakken reserve. The failure of a single car containing flammable liquids is seldom noticed outside of the immediately affected community, but the fire spreading to multiple failed cars and the subsequent BLEVE of undamaged cars suddenly makes for impressive evening news clips.

PHMSA and the FRA have been taking increasingly dramatic actions under existing regulations to lower the accident rate that leads to these catastrophic incidents since the first crude oil train catastrophe last year in Canada. The oil industry and the railroad industry have been responding generally positively to these actions and have agreed to take some voluntary measures suggested by Federal regulators to lower those risks. These actions, while incomplete and of a stop-gap nature, need to be acknowledged by everyone taking part in the discussion of new regulations for railroad safety.

No one disagrees that in the longer term more effective regulations will be needed to control the risks associated with the shipment of this volatile crude oil to refineries (and other volatile flammable liquids to other destinations) located across the country. PHMSA is in the process of two rulemaking actions now to address the railcar safety issues and the emergency response issues related to this problem.

Regulatory Process

Emergency orders and negotiated voluntary actions can take place fairly quickly and provide a rapid and flexible response to an immediate problem. And, they have the added benefit of being able to be changed, adapted to changing circumstances and even canceled with equal dispatch. Unintended consequences can be dealt with fairly rapidly when they are recognized.

Regulations, on the other hand, take on a life of their own and are relatively resistant to change. So there is a very strong incentive to get them done right the first time. This is one of the reasons that the regulatory process is so involved and time consuming. Everyone involved (all of the industries, advocacy groups and the public) needs to have a chance to have their input heard and thoughtfully considered before regulations are put into their final form.

An Already Accelerated Process

PHMSA has taken steps to accelerate their regulatory process. They removed a number of unrelated petition responses that were in the ANPRM from the NPRM. This will not help the people that wanted regulatory relief for those other problems, but the crude oil train accident problem is arguably a larger societal problem and the others are essentially ‘local issues’.

PHMSA also expanded the coverage of the NPRM to include more than just the DOT-111 upgrade issue. This means that those topics have not had the amount of detailed discussion that they would have undergone had they been in the original ANPRM.

PHMSA has offered in a couple of separate instances in the NPRM a couple of different options that might achieve their regulatory purpose. This type of regulatory discussion is normally found in an ANPRM not an NPRM, but this was done because it is not yet clear which of the options will truly be cost effective. Again, this was done because PHMSA changed the scope of the rulemaking due to political pressures to get things done quickly. But it could have the effect of putting language into the final rule that has not yet had a chance to be considered in public debate upon the rule. This could leave the final rule open to legal challenge.

The Next Step

PHMSA has provided for just a 60-day comment period. There will certainly be a number of petitions for extending that comment period. I also expect there to be a call for public meetings to address the issue more completely. These will both have to be considered carefully before PHMSA accepts or rejects the decision. Politically, I don’t think that PHMSA will have any choice but to extend the comment period by 30-days (given the introduction of new regulatory proposals and the complexity of the issues). Likewise, I think that there will have to be a series of regional meetings to address the complex issues in a public setting.

After all of the comments are in (and I expect that there will be a very large number of comments on this rulemaking) PHMSA will have to go through and read and analyze each of the comments and take the ideas contributed under advisement. Usually these things tend to coalesce around a couple of viewpoints, but it is going to be more complicated than that in this case. Instead of the typical business vs activist dichotomy found in these debates we are going to see four different public interest groups (railroads, crude producers, shippers, and emergency response personnel) that have a major stake in the issue. More importantly they all want the other guys to take the heat for the problem.

PHMSA will not be able to win on this issue. If they take their time, get lots of input, do the hard work of getting a comprehensive approach to the whole problem, it will take a year or more to get the final rule into the Federal Register and even longer for it to take actual effect. One major accident (in a town or city) during that time and PHMSA will be crucified for ‘taking too long’.


If they take short cuts and get a half-way acceptable DOT-111 replacement/upgrade schedule on the books and leave it at that, they will be in the courts fighting opponents from three viewpoints that think the final rule is unfair or does not address the ‘real issue’ (and that issue will be different from each perspective). Oh, and some US District Court will tell PHMSA that the rule needs to be rewritten.


PHMSA Publishes Civil Penalties Final Rule

Today DOT’s Pipeline and Hazardous Material Safety Administration published a final rule in the Federal Register (79 FR 46194-46200). The rule prohibits a person who fails to pay a civil penalty as ordered, or fails to abide by a payment agreement, from performing activities regulated by the Hazardous Materials Regulations until payment is made. As was the case with the NPRM for this rulemaking, this final rule was not reviewed by OMB’s Office of Information and Regulatory Affairs prior to publication.

As I noted in the NPRM blog post this bill implements a congressional mandate set forth in §33010 of the Moving Ahead for Progress in the 21st Century Act (MAP-21) (Pub. L. 112-141, page 126 STAT 838) that added paragraph (i)(1) to 49 USC 5123:

“Except as provided under paragraph (2) [Chapter 11 bankruptcy exemption], a person subject to the jurisdiction of the Secretary under this chapter who fails to pay a civil penalty assessed under this chapter, or fails to arrange and abide by an acceptable payment plan for such civil penalty, may not conduct any activity regulated under this chapter beginning on the 91st day after the date specified by order of the Secretary for payment of such penalty unless the person has filed a formal administrative or judicial appeal of the penalty.”

There were three public comments posted to the docket for the NPRM for this rulemaking; one supportive and two adversarial comments (here and here; both .PDF download links). In the preamble to this rule PHMSA explains why they rejected the suggested changes to the rule made by the packaging organization and by the railroads. In both cases the final PHMSA argument was that this rulemaking was specifically mandated by Congress.

Today’s notice summarizes the new rule this way:

“Under the provisions of this final rule, the agency [PHMSA, FAA, FMCSA, or FRA] that issued the final order outlining the terms and outcome of an enforcement action will send the respondent a COO [Cease Operations Order] if payment has not been received within 45 calendar days after the payment due date or a payment plan installment date as specified in the final order. The COO would notify the respondent that it must cease hazardous materials operations on the 91st calendar day after failing to make payment in accordance with the agency's final order or payment plan arrangement, unless payment is made. A respondent will be allowed to appeal the COO within 20 days of receipt of the order according to the procedures set forth by the agency issuing the COO.”


The effective date for this rule is September 8th, 2014.

Wednesday, August 6, 2014

OMB Approves FRA PTC Update Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the DOT’s Federal Railroad Administration (FRA) regarding changes to the implementation requirements for positive train control regulations. The final rule could be published later this week, but more likely next week, in the Federal Register. This rulemaking was pursued in response to a petition (.PDF download link) from the American Railroad Association.

Congress Adjourned for Summer Recess Yesterday

While most people think that the Senate pulled out of town on Thursday and the House on Friday, the last day of work for the two bodies was Tuesday and Monday respectively. The House adopted H. Con. Res. 112 on Monday ‘without objection’. The Senate took up the resolution yesterday and passed it by a voice vote. There is no official tally of how many members were present in either body, but I doubt it was more than three, the designated presiding officer and a standard bearer from each party. The formalities took just minutes to complete.

Both bodies will reconvene on September 8th.

Tuesday, August 5, 2014

S 2664 Introduced – Public Alert System

As I noted earlier Sen. Begich (D,AK) introduced S 2664, the Integrated Public Alert and Warning System Modernization Act of 2014. This bill appears to be very similar to HR 3283 that was ordered reported in the House back in April. It is probably a ‘companion bill’ but it is hard to tell because the House Homeland Security Committee has not yet actually reported the much amended bill, so we cannot see exactly what that bill looks like.


I don’t see anything particularly objectionable to anyone in the bill, so it would not seem that there would be any great impediment to its passage in either the House or Senate. The greatest obstacle will be convincing the leadership to actually bring the bill to the floor in the election season after the summer recess.

OMB Approves Published PHMSA OSPRP ANPRM

On an anti-climactic note, yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the already published ANPRM on railroad oil spill prevention and response plans (OSPRP) from DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA). I would hope that the changes indicated by OIRA’s concluded action’s “Consistent with Change” had already been made by PHMSA prior to the ANPRM being published last Friday.
 