Tuesday, December 30, 2014

Reader Comment – Defending DVCP

A long-time reader and noted security researcher (I’ve mentioned his name many times here), Chris Sistrunk, left a valuable comment on yesterday’s post about Marina Krotofil’s presentation, Damned Vulnerable Chemical Process (DVCP). Chris reminds us that an attack like the one Marina described will take a great deal of time and multiple trips to your system before the actual cyber-physical attack can be initiated. This provides plenty of opportunity to detect and prevent the attack if you are paying close attention to your control system (see his comment for more details).

But even before we start the kind of monitoring that Chris describes we need to take the same kind of look at our control system as we do the rest of our chemical process in our process hazard analysis (PHA). This will help us to identify those controls that could place our facilities at the most risk if/when a cyber-attack should take place.

In a well-conducted PHA we look at each step in our process in great detail to identify all of the things that could go wrong. We look at each variable and ask questions about what would happen if it were too high, too low, too fast or too slow, etc. For those events that could have catastrophic consequences (or that are very likely to happen with lesser consequences) we put compensating controls in place to help prevent those occurrences. The more severe the consequence, the more compensating controls we put into place.

Given the new cybersecurity environment, we should now consider extending that process down to the controller level when we identify high consequence vulnerabilities in our chemical processes. When we determine, for instance, that a high temperature will lead to a catastrophic consequence we need to take a detailed look at the sensors and controllers that directly impact temperature control.

This detailed look would include the specific vulnerabilities associated with those devices. For example, are these devices that can have their programming changed by anyone with access to the device (Dale’s insecure-by-design PLCs)? If so, we would want to take special precautions to limit access to that device.

Where process safety rules require multiple mitigating measures we could, for instance, use multiple sensors with a ‘tell me three times’ requirement familiar to rocket scientists. Or we could use stand-alone safety systems, air-gapped from both the control and IT networks, and provided with an uninterruptible power supply to provide the ultimate control system protection.

We shouldn’t forget Chris’ monitoring requirements. In fact, for those really sensitive portions of the process where the really bad things can happen (the things that go boom in every process engineer’s nightmares) we might want to ensure specific log checks for the most critical devices controlling that portion of the process.
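As an added illustration of the two ideas above (this is example code written for this page, not code from the post, from Chris, or from Marina’s DVCP work): a ‘tell me three times’ voter for a redundant temperature measurement, followed by the HAZOP guide-word checks (too high, too low, too fast) applied to the voted value. The limits, sensor readings and loop name are constructed sample values, not data from any real plant.

```python
"""Added example: 2-out-of-3 sensor voting plus HAZOP-style deviation checks.
All limits and readings below are constructed sample values (hypothetical
reactor temperature loop), not from any real facility."""
from statistics import median

# Constructed limits for a hypothetical reactor temperature loop.
HIGH_LIMIT_C = 120.0       # above this: 'too high' deviation
LOW_LIMIT_C = 40.0         # below this: 'too low' deviation
MAX_RATE_C_PER_S = 2.0     # faster than this: 'too fast' deviation
AGREE_TOL_C = 3.0          # max spread a healthy sensor may show vs. the voted value


def vote_2oo3(readings):
    """Return (voted_value, disagreeing_indices).

    The median of three readings is used so that a single failed or
    manipulated sensor cannot move the voted value on its own; any sensor
    farther than AGREE_TOL_C from the voted value is reported for
    investigation (sensor fault or tampering)."""
    if len(readings) != 3:
        raise ValueError("exactly three readings required")
    voted = median(readings)
    bad = [i for i, r in enumerate(readings) if abs(r - voted) > AGREE_TOL_C]
    return voted, bad


def check_deviation(value, prev_value, dt_s):
    """HAZOP guide-word checks on the voted value; returns deviation names."""
    devs = []
    if value > HIGH_LIMIT_C:
        devs.append("too high")
    if value < LOW_LIMIT_C:
        devs.append("too low")
    if prev_value is not None and dt_s > 0:
        rate = abs(value - prev_value) / dt_s
        if rate > MAX_RATE_C_PER_S:
            devs.append("too fast")
    return devs


def evaluate(samples):
    """Run a sequence of (t_s, [r1, r2, r3]) samples; return (t, message) alarms."""
    alarms = []
    prev_val, prev_t = None, None
    for t, readings in samples:
        voted, bad = vote_2oo3(readings)
        for i in bad:
            alarms.append((t, f"sensor {i} disagrees: {readings[i]} vs voted {voted}"))
        dt = (t - prev_t) if prev_t is not None else 0
        for d in check_deviation(voted, prev_val, dt):
            alarms.append((t, f"{d}: {voted}"))
        prev_val, prev_t = voted, t
    return alarms


# Constructed sample: sensor 1 reads high on its own at t=1 (single bad or
# tampered channel, outvoted); a genuine excursion follows at t=3.
SAMPLES = [
    (0, [80.0, 80.5, 79.8]),
    (1, [81.0, 95.0, 80.7]),     # one sensor disagrees; voted value stays near 81
    (2, [82.0, 82.2, 81.9]),
    (3, [125.0, 124.5, 125.5]),  # real excursion: too high and too fast
]

if __name__ == "__main__":
    for t, msg in evaluate(SAMPLES):
        print(t, msg)
```

The point of the voter is that a single manipulated channel produces a disagreement alarm rather than a changed control value; the deviation checks are the same questions a PHA asks, just applied continuously to the voted measurement. In a real loop the limits would come from the PHA for that specific variable, and the alarms would feed the monitoring Chris describes.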

In short, we really want to make safety and security two sides of the same coin. After all the goal of each is to keep chemical processes within the narrow confines necessary to keep employees and the community safe and healthy.

BTW: An anonymous commenter provided a YouTube link for Marina’s talk (without the annoying 15 minute delay at the start) - https://www.youtube.com/watch?v=TPUzNMcFb4A  

EPA Publishes 60-Day ICR for Methyl Bromide Program

Today the EPA published a 60-day information collection request (ICR) renewal notice in the Federal Register (79 FR 78425-78427) to support its program for the phase out of methyl bromide under the Clean Air Act and the Montreal Protocol on Substances that Deplete the Ozone Layer.

This notice reports a significant reduction in the reporting and record keeping burden imposed by this program due to the continuing reduction in the number of affected parties as the number of critical use exemptions to the phase out of methyl bromide continues to decrease. The table below shows that reduction since the latest version of this ICR was approved in 2011.

Affected Parties: Previous ICR vs. This ICR (rows include End Users; the figures are not reproduced here)

Long time readers of this blog will no doubt remember that I have long complained about the fact that methyl bromide was not included in the list of DHS chemicals of interest (COI) under the CFATS program even though it is a toxic inhalation hazard (TIH) chemical and thus potentially an improvised chemical weapon that could be used by terrorists. DHS initially included it in its proposed COI list but removed it from the final version because the EPA was phasing out the authorized use of this chemical and it would thus disappear from the potential list of industrial chemicals that terrorists could use as a chemical weapon.

The table above shows that there are potentially 1,054 entities that could have as much as 2,000 pounds of methyl bromide (the quantity that would require Top Screen reporting for similar TIH chemicals) in their possession at various times during the year. While some of these facilities may already be CFATS covered facilities (almost certainly the four producers are) due to the presence of other COI, many of the distributors and most of the end users would not be.

If DHS had included methyl bromide in their COI list they would have been able to assess the potential risk of theft and diversion of methyl bromide from these ‘other’ facilities. Because they incorrectly assumed that EPA was quickly phasing out methyl bromide, DHS has effectively ignored the potential threat of the use of methyl bromide as a terrorist weapon.

Unfortunately, when HR 4007 was passed by Congress, there was no specific requirement for DHS to review the current list of COI. Because DHS will be working hard on meeting the time tables for the implementation of HR 4007 I really doubt that we will see any real attempt to modify the list of COI any time in the near future. This is one of the incremental changes in the Chemical Facility Anti-Terrorism Standards that the new Congress ought to take a look at.

Monday, December 29, 2014

Damn Vulnerable Chemical Process

As I continually report, the Internet is a wonderful information sharing tool. Where else could I watch a video of a presentation (the actual presentation starts at about 15:50) given earlier today at the 31st Chaos Communication Congress in Hamburg, Germany by a young German lady teaching computer security professionals how to attack a chemical plant?

Marina Krotofil provides a very good and detailed explanation about why it is so difficult to conduct a cyber attack on a chemical manufacturing process. Or at least a successful attack that produces a pre-selected outcome; as she mentions in passing an attack causing disruption or economic damage may be much easier to accomplish.

She does a good job of explaining the cyber-technical details of why it is so hard to cause specific damage to a chemical facility even with a vulnerable control system. This isn’t so much because of the security aspects of the control system, but rather because of the complexity of the chemical system and the complex systems needed to safely control that system.

As a process chemist with some experience in developing the processes by which chemicals are produced and dealing with the upsets that can affect those processes I can fully appreciate how difficult it would seem to an outsider to figure out a way to catastrophically disrupt those systems. Chemists, chemical engineers, and control systems engineers spend the better part of their careers developing systems to prevent those upsets.

But a person with the appropriate background and working experience in process control could take a quick look at the P&ID that Marina showed in her talk and point out dozens of process vulnerabilities that could be susceptible to outside attack. Interestingly, these would almost certainly be clearly identified in the process hazard analysis that OSHA requires to be conducted on most reasonably hazardous processes.

An effective cyber-attack on something as complex as a chemical manufacturing process is not something that is going to be accomplished by a lone hacker over a highly caffeinated weekend. It will take the skills of a hacker, a control systems engineer and a chemical engineer, and perhaps a chemist or two, to really effectively execute a catastrophic attack on a modern chemical facility. And it will take time and resources to effect. That is the good news. The bad news is that any nation-state or large sophisticated terrorist organization will have access to plenty of the appropriate talent and resources.

Take the time to look at this hour and a quarter video. If you’re a process control professional, it will scare the hell out of you.

BTW: For more about Marina’s brief mention of the NIST test bed effort, see my post here - http://chemical-facility-security-news.blogspot.com/2014/08/reconfigurable-industrial-control.html

Wednesday, December 24, 2014

HR 4007 – The EAF Process

This is part of a continuing discussion of the recently passed HR 4007, Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014. As promised in one of the earlier posts this post will look at the process to be used by expedited approval facilities (EAF).  The previous postings in this series were:

Establishing the Program

As I mentioned in an earlier posting DHS has 180 days to get the EAF program established. Thus, by June 16th, 2015 we should have the guidance for the program from DHS. Remember, DHS is specifically not required to go through the publish and comment cycle nor do they need to receive OMB clearance of this program, either the guidance document or the information collection request (ICR) under 44 USC 3507. This means that we are unlikely to receive much advance notice of the provisions in the guidance document.

DHS has three basic options on how they are going to proceed with this EAF program development:

● Publish a guidance document that is little more than a list of required minimum security measures that a Tier 3 and/or Tier 4 facility would have to have to obtain approval of their site security plan (SSP). Facilities would then certify compliance and submit their SSP using the current CSAT tool.

● Develop a new CSAT tool specifically for the EAF program. The tool would be a template {authorized, but not required, under §2102(c)(4)(H)} where facilities would fill in the appropriate blanks that would be a substitute for the current CSAT SSP tool and then certify compliance.

● A combination of the two above.

I would like to see the second option. It would seem to me to be the simplest way to proceed for the EAF owners, which was clearly the congressional intent. The cheapest and easiest way out for ISCD, though, would be the first option since it would only require publishing a new guidance document (that would have to be published in any case) and would not require any substantive changes to CSAT. I suspect that the blended approach will be what we actually see; ISCD will publish the guidance to meet their 180 day deadline and then at some future date put the CSAT template into use.

Facility Participation

Starting on June 16th CFATS covered facilities then assigned to Tier 3 or Tier 4 that do not already have approved site security plans will have 30 days to look over and assess whether or not they want to continue to attempt to have their current site security plans approved or whether they want to seek approval under the EAF program. This 30 day period could be important to facilities since they are required to give ISCD 30-days’ notice {§2102(c)(4)(D)(iii)} before submitting the certification and SSP.

Existing facilities would have until November 13th, 2015 (120 days) to submit their certification and SSP. Because of the 30-day notice requirement any current facility that has not notified ISCD by October 14th, 2015 that they intend to submit an EAF certification and SSP will have to go through the current SSP process.

While DHS will be specifying minimum security requirements in their guidance for facilities participating in the EAF program, those minimums are not set in stone. Congress has given facilities the option to use lesser security measures as long as they explain in their site security plan how those measures actually meet the requirements of the risk-based performance standards {§2102(c)(4)(B)(ii)}. But, DHS still has the final responsibility and authority to decide if those standards are met.

EAF Site Security Plan Approval

The whole purpose of the EAF program is to expedite the SSP approval process. With this in mind Congress provided a 100-day time limit for DHS to make a decision that the SSP is ‘facially deficient’ or obviously does not “address the security vulnerability assessment and the risk-based performance standards for security for the facility” {§2101(7)}. Lacking such an assessment the SSP will be approved.

Congress did not intend for chemical security inspectors to be involved in the EAF approval process, but they did not prohibit their involvement either. The decision is supposed to be made based on four factors {§2101(7)}:

● The facility’s site security plan;
● The facility’s Top-Screen;
● The facility’s security vulnerability assessment; or
● Any other information.

That ‘any other information’ is specifically and broadly defined to include any information “the facility submits to the Department; or the Department obtains from a public source or other source”. That covers just about any means the Department decides to utilize, as long as it is done within 100 days of the submission.

Disapproved EAF SSPs

If during the 100 day DHS review of the SSP, or after a compliance inspection (I’ll look at compliance inspections in more detail in a later post) of the facility after the SSP is approved, the Secretary (read ISCD) determines that the security measures are “insufficient to meet the risk-based performance standards based on misrepresentation, omission, or an inadequate description of the site”, the Secretary has two options {§2102(c)(4)(G)(ii)(I)}:

● Require additional security measures, or
● Suspend the certification of the facility.

In either case DHS is required to provide written notice that includes “a clear explanation of each deficiency in the site security plan”; this would include specific suggestions for additional security measures. If the deficient facility would like to remain in the EAF program they would then have 90 days to submit a new certificate and SSP and DHS would have 45 days to review the new submission. If the facility declined to resubmit an EAF certification, they would have 120 days to submit a full site security plan or an alternative site security plan.

Tuesday, December 23, 2014

ICS-CERT Updates NTP Advisory

Today the DHS ICS-CERT updated their advisory for the previously reported set of vulnerabilities in the Network Time Protocol Daemon. It is a rather unusual update in that the previous version reported that there were publicly available exploits and the new version claims that there are no known publicly available exploits. The CERT-CC notice also currently says that there are no known exploits available (I didn’t save a copy of their original report so I can’t tell if it changed).

The NTP advisory does not address the issue at all.

BTW #1: I missed it last week, but the NTP web site is (has been) reporting that two of these vulnerabilities were fixed quite some time ago (2010 for the weak default key, and 2011 for the weak random number generator). I guess you just fix some things without knowing that they need fixing.

BTW #2: The NTP web site is (has been) reporting that there are two other, as of yet unspecified vulnerabilities in the NTP that have yet to be fixed. They expect to fix them within the next month.

Monday, December 22, 2014

HR 4007 – DHS Security Suggestions

This is part of a continuing discussion of the recently passed HR 4007, Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014. In this post I’ll discuss the way Congress worked around the problem of DHS telling facilities what is needed for security.  The previous postings in this series were:

I have long complained about the limitation Congress placed on DHS with their requirement in the §550 authorization that “the Secretary may not disapprove a site security plan submitted under this section based on the presence or absence of a particular security measure” {§550(a)} This has been interpreted to mean that DHS cannot tell facilities what security measures can be implemented to meet the risk-based performance standards. This has been one of the reasons why it has taken so long to get site security plans approved.

Congress did include similar language in HR 4007 {§2102(c)(1)(B)(i)}, but they also required the Secretary to ‘suggest’ security measures to bring site security plans into compliance when a submitted plan is deficient. For example, when the Secretary determines that a site security plan submitted by an expedited approval facility (EAF) is inadequate during a compliance inspection, then DHS is required to “recommend specific additional security measures that, if made part of the site security plan by the facility, would enable the Secretary to approve the site security plan” {§2102(c)(1)(G)(ii)(II)(aa)}. The key word here is “recommend”, as it is made clear that the facility still has the right not to use the recommended security measures as long as their alternatives serve the same purpose.

I understand that some chemical security inspectors (CSI; PLEASE DHS, change their title so we can use a different acronym) have already been making these types of recommendations to owners of smaller facilities. The new requirement will ensure that all chemical facilities get this level of assistance regardless of which CSI they work with.

FRA Train Crew Staffing Rule to OMB

The OMB’s Office of Information and Regulatory Affairs (OIRA) announced Saturday that they had received a copy of a notice of proposed rulemaking (NPRM) on train crew size from the Federal Railroad Administration. This NPRM is part of the ongoing effort by DOT to reduce the risks associated with crude oil trains.

According to the latest Unified Agenda entry for this rulemaking:

“This rulemaking would add minimum requirements for the size of different train crew staffs depending on the type of operation.  The minimum crew staffing requirements would reflect for the safety risks posed to railroad employees, the general public, and the environment and would account for differences in costs.  This rulemaking would also establish minimum requirements for the roles and responsibilities of the second train crew member on a moving train, and promote safe and effective teamwork.  Additionally, this rulemaking would permit a railroad to submit information to FRA and seek approval if it wants to continue an existing operation with a one-person train crew or start up an operation with less than two crew members.”

The Fall 2014 Unified Agenda reports that the FRA plans on publishing the NPRM for this rule in January. Achieving that goal is now in the hands of OIRA.

Saturday, December 20, 2014

HR 4007 – The Clock Starts Ticking

This is part of a continuing discussion of the recently passed HR 4007, Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014. The President signed HR 4007 on Thursday so that is when the deadlines start (the important milestone dates for the program are shown below). The previous postings in this series were:

New CFATS Deadlines

January 17th, 2015 - Effective date of Title XXI; repeal of conflicting provisions of current regulations
March 18th, 2015 - Have facility outreach program established
June 16th, 2015 - Publish guidance for Expedited Approval Facility
July 16th, 2015 - Start point for 120 day deadline for current Tier 3 and Tier 4 facilities to submit EAF site security plans
November 13th, 2015 - Deadline for current Tier 3 and Tier 4 facilities to submit EAF site security plans

Grandfathered SSPs

All site security plans approved by DHS as of December 18th are grandfathered by law. SSPs approved between that date and the date of new CFATS regulations may be grandfathered by Secretarial discretion. 

Friday, December 19, 2014

ICS-CERT Publishes NTP Advisory

This morning the DHS ICS-CERT published an advisory concerning multiple vulnerabilities in the Network Time Protocol (NTP) reported by Neel Mehta and Stephen Roettger from the Google Security Team. A newer version of the protocol (NTP-4.2.8) is not affected by these vulnerabilities. The identified vulnerabilities include:

• Insufficient entropy - CVE-2014-9293;
• Use of cryptographically weak PRNG - CVE-2014-9294;
• Stack based buffer overflows - CVE-2014-9295; and
• Missing return on error - CVE-2014-9296

According to the NTP.org security notice on these vulnerabilities there are actually three different stack buffer overflows covered in the reported CVE: in crypto_recv(), in ctl_putdata(), and in configure().

ICS-CERT reports that a relatively unskilled attacker could use the publicly available exploits to execute malicious code. They also report that “NTP is widely used within operational Industrial Control Systems deployments”.

The CERT-CC vulnerability notice for these vulnerabilities is starting to list various vendors and their status vis-à-vis these vulnerabilities. Unfortunately there are no purely ICS vendors currently on their list. It would be nice if ICS-CERT attempted to do the same specifically for control system vendors.
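The advisory says everything before NTP 4.2.8 is affected, so the first defensive step on an ICS network is an inventory of which ntpd builds are actually running. The following is an added example written for this page (not from ICS-CERT, NTP.org or the Google team): it parses the version string that `ntpq -c rv` reports for a host and flags anything older than 4.2.8. The host names and version strings are constructed sample data.

```python
"""Added example: flag ntpd builds older than 4.2.8 (the fixed release named
in the advisory) from 'version=' strings as reported by `ntpq -c rv`.
The inventory below is constructed sample data, not real hosts."""
import re

FIXED = (4, 2, 8, 0)   # 4.2.8, p-level 0, per the advisory
VERSION_RE = re.compile(r'ntpd (\d+)\.(\d+)\.(\d+)(?:p(\d+))?')


def parse_ntpd_version(text):
    """Extract (major, minor, patch, p_level) from an ntpq 'version=' string.
    Returns None when no ntpd version is present (e.g. a non-ntpd time client)."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p) if p else 0)


def is_affected(version):
    """True when the build predates 4.2.8. Plain tuple comparison handles the
    'p' levels, so a 4.2.7p486 development snapshot still counts as affected."""
    return version < FIXED


def triage(inventory):
    """inventory: dict host -> raw ntpq version string.
    Returns dict host -> 'affected' | 'fixed' | 'unknown'."""
    result = {}
    for host, raw in inventory.items():
        v = parse_ntpd_version(raw)
        if v is None:
            result[host] = "unknown"      # needs a manual look, not a pass
        else:
            result[host] = "affected" if is_affected(v) else "fixed"
    return result


# Constructed inventory (hypothetical hosts; strings follow the ntpq format).
INVENTORY = {
    "hmi-01":  'version="ntpd 4.2.6p5@1.2349-o Fri Apr 13 12:52:28 UTC 2012 (1)"',
    "hist-02": 'version="ntpd 4.2.8 (constructed build string)"',
    "eng-03":  'version="ntpd 4.2.7p486 (constructed build string)"',
    "plc-gw":  'version="Windows Time Service"',
}

if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host:8s} {status}")
```

One caveat for anyone using this against a real network: a version-string check only tells you about upstream releases. Distribution and vendor packages that backport the fixes keep the old version number, so an ‘affected’ result means ‘verify with the vendor’, and an ‘unknown’ result (a device that is not running ntpd at all, or does not answer ntpq) needs to be run down by hand rather than treated as clean.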

Thursday, December 18, 2014

ICS-CERT Publishes 2 Advisories and 2 Updates

Today the DHS ICS-CERT published advisories for vulnerabilities in Honeywell’s Experion Process Knowledge System and Innominate mGuard and updated previously issued advisories for Siemens and Emerson control systems.

Emerson Update

This update clarifies information that was published in an update two weeks ago. The earlier update added a new vulnerability to the advisory and the wording implied that the previously issued update mitigated that vulnerability as well. There was an interesting twitversation about this wording and it appears that someone may have been listening (a good thing).

ICS-CERT now clarifies that the patch mitigates all but the recently added authentication bypass vulnerability. That vulnerability is what requires the use of the third-party secure router for mitigation. There are also some interesting changes in the wording about the use of that router. Originally ICS-CERT reported that:

“Emerson asserts that by adding the EDR810 between the host and the field device it is virtually impossible for an attacker to eavesdrop on communications or falsify commands.”

The new wording is a bit less bombastic and limited in the claims:

“At this time, Emerson recommends that concerned asset owners install the EDR 810 between the host and the field device to mitigate this vulnerability.”

I suspect that someone’s lawyer got involved.

Siemens Update

This is the update that I described on Tuesday.

Innominate Advisory

This advisory describes a self-reported privilege escalation vulnerability in the Innominate mGuard devices. They have produced a firmware patch that reportedly mitigates the vulnerability.

ICS-CERT reports that a moderately skilled attacker who has admin privileges on the system could remotely exploit this vulnerability to increase those to root privileges to execute arbitrary commands. Innominate reports that in most installations the personnel with admin and root privileges are the same so that this vulnerability would have no effect in those cases.

BTW: Innominate also reported that there is a denial of service vulnerability found in a slightly different set of mGuard devices because of the way they use OpenVPN connections to tunnel IPSec packets. I wonder why ICS-CERT didn’t publish an advisory for this vulnerability since it was also published yesterday by Innominate.

Honeywell Advisory

This advisory describes five vulnerabilities in the Honeywell Experion Process Knowledge System (EPKS) application. The vulnerabilities were reported by Alexander Tlyapov, Gleb Gritsai, Kirill Nesterov, Artem Chaykin and Ilya Karpov of the Positive Technologies Research Team and Security Lab. ICS-CERT reports that Honeywell has developed patch updates for the affected products, but does not say that the researchers have validated the efficacy of the patches.

The five vulnerabilities include:

• Heap-based buffer overflow - CVE-2014-9187;
• Stack-based buffer overflow - CVE-2014-9189;
• Arbitrary memory write - CVE-2014-5435;
• Directory traversal - CVE-2014-5436; and
• File inclusion - CVE-2014-9186

ICS-CERT reports that a moderately skilled attacker could remotely exploit these vulnerabilities to achieve remote code execution or potential information disclosure. I can find no information on the public Honeywell web site about these vulnerabilities.

HR 4007 – Expedited Approval Facility

This is part of a continuing discussion of the recently passed HR 4007, Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014. In this post I will be looking at new expedited approval facility provisions of HR 4007. The previous postings in this series were:

One of the suggested methods for reducing the backlog of site security plan approvals has been that there ought to be a simpler method for smaller, lower threat facilities to get their site security plan (SSP) approved. One suggested method has been to use a system similar to what the EPA uses for water treatment facility security; the facility would certify that it meets the security requirements specified in the Risk Based Performance Standards guidance document. Congress took this basic idea and made it a little bit more complicated when they created the expedited approval facility (EAF) program in §2102(c)(4).

DHS Requirements

To start this program off, the bill requires the Secretary to accomplish two tasks within 180 days of the bill being signed into law. They are:

● Issue guidance for expedited approval facilities that identifies specific security measures that are sufficient to meet the risk-based performance standards {§2102(c)(4)(B)(i)}; and

● Develop prescriptive site security plan templates with specific security measures to meet the risk-based performance standards under subsection (a)(2)(C) for adoption and certification by a covered chemical facility assigned to tier 3 or 4 in lieu of developing and certifying its own plan.

Actually the second item is permissive, not required, and there is no actual time limit associated with the Department’s publication of templates. I’ve included it here for two reasons: it is specifically mentioned in the EAF program {§2102(c)(4)(A)(ii)} and Congress gave the same exemption from the regulatory approval process that it gave the Secretary for development of the EAF guidance (see the previous post in this series for more details on this exemption).

After a facility makes its site security plan submission (as described below) DHS has 100 days {§2102(c)(4)(G)(i)(II)} to make a determination that the submitted plan is ‘facially deficient’; otherwise the plan is considered approved. The term ‘facially deficient’ means a {§2101(7)}:

(S)ite security plan that does not support a certification that the security measures in the plan address the security vulnerability assessment and the risk-based performance standards for security for the facility, based on a review of—

(A) the facility’s site security plan;
(B) the facility’s Top-Screen;
(C) the facility’s security vulnerability assessment; or
(D) any other information that—
(i) the facility submits to the Department; or
(ii) the Department obtains from a public source or other source

I’m not sure how the good folks at ISCD are going to get this review system set up, but they have been specifically authorized by this bill to employ contractors for conducting this sort of review (not making the final go/no go decision – that’s a purely governmental responsibility). Whether they can get it set up in time is a question for a future date. From the facility point of view, if they can’t get the review done in 100 days, it doesn’t matter; the plan is automatically approved.

Owner Requirements

Things get a little more complicated from the owner’s point of view. Let’s talk timelines first. The starting point for timelines for existing CFATS facilities that have had their security vulnerability assessments accepted by ISCD and have been assigned to Tiers 3 or 4 is 210 days after the bill becomes law (which is 30 days after ISCD is supposed to have their guidance document published). Facilities notified of their tier ranking after the bill is signed start on the date of their tier notification.

Facilities have 120 days to submit their site security plan and certification that the plan conforms to the guidance provided by ISCD. At least 30 days before the certification is sent, the facility must notify ISCD that they intend to certify as an expedited approval facility {§2102(c)(4)(D)(iii)}. Actually the certification is just a tad bit more complicated than that; the owner/operator certifies that {§2102(c)(4)(C)}:

(i) the owner or operator is familiar with the requirements of this title and part 27 of title 6, Code of Federal Regulations, or any successor thereto, and the site security plan being submitted;

(ii) the site security plan includes the security measures required by subsection (b);

(I) the security measures in the site security plan do not materially deviate from the guidance for expedited approval facilities except where indicated in the site security plan;
(II) any deviations from the guidance for expedited approval facilities in the site security plan meet the risk-based performance standards for the tier to which the facility is assigned; and
(III) the owner or operator has provided an explanation of how the site security plan meets the risk based performance standards for any material deviation;

(iv) the owner or operator has visited, examined, documented, and verified that the expedited approval facility meets the criteria set forth in the site security plan;

(v) the expedited approval facility has implemented all of the required performance measures outlined in the site security plan or set out planned measures that will be implemented within a reasonable time period stated in the site security plan;

(vi) each individual responsible for implementing the site security plan has been made aware of the requirements relevant to the individual’s responsibility contained in the site security plan and has demonstrated competency to carry out those requirements;

(vii) the owner or operator has committed, or, in the case of planned measures will commit, the necessary resources to fully implement the site security plan; and

(viii) the planned measures include an adequate procedure for addressing events beyond the control of the owner or operator in implementing any planned measures.

I expect that we will see the certification as a form in CSAT with check marks in the appropriate places. Oops, maybe not, as the bill clearly states that the certification must be “signed under penalty of perjury”. So I guess this will probably be another sign-and-send-to-ISCD form.
This post is starting to get more than a little long, so I’ll look at the compliance issues in another post.

Coast Guard Cybersecurity Standards RFI

Today the Coast Guard published a notice in the Federal Register (79 FR 75574-75575) requesting comments on the development of guidance for maritime cybersecurity standards. This RFI is closely associated with last Friday’s meeting notice (79 FR 73896-73897) about a January 15th public meeting in Washington, DC on the same topic.

The summary for the RFI notes that:

The Coast Guard is developing policy to help vessel and facility operators identify and address cyber-related vulnerabilities that could contribute to a Transportation Security Incident. Coast Guard regulations require certain vessel and facility operators to conduct security assessments, and to develop security plans that address vulnerabilities identified by the security assessment. The Coast Guard is seeking public input from the maritime industry and other interested parties on how to identify and mitigate potential vulnerabilities to cyber-dependent systems. The Coast Guard will consider these public comments in developing relevant guidance, which may include standards, guidelines, and best practices to protect maritime critical infrastructure.

The Coast Guard is focusing their cybersecurity concerns on the prevention of Transportation Security Incidents (TSI). A TSI is defined in 33 CFR 101.105 to be “a security incident resulting in a significant loss of life, environmental damage, transportation system disruption, or economic disruption in a particular area”. This would probably indicate a more specific focus on cyber-physical systems rather than the mainly informational system focus of the NIST Cybersecurity Framework.

In requesting this information the Coast Guard is looking for answers to some specific questions. They include:

• What cyber-dependent systems, commonly used in the maritime industry, could lead or contribute to a TSI if they failed, or were exploited by an adversary?
• What procedures or standards do vessel and facility operators now employ to identify potential cybersecurity vulnerabilities to their operations?
• Are there existing cybersecurity assurance programs in use by industry that the Coast Guard could recognize? If so, to what extent do these programs address vessel or facility systems that could lead to a TSI?
• To what extent do current security training programs for vessel and facility personnel address cybersecurity risks and best practices?
• What factors should determine when manual backups or other non-technical approaches are sufficient to address cybersecurity vulnerabilities?
• How can the Coast Guard leverage Alternative Security Programs to help vessel and facility operators address cybersecurity risks?
• How can vessel and facility operators reliably demonstrate to the Coast Guard that critical cyber-systems meet appropriate technical or procedural standards?
• Do classification societies, protection and indemnity clubs, or insurers recognize cybersecurity best practices that could help the maritime industry and the Coast Guard address cybersecurity risks? 

Public comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2014-1020). Comments should be submitted by February 17th, 2015. Reservations will be required for the January 15th public meeting. Reservations can be made via email (Josephine.A.Long@uscg.mil) and should be submitted by January 5th. There will be a live video feed available; access may be requested via the same email address.

Wednesday, December 17, 2014

HR 4007 – Current Site Security Plans

This is part of a continuing discussion of the recently passed HR 4007, Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014. In this post I will be looking at the effect that the passage of HR 4007 has on current site security plans. The previous postings in this series were:

Congress clearly intended that all of the 1370+ facilities with currently approved site security plans would not have to go back and redo those plans because of the passage of HR 4007:

“In the case of a covered chemical facility for which the Secretary approved a site security plan before the date of enactment of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, the Secretary may not require the facility to resubmit the site security plan solely by reason of the enactment of this title.” {§2102(c)(3)(B)}

What is not clear, however, is the status of site security plans approved between the date the President signs the bill into law (“the enactment of this title”) and the time that the regulations are finally updated to take into account the changes required by HR 4007. Actually it may be slightly more complicated than that, as there is still the date that the current authority for CFATS runs out and the new Title XXI takes effect, 30 days after the enactment of the bill.

First 30 Days

Since the bill does not spell out what happens in this period, the Secretary has the discretionary authority to either continue current operations as is or suspend operations pending the effective date of Title XXI. I suspect that current operations will continue as before with the current approval process. It would be helpful if there were a statement to that effect from DHS.

DHS may give Tier 3 and Tier 4 facilities a choice as to whether or not they would prefer to wait and see what the expedited security plan process looks like. This is not required by the legislation, but it would certainly fit with the intent of the legislation. If I were a Tier 3 or Tier 4 facility manager early on in the SSP approval process, I think that I would ask my Chemical Security Inspector if that option was available.

Site security plans approved during this interregnum fall into somewhat of a grey area. They do not have the legal protection of §2102(c)(3)(B) so this falls back to the Secretary’s discretionary authority and that can be changed by a Secretarial whim, particularly if no guidance is published. I do not see any advantage to ISCD to change this at some future date, but I surely think that a successful terrorist attack on a facility with an SSP approved during this period would result in a quick change in policy.

Title XXI and Expedited Approvals

The other time period that is going to be fraught with some potential for conflicts is the time between the effective date of Title XXI and the issuance of the guidance for Expedited Approval Facilities document. Tier 3 and Tier 4 facilities with site security plans approved during that 180 day period will certainly be reviewing that guidance document and will be second guessing the cost of their security plans.

It is almost a certainty that some facilities will find that the EAF plan will be less expensive than the one approved by ISCD. There will be requests from facilities with approved plans to be able to opt out of those plans in favor of the EAF plan. It would be helpful if ISCD had a policy in place (publicly in place) on how they planned to deal with such requests.

Policy Decision

ISCD needs to make up its mind on how it intends to deal with these issues. No one expects that they will stop doing site security plan approvals while this transition is underway; there has been just too much pressure to complete the SSP approval process. But they do owe it to the regulated community (and their physical and corporate neighbors) to be clear about how they will deal with the situations described above.

Many facilities awaiting SSP approvals have already spent the bulk of the money that their plans require so they have little incentive to wait out the publication of the EAF document. Facilities that are facing large future expenditures for their SSP will almost certainly want to take a wait and see attitude in the hope of lower cost compliance options. Making that decision effectively can only be done if all of the facts (in this case policy facts) are known.

Tuesday, December 16, 2014

ICS-CERT Publishes Schneider Advisory – Misses (again) Siemens Update

This afternoon the DHS ICS-CERT published a new advisory for five command injection vulnerabilities reported by Schneider last week and missed the latest BlackEnergy Siemens update for PCS 7.

Schneider Advisory

This advisory describes the five vulnerabilities reported by researchers Ariele Caltabiano, Andrea Micalizzi, and Brian Gorenc via ZDI in Schneider Electric’s ProClima software package. The ActiveX vulnerabilities are:

• MDraw30.ocx control, 3 vulnerabilities: CVE-2014-8513, CVE-2014-8514, and CVE-2014-9188;
• Atx45.ocx control, 2 vulnerabilities: CVE-2014-8511 and CVE-2014-8512.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to induce a buffer overflow situation that could allow for remote code execution. The link to the Schneider advisory is currently reporting ‘http status 404’.

ICS-CERT reports that Schneider has produced an update that mitigates the vulnerabilities. They do not say that the researchers have verified the efficacy of the fix.

Siemens Update

This morning Siemens ProductCert tweeted that they had just updated their WinCC/PCS 7 advisory that ICS-CERT had previously linked with some of the BlackEnergy attacks. Siemens reported that they had produced an update for PCS 7 V7.1 SP4. This only leaves WinCC V7.0 SP3 without a fix in place. Siemens is working on that and will further update their advisory when that becomes available. ICS-CERT will presumably get around to updating their advisory.

HR 4007 – Implementation Deadlines

This is part of a continuing discussion of the recently passed HR 4007, Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014. In this post I will be looking at the various implementation deadlines set by Congress. The previous postings in this series were:

Congress has been fairly vocal about the delays in getting site security plans approved, so it is not unexpected that there were a number of very specific implementation deadlines put into this legislation. Some of them are very tight deadlines that don’t take into consideration review requirements outside of DHS.

CFATS Repeal

The bill is very clear that, in general, the current CFATS regulations will continue in force with some changes. Section 2107(b)(1) states that “each existing CFATS regulation shall remain in effect unless the Secretary amends, consolidates, or repeals the regulation”. And it is important to note that the term ‘existing CFATS regulation’ is specifically defined {§2101(5)} to include any guidance documents published in the Federal Register. This would include the Risk Based Performance Standards guidance document and the Clarification to Chemical Facility Anti-Terrorism Standards; Propane and presumably the current Agricultural Facilities Time Extension Notification.

Having given with the one hand, however, Congress required the Secretary of DHS to take away with another. In §2107(b) the bill would require that:

“Not later than 30 days after the date of enactment of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, the Secretary shall repeal any existing CFATS regulation that the Secretary determines is duplicative of, or conflicts with, this title.”

Now I have not had the time to go through the current regulations and see what, if any, of the current provisions of 6 CFR Part 27 may be “duplicative of, or conflicts with, this title”. Even though the bill has not yet been signed into law, I’m sure that the Secretary has at least a couple of lawyers looking at this requirement.

Unfortunately, even with the best of intentions and unlimited lawyer power, I am afraid that the Secretary is going to have a hard time meeting this deadline. Forgetting for the moment the amount of time lost to holidays and the resultant short staffing in any agency at this time of year, even if the Secretary meets the 30 day deadline to produce such a regulation change, it will probably take another 30 to 60 days for it to be processed through OMB.

Also, I’m not sure that this requirement is specific enough to allow the Secretary to avoid the publish and public comment process required by 5 USC 553.

Facility Outreach Program

Section 2109 gives DHS just 90 days to establish an outreach program to help identify potential chemical facilities of interest (think back to the West Fertilizer incident) and to “make available compliance assistance materials and information on education and training” {§2109(2)}. Since the Department has done a great deal of work on this topic since the publication of Executive Order 13650 (see requirement here) this requirement should be fairly simple to complete.

Expedited Approval Facilities

As I mentioned in my last post the Secretary is required to come up with a program to help Tier 3 and Tier 4 facilities expedite the site security plan approval process. This is essentially a program where the facility can self-certify that their plan meets the minimum risk based performance standards associated with a facility at their level of risk.

There are actually two prongs to this program, both of which DHS is required to have up and running within 180 days of the bill being signed. Both are set forth in §2102(c)(4). First it requires that the “Secretary shall issue guidance for expedited approval facilities that identifies specific security measures that are sufficient to meet the risk-based performance standards” {§2102(c)(4)(B)(i)}.

Then it allows the Secretary to “develop prescriptive site security plan templates with specific security measures to meet the risk-based performance standards under subsection (a)(2)(C) for adoption and certification” {§2102(c)(4)(H)(i)}.

To aid in DHS being able to meet this deadline Congress has allowed that the Department should not be subject to the administrative rulemaking provisions of 5 USC 553 (publish and comment requirements) or 44 USC Chapter 35, Subchapter I (clearance through OMB’s Office of Information and Regulatory Affairs). These exceptions to the regulatory process will certainly make things easier for ISCD to publish a final guidance document as they essentially have carte blanche to do things their way.

Congress could justify moving this outside of the normal rulemaking process because any Tier 3 or Tier 4 facility has the full option to use this expedited approval method in full or in part or not at all. This means that the guidance cannot ‘really’ be a burden on anyone.

Whistleblower Protections

One of the provisions that was added to this bill to make it easier to obtain bipartisan support was the whistleblower protections set forth in §2105. This requires the Secretary, within 180 days, to “establish, and provide information to the public regarding, a procedure under which any employee or contractor of a chemical facility of interest may submit a report to the Secretary regarding a violation of a requirement under this title” {§2105(a)(1)}.

Setting up the reporting and investigation mechanisms may be possible within the 180 day time frame, but this will also require the publication of a regulation (actually just an addition to 6 CFR 27) and Congress did not try to exempt DHS from the normal regulatory process for this requirement. Since this will place a potential ‘burden’ on every ‘chemical facility of interest’ (NOT just CFATS facilities) the normal process will have to be followed.

Various Reports

All of the remaining time deadlines for implementation processes deal with reports to Congress. And no one (besides some beleaguered staffers at ISCD and various congressional committees) cares about those. 

Sunday, December 14, 2014

HR 4007 – An Overview

While we are still waiting on the President to sign this bill into law (which he is fully expected to do considering the Administration’s vocal support of the measure) it would seem that this on-going discussion about HR 4007 should start with an overview of the provisions of the bill. The previous posting in this series was:

Table of Contents

The general layout of the bill includes five sections:

SEC 1. Short Title – Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014;
SEC 2. Chemical Facility Anti-Terrorism Standards Program – Codifies the CFATS program in 6 USC Title XXI;
SEC 3. Assessment; Reports – Provides for a series of reports to Congress about the performance of the program;
SEC 4. Effective Date; Conforming Repeal – Changes the authority for the CFATS program effective 30 days after this bill is signed into law; and
SEC 5. Termination – Provides for the termination (barring future Congressional action) of the CFATS program 4 years from the date the bill is signed.

The meat of the program is laid out in §2 with 9 new sections added to the US Code:

Sec. 2101. Definitions.
Sec. 2102. Chemical Facility Anti-Terrorism Standards Program.
Sec. 2103. Protection and sharing of information.
Sec. 2104. Civil enforcement.
Sec. 2105. Whistleblower protections.
Sec. 2106. Relationship to other laws.
Sec. 2107. CFATS regulations.
Sec. 2108. Small covered chemical facilities.
Sec. 2109. Outreach to chemical facilities of interest.

What the Bill Does

First and foremost this bill codifies the CFATS program and takes it out of the annual renewal in the DHS spending bill process. It establishes a 4 year term for the program, subject to future renewals of this authorization by the Congress. In many ways it also makes it easier for Congress to make incremental changes to the program.

The legislation does add some new components to the current CFATS program, including (a more detailed discussion of these additions will be seen in future posts):

• An expedited approval process for site security plans at Tier 3 and Tier 4 facilities;
• The establishment of a whistleblower protection program;
• A requirement to include employee participation in the development of site security plans; and
• Special assistance programs for small chemical facilities.

Interestingly, for the two complicated new processes included in the expedited approval program the bill specifically exempts the Secretary from having to go through the ‘publish and public comment’ regulatory approval process. This is the only way that the tight timeline (180 days) for these two programs could be accomplished.

There is nothing in the bill that specifically repeals anything in the current program. It does, however, provide some more in depth guidance to clear up what has been seen as ‘problems’ within the program. These include (again more details in later posts):

• Additional guidance on the personnel surety program;
• Provision of specific authority to provide guidance on what security measures to include in a site security plan;
• Authority to use inspectors from other government agencies and contractors;
• Risk assessment methodology;
• Changes in Tiering;
• Clarification of enforcement authority; and
• Outreach to chemical facilities of interest.

What is Missing

If I had been writing this legislation there are some additional areas that I would have included to make this a truly comprehensive chemical facility security bill. These could have included:

• Guidance on updating the list of DHS Chemicals of Interest (COI; Appendix A to 6 CFR Part 27);
• Inclusion of the ammonium nitrate security program;
• Guidance on coordination with the Coast Guard on chemical security at MTSA facilities and the NRC on chemical security at nuclear power generation facilities;
• A clear definition of what railroad related facilities could be included in the facilities of interest definition;
• Some sort of discussion about cyber-security requirements; and
• Clear guidance on the status of agricultural facilities as potential facilities of interest.

What is good about the passage of HR 4007, however, is that the heavy lifting on chemical security has now been done and the details (like those mentioned above) can be dealt with on a piecemeal basis.

Saturday, December 13, 2014

Reader’s Questions – CFATS Internal Audits

Earlier this week I had an interesting question from a long time reader; he asked:

I was wondering if you had any news and/or statistics on how many entities with approved SSPs/ASPs have done their annual audit? 

At first I thought that he was talking about the compliance inspection that DHS is supposed to do one year after the site security plan is approved, but he corrected my misconception by reminding me about the requirements of 6 CFR 27.225(e):

“A covered facility must conduct an annual audit of its compliance with its Site Security Plan.”

This is pretty standard language for a large number of Federal programs that require companies to develop a plan on how to do something. It requires that the company goes back and verifies that they are still complying with the plan on a recurring basis. Many companies overlook this type of requirement since there is no requirement to submit any data or reports about the audit. Even companies that make an honest effort to follow the spirit and letter of the law seldom do more than a pro forma look at their existing plan to ensure that they are still in compliance.

If a facility wants to do a real audit of their SSP, what are the types of things that they need to look at? Lacking any specific guidance from ISCD (and your Chemical Security Inspector would be a good person to talk to about any current guidance), here are some things that you might want to pay particular attention to (WARNING: This is my opinion and has not been verified with ISCD):

Status of planned security measures – If the approval of your SSP included any planned security measures you need to ensure that the agreed upon plan for their implementation has been followed. You are certainly required to report deficiencies in that implementation plan to ISCD.

CVI certification – Fortunately the CVI certificates that were obtained at the beginning of the CFATS process are all still good. But, if any new people were added to the program administration (people with significant responsibilities under the SSP) you need to ensure that they have also obtained CVI certification. If they haven’t, geterdone.

Training files – Ensure that your other training files are also up to date. This specifically includes awareness training for all new employees and contractors.

Exercise files – Remember that plans (both security and emergency response) that are not exercised are likely to fail in a real situation. Make sure that you document the exercises and the after-action reviews. If those reviews indicated that changes were required for your SSP, those changes would need to be approved by ISCD.

Cybersecurity – A lot has changed in the cybersecurity world in the last year, particularly in the realm of control systems. This would be a real good time to have a cyber-security consultant come in and take a fresh look at your system. If you’re fortunate enough to have your own cybersecurity experts, this would be a good time to do a CSET review.

Verify your CSAT Team – Go back and verify that the Authorizer, Preparers, Submitter and Reviewers are still the people that you want in those positions. Update as necessary. BTW: It looks very bad if one of the people currently listed in these positions with ISCD no longer works for the company. If you don’t know who all is listed, contact the CFATS Help Desk {Phone (866) 323-2957}.

Review the threat landscape – The facility security officer should have a good relationship with the closest fusion center and local law enforcement. Talk with them about their view of the current threat landscape in your area.

There are other things that should be looked at in the audit; actually everything should be. But, if you hit the above list hard and do a standard read and review of the rest, you will probably be in good shape. 

HR 4007 Sent to the President

This week saw Congress take a serious step forward in helping to assure that chemical facilities across the country would be protected against a terrorist attack by passing HR 4007, the first comprehensive chemical security bill passed by Congress. As much as Democrats and Republicans have disagreed in the past about how to accomplish chemical security the votes this week were without significant debate.

To be sure there was considerable work done behind the scenes by the staffs of both the House Homeland Security Committee and the Senate Homeland Security and Governmental Affairs Committee working out compromises that both sides could live with. Even so there were some last minute changes made to the bill that ease the concerns that a few unidentified Senators had. Without those changes the bill never would have come up for a vote in the Senate and we would still have to continue limping along on an appropriations bill to appropriations bill basis for the CFATS program.

We are going to have to have at least one more extension (maybe two) of the current §550 authorization of the program to allow the new program authorized by the new ‘Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014’ to take effect once it is signed by the President (probably next week). The new legislation will not erase, or necessarily make serious changes to, the current CFATS regulations under 6 CFR Part 27. Rather it will codify (under 6 USC Title XXI) most of the existing program and provide a four year authorization of the program.

In many ways the hard part is just starting. The folks at the Infrastructure Security Compliance Division (ISCD), in addition to having to continue to enforce the current regulations, will have to develop a number of new processes and guidance documents and to craft some changes to the current regulations to implement what Congress has now directed. Some of this will have to go through the normal, time consuming regulatory revision process, but significant changes have been specifically exempted from that process in the legislation so that they can be implemented in an expeditious manner. It will be interesting to see how that works out.

Over the next couple of days, I will be looking at what is included in the final legislation and how DHS might go about implementing the changes. The clock does not start on any of these changes until the President signs the bill into law, but I’m pretty sure that ISCD has already informally started work on putting a plan together to implement the new requirements.

Friday, December 12, 2014

Bills Introduced – 12-11-14

As the last week (hopefully) of the 113th Congress finishes up there were 54 bills introduced yesterday in the House and Senate. Two of those (at any other time of the session) might be of specific interest to readers of this blog:

HR 5855 - To require a report on procurement supply chain vulnerabilities within the Department of Defense. Sponsor - Rep. Grayson, Alan [D-FL-9]

HR 5868 - To provide for a study by the Transportation Research Board of the National Academies on the impact of diverting certain freight rail traffic to avoid urban areas, and for other purposes. Sponsor - Rep. Ellison, Keith [D-MN-5]

Not much chance of either of these coming to the floor in the House, much less getting to the President, so I doubt that I’ll even bother trying to report on them once they’re printed.

Thursday, December 11, 2014

ICS-CERT Updates Siemens Advisory

This afternoon the DHS ICS-CERT updated their advisory for the Siemens vulnerability that they recently noted may be involved in some of the BlackEnergy attacks. Siemens reported two additional product variants for which there is now a version that is resistant to the exploit of this vulnerability. Neither Siemens nor ICS-CERT have yet identified exactly what the vulnerabilities are; just what could result from a successful exploit. Hopefully that will change when the last two products are also protected.

I was a little surprised to see ICS-CERT get this update out this afternoon; after all Siemens only published their version this morning. I guess that now that ICS-CERT thinks that this might be involved in the BlackEnergy series of attacks (that ICS-CERT is only really explaining in classified briefings), they think that it may be important to get this information out to owners of potentially affected systems.

Wednesday, December 10, 2014

Ammonia Leak Sends Employees to Hospital

A Reuters report today describes a leak at a food processing plant in Rogers, AR that ended up sending 18 employees to a local hospital for ‘evaluation and treatment’. The chemical involved was anhydrous ammonia and it was almost certainly released from the refrigeration system used to cool/store poultry. This is not an unusual occurrence and just about every fire department of any size will have to respond to one of these leaks at some point.

Anhydrous Ammonia

Anhydrous ammonia (AA) is the second most widely used toxic gas in the United States. AA is a toxic inhalation hazard gas; it has the capability of killing people exposed to relatively small concentrations of the gas. Along with its industrial cousin chlorine gas, AA is used, in spite of its hazards, because it is such a versatile chemical. It is used as a chemical intermediate in the manufacture of a number of products including fertilizers, explosives, and pharmaceuticals. It is directly applied to the soil as a fertilizer.

Farm Exposures

There are two uses where accidental ammonia exposures are most common: during transportation to and from farms in small tank trailers towed by tractors or farm trucks, and in leaks from refrigeration systems. The farm related spills are usually in isolated rural areas and rarely affect anyone beyond the farmer/driver, who is typically very experienced at holding his breath and heading upwind out of the small ammonia cloud.

Refrigeration Exposures

Refrigeration related incidents are about as common, but typically affect a larger number of employees who have a harder time getting out of the ammonia cloud as it is usually contained within a building.

Fortunately, ammonia is a ‘friendly’ toxic gas. While the immediately dangerous to life and health (IDLH) limit for ammonia is 300 ppm it is easily detectable by smell at concentrations as low as 5 ppm (even lower in some people). The pungent odor tends to drive people away from leaks.

AA is used in many commercial scale refrigeration systems because of its low cost and high heat transfer capability. Most exposures in this environment are from small leaks at joints in the piping system. If the process areas where the piping is found are properly monitored, these leaks are seldom more than maintenance problems, but typically require local evacuations within the building to avoid unnecessary exposures.

More serious exposure issues are normally due to venting issues. Any gas storage system has to be protected against over pressurization. Failure to do so can result in a catastrophic loss of pressure situation where the vessel fails in what really does look like an explosion and causes significant amounts of physical damage and a large toxic cloud. To avoid that situation, engineers design relief systems that vent off (release) excess pressure to the atmosphere (or preferably to a scrubber system). Since AA is lighter than air, venting small amounts to the atmosphere is frequently not noticed.

Bad Venting

When vent systems are not properly designed or when emergency venting takes place during line-breaks (opening the pipes that carry the AA for maintenance reasons) you can have real problems. This is particularly true when the venting takes place close enough to an air handling system intake that the gas cloud does not rise above the intake by the time it reaches that space on the roof. The typical HVAC system is not designed to remove AA before pumping the contaminated air into living and working spaces.

That is what appears to have happened in this case. During maintenance operations a line containing anhydrous ammonia was opened too close to an air-conditioning system intake. It was apparently a relatively small leak as the article does not mention anyone being seriously injured or being held overnight for observation.

I have worked around ammonia gas (from ammonium hydroxide not the more dangerous anhydrous ammonia) and even exposures to low concentrations in the air can be very irritating to eyes, nose, throat and lungs. I’m one of the unfortunate few that experience temporary blindness at relatively safe levels of ammonia exposure, so I fully understand why exposed employees are routinely transported to emergency rooms for observation and treatment. The immediate effects of moderate exposure are very unpleasant, but there is usually no long term damage.