Saturday, August 29, 2015

SSI Program Information and Accessibility

Part of the work that I do to keep up to date on programs that I write about here on this blog is to periodically check a number of web sites to see what changes have been made. One of the web sites that I check every Saturday is the web site for the TSA’s Sensitive Security Information (SSI) program. I’m not providing the link (okay I will) to that site since it no longer exists and hasn’t for three weeks now.

It was an information packed site. It provided links to program documents, explanations of terms, training requirements; all sorts of good information that anyone dealing with SSI would like to have handy to make sure that they were compliant with the regulations.

The first weekend that it was down (and I’m not talking about a standard 404 error message, but a nice pretty TSA ‘Page Not Found’ message) I wrote it off as one of those glitches that periodically happens on the internet. The second week I fired off a request to TSA asking about what was going on with their SSI web site. This week I got a very nice email from the SSI folks. It explained that:

“TSA recently deployed a new website which could only contain 508-compliant material. The SSI Program is currently working with Public Affairs to convert our programmatic content so that it is 508-compliant and may be loaded to the site.”

For those of you who do not readily understand government speak the term ‘508-compliant material’ refers to the requirements of §508 of the Rehabilitation Act of 1973 (29 USC 794d) as amended in 1992 by §509 of the Rehabilitation Act Amendments of 1992 (PL 102-569). In short the Federal government is required to provide equal access to information to people with disabilities. In this particular instance I would presume that that means people who cannot see the information on the web pages.

Now TSA information on the internet is hard enough to access for people with perfect vision, I can only imagine how hard it would be to find anything TSA related if I were visually impaired. So I whole heartedly endorse anything that makes access to this information easier for anyone, particularly those with physical disabilities.

What I find hard to understand, however, is how TSA could have deployed a new disability friendly web site without ensuring that all of the content was §508 compliant first. That does not make any sense to me.

Because of that inexcusable oversight we have gone at least three weeks now without information being available on this critical security program. The average small to medium business does not have professionals on staff that are fully up to speed on each and every Federal security program and it is sites like this currently missing site that made it possible for such enterprises to have some hope of complying with Federal mandates.

The SSI program is especially important when it comes to companies sharing security information with the Federal government. It is only possible for companies to protect security information that they share from public disclosure under the Freedom of Information Act if they properly request that the information be considered SSI. If an organization does not properly request SSI information protection of data shared with the government then it is not protected.

Without this site being available, the average small to medium company is not going to have a reasonable way of knowing how to protect their transportation security related information from public disclosure when it is shared with a Federal government agency.

There is currently no information available on how long it is going to take the TSA to convert their SSI program information to a §508 compliant format. In the meantime, the friendly email I received did provide an email point ( of contact for anyone needing information on SSI program needs. Of course, that isn’t a very large office and too many information requests will prevent them from doing their other SSI related work. It sure would be nicer if the web site had not been taken down.

Thursday, August 27, 2015

ICS-CERT Updates 2 Siemens Advisories and Publishes 3 New Advisories

Today the DHS ICS-CERT updated two advisories for Siemens products from earlier this year and then published three new advisories for products from Siemens, Innominate mGuard and Moxa.


This update is for an advisory originally published in April and updated in April and July. This adds additional clarification as to the versions of the previously listed products are affected. Similarly the update provisions have been updated. It also added update instructions for TIA V12 SP1 devices and WinCC V7.2.

SIMATIC STEP 7 TIA Portal Update

This update is for an advisory originally published in February. This adds additional clarification as to the versions of the previously listed products are affected. An update has been added for SIMATIC STEP 7 (TIA Portal) V12 SP1.

Innominate mGuard Advisory

This advisory describes a denial-of-service (DoS) vulnerability in the Innominate mGuard device. This vulnerability has bee self-reported. Innominate has produced a firmware patch to mitigate this vulnerability.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to cause a temporary DoS condition in the VPN daemon on the device. Innominate reports that a successful authentication via X.509 certificate or PreShared Secret Key is required to exploit the vulnerability.

Siemens SIMATIC S7-1200 Advisory

This advisory describes a cross-site request forgery vulnerability on the Siemens SIMATIC S7-1200. This vulnerability was reported by Ralf Spenneberg, Hendrik Schwartke, and Maik Br├╝ggemann from OpenSource Training. Siemens has produced a firmware update to mitigate the vulnerability. There is no indication that the researchers have been afforded the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to perform actions at the level of the victim user.

Siemens reports that there are different firmware updates for Standard CPUs and Fail-safe CPUs.

Moxa Softcms Advisory

This advisory describes two different types of buffer overflow vulnerabilities in the Moxa Softcms software package. The vulnerabilities were reported by Carsten Eiram of Risk Based Security and Fritz Sands. The HP Zero Day Initiative coordinated the disclosures on these vulnerabilities. Moxa has released a new version of the software to mitigate these 9 separate vulnerabilities. There is no indication that the researchers have been given the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a moderately skilled attacker could remotely exploit these vulnerabilities to allow remote code execution.

BTW – ICS-CERT has included a formal note on their landing page that they have updated their PGP public key and they have corrected the bad link that I identified in my blog post Tuesday.

Tuesday, August 25, 2015

ICS-CERT Publishes Repetitive Hart DTM Advisory

Today the DHS ICS-CERT published another advisory for the CodeWrights Hart-DTM vulnerability that was originally reported in January. This time it was for a large number of devices from Endress+Hauser. Interestingly Endress+Hauser had already been added to the latest version of the CodeWrights version (C) of the advisory published in February.

The only new information in this advisory in this new advisory is the extensive list of E+H affected products and the fact that E+H had finally gotten around to updating the version of the CodeWrights library that they were using.

Nothing to see here move along.

Oh wait. There was an interesting tweet from ICS-CERT this afternoon before they announced the new advisory. It seems that they have recently updated/revised/whatever their public PGP key for secure submission to ICS-CERT. This is certainly important news. Fortunately they tweeted it because there is nothing on their web page that indicates that the key had been changed.

Instead of providing a direct link to the PGP key they send you to the main landing page. To find the link to the key you have to scroll all the way to the bottom of the page and click on “Download PGP/GPG keys”. This is NOT a download link but a link to the page where you can copy the PGP key.

I got there by a slightly more circuitous route starting with clicking on the “Report an Incident” button near the top of the same page. That page provides some interesting information on reporting stuff to ICS-CERT and is good to know. Near the bottom of the page it says:

“Organizations can download our PGP key at

Don’t waste your time clicking on that link unless you want to see the ICS-CERT 404 page; nothing special there. Fortunately there is the same “Download PGP/GPG keys” link on the bottom of this page to take you to the real PGP key.

At least I think this is the new key. Nothing on the web site mentions that the key has been changed. This is getting to be a real problem on the ICS-CERT web site. There is no way to tell if something is new or old.

Homeland Security Committee Reports HR 1073

Before leaving Washington for the summer recess, the House Homeland Security Committee filed their report on HR 1073, the Critical Infrastructure Protection Act (CIPA). There are no changes to the bill beyond what I already reported, but there is some discussion about the one controversy surrounding the bill.

EMP vs Geomagnetic Storm

Section 2(a) of the revised bill amends 6 USC 101 by adding the definition of ‘EMP’. That definition includes both intentional man made electromagnetic pulse events and geomagnetic disturbances caused by solar storms.

On page 7 of the Committee Report there is a discussion about the difference between the two types of events. It clearly states that:

“The committee is aware of the concerns of industry in the possible confusion between pulses caused by intentional means, such as a high altitude nuclear weapon detonation, and those caused by natural phenomena such as solar storms. The magnitude and the temporal duration of the energy released are very different.”

Ranking Member Thompson (D,MS), in his ‘additional view’ response to the report on page 19, further explains the distinction between the two types of events this way:

“An EMP event is manmade and expected to impact all microprocessors. A GMD is naturally-occurring and expected to impact primarily bulk power and communication systems.”

This, of course means that the mitigation measures undertaken to lessen the effects of the two types of events will be different. They will both need to provide similar protections of the electric grid, but an EMP event would also have to protect a much wider variety (and much larger number) of electronic devices throughout the country to be effective.

Moving Forward

Because the bill allows no regulatory action or the spending of any new money this bill passed in Committee by a voice vote, even considering Thompson’s concerns. I would expect this bill to see the same bipartisan support on the floor of the House where it will almost certainly be considered under the ‘suspension of the rules’ process with limited debate and no amendments. There is a very good chance that this bill will reach the floor before the end of the fiscal year even with everything else that will be going on the House.


While the Committee noted that the intent of their EMP definition was to “keep these electromagnetic pulse initiating events distinct and separate, as well as the resulting impact on critical infrastructure such as the electric power grid” (pg 7) it would seem to me that defining the two terms separately and requiring planning and research activities to address both types of events would have made that distinction clearer.

This is not just a semantic distinction. It may be possible to protect the electric grid from a geomagnetic storm (GMS) event, or at least provide adequate spare parts to get substantial parts of the grid back into operation in a reasonable time after such an event. All it would take is large sums of money. The problem with a large scale EMP event is that while many of those same grid protection measures may be useable to mitigate an EMP event’s effect on the grid, the larger problem of the destruction of nearly all electronic devices within line of site of the nuclear device initiating the EMP event cannot practically be mitigated.

Smaller scale, non-nuclear EMP attacks (like that shown in the movie Oceans Eleven), are of course a different matter. Their small scale and relatively limited impact would still be much more difficult to mitigate than a similar scale GMS event, again because of the simultaneous destruction of microprocessor based devices. But, depending on the size of the device used, it may be possible to throw enough money at the problem after the attack to allow for a reasonable recovery.

This bill will move to the Senate in its current form. There is a remote chance that it will be revised by the Senate Homeland Security and Governmental Affairs Committee before it comes to a floor vote, but I suspect that it will move straight to consideration on the floor of the Senate by unanimous consent.

This means that we will have to rely on DHS to make a reasonable distinction between these two types of events. Hopefully they would use their limited resources (again no new resources are being authorized in this bill) to concentrate on the GMS threat and pretty much ignore the EMP event. Spending any time or money on the EMP threat will achieve nothing but detracting from other work on more likely threats.

Thursday, August 20, 2015

ICS-CERT Updates Two Rockwell Alerts

This afternoon the DHS ICS-CERT updated two alerts that it issued for Rockwell PLC’s last week. The updated alerts (here and here) have the same, single-sentence addition made:

“This vulnerability was discovered by Aditya K. Sood and presented by him at DefCon 2015 in Las Vegas, Nevada, on August 8, 2015.”

This means that all six of the DefCon related alerts that ICS-CERT published last week come from the same talk. Strange that none of the other talks about ICS security matters merited an alert, advisory or update of a previously issued advisory.

Tuesday, August 18, 2015

PHMSA Publishes 30-day ICR for 3 Hazmat Paperwork Requirements

The DOT’s Pipeline and Hazardous Material Safety Administration published a 30-day information collection request notice in today’s Federal Register (80 FR 50070-50071) for revisions to three separate hazardous material shipping paperwork ICRs:

Hazardous Materials Shipping Papers & Emergency Response Information (2137-0034);
Radioactive (RAM) Transportation Requirements (2137-0510); and
Subsidiary Hazard Class and Number/Type of Packagings (2137-0613)

Hazmat Shipping Papers

This ICR is being revised to reflect the termination of the pilot of the electronic shipping papers under the Hazardous Materials Automated Cargo Communications for Efficient and Safe Shipments program. This reflects a reduction in burden hours due to the elimination of the voluntary double reporting requirements for organizations participating in the pilot.

RAM Requirements

There is no change in the burden estimate for this ICR. The early resubmission for this ICR renewal is due to the two-year approval on the last renewal request because PHMSA failed to include some of the required paperwork in their data submission.

Subsidiary Hazard Class

There is no change in the burden estimate for this ICR. This is a simple renewal with no apparent change in the information collection.

Public Comments

As always public comments are being solicited on the ICR renewals. Comments can be emailed to OMB’s Office of Information and Regulatory Affairs (OIRA; Comments should be submitted by September 17th, 2015.


These ICR notices are typically a pro-forma exercise that are usually ignored by everyone. The problem is that it frequently takes some digging to find out if minor changes are actually be made to the collection requirements. Even when there are no apparent changes (like in the last two ICRs in this notice) we cannot not tell that for sure because there is a shortage of information provided in these notices. We won’t be able to tell for sure if there were minor changes made to the collection requirements until the ICR approval is published on the OIRA web site as that site will have copies of the actual information submitted to OIRA not just this brief summary material.

S 2007 Introduced – Federal Cybersecurity Personnel Management

Just before the summer recess Sen Bennet (D,CO) introduced S 2007, the Federal Cybersecurity Workforce Assessment Act. This bill specifically deals with the federal employees that hold positions that “require the performance of information technology, cybersecurity, or other cyber-related functions”, but it would have both short term and long term consequences for the civilian job market in these areas.

Workforce Measurement

Section 3 of the bill would establish the National Cybersecurity Workforce Measurement Initiative. It would require:

The Secretary of Commerce to update the National Initiative for Cybersecurity Education’s Cybersecurity Workforce Framework to include establishing employment codes for positions that require the performance of information technology, cybersecurity, or other cyber-related functions {§3(b)(1)(A)};
The Secretary to establish procedures to identify all federal positions meeting the coding requirements established above {§3(b)(1)(A)}; and
All Federal government agency heads would be required to identify positions within their agencies that meet those coding requirements under the procedures established above {§3(a)};

The section then goes on to require each agency to report to their respective congressional oversight committee an assessment of their workforce meeting the newly established employment coding requirements. That assessment would include {§3(b)(1)(D)}:

The percentage of those personnel that “currently hold the appropriate industry-recognized certifications as identified in the National Initiative for Cybersecurity Education’s Cybersecurity Workforce Framework;
The level of preparedness of other civilian and non-civilian cyber personnel without existing credentials to pass certification exams; and
A strategy for mitigating any gaps identified in clause (i) or (ii) with the appropriate training and certification for existing personnel.

Cyber-Related Roles of Critical Need

Section 4 of the bill would require each Federal agency head to report to the Office of Personnel Management identifying and justifying the “information technology, cybersecurity, or other cyber-related roles of critical need in the agency’s workforce” {§4(a)}. In turn the Director of OPM would provide agencies with procedures for identifying those critical need positions with ‘acute skill shortages’ or ‘emerging skill shortages’.

Finally two years after the enactment of this bill OPM would prepare a report to Congress on the implementation of this process.

Moving Forward

While Sen. Bennet is not a member of the Senate Homeland Security and Governmental Affairs Committee (the Committee designated to consider this bill) his co-sponsor, Sen. Portman (R,OH) is a relatively senior member of that Committee. Thus, there may be enough political pull to get this bill considered in the Committee.

Since there are no new funds included in the bill, and it essentially only requires reporting to Congress about the well-known problems in the Federal cybersecurity workforce, there would be little opposition to passage of this bill if it were to make its way to the floor of the Senate. I don’t see any quick action in that direction with all of the other priorities that the congress faces in the next couple of months.


This bill has an unfortunately common failure of not defining critical terms. One important term used here is ‘appropriate industry-recognized certifications’. It leaves that term to be defined by the Cybersecurity Workforce Initiative. Looking at their web site they turn to the Department of Labor for a listing of such certifications. The list provided for certifications of ‘information security analysts’ includes 148 certifications from over 30 different organizations.

If this bill were to be enacted, there would obviously be a push by most agency heads to increase the number of IT and cybersecurity personnel had ‘appropriate’ certifications. Since no additional funding would be provided, efforts would be focused on those certification programs that cost the least amount of money. Even so, the money would have to come from someplace in the agency budgets so other discretionary budget items would be adversely affected.

This emphasis on certifications would also have a significant impact on the hiring process. With this being a reportable statistic it is almost certain that if the bill passes all new hires would be required to have some sort of IT or cybersecurity certification.

All of this ignores the ongoing discussion within the cybersecurity community about certifications and qualifications in general. The control system security community in particular is still a fairly young community with a significant percentage of practitioners either being self-trained or having learned their craft in an informal apprenticeship program. At this stage in the development of the field reputation still counts more than degrees or certifications.

But this bill does point out, by default, the problems that hiring managers are facing as the field grows at a tremendous pace, with job postings increasing every day. How does a hiring manager ensure that a candidate is qualified for a job? The IT side of the house is a little bit easier as there have been degree programs for IT specialists for quite some time. This is much less true in the cybersecurity realm and degree programs for control system security practioners are few and far between.

If the Federal government moves to relying on certification programs (and I think that is almost inevitable whether or not this bill passes) industry is going to follow in those footsteps. The cybersecurity community needs to start thinking about how it wants that certification process to look like and how it will be controlled. Is it practical for there to be 30 different certifying organizations putting out 148 certification programs for information security analysts? Do we eliminate ineffective certification programs or do we need a ranking system that points to the certificates that imply a higher level of skill and working knowledge?

This debate needs to be seriously undertaken and resolved by the cybersecurity community now or the Federal government is going to step in and establish their own rules. We have all seen how effective that can be.

Sunday, August 16, 2015

Chemical Facility Fire in Texas

Friday afternoon there was a fire at a chemical facility in Conroe, TX. The facility was a supplier of drilling chemicals for the oil field. Interesting news accounts here, here, here, here and here.


There are a wide variety of chemicals used by the crude oil drilling industry. Many of the products used contain flammable solvents; including toluene, xylene, methanol and acetic acid. The first two are not soluble in water and typically float on water. The second two are water soluble and in fairly low concentrations make water flammable. Applying water to fires involving any of these chemicals has a tendency to spread the fire, not put it out.

Oil field drilling chemicals are typically shipped to the field in containers; 5-gal pails, 55-gal drums, and 250-gal plastic totebins. From the outside of the facility we cannot tell if this was strictly a warehouse of if blending operations happened in the facility. We can only see three relatively small storage tanks outside, but there may have been additional tankage inside of the building.

This facility was not specifically designed as a chemical warehouse or chemical manufacturing facility. According to Google Street Views as late as February 2013 it housed an insulation and fireplace supply company. As such it was originally designed to have a sprinkler system. From the progress of the fire (described below) that water based system may have been functioning on Friday.

The Figure below is a diagram that I drew of the facility based upon Google Maps. It is consistent with the photos shown in the various news stories about the fire. Bldg 1 was principally a warehouse with five loading docks facing the parking lot. The north end of Bldg 2 was also a warehouse facility with three loading docks. The south end of Bldg 2 was the facility office. There were roll-up doors from both buildings facing into the space between them with a ramp leading down to the parking lot level.

The Incident

From the news reports and accompanying photographs we can piece together much of what happened at this facility. A full investigation is underway and the initial cause of the fire is unknown.

At about 4:00 pm CDT the company closed up business for the weekend. The last employee left and the gates were locked. Apparently about 45 minutes later the fire started. Pictures (here) seem to indicate that the fire started in Bldg 1. By the time this picture was taken it is clear that there had been a release of one or more flammable liquids in the building and it had started to flow out of the building since you can see flames on the concrete parking lot.

There are a number of reports of explosions associated with this fire; with at least one being described as ‘large’. With fires in chemical warehouses it is very common to have containers ‘explode’. The heat of the fire causes the liquid to boil inside the container. The expanding gasses (even water vapor) in the container cause the container to catastrophically fail creating a small explosion. If the container contained a flammable or combustible liquid the expanding gas cloud would ignite providing a larger explosion. The relative sizes of the two explosions would depend on the volume of the container and the amount of solvent in the container.

A later picture shows the parking lot fully engaged in flames. Again this is a sure sign that there has been a major spill of a flammable liquid. Fortunately the parking lot was designed to keep any liquid on site and flowed into the drainage basin located on the south end of the facility. Aerial photos (here, here, and here) show that drainage basin on fire. From those photos it looks like the major fire in the parking lot was out by the time that the fire department arrived on the scene.

Pictures from the aftermath of the fire (here, here, and here) would indicate that Bldg 1 was a total loss, there is severe damage to the warehouse portion of Bldg 2 and there does not appear to be any significant off-site damage or runoff.

Probable Course of Fire

This was an unusual chemical warehouse fire. Fires that start in these facilities after hours typically involve electrical systems or non-chemical debris on site. For there to have been a significant chemical release early in the fire without a catastrophic explosion (the building was intact in early pictures) is very unusual. To get fire flowing into the parking lot there had to be a large amount of flammable liquid released; more than a drum or totebin’s worth.

I suspect that there was at least one storage tank inside the building containing a product with a fairly low concentration of flammable solvent (so that there wasn’t a large explosive vapor cloud). Somehow there was a failure of that tank that allowed the contents to start to drain onto the warehouse floor. At some point (either before or after that leak was initiated) a fire started igniting that liquid on the floor and the sprinkler system tripped applying water to the fire. The water from the sprinkler system spread the fire throughout the warehouse and out the door leading to the parking lot ramp.

The fire would have spread to wooden pallets holding drums or totebins of other combustible or flammable liquids in the warehouse. As those liquids started to heat there would have been a number of drums or totebins that would fail and some of those would have resulted in small fuel-air explosions as the volatile solvent vapors ignited.

The remaining liquid in those containers would have also been washed into the parking lot by the sprinkler system, contributing to the pool fire there.

At that point the warehouse would be fully involved and nothing would stop it from burning until all of the fuel (including chemicals that are normally rated as not being combustible) was consumed.

The large volume of fire in the parking lot was almost certainly caused by the failure of the small storage tank at the north end of Bldg 1. The smaller pool fire would have spread to near that tank. It looks like it was a plastic tank so that the fire caused the bottom of the tank to soften and release the contents. From the size of the resulting fire ball, I would assume that this was a solvent tank and resulted in a large fuel-air explosion described in the various news reports.


Fortunately, this facility was designed with a system to catch rainwater and return that water to the aquafer via the drainage basin. This system was not specifically designed for catching chemical run-off from the facility as it is clearly visible in the pictures taken before the current occupant moved in. This allowed all of the burning runoff from the fire to be contained on site. The size of this fire would have been significantly larger if that system had not been in place. It will also make the clean-up of the aftermath of this much easier to accomplish.

It appears that the large pool fire in the parking lot was substantially over by the time that the fire department arrived. If fire trucks or personnel had been anywhere near that parking lot when it was fully engaged they would have been destroyed. Firefighters approaching a chemical facility fire really need to be aware of drainage patterns at the facility before they approach too closely.

Finally, facility owners and fire departments need to look at alternate routes of access to these types of facilities. In this case the wind was light and out of the east, blowing the smoke away from the only access to the facility. If the wind had been out of the north or worse yet, northwest, there would have been no way for firefighters to safely approach the fire.

Counter-Terrorism Notes

Now I don’t know exactly what products this facility contained, but I would suspect that this was not a facility that would have been required to report to DHS under the Chemical Facility Anti-Terrorism Standards (CFATS). That means that it is not really fair to discuss site security measures for the facility. The facility did have a perimeter fence and locked gates, much the same as you would see at most industrial facilities across this country.

Having said that, this fire would have been fairly easy to have started as part of a terrorist attack. Approaching through the woods behind the facility, a lone attacker with some small explosive devices could have started a nearly identical fire by putting those small charge on a number of different totebins containing flammable chemicals scattered around the warehouse.

A small fairly isolated facility like this would not be a typical target form Islamic militants or radical militia members, but an environmental wacko (no, not an environmental activist, but a real fringe nut case) would find a company associated with supplying the crude oil drilling industry a prime target.

Friday, August 14, 2015

PHMSA Announces Integrity Verification Process Workshop

Today the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a meeting notice in the Federal Register (80 FR 48955-48956) for a public workshop on the
concept of `Hazard Liquid Integrity Verification Process (HL IVP)’. The meeting will be held in Arlington, VA on August 27th. This will be similar in concept to the workshop on the gas pipeline integrity verification process held by PHMSA in 2013.

This workshop is part of the process that PHMSA is using to develop requirements for an integrity verification process for hazardous liquids pipelines. Background information on current ideas of what that process would look like can be found here.

The current agenda for the workshop can be found on the meeting web site. It includes presentations on:

Integrity Verification Process Perspective: National Transportation Safety Board
PHMSA's Approach for the Integrity Verification Process, Summary of Comments Received thus far on docket
NAPSR Perspective on the Integrity Verification Process
Pipeline Safety Trust Perspective
Pipeline Operator Perspectives

The public is invited to attend this free workshop either in person or via a web cast. Registration for either version can be accomplished here. Written comments may be submitted before or after the workshop via the Federal eRulemaking Portal (; Docket # PHMSA-2014-0150). The only area currently (as of 5:00 pm CDT, 8-14-15) open for comment on that site is for the proposed HL IVP flowchart.

NOTE: For some reason the block of reserved rooms was only held until August 6th. Register early if you intend to attend in person.

DHS Announces HSAC Cybersecurity Subcommittee

Today the DHS Office of Intergovernmental Affairs published a notice in the Federal Register (80 FR 48893-48894) that last week the Secretary had tasked the Homeland Security Advisory Council (HSAC) with establishing a new Cybersecurity Committee.

The new committee will address:

Identifying the readiness of the Department's lifeline sectors to meet the emerging cyber threat and provide recommendations for building cross-sector capabilities to rapidly restore critical functions and services following a significant cyber event; and
Providing a more unified approach to support State, Local, Tribal and Territorial cybersecurity.

The HSAC provides the Secretary real-time, real-world, sensing and independent advice to support decision-making across the spectrum of homeland security operations. The new committee will be tasked with providing findings and recommendations that will be submitted to the Homeland Security Advisory Council for their deliberation and vote during a public meeting.


There was no specific mention of control system security in this brief notice. Typically what happens is that either the Secretary or the full HSAC would provide specific taskings to the Committee. Those could certainly involve control system security items of interest.

It will be interesting to see who is named to this new Committee. If there is at least one control system vendor or research organization, we can expect to see something specifically addressing control systems issues. If not, it will be catch as catch can and any control system security recommendations will be more generic than useful.

Chlorine Release at Recycling Center

Earlier this week there was a chlorine gas release from a 1-ton cylinder that was being processed for recycling at a facility in Spokane, WA. As we expect to see in an event of this sort initial news reports (here, here, here, and here) are somewhat contradictory and more than a little confused. It is clear, however, that a number of people are in local hospitals in serious condition from complications due to chlorine inhalation. No deaths have been reported.

What we appear to know at this point is that a chlorine cylinder was delivered to the facility for recycling. The facility expects the offeror of the cylinder to ensure that it is empty before it is delivered to the facility. There is probably no reasonably safe way to the facility to test this for themselves.

At some point in the recycling process (in a crusher?) the cylinder integrity was compromised and the contents were released to the atmosphere inside a building on site. The resulting gas cloud was not confined to the building and off-site personnel were affected. This argues that there was a substantial amount of chlorine in the cylinder, not just residues.

At this point in the investigative process there has been no information released about who delivered the cylinder to the facility. Since these cylinders are re-useable and fairly expensive, I find it difficult (but certainly not impossible) to believe that the rightful owner of the cylinder (a chemical company or chemical distributor) sent an in-service cylinder to be recycled. These things are very expensive and have a long service life that is used to amortize the initial cost of the cylinder.

Cylinders that no longer meet the PHMSA criteria for use would certainly be recycled after they were emptied and cleaned (these are big heavy metal cylinders and worth a significant amount of money as scrap metal). The determination that they no longer met PHMSA standards would only be done after PHMSA approved testing which has to be done on an empty and cleaned cylinder. This is why it is unlikely to have come from the rightful owner.

This leads me to believe that the cylinder may have been stolen for its scrap metal value by a thief that did not know that the cylinder still had a significant amount of chlorine still inside or didn’t care. In either case it should be fairly easy to track the cylinder back to the facility from which it was stolen. These cylinders are serial numbered and even if the number were removed there should be a VERY small number of these cylinders stolen.

In any case this situation does show that it is reasonably possible for someone to get their hands on a significant amount of chlorine in this country. That combined with the current use of chlorine based improvised munitions in the Middle East by the Islamic State forces raises the specter of similar munitions being used in terror attacks in here at home. This is not a real high threat as it isn’t an attack method that could easily be used by your local internet-recruited IS wannabes, but it could be used by someone trained by the IS in Syria or Iraq.

It will be interesting to see if we ever hear about where this particular cylinder actually came from.

Thursday, August 13, 2015

PHMSA Announces Pipeline Risk Modeling Workshop

The DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a meeting notice in today’s Federal Register (80 FR 48620-48621) for a PHMSA Pipeline Risk Modeling Methodologies Public Workshop on September 9th and 10th, 2015 in Arlington, VA.

PHMSA notes that the “workshop will focus on advancing risk modeling approaches by looking at risk modelling methodologies for pipeline and non-pipeline systems, and practical ways that operators can adopt and/or adapt them to the analyses of their systems”.

The draft agenda can be found on the meeting web site and will be updated as the meeting date approaches. That agenda currently includes:

Current Regulatory Requirements for Evaluations of Risk
State Regulatory Perspective
Industry risk improvement approaches post-San Bruno and Marshall events
International Regulatory Perspective - Risk Evaluation Approaches
Other Industry Regulatory Risk Requirements and Approaches
Practical Risk Modelling Challenges
Path Forward (PHMSA)
Panel Discussion / Q&A Opportunity

This is the same meeting that I posted about last month. Where the earlier PHMSA notice was more of a request for abstracts for possible presenters at the meeting, this is a notice about the actual meeting itself. Copies of the submitted abstract can be found here.

This is a public meeting and it will be web cast. Registration for either live attendance or via the web cast can be done on the meeting web site. Public comments on the topic may be submitted before or after the workshop via the Federal eRulemaking Portal (; Docket # PHMSA-2015-0139).


While most people consider pipeline risks to be associated with the physical integrity of the pipeline and perhaps preventing damage to the pipeline from a physical attack, it is becoming more and more obvious that gas and hazardous material pipelines are also subject to attacks and accidental damage due to control system hazards.

The introduction to this notice states that:

“To support integrity management requirements, a risk analysis modeling approach must be able to adequately characterize all pipeline integrity threats [emphasis added] and consequences concurrently, and the impact of measures to reduce risk must be evaluated.”

It is disappointing to see that this cyber threats (both deliberate and incidental) do not seem to have been addressed by any of the abstracts submitted for this workshop and it is not mentioned in the draft agenda for this workshop. Perhaps a discussion about the need to include the cyber perspective in any comprehensive risk model for pipelines should be added by PHMSA.

ICS-CERT Publishes one Advisory and Two Alerts

This afternoon the DHS ICS-CERT published an OIsoft advisory for 56 vulnerabilities in one product and alerts on two different Rockwell products. ICS-CERT did not name researchers on Rockwell alerts so we cannot tell if these are DefCon related. The OIsoft vulnerabilities are all self-reported.

OSIsoft Advisory

This advisory almost describes the most serious of 56 vulnerabilities in the OSIsoft PI System software. The categories are listed for the top 25 vulnerabilities based upon risk; they are:

CWE-20: Improper Input Validation (6 issues),
CWE-250: Execution with Unnecessary Privileges (3 issues),
CWE-200: Information Exposure (1 issue),
CWE-476: NULL Pointer Dereference / Denial of Service (13 issues), and
CWE-384: Session Management (2 issues).

OSIsoft has produced a new version of Data Archive that mitigates these vulnerabilities.

Rockwell Alert 1

This alert describes a cross-site scripting vulnerability in Rockwell Automation’s 1769-L18ER/A LOGIX5318ER web interface. A proof-of-concept exploit has been publicly released. ICS-CERT is coordinating with Rockwell.

Rockwell Alert 2

This alert describes a remote file inclusion vulnerability in Rockwell Automation’s 1766-L32BWAA/1766-L32BXBA web interfaces. A proof-of-concept exploit has been publicly released. ICS-CERT is coordinating with Rockwell.


How long has OSIsoft known about some of these vulnerabilities. Probably a relatively long time. Luckily for them (we hope) no researcher found these vulnerabilities first. Just think of how many BH/DC presentations were missed because no one was looking.

Rhetorical question to think about: Was OSIsoft marketing behind the notification of ICS-CERT about these vulnerabilities? Great way to get folks to upgrade but might warn off new customers. I guess it could go either way.

Yesterday’s alerts clearly identified researcher who notified ICS-CERT days before public release. Today’s alert without apparent ICS-CERT notification did not get attribution. Is that the way ICS-CERT plans on handling this touchy issue in the future? If so, researchers take note. Drop ICS-CERT a line just before you go public.

Wednesday, August 12, 2015

ICS-CERT Publishes Four DefCon 2015 Related Alerts

This afternoon the DHS ICS-CERT published alerts for four control system product vulnerabilities that were publicly disclosed during DefCon 2015 by Aditya K. Sood on August 8th. Proof-of-concept exploit code was presented at the conference.

Three of the four vulnerabilities were disclosed to ICS-CERT shortly before their release in Las Vegas, but they have not yet been able to complete the coordination/verification process with the vendors.

Moxa Alert

This alert describes three password related vulnerabilities in the Moxa ioLogik E2210 Ethernet Micro RTU controller. Two of these vulnerabilities are reportedly remotely exploitable.

Prisma Alert

This alert describes a cross-site request forgery vulnerability and an insufficiently protected password vulnerability in Prisma web products. Both of these vulnerabilities are reportedly remotely exploitable.

Schneider Alert

This alert describes three types of vulnerabilities in Schneider Electric’s Modicon M340 PLC Station P34 CPU modules. Those vulnerabilities include:

Hard-coded credentials (remotely exploitable);
Local file inclusion; and
Remote file inclusion (remotely exploitable).

Some of these vulnerabilities were already in the coordination/mitigation process while others had not been disclosed to either ICS-CERT or Schneider.

Kako Alert

This alert describes a hard-coded password vulnerability in KAKO HMI products. This vulnerability is remotely exploitable.

FRA Publishes 30-day ICR for Accident Reporting Form

Today the DOT’s Federal Railroad Administration published a 30-day information collection request (ICR) notice in the Federal Register for changes that it is proposing to make to their accident and incident reporting requirements for accidents involving crude oil trains. The 60-day ICR was published in April and I submitted comment to that ICR based upon a blog post made a few days before that were based on a draft version of the ICR that was published along with the FRA’s Emergency Order 30.

I mentioned my comment submission because a large portion of today’s ICR notice is taken up with the FRA’s responses to my comments (though they did get my first name wrong – Patrick not Peter).

The FRA somewhat agreed with my suggestion that an entirely new form would be needed to collect the data needed for a complete analysis of the crude oil train accidents. They noted that that was beyond the scope of the current ICR (which legitimately was for a revision to an existing reporting requirement) and reported that they intend “to continue considering other options for gathering additional information concerning rail cars carrying crude oil (and other hazardous materials) involved in reportable accidents”.

That was the only positive response to my comments. In response to my comment about their handling of residue cars the same as filled railcars, they noted that they were already doing that for all other railcar reporting requirements on the form. And to my complaint about the lack of data collection about railcar types and failure rate analysis they responded that would be considered in future rulemaking activities as well.

The FRA is soliciting public comments upon this ICR submission. Comments should be submitted to the OMB’s Office of Information and Regulatory Affairs (OIRA) by September 11th, 2015 and may be submitted via email (

NOTE: While my suggestions and comments were not actually adopted in this instance, at least my comments were heard and considered. I urge anyone with an interest in Federal regulatory affairs to take any opportunity that is provided to respond to the governments. You may not get to see the changes you want to be made, but it is probably the only way that an individual American is going to have a direct chance to influence Government without spending a ton of money.

Tuesday, August 11, 2015

ICS-CERT Publishes Schneider Advisory

This afternoon the DHS ICS-CERT published a new advisory for a memory corruption vulnerability in the Schneider Electric IMT25 DTM component. The vulnerability was originally reported by Alexander Bolshev, Gleb Cherbov, and Svetlana Cherkasova of Digital Security. Schneider has produced a patch that mitigates the vulnerability and ICS-CERT reports that the researchers have validated the efficacy of the fix.

ICS-CERT reports that it would be moderately difficult to craft an exploit for this vulnerability and notes that access to an adjacent network is required to exploit this vulnerability. The vulnerability is remotely exploitable.

The Schneider Security Notification for this vulnerability explains that the vulnerability “includes a potential buffer overflow that possibly could lead to memory corruption and cause Denial of Service or permit remote code execution”.

HR 3350 Introduced – Transportation Threat Assessment

Last month Rep. Higgins (D,NY) introduced HR 3350, Know the CBRN Terrorism Threats to Transportation Act. This bill would require the production of a threat assessment of the transportation of chemical, biological, nuclear, and radiological materials through United States land borders and within the United States.

The DHS Secretary, acting through the Under Secretary of Intelligence and Analysis, would be required to make the assessment within 90 days of the enactment of this bill. It would then be required to be shared with DOT, DOE, State and local officials and distributed to the network of fusion centers.

There is no discussion of the parameters of the types of threats to be assessed and no funding is provided for conducting the assessment. Neither is there an explanation as to why such an assessment is now necessary.

Moving Forward

Rep. Higgins is the Ranking Member on the Counterterrorism and Intelligence Subcommittee of the House Homeland Security Committee. Subcommittee Chair King (R,NY) and Committee Ranking Member Thompson (D,MS) are both cosponsors of this bill so there is definitely the political pull necessary to get this considered in Committee. Since there are no funding provisions and no regulatory actions required there is little in this bill that would prevent its passage in the House. If it does make it to the floor it would certainly be considered under the suspension of the rules process with minimal debate and no amendments.


I certainly think that an assessment of the potential security threats against the transportation of chemical, biological and radiological materials into and through this country would be a valuable thing. I would be very surprised and disappointed if the TSA had not already done such an assessment.

I am disappointed, however, that a bill of this sort does not lay out the reasons that such an assessment would be appropriate and what sorts of issues that Congress expects this assessment to include. Assuming that there are no current specific indicators that anyone intends to attack such shipments, the broad intent of this bill would be served by a simple statement that there are currently no credible indicators of an intent to attack such shipments. Such a report, even if puffed up with the typical bureaucratic verbiage we have come to expect from intelligence agencies, would serve little or no purpose.

What would serve a more useful purpose, both for counter-terrorism planners and legislators, would be detailed look at what materials currently in commerce could be useful as either an expedient weapon of either mass destruction or mass hysteria or could be used to develop such weapons. This would need to include a discussion of both the potential consequences of the release/detonation of both the largest commercial shipping container and the most common size shipping container of the materials and how difficult it would be to effect such an attack.

A discussion of current efforts to prevent or mitigate such an attack would also be useful for those tasked with assessing what new efforts would need to be taken to lessen the threat. Also helpful would for such an assessment to include a look at the potential types of attackers that would have special skills or incentives to attack effect such attacks.

A detailed and more useful report of this type would probably take more than 90 days to prepare, but it would serve to better inform both the emergency response/planning community as well a potentially provide law makers with the information necessary to consider potential legislative action that might be required.

Monday, August 10, 2015

OMB Approves CG Oil Spill Reporting ICR

On Friday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the reinstatement of a Coast Guard information collection request (ICR) supporting both the reporting of oil or hazardous substance discharge, and reporting of suspicious maritime activity.

Lapsed ICR

Apparently the Coast Guard inadvertently allowed this ICR to lapse in February of 2012. Both the 60-day and the 30-day ICR notices in the Federal Register from earlier this year reported that the ICR was a renewal. And there is nothing in the Supporting Statement [.DOC download link] submitted to OIRA that indicates that the CG was aware that the ICR had expired.

Change in Burden Estimates

The table below shows the differences in the burden estimates between the previously approved ICR and the lasted version.

Burden Estimate
Change in Burden Estimate

The CG explained the drastic reduction in the number of responses this way in their submission document to OIRA:

“The change in burden is an ADJUSTMENT due to a change (i.e., decrease) in the number of NRC reports received by the Coast Guard.  It is unknown why we have seen a large decrease in the number of annual responses.  The reporting requirements, and the methodology for calculating burden, remain unchanged.  Additionally, the Coast Guard has revised the methods for submitting a report by eliminating the online option.  The upkeep of that method proved too costly.”

There was a reduction in burden estimate between the 2011 ICR and the ICR approved in 2008, but that change was only about 7%, not the almost 73% decrease reported in the latest CG data. Such a large decrease in reported spills means that either industry has made tremendous strides in reducing the number of spills that it is experiencing or there has been a decrease in the rate of reporting of spills that are occurring. More than likely it is some combination of the two.

Cybersecurity Issue

The CG did report on programmatic change that may have an impact on the reporting rate. In the quote above the CG noted that it had eliminated the online reporting option for this ICR. The reason for that change was described in a little more detail earlier in the submission document:

“The NRC online submission option was eliminated in February 2014 following a security breach.  The online submission website was built in the 1990s, and does not meet modern security standards.  At this time, the NRC does not have the funds necessary to build a modern, functional, and secure site.”

A footnote to that statement notes that in the last full year of on-line reporting those reports only accounted for about 10% of the NRC reports submitted.


A drastic change (and a 74% reduction in spills is nothing short of miraculous if true) in spill reporting numbers must be investigated. It is not acceptable to dismiss a 74% reduction in spill reports with just the brief comment that: “It is unknown why we have seen a large decrease in the number of annual responses.”

Now I understand that OIRA is an administrative body that would have nothing to do with the actual investigation of why there is such a drastic change in spill reporting. So may be the Coast Guard is actually conducting such an investigation and just did not feel that it was necessary to mention that investigation in their submission data to OIRA. I am surprised, however, that OIRA accepted this dramatic change in reporting burden without more justification.

Likewise, I am concerned that OIRA did not demand at least a cursory explanation of why the Coast Guard had allowed this ICR to lapse for almost two years before submitting this ICR revision. The NRC is a vital part of a major environmental response program and while this ICR does not actually effect the operation of that program failure to keep the ICR up to date reflects poorly on the management of the program and begs the question of what other programmatic issues exist.

Finally I sympathize with the Coast Guard discovering security issues with an on-line reporting program designed in the 90’s. Cutting off that reporting process due to lack of funds does seem very short sighted. Looking at the last two Coast Guard authorization bills (and Committee Reports supporting those bills) I have seen nothing that would indicate that Congress has been informed of this problem. If they have been informed and they have been ignoring the problem this is a political problem that should be addressed. If they have not been repeatedly made aware of this problem than shame on the Coast Guard and the Secretary of DHS.

Sunday, August 9, 2015

Connected Rail Cars

There is an interesting blog post over at discussing the use of a new Bosch product used for tracking railcar position and status. This idea has been tossed around for a couple of years now, but it seems that Bosch has actually fielded a commercial product.


The blog post is a bit of a sales pitch, but it does provide some interesting justifications for tracking railcars and the status of key information about those cars. It talks about GPS tracking, temperature sensing and vibration sensing as some of the things that railcar owners or shippers might want to keep track of.

For chemical tank car shipment I can think of a couple of other things that could also be included. Tank pressure and temperature sensors could provide valuable information to first responders at a derailment. Tank cars with rising temperature and pressure because of a localized fire could be monitored for safety considerations. As pressures and temperatures started to increase water streams could be placed on the car to prevent venting or a catastrophic release. As those parameters approached safety critical values first responders could be pulled back to a safer position.

Pressures decreasing on a tank car would be a sure sign of a leak and could allow protective measures and evacuations to be conducted before the leak reached a critical mass.


As with anything else involved in the internet of things (IOT), security has to be designed into to these data reporting sensors at an early stage. While shippers certainly want to know about the location of their products in the distribution chain, so do crooks and terrorists. Know which box car contains high value electronics is certainly desirable information for a gang of thieves wishing to intercept the shipment, but a GPS reporting of where that boxcar is parked on a siding is even more valuable.

A terrorist would bent on using a chlorine rail car as a weapon of mass destruction would love to be able to use a GPS tracker to locate the car to place an improvised-explosive device on it to make it into a very large barrel bomb, but then using that same GPS tracker to allow the device to be detonated at the most effective location would make the attack that much more devastating.

Balanced Approach

Again IOT devices in chemical transport are a double edged sword. They can provide benefits in product transportation monitoring for the supply chain managers, safety information for emergency responders and potential targeting data for terrorists and criminals. Proper planning and design will enhance the first two and prevent the third.

Saturday, August 8, 2015

DHS Updates CSSS Web Page

Earlier this week the folks at DHS Office of Infrastructure Protection updated the web page for the annual Chemical Sector Security Summit which was held last month. The update included links to the following:

The web cast of the keynote address from Amy Pope, Deputy Homeland Security Advisor and Deputy Assistant to the President at the National Security Council;
The web cast of the update on the Chemical Facility Anti-Terrorism Standards (CFATS) program by David Wulf, Director of the Infrastructure Security Compliance Division; and
The DHS Blog post from Caitlin Durkovich, Assistant Secretary for Infrastructure Protection, about the success of the 2015 CSSS.

For those of you who have disabled your Adobe Flash Player® for security reasons, you will have to re-enable it to view the two web casts. Homeland Security likes Adobe.

The production values on the two web casts leave something to be desired, but these are talking head presentations so that does not take away from the many interesting points the two speakers had to make.

I’m hoping that we will see the slides from the other presentations at the CSSS in the next couple of weeks.

Friday, August 7, 2015

Bills Introduced – 08-06-15

Seven bills were introduced in the Senate yesterday in a pro forma session specifically designed to allow the late submission of bills while the Senate started their five week summer recess. Of those bills there was only one that might be of specific interest to readers of this blog:

S 2007 A bill to create a consistent framework to expedite the recruitment of highly qualified personnel who perform information technology, cybersecurity, and cyber-related functions to enhance cybersecurity across the Federal Government. Sen. Bennet, Michael F. [D-CO]

Since the Federal government should be the single largest employer of cybersecurity professionals, their hiring practices should be of interest to other cybersecurity employers and employees alike.

Thursday, August 6, 2015

Amendments to S 754 – 08-05-15

Yesterday there were 23 additional amendments submitted in the Senate for S 754, the Cybersecurity Information Sharing Act  (CISA) of 2015. Only three of those proposed amendments may be of specific interest to readers of this blog.

SA 2623. Ms. Collins, pgs S6411;
SA 2626. Mr. Whitehouse, pgs S6415-6; and
SA 2628. Mr. Wyden, pg S6419

The Amendments

The Collins amendment would require the owners of ‘critical cyber infrastructure’ to report to the DHS Secretary or appropriate agency head “if an information system of a covered entity that is essential to the operation of critical cyber infrastructure is successfully intruded upon” {new §lll(b)(1)}; note that there is no definition of ‘successfully intruded upon’ provided. The report would include {new §lll(b)(2)}:

A description of the technique or method used in such intrusion;
A sample of the malicious software, if discovered and isolated by the covered entity, involved in such intrusion;
Damage assessment; and
Such other matters as the Secretary or the appropriate agency head, as the case may be, consider appropriate.

The Whitehouse amendment would add a new section to the US criminal code; 18 USC 1030A. This new section would make it a federal crime “during and in relation to a felony violation of section 1030, to knowingly cause or attempt to cause damage to a critical infrastructure computer” {new §1030A(a)}. Unfortunately, because of the definition of ‘protected computer’ in §1030(e)(2) only attacks on financial institutions or communications companies would give rise to the underlying felony that is a required part of this new definition. I do not think that that was the intent.

The Wyden amendment would require the Secretary of Commerce to reconsider the rulemaking concerning the implementation of the Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items. The reconsideration would include drafting a supplemental of proposed rulemaking that is written in consultation with “civil society organizations, including privacy advocates, public and private sector technologists, security researchers, and public and private sector software developers” {new §ll(b)(1)}. The new proposed rule would be required to be:

Limited to the scope of the agreements reached at the plenary meeting of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies in December 2013;
Consistent with the regulation of cybersecurity items by other countries participating in the Wassenaar Arrangement, as appropriate; and
Exclude cybersecurity items available for mass-market purchase from regulation under the proposed rule

Agreement to Consider the Bill

A unanimous consent agreement was reached yesterday to allow for the Senate to move forward with the consideration of the bill without having to go through a cloture procedure. That agreement calls for the consideration of 21 specific amendments; ten from the Republicans and eleven from the Democrats. There is a possibility that other amendments may be subsequently considered.

Of the seven amendments that I discussed here yesterday and today only one is on either list; Whitehouse 2626. Most of the remaining ones that I discussed were excluded from consideration because they did not directly deal with cybersecurity information sharing.

FRA Publishes Train Securement Final Rule

Today the DOT’s Federal Railroad Administration (FRA) published a final rule in the Federal Register (80 FR 47349-47386) to amend the brake system safety standards (49 CFR 232) for freight and other non-passenger trains and equipment to strengthen the requirements relating to the securement of unattended equipment. This is the same rule that FRA announced a week ago. The notice of proposed rulemaking (NPRM) for this rule was published in September of last year.


This rule makes changes to §232.5 by adding a new term, moving a definition into this section, and changing a term without changing the definition. Those three terms are respectively

Yard {from yard limits also defined in §218.35(a) with a conflicting definition}.

Rule Coverage

A minor change in wording from the NPRM was made in the new §232.103(n)(6); the term ‘loaded tank car’ is used instead of ‘loaded freight car’. With this new wording, the new changes in securement requirements now applies to {new §232.103(n)(6)(i)}:

Any loaded tank car containing PIH material, including anhydrous ammonia and ammonia solutions; or
Twenty (20) or more loaded tank cars or loaded intermodal portable tanks of any one or any combination of PIH materials (including anhydrous ammonia and ammonia solutions), or any flammable gas, flammable or combustible liquid, explosives, or a hazardous substance listed at §173.31(f)(2) of this title.

For purposes of this rule rail cars containing a residue will not be considered in determining if a freight train is covered under the rule.

The Plan

The new rule includes basically the same plan requirements found in Emergency Order #28 which this rule supersedes. Railroads are still required to have the required plan in place before they can secure and leave unattended a covered train outside of a yard. There is only one change in the plan requirements:

The final rule allows a railroad to leave a train or equipment unattended on mainline track that is running through a yard or on mainline track that is adjacent to the yard without covering the location in the railroad's plan.

FRA still reserves the right to review such plans and direct changes in them when necessary. They still will not require the plans to be approved by FRA prior to their use.


There are some differences in the securement requirements in this rule and in the Emergency Order #28. The FRA has removed the specific requirement for railroads to “review, verify, and adjust, as necessary” the securement procedures to be employed in support of this rule. The FRA is also discontinuing the requirement from EO #28 of preparing a written verification of the securement procedure used on each unattended train.

A couple of changes were made from the proposed wording in the NPRM. One change is found in the revised §232.103(n)(1); The new language now makes it clear that at least one hand brake must be set on unattended trains. A change to §232.103(n)(2) removes the words ‘on a grade’ from the description of areas where air brakes cannot be relied upon to hold standing unattended equipment.

The discussion in the preamble seeks to clarify that the final rule requires all unattended covered trains to be secured in accordance with the new §232.103(n)(8). The exception for trains left unattended in yards or on mainlines adjacent to yards only applies to the plan requirements of the new §232.103(n)(7).

Effective Dates

The effective date for the requirements of this new rule is October 5th, 2015. Emergency Order #28 is rescinded on October 5th, 2015. Petitions for reconsideration must be received by September 25th, 2015. 
/* Use this with templates/template-twocol.html */