Saturday, April 30, 2016

Bills Introduced – 04-29-16

With the Senate already on the road, the House finished up their business for the week so that they could also head back to their districts for a week of campaigning. Before they left they did submit 48 new bills. Two of those bills could be of particular interest to readers of this blog:

HR 5126 To enhance the early warning reporting requirements for motor vehicle manufacturers. Rep. Cartwright, Matt [D-PA-17]

HR 5131 To amend the Help America Vote Act of 2002 to make improvements to voting system technology, election official training, and protecting voting system source code. Rep. Johnson, Henry C. "Hank," Jr. [D-GA-4]

Cartwright’s bill will receive future coverage if it applies to automotive control system vulnerability reporting.


I really doubt that there will be control system language in this bill, but I had to include it in today’s list because the title includes the words ‘source code’.

Friday, April 29, 2016

ICS-CERT Adds ICS Whitelisting Guide to Site

This afternoon the DHS ICS-CERT (in coordination with the National Security Administration) published a new document on their web site that is designed to serve as an appendix to their “Seven Steps to Defend Industrial Control Systems” that was published last December. The six-page document is titled: “Guidelines for Application Whitelisting in Industrial Control Systems”.

Alert readers will recall that “Implement application whitelisting” was the first of the seven steps described briefly in the original paper. Where the concept of whitelisting was covered in just two paragraphs in the December paper, this document provides a much more detailed description of how whitelisting is used. This guideline document describes:

• AWL benefits;
• How AWL differs from and complements anti-virus;
• How AWL operates;
• Creating whitelists;
• AWL as a change control process verification tool;
• AWL limitations;
• Choosing a compatible AWL solution;
• Challenge of running AWL in some specialized environments;
• Protect administrator access;
• Managing an AWL system.

While this certainly is not a whitelisting textbook (and at six pages, it was not intended to be) it does provide a detailed enough description of the whitelisting process to be valuable for process control engineers (and maybe more importantly IT specialists). At the same time, it is written at a general enough level that facility managers and C-Suite personnel in organizations with critical control systems should be expected to read the document.
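Two of the topics in the list above, "Creating whitelists" and "AWL as a change control process verification tool", come down to the same mechanic: record a cryptographic hash of every executable that is supposed to be on the box, then treat anything that does not match that baseline as suspect. The script below is an added illustration of that mechanic, written for this post; it is not code from the ICS-CERT/NSA guideline, and the directory layout, file names and the list of "executable" extensions are constructed assumptions. It builds a baseline from a temporary HMI-like tree, makes three unauthorized changes, and reports what a deny-by-default whitelist check would flag.

```python
"""Hash-based application whitelist baseline and verification (added example)."""
import hashlib
import tempfile
from pathlib import Path

# File types treated as executable content for this illustration (an assumption
# for the example, not a list taken from the ICS-CERT guideline).
EXEC_SUFFIXES = (".exe", ".dll", ".sys")


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_whitelist(root: Path) -> dict:
    """Create the 'known good' baseline: relative path -> SHA-256 for every
    executable under root. Non-executable files are ignored."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXEC_SUFFIXES:
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def verify_against_whitelist(root: Path, whitelist: dict) -> dict:
    """Compare the current state of root with the baseline.

    'unknown'  : present now but not in the baseline (deny by default: an AWL
                 engine would refuse to execute it)
    'modified' : in the baseline but the hash changed (unapproved change)
    'missing'  : in the baseline but no longer present
    'allowed'  : unchanged and therefore permitted to run
    Each category is a sorted list of relative paths.
    """
    current = build_whitelist(root)
    return {
        "allowed": sorted(p for p, h in current.items() if whitelist.get(p) == h),
        "modified": sorted(p for p, h in current.items()
                           if p in whitelist and whitelist[p] != h),
        "unknown": sorted(p for p in current if p not in whitelist),
        "missing": sorted(p for p in whitelist if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small HMI tree, then make changes that
    bypassed change control, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "hmi.exe").write_bytes(b"HMI build 1.0")
        (root / "bin" / "driver.dll").write_bytes(b"driver v3")
        (root / "bin" / "io.sys").write_bytes(b"io layer")
        (root / "bin" / "readme.txt").write_bytes(b"not executable")
        baseline = build_whitelist(root)

        # Simulated changes made outside the change-control process.
        (root / "bin" / "hmi.exe").write_bytes(b"HMI build 1.0 with extra code")
        (root / "bin" / "update.exe").write_bytes(b"unapproved package")
        (root / "bin" / "driver.dll").unlink()
        return verify_against_whitelist(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The point the guideline makes about AWL complementing anti-virus is visible in the output: the unapproved `update.exe` is flagged without any signature for it, simply because it was never approved, and the altered `hmi.exe` is caught even though its name is on the list. In a real deployment the baseline would be signed or stored off-host so that an attacker who changes a binary cannot also rewrite the hash it is checked against.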

While this guideline does make the point that whitelisting is only one part of a defense in depth security program, the authors did miss making an important point by not referring back to Figure 1 in the Seven Steps document. That document notes that in 2014 and 2015 ICS-CERT estimates that application whitelisting would have mitigated 38% of the ICS-CERT reported control system incidents.

An important addendum to this document is the list of references found on page 6. I particularly appreciate the links to the three NSA whitelisting documents. My only personal complaint is that ICS-CERT continues to use footnotes in their .PDF documents. I would prefer to see links put into the document where the document is referenced. That’s my personal preference, but at least they do have the links available.


I hope that this is just the first of seven appendix documents that ICS-CERT and NSA produce to support the Seven Steps publication.

Bills Introduced – 04-28-16

With both houses of congress preparing to head back home for a week in their districts, there were 77 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 5117 To ensure appropriate policies, planning, interagency coordination, and spectrum availability to support the Internet of Things. Rep. Paulsen, Erik [R-MN-3]

It will be interesting to see how this bill relates to Sen. Fischer’s (R,NE) S 2607.


Thursday, April 28, 2016

RMP NPRM: Emergency Response Planning

This is part of a continuing series of blog posts about the EPA’s recently published notice of proposed rulemaking (NPRM) for revisions of their Risk Management Program. Earlier posts in this series include:


Background – Responding Facilities


The current risk management plan (RMP) rules provide that a Program 2 or 3 facility has a choice as to whether it will be a responding facility (establish its own emergency response program under 40 CFR 68.95) or whether it will rely on outside responders as part of a community emergency response plan under 42 USC 11003 (for holders of regulated toxic substances) or whether it has coordinated response activities with the local fire department (for holders of regulated flammable substances). Non-responding facilities also are required to have emergency notification procedures in place to ensure a timely response by the outside agencies.

The preamble to the NPRM notes that while most covered facilities are claiming to be non-responding facilities, the “EPA has often found that facilities either are not included in the community emergency plan or have not properly coordinated response actions with local authorities”. It goes on to examine a number of incidents where such failures aggravated the consequences of release incidents.

Clarification of Coordination Requirements


The EPA is proposing to add a new §68.93 that would outline the specific annual coordination activities that would be required by all covered facilities. These requirements would apply to both responding and non-responding facilities. They would include specific documentation requirements. A key component to the coordination activity is the requirement that “the owner or operator and the local response authorities would work together to determine who will respond if an incident occurs, and what would be an appropriate response”.

Along with this the current §68.90 would be changed into two paragraphs that would outline the emergency response plan requirements for non-responding {paragraph (a)} and responding {paragraph (b)} facilities. Paragraph (b) would apply not only to facilities that are actively seeking to be responding facilities, but also to facilities where the coordination activities outlined in §68.93 “indicates that local public emergency response capabilities are not adequate to respond to accidental releases of regulated substances at the stationary source”. Additionally, provisions are included that a facility would be required to formulate a facility emergency response plan if so requested by the LEPC, local fire department or other appropriate local emergency response official.

Emergency Response Plan Requirements


Section 68.95, which outlines the ERP requirements, is also being modified. The EPA is adding a sentence to paragraph (a) that specifically adds a requirement to include in the ERP procedures for notifying Federal, State and local authorities of accidental releases. Provisions are also being proposed that would require annual updates of the ERP and more frequent updates to reflect lessons learned from incidents or inspections or to respond to changes in notification requirements or procedures.

The preamble also goes on to discuss those situations where the only legitimate response to a release would be evacuations or shelter-in-place activities. It makes the point that even in these instances a plan developed in advance for conducting those activities would be significantly more effective than activities conducted on the fly after an accidental release occurs.

The preamble also includes a discussion of the situation where a facility is not large enough to have an effective emergency response capability and the community does not have local resources to execute an effective community emergency response plan. The EPA notes that those facilities are still responsible for having an ERP, but may use outside resources (mutual aid agreements or contractors are mentioned) to effect that ERP.

Information Availability


While not specifically included in the ERP section of the preamble, there is a lengthy discussion about the perceived problems with the sharing of information about chemical hazards with the emergency response community and the public. It would seem obvious that adequate information about chemical hazards, in a usable and understandable format would be a prerequisite to forming an effective community emergency response plan.

The EPA is proposing to add a new §68.205 that would apply to all covered facilities (even those with just Program 1 processes). It would require facilities “to develop summaries of specific chemical hazard information for all of their regulated processes and provide this information, upon request, to the LEPC or local emergency response officials as part of their emergency response coordination efforts”. It would specifically require the following information to be made available:

• Information on regulated substances (held above TQ levels);
• Accident history information;
• Compliance audit reports;
• Incident Investigation Reports;
• Exercises.

The EPA is also proposing to clarify requirements about information that must be made available to the public. It is not changing the current restrictions on the disclosure of off-site consequence analysis (OCA) data, but it is going to require in a new §68.210(b) that facilities provide the following information to the public:

• Names of regulated substances held in a process above TQs;
• Safety Data Sheets (SDSs) for all regulated substances held above TQs at the facility;
• The facility's accident history required under §68.42;
• Information concerning the source's compliance with §68.10(b)(3) or the emergency response provisions of subpart E.

Commentary


The proposed changes to the emergency response planning portion of the RMP are a decent attempt at addressing some very serious holes in that planning process. For small to medium sized facilities there are some very real financial and regulatory reasons to opt for being a non-responding facility and letting the local government handle the emergency response planning and execution.

This is certainly reasonable when the local government is large enough or prosperous enough to assume the role of chemical incident responders. It is not, however, reasonable when the local agencies do not have either the financial or technical resources to conduct the planning for, and/or the execution of, a chemical emergency response plan.

The proposed rule makes an honest effort to ensure that facilities and local governments cooperate in the emergency planning and execution process. There are, however, some very real problems that could be created by these rules when there is a significant disparity between the size of the local government and the size of the facility.

When a facility is of sufficient size that it becomes a major economic player in the local community, there is going to be a great deal of political pressure placed on the LEPC and emergency response community to go along with the emergency response plans of the facility whether they are adequate or not. Maintaining jobs and a tax base are going to be a higher political priority than effective emergency response planning.

Where facilities lack economic clout there could be a significant amount of economic pressure placed upon the management to go along to get along with the LEPC, fire department or emergency planning agency so that they are not forced to develop and support a full blown facility emergency response plan that could legitimately bankrupt the company.

Where there are professionals on both sides of the table with chemical emergency response planning and execution experience, this is not likely to raise any significant problems as long as goodwill is maintained on all sides. But where that professional experience is lacking, and even if deliberate malfeasance is not an issue, political and economic issues will compromise the emergency planning process.


Without tighter regulation of the LEPCs or a huge increase in the RMP inspection force at EPA (neither of which is likely) I do not see an easy solution to this potential problem. The best response that I can come up with is to increase the EPA’s Inspector General’s ability to respond to complaints in this area. That is not, however, a regulatory response, but rather a legislative requirement that is little more likely than regulation of LEPCs or increasing the inspection force.

Bills Introduced – 04-27-16

Yesterday, with both the House and Senate in session, there were 35 bills introduced. One of those may be of specific interest to readers of this blog:

HR 5077 To authorize appropriations for fiscal year 2017 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Rep. Nunes, Devin [R-CA-22]


As with most of the spending bills that I watch, this one will be covered as and if it addresses cybersecurity issues.

Wednesday, April 27, 2016

House Passes HR 4240 – TSDB Report

Today the House passed HR 4240, the No Fly for Foreign Fighters Act, under suspension of the rules. There were only 17 minutes of debate and the bill passed on a voice vote. The bill would require a report to Congress on the efficacy of the Terrorist Screening Database (TSDB).

While the bill would require a report to Congress it neglects to consider the single biggest problem with the TSDB: the false positive rate and the lack of a meaningful method of redress for those false positives. As the TSDB is starting to be used to verify the lack of terrorist ties of current employees of a large number of chemical facilities under the Chemical Facility Anti-Terrorism Standards (CFATS) program, the issue of false positives is likely to raise some very painful issues at a number of chemical facilities.

The report requirements specified in this bill have nothing to do with preventing foreign fighters from flying into or within the United States. Instead it will probably have the effect of making it easier to add unverified names to the TSDB; thereby exacerbating the problem of false positives.


The failure of Congress to even entertain questions about the false positive problem is indicative of the knee jerk reactions of our elected representatives when they see security failures. Unfortunately, this bill will probably be considered under the unanimous consent provisions in the Senate where there will be even less (actually no) debate and not even a pro-forma voice vote.

ICS-CERT Updates Moxa Alert Again

This afternoon the DHS ICS-CERT published a new update to their Moxa alert (originally issued on April 8th and then updated on April 20th). The new update adds an acknowledgement of the original disclosure and more details about the ports involved in the vulnerabilities.

The Changes


The Alert now reports that Reid Wightman of Digital Bond Labs was the original reporter of the five vulnerabilities upon which this alert was based. It also now acknowledges that Reid did coordinate with Moxa (but not, shame for shame, with ICS-CERT).

A paragraph has also been added to the mitigation section of the report that lists the ports that Moxa recommends should be either blocked or have access restrictions applied. The list of ports was in the original alert, but was removed in the first update. The port information in this update is more complete in that it distinguishes between the ports that are not needed by the device and the ports that may be used in normal operation. The same information was available in the DBLabs report that was responsible for the initiation of this alert.

Intellectual Property


I am glad to see that ICS-CERT is finally giving Reid credit for discovering these vulnerabilities. ICS-CERT has had an on-again, off-again policy of disclosing the researchers responsible for alerts. I understand that ICS-CERT would prefer that they (or some other CERT) would be used as a disclosure intermediary. Their thought is that their official office can apply more pressure to vendors to take vulnerability reports more seriously. While that may be true (more on that later) that should have nothing to do with giving credit where credit is due. Not giving credit smacks of theft of intellectual property.

Vulnerability Coordination


Now as to the larger question of the role of ICS-CERT as a coordinator of vulnerability disclosures, let’s take a look at that role. First off, I have seen nothing in legislation or regulation that provides ICS-CERT with any specific authority to act as such a coordinator. That probably is not really necessary as long as researchers and vendors mutually recognize ICS-CERT as an independent arbiter of disagreements about the legitimacy of vulnerability claims, on the one hand, and the legitimacy of vendor mitigations on the other hand.

It is becoming increasingly obvious that there are elements within the research community that no longer have much respect for ICS-CERT as a dispassionate intermediary. I have read a number of social media comments over the last year or so from a number of different researchers that expressed their concerns about the apparent willingness of ICS-CERT to side with the vendors when there is a disagreement on vulnerabilities.

Appearance of Favoring Vendors


In my very limited interactions with ICS-CERT, I have never had any problems. But then again, I am a security gadfly not a researcher. But that really does not make any difference. As I told young NCOs in numerous leadership classes: it doesn’t make a damn bit of difference if you are or are not prejudiced. If those that report to you think you are prejudiced, then they are going to respond to you as if you were prejudiced.

At the very least ICS-CERT has a problem with the appearance that they favor vendors when there is a dispute between researchers and vendors. That appearance is going to help drive away researchers, particularly those without enough of an industry reputation to have their disclosures stand on their own merit. Those researchers are going to take less desirable modes of disclosure, public zero-day disclosures or, even worse, sell disclosures to the highest bidder.

This is particularly disturbing as the ICS security world is expanding by leaps and bounds. The number of researchers in this space is continuing to expand as new researchers (and established researchers from other fields) continue to see ICS research as an expanding field. Even more important the number of vendors affected by ICS vulnerabilities is also increasing as more industries (medical, automotive, aircraft, and security controls) begin to realize that their control systems have important security vulnerabilities that are no longer masked by obscurity.

Need for Coordination


The other question that this specific set of vulnerabilities raises is whether or not a disclosure coordinator is really needed. A legitimate case can be made that new researchers in the field, without a well-established reputation, probably do need to have an independent agency act as a go-between, particularly when the security issues being raised are novel or difficult to understand.

That was certainly not the case here. Reid Wightman is not, by anyone’s measure, an ICS neophyte. He has a well-established personal reputation built across a number of organizations. That plus his current association with Digital Bond Labs should provide as much weight to the vulnerability disclosure as could ICS-CERT. He should be able to approach any ICS vendor in the world and have his report of vulnerabilities taken seriously and promptly acted upon. I question the commitment to security of any vendor that fails to respond promptly to a researcher of Reid’s stature and knowledge.

To take over a year to correct serious security vulnerabilities (and we are hoping that they will be completed in August as promised) is inexcusable. Particularly when the devices in question exist in a critical communications nexus in so many critical installations. Even if there is a legitimate reason for it taking a year to correct all of the problems (and I find that difficult to believe) most of these issues could certainly have been corrected well before now.

The Siemens model of disclosing a vulnerability even before all of the affected devices have patches/updates available is one that deserves close study by the industry. This is particularly true when there are legitimate methods of reducing the risk of vulnerability exploits that the owner can take while waiting for an update to become available.

A Good Step Forward


In closing, I want to make a clear statement that I think ICS-CERT took a valuable and correct step today with their making these changes to the Moxa Alert. Reid deserves credit for the vulnerability discovery and for his efforts to properly disclose those vulnerabilities to Moxa. System owners deserve to have the information on mitigation measures that are now available in the Alert. I continue to believe that ICS-CERT has an important role to play in coordinating vulnerability disclosures. The changes made today will help to ensure that they look like they are playing the role of a disinterested intermediary that both sides can respect and trust.


Bills Introduced – 04-26-16

Yesterday, with both the House and Senate in session, 39 bills were introduced. Of those, three may be of specific interest to readers of this blog:

HR 5050 To amend title 49, United States Code, to provide enhanced safety in pipeline transportation, and for other purposes. Rep. Upton, Fred [R-MI-6]

HR 5056 To modernize and enhance airport perimeter and access control security by requiring updated risk assessments and the development of security strategies, and for other purposes. Rep. Keating, William R. [D-MA-9]

HR 5069 To amend the Sarbanes-Oxley Act of 2002 to protect investors by expanding the mandated internal controls reports and disclosures to include cybersecurity systems and risks of publicly traded companies. Rep. McDermott, Jim [D-WA-7]

HR 5050 is almost certainly the pipeline safety bill I described in my post on congressional hearings for this week.

The airport security bill will be of interest here if it includes provisions addressing the cybersecurity of security control systems.


The definition of covered computer systems will be the key to the future coverage of HR 5069 in this blog. If the definition includes control systems, it will certainly bear watching.

Tuesday, April 26, 2016

DHS Announces NSTAC Meeting – 5-11-16

Today the Department of Homeland Security published a meeting notice in the Federal Register (81 FR 24624-24625) for a public meeting of the President's National Security Telecommunications Advisory Committee (NSTAC) to be held in Santa Clara, CA on May 11th, 2016. The meeting will be webcast.

The agenda includes:

• A panel discussion with several notable industry technology leaders on emergent information and communications technologies (ICT) in the private sector;
• A panel discussion with senior government officials on the government's efforts to adopt emergent ICT in support of its NS/EP functions;
• An update on the NSTAC Emerging Technologies Strategic Vision Subcommittee's study of emerging ICT;
• A deliberation and vote on the NSTAC Report to the President on Big Data Analytics; and
• The Department of Homeland Security will provide NSTAC members with an update of the implementation of the Cybersecurity Act of 2015.


The public is invited to attend. There will be an opportunity for public comments at the meeting and written comments may be submitted to NSTAC. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2016-0021).

House Passes HR 3583 – The PREPARE Act

This evening the House passed HR 3583, the PREPARE Act. There were only sixteen minutes of debate and a voice vote. The bill reauthorizes and makes minor modifications to a number of emergency response and planning grant programs.

The bill requires a DHS report on the cybersecurity of FirstNet, the nationwide first responder network. It also requires DHS to establish a Social Media Working Group to enhance public communications during emergencies. And it requires the DHS Office of Health Affairs to establish a medical stockpile program for DHS employees.


It is likely that this bill will be taken up by the Senate under their unanimous consent procedures; again with limited debate and no actual vote.

ISCD Updates CFATS Web Site

Yesterday the DHS Infrastructure Security Compliance Division (ISCD) updated their Chemical Facility Anti-Terrorism Security (CFATS) program web site. Links were added for two fact sheets; one dealing with the compliance inspection program and one dealing with the personnel surety program (PSP).

The compliance inspection fact sheet is the same one that I wrote about last Friday. I would not have even mentioned this except for the fact that whenever the landing page is changed, I go back and check all of the links on the page to see if there were any additional changes made since the last landing page change. In this case there was: a week ago the PSP page was changed to add a link to a new fact sheet about the relatively new identifying people with terrorist ties portion of the PSP.

The first page of the two-page fact sheet is a basic description of this new portion of the PSP program. It contains no new information and everything there has been thoroughly (in my not so humble opinion) discussed here in this blog on a number of different occasions. The second page is a short list (3) of frequently asked questions (FAQ) about the program that provide a little more emphasis and one nugget of new information about the program.

In response to an implementation timing question, the fact sheet reiterates the previous information provided that ISCD, through the facility’s Chemical Security Inspector, will notify the facility when it needs to start modifying their Site Security Plan (SSP) to include implementation of the terrorist screening portion of the PSP. They emphasize this point by stating (in bold print): “Facilities should wait to be contacted by the Department before altering their SSP/ASP or attempting to submit any information for vetting.”

The fact sheet then goes on to explain that ISCD will “provide an optional supplement [emphasis added], which discusses information the Department will consider and review in order to make a determination on the facility’s ability to satisfy RPBS 12(iv)”. Hopefully, this guidance will provide the information that I had complained about being absent from the Compliance Inspection Fact Sheet. It is more than a little disappointing that a link to this ‘optional supplement’ has not been provided on the PSP web site.

The interesting nugget of information that I referred to earlier is found in the response to the second FAQ about how ISCD will be providing the notification to begin implementing the terrorist screening portion of the PSP. It states that: “Initially, DHS will be working with certain facilities to complete this requirement during compliance inspections.”

This helps explain the confusion raised in the latest CFATS Quarterly where ISCD explained that the first compliance inspection that included Terrorist Screening Data Base (TSDB) personnel vetting was conducted on January 28th, 2016 and the first SSP change with an updated PSP was approved a little over one month later. This was probably the same facility in both instances.


In any case, ISCD is continuing to parcel out new information about changes in their CFATS program. I am hoping, however, that they are directly notifying covered facilities about these changes in their web site. The average facility security officer (for most facilities a second job for someone) does not have time to do a daily detailed perusal of the CFATS web site to ferret out these changes. Though to be fair, ISCD does a good job of annotating when web site changes are made. That is much more than I can say for other DHS agencies, like TSA for instance.

Monday, April 25, 2016

S 2837 Introduced – FY 2016 CJS Spending

Last week Sen. Shelby (R,AL) introduced S 2837, the Commerce, Justice, Science, and Related Agencies (CJS) Appropriations Act, 2017. As is usual, there is no mention of cybersecurity in the actual bills beyond internal cybersecurity spending. There are, however, some interesting comments in the Appropriations Committee Report.

NIST Cybersecurity


The Committee provides (pg 18) a total of $75 million for cybersecurity activities; including:

• $33 million for the National Cybersecurity Center of Excellence [NCCoE];
• $4 million for the National Initiative for Cybersecurity Education; and
• $38.7 million for cybersecurity research and development

“The Committee recommends that NIST continue to work in concert with its public, State, and county partners to encourage co-location of companies involved in NCCoE activities, which will encourage further innovation by leveraging the development of new applications, business use cases, and technology transfer among all stakeholders.” (pgs 18-19)

In its cybersecurity grant program, the Committee recommends that (pg 19) “consideration should only be given to institutions of higher education, including community colleges, designated by the National Security Agency as Centers of Academic Excellence for Information Assurance Education and Centers for Academic Excellence for Information Assurance Research”.

Other Science Cybersecurity


The Committee commends the National Telecommunications and Information Administration (NTIA) for its recent request for information (RFI) on the federal government’s role in encouraging the development of the ‘internet of things’. The Committee urges continued work on “its consideration of how to appropriately plan for and encourage the proliferation of network connected devices, including soliciting input from: industry stakeholders; subject matter experts; businesses, including small- and medium-sized businesses; consumer groups; and relevant Federal agencies” (pg 17).

The Committee continued funding for cybersecurity research at the National Science Foundation at FY 2016 levels; noting that that research “will form the intellectual foundations for practical applications that make our information networks safer, more secure, and better able to predict, resist, repel, and recover from cyber attacks” (pg 11).

DOJ Cybersecurity


The Committee is funding Department of Justice cybersecurity related programs at $896 million, a 10% increase over the previous fiscal year.

Throughout this title, the Committee’s recommendation for cybersecurity-related activities for the Department totals $896,325,000 for fiscal year 2017, which is an increase of $82,679,000, or 10 percent, above the fiscal year 2016 level.

The US Attorneys’ Office will receive $58 million (almost 4% above requested) to be “able to increase the number of investigations and prosecutions of cyber attacks and cyber intrusions, and provide the high-caliber level of training on cybercrime and digital evidence needed for Assistant U.S. Attorneys to be able to analyze and present digital evidence across all types of criminal case” (pg 65).

The FBI cybersecurity funding is being increased by $17 million with an additional $43 million increase for the Cyber Division “to strengthen its cyber capabilities and investigations including those into ransomware attacks against institutions such as hospitals” (pg 71).

The Committee is also carving out a new $1 million grant program for a new “Cybercrime and Digital Evidence Resource Prosecutor Pilot Program to provide State and local prosecutors with training and trial experience in cybercrimes and digital evidence” (pg 89).

Moving Forward


There has been a general consensus that we will see a continuing resolution passed this year just before the end of the fiscal year, as has become common, especially in an election year. The unspoken assumption has been that no spending bills would be completed before that continuing resolution passed. With the early introduction of this bill and the THUD bill there is a chance that these two less controversial bills may be sent to the President before the summer recess. It will all depend on how fast the Senate can take up and pass the two bills.

Commentary


With the FBI and DHS going around the country warning utilities of the potential for a Ukraine-style attack on the grid, it is disheartening to see no mention of control system security, particularly ICS forensics, in the DOJ portions of this bill. Unfortunately, I think that it is going to take a high-profile attack on a control system for Congress and the DOJ to understand that the forensics capability to collect and evaluate usable evidence for a prosecution against a control system hacker just does not exist within the criminal justice system.


Almost a billion dollars for cybersecurity investigations and prosecutions sounds like a bunch of money, but once it gets spread around the various programs and agencies, it really is not all that much. The $49 million for the Cyber Division doesn’t really go that far; the CSI Cyber stars probably pull in close to that in salaries and perks (sorry, couldn’t help myself). And, on a more serious note, remember that the FBI reportedly spent more than $1 million to access a single encrypted device (and yes, they probably got a tool out of it, but only for one specific type of phone).

Committee Hearings – Week of 04-24-16

Both the House and Senate are in Washington this week and there are an unusual number of markup hearings scheduled that may be of specific interest to readers of this blog. A number of cybersecurity related bills will be addressed as well as another pipeline safety bill.

Pipeline Safety


The House Energy and Commerce Committee will hold a two-day markup hearing starting Tuesday. Among the 22 bills to be considered is an as-yet-unintroduced pipeline safety bill. This is not the same as last week’s HR 4937; that bill was the House Transportation and Infrastructure Committee’s bill. I’ll have more details on the differences between the three bills now under consideration in a later post.

NOTE: This hearing will also take up HR 2031, the Anti-Swatting Act of 2015.

Cybersecurity


On Wednesday the House Armed Services Committee will hold a markup hearing on HR 4909, the National Defense Authorization Act (NDAA) for FY 2017. While the original bill did not have any cybersecurity provisions, last week the Emerging Threats and Capabilities Subcommittee added a number of new sections addressing cybersecurity issues, including:

• Section 221—Strategy for Assured Access to Trusted Microelectronics
• Section 806—Amendments Related to Detection and Avoidance of Counterfeit Electronic Parts
• Section 1631—Special Emergency Procurement Authority to Facilitate the Defense Against or Recovery from a Cyber Attack
• Section 1632—Change in Name of National Defense University's Information Resources Management College to College of Information and Cyberspace
• Section 1633—Requirement to Enter into Agreements Relating to Use of Cyber Opposition Forces
• Section 1634—Limitation on Availability of Funds for Cryptographic Systems and Key Management Infrastructure

On Wednesday the Senate Commerce, Science and Transportation Committee will hold a markup hearing addressing six bills; including the:

• S 2607, Developing Innovation and Growing the Internet of Things (DIGIT) Act; and
• S 2817, Space Weather Research and Forecasting Act (text still not available).

On Thursday the House Homeland Security Committee will hold a markup hearing on four bills; including HR 4743, the National Cybersecurity Preparedness Consortium Act of 2016. It will be interesting to see if they address the definition issue so that the bill would also address control system security issues.

On the Floor


The House will consider two bills under suspension of the rules this week that may be of specific interest to readers of this blog:

HR 3583 – PREPARE Act, as amended
HR 4240 – No Fly for Foreign Fighters Act

As usual these will be considered under limited debate and no amendments from the floor.


The Senate resumes consideration of the military construction spending bill. There is a possibility that another spending bill may come up for consideration late this week.

Sunday, April 24, 2016

S 2844 Introduced – THUD Spending

This week Sen. Collins (R,ME) introduced S 2844, the Transportation, Housing and Urban Development, and Related Agencies (THUD) Appropriations Act, 2017. Since the Senate Appropriations Committee has already completed its markup of this bill, the Committee Report is also available.

As is usual the bill contains no specific mention of chemical transportation safety or cybersecurity issues (beyond internal cybersecurity requirements) other than funding. The Committee report, however, does provide guidance to DOT and its constituent agencies on such topics. Topics of potential interest to readers of this blog include:

• Unmanned Aircraft Systems (UAS);
• Autonomous Vehicles;
• Safe Transport of Energy Products (STEP);
• Comprehensive Oil Spill Response Plans

Unmanned Aircraft Systems


While there are a number of mentions of UAS programs in the report, one specific topic that has been covered in this blog was included: UAS registration (pg 30). The Committee commends the FAA for the development of the on-line registration process for UAS. It then goes on to direct the FAA “to include in its electronic registration system a link for registrants to undergo a suitable and interactive online education and training program.” A report to Congress is included in the requirement.

Autonomous Vehicles


The Committee mentions autonomous vehicle programs in two different areas of the report: FHWA (pg 45) and NHTSA (pgs 55-6). In the FHWA section of the report the Committee requests a report on the economic effects of autonomous vehicles, specifically focusing “on motor carriers, ports, transit, and related industries”.

The NHTSA portion of the report notes that the Committee is recommending “$6,600,000 for vehicle electronics and emerging technologies”. A brief note adds that the “Committee directs the agency to also reduce cybersecurity risks associated [with] the vehicle’s electronic and communications systems” with those funds.

Safe Transport of Energy Products


The report notes (pg 60) that FRA funding includes monies intended to “support FRA’s efforts to improve the safe transport of energy products. The STEP initiative supports crude oil safety inspectors, crude oil route safety managers, and tank car quality assurance specialists, tank car research, as well as supports increased mileage of a dedicated Automated Track Inspection Program vehicle on routes with energy products traffic”.

Comprehensive Oil Spill Response Plans


While the Committee recognizes that PHMSA did publish an advance notice of proposed rulemaking (ANPRM) on comprehensive oil spill response plans for railroads, the Committee is extremely disappointed in the lack of action since then. In this report the Committee “directs PHMSA to initiate a rulemaking to expand the applicability of comprehensive oil spill response plans to rail carriers no later than June 30, 2016, and to issue a final rule no later than December 18, 2016”.

Moving Forward


With the Senate taking up HR 2028 last week (the vehicle for the FY 2017 military construction spending bill), it is obvious that the Senate is not going to wait for the House to start the spending bill process. Where this particular bill fits in the schedule is open to some question, but it is obviously relatively high on the priority list of the Senate Appropriations Committee.

The House will most likely take up their own bill and then the two bills would go to Conference before a final version is passed and sent to the President. It is still too early to dismiss final action on this bill before the election. If the Senate takes action on the bill in the next couple of weeks we might actually see this bill pass before the summer recess. I’m not holding my breath, but it is possible.

Commentary


The UAS training program suggestion seems like a no brainer on its face; ensuring that small UAS operators have at least a minimum of safety and regulatory training before they operate their UAS is a motherhood and apple pie proposal. Unfortunately, this is one of those appearance suggestions that is likely to have adverse consequences. While registration is legally required, the way that it has been implemented is actually a voluntary registration program, particularly for non-commercial UAS.

Since there is no effective way of policing the registration requirement, the FAA is relying on voluntary compliance with the registration requirement. And that voluntary compliance is apparently failing miserably. The FAA estimated that there were 1.6 million UAS sold in the United States in 2015, yet the registrations reported by the FAA total less than 10% of that number.

Anything that makes the registration process more difficult or expensive will reduce the number of registrations. The current ‘training’ requirement in the registration process is nothing more than an ‘I have read and understand’ check box that is probably as effective as the similar check boxes found during the ‘registration’ process for many web sites and software programs. To add requirements for anything more complicated than that will ultimately reduce the number of UAS owners that will undergo the registration process.

The autonomous vehicle cybersecurity provisions are just another case of satisfying appearances. While encouraging NHTSA to address cybersecurity issues the Committee only authorizes $6.6 million for all spending on autonomous vehicle technology. The fact that the Committee also cautioned NHTSA not to kill the innovative program with regulation helps to ensure that NHTSA will be doing little in vehicle cybersecurity regulation.

It is nice to see that the Committee supports the STEP program, but without a line-item in either the bill or the report for the program, it is evident that this is more of a pro forma support rather than taking any real action to support safe transportation of flammable fuel liquids.

Saturday, April 23, 2016

More Information on PCII ANPRM

On Thursday the Department of Homeland Security published an advance notice of proposed rulemaking (ANPRM) seeking public input on possible changes to the Protected Critical Infrastructure Information (PCII) program. Yesterday the Department also updated its website to provide additional information about the ANPRM. The Federal eRulemaking Portal also provided the docket number for comments on the ANPRM that was missing from the notice.

PCII Web Site


DHS has maintained a rather extensive web site about its PCII program. The landing page for that program was updated yesterday with a new section at the bottom of the page briefly outlining the purpose of this week’s ANPRM. It also provided links to two new web pages dealing with the ANPRM:


The first page provides a brief overview of the rulemaking process and explains that the National Protection and Programs Directorate (NPPD) expects that this rulemaking process will take about two years and that the expectation is that a notice of proposed rulemaking (the next step in the process) should be published next year.

The second page provides essentially the same information in a slightly different format and just a tad bit more detail.

Docket Number


I noted in Thursday’s blog post about the ANPRM that DHS had made a minor administrative mistake and failed to include the docket number for the ANPRM in the notice. That docket number is important because it is used to access or provide information about this proposed rulemaking on the Federal eRulemaking Portal.


A search of that portal this morning shows that the docket number does actually exist. It is DHS-2016-0032. I still expect that DHS will publish either an amended ANPRM notice or an update to the current notice in the Federal Register that will show this docket number. That almost certainly needs to be done to keep everything kosher.

Friday, April 22, 2016

ISCD Posts CFATS Compliance Inspection Fact Sheet

Today the DHS Infrastructure Security Compliance Division (ISCD) posted a new document to their CFATS Knowledge Center that provides some limited information about the compliance inspection process.

Since compliance inspections are based upon compliance with the facility’s Site Security Plan (SSP), each facility’s compliance inspection (CI) will be slightly different. This document provides a general overview of what facilities can expect. It does make a very valid point that facilities should contact their Chemical Security Inspector or regional Compliance Case Manager for more specific details.

Two additional items of information could have (probably should have) been addressed in this document. First is the difference between compliance inspections for facilities that have completed the Expedited Approval Program (EAP) versus the standard SSP submission process. Facilities that went directly to the EAP process without undergoing the authorization or approval process may never have had a CSI inspect their facility. This will almost certainly mean that it will take more time for the CSI to look at the facility to gain a better understanding of the facility operations and how they will affect the SSP. The consequences of not successfully completing an EAP compliance inspection are also significantly different than for a facility that is operating under an authorized/approved SSP.

There is also a disturbing failure to mention Personnel Surety Program (PSP) compliance issues. Now this may be because ISCD is planning on explaining to facilities what to expect with the PSP portion of the CI when they approve the changes to the site security plan for the PSP. While the vast majority of the Tier I and Tier II facilities will have to go through this update process, there may be facilities that are new to the CFATS process that actually have had their PSP approved along with their SSP.

In any case it would have been beneficial to have ISCD include in this document at least a brief description of what kind of documentation facilities would have to be prepared to show compliance with each of the four PSP Options.


Still, this should be a valuable document for any facility that has an approved SSP. This combined with some frank discussions with the facility CSI should make it much easier to successfully complete a compliance inspection.

Bills Introduced – 04-22-16

With the House and Senate preparing to leave Washington for the weekend, there were 53 bills introduced yesterday. Of those, three may be of specific interest to readers of this blog:

HR 5026 To direct the President to develop and submit to Congress a comprehensive strategy to combat cybercrime, and for other purposes. Rep. Ross, Dennis A. [R-FL-15]

S 2837 An original bill making appropriations for the Departments of Commerce and Justice, Science, and Related Agencies for the fiscal year ending September 30, 2017, and for other purposes. Sen. Shelby, Richard C. [R-AL]

S 2844 An original bill making appropriations for the Departments of Transportation, and Housing and Urban Development, and related agencies for the fiscal year ending September 30, 2017, and for other purposes. Sen. Collins, Susan M. [R-ME]

HR 5026 could be interesting depending on its definition of ‘cybercrime’. I will only provide coverage if it looks like it would include attacks on control systems.


As always, I watch spending bills for cybersecurity provisions. Of course the transportation bill will also be followed for its effects on hazardous chemical transportation issues.

Thursday, April 21, 2016

DHS Publishes PCII ANPRM

Today the Department of Homeland Security (DHS) published an advance notice of proposed rulemaking (ANPRM) in the Federal Register (81 FR 23442-23445) for a possible update of the Protected Critical Infrastructure Information (PCII) program as established in 6 CFR Part 29. This program protects critical infrastructure information (CII) voluntarily submitted to DHS from public disclosure.

Information Sought


The notice provides background information on the initial establishment of the PCII program in 2006. It then goes on to explain that the program needs to be transitioned to a modern electronic environment and that the transition would:

• Enhance the submission and validation process for critical infrastructure information;
• Use state of the art technology for an automated interface for quicker access and dissemination of PCII;
• Modify requirements for the express and certification statements;
• Expand the use of categorical inclusions;
• Require portion marking of PCII; and
• Implement specific methods to capture and deliver metadata to the PCII Program.

Specifically, DHS is requesting information and comments on the following topics:


The first topic is the one about which DHS is seeking the most information. It is seeking comments on nine specific areas in this topic. Those areas include:

• How to enhance the submission methods for critical infrastructure information and automate sharing via structured information expression profiles and electronic exchange protocols;
• Whether an updated PCII rule should permit multiple submissions of information under one express statement and certification statement enabling the submission of multiple documents by an organization over the course of several weeks or months;
• Whether an updated PCII rule should allow submissions in a purely electronic format that includes an electronic express statement and certification statement in order to simplify the submission of large data sets in particular;
• Whether and to what extent an automated submission process should incorporate auditing and statistical reporting requirements to increase transparency of the frequency and types of data being submitted to the program;
• Addressing any process amendments or program enhancements to effectively implement automated submission processing in order to facilitate the submitter's ability to request and receive timely audits of access to the submissions;
• What effect, if any, an updated PCII Program would have on enabling broader sharing and analysis among other trusted recipients of cyber threat and risk data;
• Which specific programmatic-submission use cases that define data collection needs should be developed and established as categorical inclusions in specific data exchange activities in order to increase the submitters' community use and ease of submission in the PCII submission process;
• The extent to which specific programmatic-submission use cases should be developed and established as categorical inclusions in order to normalize a range of permissible and impermissible uses for specific types of data shared as PCII; and
• Expanding categorical inclusions to the State governmental level to increase the range of submissions, enhance the efficiency of information sharing, and make the protection of critical infrastructure information more effective.

Public Comments


DHS is soliciting public comments on the above topics and questions. Those comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # OOPS, there is no docket number provided in today’s notice). I expect that we will see a revision notice next week in the Federal Register providing a docket number. Until then, the only other method of comment submission included in the notice is snail mail, not my recommendation. Still, comments should be submitted by July 20th, 2016.

Commentary


The one thing missing from this notice is mention of the pending rule on Controlled Unclassified Information. The final rule on CUI was submitted to OMB back in October. This rulemaking from the National Archives and Records Administration (NARA) seeks to standardize the administration of CUI programs like PCII.

Since the PCII program was established by statute {the CII Act of 2002 (Sections 211-215, Title II, Subtitle B of the Homeland Security Act of 2002, PL 107-296)} most of the NARA regulations can be overridden by the PCII regulations. But, any areas of the NARA regulations that are not specifically addressed in the PCII regulations will have to comply with the NARA provisions. And there will be some areas of the NARA regulations that may not be superseded unless specifically authorized in legislation.

Unfortunately, this ANPRM cannot attempt to address those issues since the NARA regulations have not yet been approved. I suspect that the most likely areas of potential conflict will deal with page and paragraph marking requirements.


The other area of potential concern (though probably not an actual conflict since it has never been addressed) will be the requirements for cybersecurity of electronic copies of documents. This will be particularly important with this ANPRM because of the expressed intent of expanding the use of electronic data submission and sharing. But, again, it is hard to express concerns about these issues until the NARA rule is published.

DHS Publishes ISAO Meeting Notice – 5-18-16

Today the Department of Homeland Security published a public meeting notice in the Federal Register (81 FR 23506-23507) for a two-day meeting in Anaheim, CA starting May 18th, 2016. The meeting will support the establishment of Information Sharing and Analysis Organizations (ISAO) in accordance with EO 13691.

The first day of the meeting will be limited to the ISAO Standards Organization and its six working groups. The second day will be the public forum for the discussion of an initial set of draft documents that will focus on the needs of those seeking to join or form an ISAO; those drafts should be released for public comment by early May on the ISAO web site.

Seven questions will be addressed during the public discussion:

• What needs to be considered by a newly-forming ISAO and what are the first steps?
• What capabilities might an ISAO provide?
• What types of information will be shared and what are some mechanisms for doing so?
• What security and privacy is needed for a newly-forming ISAO?
• What mentoring support is available for newly-forming ISAOs?
• What government programs and services are available to assist ISAOs?
• What concerns do regulators and law enforcement have about the new ISAO construct?


DHS will also be soliciting written comments on the draft documents and the above questions. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2015-0017). There is some confusion about when such comments should be submitted. The notice states that the comments should be received by November 14th, 2015, but that is obviously a hold-over from a previous notice. The Portal notes that the comment period is closed on this notice. This may be clarified when the Standards Organization posts the draft documents.

ICS-CERT Updates (Changes) Moxa Alert

Yesterday afternoon the DHS ICS-CERT updated the Moxa Alert that was originally released on April 8th. ICS-CERT reports changes in three areas of the Alert, the summary section, the list of affected equipment and the mitigation section. As was true with the original release, there is some controversy associated with this revision of the alert.

Changes in Summary


First, the update removes a general description of the uses of the affected equipment from the Summary. Then it removes the statement that: “The researcher released the report after initially coordinating with the vendor.” Finally, it provides updated information from Moxa confirming all five of the vulnerabilities reported by Digital Bond LABS instead of just three of the five confirmed in the original Alert. The Alert still does not list DBLABS as the source of the public report of the vulnerabilities.

The removal of the initial coordination statement appears to be a political move by ICS-CERT to minimize the issue that Moxa still does not plan on issuing a fix for the problems until ‘late August 2016’. The revised language makes it look like Moxa was blindsided by the April 5th report and is diligently working on a firmware update. They may be working on an update now, but the DBLABS report provides a timeline showing that Moxa was notified of the vulnerabilities on July 24th, 2015.

Changes in Products Affected List


The revised Alert reformats and expands the list of affected Moxa NPort devices affected by the five vulnerabilities. It also indicates that Moxa acknowledges the defect in the new list of affected devices. The DBLABS report suggested that more devices than they originally reported were probably affected by the vulnerabilities, acknowledging that the ones listed in the report were the only ones that they had tested.

Interestingly, some of the devices tested by DBLABS do not appear on the revised list of affected devices. These include Moxa NPort 6150/6250/6450/6610/6650, firmware release 1.13. Also interesting to note is that DBLABS was careful to list the firmware versions of the devices they tested, while there are no version numbers on the revised list in this update. This suggests that the problem is nearly universal across the NPort product line.

Changes in Mitigation


The third section of changes to the Alert actually overlaps the Mitigation section heading and includes the last two paragraphs from the Summary section. Changes were made in those two paragraphs as well. First, the new version eliminates the list of affected port numbers provided by DBLABS. Second, it removes the description of the uses of the affected NPort devices. That description had stated that:

“The Moxa NPort 6110 device is a Modbus/TCP to serial communication gateway that integrates Ethernet and serial Modbus devices. The Moxa NPort 5100 series and 6000 series devices are serial to Ethernet converters that can be used to connect serial devices to an Ethernet network.”

The changes in the mitigation section of the Alert deal mainly with the fact that Moxa now acknowledges all five of the reported vulnerabilities and reports that the expected August update will mitigate all five. Moxa continues to report that it will not be updating the firmware for the NPort 6110 since that was discontinued in 2008.

Finally, ICS-CERT removed the statement that: “Password protecting the configuration file for the NPort 5100 and 6000 series devices has been reported by the vendor to prevent the upload of unauthorized binary files to the device.” It has been replaced with the more generic and even less helpful (but more truthful): “Set up access control to affected devices to prevent any unauthorized access.”

The Controversy


While it appears that this update was a political response to satisfy the sensibilities of Moxa, or maybe to minimize the concerns of the owners of the NPort devices, it did nothing to soothe the outrage of the investigators who had attempted to ‘properly’ coordinate their disclosure of these very serious vulnerabilities with the vendor.

Last night there was an interesting exchange of tweets between Reid Wightman (@ReverseICS), the author of the original DBLABS report, and Dale Peterson (@digitalbond), the owner of Digital Bond. Now admittedly, Dale and Reid are very vocal (and persuasive) complainers about insecure-by-design ICS devices (which might legitimately include the noted firmware overwrite vulnerability), but insecure passwords, buffer overflow, cross-site scripting and cross-site request forgery vulnerabilities are just plain, old-fashioned, sloppy programming problems. And taking over a year to correct that crappy programming is just unforgivable.

I am more than a little concerned that the ICS-CERT alert continues to ignore two very important points made in the DBLABS report. First, the fact that Moxa serial converter devices were targets in the December cyberattacks on the Ukraine grid and that they were bricked by overwriting the firmware. Second, that DBLABS has shared at least one report of a live exploit of an NPort device with Moxa.

Finally, the mitigation measures mentioned in the Alert are totally inadequate to provide any sort of protection for these devices in the field. And that is totally inexcusable since the DBLABS report provides detailed mitigation measures based upon the vulnerable ports (again, those port designations were removed from the Alert). If the list of the vulnerable ports had not been removed from the Alert, ICS-CERT might have been forgiven for not quoting the DBLABS mitigation suggestions, but they did and I’m not.
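The Alert’s surviving advice, “set up access control to affected devices”, is only useful if somebody verifies it. The script below is an added example (not from the ICS-CERT Alert, the DBLABS report or Moxa) of the kind of check an asset owner can run from a host that should *not* be able to reach a serial converter’s management services: it attempts a TCP connection to each listed service and reports which ones answer. The service names and port numbers in EXAMPLE_SERVICES are placeholders, not the ports from the DBLABS report; substitute the ports listed there for your NPort models. The demo() function stands up a throwaway listener on loopback so the check can be exercised offline.

```python
"""Check whether a device's management services are reachable from this host.

Added example: run from a workstation that segmentation/ACLs should block,
a 'reachable' result means the access control is not doing its job.
"""
import socket
import threading

# Placeholder service list (assumed names and ports, NOT the DBLABS port list).
# Replace with the ports identified for the NPort models you actually run.
EXAMPLE_SERVICES = {"web-config": 80, "telnet": 23}


def is_reachable(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def check_exposure(host, services, timeout=1.0):
    """Map each named service on one device to whether it answered a connect."""
    return {name: is_reachable(host, port, timeout) for name, port in services.items()}


def exposed_services(results):
    """Names of services that reached us and therefore should have been blocked."""
    return sorted(name for name, reachable in results.items() if reachable)


def _local_listener():
    """Constructed stand-in for a device: a throwaway TCP listener on loopback."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed, stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo():
    """Offline demonstration: one open 'service' and one closed one on loopback."""
    srv = _local_listener()
    open_port = srv.getsockname()[1]
    # Reserve and release a second ephemeral port so nothing listens on it.
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    services = {"open-service": open_port, "closed-service": closed_port}
    results = check_exposure("127.0.0.1", services, timeout=1.0)
    srv.close()
    return results


if __name__ == "__main__":
    found = demo()
    print(found)                          # open-service True, closed-service False
    print("exposed:", exposed_services(found))
    # Against a real device, from a host that should be blocked:
    # print(exposed_services(check_exposure("192.0.2.10", EXAMPLE_SERVICES)))
```

Run it from the segment the ACL is supposed to keep out, not from the engineering workstation that legitimately manages the converters; an empty "exposed" list from the wrong vantage point proves nothing.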

I have been a champion in this blog of the vulnerability coordination activities of ICS-CERT, even suggesting that they be made responsible for coordination activities for NHTSA, the FAA, and the FDA. With blatant industry pandering like this alert update, I think that I am going to have to re-think that position.


Wednesday, April 20, 2016

HR 4937 Introduced – PIPES Act

Last week Rep. Denham (R,CA) introduced HR 4937, the Protecting our Infrastructure of Pipelines and Enhancing Safety (PIPES) Act of 2016. This bill would reauthorize the Pipeline Safety Regulations (PSR) enforced by DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA). The Senate passed its version of this bill (S 2276) last month by unanimous consent.

S 2276 vs HR 4937


While there are many similarities between the two bills, there are also many differences. S 2276 is a larger bill, containing 11 sections not found in HR 4937. Those sections are:

Sec. 5. Statutory preference.
Sec. 10. Pipeline odorization study.
Sec. 13. Research and development.
Sec. 20. Surface transportation security review.
Sec. 21. Small scale liquefied natural gas facilities.
Sec. 22. Report on natural gas leak reporting.
Sec. 23. Comptroller General review of State policies relating to natural gas leaks.
Sec. 24. Provision of response plans to appropriate committees of Congress.
Sec. 25. Consultation with FERC as part of pre-filing procedures and permitting process for new natural gas pipeline infrastructure.
Sec. 26. Maintenance of effort.
Sec. 27. Aliso Canyon natural gas leak task force.

While HR 4937 is a shorter bill, it also contains a number (5) of sections not included in the Senate version. Those sections are:

Sec. 14. Safety data sheets.
Sec. 16. Emergency order authority.
Sec. 17. State grant funds.
Sec. 20. Pipeline safety technical assistance grants.
Sec. 21. Study of materials and corrosion prevention in pipeline transportation.

Committee Markup


The House Transportation and Infrastructure Committee met this morning to conduct a markup hearing that included HR 4937. Four amendments to the bill were offered: a Manager’s amendment that included two new sections for the bill, a minor word change amendment from Rep. Sanford (R,SC) and two amendments from Rep. Nolan (D,MN) regarding the steel used in pipes. The first two amendments were passed by votes of 34-25 and 34-25 respectively. The amended bill was approved by a voice vote; this was described as a unanimous vote in the Committee press release.

The two new sections added by the Manager’s amendment include:

SEC. ___ Research and Development.
SEC. ___ Active and Abandoned Pipelines.

The first closely replicates one of the sections found in S 2276.

Moving Forward


This bill is likely to move to the House floor within the next month or so. The relatively small number of amendments offered in Committee and the voice vote in adoption indicate that the bill is likely to pass with substantial bipartisan support when considered by the whole House. The bill would probably be addressed under a rule allowing debate and limited floor amendments.


Because of the extensive differences between the House and Senate bills, a conference committee would likely be appointed to work out the differences between the two bills. It is very likely that a conference report could be completed before the summer recess, making this one of a relatively small number of bills that would land on the President’s desk before the elections this fall.

Senate Resumes Considering S 2012

Yesterday the Senate resumed consideration of S 2012, the Energy Policy Modernization Act of 2015. There were 27 amendments considered en bloc and passed by unanimous consent. Four additional amendments (including the substitute language) were approved and four were rejected; all by voice votes. A unanimous consent agreement was reached to schedule a final vote on the bill for today.

Provisions of Interest


The language in the substitute amendment included two specific provisions that could be of particular interest to readers of this blog (described previously here):

• Critical Electric Infrastructure Information; and
• Enhanced Grid Security

Only six of the large number of amendments offered to this bill could have been of interest to readers of this blog. None of those were considered in yesterday’s actions. Those amendments were:

SA 2997 – Sen. WYDEN (D,OR) – Internet of Things;
SA 3163 – Sen. FISCHER (R,NE) – Pipes Act;
SA 3186 – Sen. FISCHER – OSHA Retail Facility Exemption;
SA 3196 – Sen. KIRK (R,IL) – Large Scale Cyber Incidents;
SA 3197 – Sen. COLLINS (R,ME) – Critical Electric Infrastructure at Greatest Risk;
SA 3236 – Sen. WYDEN – Energy Train Data Collection.

Moving Forward


It is being reported on Twitter that the bill passed this morning by a vote of 85 – 12; as expected, a significant bipartisan majority. The question now is whether the House will take up this bill or whether the House will insist on the language in HR 8, which passed along a party-line vote and which the President has threatened to veto. The latter choice would lead to a conference committee to work out the differences between the two bills.

NOTE: HR 636 passed yesterday, as expected, by a vote of 95 – 3.