Wednesday, August 31, 2016

CFATS Security Model

One of the many complaints about attempting to regulate cybersecurity in critical infrastructure is that any attempt to mandate security procedures will, because of the rapid state of change in cybersecurity, result in outdated standards being applied as malware continues to evolve; making the regulations counterproductive. This has led to many (myself included) recommending that any cybersecurity regulatory scheme must be focused on out comes rather than specifying security measures. There is currently only one major security regulatory program that is based upon this concept, the Chemical Facility Anti-Terrorism Standards (CFATS) program. Thus an analysis of the successes and problems of the CFATS program would be important for an extension of that regulatory scheme into the cybersecurity realm.

CFATS Background


The CFATS program was established by Congress as an add-on the 2007 DHS spending bill (PL 109-295). Section 550 of that bill required DHS to establish “risk-based performance standards for security of chemical facilities and requiring vulnerability assessments and the development and implementation of site security plans for chemical facilities”.

A key provision of that section was that DHS was prohibited from disapproving “a site security plan submitted under this section based on the presence or absence of a particular security measure”. This provision resulted in DHS developing their Risk Based Performance Standard guidance document. This document provided expected outcomes that DHS would use to evaluate the eighteen performance standards (outlined in 6 CFR 27.230 that would have to be addressed in a covered facility’s site security plan.

RBPS Metrics


The guidance document provided a brief overview of each of the performance standards, including a discussion of the considerations that might have to be considered in selecting security measures and a brief outline of some of the types of security measures that could be employed. At the end of each performance standard discussion was a list of the metrics that the DHS Infrastructure Security Compliance Division (ISCD) would be using to evaluate the site security plan compliance with the RPBS.

For example, the metrics for RBPS 8, Cybersecurity, included:

• Cybersecurity policies;
• Access control;
• Personnel security;
• Awareness and training;
• Disaster recovery and business continuity;
• System development and acquisition;
• Configuration management; and
• Audits

Risk Assessment


Most of these metrics contained sub-metrics and a list of performance standards for each based upon the tier ranking of the facility. The tier ranking was a measure of risk assessment conducted by ISCD based upon data provided by the facility in a two-part risk assessment process. The first part was based upon the data provided in the facilities Top Screen submission. All non-exempted facilities in the United States that had chemical inventories that contained one or more of a list of 300+ DHS chemicals of interest (COI) at or above the screening threshold quantity (STQ) set for that COI were required to submit an on-line Top Screen.

ISCD took the information provided in the initial 40,000+ Top Screens to determine which facilities seemed to present a high-risk of terrorist attack. Those 7,000+ high-risk facilities were then directed to submit additional information via the on-line Security Vulnerability Assessment (SVA) tool. That information was then used to confirm the high-risk assessment and to further rank the risk of those facilities by placing them into one of four Tier; Tier 1 being the highest risk tier.

Site Security Program Negotiations


Once a facility receives its Tier ranking notification from ISCD it is then required to prepare and submit its site security plan (SSP) via another on-line tool. Since there is an expected inclination for facilities to minimize their spending on security (an expense with no expected financial return) and the guidance document is deliberately vague as to what security measures are required it is unlikely (ISCD has published no statistics on this) that any facility submitted an initial SSP that met the RBPS metrics is all aspects according to ISCD evaluators.

During the early days of the program ISCD took the stance that the Congressional prohibition against specifying security measures meant that ISCD could not tell facilities what they had to do to modify their SSP plan to ensure that it met all metrics. The most they could do was tell them what metrics had not been met. As the program advanced and Chemical Security Inspectors (CSI) had more experience with facilities having their SSPs authorized and later approved, many of the CSI were able to tell facility security managers what measures had been approved by ISCD at other facilities in similar situations.

As a practical matter this has meant that the process of getting an SSP approved has been a series of negotiations between facilities and DHS. The facility proposes an SSP and ISCD tells them where it is deficient. The facility then modifies the SSP and it is re-evaluated by ISCD. Some number of iterations of this process are required until the facility and ISCD can come to an agreement as to what security measures are necessary for that facility. Those security measures then become the enforceable CFATS requirements for that facility.

Manpower Intensive


While the on-line submission of the SSP allows for some automated analysis there are still a large number of man-hours needed to conduct the evaluation of each submission. Additionally, ISCD has been adamant that their CSI would be maximally available to facilities during the SSP approval process to help guide facilities through the approval process.

These manpower requirements were partially responsible for the lengthy delays that ISCD experienced during the early approval process. As the CSI became more experienced in the program, lower risk facilities were being evaluated, and ISCD instituted various management process improvements, the approval process was sped up significantly. But, even with these improvements, the SSP approval process is time intensive.

Lessons Learned


For anyone that is looking to the CFATS program as a model for creating a security related regulatory program that is both enforceable and does not specify any specific security measures in the regulations there are some very specific lessons to be drawn from an analysis of the CFATS program. The first and foremost is that a regulatory agency can negotiate facility specific security measures as long as:

• A strong, well-written set of performance standards is used as the basis of negotiation;
• There is a commitment on both the part of both regulated community and the regulators to work together to ensure the security of the regulated community; and
• The regulatory agency, and their political overseers, are willing to allow for a reasonable time frame for the negotiation process to proceed.

The second lesson that should be taken from the CFATS process is that for this process to be successful a relatively large and active inspection force is required to give the regulatory reviewers an accurate view of the on-the-ground situation at each regulated facility. The CFATS program has shown that there may be a need for multiple site visits by the inspection force to properly understand both the security plan and security capabilities of the regulated facility.


Finally, there must be a determined attempt to limit the size of the covered community to keep the size of the inspection force to a size that can be supported within the budget of the regulatory agency. CFATS did this by limiting the universe of potential covered facilities by limiting the number of chemicals that would drive the initial data submission. They then further reduced that number by doing a risk analysis to isolate just the highest risk facilities. Finally, they provided a means whereby a facility could ‘opt out’ of the CFATS program by reducing or eliminating their inventories of COI. Their initial universe of about 47,000 facilities was reduced to about 7,000 by risk analysis and they are now down to 2,984 covered facilities through the opting out process.

Tuesday, August 30, 2016

ISCD Announces CSAT 2.0 Webinars

Today the DHS Infrastructure Security Compliance Division (ISCD) published a notice on the CFATS Knowledge Center regarding two webinars in September introducing CSAT 2.0. In addition, they announced that there will be a series of in-person demonstrations of the new CSAT Portal User Interface as well at the three main CSAT tools; the Top Screen tool, the Security Vulnerability Assessment tool and the Site Security Plan tool at various locations to be announced.

The two webinars are:

• CSAT Portal User Interface and Top-Screen, 9-7-16, 13:00 EDT, register; and
• Security Vulnerability Assessment and Site Security Plan, 9-9-16, 13:00 EDT, register.

Additional information will be available in coming days on the CFATS Tiering Methodology page.

ICS-CERT Updates Moxa Advisory

This morning the DHS ICS-CERT published an update for the Moxa OnCell advisory that was originally published a week ago. The update adds a new vulnerability, cross-site scripting, to the previously reported to vulnerabilities.

Readers might remember that I added a note to my post on the original advisory. I quoted a TWEET® from Maxim Rupp, the researcher who originally reported the vulnerabilities. He complained that the advisory did not include all of the affected devices from Moxa. Interestingly, he did not claim that all of the vulnerabilities were not being reported. So the question is, did Maxim report this additional vulnerability or was it self-reported by Moxa?

The fact that there have been no changes in the fixes to the OnCell software kind of argues that the that Moxa had known about the problem when they wrote the firmware update. It would be really unusual for the firmware update to have fixed a cross-site scripting problem if it was not known about.

Monday, August 29, 2016

ICS-CERT Announces CSET v8.0 Webinar

Today the DHS ICS-CERT announced that they would be holding a webinar on September 20th introducing version 8.0 of their Cyber Security Evaluation Tool (CSET®). You can register for the free webinar on-line. Copies of CSET v8.0 will be available for free download on September 13th.

ICS-CERT describes CSET as “stand-alone desktop software that guides users through a step-by-step process to assess their control system and IT network security practices against recognized standards”.

Long-time readers of this blog will note that I have routinely commented on the poor way that ICS-CERT normally deals with upgrades of CSET. The upgrade to v7.1 earlier this year was the first upgrade that was actually announced in a timely manner on the ICS-CERT web site instead of waiting for the publication of the next ICS-CERT Monitor. To the best of my knowledge this will be the first time that ICS-CERT has conducted a public webinar on CSET. And it is certainly the first time that they have announced an upgrade in advance of publication.


If you have any sort of responsibility for the security of an industrial control system, it would probably be a good idea to sign up for this webinar. I certainly have.

Wednesday, August 24, 2016

Draft OSHA PSM Guidance Documents Published

Yesterday I received an interesting email from the folks at DHS that are providing administrative support for the DHS-OSHA-EPA response to the President’s Executive Order on Improving Chemical Safety and Security (EO 13650). The email reported that OSHA had published three new draft guidance documents for their Process Safety Management (PSM) program and noted that OSHA was soliciting public comments about these documents.

The three new guidance documents are for [NOTE: all links are for .PDF downloads]:


A brief review of the Storage Facility guidance document did not show any new information or outline any new requirements not already spelled out in the PSM guidance document. It looks like the intent is to provide a fairly brief (15 page) overview of the PSM requirements for facilities that may have thought that the PSM standard did not really apply to them. If that is the intent a brief section outlining how a facility determines if it is covered by the standard would have been appropriate.

OSHA is soliciting public comments on these documents. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #OSHA-2016-0021).

Commentary


I have two points of interest to discuss without having done a detailed review of any of the three documents. The first is a complaint about the administration of this process and the second is a pet peeve about the PSM program.

I am very disappointed in the way that OSHA is going about this publish and comment process. There is no notification about these documents on the OSHA EO 13650 web site nor has there been a notice published in the Federal Register. That combined with the very short (30-day) comment period makes me wonder just how interested OSHA and the Administration is in receiving public comments on these documents.

Since these are just guidance documents with no real information, I suppose OSHA is under no legal obligation to go through a formal publish and comment process. But, if you want to keep up appearances, especially this late in the life of the current Administration, then a formal publication of a request for comments in the Federal Register with a reasonable 60-day comment period would seem to be much more appropriate.

There are a series of ‘frequently asked questions’ at the end of the guidance documents and one of those in the Storage Facilities document (and most likely the others) is responsible for triggering a mini-diatribe about the major failing (IMNSHO) of the PSM program. The FAQ asks: “Must employers inform OSHA if the standard applies to them?” The OSHA response (in part) is very important:

“No. Unlike various other environmental, health, and safety regulations, the PSM standard does not have notification or reporting requirements. This means employers do not need to inform OSHA whether or not they meet the PSM applicability criteria. They need only ensure that they fully comply with the mandatory PSM requirements for all processes that meet the applicability criteria.”


This is one of the reasons (another being a totally inadequately sized inspection force) that PSM covered facilities seldom see an OSHA inspector until after a major accident has occurred; an accident that frequently would have been prevented if the PSM standard had been met. While some facilities deliberately ignore the safety standard, most facilities (particularly the smaller ones) fail to meet the standards set forth in the PSM program out of program ignorance and the lack of chemical safety experience. An active compliance inspection program before accidents happen would certainly help reduce the accident rates.

Tuesday, August 23, 2016

ICS-CERT Publishes Advisory Update and New Advisory

Today the DHS ICS-CERT updated an advisory previously published for a control system vulnerability in the Westermo industrial switch and published a new advisory for Moxa’s OnCell products. The Westermo advisory was originally published in January, 2016.

Moxa Advisory


This advisory describes two vulnerabilities in the Moxa OnCell product. The vulnerabilities were reported by Maxim Rupp. Moxa has produced new firmware to mitigate these vulnerabilities, but there is no indication that Rupp was provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Improper restriction of excess authentication attempts - CVE-2016-5799; and
• Plain-text storage of passwords - CVE-2016-5812

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to bypass authentication to log in as a valid user.

Rhetorical Question: Has Maxim Rupp selected Moxa to be his personal research project?

NOTE: According to a TWEET from Maxim Rupp the advisory does not list all of the affected devices. Sounds like a case where the vendor does not acknowledge all of the affected devices. ICS-CERT certainly does not test them. Added 08-24-16 0630 EDT.

Westermo Update


This update explains that Westermo has now produced a patch that that allows changing default certificates to custom certificates instead of requiring the certificates to be changed manually.


NOTE: ICS-CERT announced this update on TWITTER® today. Without that notification it would be very difficult to know that the advisory had been updated.

ISCD Publishes CFATS Cybersecurity Guidelines

Today the DHS Infrastructure Security Compliance Division (ISCD) posted a link to the CFATS Knowledge Center providing some additional guidance on how ISCD looks at cybersecurity in the site security plans (SSP) for facilities in the Chemical Facility Anti-Terrorism Standards (CFATS) program. This is supplemental information to that found in Risk-Based Performance Standard (RBPS) 8 of the RBPS Guidance Document.

Since the CFATS program is a risk-based security program, ISCD is really only interested in cybersecurity as it relates to the security of the DHS chemicals of interest (COI) that are responsible for the facility being covered by the CFATS program. Specifically, the guidance notes that ISCD is looking at cyber systems that:

• Contain business or personal information that, if exploited, could result in the theft, diversion, or sabotage of a COI;
• Are connected to other systems that manage physical processes that contain a COI; or
• Monitor and/or control physical processes that contain a COI.

The new document provides a brief overview of the types of activities that ISCD is looking to see in facility SSPs related to three specific types of cyber systems:

• Critical business systems;
• Critical physical security systems; and
• Critical control systems.


As with all ISCD guidance, there is very little detail in this document. This is because of Congressional limitations on the ability of DHS to specify security measures under the CFATS program. Once a facility has an approved SSP, however, the measures described in the SSP are specifically enforceable by ISCD.

Coast Guard Publishes TWIC Reader Final Rule

Today the Coast Guard published a final rule in the Federal Register (81 FR 57651-57713) outlining the requirements for the use of Transportation Workers Identification Credential (TWIC) card readers at facilities and on vessels covered by the Maritime Transportation Security Act (MTSA) program. The notice of proposed rulemaking (NPRM) for this rulemaking was published in March of 2013 and I completed a series of blog posts on the public comments received on that NPRM. This final rule was approved by OMB back on July 11th, 2016.

This rule will require that before an individual is allowed unescorted access to designated secure area of a Risk Group A vessel or facility, an individual will have:

• His or her TWIC authenticated;
• The status of that credential validated against an up-to-date list maintained by the TSA; and
• The individual's identity confirmed by comparing his or her biometric (i.e. fingerprint) with a biometric template stored on the credential.

The final rule authorizes a facility or vessel owner to use either a TWIC Card Reader on the approved TSA list or choose to fully integrate electronic TWIC inspection and biometric matching into a new or existing Physical Access Control System (PACS). Due to the exemption for vessels with 20 or fewer covered personnel there is only one vessel currently covered by this rulemaking. A total of 525 facilities are affected.

The effective date of this rule is August 23, 2018.


Future blog posts will take a more detailed look at the provisions of this final rule.

Monday, August 22, 2016

FAA Publishes Two Cybersecurity Special Condition Notices

Today the DOT’s Federal Aviation Administration published two cybersecurity related special condition rules in the Federal Register for aircraft from Beechcraft (81 FR 56475-56477) and Bombardier (81 FR 56474-56475). These final special conditions are required because of novel or unusual design features that require special attention not outlined in normal airworthiness standards.

Beechcraft Special Conditions


This Special Condition applies to the Beechcraft Model 400A airplane. The Special Condition is required to allow installation of digital-systems network architecture, composed of several connected networks that may allow access to or by external computer systems and networks, in Beechcraft Model 400A airplanes. The applicable airworthiness regulations do not contain adequate or appropriate safety standards for this design feature. The FAA notes that:

“The existing regulations and guidance material did not anticipate this type of system architecture, or external wired and wireless electronic access to airplane electronic systems. Furthermore, regulations, and current system safety-assessment policy and techniques, do not address potential security vulnerabilities that could be caused by unauthorized access to airplane electronic systems and networks.”

The Special Conditions require that:

“1. The applicant must ensure that the airplane electronic systems are protected from access by unauthorized sources external to the airplane, including those possibly caused by maintenance activity.
“2. The applicant must ensure that electronic system-security threats are identified and assessed, and that effective electronic system-security protection strategies are implemented to protect the airplane from all adverse impacts on safety, functionality, and continued airworthiness.
“3. The applicant must establish appropriate procedures to allow the operator to ensure that continued airworthiness of the airplane is maintained, including all post-type-certification modifications that may have an impact on the approved electronic system-security safeguards.”

Bombardier Special Conditions


The Special Condition applies to the new Bombardier Model BD-700-2A12 and BD-700-2A13 airplanes. The Special Condition is required because the aircraft will contain a digital system architecture that contains multiple, interconnected domains, including:

• Flight-safety-related control, communication, and navigation systems (airplane-control domain);
• Operation and administrative support (operator-information-services domain); and
• Passenger information and entertainment systems (passenger-entertainment domain).

Additionally, this digital systems architecture will have the capability to allow access to or by external network sources.

The Special Conditions require that:

1. The applicant must ensure that the design provides isolation from, or airplane electronic system security protection against, access by unauthorized sources internal to the airplane. The design must prevent inadvertent and malicious changes to, and all adverse impacts upon, airplane equipment, systems, networks, or other assets required for safe flight and operations.
2. The applicant must establish appropriate procedures to allow the operator to ensure that continued airworthiness of the airplane is maintained, including all post type certification modifications that may have an impact on the approved electronic system security safeguards.

Public Comment


The FAA is soliciting public comments on these special conditions. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Beechcraft Docket #FAA-2016-8029; Bombardier Docket #FAA-2015-6359). Comments should be submitted by October 6th, 2016.

Commentary


The FAA continues to address aircraft cybersecurity issues on a case by case basis. This is almost certainly due to the fact that most aircraft being certified do not have digital control systems with the potential for outside access that could affect safety of flight issues. That is obviously changing.

These special conditions are written in broad enough language that each manufacturer and aircraft operator is being given a wide degree of latitude in how they accomplish the requirements set forth in the Special Conditions. And it must be remembered that each applicable solution still has to be specifically certified by the manufacturer and/or the operator.


Two questions remain. First, does the FAA have enough adequately trained cybersecurity personnel to do the evaluation necessary to complete the certification process? Second, does the FAA have a vulnerability disclosure process in place to allow third party cybersecurity researchers to notify the FAA of newly discovered vulnerabilities in these flight control systems? I do not have an answer to these questions, but I do not get a warm and fuzzy feeling when contemplating the probable answers.

Thursday, August 18, 2016

ICS-CERT Publishes Navis Advisory

Today the DHS ICS-CERT published an advisory for the SQL injection vulnerability reported yesterday by ICS-CERT in an alert concerning an uncoordinated public disclosure about the vulnerability in the Navis WebAccess application. Today’s advisory reports that Navis has produced” custom patches to mitigate this vulnerability”. There is no indication that bRpsd, the researcher who published the vulnerability, has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to compromise the confidentiality, integrity, and availability of the SQL database. A separate incident response Alert published yesterday reports that there have been multiple live exploits of this vulnerability.

There is a very interesting explanation in the Mitigation section of this advisory that I am repeating here:

“Navis reports that they have released custom patches on August 10, 2016, for the Navis WebAccess application, which is a legacy product that is in use by thirteen customers around the world, five of which are in the United States. The SQL injection vulnerability, which targeted publicly available news-pages in the application, was brought to Navis’ attention on August 9, 2016. Navis reports that they have contacted all their affected customers and that all customers in the United States have implemented the fix.”


This is a remarkably quick response to a vulnerability in an extremely low volume legacy product. An SQL injection vulnerability should be relatively easy to fix, but a one-day turnaround from a vendor is commendable and should set the standard for the industry.

PHMSA Sends New Lithium Battery Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received an interim final rule from the DOT’s Pipeline and Hazardous Material Safety Administration amending the Hazardous Materials Regulation (HMR) provisions for the shipment of lithium batteries. This rulemaking appeared for the first time in the Spring 2016 Unified Agenda.

According to the Unified Agenda abstract:

“This action would amend the Hazardous Materials Regulations to incorporate three amendments that impact the transport regulations for packaged lithium cells and batteries not packed with or contained in equipment. These amendments would: (1) prohibit the transport of lithium ion cells and batteries as cargo aboard passenger carrying aircraft; (2) limit lithium ion cells and batteries to a 30 percent state of charge; and (3) limit the number of packages that may be offered under current provisions for small (excepted) cells and batteries to not more than one package per consignment. We anticipate these amendments will result in temporary supply chain disruptions [emphasis added] but will produce immediate safety benefits by eliminating vulnerability in the existing transport regulations.”

The same high energy density that has led to the ubiquitous use of lithium batteries is also a major contributor to the fires that have resulted during shipment and use of these batteries. It will be interesting to see if OIRA allows PHMSA to go directly to an interim final rule on this rulemaking this late in the life of this Administration. While safety, not politics, is almost certainly the impetus for the rulemaking, we can expect to hear cries of ‘midnight regulations’ if this rule is issued without the normal publish and comment process.


Note: I do not expect to provide any future coverage of this rulemaking on this blog.

ICS-CERT Publishes Two Navis Alerts and Siemens Update

This alert briefly describes a reported SQL injection vulnerability in the Navis WebAccess application. The vulnerability was publicly reported (NOTE: link was not included in ICS-CERT Alert) by bRpsd without prior coordination.

According to ICS-CERT: “WebAccess, is a web-based application that provides the operator and its constituents with real-time, online access to operational logistics information.” There is currently no mention of ‘WebAccess’ on the Navis web site, but there is a brief Navis promo on the Georgia Ports Authority web site that uses WebAccess.

Navis Incident Response Alert


This alert briefly reports that the vulnerability described in the vulnerability Alert has been publicly exploited, noting that the vulnerability “has been exploited against multiple U.S.-based organizations, resulting in data loss”. ICS-CERT reports that NCCIC Scoring System rates these incidents as ‘LOW’, noting: “Is unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.”

Siemens Update


This update updates the list of versions affected by twin vulnerabilities included in the Advisory. It also provides an updated list of links to the updated versions of the affected software.

As noted above, ICS-CERT published this update and announced it on TWITTER® on Tuesday. Siemens, of course, published their ProductCERT update last Thursday; specifically adding “fix information for WinCC V7.2, Route Control and SIMATIC BATCH V8.2”. They announced their update on TWITTER the same day.

Commentary


The incident response alert issued today is the first that I recall seeing from ICS-CERT. According to the blurb on the ICS-CERT landing page describing this alert: “This report is intended to provide awareness to the US Critical Infrastructure community and make available Indicators of Compromise (IOCs) and mitigation recommendations.” This is an important function of ICS-CERT.

Fortunately, this is a relatively low impact vulnerability, at least on the national level. For the individual database owner, this could be costly depending on how much they depend on the ready availability of the database for their (and their customer) operations.


Since this is an SQL injection vulnerability there is not much in the way of ‘indicators or compromise’ for ICS-CERT to share beyond data logging and analysis. While database owners should be doing this anyway (but I suspect very few do), I doubt that this advisory will have much direct effect on the problem in the short run. Hopefully Navis will get an update out quickly and will actively push it to their customers.

Tuesday, August 16, 2016

PHMSA Clarifies Pipeline Safety Terms

Today the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a safety advisory in the Federal Register (81 FR 54512-54514) clarifying terminology used to describe the operational status of pipelines and identifying the regulatory requirements operators must follow for the abandonment of pipelines. PHMSA was directed to take this action by Congress via Section 23 of PIPES Act of 2016 (PL 114-183).

As a result of a number of incidents where releases of natural gas or hazardous liquids resulted from inadequate maintenance of pipelines that were not active service PHMSA is issuing this safety advisory to remind pipeline operators that PHMSA only recognizes two types of pipeline status; active and abandoned. To be classified as abandoned the pipelines have to meet all of the standards under  49 CFR 192.727 (gas pipelines) 49 CFR 195.402(c)(10) (hazardous liquid pipelines). All pipelines not meeting the regulatory standards for being abandoned, must comply with all pipeline safety regulation requirements.


PHMSA is considering a rulemaking action addressing permissible deferred pipeline maintenance activities on pipeline segments that have not been abandoned, but that have been emptied and purged. Pending completion of that rulemaking, pipeline operators that intend to defer such activities on this type of idled pipeline should coordinate with PHMSA first.

Sunday, August 14, 2016

PHMSA Publishes Direct FAST Act Rule

The DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a direct final rule in the Federal Register (81 FR 53935-53957) implementing the Congressionally directed changes to the rules concerning the transportation of flammable liquids by rail. Congress mandated these changes in Title VII of the Fixing America’s Surface Transportation (FAST) Act of 2015 (HR 22 – PL 114-94).

NOTE: This rule was approved by OMB back on July 29th. The two-week delay in publishing this rule indicates that the Administration is apparently doing an extra level of political approval of rule publication in trying to avoid charges of midnight rulemaking in the last six months of its tenure.

This rule implements the following Congressional mandates:

• Changes to the DOT 111 Retrofit Schedule (FAST Act §7304);
• DOT 117 and DOT 117R Thermal Protection Blanket (FAST Act §7305); and
• DOT 117R Top Fittings Protection (FAST Act §7306);

The main change in this rule is that it implements the FAST Act requirement that mandated a commodity-specific phase-out of all DOT-111 tank cars used to transport Class 3 flammable liquids. The rule implements the mandate that the phase-out proceeds regardless of train composition and requires that all tank cars used to transport Class 3 flammable liquids meet the DOT-117, DOT-117P, or DOT-117R requirements. The new phase-out dates are based upon commodities (crude oil, ethanol, and by packing group by all other flammable liquids). The new phase-out dates for crude oil and ethanol generally reflect the original phase out dates for Packing Group I and Packing Group II respectively.


The effective date for this rule is August 15th, 2016.

Thursday, August 11, 2016

ICS-CERT Publishes Rockwell Advisory

Today the DHS ICS-CERT published an industrial control system security advisory for the Rockwell Automation MicroLogix 1400 programmable logic controllers (PLC). The advisory describes an execution with unnecessary privileges vulnerability in the PLC due to the use of the Simple Network Management Protocol (SNMP) to manage the product’s firmware, including the capability of applying firmware updates to the product.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to make unauthorized changes to the product’s configuration, including firmware updates.

ICS-CERT reports that due to the nature of this product’s firmware update process, this capability cannot be removed from the product. The advisory provides a series of mitigating measures to reduce risk of this capability being used by a malicious actor.

Important Question – What other ICS devices use the same SNMP protocol?

DHS Issues IED Precursor Study Notice

Today the DHS Infrastructure Security Compliance Division posted a brief notice on the CFATS Knowledge Center about a new study that DHS has contracted with the National Academies of Sciences, Engineering, and Medicine to perform. The Academies will produce a report entitled “Reducing the Threat of Improvised Explosive Device Attacks by Restricting Access to Chemical Explosive Precursors” as a result of this study.

Background


The notice describes the study this way:

“Under the oversight of the Board on Chemical Sciences and Technology at the Academies, an ad hoc committee will identify and prioritize a list of chemicals that have been used either in the U.S. or internationally or are susceptible for use in IEDs, analyze how the priority chemicals move through commercial supply chains, assess existing control measures for the priority chemicals, and suggest controls that might be effective for a voluntary or regulatory strategy.”

Part of the reason for this study is the problem that ISCD is having in establishing a cost-effective regulatory strategy for the Ammonium Nitrate Security Program that the Department was directed to implement by Congress. While ammonium nitrate is the improvised explosive device precursor that is best known by the general public, there are a number of other chemicals that have been used frequently by ‘modern’ terrorists in preparing IEDs. Among the most common are chemicals like hydrogen peroxide, acetone and nitric acid.

The CFATS program tried to address these IED precursor chemicals in their list of DHS Chemical of Interest (COI; Appendix A to 6 CFR 27), but there has not been an effective, formal study of what chemicals could be (and have been) used to make effective IEDs and what types of cost effective controls could be used to restrict access to those chemicals by terrorists. The point of this study is to fill that knowledge gap.

The Study


The notice describes the conduct of the study this way:

“A committee of approximately 14 experts from chemical and engineering disciplines will be appointed by the Academies drawing members from the academic, industrial, and national lab sectors. Expertise on the committee will include the following areas: chemistry, energetic materials, commercial supply chain operations, security, and law enforcement.”

The Academies have already established a web site to support the study. That web page provides a little more detail on how the ad hoc committee will approach this task. They provide a basic five step study process:

1. Review the available literature and data, both U.S. and international, to identify and list chemicals that have been used either in the U.S. or internationally or are susceptible for use in IEDs. For chemicals found to be currently used in IEDs, identify these chemicals in order of the most widely used to the least used.
2. For each of the listed chemicals, analyze how the chemical moves through commercial supply chains. Assess the vulnerabilities and weaknesses of the supply chains with respect to susceptibility to theft and diversion of the chemical.
3. Using the information obtained in Steps 1 and 2 to develop a priority ranking of chemicals to consider for control and discuss the criteria used.
4. Describe and assess existing control measures, both in the U.S. and internationally, for the priority chemicals, including vulnerabilities in the existing framework of voluntary and regulatory controls.
5. Suggest controls that might be effective for a voluntary or regulatory strategy and discuss the tradeoffs between factors such as economics, cost, security, and impact on commerce.

Call for Nominations


The Committee will consist of approximately 14 individuals that will be appointed by the Academies. The individuals will come from the following disciplines:

• Chemistry;
• Energetic materials;  
• Commercial supply chain operations;
• Security; and
• Law enforcement


The Academies are soliciting nominations to serve on the Committee. Nominations should be submitted by August 22, 2016.

Tuesday, August 9, 2016

OMB Approves NARA CUI Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the final rule from the National Archives and Records Administration (NARA) concerning the administration of the various Federal Controlled Unclassified Information (CUI) programs. The final rule was submitted to OIRA back in October of last year. The notice of proposed rulemaking (NPRM) was published in May, 2015 and I did a series of blog posts on the provisions of that NPRM.

This rulemaking is mainly targeted at protecting CUI on government and contractor IT systems. It is expected that it will require the implementation of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, as the IT security standard for contractors and other non-government organization that are required to protect CUI.

Readers of this blog will be interested in this rule making because of its potential effects on the following CUI programs:



I expect that the final rule will be published in the Federal Register later this week.

NOTE: Corrected SSI program link - 08-10-16 21:30 EDT

Friday, August 5, 2016

ISCD Updates CFATS Fact Sheet – 08-05-16

Today the DHS Infrastructure Security Compliance Division (ISCD) published their latest monthly update of their CFATS Fact Sheet, outlining the state of implementation of the site security plan (SSP) portion of the Chemical Facility Anti-Terrorism Standards (CFATS). The report shows continued increases in the number of approved SSPs and compliance inspections completed.


June 2016
July 2016
August
2016
Covered Facilities
2,999
2,991
2,984
Authorized SSPs
3,370
3,390
3,410
Approved SSPs
2,562
2,595
2,645
Compliance Inspections
958
1,079
1,177

The report would seem to indicate that there are only 339 site security plans remaining to be approved, but because of the way that ISCD continues to report more authorized SSPs than there are facilities remaining in the program, there is no way of knowing how many more approvals we are expecting to see.


More disturbing is the continuing refusal of ISCD to report on the number of compliance inspections that are passed or failed. The last time that numbers were publicly available, the GAO reported that the failure rate for compliance inspections was very high, calling into question the efficacy of the CFATS program in its effort to help high-risk chemical facilities protect themselves from potential terrorist attacks.

DHS Announces ISAO SO Meeting – 8-31-18

Today DHS published a meeting notice in the Federal Register (81 FR 51925-51926) for a two-day meeting of the Information Sharing and Analysis Organization (ISAO) Standards Organization (SO) on August 31st, 2016 in Tysons, VA. The notice also includes a request for comments on the latest drafts of ISAO 100-1, Guidelines for Establishing an ISAO V0.1, and ISAO 600-1, U.S. Government Relations, Programs, and Services V0.4 (SWG6). The meeting will be available on-line (not mentioned in the FR notice). Only the September 1st meeting will be open to the public (again, not mentioned in the FR notice).

The agenda for the meeting includes:

• An in-depth public discussion of ISAO 100-1 and ISAO 600-1.
• The State of the Ecosystem from the ISAO SO: “Where We Are and Where We’re Going” and “How We’ll Get There”.
• A special meeting of emerging ISAOs.
• Panel discussions from industry experts and thought leaders on ISAO Services and Capabilities, and Building an ISAO.


Comments are being solicited on the two draft documents. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2015-0017). Apparently through some sort of administrative snafu the deadline for comments is today; an exceedingly short deadline (SARCASM). A request for comments was posted on the ISAO-SO web site on Wednesday, though there was a blog post made about the new documents last Friday. Even if the community were watching this site closely (I have not been) a week’s notice for a request for comments is ludicrously short and ill advised. The ISAO-SO should extend the comment period at least through the 26th of this month, but even that is way too short to get carefully vetted corporate comments.

A copy of this blog post was submitted as a comment to the ISAO-SO on 8-5-16, 10:00 EDT.

S 3187 Introduced – Rail Hazmat Safety

Last month Sen. Merkley (D,OR) introduced S 3187, the Mandate Oil Spill Investigations and Emergency Rules (MOSIER) Act of 2016. The naming of the bill makes it clear that it was introduced in response to the crude oil train derailment near Mosier, OR in June of this year. The bill addresses rail hazmat investigations, emergency orders and a crude oil volatility standard.

NTSB and Hazmat Spills


Section 2 of the bill amends the NTSB authorization language in 49 USC 1118. It increases the funding authorization of the bill from the latest value (FY 2008, $92,625,000) to $108 million per year for 2018 thru 2020. Of that amount $2 million would specifically be set aside for “the costs associated with carrying out railroad accident investigations and investigations of significant railroad incident” {new §1118(a)(3)}.

Section 3 of the bill would amend the NTSB’s authorization to conduct transportation accident investigations under 49 USC 1131 to specifically require investigations of railroad accidents that involve “a significant release of hazardous materials into the environment within a close proximity to communities, personal property, or critical landscapes” {revised §1131(a)(1)(c)}.

Emergency Orders


Section 4 of the bill would expand the explicit authority of the Secretary of Transportation to issue emergency orders by adding the words “or reoccurring situation” to the description of when the Secretary may issue an emergency order under 49 USC 20104.

Crude Oil Volatility


Section 5 of the bill would require the Secretary to establish, within 90 days of the passage of the bill, “a national standard for the maximum volatility of crude oil to be permitted to be shipped by rail based on the safest practicable standard” {new §20154, Note: that section number is already taken, it should have been §20168}.

Moving Forward


Neither Merkley nor his co-sponsor, Sen. Wyden (D,OR), are members of the Senate Commerce, Science and Transportation Committee, the committee to which the bill was assigned for consideration. This means that the bill is unlikely to be considered in that Committee, especially considering how late we are in the session.

Even if the bill were to make it out of committee it would not make it to the floor of the Senate for consideration due to the expected opposition to the imposition of a volatility standard.

Commentary


This bill is certainly more of a political ploy to gain points with (and monetary support from) the voters back home in Oregon than a real attempt to have an effect on the safe transportation of crude oil. The naming of the bill makes that perfectly clear.


The NTSB authorization language is another dead giveaway that neither Senator had any intention of this bill being considered in Committee. Federal agency authorization bills are always written by senior members of the committee with oversight authority. Attempting to usurp that power and prestige is a sure way to get a bill buried and forgotten.

Thursday, August 4, 2016

ICS-CERT Publishes FY 2015 Assessment Report

Today the DHS ICS-CERT published a report that looks at the results of 112 formal assessments that ICS-CERT conducted of industrial control systems during FY 2015. These assessments were conducted using the ICS-CERT’s Cybersecurity Evaluation Tool (CSET, 38 facilitated assessments), the Design Architecture Review (DAR, 46 assessments), and the Network Architecture Validation and Verification (NAVV, 28 assessments).

The report provides the following snap shot of the assessments conducted in FY 2015 (pg 1):

• ICS-CERT conducted 112 assessments in FY 2015, including 38 facilitated CSET®, 46 DAR, and 28 NAVV assessments.
• There were 638 weaknesses identified through DAR and NAVV assessments.
• The top six categories represented 36 percent of all weaknesses.
• Boundary protection was the most commonly identified area of weakness in both FY 2014 and FY 2015.
• Weaknesses related to boundary protection and least functionality represented 21 percent of all discovered weaknesses.
• Key trends included pervasive issues related to virtual machines, remote access, virtual local area network (VLAN) use, bring your own device (BYOD) risks, use of cloud services, and ICS network monitoring.

While the report draws some interesting conclusions about the most common cybersecurity weaknesses found in these assessments, it is very difficult to determine how these weaknesses apply to the total control system environment in the United States. The small number of facilities assessed, the fact that they were self-selected (the facilities requested ICS-CERT assessments), and the lack of information about facility size, type of control system (DCS, SCADA, etc), or the extent of support the facilities had from internal or contract cybersecurity personnel in setting up the security of their control systems all make it very difficult to draw wider conclusions about the results of these assessments.

The other problem with this report is that we are not even sure that there were 112 separate facilities included in the assessments. The very real possibility that facilities may have had ICS-CERT conduct combinations of assessments could seriously reduce the actual number of facilities involved in the study.


Having said all of that, I think that control system security personnel (professional or the untrained grunts on the frontline) should probably read this 25-page document. Addressing the most common problems identified in these assessments will not necessarily make the associated industrial control systems secure, but they will provide a good starting point for making facilities more secure.

HR 5762 Introduced – Rail Hazmat Safety

Last month Rep. Bonamici (D,OR) introduced HR 5762, the Hazardous Materials Rail Transportation Safety Improvement Act of 2016. The bill provides a number of measures designed to increase the safety of liquid hazardous material transportation by rail.

The bill includes four separate titles:

• Creation and Funding of Hazardous Liquids Rail Spill Liability Account;
• Preparedness;
• Data Collection; and
• Authorization of Appropriations

Hazardous Liquids Rail Spill Liability Account


Title I of the bill would amend 26 USC 9509 to create a Hazardous Liquids Rail Spill Liability Account within the Oil Spill Liability Trust Fund (OSLTF). The account would be used to fund Federal responses to oil and other liquid hazmat discharges resulting from accidents related to rail transportation of liquid hazardous materials. The account would also be used to fund various requirements of this bill.

Monies deposited in this account would come from deposits made to the OSLTF due to rail transportation incidents resulting from:

• Damages to natural resources which are required to be deposited in the Fund under 33 USC 2706(f);
• Amounts recovered by the Trust Fund under §2715; and
• Any penalty paid pursuant to 33 USC 1319(c) or §1321.

Additionally, §103 of the bill would add monies to the Account from fees established on the use of DOT 111 and CPC 1232 railcars for the transportation of hazardous flammable liquids. The fees would increase from an initial $175 per shipment in 2016 to a maximum of $1400 per shipment in 2018. The shipper would be required to pay these fees.

Preparedness


Title II of the bill address actions to be taken by the DOT to enhance potential responses to accidents related to the rail transportation of liquid hazardous materials. These actions include training of local first responders and implementation of a number of NTSB recommendations related to rail hazmat preparedness.

DOT would be required to add training standards for responding “to an accident or incident involving trains transporting at least 20 tank cars of flammable liquids or gases” {new §5115(b)(1)(B)} to the existing requirements of 49 USC 5115. Additionally, the DOT would be required to include planning and training for “to accidents and incidents involving trains transporting at least 20 tank cars of flammable liquids or gases” {new §5116(a)(1)(E)} to the allowable uses for grants under 49 USC 5116.

Section 204 of the bill would require DOT to implement the following National Transportation Safety Board (NTSB) recommendations:

R–07–002, dated April 25, 2007, relating to real-time information regarding the identity and location of all hazardous materials on a train:
R–14–014, dated August 22, 2014 (relating to railroads providing communities and States with current commodity flow data and assisting with development of emergency operation and response plans;
R–14–018, dated August 22, 2014 (relating to ensuring that emergency response information carried by train crews is consistent with the Emergency Response Guidebook;
R–14–075 and R–14–076, dated December 30, 2014 (relating to allowable limits for track conditions; and
R–14–019, dated August 22, 2014 (relating to developing, implementing and periodically evaluating requirements for railroads that transport hazardous materials to conduct public education programs for communities along railroad hazardous materials routes.

Data Collection


Title III of the bill requires the Department of Transportation and the Department of Commerce (for the Census study) to conduct four studies, each with a mandated report to Congress. Those studies involve:

• National flammable rail fire preparedness survey (§301);
• Hazardous materials railcar census (§302);
• Energy train data collection (§303); and
• Train length study.

Authorization


Title IV of the bill provides authorization for spending to support some of the requirements of this bill. The authorizations include:

• High hazard rail shipments preparedness and training grants - $15 million per year for 2016, 2017, and 2018 {§401(a)};
• Track relocation and railroad inspection safety grants - $25 million per year for 2016, 2017, 2018, and 2019 {§401(b)};
• Data collection funding - $5 million for each of the three non-census studies mentioned above {§401(c)}; and
• Federal spill response funding under 42 USC 9604 (CERCLA) for flammable liquids and gasses rail-accident related spills - $100 million {§401(d)};

Moving Forward



Bonamici is not a member of any of the four committees to which this bill was referred for consideration. This means that it is unlikely that any of these committees will consider the bill. If the bill were to make it out of committee to be considered by the whole House, the bill would almost certainly be opposed by most of the Republican (and some Democratic) members of the House because of the additional spending authorized by the bill and the fees being required for the continued use of DOT 111 and CPC 1232 railcars for flammable liquid transport.

Wednesday, August 3, 2016

PHMSA Publishes HHFT Oil Spill Response Rule

Last week the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice of proposed rulemaking (NPRM) in the Federal Register  (81 FR 50067-50129) concerning oil spill response plans and information sharing for high-hazard flammable trains. The advance notice of proposed rulemaking (ANPRM) for this rulemaking was published in August of 2014.

This rulemaking addresses three general areas:


Oil Spill Response Plans


The current hazardous materials regulations (49 CFR 130) currently requires two types of oil spill response plans (OSRP). The basic OSRP {§130.31(a)} covers any oil shipment in containers of 3,500 gallons or greater. The comprehensive OSRP {§130.31(b)} covers any oil shipment in containers of 42,000 gallons or greater. Since railcars used for transporting crude oil are generally 30,000 gallons, railroads are currently only required to prepare basic OSRPs.

This NPRM proposes to generally re-write Part 130; moving (and expanding) the comprehensive OSRP requirements to a new Subpart C. The changes to the comprehensive OSRP requirements would include:

• Expanding the applicability for comprehensive oil spill response plans to include “Any railroad which transports a single train transporting 20 or more loaded tank cars of liquid petroleum oil in a continuous block or a single train carrying 35 or more loaded tank cars of liquid petroleum oil throughout the train consist” {new §130.101(b)};
• Establishing a general requirement for the overall development of the comprehensive response plan and requires the plan uses the National Incident Management System (NIMS) and Incident Command System (ICS) {new §130.102(a)};
• Establishing a general requirement for the plan format including the development a core plan and the establishment of geographic response zones and accompanying response zone appendixes {new §130.102(b)};
• Establishing requirements for the notification procedures and contact information that a railroad must include in a comprehensive oil spill response plan {new §130.105};
• Establishing requirements for equipment testing and drill procedures consistent with PREP requirements for comprehensive oil spill response plans {new §130.108}; and
• Establishing requirements and procedures to submit comprehensive oil spill response plans for approval to FRA {new §130.111};

Nothing in this rule changes the basic OSRP requirement that the plan is targeted at oil spill containment and recovery. In fact, a new definition is added in §130.5 for ‘Response Activities’ that specifically limits that definition to the “the containment and removal of oil from navigable waters and adjoining shorelines”.

Information Sharing


While information sharing was not included in the ANPRM for this rulemaking, Congress did recently specifically direct DOT to “require each Class I railroad to provide advanced
notification and information on high-hazard flammable trains to each State emergency response commission, consistent with the notification content requirements in Emergency Order Docket No. DOT–OST–2014–0067 [.PDF Download link added]” {§7302(a)(3) of the FAST Act (PL HR 114-94)}.

This NPRM establishes information sharing requirements that expands the notification requirements of the Emergency Order to include all Highly Hazardous Flammable Trains (HHFT) as defined in §171.8. The NPRM would require monthly reports to State and Tribal Emergency Response Commissions (SERC and TERC) that would include:

• A reasonable estimate of the number of HHFTs that the railroad expects to operate each week, through each county within the state or through each tribal jurisdiction;
• The routes over which the HHFTs will operate;
• A description of the hazardous material being transported and all applicable emergency response information required by subparts C [Shipping Papers] and G [Emergency Response Information] of part 172; at least one point of contact at the railroad (including name, title, phone number and address) with knowledge of the railroad's transportation of affected trains (referred to as the “HHFT point of contact”); and
• If a route is subject to the comprehensive spill plan requirements, the notification must include a description of the response zones (including counties and states) and contact information for the qualified individual and alternate, as specified under § 130.104(a).

SERCs and TERCs would be required to share the supplied information with “appropriate local authorities, upon request” {new §174.312(a)}. Further dissemination of the information may be restricted upon request by the submitting railroad if the railroad determines that the information may be “security sensitive or proprietary and exempt from public disclosure” {new §174.312(a)(2)(iii)}. The language does not make the information Sensitive Security Information under §1520.5 so the SERC and TERC would be able to make their own decisions as to what State or local regulations applied to the protection of the information.

Initial Boiling Point Test


One of the concerns about shipping crude oil from the Bakken region is that the current standard for classifying the crude oil for shipment may not appropriately address the volatility of the crude oil. Suggestions have been made to include a vapor pressure measurement for use in the classification of crude oil and I have discussed the problems with that sort of measurement.

The current testing process outlined in §173.120 and §173.121 almost certainly allow significant amounts of the light-ends (low molecular weight hydrocarbons). Depending on the concentration of these light-ends, these current test methods could significantly under-state the flammability of the material.

Recognizing this problem, PHMSA and the American Petroleum Institute (API) came up with a best practice (ANSI/API RP 3000) for measuring the flammability of crude oil that includes using ASTM D7900 for determining initial boiling point. This test method, however, is not one of the approved methods for classifying flammable liquids in §173.121. This NPRM would add ASTM D7900 as an acceptable alternative for determining initial boiling point to be used in determining packing groups for Class 3 (flammable liquids) hazardous material.

Public Comments


PHMSA is soliciting public comments on this rule making. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2014-0105). Comments should be submitted by 9-27-16.

Commentary


My major concern with the OSRP section of the NPRM is that it fails to address what is the most publicly acknowledged problem with crude oil transportation by unit trains; the potential for catastrophic fires and explosions resulting from a rail accident and the inability of most local first response agencies to properly deal with this type of catastrophic emergency. Unfortunately, the current OSRP rules are based upon the Clean Water Act provisions that are intended to protect waterways (and drinking water sources) from contamination with crude oil. Until Congress specifically addresses the flammability problems associated with a variety of energy chemicals shipped by unit trains, neither PHMSA, FRA, nor the Coast Guard will be able to address these very real probable consequences of oil spills.

PHMSA took a pass on addressing the issue of confidentiality of HHFT train schedule information by allowing the railroads to claim that the information was either sensitive from a security perspective or confidential business information and then allowing each SERC or TERC to evaluate those claims based upon State and local laws. Again, PHMSA has not really been authorized to make a determination that the information falls within the Sensitive Security Information rules; only TSA is authorized to make that determination. Again this is going to take Congressional action to resolve this problem.

The issue of crude oil testing is a more complex problem. The addition of ASTM D7900 to the list of allowable test methods provides crude oil shippers with a more accurate method of classifying crude oil based upon the initial boiling point. PHMSA has long maintained that shippers are responsible for determining which of the allowed test methods is the most appropriate for classifying the material which they ship. The use of this test should result in upgrading some shipments from Packing Groups II and III and that will result in some increase in safety of those shipments.

What is missing, however, is a more complete discussion of the role of volatility in the fires and explosions seen in a relatively small number of crude oil derailments. Measurement of volatility, alone will not increase safety unless some additional safety measures are required for flammable liquids with higher vapor pressures. For crude oil, that could include a requirement to remove light-ends from the material to reduce vapor pressure before it is offered for shipment.

To be an effective safety tool, any vapor pressure testing is going to have to specifically address protection of samples from vapor loss (sealed sampling devices and sample containers) as well as measuring vapor pressure at multiple temperatures if there is any hope of using the test as an effective tool for predicting the safety consequences of the fluid vapor pressure.


The current NPRM provides a good first step at addressing the transportation safety classification of crude oil. Hopefully PHMSA will continue to look at possible additional changes to test methodology to more completely identify the safety issues associated with crude oil transportation.
 
/* Use this with templates/template-twocol.html */