Bills Introduced – 10-22-19

Yesterday with both the House and Senate in session there were 45 bills introduced. Three of those bills may see further coverage in this blog:

HR 4792 To establish a voluntary program to identify and promote internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes, and for other purposes. Rep. Lieu, Ted [D-CA-33] 

S 2656 A bill to disclose access to election infrastructure by foreign nationals. Sen. Kennedy, John [R-LA] 

S 2664 A bill to establish a voluntary program to identify and promote internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes, and for other purposes. Sen. Markey, Edward J. [D-MA] 

It looks like HR 4792 and S 2664 may be companion bills. See this article here about these bills. As always definitions and other details will be important.

It will be interesting to see how S 2656 deals with the complex attribution issue. I expect a simplistic approach.

1 Advisory Published – 10-22-19

Today he CISA NCCIC-ICS published a control system security advisory for products from Schneider

Schneider Advisory

This advisory describes three vulnerabilities in the Schneider ProClima building and automation control products. The vulnerabilities were reported by Haojun Hou, Kushal Arvind Shah, Fortinet, Yongjun Liu, NSFOCUS, and Telus. Schneider has released a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Code injection - CVE-2019-6823;

• Improper restriction of operations within the bounds of a memory buffer - CVE-2019-6824; and

• Uncontrolled search path element - CVE-2019-6825

NCCIC-ICS reported that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system.

NOTE: According to the Schneider advisory these vulnerabilities were reported on June 11^th, and I briefly reported on them on June 15^th. What NCCIC-ICS is actually addressing is an update to the original advisory that adjusted the CVSS Base Score and Vector for CVE2019-6823 and CVE-2019-6824.

NTIA Software Component Transparency Meeting – 11-18-19

Today the DOC’s National Telecommunications and Information Administration (NTIA) published a meeting notice in the Federal Register (84 FR 56446-56447) for a “Multistakeholder Process on Promoting Software Component Transparency” meeting to be held on November 18^th, 2019 in Washington, DC.

According to the notice:

“The main objectives of the November 18, 2019, meeting are to finalize and identify next steps in this effort, including how progress can be made on extending and refining the basic model, cataloging tooling needs and resources, and promoting awareness and adoption of stakeholder work.”

The Stakeholders and a number of working groups have been conducting meetings on this topic since the first meeting was announced in 2018. The NTIA Software Component Transparency web page contains detailed information and presentations from those meetings.

The meeting will be open to the public on a first-come seating basis. It does not appear that the meeting will be web cast.

Gas Pipeline Deregulation NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) on “Gas Pipeline Regulatory Reform”.

The Spring 2019 Unified Agenda describes the rulemaking this way:

“This rulemaking would amend the Pipeline Safety Regulations to adopt a number of actions that ease regulatory burdens on the construction and operation of gas transmission, gas distribution and gas gathering pipeline systems. These amendments include regulatory relief actions identified by internal agency review, existing petitions for rulemaking, and public comments on the Department of Transportation Regulatory Review and Transportation Infrastructure notices.”

This rulemaking was initiated by the Trump Administration; first appearing in the Spring 2018 Unified Agenda.

Committee Hearings – Week of 10-20-19

This week with both the House and Senate in session the big news is impeachment or spending. There are two House hearings of potential interest; cybersecurity threats and a homeland security markup hearing.

Cybersecurity Threats

On Tuesday the Cybersecurity, Infrastructure Protection, and Innovation Subcommittee of the House Homeland Security Committee will hold a hearing, “Preparing for the Future: An Assessment of Emerging Cyber Threats”. The witness list includes:

• Ben Buchanan, Georgetown University;

• Ken Durbin, Symantec Corporation;

• Niloofar Razi Howe, New America; and

• Robert Knake, The Council on Foreign Relations

Homeland Security Markup

On Wednesday the House Homeland Security Committee will hold a markup hearing looking at a dozen bills. Bills of interest include:

• HR 3787, the DHS Countering Unmanned Aircraft Systems Coordinator Act; and

• HR 4402, the Inland Waters Security Review Act

On the Floor

Last week Sen. McConnel (R,KY) announced that the Senate would try to take up two spending bills this week; HR 3055 and HR 2740. Neither of these minibus spending bills will be considered as passed in the House. No amendments were filed last week, so it is not clear exactly what language will be included in the bill as there was significant Democratic opposition to the bills that came out of the Senate Appropriations Committee. But then again, there is no guarantee that either bill will actually be considered. Politics is getting increasingly iffy.

CFATS and a Small-Town Road Closure

It is not often that security measures under the Chemical Facility Anti-Terrorism Standards (CFATS) program make the newspaper, but they did this week in the El Dorado News-Times in El Dorado, AR. The issue was a meeting of the Union County Quorum Court where the owner of a local oil refinery was asking the County to close a portion of a public road that runs through the refinery. The owner cited the CFATS program as the reason that the road needed to be closed. According to the article:

“Ratcliff [lawyer representing the refinery] said safety standards imposed by the United States Department of Homeland Security in response to the Sept. 11, 2001 attacks on the United States are not able to be met by Lion Oil/Delek because the road is open.”

The author of the article noted that Ratcliff was referring to the CFATS program.

Security Issues

Looking at the Satellite view from Google Maps® it is easy to see what ‘security issues’ come into play with this public road. First it divides the large storage tank farm on the west side of the refinery in two. It also divides a flammable gas storage tank area just north of the larger tank farm. And many of the storage tanks (liquid and gas) are well within the blast radius of a reasonably sized vehicle-borne explosive device. There is also a tank-wagon marshalling area and a tank-wagon loading area along the road.

It is hard to tell what chemicals are stored in the large tank farm, but, given that this is a petrochemical refinery, I would reasonably assume that most of the tanks contain some sort of flammable hydrocarbon. The horizontal pressure tanks on either side of the tank farm contain some sort of flammable gas; the give away is the ‘4’ in the upper diamond on the hazard placard on the tanks.

CFATS Considerations

Neither of these tank farms are very close to any residential areas or schools. There are two small churches that the refinery is using to define the road closure limits, but I doubt that either attracts more than a couple hundred parishioners at most. What that means is that the Infrastructure Security Compliance Division (the CISA group that administers the CFATS program) probably bases their high-risk determination for this refinery on the close proximity of the operations area of the facility further to the East to residential areas of El Dorado.

ISCD give facilities a great deal of leeway in defining facility boundaries for the purposes of determining what is a covered facility. There might be a chance that, if the refinery were to be divided into two parts with the boundary between them being the creek that runs north-south through the facility, the western potion of the facility that includes Hinson Road (the road being proposed to be closed) might not be determined to be a high-risk facility and thus out of the scope of the CFATS program.

Similarly, if the western half of the facility were to be determined to be a high-risk facility, the facility could manage the large tank farm in such a way that the three tanks closest to Hanson Road would not be used for storage of chemicals that were on the list of DHS chemicals of interest (COI). This would allow the facility to exclude those three tanks from the restricted-access portion of the facility. This would leave just the flammable-gas tanks as areas of concern along the road. Security measures could be designed to specifically protect those tanks from VBIED attacks.

CFATS and RBPS Guidance

The author of the article about the situation made note about the “Dept. of Homeland Security’s Chemical Facility Anti-Terrorism Standards Risk-Based Performance Standards. She picked up on the following repetitive statement in that guidance document:

“Note: This document is a “guidance document” and does not establish any legally enforceable requirements. All security measures, practices, and metrics contained herein simply are possible, nonexclusive examples for facilities to consider as part of their overall strategy to address the risk-based performance standards under the Chemical Facility Anti-Terrorism Standards and are not prerequisites to regulatory compliance.”

What most people who have not worked with the CFATS program do not understand is that the CFATS regulations (6 CFR 27.230) set 12 broadly worded risk-based performance standards (RBPS). The guidance document provides information about how facilities can meet those broad requirements. The facility and ISCD reach an understanding about what the facility will include in its site security plan (SSP) to meet the statutory requirements for that particular facility; each facility would have its own unique methods to deal with the specific security situation at that facility. Once that SSP is approved by ISCD, the requirements of that SSP are the regulatory requirements for that facility.

Public Decisions and CVI

The big problem for the refinery going forward with the road closure process is providing enough information about their security issues to the County without running afoul of the restrictions on sharing Chemical-terrorism Vulnerability Information (CVI). Security information about CFATS covered facilities are considered to be controlled unclassified information (CUI) with specific rules about how that information can be shared with local government officials; for CVI that includes requiring individuals that are being given access to have completed on-line training in how to protect CVI information.

The County rules, in this case, requiring a 3-person panel to review the information for a contested road closure seem well suited to the CVI requirements. The three people assigned to the panel could take the relatively brief training and then receive the security information from the refinery’s lawyer to consider in the road closure petition. They could then make their recommendation without including any of the specific security information.

The big problem with that is that the 3-member panel is supposed to hold public hearings to get both sides of the issue. The public is specifically excluded from having access to CVI so the refinery would be required to make their arguments without providing any of the pertinent security information. Those sanitized arguments may be inadequate to support the request.

Commentary

I would be very surprised if a large refinery were just starting the CFATS process, but I suppose that it could happen. If the facility has not yet had its SSP authorized, there are still alternatives available to closing the road through the facility. I have discussed some of them above, but there are other, probably more expensive, security measures that could be employed that would obviate the need for the road closure.

If the facility SSP has been authorized, it would seem that the facility had included as a proposed security measure the closure of the road. If that is the case the facility made a commitment to ISCD that the road would be closed. Failure to get the County to effect the closure would require the facility to renegotiate their SSP; ISCD would be upset, but I suspect that they would understand that the facility had no control over the actions of the County government.

What I suspect is happening is that the original facility SSP was negotiated by the previous owners and authorized and subsequently approved by ISCD. It would have included some expensive planned compensating controls to allow the road to remain open. Those controls would have been proposed because the owners knew that getting the County to close the road was going to be difficult at best. The new owners have no desire to spend the money necessary to implement the controls. ISCD would be in the process of threatening noncompliance sanctions and the new owners are trying hard to get the financially easier security measures in place as an ‘appropriate response’ to the non-compliance actions.

It will be interesting to see how this turns out.

CG Cybersecurity at MTSA Facilities Guidance to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs reported that it had received from the Coast Guard a guidance document, “Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities”, for review. As with most guidance documents there is no related description of this document in the Spring 2019 Unified Agenda.