Wednesday, January 22, 2020

S 3175 Introduced – Smart Transportation


Earlier this month Sen. Cortez-Masto introduced S 3175, the Smart Transportation Advancement and Transition (STAT) Act. The bill would amend 23 USC 512 (Note, §5305) and require changes to the DOT’s Intelligent Transportation Systems (ITS) program to improve the “development of local smart communities”. There is one minor mention of cybersecurity in the bill.

Amendment


Section 2 of the bill would make amendments to §5305(h) in the note to §512, revising provisions for the establishment of an ITS program Advisory Committee. It would modify and expand the membership of the Committee and revise the duties of the Committee.

New Requirements


Section 4 of the bill would require DOT to develop a resource guide “to assist States and local communities in developing and implementing intelligent transportation technology or smart community transportation programs” {§4(b)}. The guide would be updated at least every three years.

Section 5 would require the identification and development of various ITS workforce development efforts. This would include designating “not less than 10 consortia of public institutions of higher education as a ‘Center of Excellence in Advanced Transportation Workforce Training’” {§5(e)(1)}. It is in the ‘Education and Training Requirements’ portion of §5(e) that we find the bare mention of the term ‘cybersecurity’ {§5(e)(3)(F)}.

Moving Forward


Cortez-Masto is not a member of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. This means that it is unlikely that the bill will receive consideration in that Committee. The only provision in the bill that would engender any opposition is the $10 million annual grant authorization in §5(f)(7). It is not a lot of money, but it would have to come from somewhere.

Commentary


I continue to be amazed at the lack of congressional concern with cybersecurity issues in the ITS field. Any networked, cyber-enabled system that is designed to increase the efficiency of transportation networks is going to be a complicated amalgam of information technology and control system technology from a wide variety of vendors, owners and operators. The communications requirements for these systems ensure that they will be a major target for wide-spread ransomware attacks.

This bill is certainly not the best place to address this issue, but we could start by making the following changes:

On page 5, line 12 {revised §5305(h)(2)(A)(iii)} insert:

“(XIX) an automotive control system cybersecurity expert with knowledge of intelligent transportation system communications;”

On page 7, line 16 {revised §5305(h)(3)(B)} insert:

“(vi) how the Department is working to ensure the development of cybersecurity processes and protocols to prevent cyber-attacks on ITS components;”

On page 11, line 17 {§4(c)} insert:

“(4) cybersecurity best practices and lessons learned from smart community transportation demonstration projects, including information on inter-component communications security;”

On page 18, line 5 {§5(e)(3)(F)}, after “cybersecurity” insert:

“, including security of systems communications protocols:”

On page, line 25 {§5(f)(1)} insert:

“(C) the development of a cybersecurity workforce skilled in various types of intelligent transportation technologies, components, infrastructure, and equipment.”

Tuesday, January 21, 2020

1 Advisory Published – 1-21-20

Today the CISA NCCIC-ICS published a control system security advisory for products from Honeywell.

Honeywell Advisory


This advisory describes two vulnerabilities in the Honeywell MAXPRO VMS and NVR video management systems. The vulnerabilities were reported by Joachim Kerschbaumer. Honeywell has updates that mitigate the vulnerabilities. There is no indication that Kerschbaumer has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Deserialization of untrusted data - CVE-2020-6959; and
• SQL injection - CVE-2020-6960

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow elevation of privileges, cause a denial-of-service condition, or allow unauthenticated remote code execution.

Comments on CSB Spill Reporting NPRM


Last Monday the comment period closed on the Chemical Safety Board’s (CSB) notice of proposed rulemaking (NPRM) for “Accidental Release Reporting”. The CSB did not allow the Federal eRulemaking Portal to publish any of the comments until the comment period was closed. A total of 48 comments were reported as being submitted.

The number is certainly higher than that because the comments I submitted (comment tracking # 11kk33--99duee--jj77559) have not yet been posted to the Docket and it was almost certainly one of the first comments posted. I also posted a portion of those comments to the OMB’s Office of Information and Regulatory Affairs as a comment about the information collection request (ICR) included in the NPRM.

There was no evidence of any letter writing campaigns associated with this rulemaking. Instead of listing all of the agencies, corporate entities and organizations that commented on this NPRM, I will list only the ones that I have referenced in this blog post. Many of the comments duplicate portions of other submissions, so only the first response that I see making a given point will receive recognition for the information here. NOTE: all links in this list are .PDF download links.

Air Alliance Houston, et al (AAH);
AFL-CIO, et al (AFL);

Extremely Hazardous Substance


USBSA noted that the term ‘extremely hazardous substance’ is undefined and unnecessarily broadens the reporting requirements. EEANY recommends using the definition “found in 40 CFR 355 [presumably §355.61] (including Appendix A and B)”.

REGFORM recommends that: “The definition should also make clear that consequences arising from the physical nature of the substance (e.g., temperature, mass, abrasive qualities) are not reportable.”

Overly Broad Definitions


USBSA notes that the definition of ‘serious injury’ is taken from the OSHA record keeping requirements [quoted 29 CFR 1904, but apparently referring to 29 CFR 1904.7(b)(vi)], not the OSHA reporting requirements [quoted 29 CFR 1904.39, but that only applies to “fatalities, hospitalizations, amputations, and losses of an eye”].

TCI suggested that “the reporting criteria better align with internal criteria CSB uses to deploy investigative teams”. This would be accomplished by removing “‘medical treatment beyond first aid’ and ‘any injury or illness’ bullets” from the proposed §1604.2.

ACC recommends excluding “business interruption costs as a criterion for accident reporting under the rule”.

AFPA notes: “The proposed rule apparently would require a direct report to the CSB in situations where the CSB would require a report and a report to the NRC is not required by other laws.”

In reference to the definition of ‘ambient air’ in the proposed §1604.2 including ‘the atmosphere inside or outside a stationary source’ AFPA notes: “Congress made it clear in §112(r)(6)(E) of the CAA that the CSB was to conduct its activities in a way that minimizes duplication of activities conducted by OSHA”.

ISRI recommends that “The CSB must clarify that an explosion is not per se an “accidental release”, whether in the preamble of the final rule or by regulatory language.”

In order to reduce regulatory redundancy, ISRI recommends that: “The CSB needs to remove “death” from the proposed definition of “serious injury”.”

Duplicative Reporting Requirements


USBSA notes that the rulemaking will require a duplicative reporting requirement if the incident requires reporting to OSHA under 29 CFR 1904.39.

TFI recommends that CSB “utilize the NRC reporting platform to satisfy the court mandate” instead of setting up a separate reporting process. Further, TAA recommends changing the NRC identification number language in the proposed §1604.3(b) to read:

“the CSB reporting requirements are satisfied by submission of the report to the NRC as upon receipt of the report, the NRC will provide the report’s NRC identification number to the CSB”

ORC HSE makes the point that:

“Finally, the CSB clearly does not have the resources needed to utilize the flood of information that they would receive from the submissions required by the proposal, nor is it likely that the Agency would receive sufficient additional resources any time in the foreseeable future.”

EEANY recommends that:

“A single reporting call-in center (at a minimum to satisfy federal requirements) that alerts all necessary authorities using a standardized template for data collection and serves to satisfy all of the existing reporting authorities is suggested, perhaps by making changes to the National Response Center system.”

Reporting Window


TCI recommends extending the proposed ‘4-hour’ reporting requirement to ‘12-hour’ to allow for instances where the organization may not be cognizant of a covered incident because an employee seeks medical attention after leaving work. ACC recommends using the OSHA 8-hour and 24-hour reporting requirements of §1904.39.

Needed Definitions


TCI requests a definition of the term ‘evacuation’ used in the rule; should it cover ‘shelter-in-place’ or those denied entry into the ‘evacuation area’?

CEC requests a definition of the term ‘facility identifier’; noting that: “If it is referring to a regulatory reporting facility ID, then it is unclear which reporting ID is being referred to, as different agencies have different IDs.”

Expand the Scope of the Rule


AAH has an extended discussion of how the scope of the current rule should be expanded to increase the CSB’s ability to “permit more accurate surveillance of chemical incidents”. They also recommend that the reported data be entered into a publicly searchable database.

AFL recommends including reporting requirements for ‘near misses’.

On-Line Reporting


ISRI recommends that: “The CSB should add to proposed §1604.3(c) an option to report by web-based form established by the CSB.”

Commentary


First off, CSB is going to have a tough time meeting its February 5th court-ordered publication of the final rule on this topic. This was the reason for the short comment period as explained here [.PDF download link] by CSB. I suspect that they may have started formulating the final rule preamble as they were receiving comments; it would be the only hope that they have of meeting the deadline. Unfortunately, they will still have to get through the OMB review process before they can publish their rule.

There seems to be some confusion as to the purpose of this reporting rule (beyond just satisfying a legal requirement), and CSB is at least partially to blame for that confusion. If CSB is intending to utilize these reports to establish a comprehensive database for evaluating the status of chemical incidents (as they proposed in their ANPRM preamble), the more expansive definitions in the NPRM make sense. If the reporting is solely to provide CSB with information with which to decide whether to initiate an investigation, more limited definitions would make more sense given the small agency size and budget.

The one definition that most industry commenters seized upon was the missing definition for the term ‘extremely hazardous substance’. It seems to me that the reason that CSB did not use the EPA definition of that term is that the Board is tasked with providing the Administrator with recommendations for updating the EPA’s list of such substances. This makes an operational rather than a list-based definition of the term more reasonable.

One final comment: the Houston Air Alliance, et al, comment is well worth reading even if it is more than a little adventurous in what it expects to see from any CSB reporting rule. This is what the environmental/safety advocacy community would like to see the CSB tackle, particularly their desire for a publicly searchable database of chemical incidents. Industry observers should carefully read that document to see how reasonable (in comparison) the CSB rule really is.

Sunday, January 19, 2020

Updated NTAS Bulletin – 1-18-20


Yesterday afternoon the DHS Cybersecurity and Infrastructure Security Agency (CISA) published a new Bulletin on their National Terrorism Advisory System (NTAS). The new Bulletin replaces the one issued on January 4th, which expired yesterday at 1:00 pm. While the new Bulletin continues to focus on a potential threat from Iran and its proxies, CISA is apparently expecting a narrowing of the focus of that threat.

Change in Focus


The Bulletin continues to focus on two major potential threats, cyber attacks and direct action by Iranian proxies. In the earlier bulletin CISA made the following comment about the potential for cyberattacks:

“Iran maintains a robust cyber program and can execute cyber attacks (sic) against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”

The new advisory changes that wording to a more focused:

“Iran maintains a robust cyber program and is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States. Based on Iran’s historic homeland and global targeting patterns, the financial services and energy sectors, maritime assets, as well as U.S. Government and symbolic targets represent consistent priorities for Tehran’s malicious operational planning.”

While the chemical sector is not included in the listed potential target list, some chemical facilities could certainly be included in the ‘energy sector’.

Both versions address the potential for direct terrorist attacks in the United States. In the earlier version CISA stated:

“Homegrown Violent Extremists could capitalize on the heightened tensions to launch individual attacks.”

The latest version narrows both the possible agents and targets of terrorist attacks in the US:

“Homegrown Violent Extremists (HVE) sympathetic to Iran could capitalize on the heightened tensions to launch individual attacks, with little or no warning, against U.S.-based Iranian dissidents, Jewish, Israeli, and Saudi individuals as well as against the U.S. Government infrastructure and personnel.”

While not all terrorist attacks employ improvised explosive devices (IED), the potential for such attacks certainly exists. HVEs will probably not have access to weapons supplied by Iran, so they will probably be forced to locally source materials for IEDs. While many IEDs use commercially available chemicals, employing larger devices will necessitate obtaining precursor chemicals from chemical facilities. Facilities maintaining inventories of such chemicals of interest (COI) will need to maintain increased vigilance.

Commentary


One other change between the versions of the Bulletin is just a little bit odd. The earlier version included the comment: “An attack in the homeland may come with little or no warning.” There is no similar phrase in the latest version. This could indicate that CISA feels that the law enforcement community and the intelligence community have a better handle on the identity of potential HVEs. I do not really expect that that is true. Rather, I think that this is a measure of how seriously CISA takes the potential threat.

As more time passes since the assassination of General Qassem Soleimani, it would seem that the threat of additional retaliation measures by Iran and its proxies should decrease. The confounding issue is the increasing dissension in Iran. I believe that there is an increasing possibility of Iran’s proxies increasing pressure on the US to provoke responses (including sanctions) that would allow the current Iranian regime to point to the US as a common enemy to promote unity within Iran.

Saturday, January 18, 2020

LNG by Rail Comments – 1-18-20


Comments continue to be submitted on the PHMSA liquified natural gas by rail NPRM. This week (see note in comments section below) there were a total of 233 comments submitted. I have discussed previous submissions:


As with earlier comments, most submissions were from private citizens with concerns about the safe transportation of LNG. Unfortunately, there is no new information there. The following submissions were more involved and will require PHMSA to address at least some of their comments. NOTE: All links are .PDF download links.

Transportation Division of the International Association of Sheet Metal, Air, Rail, and Transportation Workers (SMART)
New York State DOT/DEC/CHSES (NYS);
Fred Millar (FM) [.DOC download link]

Letter Writing Campaigns


We saw three different approaches to letter writing campaigns this week by environmental/safety advocacy groups. The Clean Air Council submitted 1127 comments under a single docket submission. PennEnvironment apparently (it is no longer on their site) provided a fill-in-the-blank web page to submit separate (and, of course, identical) comments for a large number of supporters. And then there is some anonymous organization (no organizational name on the comments) that provided a cut-and-paste comment for supporters to submit on their own.

Again, none of the above comments provided new information for the consideration of PHMSA. Government organizations do not take into account the number of comments in their review of comments for moving forward on a rulemaking.

Fire Safety


NJL pointed out the historic 1944 Cleveland gas explosion, where an LNG leak entered the sewer system and resulted in a large-area explosion and fire.

NYS points out the need for additional funding for fire fighter and other emergency response personnel training on LNG response requirements.

Other Safety Restrictions


NJL calls for operational limitations similar to those for HHFT, along with BLEVE modeling and a requirement for a non-hazardous buffer car to protect the train crew.

SMART recommends that trains containing LNG “must be restricted to a length that is no longer than the shortest siding in which it is to traverse” to ensure that trains parked on sidings do not interfere with adjacent active tracks.

Other Safety Concerns


SMART makes the following comment about current railroad safety trends:

“And while we agree the likelihood of a rail mishap is low, it should be noted that rail incidents are trending upward as a result of the advent of Precision Scheduled Railroading (PSR) and that with each-and-every derailment that occurs the probability increases with it. In other words, now is not the time to add a high-consequence commodity to a railroad industry whose safety and accident ratios are already trending in a dangerous direction without the proper study and testing performed by the Federal Railroad Administration (FRA) and PHMSA.”

FM has a lengthy discussion about the apparent inadequacies in the safety calculations that were used to support the PHMSA rulemaking.

Other Regulatory Concerns


CBD questions whether PHMSA has adequately consulted the US Fish and Wildlife Service to ensure adequate protections under the Endangered Species Act.

PF has a lengthy discussion about their opinion that PHMSA needs to do a complete Environmental Impact Assessment (EIS) before this rulemaking can move forward.

Commentary


NOTE: I said that there were 233 comments submitted this week. That is more than a little misleading. The dates on the documents indicate that they were all submitted on Monday and Tuesday. PHMSA is probably still reviewing comments before referring them back to the Regulations.gov site for posting. The comment period ends today, but I expect that there will be another large number of comments for me to report on next weekend.

Many of the commenters have expressed concerns about ‘unit trains’ of LNG impacting their communities. While the history of crude oil unit trains certainly suggests that the number and severity of derailments associated with unit trains is much higher than those associated with individual train cars of hazardous materials, it should be remembered that there is only a very small fleet of DOT 113 railcars currently in service, not even enough for a single 100-car unit train. It will be quite some time before the potentially higher-level threat could emerge. Perhaps it would be appropriate for PHMSA to limit train consists to 20 LNG railcars until further safety data can be gathered.

Another thing seen in many of the comments is PHMSA’s failure to take into account the potential for a terrorist attack on LNG rail shipments. First off, security of transportation is not a primary responsibility of PHMSA; the Transportation Security Administration (TSA) has that primary responsibility. We can certainly discuss the inadequacies of the surface transportation security efforts of that agency, but we cannot fairly transfer those responsibilities back to PHMSA in this rulemaking.

Having said that, early readers of this blog will recall that I had significant comments on toxic inhalation hazard (TIH) rail shipments from a security perspective, and I have similar concerns with LNG rail transportation. However, one thing is clear to me: an attack on a single-tank TIH rail car would be easier than an attack on a double-hull cryogenic car. And a successful attack on any 5/8” heat treated steel tank is going to be difficult at best, especially while it is moving.

Derailing a hazmat train (of any composition) is probably going to be the most effective form of terrorist attack, and it would not require a loss-of-cargo result to achieve a terroristic effect. Having a derailed hazmat car sitting in an urban center is going to cause a large enough amount of panic in any case. Slowing traffic through High Threat Urban Areas (HTUA) will make it harder to achieve a high-profile derailment; low speed derailments are a major bother, but they do not look dangerous and seldom result in loss of hazmat cargo.

Public ICS Disclosure – Week of 1-11-20


This week we have three vendor disclosures about the Windows CryptoAPI vulnerability from Philips, GE Health and Rockwell Automation. We also have two other new vendor disclosures from Siemens and Schneider and five updates from the same vendors.

CryptoAPI Spoofing Vulnerability


Philips published an advisory for the Windows CryptoAPI vulnerability. They are currently reviewing the Windows® patch. Do not apply the patch until they say so.

GE Healthcare published an advisory for the Windows CryptoAPI vulnerability. They are currently reviewing the Windows® patch. More to follow.

Rockwell published an advisory for the Windows CryptoAPI vulnerability. They have provided an initial listing of products affected, which can apply the Windows patch, and which will require the development of firmware updates.

Siemens Advisory


Siemens published an advisory describing generic ActiveX vulnerabilities in a variety of their Industrial Products. The vulnerability is self-reported. Siemens provides generic work arounds to mitigate the vulnerability.

COMMENT: I’m sorry but do not waste your time reading this advisory. This is the most incomplete and least actionable advisory that I have ever seen from Siemens.

Schneider Advisory


Schneider published an advisory describing an uncontrolled search path element vulnerability in their MSX Configurator software. The vulnerability was reported by Yongjun Liu of nsfocus. Schneider has a new version that mitigates the vulnerability. There is no indication that Yongjun has been provided an opportunity to verify the efficacy of the fix.

Siemens Updates


Siemens published an update for their advisory on GNU/Linux subsystem vulnerabilities in the SIMATIC S7-1500 CPU products. The advisory was originally published on November 27th, 2018 and most recently updated on November 12th, 2019. Ten new GNU/Linux CVEs were added to the advisory.

Siemens published an update for their advisory on SIPROTEC 5 Ethernet plug-in communication modules and devices. The advisory was originally published on August 2nd, 2019 and most recently updated on December 10th, 2019. The new information included:

• Revised affected version and mitigation links for SIPROTEC 5 devices; and
• Removed DHCP vulnerabilities since no products were affected.

Siemens published an update for their BlueKeep advisory. The advisory was originally published on May 24th, 2019 and most recently updated on July 9th, 2019. The new information includes the availability of a new version that mitigates the vulnerability.

NOTE: This update is automatically ‘covered’ in the latest version of the NCCIC-ICS BlueKeep advisory because the link to this Siemens advisory remains the same.

Schneider Updates


Schneider published an update for their URGENT/11 advisory. The advisory was originally published on August 2nd, 2019 and most recently updated on December 10th, 2019. The new information includes adding mitigation links for:

• Modicon X80 I/O modules;
• Modicon Momentum Unity;
• Nanodac Recorder / Controller (added to affected products);
• SCADAPack 53xE RTUs; and
• Saitel DR with HU_A CPU

Schneider published an update for their DejaBlue advisory. The advisory was originally published on September 24th, 2019 and most recently updated on November 26th, 2019. The new information includes:

• Updated version information for TelevisGO; and
• Updated remediation information for EcoStruxure Foxboro DCS and EcoStruxure Foxboro SCADA

Friday, January 17, 2020

CISA Publishes CFATS Iranian Threat Guidance


Yesterday the Cybersecurity and Infrastructure Security Agency (CISA) published their second “Insights” publication dealing with the increased tensions between the United States and Iran; the newest one deals with “Enhancing Chemical Security During Heightened Geopolitical Tensions”. It is interesting to note that neither of the two Insight documents issued since January 6th specifically mention Iran.

CFATS Coverage


This document was issued by CISA, not by the Infrastructure Security Compliance Division (ISCD), the office in CISA that administers the Chemical Facility Anti-Terrorism Standards (CFATS) program. While not specifically a CFATS document, it does make one very important CFATS announcement:

“As of January 15, 2020, tiered CFATS facilities are not being required to implement the heightened security measures under Risk-Based Performance Standards (RBPS) 13 and 14 of their security plans. CISA is monitoring the intelligence information and will inform high-risk chemical facilities if there are changes that warrant activation of RBPS 13 or 14.”

I covered the RBPS 13 requirements under CFATS a couple of days ago. RBPS 14 covers the requirements for facilities to address new threat information provided to them by DHS. This RBPS envisions potential security issues that may arise that would not be covered by a facility’s Site Security Plan and would require emergency-type planning and actions on the facility’s part to address the new issue.

As of this morning there is no reference to this document in the CFATS Knowledge Center.

Facilities of Interest Coverage


The document makes multiple references to “facilities with chemicals of interest (COI)—whether tiered or untiered”; what 6 USC 21(2) refers to as a ‘facility of interest’. What this means is that the 42,000+ facilities that have submitted Top Screens should probably pay some attention to this non-regulatory publication. And, of course, any other chemical facility that may feel it needs to pay special attention to their security during this ‘time of tension’.

One area where the ‘facilities of interest’ becomes interesting is in the next to last paragraph of the Insight:

“CISA has more than 150 Chemical Security Inspectors (CSI) around the country who are available to assist facilities possessing chemicals of interest, including non-tiered facilities. To request further information, please contact your local CSI. To find out who your local CSI is, please email [CFATS@hq.dhs.gov] the CFATS team the facility name, location, facility point of contact, contact information (i.e., phone and email), and desired meeting dates.”

The offer to make CSI available to non-regulated facilities to provide their advice on chemical facility security matters is impressive, but it is not the first time that this offer has been made. ISCD Director Wulf made the same general offer in his testimony before the House Energy and Commerce Committee last year.

The Document


The two-page document is broken down into three broad categories:

• Things to Do Today;
• Actions for Cybersecurity; and
• Actions for Physical Protection

Each of those categories is broken down into smaller bites with multiple bullet points. It could be made into a rather good PowerPoint® presentation without much effort. This could mean that there is little detail provided, but CISA has dealt with this by adding links at several points to more complete information. Still this is a broad guideline and the help of a security professional (including CSI) would certainly be desirable if a facility is really interested in responding to the increased tensions. At the very least, this provides a good set of talking points for a facility security officer to take up with management.

Commentary


My only major disappointment with this document is the lack of detail about IED precursor chemicals. All of the Iranian-specific documents released this year by the Department highlight the potential IED threat from Hezbollah and other groups associated with Iran and their Revolutionary Guards. I suspect that this lack of specific coverage is due to the fact that the document is not specifically addressing the Iranian-related threat.
