Monday, August 30, 2010

National Dialogue on Preparedness Update 08-30-10

I am providing an update on the National Dialogue on Preparedness today because I added a new Idea to the discussion and thought that I would plug it here so the readers of this blog would have an additional reason to visit the Dialogue before the September 10th closure arrived.


There are currently 173 Ideas posted to the Dialogue with my latest addition. The 518 currently registered users have made 274 comments and have posted 1,949 votes to date. There are a wide variety of both idea topics and idea quality.

Newest Idea

My latest Idea deals with setting up a program to conduct research on disasters right after they happen. This will allow authorities to learn more about the actual consequences of the incident and be able to put that knowledge back into the planning process for future events.

Tracked Ideas

I now have six postings that I am tracking because of their possible interest to the chemical security community (well my last one is of interest only marginally to this community; but it is mine so I’ll track it anyway). My ideas are numbers 1, 3, 4 and 6. The current status is listed below.

Funding Post-Emergency Response Research (1 vote, 0 comments, rank 128)
Update "pre-fire" tours to include "pre-hazmat" considerations (5 votes, 0 comments, rank 63)
HAZMAT Rail Shipment Notifications (-4 vote, 0 comments, rank 166)
TSA Chlorine Dispersion Modeling Study (-1 vote, 0 comments, rank 143)
Bring in the Military (-12 votes, 4 positive comments, rank 175)
Counter-Terrorism Emergency Response Plan - CFATS (9 votes, 0 comments, rank 40)

Encourage Dialogue Participation

Once again, I would like to urge all readers of this blog to participate in this Dialogue. Everyone in this country has a vested interest in ensuring the preparedness of the nation to prevent, respond to, and recover from all sorts of disasters, man-made and natural. If you do nothing more than read and vote on the Ideas that catch your eye while surfing the site, you will have participated in the Dialogue and done at least a small part in increasing the overall level of preparedness.

TSA CDL Hazmat Endorsement ICR Renewal

Today the Transportation Security Administration published a 60-day notice of their intent to seek a renewal of the current information collection request (ICR, 1652-0027) to allow the continued collection of information necessary to complete the TSA's security threat assessment required to issue the hazardous materials endorsement (HME) on a commercial driver's license (CDL).


TSA is changing some of the information that drivers seeking an HME will be required to provide to either State agencies or the TSA to allow for an effective security threat assessment. These changes “will enable the program to better understand and forecast driver retention, transfer rate, and drop-rate to help improve customer service, reduce program costs, and provide comparability with other Federal background checks, including the Transportation Workers Identification Credential (TWIC)” (75 FR 52962).

Public comments need to be submitted by October 29th. Comments may be submitted thru the Federal Rulemaking Portal (Docket # TSA-2003-14610). A subsequent 30-day notice will be published before the renewal request is actually submitted to the Office of Management and Budget (OMB) for their approval of the renewal.

Cybersecurity Legislation

There was an interesting conversation this weekend on the SCADASEC discussion list maintained by Infracritical.com. Bob Radvanovsky initiated the conversation by pointing list members at an article on GovInfoSecurity.com. That article noted the possibility of Congress attaching one or more of the current cybersecurity bills wending their way through the legislative process to some other legislation that had a better chance of being considered and passed before this November’s mid-term elections.


In my contribution I pointed at my recent guest post on DigitalBond.com where I discussed the prospects of the various bills being considered on their own merits before the elections (poor). I also mentioned that there are three bills (HR 4061, S 773 and S 3480) that would be reasonable candidates for being added to a budget bill to ensure their consideration this year. I also noted that none of these really address issues related to industrial control system (ICS) cyber security.

As people in the chemical security community know, all sorts of stuff can get added to budget bills. The CFATS program authorization and the authority for the much anticipated ammonium nitrate regulations (NPRM due this fall?) were both added to Homeland Security spending bills. In this case the GovInfoSecurity.com article mentioned the possibility of some sort of cybersecurity add-on to the DOD spending bill this year.

I think that cybersecurity legislation is a better fit in the Homeland Security budget bill because of the controversy surrounding military control of programs affecting civilian agencies and even perhaps American businesses. This controversy could end up derailing a DOD budget passing before the elections. Unfortunately, it looks like the DHS spending bill might not make it through the system before the fall elections, mainly because the House has yet to even introduce such a bill and all spending bills must originate in the House.

As Readers who have been following this blog for a while well know, I will follow the budget process of any bills that contain significant chemical security related provisions. I would also like to remind Readers that there is a new page on this site (Legislative Status) that provides detailed links to the various bills that could be of interest to our community; including spending bills.

Saturday, August 28, 2010

Legislative Status Update 08-28-10

I just updated the Legislative Status page to add a new category that certainly belongs on the page: FY 2011 Budget Related Bills. Currently there is only one bill listed, S 3607, the Senate version of the DHS spending bill. I will add other departments’ spending bills as I see significant chemical security related provisions added to those bills.

Friday, August 27, 2010

ICS-CERT DLL Vulnerability Alert

This afternoon ICS-CERT published a new cyber security alert on their Control Systems Security Program web site. This brief alert deals with the recently reported Microsoft Dynamic Library Loading Vulnerability and its potential effects on control systems. Not much information in this alert that isn’t covered in other CERT or Microsoft documents on the issue except for this important warning for the control system security:


“Of note to industrial control systems environments is the fact that DLL safe search mode is disabled by default in Windows 2000 Service Pack 4 and Windows XP prior to Service Pack 3. Windows 2000 versions prior to Service Pack 4 do not support DLL safe search mode.”

This is important because many existing control systems are still based on these older versions of Microsoft Windows.

DHS-CERT Stuxnet Mitigation

Late yesterday DHS-CERT posted a new report on their Control Systems Security Program web site that provides information on mitigation efforts for the Stuxnet malware (I really wish someone would come up with a standard term to describe this bugger; malware, Trojan, worm, and virus have all been used by various writers and organizations).


Mitigation Efforts

The ICS-CERT report suggests installing two Microsoft updates (on control systems only after off-line testing has confirmed the safety of the update on the system). The first is the one that Microsoft released earlier this month (MS10-046) specifically for the new vulnerability associated with Stuxnet. They also recommend installing an older Microsoft update (MS08-067; with the same control system caveat), noting that: “Stuxnet malware also references a Microsoft vulnerability that was addressed in MS08-067, although it is not yet clear how this vulnerability is used.” (pg 2)


Other than installing updated anti-virus software or the appropriate updates for existing AV software (with the same control system caveat), the only other advice ICS-CERT provides is: “If Siemens SIMATIC WinCC or STEP 7 software is running on an infected system, then Siemens Customer Support and ICS-CERT should be contacted.” (pg 3) This is probably very solid advice.

New Stuxnet Information

The above recommendations (with the exception of the second MS update) are old news and have been covered extensively in the cyber security press. The new information has little to do with mitigation efforts; it is the reporting about the new discoveries that are being made about Stuxnet that is much more interesting. The Stuxnet summary on the first page should be read by everyone in the industrial control system (ICS) community. I would like to call everyone’s attention to the following quote (pg 1).

“With approximately 4,000 functions, Stuxnet contains as much code as some commercial software products. The complex code is object oriented and employs many programming techniques that demonstrate advanced knowledge in many areas, including the Windows operating system, Microsoft SQL Server, Siemens software, and Siemens PLCs. The malware also employs many advanced anti-analysis techniques that make reverse engineering difficult and time consuming.”

If this doesn’t make ICS managers just a tad bit concerned, I don’t think they are paying attention. This is a sophisticated tool designed to attack industrial control systems. We don’t know where it came from so we don’t know why it is being used. The limited numbers of folks working for ICS-CERT are working on this as are a number of people in the industry. I really think that it is time for ICS-CERT to convene a high-level conference to coordinate the study of this weapon system. We need to know a whole lot more before our systems can be adequately protected.

DHS Chem Sec Training ICR

Today DHS published a 60-day notice of their intention to renew the information collection request (ICR; 1607-0009) that will allow them to continue to collect information for the administration of the Chemical Security Awareness Training Program run by the Sector Specific Agency Executive Management Office in the Office of Infrastructure Protection.

I looked at this training program a couple of years ago and found it to be a very effective training program for general security awareness training at chemical facilities. To continue to operate this on-line training program DHS will need the approval of the Office of Management and Budget (OMB) for this ICR because of the information collection activities that are inherent in the on-line training process. The current ICR will expire on October 31, 2010.

NOTE: It will not be possible to receive OMB approval for this request before the current ICR expires. There will be an additional 30-day notice that must be published in the Federal Register before the OMB can begin their approval process. I suppose that this means that DHS would have to shut down the training program until that approval is received.

No significant changes are being made in the information being submitted in this renewal application as compared to the original application submitted to OMB on July 11, 2007. In fact the only change that I saw was the listing of the total number of chemical sector employees, 850,000 (per 2009 American Chemical Council information) down from the earlier figure of 882,000 based on 2004 data from the same source.

Public comments on this ICR (there were none on the original ICR submission three years ago) may be submitted to the Federal Rulemaking Portal (docket # DHS-2010-0071). Comments need to be submitted by October 26, 2010.

Thursday, August 26, 2010

National Dialogue on Preparedness Update 08-26-10

I’m doing this week’s update on the National Dialogue on Preparedness web site early because the site closes for new ‘Ideas’, comments and voting when the month closes next week. I want to make sure that everyone gets the additional day to get to the site, submit their insightful ideas, comment on the Ideas in the current crop that are of personal interest, and most of all vote on the Ideas posted to the board.


As of 8:20 pm EDT tonight there were a total of 144 ideas posted on the site. A total of 416 users have posted 237 comments and voted a total of 1,614 times. That vote total definitely gives a distorted picture of the true case. Since you can actively vote thumbs-up or thumbs-down, the act of not voting on a particular Idea (if you have voted on anything else) is actually a statistical commentary on that Idea. With the Ideas being ranked based upon their vote totals, a non-vote is a mildly negative response; not as bad as a thumbs-down, but negative nonetheless.

NOTE: I just (9:00 pm) went back and looked at the home page of the site and discovered that the Dialogue has been extended to September 10th. Well I’ve started this anyway so it’s still being posted tonight.

HAZMAT Preparedness Idea

We had a new Idea submitted today that was specifically targeted at preparedness for the chemical community and would certainly affect the high-risk chemical facilities. Michael Pirrello suggested that incentives should be given to industry with on-site hazardous materials to invite emergency response agencies to participate in hazmat response planning.

Idea Status

Here is the Thursday evening status of the Ideas that I am tracking because of their potential to be of interest to the chemical security community.

Update "pre-fire" tours to include "pre-hazmat" considerations (3 votes, 0 comments, rank 68)
HAZMAT Rail Shipment Notifications (-5 vote, 0 comments, rank 142)
TSA Chlorine Dispersion Modeling Study (-1 vote, 0 comments, rank 117)
Bring in the Military (-13 votes, 4 positive comments, rank 147)
Counter-Terrorism Emergency Response Plan - CFATS (6 votes, 0 comments, rank 46)

Of my three Ideas (#s 2, 3 and 5 in the above list) only one is doing moderately well. Fortunately none are doing as badly as the one about using military forces for responding to large scale disasters. One of the drawbacks to this type of system is that very few people explain the reasons for their votes, one way or another.

My Ideas are kind of targeted at a small subset of the preparedness community so I can understand the low vote totals (I assume they’re low totals; we can’t tell for sure how many canceling pairs of +/- votes there are). But I had hoped that the Readers of this blog would be more active in their participation on these ideas.

I am kind of disturbed by the heavy anti-military vote seen in the response to the ‘Bring in the Military’ idea. Part of the problem may be due to negative responses to some of the comments about using the military in a semi-combat role along the border. Part of it may be a long-term fear in this country of military involvement in internal political matters. Outside of Reconstruction (which was an anomalous situation to say the least) there is no historical basis for that fear. But it has been an undercurrent in this country for a long time.

Hot Ideas

At the top of the list of Ideas on each page there are six tabs to be used to sort the Ideas. The first two are self-explanatory (‘Recent’ – ordered by date submitted, and ‘Popular’ – ordered by vote totals). The last three (‘In Review’, ‘In Progress’, and ‘Complete’) are apparently going to be used by the Local, State, Tribal, and Federal Preparedness Task Force, to track their review of these Ideas after the submission/voting process is complete.

The final tab, ‘Hot Ideas’, is one that I can’t figure out. I looked at it early in the process and it looked like it was a listing of the Ideas with positive vote totals; eliminating those with zero or negative totals. It didn’t make a lot of sense so I didn’t say anything about it. I re-looked at the Ideas in the ‘Hot Ideas’ list tonight and that original idea doesn’t hold water.

The top idea on the ‘hot’ list has 48 votes, but there is one idea with significantly more votes than that. The second Idea on the ‘hot’ list is #6 on the ‘popular’ list. Interestingly the two Ideas on my coverage list with positive vote totals both made the ‘hot’ list. I don’t know why, maybe someone from DHS or Idea Scale can explain that.

Participate

I certainly want to encourage all of my readers to get involved in this Dialogue. Too often in this country we complain about the lack of responsiveness of the government to the ideas and wishes of the governed. We complain that the only voices heard are those of the rich and influential. When we are presented with an opportunity to have our individual voices heard and our unique ideas publicly discussed and evaluated we owe it to ourselves and our country to actively participate.

It is disappointing to see only 416 active participants in this Dialogue. That is fewer than the number of people sitting on our behalf in the House of Representatives. It is even more disappointing to see that there are only 144 Ideas on how we can make our country and local communities better prepared for responding to the inevitable disasters, both natural and man-made, that are sure to come our way.

I’m sure that our national and personal creativity has not waned that far. Step forward with your thoughts and ideas; become part of the Dialogue. Participate in the discussion and the evaluation of these Ideas. Remember the phrase from the radicals of the 60’s; if you aren’t part of the solution, you are part of the problem.

Stuxnet Update

Those of you who follow me on Twitter® (http://twitter.com/pjcoyle) will have noted that yesterday I re-tweeted an announcement from Industrial Defender that they had updated their White Paper on the Stuxnet worm (ID calls it a worm, others have called it a virus or a Trojan). That re-tweet was based upon my experience with their past information. Late last night I finally had a chance to read their updated paper and I certainly was not disappointed.

I have frequently found that white papers by technology companies have been little more than advertising copy for products they sell. Industrial Defender is in the business of providing cyber security services, and there is a brief mention of two of their products in this document, but it hardly counts as real advertising as there are no claims about how well their product does against other such products available in the market.


The White Paper does provide a very good technical discussion of how Stuxnet works and propagates. It outlines what is known about the history of the malware and the response of both Microsoft and Siemens to the problem. While the discussion is technical, you don’t have to be a systems engineer to understand the points being made. Anyone with any significant experience in SCADA operations (not necessarily programming) should be able to follow the discussion without significant problems.

Most importantly, the paper provides a detailed discussion about how facilities can protect themselves from future problems with Stuxnet and outlines the types of steps that must be taken to safely remove a Stuxnet infection. Probably the most important piece of advice in the latter discussion is to closely involve your control system vendor in any removal operations.

The current version of the White Paper is a 21 page .PDF file which downloads quickly. You do have to register with Industrial Defender to be able to complete the download, but the process allows you to opt out of receiving sales literature if you so desire. The download page does provide access to a number of other Industrial Defender information products, including two webinars on the Stuxnet problem.

I think that anyone with a Siemens industrial control system should certainly download and spend some time studying this white paper. Industrial Defender has done an excellent job of preparing and presenting this information. It is certainly a valuable service to the control systems security community.

Wednesday, August 25, 2010

Blog Problems

I apologize for the inconvenience some readers may have had today here on the blog site. Only the latest posting has been available because of a code problem. I had been adding a script to place a Digg(R) tool at the bottom of each post. Apparently Digg.com did their much-anticipated update today and that tool no longer worked. Unfortunately, the code at the end of each post prevented the remainder of the page from loading.

I have removed that script from the latest links allowing readers to load the starting page for the blog as usual. It will take some time to go back and remove the script from past posts so there may continue to be problems when you link to an older post. You may not be able to post comments to some of those posts.

I will get this corrected as soon as possible. Again, I apologize for any inconvenience you may have experienced.

Reader Comment 08-25-10 ERP Requirements

I got a quick response from an anonymous reader to my blog posting this morning about the EPA ICR. Anonymous took exception to my comment about the lack of an emergency planning requirement in the CFATS program. Anonymous provided this quote from 6 CFR 27.230(a)(9):

“Response. Develop and exercise an emergency plan to respond to security incidents internally [emphasis added by PJC] and with assistance of local law enforcement and first responders;”

Anonymous is certainly correct that there is an emergency response component of CFATS, but it is limited to the on-site response. After all, facility management has no authority to do or require anything to be done off-site. And actually the same could be said for the emergency response requirement for water treatment facilities. Though, many of those facilities are owned by local municipalities so they may have more impact on off-site consequence planning.

I did not clarify that in my earlier blog post. That’s what comes from adding a toss off ‘by the way’ type comment to a blog post. I apologize for the lack of clarity.

Off-Site Consequence Response

While on-site emergency response is important (and it certainly is to on-site personnel), the entire focus of the CFATS regulations is the prevention of off-site consequences. In setting up the regulatory authority to establish a program to prevent terrorist attacks at high-risk chemical facilities, Congress completely overlooked the requirement to be able to respond to such a successful attack.

The security and response communities know full well that it is impossible to completely and absolutely prevent a terrorist attack. A determined and well trained terrorist team will be able to find a workable hole in any security scheme, especially if they are willing to die in the execution of their attack.

This is why an effective off-site emergency response plan must be an integral part of any security operation. Unfortunately, while facilities might be liable for off-site consequences they have no authority to effect off-site planning, preparation, rehearsal or execution of an emergency response plan. At most they may be required to contribute money, information and expertise to such efforts.

This is why, when Congress actually gets around to authoritatively addressing the CFATS reauthorization issue, they need to include a mandate for off-site emergency response planning through an organization like FEMA.

Reader Comment 08-23-10 ERP Planning

Edward, a reader who works with CFATS facilities on their security planning, responded to an earlier blog about emergency response planning. As is usual with Edward’s comments, he makes some interesting points that I missed in my post.

Responder Protection

Edward writes:
“It is highly likely that in addition to fire, that Law Enforcement and EMT will be forced to operate in a hazardous atmosphere of some type. It is imperative the plan be matched with the resources and that the resources be properly trained and have access to the proper equipment.”

This is a very good point that I haven’t seen addressed before. Law enforcement personnel responding to a terrorist attack on a high-risk chemical facility will potentially be exposed to multiple chemical hazards on that site. Most of these personnel will not have adequate training to recognize and respond to such potential hazards. It is highly unlikely that the average patrol car will be carrying the necessary personal protective equipment (PPE) to safely respond to an incident in a contaminated environment.

In cities with multiple chemical facilities, Baton Rouge or Houston come quickly to mind, patrol cars would need to be mini-vans to carry the wide variety of PPE to allow the patrol personnel to safely respond to all of the various chemical hazards at the multiple facilities to which they might be required to respond. Obviously this would not be practical.

Tactical Response

Edward also notes:
“On another note, when considering the threat scenarios offered by CFATS, it is very likely that the lone deputy or patrolman will not offer a viable or adequate response. Tactical teams and EOD also play a large role in the response to CFATS incidents and must be coordinated for and included in the SSP.”

I certainly agree with Edward that during an active terrorist attack, unless you have a lone, unarmed terrorist on site, a single patrolman, or even a two man team (though few patrol cars ever carry two patrolmen) will be an inadequate response to control the situation. At most they are going to be able to secure the front gate until a tactical response team arrives on site. With the threat of IED’s or vehicle borne IED’s (VBIED’s) the need for the response of an EOD team is also a near given.

Facility security planners need to take this into account when they consider whether or not to use armed guards at the facility. I understand the reluctance to have firearm-toting people on site where the simple act of discharging a firearm could possibly cause a conflagration. An on-site armed response team may be necessary to stop a successful terrorist attack when the response time for a tactical team would prevent a timely interception of the terrorists.

Security planners also need to consider that an armed site security team can be aware of those sectors of the facility where the discharge of weapons may pose a serious hazard to the safety of the facility, whereas an outside security response force without that familiarity might increase the threat to facility security.

EPA ICR Renewal Notice

Today the Environmental Protection Agency (EPA) published a 60-day notice of their intent to renew the information collection request (ICR) that allows them to collect information about vulnerability assessments (VA) and emergency response plans for water treatment facilities. The current ICR (2040-0253) approval expires on February 28, 2011.

There are no material changes to the ICR outlined in this renewal. The EPA notice explains that they expect the average respondent to this information collection request to require 237 hours to complete the information collection-submission process. EPA notes that (75 FR 52326):

“There is no decrease in the total estimated respondent burden compared with that identified in the ICR currently approved by OMB. This reflects EPA's continued need to collect documents that were included in the original estimate, but still have not been submitted to the Agency.”

Since the VA submission requirement applies to all water treatment facilities that serve 3,300 customers it seems that the EPA must have severely underestimated the number of covered facilities since the number of facilities that have yet to submit their VA has not changed in three years. This also points out the lack of authority to impose sanctions for not following this regulation.

I can’t help but note once again that this EPA program, in full accordance with Congressional direction, does not require water treatment facilities to have a security program to protect the facilities against terrorist attack. They must simply have an emergency response plan to respond to the results of such attacks. Congress just can’t seem to get it right; the CFATS program requires the establishment of a site security program to prevent an attack but no emergency response plan to respond to an attack. Maybe they ought to combine the two programs.

Public comments on this ICR renewal notice may be submitted at the Federal Rule Making Portal (Docket Number EPA-HQ-OW-2003-0013). Comments need to be submitted by October 25, 2010. EPA will respond to any comments received when they subsequently publish their 30-day notice.

Tuesday, August 24, 2010

Reader Comment 08-20-10 Effectiveness of RTK

Last week Fred Millar left two questions appended to my post about Emergency Response Planning. His second question is going to take some time to research, but I do have an opinion based response to his first question: “Ask why our 2 major federal Right-to-Know laws have failed (both involve emergency response planning) to communicate risks to the public.”

RTK Communications

I don’t think that it is fair to say that the right-to-know (RTK) rules have failed to communicate risks to the public. First, there isn’t any positive requirement to “communicate risks” to the public; facilities simply have to make certain information available in specified ways. While there have been specific failures of these information requirements, they frequently result in significant fines by EPA or agreed upon contributions to local emergency response efforts.

The required information is certainly available to the public. We can see this in very active publicity campaigns by private organizations like the Center for American Progress, Greenpeace and PIRG. Their information has all come from the required public information disclosures made available by the companies involved.

‘Communication of risk’ is certainly different from the current information requirements. Risk involves a complex calculation combining potential consequences and the likelihood of a release occurring. Accidental releases have some history which would allow for a calculation of accidental release probability and there are established methodologies for estimating consequences.

Terrorist attacks have not occurred against chemical facilities so it is much more difficult to calculate a probability of an attack occurring. In fact, many in the industry would argue that the lack of such an attack since 9-11, or even the report of a credible plan of such an attack, indicates that there is a vanishingly small probability of such an attack happening in the future (I think this is more wishful thinking than valid reasoning). In any case, there is no easy way to establish a realistic probability of such an attack occurring.

Furthermore, the public response or relative lack thereof, to the numerous news articles and TV news reports about the risk of large-scale chemical release in the last couple of years indicates that most of the public does not care to listen to such communication. Part of it is caused by the endless reports about terrorist threats without a credible attempt at an attack. Another major part is that people are just not interested in looking at risk in general.

Now we can certainly discuss the EPA’s removal of much of the chemical risk information from the internet in the name of security. Making the information available in ‘Reading Rooms’ means that the information is really only available to the active researcher not the general public. I understand the EPA’s reasoning, but there should have been a public discussion of the issue before the unilateral move was made.

RTK Emergency Response

One thing that I will certainly agree with, however, is that the emergency response planning component of the current RTK rules has proven to be almost completely inadequate. There are some notable exceptions, but even where there are realistic planning efforts made, there has been little or no communication of those plans made to the potentially affected public. As we saw in New Orleans, failure to communicate emergency response plans (ERP) to the affected public in advance dooms such plans to complete failure.

Part of the problem is that the responsibility for ERPs has been given to Local Emergency Planning Committees (LEPC) that have little or no training for conducting emergency response planning. Completing a couple of on-line FEMA courses does not make one a professional planner. Furthermore, the lack of funding and oversight dooms most of these efforts to complete failure.

One of the things that I would certainly advocate adding to any comprehensive re-write of the current CFATS authorization would be a realistic emergency response planning requirement. I would like to see a requirement that, in any area that includes a high-risk chemical facility with release chemicals of interest capable of off-site consequences, the LEPC should be moved into a more professional status under direct FEMA supervision and funding.

Standards would need to be set about ERP components, coordination and exercises. Participation in the ERP process would be an inspectable part of the facility’s site security plan. Part of the funding would come from the covered facility, but most should come from a specific federal budget line item. Such LEPCs would be required to have active representation at the State or local fusion center.

RTK for Transportation

Fred would be quick to point out that communities along rail lines and truck transport routes receive little or no information about hazardous chemicals that transit their community. I would reply that they do receive minimal hazmat information in the form of placards on the railcars and trailers containing hazardous materials. This information and format are mainly useful for first responders coming upon an incident and are of little use for community ERP purposes.

There is an active debate about community RTK and transportation security interests. Both sides have legitimate points of view. Added to that debate is the concern of railroads about having to set up communications systems with each little political entity along their extensive rail lines.

I think that a reasonable railroad RTK program could be established by Congress along the following lines. First, since railroads are already collecting data about their toxic inhalation hazard (TIH) shipment routes, I think that it would be reasonable for them to provide to State Fusion Centers a list of rail lines that are routinely scheduled to handle TIH shipments and a list of the TIH chemicals on those routes. Fusion Centers could then pass that information to LEPCs along those routes. This would allow communities to develop ERPs for those shipments.

Individual shipment notification is more problematic. Advance notification of individual shipments could legitimately be targeting information for potential terrorist attacks. That plus the fact that there will not typically be any local response for a routine shipment leads to the conclusion that advance notice of shipments should not routinely be made.

Communities do have a more arguable need to know when TIH railcars are actually transiting their area of responsibility. I have proposed a notification methodology on the FEMA National Dialogue on Preparedness (HAZMAT Rail Shipment Notifications) that I think will provide a reasonable solution to this problem. I urge readers of this blog to visit that site and provide appropriate feedback in that forum since it is more likely to get a government response than the discussion here will.

Truck-based transportation of TIH materials presents a much more difficult problem, especially since trucks may be more vulnerable because they can be stolen and moved to a specific target. I’ll leave discussion of this problem for a later date.

Monday, August 23, 2010

Cyber-Security Overview

I really do like to think that I can do a good job of explaining things and really hate to admit it when I know others can do a better job than I do. Not only am I going to have to admit it in this case but I am going to be forced to recommend an article by someone else as doing one of the best jobs I have seen of giving a general overview of the way to secure an industrial control system.

James R. Koelsch, a contributing editor over at AutomationWorld.com, has given an excellent overview of the typical steps a facility will need to follow to secure their cyber control systems. It is well written with a minimum of technical jargon. The experts quoted in the article are all well known within the community and provide the type of insightful comments that one would expect from people who truly know their business.

As always, a single article or book will not make you an expert on the subject, but the Koelsch article will give the new security manager enough of an understanding to be able to ask intelligent questions.

I highly recommend this article and only wish that I could have written it. As much as it pains me, I have to admit I can’t be an expert on everything.

CG LNG-LHG Rule Goes into Effect

Back in June the new Coast Guard rule on risk assessments for LNG-LHG shore side facilities officially went into effect. Unfortunately, because almost all of the rule requirements deal with information that facilities must submit to the Coast Guard, the Coast Guard could not start collecting that information until the information collection request (ICR; 1625-0049) modification was approved by the Office of Management and Budget.

As I noted in an earlier blog, the Coast Guard did not submit their ICR until June 9th. It was approved last Friday. The collection of vulnerability assessment information could probably start to take place today, but I expect that the Coast Guard will hold off until they post an official notice in the Federal Register in the next couple of days.

Nitrogen Cloud

The news story is a bit dated, coming from the first part of the month, but it illustrates a basic problem that we have with emergency response in this country: a lack of chemical knowledge on the part of responders and their supervisors. And worse, a lack of chemical emergency response planning.

Cryogenic Nitrogen

The story is fairly straightforward. A cryogenic nitrogen tank begins to leak. ‘Cryogenic Nitrogen’ is simply nitrogen gas cooled and compressed until it becomes a liquid, increasing the amount of nitrogen that can be stored in a given tank size. As the liquid nitrogen exits its tank it almost instantaneously converts into a gas. It is quite cold so it makes any water vapor in the air condense and form a white cloud.

Nitrogen is a colorless and odorless gas. It is not toxic; it better not be because it makes up over half of the composition of the air that we breathe every day. A nitrogen leak is hazardous for two reasons. First, in the immediate vicinity of the leak the temperature is well below 0° C and can cause cold-related injuries. Second, in a slightly larger area around the immediate leak the concentration of nitrogen can get well above 80%, at which point there is not enough oxygen in the air to support human brain function.

Emergency Response

The problem identified in this news story is the actions of the local fire department when they arrived on the scene. They apparently knew that they were dealing with a nitrogen leak. They evacuated the building closest to the leaking tank, a reasonable but probably unnecessary precaution. Excessive caution is a commendable trait in an emergency response situation.

They then became concerned about the spreading white cloud. For some reason they assumed that it was a cloud of nitrogen gas (odorless, colorless remember?). As the cloud approached two off-site buildings, they ordered the evacuation of those buildings as well. This disruption was certainly not called for even given any reasonable measure of excess of caution. Okay, we’ll just write it off as unreasonable excessive caution, still probably not a real bad thing.

No, the silliest thing that they did was described this way in the article: “Firefighters dispersed the vapor cloud with a hose stream.” Yes, it was a cloud, not a cloud of nitrogen gas, not even a vapor cloud; just a cloud, condensed water vapor in small droplets. The same kind of cloud we see most every day high in the sky overhead. The only danger with the cloud is that it impedes visibility.

Now the atmosphere in that cloud was certainly nitrogen enriched, but their hoses did nothing to change that. The water couldn’t absorb or dissolve any of the nitrogen; it was already saturated in nitrogen from the atmosphere. It couldn’t chemically neutralize the nitrogen; atmospheric nitrogen is practically non-reactive. So, removing the cloud didn’t make the area any safer.

No, the only thing they could have done to protect the populace was to measure the oxygen concentration of the air downwind of the leak. That way they could have established a reasonable safe zone around the leak and assured the surrounding public of their safety. And it wouldn’t have taken “two fire engines, two ambulances, a HAZMAT vehicle, ladder truck, battalion chief and two deputy chiefs”.

Emergency Response Planning

Don’t get me wrong. I have the greatest respect for fire fighters and other emergency response personnel. They are extremely brave and selfless and among the most underpaid civil servants in this country. The ‘proper’ response to this situation is obvious to me because I am a chemist and I worked at a facility with one of these cryogenic nitrogen tanks. We had worked out this emergency response plan for our tank as part of our general facility hazmat response plan.

Our plan did call for notifying the local authorities of a significant nitrogen leak, but with the comment that we did not need any assistance (unless we had had someone injured in the initial leak). The plan called for a local evacuation, oxygen level monitoring and then contacting the owner of the tank to fix the leak and re-fill the tank when it was emptied. Oh, yes, and shut down all of our processes that required nitrogen.

The advantage of having an emergency response plan is that you know what to do in the event of an incident. We practiced our plans so we reacted in a practiced manner.

We did our planning with the local fire department for emergencies that would have an off-site effect or would require their support to respond to. And they took part in exercises with us on an annual basis. They understood the chemical hazards they would face when they rolled through our gates and understood their part in the response. We never did require their assistance on any real incident in the 16 years I worked at that plant, but we knew that they would be there as part of the team if and when.

And nobody would use water hoses to knock down a cloud.

Reader Comment 08-20-10 TRANSCAER

Long time reader and frequent commenter on matters related to the transport of toxic inhalation hazard (TIH) chemicals Fred Millar left a rather long comment on my recent blog about the TRANSCAER training program. I would urge anyone interested in TIH transport or emergency response to read his entire comment, but I think I can safely summarize his complaint about the TRANSCAER training by saying that it does not deal with the problem of emergency response to a catastrophic release of chlorine gas from a railcar.

Non-Catastrophic Release

I think that Fred unfairly disparages the true benefit of the TRANSCAER training. The vast majority of chlorine release incidents in rail or truck transport deal with leaking valves. These releases are not typically going to result in the large chlorine gas clouds that will require mass evacuations and result in inevitable mass casualty events.

These types of incidents do require first responders to get up close and personal with rail car and truck fittings in a very hazardous personal exposure situation. Proper training in how to respond to these situations will allow these first responders to efficiently and safely handle these events.

Fred does make a good point, however, in noting the relatively small number of responders that this program reaches every year. This is a problem since there is a very real need for the program to reach all of the first responders that might be called upon to respond to these incidents. Emergency response personnel in every community where a rail car may pause in transit really do need this training.

Fred is correct in noting that Federal grant monies would be necessary to expand this program to provide truly adequate coverage of the communities involved. This does not need to be a one time event. Any professional safety trainer knows that training like this needs to be repetitive (on at least an annual basis) if it is to be truly effective.

I do think, however, that this combined effort of the railroads and chlorine producers and shippers (who do not see eye-to-eye on chlorine transport issues) is to be commended for what it does accomplish. The creative use of railcars as training aids should be applauded. Congress should certainly look at providing funds for extensive expansion of the program.

Catastrophic Release

I have not attended any of these training events so I am not absolutely sure that the TRANSCAER training does not address the issue of a catastrophic release of chlorine gas. Lacking a comment from the TRANSCAER folks I will accept Fred’s observation about the lack of such coverage, at least for the sake of this discussion.

I would hope that the TRANSCAER folks would at least briefly address the situation with a discussion of evacuation requirements outlined in the Chlorine Institute’s Pamphlet 74. If I were planning/conducting this general chlorine response type training I would also include a relatively brief discussion of how to detect and respond to a catastrophic release with emphasis on the personal protective equipment and mitigation techniques.

I am not sure, however, that a TRANSCAER type hands-on training event is the appropriate forum for the type training and planning event that is necessary to properly prepare a community for a catastrophic chlorine release event on this scale. I’m not sure that there is currently an appropriate forum for that information exchange.

This begs the larger question of how we deal generally with low probability, high impact (LPHI) events of this sort. Getting all communities along all potentially affected rail lines in this country to the point where they have an effective plan (which requires both planning and exercise components for truly effective plans) for a catastrophic release of chlorine gas of a transiting chlorine railcar would be extremely expensive and time consuming. The limited emergency response planning resources in most of these communities would be better focused on events of a higher local probability.

FEMA should be the agency developing generic emergency response plans for the whole spectrum of LPHI events. There should be a manual produced with a whole host of such generic plans that emergency response professionals could easily refer to in the event that an LPHI event actually occurred in their area. This would not be as effective as a locally produced and exercised plan, but it would be a cost/resource effective alternative.

Fixed Chlorine Sites

Fred does mention the US Army’s nerve agent response program for communities surrounding the sites that are finishing up the destruction of the nerve agent munition stockpile as an example of the type of effective emergency response program that would be needed to protect a community from a catastrophic chlorine release. Those programs include the provision of personal protective equipment to potentially affected off-site personnel along with the appropriate training for the use of that equipment. There is also an extensive detection device network surrounding the storage and destruction sites and an often tested and evaluated emergency notification network.

While nerve agent is a much more toxic chemical than chlorine gas, this type of emergency response planning should be considered for the closest neighbors of a facility with release toxic COI of all types, but especially facilities storing/using/producing a significant amount of chlorine gas. At an absolute minimum there needs to be a network of chemical sensors that provide automatic warning of a chemical release. Neighbors within the immediate danger zone need to be trained and equipped to either shelter in place (where appropriate) or evacuate the hazard zone.

Recently the TSA has raised a number of questions about the accuracy of the chlorine gas dispersion model embodied in Pamphlet 74. Until those questions are resolved, that remains the industry standard model and the one that emergency response personnel use for their planning purposes. TSA needs to proceed with their planned studies to evaluate the model, but FEMA should be an active part of those studies. FEMA is the Federal agency responsible for all-hazards emergency response planning and execution. They have an inherent interest in the accuracy of the chlorine gas dispersion model (see my ‘Idea’, TSA Chlorine Dispersion Modeling Study, on the National Dialogue on Preparedness web site and please vote on the 'Idea').

Sunday, August 22, 2010

Gate Busting

Earlier this month I posted a blog about perimeter fencing and I talked about how easy it was to penetrate fences. I didn’t particularly address the issue of vulnerability of gates, but CNN® provided video evidence earlier this week of how easy it is for vehicles to break through many standard gates. According to the accompanying news story the pickup truck was being chased by police when it entered the airfield through the closed gate. Pursuing police were able to stop the truck before it got near any aircraft.

Perimeter Gates

Most gates, like most fences, are designed to keep honest people honest, not to provide a serious impediment to unauthorized entry by vehicles. Where there is no specific reason to expect antagonists to crash a gate, these standard gates are perfectly adequate to define a boundary. Where there is a suspected risk of terrorist attack, facilities relying on a perimeter fence to reduce the risk of a vehicle borne improvised explosive device (VBIED) being introduced to the facility will require a specially designed (and much more expensive) gate.

Airport Security

While this isn’t an airport security blog, I can’t help but mention how badly this incident reflects on the status of airport security. This country has spent untold billions of dollars on TSA screeners, high-tech screening devices, and complex programs to ensure that all packages going into cargo holds are properly screened. Now we see how totally inadequate simple perimeter security measures are around the same airports.

If this truck hadn’t been closely pursued by a number of police cars, there would have been little that would have prevented a VBIED from being driven into planes waiting on the tarmac. Even a truck load of heavily armed gunmen could have destroyed a number of loaded aircraft. Obviously the vulnerability assessment at this airport (and probably most others as well) failed to take a serious look at perimeter security measures.

Saturday, August 21, 2010

EO 13549 – Classified Info for SLTPS

Earlier this week I did a brief post about President Obama signing a new Executive Order (EO) establishing a new program for sharing classified information with State, local, tribal, and private sector (SLTPS) entities. Today, Monday’s Federal Register was posted on-line and EO 13549 was published.

ERROR NOTE: In my earlier blog I stated that “DHS will be responsible for inspecting, accrediting and monitoring SLTPS storage of classified material.” Because I was quickly scanning the EO on the White House web site I misread “SLT” for “SLTPS”. DHS is only responsible for the program at State, local, tribal entities.

Extension of EO 12829

In many ways this new EO is simply an extension of the 1993 EO establishing the National Industrial Security Program. It provides authority for setting up a program for sharing classified information with SLT and extends the program for private sector entities. What it does do is to ensure that once an entity is authorized access to classified information by one agency of the Federal Government, all other agencies will accept that authorization {§1(c), 75 FR 51609}.

The National Industrial Security Program established the program for sharing classified information with private companies that the Government did business with. It did not extend that authorization to places like high-risk chemical facilities that might need to know about classified threat information. This new EO takes the earlier EO and extends it to “persons outside government who are critically involved in ensuring that public and private preparedness and response efforts are integrated as part of the Nation's Critical Infrastructure or Key Resources (CIKR)” {§5(g), 75 FR 51612}.

Since DOD already has a program up and running for managing a classified information program with private businesses, this EO extends that earlier program to the “management, oversight, inspection, accreditation, and monitoring of all private sector facilities that have access to classified information” {§4(b), 75 FR 51611}. This will probably mean that DOD will have to make some modifications to its National Industrial Security Program Operating Manual specified under §201 of EO 12829.

Security Clearances

One significant change established by this new EO is that it makes the Secretary of Homeland Security responsible for:

● “[P]rocessing of security clearance applications by personnel, when requested by a sponsoring agency” {§4(c)(3), 75 FR 51611}
● “[D]ocumenting and tracking the final status of clearances for all SLTPS personnel” {§4(c)(4)}
● “[D]eveloping training, in consultation with the [SLTPS Policy Advisory] Committee, for all SLTPS personnel who have been determined eligible for access to classified information, which shall cover the proper safeguarding of classified information and sanctions for unauthorized disclosure of classified information” {§4(c)(6)}

The EO sets up the limit for these clearances to the Secret level unless “the applicant has a demonstrated and foreseeable need for access to Top Secret, Special Access Program, or Sensitive Compartmented Information” {§1.3(a), 75 FR 51609}. Knowing how the classification system has historically gotten inflated, I expect that it won’t be long before the exceptions will quickly outnumber the Secret level clearances.

Program Set-up

This will be an extremely interesting program for DHS to set up, especially given the 180-day time frame that the President gave for this program to go into effect. One of the complaints about the current security clearance program has always been the length of time it took to get a clearance approved. This program will likely have to handle as many folks as the current government program. It will be interesting to see if DHS is able to streamline the process.

National Dialogue on Preparedness Update 08-21-10

As of this morning (at 8:45 EDT) there were a total of 85 ideas posted on the FEMA National Dialogue on Preparedness web site. This is an increase of about 49% over last week. It is still a rather poor showing for such an important topic, but then again DHS has been doing little to advertise this site. The number of users has increased by almost 40% to 229. There has been a similar increase in the number of comments posted (48% to 142) and a significantly larger increase in votes cast on ideas (65% to 726). Since this Dialogue will only remain open for a little more than a week (it closes August 31st), it is important that anyone with an interest in emergency preparedness log on to the site and put in their 2 cents worth.

New Idea

I posted another new idea this morning: HAZMAT Rail Shipment Notifications. It deals with a method of satisfying the emergency response community’s need for notification of railcar shipments of toxic inhalation hazard chemicals through the communities that they serve while still satisfying the security community’s concern about potentially providing targeting information to terrorists.

Idea Tracking

Here is the current status of the four Ideas currently posted on the Dialogue that I think will be of interest to the chemical security community:

HAZMAT Rail Shipment Notifications (1 vote, rank 59)
TSA Chlorine Dispersion Modeling Study (0 vote, rank 68)
Bring in the Military (-6 votes, rank 84)
Counter-Terrorism Emergency Response Plan - CFATS (4 votes, rank 33)

Remember, your votes will influence which ideas that FEMA and the Local, State, Tribal, and Federal Preparedness Task Force will consider in their assessment of the state of national disaster preparedness and which ideas will make it into their recommendations for improvement.

Friday, August 20, 2010

Stuxnet Cleaning

A blog over on Technet.com describes the results from the first week’s application of the latest Microsoft Malicious Software Removal Tool (MSRT) release. One of the new targets of the MSRT was the Stuxnet Trojan. This blog post provides figures on the number of machines from which Stuxnet was removed.

US Infections

The United States had the largest number of machines from which the Stuxnet Trojan was removed, almost 32,000 machines. Of course this represents a very small percentage of the machines in the US; it was less than 0.1% of the machines that reported processing the MSRT. (NOTE: I wasn’t aware that when I authorized the MSRT on my machines that it reported the results of its application back to Microsoft. But, then again, like most people I don’t actually read the user’s agreement that we check off on before signing up for the update service).

That 32,000 machine figure seemed awfully high to me since Stuxnet is targeted at Siemens WinCC systems. The blog post didn’t mention anything about these systems so I asked an expert, Dale Peterson at DigitalBond.com. Dale told me that the number didn’t seem high to him because the Trojan infects a computer and then looks for the SCADA systems. This means that normal replication would take the Trojan to many more non-SCADA systems because there are more available.

One thing is almost certain; the 32,000 machines from which this Trojan was removed are not all of the infected machines in this country. Many people don’t sign up for automatic updates, and many machines are not directly connected to the internet. So there is going to be a reservoir of infected machines to keep the Trojan an active threat.

One last thing to consider: with about 1:10,000 tested machines being infected we can assume that there is a relatively high probability that any given Siemens WinCC system in the US has been exposed to this Trojan, even if it hasn’t been specifically targeted. The more machines that have potential linkages to the control system, the higher the probability is that the SCADA system is infected. This includes networked machines and machines that can be linked via USB file transfer devices.

Most of these SCADA machines are not set up to run automatic updates so they are unlikely to have been cleaned by the MSRT. So we don’t have a good handle on how many SCADA systems have been cleaned and had Stuxnet removed. That further means that it is hard to quantify the actual chance of any given SCADA machine having been infected.

Foreign Infections

There has been much discussion in the press about the number of machines in Iran that have been infected. According to the Technet blog the MSRT removed Stuxnet from almost 5,000 machines in Iran. While this is a significantly smaller number than found in the US it is a much higher percentage (1.83%) of the machines checked in that country. The only other country that had anywhere near that infection rate was Indonesia with a rate of 1.66%.

This statistical anomaly has given rise to speculation that Stuxnet was specifically developed to target machines in those countries. This leads to the suggestion that it might have been an intelligence agency that developed Stuxnet. The problem with that speculation is trying to determine what intelligence agency would want to target these two particular countries.

CFATS Inspections

There is an interesting article on ICIS.com about comments made by Dennis Deziel, acting director of the Infrastructure Security Compliance Division (ISCD), at the OPSEM2010 conference being held in Austin, Tx. He told the conference that ISCD had conducted 80 on-site reviews of site security plans since the inspection process began in February. He also explained that the inspection rate is expected to increase to 30 to 40 per month. I have addressed the problems inherent in this type of inspection process.

One of the reasons that the inspection process is being accelerated was identified by Deziel. He was quoted in the ICIS article as saying: “People are now starting to understand exactly what the expectations are, which helps us get quality site-security plans.”

Increased Experience Level

Part of the reason for this is the fact that many facilities are using a relatively limited number of security consultants to help them complete their CFATS process. This means that there is an unofficial spread of ‘lessons learned’ through these organizations. Subsequent facilities using these consultants benefit from the increased knowledge base about what DHS is actually looking for in their site security plan.

Another factor that cannot be discounted is that the inspection teams are gaining experience in the process. Each time they enter a new facility they have a better understanding of what to look for, and what questions to ask. They also learn what other facilities have had success with so this adds to the suggestions that they can make.

Helping DHS accelerate the inspection process is the continued increase in trained inspectors coming out of the Chemical Security Academy. Hopefully ISCD is rotating their new inspectors through experienced teams so that they can acquire the lessons learned by those teams.

SSP Tool Problems

One of the things that has impressed me with the CFATS process is the willingness of ISCD to take a hard look at what they are doing and make appropriate changes. The article quotes Deziel as saying: “That said, we realise (sic) that the site-security plan tool is not perfect, and there hasn’t been a lot of guidance given to facilities.” Part of the guidance problem is that DHS has bent over backwards to avoid looking like it was violating the §550 prohibition of mandating specific security measures.

This brings up the interesting possibility of changes being made to the Risk Based Performance Standards Guidance document and/or the Site Security Plan Tool on CSAT. It is probably more likely to have the SSP tool changed since that doesn’t require any publication and comment period to implement. The RBPS Guidance does require a publication and comment period to implement significant changes. I have not heard any specific talk about these changes, but it would be typical for ISCD to update either of these documents to reflect the lessons learned in the process.

Thursday, August 19, 2010

Call for Papers

The American Institute of Chemical Engineers (AIChE) and the Center for Chemical Process Safety (CCPS) announced a call for papers today for the 7th Global Congress on Process Safety. This year’s Congress will continue to focus on inherently safer design, “an approach to process safety that focuses on eliminating or reducing hazards”. Readers of this blog will recall that the 6th Global Congress earlier this year had a two and a half day session addressing the issues surrounding inherently safer design and chemical facility security. That session included a presentation by Larry Stanton from DHS-ISCD on how DHS might be able to implement an inherently safer design requirement in the CFATS regime. There will be a closely related session in next year’s Congress; “Inherent Process Safety – Experience Applying the Discipline in Operating Facilities”. According to the conference web site:
“This session is particularly focused on papers addressing plant-level experience – successes and challenges – applying inherently safer precepts. Papers are sought discussing case studies, lessons learned, risk reduction evaluations and economic justifications resulting from applying inherently safer practices at any stage of the process plant life cycle.”
The deadline for submission of abstracts is September 15th.

EO- Sharing Classified Information

Yesterday President Obama signed a new executive order establishing specific authority for Executive Branch agencies to allow “access to classified national security information shared by the Federal Government with State, local, tribal, and private sector (SLTPS) entities” (§ 1.1). This is a relatively detailed EO providing policy guidance and establishing a new SLTPS Policy Advisory Committee. While it will take some time to digest this, here is a very brief overview:
● Generally limits the authority to sharing Secret and lower level classified material.
● Provides for non-disclosure agreements as a pre-requisite to sharing of classified information.
● Exempts sitting Governors from requirement for background checks.
● DHS will be responsible for inspecting, accrediting and monitoring SLTPS storage of classified material.
● Prohibits sharing of classified information by State and local government agencies under State and local laws/regulations/ordinances requiring information sharing.
This order goes into effect in 180 days (except for provisions establishing the SLTPS Policy Advisory Committee). Presumably this will provide time for DHS to establish inspection, accreditation and monitoring programs. I also expect that some rules will have to be issued. Interestingly, there is not the standard provision found in many Executive Orders requiring that they be published in the Federal Register. I suspect that we will see this published in any case.

Safety Systems

Thanks to the folks at Putnam.net I was able to download a copy of a Honeywell white paper on implementing control system recommendations from the Buncefield investigation. That investigation was conducted by UK safety authorities in the wake of the massive fuel-air explosion in 2005 at the Buncefield fuel storage facility. The vapor cloud that formed the source of the explosion resulted from overfilling a storage tank. There were two interesting things in this white paper. First, there is a brief discussion about a number of similar incidents that belies the claims of the fuel industry that these tank farms are not potential terrorist targets (or more accurately shouldn’t be regulated as potential terrorist targets) because of the difficulty in forming the requisite vapor cloud. Second, there is a lengthy discussion of the requirements for designing a safety system that would prevent the accidental overfilling of these storage tanks.

History of Vapor Cloud Explosions

The white paper states that: “Records show that overfilled or leaking petroleum tanks have been cited as the cause of an industrial accident almost every five years since the early 1960s.” (pg 4) It then goes on to list seven vapor cloud explosions in that period (and it doesn’t include the more recent incident in Puerto Rico). To be fair, there are a number of factors that are a pre-requisite to the formation of a gasoline vapor cloud. There has to be some measure of ‘congestion’ which serves to prevent natural dispersion of the vapor cloud. There must be low to no wind at the site that would disperse the vapor cloud. There must, of course, be a very large leak of fuel that provides a large enough surface area to provide the vapor cloud. And finally there must be a source of ignition. Any reasonable assessment of the risk of potential terrorist attack would see that only the first of these pre-requisites is an inherent factor at a given fuel facility. The others are factors that are either potentially at the control of terrorists or form a timing issue for a particular attack. Requiring fuel facilities to submit a Top Screen and having DHS evaluate the ‘congestion’ at the site and then evaluating the potential effects of a potential vapor cloud explosion would allow for a reasonable determination of whether or not a particular fuel depot was at high-risk of terrorist attack.

Preventing the Overfilling of Fuel Storage Tanks

As one would expect, the bulk of the Honeywell white paper looks at the control system requirements for the prevention of overfilling fuel tanks. There is an extensive discussion about the separation of safety systems from control systems and the importance of redundant detection methods to assure the reliability of the safety systems. As far as that goes, this looks to be a very reasonable and useful discussion. I do have to take objection to the fact that there is no discussion about protecting either control systems or, more importantly, safety systems from attack. There is a nice description of the importance of PLCs in automated safety systems, but there is no mention of the recently released warning about the vulnerability of a popular PLC programming language. Since there is not a date on this white paper, I assume that it predates the warning. Even so, the reliability of safety systems is of even greater importance than the reliability of industrial control systems. After all, the safety systems backstop the control system and should prevent a control system compromise from initiating a catastrophic event. In today’s cyber security environment the failure to even mention the need to isolate safety systems from any outside communications is extremely negligent and does a severe disservice to the control system community.

Major control system vendors need to be leaders in the field of cyber security. They have a major responsibility to educate their customers about the emerging threats to control systems and advocate for the routine application of security measures to those systems. I understand that the security add-ons take money to develop. Companies cannot afford to undertake those added costs unless the customers are willing to pay the price. But no one, certainly not customers, should know more about cyber security issues than the developers and vendors. There needs to be a routine, clear and continuous communication from the control system suppliers about the threats to control systems and the ways to mitigate the resultant risks.

Wednesday, August 18, 2010

Hazmat Training

The folks over at USFA.DHS.gov have a brief piece on their emergency responder page reminding people about the free hazmat response training made available through TRANSCAER. They also provide a link to the Spring-Summer 2010 issue of the TRANSCAER newsletter. TRANSCAER is a training organization supported by national railroad and truck associations in concert with organizations supporting hazmat producers and distributors. It provides high-quality hands-on training for first responders in how to respond to transportation incidents where there is a release of hazardous materials. The newsletter describes a new program TRANSCAER is planning on providing for anhydrous ammonia transportation incidents. The 2011 Anhydrous Ammonia TRANSCAER Training Tour is scheduled to start next February. The target audience for tour events includes emergency responders, agricultural businesses, emergency management officials, public safety representatives, law enforcement agencies, consultants, etc. High-risk chemical facilities handling anhydrous ammonia need to consider working with their local responders to get local access to this training.

Tuesday, August 17, 2010

Vendor Admin Accounts Warning

Yesterday the DHS ICS-CERT issued a new alert about vendors establishing administrative-level accounts on new control systems software during the installation process. The alert notes that: “The addition of an administrative account to an ICS network with the password known by a contract company increases the cybersecurity risk to the asset owner.” (pg 1) High-risk chemical facilities should also note that this gives an untold number of people at the vendor company unaccompanied access to a cyber system that might be a ‘critical asset’ at the facility. In addition to the risk of unauthorized access to the system, there is also the additional burden of ensuring that adequate background checks have been conducted on these personnel. Rather obviously ICS-CERT recommends against this practice, but they do note that there might be legitimate reasons where this may be necessary. In those cases they recommend:
“Where it is not possible or practical to avoid creating an administrator account (some control system software versions may require this practice) the asset owner should work with the contractor or vendor service organization to reach agreement on how best to control the system’s cybersecurity risk profile. This should be formalized into a security level agreement that clearly defines the responsibilities of both parties and should be documented in the systems configuration management process.” (pg 2)
If a facility’s site security plan has already been approved, allowing this type of access to a critical asset may require approval from DHS-ISCD before it is implemented. DHS-ISCD should be contacted for advice on the particular facility situation.

Monday, August 16, 2010

Emergency Response Planning

High-risk chemical facilities, while they are planning on preventing a successful terrorist attack on their facility, need to consider the very reasonable possibility of a successful attack occurring despite their best preventive effort. Developing an effective emergency response plan (ERP) will help reduce the effects of a successful attack on the facility; both on-site and off-site effects.

Counter-Terrorism ERP

Facilities with toxic release chemicals of interest (COI) and flammable release COI should have already established ERPs for most of those COI under EPA regulations. Those plans would have been designed to deal with an EPA worst case scenario based upon an accidental release. Those scenarios are based upon reasonable expectations about COI release rates for typical industrial accidents such as failed valves or broken hoses. They also typically only take into account the release of the single largest container on site. An ERP for a terrorist event is going to have to be based upon a much more expansive definition of the ‘worst case’ scenario. An IED or a VBIED will result in an almost instantaneous release of the entire contents of a storage tank instead of the draining of the tank through an existing 4” line. Instead of focusing on a single storage tank, a terrorist attack based ERP will have to assume catastrophic failure of multiple storage tanks simultaneously. This could lead to the release of chemically incompatible materials that would expand the adverse effects that must be dealt with in the ERP.

On-Site Planning

Facility management will mainly be responsible for the on-site portion of the ERP. The on-site planning will focus on the protection of on-site personnel and efforts to mitigate the off-site consequences of the release. These are the same things that a typical accidental release ERP would deal with, but there will still be some fundamental differences with the terrorist attack ERP. The most obvious difference will be the fact that the CFATS site security plan will provide a basic focus on detecting a terrorist attack as early as possible. This will potentially allow the facility management some advance notice for the initiation of the ERP. Thus the terrorist attack ERP should include protection and mitigation measures that can begin before the actual release takes place. Unfortunately, this advance notification will also require actions to protect on-site personnel from physical attack by terrorists. Personnel evacuation plans will have to take into account the potential desire of the terrorist attackers to kill or capture key facility personnel. Key personnel will potentially include operations personnel who would be conducting mitigation operations to limit the effectiveness of the successful terrorist attack. Thus, control rooms should be hardened against physical assault by terrorists to allow personnel the most time to conduct mitigation operations.

Off-Site Planning

There is a certain disconnect between authority and responsibility for off-site emergency response planning that has become very clear in the response to the BP extended oil release (I refuse to call this a spill, a totally inadequate term in my opinion for this situation) in the Gulf of Mexico. It should be clear to nearly everyone that there is both a moral and legal obligation for the off-site results of an on-site release. Unfortunately, facility management has no authority over the organizations that are responsible for the off-site emergency response planning and execution. Facility management does have a clear legal obligation to provide adequate information to local and State government organizations about the potential off-site consequences of an EPA delineated worst case scenario. It is less clear that similar information must be communicated for the potentially more serious potential releases resulting from a truly successful terrorist attack. DHS is prohibited from requiring such communications under the §550 restrictions on requiring any specific security measures.

ERP responsibilities should not stop with the planning phase of the ERP. Proper execution of the ERP is dependent on a continued flow of information about the status of the release and on-site mitigation efforts. Emergency response personnel need the timely flow of this information to adjust their plans to the realities of the situation. Facility management needs to provide for this flow of information in their on-site ERP planning because managers are going to be rightfully more concerned about their on-site responsibilities for responding to the attack. This means that the communications protocols need to be established in advance so that management does not need to remember to take care of this information exchange during incident management.

Part of Site Security Plan

The emergency response planning for a terrorist attack should be an integral part of the development of the site security plan (SSP). That it was not included in the list of risk-based performance standards is not unusual. Security personnel frequently overlook the post incident consequences of an attack. Their focus is on preventing and stopping terrorist attacks. ERP does not fit neatly into the process of deter, detect and delay that is the keystone of the CFATS security process.

But everyone needs to remember that the purpose of a terrorist attack is not to destroy the chemical facility (though it may be a motivator for some terror groups). The purpose of a terror attack is to inspire terror in the population to effect some political goal. A well prepared ERP will help to lessen that terror and reduce the effectiveness of the attack. Facilities and communities that publicly communicate their ERP to the populace will actually be part of the deterrence purpose of the security plan. A terrorist attack on a well prepared community is doomed to failure.

Sunday, August 15, 2010

Legislative Status Page

I was asked by another blogger if I would do an update on cyber security legislation that he could post on his blog. It sounded like an interesting idea and was certainly flattering. I thought about trying to do something like that for chemical security legislation in general, but thought that might be an awfully long post. I thought about it a good bit yesterday and came up with the idea of maintaining a separate Legislative Status page on this blog site. Google has made provisions for adding additional pages so I might as well use that capability. Today I added the Legislative Status page to this site. You can use the link here or simply click on the link at the top of the blog page. In either case you will be taken to a separate page that provides a listing of the bills that I have addressed here in this blog during the 111th Session. I have placed the bills in numerical order (House then Senate) in four different categories:
● CFATS Related Legislation
● Cyber Security Related Legislation
● General Homeland Security Related Legislation
● Hazardous Material Related Legislation
Each entry provides the bill number and name, the current status of the bill, and a link to the most recent version of the bill on the GPO web site. I have also provided links to each of the blog postings on this blog where I have written about that legislation. I would certainly be interested in hearing from readers about the utility of this legislative list. Does it provide some helpful information? Is there more information that might make it more useful? Or am I just wasting my time?

TSA - Pipeline System Operator Security ICR

TSA has published in Monday’s Federal Register (available on-line on Saturday) a 30-day notice for a new information collection request (ICR) that has been forwarded to the Office of Management and Budget (OMB) for approval. If approved by OMB, the ICR will authorize TSA to collect security information from pipeline operators. This is a follow-up to the 60-day notice that was published last July and it has been slightly modified in response to the four public comments submitted on that notice. The ICR continues to support the request for the voluntary provision of contact information on both security managers and pipeline operations centers. It also provides for notifications of all incidents “that are indicative of a deliberate attempt to disrupt pipeline operations or activities that could be precursors to such an attempt” (75 FR 49944). Details of collection methodology are provided in the draft Pipeline Security Guidelines that have not yet been made public. Presumably the Guidelines will be published in the final form once OMB approves this ICR. Public comments on this ICR need to be submitted to OMB by September 15. Comments should be addressed to Desk Officer, Department of Homeland Security/TSA and emailed to oira_submission@omb.eop.gov or faxed to (202) 395-6974.

Saturday, August 14, 2010

Preparedness Dialogue Update 08-14-10

As of 10:30 am this morning the FEMA Preparedness Dialogue had a total of 54 ideas posted (two of them are mine), with 96 comments appended (one of them is mine), a total of 441 votes cast and 164 registered users. These are kind of disappointing statistics for the first week of operation; not unexpected though, as DHS is doing little to publicize this dialogue. I guess they are depending on bloggers and such to make this go viral; they are going to be disappointed.

My New Idea

I posted a second Idea on the Dialogue this morning dealing with the TSA gas dispersion study that I discussed here (twice) earlier this week. Here I suggested that FEMA might also have an interest in participating in the TSA study because of the preparedness issues that may be affected by the results of the study.

Military Assistance

Other than my two ideas, there is really only one other idea posted to date that would potentially be useful in emergency response planning for high-risk chemical facilities; it deals with using the resources of the US military as part of the government's planning for and response to a variety of natural or man made catastrophes. I have always maintained that the only organization with the necessary logistics, transportation and communications capabilities needed for responding to a truly national catastrophe is the US Military. The only surprising thing to me here is the response to this idea; it has a -3 vote total so far. There are no negative comments (I did provide some minor supporting comments to this idea); it is not clear what the reason is for the negative votes.

Idea Tracking

These are the three Ideas that I am tracking because I think that they might be of interest to the chemical security community. I submitted the first and last Ideas on the list.

Counter-Terrorism Emergency Response Plan - CFATS (+3 Votes, Ranking 26)
Bring in the Military (-3 Votes, Ranking 54)
TSA Chlorine Dispersion Modeling Study (+1 Vote, Ranking 43)

Friday, August 13, 2010

DHS CFATS FAQ Update 08-13-10

This week the folks at the ISCD Help Desk added four new questions (and answers) to the CFATS frequently asked questions (FAQ) list on the CFATS Knowledge Center. All four of the questions deal with the on-going Agriculture Survey. Those questions are:

1685: What is the definition of a pesticide for the purpose of the Agriculture Survey?
1686: I submitted the Agriculture Survey for my facility and, in reviewing my printed copy, found a significant error. What can I do?
1687: I didn’t identify any COI that functions as a pesticide, yet I was still asked to identify pesticide products. What do I do?
1689: I am an agricultural facility subject to the indefinite extension to the Top-Screen submission deadline, published on January 9, 2008. I purchase and apply at my agricultural facility a product containing COI from a distributor. For the purpose of the Agriculture Survey, do I “commercially apply” the COI-containing product?

There is no real new information in the answers, just clarification of already available data. As I usually do, though, I recommend reading the answers, even if your facility does not have to complete the Survey. It does provide some insight into how the folks at DHS look at CFATS issues. For example, the gap in the numbers between question 3 and 4 is something that has happened fairly routinely over the last three years. The ISCD staff prepares a number of questions that they think will be asked about new programs; that way the Help Desk folks have a prepared and approved answer on hand when the questions are actually asked. Some sort of internal rule requires that the question has to be actually presented to the Help Desk before they can publish the question/response on the FAQ list. Maybe we'll see question 1688, maybe not.

Water Security Congress

Today the ASDWA Security Notes blog announced that registration is now open for the AWWA’s 2010 Water Security Congress. As I have mentioned before, water security is not chemical facility security (water treatment facilities are currently exempted from CFATS by specific language in the §550 authorizing legislation) but chemical security is an important component of water facility security for many water systems. Looking at the WSC10 technical program web page we can see that the organizers of this annual get together certainly realized it this year. There are a number of presentations and one workshop that address chemical security related issues. On Sunday (09-19-10) there will be a workshop on the new voluntary consensus security standard (AWWA/ASME-ITC) for water facilities, J100-10 Risk And Resilience Management Of Water and Wastewater Systems, based on the RAMCAP – Plus methodology. This is one of the justifications that I mentioned in a previous blog that the AWWA is using to support their opposition to CFATS coverage for water treatment facilities. A Tuesday afternoon session on chlorine and cyber security will include a presentation on the legislative changes that are being proposed for the CFATS program. Of course the two of interest to this community are the removal of the water facility exemption and then the IST proposals. A second presentation in that session will look at IST evaluations in detail; specifically addressing drivers for chlorine substitutes. The remainder of that session will look at cyber security issues for industrial control systems.
 