Tuesday, November 30, 2010

HJ Res 101 to Extend CR

This afternoon the House Rules Committee met to set up the rule for the House debate tomorrow of HJ Res 101. That resolution would amend this year’s Continuing Resolution (PL 111-242) to extend the expiration of the authorization for government spending until December 18th, the Saturday before Christmas. The wording of the 41-word resolution would specifically extend the current CFATS authorization until the same date (the extension in §124 of the Continuing Resolution was tied directly to the expiration date of the CR in the §106 amended by this resolution).

House Resolution 1741 will first be debated for up to one hour and then voted upon. If that resolution passes, the next order of business will be another hour of debate on HJ Res 101 and then a vote. No major delaying actions will be allowed (other than a possible motion to recommit).

The joint resolution will almost certainly pass, giving the Congress another two weeks (plus a couple of days) to decide which option (described in yesterday’s blog) to pursue. There would always be the possibility of another CR extension to December 24th.

Chemical Sector Coordinating Council Attacked

There was a very misleading article posted on the Washington Post web site this last Thursday. It reflects a very paranoid assessment of cooperation between industry and government and cannot even get the name of the organization it is attacking correct. It misleadingly identifies the Chemical Sector Coordinating Council (misnamed the Chemical Sector Committee) as a policy advisory agency, implying that the CSCC helps to set regulatory requirements for chemical security.

Purpose of Sector Coordinating Councils

The CSCC is just one of 18 such organizations established under the Homeland Security Presidential Directive #7. These Sector Coordinating Councils are established to provide a forum for industries within the 18 critical infrastructure sectors to share information about infrastructure protection, both within the sector and with the federal government. There are no government officials serving in any of the SCCs. There is a similar Government Coordinating Council for each sector, made up of representatives from federal agencies, State and local governments for that sector, with a similar mandate. Coordination between the two is done by the Sector Specific Agency office within the appropriate Cabinet level agency. For the Chemical Sector, that agency is DHS, but the chemical sector specific agency office is completely separate from the Infrastructure Security Compliance Division that manages CFATS implementation.

Congress has given DHS very limited authority to manage security issues in the chemical sector. The CFATS regulations cover just a tiny minority of chemical facilities. Even if you consider facilities that use the highest-risk chemicals, CFATS regulates only a small percentage of those facilities. The work of the CSCC helps to share information on chemical security measures for both those facilities covered under CFATS and those that will never be regulated by DHS.

The security guidance and information produced by the CSCC can get to industry much quicker than DHS will ever be able to implement security regulations. The CSCC is not bound by the requirements for publishing and public comment that DHS is, so they can respond much quicker to new and changing security conditions. Of course, their recommendations are not regulations and no one is required to follow their guidance.

A good example of this is the recent publication of the Roadmap to Secure Control Systems in the Chemical Sector. While Congress has just begun to debate the whole issue of regulating cyber security, a debate that, as of yet, hardly touches on chemical control system security, the CSCC has already provided the chemical industry with the information needed to get them started moving down the road to increased control system security. Now Congress might eventually get around to enacting legislation that would authorize DHS to establish regulations, but the effects of such regulations would be years in the making. Because of the CSCC, the chemical industry already is sharing the information to begin to allow them to move in the direction that might be mandated by Congress eventually.

Influence on CFATS Regulations

The Washington Post article implies that the CSCC directly influences the implementation of chemical security regulations. This is a gross exaggeration and oversimplification of the regulatory process. First off, the CSCC has no official connection with CFATS policy or regulatory development. Do individual members of the CSCC lobby DHS generally and ISCD specifically? Absolutely. Does industry control the CFATS process? Absolutely not. All one has to do is look at the lawsuit filed by the petroleum industry (one of the richest, most politically influential portions of the chemical sector) to get DHS to stop regulating security at their fuel distribution centers, to see how DHS applies their regulations despite industry objections.

But yes, DHS does seek input from the chemical sector, as required by both law and common sense. Congress has established a regulatory establishment process that requires the executive branch to take into account the impact their regulations would have on the business community. Overly burdensome regulations serve no purpose; they will either drive companies out of business, or force them to include the costs of fines in the cost of their products as they ignore the regulations. Now there will be legitimate disagreements about what constitutes ‘overly burdensome’ regulations, but those disagreements will be resolved through the political and legal processes.

Industry Participation

From a common sense perspective, DHS should consult with the industry that they regulate. Chemical facility security is a relatively new field and there are few, if any, real experts. Industry self-interest dictates that they will hire or develop such experts as they need to secure their facilities, and they will pay better than the government. That, combined with the minuscule number of people authorized by Congress to develop and enforce chemical facility security regulations, ensures that DHS will have to frequently turn to industry to advise them on how to effectively achieve the government’s security goals.

DHS ISCD is to be commended on the way that they have worked with industry to ensure as trouble free an implementation of a major new regulatory framework as possible. Each step along the way DHS has used voluntary cooperation from some of the highest risk facilities to walk those facilities through the innovative Chemical Security Assessment Tool. The lessons learned in those cooperative ventures have been used to modify the tool to make it easier to use for subsequent users.

This does not mean that DHS has allowed industry to set the standards by which they are evaluated; they just made the process easier to follow. Anyone that has been following the CFATS implementation process knows that there have been many industry objections to some of the requirements. Some have been changed when there was sufficient justification; most have remained the way they were designed. Some of the delays in the Site Security Plan approval process have been because ISCD kept holding facilities to the standards that they had set forth in the Risk Based Performance Standards Guidance Document when industry interpreted those standards less strictly than did DHS.

Political Discussion

Articles such as this one in the Washington Post do little to advance the legitimate political discussion about potential changes to chemical security legislation. The blatant mischaracterization of the Chemical Sector Coordinating Council as a body of insiders designed to influence the chemical security process at DHS is factually flawed and denigrates a legitimate effort to enhance the security of the chemical industry, and by implication similar efforts in the other critical infrastructure sectors.

The admitted fact that many of the companies that participate in the CSCC have also politically opposed the simplistic application of inherently safer technology as the savior of chemical security has little, if anything, to do with their legitimate interest in cooperation to enhance chemical facility security. Even those that disagree with industry on the IST issue should applaud the industry’s effort to extend chemical security activities to unregulated chemical facilities.

Ill-advised attacks like this article poison the political atmosphere and make it more difficult to establish a real dialog that will help to advance the legitimate security concerns of those on both sides of the debate.

TSA Pipeline Corporate Security Review 30-Day ICR

Yesterday the Transportation Security Administration (TSA) published a 30-day information collection request (ICR) notice in the Federal Register for the proposed Pipeline Corporate Security Review (PCSR) program. This would be a follow-up to their 60-day notice that I discussed back in August. TSA proposes to conduct “likely 12” (75 FR 73117) of these PCSRs each year at selected facilities from up to 2,200 potential locations.

Public comments on this ICR are being solicited and should be submitted by December 29th, 2010. Comments should be submitted to the Office of Management and Budget’s Office of Information and Regulatory Affairs. Those comment submissions should be addressed to Desk Officer, Department of Homeland Security/TSA, and sent via electronic mail to oira_submission@omb.eop.gov or faxed to (202) 395-6974.

ICR Description Revised

The information provided in this ICR notice is substantially less complete than that provided in the earlier 60-day notice (75 FR 42086-87). Since the reference to the earlier notice does not mention whether comments were received, it is not clear if this constitutes a change in the ICR because of comments received on the original notice or if this is just due to a condensation of the description. To be fair, the current notice lists the description as an ‘Abstract’ rather than a full listing of the ‘Purpose and Description of the Data Collection’.

There are, however, two apparent substantive differences in the descriptions of the information collection processes. The first difference involves the scope of the information collection. In the 60-day notice the on-site visit is specifically described as a two-phase visit. The first portion would be conducted at the corporate headquarters with follow-ups at “one or two of the owners/operators assets to further assess the implementation of the owner's/operator's security plan” (75 FR 42086). There is no such reference to assessing security plan implementation in the current notice.

To my mind the most important difference in the two ICR notices is that the current notice contains no mention of TSA’s responsibility to protect the information collected. The original submission contains the following language:

“TSA assures respondents that the portion of their responses that is deemed Sensitive Security Information (SSI) will be protected in accordance with procedures meeting the transmission, handling, and storage requirements of SSI set forth in 49 CFR parts 15 and 1520.” (75 FR 42087)

One would like to assume that this lack of SSI language is merely a bureaucratic oversight, but if I were a pipeline operator I would prefer to have this clearly documented since there is no specific regulatory mention of such protections, there being no current pipeline security regulations.

Monday, November 29, 2010

CFATS Knowledge Center and FAQ Update 11-29-10

This morning DHS ISCD updated their CFATS Knowledge Center web page with a new item under the ‘Latest News’ heading and added four new FAQ questions and responses. The news item is specifically directed at refineries and LNG facilities. The four new questions are, for the most part, predictable questions concerning the SSP Edit process.

The news item deals with the actual Top-Screen tool and does not appear to necessitate a change to the Top-Screen manuals nor the Top Screen web page. Nor does it require any new Top-Screen submissions. The news item reads:

“Attention refinery and LNG facilities: the Chemical Security Assessment Tool (CSAT) Top-Screen tool has recently been enhanced to make it easier for such facilities to enter information about Theft/Diversion chemicals of interest (COI). DHS is aware that some refinery and liquefied natural gas (LNG) facilities previously encountered some difficulty using the prior version of the CSAT Top-Screen tool to locate questions related to Theft/Diversion COI. This enhancement to the Top-Screen tool does not change those questions but will enable refinery and LNG facilities to find and answer those questions more easily in any future Top-Screen submissions.”

The four new FAQs are:

● 1714: What administrative edits can be made to a submitted Site Security Plan (SSP)?
● 1715: What technical edits can be made to a submitted Site Security Plan (SSP)?
● 1716: How frequently can I make a change to a submitted Site Security Plan (SSP)?
● 1717: I started to edit a submitted SSP to make a technical (or administrative) change and realized the previously submitted SSP does not need revision. What should I do?

DHS Directed Edits

The only new information provided in the FAQ is found at the end of the response to FAQ # 1717. There it says: “DHS-initiated SSP survey edits may NOT be deleted at the facility’s request.” I cannot find any mention of ‘DHS-initiated SSP survey edits’ in the CSAT SSP Edit Process User Guide. I would suppose that these edits could technically fall into either the administrative or technical edit categories, but I would not expect that they would be subject to the limit on the frequency of technical edits. I am certain that DHS will notify facilities about such directed edits and that the notification would include instructions on how to complete the edit.

I will see if I can get some additional information on these directed edits.

Congress Returns Today

Today marks yet another return of the lame duck session of Congress, this time after a nine (or ten) day Thanksgiving weekend. There are a lot of high-priority issues that must be dealt with by the end of the calendar year and it is unlikely that the legislative year will last past Christmas Eve. Only one of these high-priority issues, the budget, has the potential for directly affecting chemical security issues. But there are other legislative issues that might come up that might be of interest to the chemical security community.

The Budget

As of last night there was still no indication on the web sites for either the House or Senate spending committees that there was any movement on the budget. Since something must be done by midnight Friday (or the federal government will ‘shut down’), that means that there is almost certainly ‘behind closed doors’ work being done on the budget. I don’t have the kind of contacts necessary to tell you what is being discussed, but I would surmise that it falls into one of three categories:

• A short term continuing resolution with an end date of no later than December 24th;
• A long term continuing resolution with an end date after the first of the year; or
• An Omnibus spending bill.

The latter would indicate that they had reached at least some form of agreement with the current Republican membership in the Senate that would allow for some of the spending priorities of the Democrats to be included in the budget. The first will take place if the Democratic leadership thinks that they have a decent chance of wearing down opposition on at least some of their additional spending priorities in an Omnibus spending bill. If Reid sees no chance of getting any of the Democrats’ priorities included in the budget, we can expect to see them punt the problem to next year, where the Democrats will do their best to ensure that the Republicans take the blame for any budget.

Any of the above options will almost certainly include specific language extending the authorization for CFATS. Now this is where it gets potentially interesting. Since it appears that any Omnibus bill will come out of the Senate (to be tacked onto one of the two budget bills passed by the House in June before the House Appropriations Committee stopped work for the year), a very important player in the bill will be Sen. Lautenberg (D, NJ) who is acting chairman of the Homeland Security Subcommittee.

Sen. Lautenberg has very definite views about what should be included in the CFATS program; for example, he has been an active supporter of IST and of limiting federal pre-emption of State chemical security rules. Two years ago, Sen. Lautenberg was at least influential in the addition of revised federal pre-emption language in the Homeland Security spending bill.

It is highly unlikely that a full-blown IST provision would be added to a spending bill; that would draw the ire of Sen. Collins, a vote that would be necessary for the Democrats to pass the bill in the Senate. Some other, carefully crafted, expansions of the CFATS authorization might make it past her opposition in the larger Omnibus bill. Any Lautenberg proposals would almost certainly pass, this year, in the House; not so likely next year.

CFATS Legislation

It continues to be unlikely that any CFATS specific bill will pass this year. The Senate Homeland Security Committee has yet to publish their report on HR 2868, the only bill that has any chance of being passed, so any consideration of that bill in the Senate is being delayed. A vigorous floor debate on that bill is a certainty, with Democrats sure to try to get IST and whistleblower provisions, at a minimum, added to the bill. This will be their last chance for at least two years to get such measures considered, much less passed.

The only other bill that has even a remote possibility for consideration is Lautenberg’s S 3598, the water facility security bill. Since Sen. Boxer’s Committee has not officially looked at the bill (their one hearing this summer was generic) and does not have a mark-up hearing planned, this bill will not make it to the floor for consideration. Even if it did, it would not garner enough votes for cloture.

Cyber Security Legislation

There are a number of bills in various stages of the legislative process that deal with cyber security measures and only one, HR 6423, actually addresses control system security. None of them is likely to be brought to a floor vote in either house. Sen. Lieberman (I, DE) made this point clear in the Stuxnet hearing earlier this month when he promised to re-introduce S 3480 early in the next session.

Inserted Stuff

This late in the session, and with a change in control coming in the next session, we are going to have to watch closely any controversial legislation that passes. Deals are going to be made, and there are a number of people that have only a very limited number of options to get favorite things passed into law. This is a great prescription for little-noticed items added to various bills, especially spending bills. We’ll have to watch for these additions.

Emergency Response Training

An emergency response plan that has not been supported by training and exercises is a complete waste of paper. People and organizations need to be trained to accomplish the tasks required in an ERP, and the ERP must be practiced to ensure that it is practical, effective and achievable. There is an excellent article at FireEngineering.com about what goes into planning a full-scale hazmat exercise. The author, Steven De Lisi, also touches on some of the important training that supports the exercise and the ERP.

Performance Oriented Training

De Lisi notes in his article that the “components of a well-developed performance objective must include reference to the equipment used in accordance with an established standard that defines the conditions under which a task is performed and the level of performance that is considered acceptable”.

The military recognized the importance of these performance objectives almost forty years ago when they developed their performance oriented training (POT) programs. The Army realized that knowledge oriented training, the ability to answer questions on a written test in a classroom, did not translate well into being able to respond to a real world situation on a battle field.

The Army’s POT program was based on a three-component definition of each training requirement. Those components were:

TASK: A short, concise action-oriented description of the job that had to be accomplished.

CONDITION: A description of the real world situation in which that job would have to be accomplished, including a listing of the equipment required to complete the task.

STANDARD: A clear statement of the measurable objective requirements that would signify acceptable performance of the task in that particular environment.

De Lisi uses the example of victim decontamination in his article to describe how a performance objective would be written for an exercise: “Can first responders assigned to an engine company use equipment normally found on a standard engine in the department to decontaminate 10 ambulatory victims within 15 minutes?” Translating that into the POT definition requirements we would have:

TASK: Decontaminate Ambulatory Victims

CONDITION: Given the equipment normally found on a standard fire engine;

STANDARD: Decontaminate 10 ambulatory victims within 15 minutes.

This is a nice generic training description. If the emergency response plan were designed for a generic chemical spill, for example a highway spill from a truck in transit through the community, this could be an adequate definition of the training objective. If, however, the ERP were for a specific chemical release from a specific facility, the task would include the name of the chemical, the condition might describe the type of release (catastrophic tank failure vs. small spill, for example), and the standard might include how adequate decontamination was measured (utilizing a specific paper test strip, no color change indicating contamination).

Identify Training Requirements

An effective emergency response plan will have to identify the tasks that each supporting agency would be expected to successfully complete to adequately support that plan. In the Army we identified these organizational tasks as ‘Missions’, but the same performance oriented description would apply, simply substituting the word ‘mission’ for the word ‘task’. In any case, a clearly defined and mutually accepted description of what the organization is expected to be able to accomplish to support the ERP is essential.

The words, ‘mutually accepted’ are a very important part of the last sentence that cannot be ignored. An emergency response planner might determine that a local fire department needs to be able to measure the concentration in the air of a chemical of interest as part of their portion of the emergency response plan. If the fire department does not have the necessary equipment, or the funds to obtain the equipment, to measure that chemical concentration, then the inclusion of that requirement in the plan is useless.

If the supporting organization cannot agree to a particular mission requirement, the emergency response planner has just three options: delete the requirement, transfer the requirement to another organization, or work with the organization to overcome the obstacles to their acceptance of the requirement. Even when there is a command relationship between the planner and the organization, these are the only real options.

Supporting Emergency Response Plans

Every agency or organization identified in an emergency response plan as having a supporting mission or task to accomplish must be required to develop their own, supporting emergency response plan that includes the necessary training tasks that support that mission/task accomplishment. For example, let’s look at the decontamination task above.

If a fire department is given the responsibility (mission) to decontaminate victims prior to their evacuation to medical treatment, the emergency response planner at that department is going to have to devise a plan to support that requirement. First they will have to decide if every engine company in the department will be required to be able to support the decontamination task, or if only selected companies or even perhaps just one engine company will be so required. A lot will depend on the amount of specialized equipment that will be necessary for the decontamination task. There might be a general decontamination requirement for every company, but just one company might be required to have the specialized equipment for one specific chemical. If that is the case, the other companies have to know that they are not to attempt the decontamination of that particular chemical.

As one goes down the organizational tree, it is quite common for task/mission definition to expand into multiple tasks. Again, using the decontamination task identified above, at the engine company level that might be expanded to include a task for identifying the chemical of concern (if the chemical is not present, decontamination might not be necessary), isolation of contaminated victims from non-contaminated victims (to avoid increasing the number of people requiring decontamination), and marking of decontaminated victims (so they can receive appropriate medical treatment).

At some point in the emergency planning process, the planner will not have sub-organizations to task with requirements; they will be dealing with individuals. The training identification process will be very similar, though. Individual supporting tasks will be identified, the conditions under which those tasks will be performed will be described, and the measurable standards that must be met to successfully complete each task must be established.

De Lisi makes an important point in his article about establishing training standards; there may already be standards developed. He notes that “national performance standards such as those published by the National Fire Protection Association can provide additional guidance when developing performance objectives”. Utilizing established standards, where applicable, makes the job of the emergency response planner, and the subordinate agencies much easier. Even modifying those standards to fit specific circumstances may make it easier to develop appropriate training plans.

Exercises and Training

The only thing more dangerous than an emergency response plan that has not been exercised is the complete lack of an ERP. Until an ERP is put through an evaluated full-scale exercise, no one really knows if it will work. But there is nothing more embarrassing than conducting an exercise for which one or more supporting agencies are not prepared. That’s why emergency response plans are evaluated from the lowest level up.

Individuals that make up the various emergency response teams are evaluated by their immediate supervisors on the task they have to be able to complete. Each team or organization is evaluated, in turn, by their tasking organization. Once each element demonstrates proficiency the next level of evaluation or exercise can proceed.

At each level it is important to understand that the evaluation must be designed to accomplish two tasks. First (and most obvious) is to ensure that the standards set in the emergency response plan can be met. But, just as important (and frequently missed), the adequacy of the defined task/mission to support the next level of the ERP must be evaluated.

If the evaluated task does not fully support the requirements for mission accomplishment at the next level, no amount of proficiency at the task will be adequate. The earlier, and lower in the training process, these discrepancies are noted, the easier it will be to correct the problem.

There is one last point that has to be made about the training process. At each level of evaluation, every subordinate level must also be evaluated. This increases the proficiency of each element being evaluated and also makes it easier to identify why an organization was not able to accomplish a given task to the required standard.

To give a military example, when an infantry company was evaluated on their ability to perform a mission, there was an evaluation team in each of the platoons that made up the company. When possible, there was a team evaluating each squad within each of those platoons. If evaluation manpower was short, at least one of the squads would be evaluated within each platoon. In each evaluated squad, one or two individual soldiers would be specifically evaluated on specific mission supporting tasks. This way there was a complete, vertically integrated evaluation of the ability of the company to perform its mission.

After Action Review

Every time an emergency response plan is used, either for an exercise or an actual emergency situation, it is absolutely imperative that a detailed after action review is undertaken. This review must clearly identify what happened, what portions of the ERP worked and which didn’t. Suggestions for improvement of the ERP, at all levels, must be developed (and every plan can be improved) and a specific plan for implementing those improvements must be established utilizing the same principles outlined above.

Finally, the improvements must be evaluated, again, working from the lowest affected level upwards. This must be a process of continuous improvements. The health and safety of the community and the emergency responders demands it.

Friday, November 26, 2010

SCADA Exploit Vulnerabilities

Readers of this blog will have noted that I have been writing more often about identified vulnerabilities in various industrial control systems and even the existence of published exploits to use those vulnerabilities to attack such control systems. Earlier this week I did a posting about the Stuxnet man-in-the-middle attacks that Ralph Langner has identified. On Wednesday Ralph posted a new entry into his blog that builds on the dangers identified in that attack methodology.

Not Patchable

One important point that Ralph continues to make is that we should not be expecting a ‘patch’ from Siemens to ‘correct’ the vulnerabilities used by Stuxnet. He points out that these vulnerabilities are “regular product features that you find in the majority of these systems, regardless of vendor [emphasis added]”. Eliminating these potential attack points is not going to just require a revision of the Siemens software, but also a complete reworking of the programming for each of the millions of controllers currently in place in manufacturing facilities around the world.

It is not realistic to suppose that the multitude of controllers currently in use will be re-worked to avoid the attack techniques that Stuxnet utilized. I’m not sure about future PLCs (I’ll leave that discussion to the engineers and security professionals), but it is just not practical to make such radical changes to all of the devices currently in the field. It cannot be done piecemeal; it will require a simultaneous reload of all control software and PLC firmware in a facility to minimize the risk of compatibility issues. This would make for a very long turnaround time, with extensive (expensive) pre-installation testing and post-installation troubleshooting. Even then, subsequent process problems will be almost inevitable.

Not Limited to Stuxnet

Ralph makes the point that the two attack modes he describes in his Stuxnet analysis blogs are not limited to being used by Stuxnet (they could be carried by other attack vectors), nor are they limited to being applied to just Siemens-controlled systems. Since the attacks actually take aim at the PLCs, not the Siemens workstations, any industrial control system that utilizes programmable logic controllers could be attacked using these two modes.

One of the things that Ralph doesn’t explicitly state in his blog, yet is clearly implied by his discussion, is that any vulnerability in control systems that allows an attacker to gain system access to allow code injection to the controllers would allow for a Stuxnet like attack on those systems. Ralph does note that the “development tools to aid in the [code injection technique] development are [available] in the wild”.

The hard work has been done. Now all it takes is a reasonably technically proficient person with the necessary intent to launch the next attack on industrial control systems. An attacker without any process knowledge could launch an attack that could randomly disrupt control system operations to the extent that facility shutdown would be required. An attacker with basic process knowledge (from a disgruntled, or cash strapped insider for instance) could cause worst case process upsets resulting in catastrophic failures of processes and/or equipment that could seriously affect the neighboring community.

DHS CSAT FAQ Update 11-26-10

Earlier this week the folks at DHS ISCD updated their CFATS Knowledge Center page with two new frequently asked questions (FAQ), a new article, and a ‘Latest News’ entry about the SSP webinars. The new article/FAQs are:
• 1711: How can I make a change to a submitted Site Security Plan (SSP)?
• 1712: I am working on my facility’s Site Security Plan. How can I register to participate in a DHS SSP Webinar?
• 1713: How to Register for a DHS CSAT-SSP Webinar
The ‘Latest News’ piece is:

“Weekly CSAT-SSP Webinars are now open to any CFATS facility with a pending SSP. Webinars are held each Wednesday from 11:00 AM to 1:00 PM EST and 2:00 to 4:00 PM EST. A facility may register up to five persons to participate in one or more of these weekly webinars. See the Article “How to Register for a CSAT-SSP Webinar” posted under “Articles” above for registration information and requirements.”
If you read FAQ 1712 and Article 1713 you are going to find that they are identical. This will be kind of surprising unless you understand the organization of the Knowledge Center page. Articles are listed on that page and their limited number (currently 7 articles) means that the title is always visible on that page. The large number (437) of searchable FAQs makes it very unlikely that any particular FAQ will be visible on the Knowledge Center when you first land on it.

SSP Webinar Registration

The key point of this whole update is disseminating the sign-up procedure for their two SSP webinars conducted every Wednesday (presumably absent any Federal Holidays). ISCD has farmed out the management of the registration process. To register you need to send an email to cfatsssp@absconsulting.com. The email must include the following information:

• Name
• Position
• Company Name
• Facility Name
• Facility Number
• SSP Due Date
• Number of Participants
• Names of Participants
• Session Preference (morning or afternoon)
Reservations are on a modified first-come-first-served basis. DHS notes that “in the rare event that a webinar is fully booked, preference is given to facilities within 30 days of an SSP due date followed by those facility representatives that have not participated in a previous SSP Webinar”.

I haven’t seen this webinar, but the ones that I have seen put on by ISCD have provided valuable information. Once again I suggest that facilities book a conference room where they can get all of their CFATS team (including consultants) in the room to watch the webinar at one time. To be fair to other participants, you will need to manage the participation in the question-and-answer period so that one person asks the questions for the group.

Data Set Download Note: The downloadable list of FAQ/Articles has been updated to include the items mentioned above. Still no way to identify that without downloading the data set, but it is current.

Wednesday, November 24, 2010

Hazmat Fusion Center

There is an interesting article over at UrgentComm.com about the National Hazmat Fusion Center and their new web site. Actually the article describes the site as a web portal since it serves as a communications link between members and an information source to and from the two sponsoring organizations, the DOT Pipeline and Hazardous Material Safety Administration and the International Association of Fire Chiefs.

The press release from the IAFC about the new web portal describes it this way:

“The internet-based portal marks a significant milestone in the broader hazmat community. It closes a historical gap in nationwide, hazmat-information sharing capabilities by providing responders with unprecedented opportunity to both contribute to and access a suite of readily available resources. This free resource serves as a one-stop shop for hazmat-response information, including training packages, reports, incident-based case studies, statistics, trends, alerts, recommendations and peer-to-peer networking.”
Emergency Response Lessons

One of the unique things about this site is that it provides a way for sharing information about emergency response lessons learned from actual incidents. It utilizes two different information collection tools. First, members (organizations and individuals) can submit reports about incidents that they have responded to, describing new or unusual situations and sharing information that did, or did not, work. Before such reports are posted online, they are stripped of identifying information, so that they really are learning tools.

Another way that real-life emergency response lessons are collected is through the use of the Regional Incident Survey Teams (RIST). These teams are made up of volunteers that are dispatched to look at actual incidents upon request of the local emergency response agency. The team members are experienced first responders with additional training on investigating, analyzing and reporting about hazmat response incidents. The RIST reports are prepared in two versions, the publicly available summaries, and the more detailed reports that are available only to members.

I first wrote about this fusion center in 2008 when they were forming the RIST. Looking at a few of the RIST summaries, it looks like these teams are providing a valuable service. This portal will make that service even more valuable since it will provide a way for more people in the emergency response community to find out about the service.

Other Information Available

The site also serves as a clearing house for other information of interest to the emergency response community. Located on the Home page today are links to a new Hydrochloric Acid Release training program, information on Hazardous Materials Emergency Preparedness (HMEP) grants, and an information bulletin on responding to chemically assisted suicides.

DHS Support Needed

Right now it looks like the only federal agency providing active support for this fusion center is PHMSA. This is a hazmat fusion center for emergency responders, a hazmat safety activity if there ever was one, so the PHMSA involvement is certainly central to that mission. Since the IAFC is involved, I would assume that there are at least informal links to the US Fire Administration and to the FEMA grants folks.

If the security agencies in DHS that are focused on hazardous material security (CFATS certainly, TSA ground freight, and MTSA) were more focused on the emergency response side of hazmat protection (not their fault, short sighted laws ignored response to attacks in authorizing these programs), then they would have an obvious interest in supporting this fusion center.

Now this is not a ‘Fusion Center’ in the DHS use of the term; it does not spend much time or effort (apparently) looking at intelligence collection and dissemination. It is after all an emergency response fusion center not a law enforcement fusion center. Nevertheless, the DHS intelligence folks are missing a very important potential asset if they don’t look at providing some intel support to this fusion center. Passing terrorist intent and capabilities information to this group could go a long way towards saving lives in the event of an attack. And setting up a reporting mechanism for emergency responders could provide a valuable source of information to the intelligence community.

Finally, the chemical community (producers, users and shippers) has a very large and clear self-interest motive in supporting this organization. I’m sure that they could use some financial support, but more importantly they need to be able to call on the technical expertise of the chemical industry. Establishment of links with groups like ACC, SOCMA, NPRA and the like would be beneficial to both the emergency response community and the chemical community they support.

CFATS FAQ Dataset Updated

On Sunday I noted that DHS had not updated their downloadable file containing a complete list of their frequently asked questions (FAQ) when they updated the responses to two of those questions. Yesterday afternoon I downloaded that data set again and it did include the updated responses. There is still no obvious way of knowing that you have the most up-to-date version of that data set (I still am resorting to including the date of download in the file name when I save the data set).

Once again I applaud DHS publishing this list, but they have set themselves up for complaints of this sort. I understand that the updating of this document is an added complication for their Help Desk people, but once you establish the document as being publicly available, you have a responsibility to keep it current.

A suggestion: add an ‘Updated on’ date to the download link on the CFATS Knowledge Center page. Then I would update the file on a scheduled basis after any changes are made to any of the underlying questions.

S 3964 Introduced

Last week Sen. Casey (D, PA) introduced S 3964, the Faster Action Safety Team Emergency Response Act of 2010, that is supposed to “provide for an expedited response to emergencies related to oil or gas production or storage”.

Regulations Required

This legislation would provide the Secretary of Labor, through OSHA, with the authority to establish regulations providing for emergency response requirements for on-shore oil and/or gas drilling operations. The regulations would require operators to have a person on-site at all times who is familiar with emergency response requirements and to have a certified “well response team” available to respond to emergencies at the well {§3(b)(3)(A)}.

Another important component of this bill is that it codifies emergency notification requirements. It specifies time limits for notifying local first responders, OSHA, State environmental agency, and the National Response Center {§3(b)(4)}. The time limits start with the ‘commencement of an emergency situation’, a term that is not defined in the bill.

Interestingly there is no mention of a time limit for notifying the ‘well response team’, nor is there any mention of a response time requirement for such a team. The wording is so vague as to allow for the establishment of a single industry ‘well response team’ to be located in say, Maine, to respond to all on-shore emergency situations in the United States.

Finally, the regulations required by this legislation would require each operator to provide annual training to local first responders who might be called upon to respond to emergency situations at the well head. The training would cover “the hazards of a well and proper emergency response techniques” {§3(b)(5)}.

Where is FEMA?

I understand that OSHA is the federal agency tasked with looking after employee safety. Much of the wording of this regulation, however, focuses not so much on employee safety as it does emergency response, which is more properly covered by FEMA. The provision requiring someone on site with an understanding of emergency response procedures would certainly fall under the OSHA mandate, as would training requirements for industry emergency response teams. Training for public first responders is not covered by OSHA (in fact State and local government agencies are exempt from OSHA training requirements, which, in my not-so-humble opinion, is a safety travesty).

Lame Legislation

I am not certain why legislation like this is introduced in a lame duck session of Congress. There is little or no chance that this legislation will be considered by the Senate Committee on Health, Education, Labor, and Pensions, much less the Senate as a whole. There is certainly a lot of controversy in Pennsylvania about the operations of gas production in that State, but it is unlikely that this late bill will have any effect on resolving that controversy. Of course this may be a purely political bill that Sen. Casey will point to in a future election to show his concern about drilling safety.

It will be interesting to see how early in the 112th Congress this bill is re-introduced.

Tuesday, November 23, 2010

HR 5498 Status 11-18-10

Last week the House Homeland Security Committee finally got around to publishing their report (House Report 111-659) on HR 5498, the WMD Prevention and Preparedness Act of 2010. This bill was introduced with much fanfare back in June and the Committee ordered it reported favorably at their hearing on June 23rd. It only took five months to produce a committee report; so much for any chance of this bill being considered by the House. Add to that the fact that the Speaker extended the time limit for the House Energy and Commerce Committee to complete their consideration of the bill (no hearings to date) until December 3rd and we might as well declare this bill dead.

The proposed revision of the language of HR 5498 does little to increase the impact that this bill would have on the chemical community. This bill is basically a bio-security bill with a section on radiological dispersion weapons and only the occasional mention in passing of chemical weapons. It never discusses, addresses, or acknowledges the possibility of industrial chemicals being employed as chemical weapons, either in-situ or as delivered weapons.

The generic WMD provisions that I discussed in my earlier blog on this bill remain in the legislation. If this bill were to pass, these provisions might have some measure of effect on the chemical security community, but that would only occur if the people at DHS had more recognition of the potential uses of industrial chemicals as WMD than did this Committee.

Well, I will say one thing in the defense of the House Committee; they were much faster at publishing their report on this bill than their Senate counterparts have been in reporting on their WMD legislation (S 1649). The Senate Homeland Security and Governmental Affairs Committee ordered S 1649 reported last November and have yet to publish their report.

PSRC 2.0 Update

Last weekend I did a blog posting about the recent update to the DHS Private Sector Resources Catalog. In that post I listed three programs from the previous version of the Catalog that I could not find in the current version and I promised to get more information on the change. I got quick responses from the folks at DHS and I can now provide more information.

Two Programs are Still There

Two of the programs that I listed as missing from the current version of the Catalog are actually still there.

● Improvised Explosive Device (IED) Awareness Web Training
● Surveillance Detection Web Training
Mary Page from the Commercial Facilities Sector Office was kind enough to point out their location in the Infrastructure Protection chapter (pg 31) of the Catalog. Additionally she pointed me at a listing of the IED awareness training on their web page which provides a link to the registration form.

Program Canceled

The third program that I identified, the Security Outreach and Awareness Program (SOAP), is no longer run by the Chemical Sector Specific Agency (CSSA). This was a cyber security review program run by the CSSA, but responsibility for cyber security issues was transferred to the DHS National Cyber Security Division. Esther Langer from the CSSA informed me that the program that effectively takes the place of the old SOAP program is the ICS-CERT’s Cyber Security Evaluation Tool that I have previously discussed.

Stuxnet Man in the Middle Attack

Ralph Langner has been one of the people who have been providing the most detailed looks at the internal workings of the Stuxnet worm. The Symantec people have provided a great deal of data on the worm, but their expertise has been focused on the Windows side of the worm’s operation. That, after all, reflects the nature of their typical cybersecurity work. Ralph has been providing insights into the operations on the Siemens side of the process.

Ralph’s blog has been active on this topic since August, but he has been posting blog entries daily (sometimes twice a day) since November 11th. His postings have been vocal in their criticism of both Siemens and ICS-CERT in the lack of information that they have shared with Siemens users, suggesting that the reason is that neither organization actually knows much about the workings of Stuxnet.

In addition to these complaints, he has been providing a detailed look at the Stuxnet 315 and 417 attack codes. These are the two separate sections of the Stuxnet code that actually cause changes in PLC programming. These two attack modes are so different in their operation that Ralph suggests that they are actually targeted at two completely separate targets in the Iranian nuclear industry.

Cyber security professionals should be concerned about the method of operation of both of these attack codes, but as a process chemist I am much more concerned with the methodology used in the 417 attack codes. So much so, that I have to admit that this attack mode professionally scares the hell out of me. This is because it compromises the chemical process professional’s trust of, and reliance on, data provided by the process control system.

Description of Stuxnet 417 Operations

Ralph takes a number of blog posts (11-15-10, 11-16-10a, 11-16-10b, and 11-18-10) to properly describe the mode of operation for the man in the middle attack. To truly understand the operation you should read all four of these posts by Ralph. I’ll provide a brief summary here (a summary that Ralph is in no way responsible for).

In an automated control system the system takes inputs from various process measurements, compares them to the rules provided by the process professional, and automatically directs process equipment to respond appropriately. For instance, a typical process parameter is temperature. Inputs come from various temperature measurement devices in the process. If the measured temperatures are too low, valves are automatically opened to allow heat (via steam, hot water, etc) to flow into the process; when the process reaches the appropriate temperature range the valves are then automatically closed to stop the application of heat to the process. At the same time, the human machine interface (HMI) visually displays the temperature and the process response for that temperature to the human overseer of the process.

As Ralph describes the Stuxnet 417 operation the worm passively records process measurement inputs and outputs. When it executes the process changes programmed into the attack, it replays the normal process data for display in the HMI, allowing the operator and the process historian to see only that data that is expected in normal operation. This effectively prevents effective human oversight of the process or proper diagnosis of the process upset after the attack is over.

Process Implications

One of the biggest benefits of automated process controls in chemical manufacturing is that product quality is much easier to maintain because process variables are maintained through a narrower range than is possible with active human monitoring of those variables. Destroying that control capability via a man-in-the-middle attack like this could financially ruin many chemical manufacturers; increased raw material costs to remanufacture good product to fulfill orders and waste disposal costs are not easily recovered, especially in today’s economic environment.

From a security perspective the process safety implications are even more important. For many chemical processes there are safety limits for process variables as well as quality limits. One very typical limit is process temperature. There are a large number of processes, that if a critical temperature limit is exceeded, it is no longer possible to control the chemical reaction that takes place. These runaway reactions can, in some instances, result in process temperatures and pressures that will result in an overpressure situation that the press commonly calls an explosion.

While these catastrophic failures of process vessels are not technically explosions, the effect of such a failure would be the equivalent of a very large explosive device, potentially larger than even a VBIED. I have worked with military grade explosives and I have seen the results of a catastrophic process-vessel failure. I am much more concerned about a large vessel failure than I am with a typical terrorist bomb.

Process professionals typically understand the risks of these overpressure events and take appropriate precautions. Process controls are designed to prevent temperatures from approaching the runaway initiation temperature. Separate automated safety controls are designed to shut down the heat producing reactions that typically are the cause for these events. Unfortunately, it is becoming more and more common for these safety systems to utilize the same process input devices, computer systems, and often the same software, as the process control system as a cost control measure. Thus the compromise of process data by the Stuxnet 417 attack code could compromise these safety systems as well as the process control system.

Less than Catastrophic Attacks

Most industrial chemical processes that can result in catastrophic consequences only do so during specific, well defined portions of the manufacturing process. This means that a Stuxnet type attack leading to that catastrophic failure will require quite a bit of insider process knowledge. The attacker will need to know the process conditions that would lead to that event, when those conditions could lead to that event and how to identify that point in the process from information available through the process controller.

Terrorists would be expected to be best served by these high-visibility process failures, but there are other potential attackers that could benefit from less than catastrophic process failures. State actors wanting to disrupt opponents’ critical industrial processes, criminals wanting to extort money or even other companies trying to obtain a competitive advantage could benefit from a less targeted process upset event. Given recent Al Qaeda propaganda to the effect that they intend to conduct economic warfare in their future attacks, even they could be potential beneficiaries of process control attacks that don’t necessitate insider knowledge.

Langner identifies how this would be done. He notes that all “that needs to be done is to blind the legitimate program along with operators by re-playing normal input signals and manipulate outputs randomly”. Such random process changes are unlikely to cause catastrophic events in any but the most dangerous processes. They would almost certainly cause product quality issues. And Langner points out that it is entirely possible that such an attack “can be packaged into an exploit tool that lets attackers assemble an attack by point-and-click”.

To understand how thoroughly this can disrupt a chemical manufacturer (and to a lesser extent any manufacturer that uses process control software) you have to understand how companies that rely on product quality to market their wares deal with off-spec product. First the off-spec material must be isolated so that it cannot be inadvertently shipped to customers. Next an investigation must determine the cause of the quality issue and identify process changes that will prevent a recurrence of the problem. All of this will have an economic cost associated with the effort.

Since the advent of modern process control one of the key tools that the industrial chemist or engineer uses to diagnose process upsets is the Process Historian. This is a data file that collects information from the control system. If the data in the control system is corrupted, then the data in the Process Historian will be similarly worthless for the diagnosis of the problem.

If the cause of the quality issue cannot be determined by a detailed process data review (and it can’t be if the data is corrupted), most companies will resume production, keeping a closer eye on the process. If subsequent random and undocumented process changes are made, there will be additional quality issues (usually different issues), that will cause the isolate and investigate cycle to be repeated with their associated costs. With the actual cause of those problems equally impossible to identify, the manufacturer will have to shut down the process; continued manufacture will be just too expensive.
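The 417 replay described above (recorded input signals replayed to the HMI and historian while outputs are changed) and the historian problem just discussed both come down to the same defender’s question: can the plant tell that the data it is looking at is no longer the process? Two simple checks are shown below as an added example; this is not code from the original post, from Ralph Langner, or from any vendor product. The historian readings and the “independent” readings are constructed sample data, and the independent path (a hard-wired temperature transmitter logged by a separate recorder that the control system cannot write to) is an assumption of the example, not something the post describes.

```python
"""Two replay-detection checks over process-historian data.

Added example (not from the original post). All readings below are
constructed sample values for one temperature tag, one reading per minute.
"""

# Constructed historian sample. Readings 0-11 are genuine (sensor noise in
# the last digit). Readings 12-23 are an exact repeat of readings 0-11, which
# is what a replay of previously recorded input looks like in the historian.
HISTORIAN_TEMP_C = [
    80.1, 80.3, 80.2, 80.4, 80.6, 80.5, 80.3, 80.2, 80.4, 80.5, 80.3, 80.2,
    80.1, 80.3, 80.2, 80.4, 80.6, 80.5, 80.3, 80.2, 80.4, 80.5, 80.3, 80.2,
]

# Constructed readings from a hypothetical independent path (hard-wired
# transmitter, separate recorder). During the replayed period the real
# process is drifting upward while the historian still shows normal data.
INDEPENDENT_TEMP_C = [
    80.1, 80.3, 80.2, 80.4, 80.6, 80.5, 80.3, 80.2, 80.4, 80.5, 80.3, 80.2,
    80.9, 81.6, 82.4, 83.3, 84.1, 85.0, 85.8, 86.7, 87.5, 88.4, 89.2, 90.1,
]


def find_exact_repeats(readings, window):
    """Return (earlier_start, later_start) pairs where `window` consecutive
    readings are identical to an earlier, non-overlapping run of readings.

    A noisy analogue measurement essentially never repeats itself exactly
    over a run of this length, so an exact repeat is a replay indicator.
    """
    first_seen = {}
    hits = []
    for start in range(len(readings) - window + 1):
        key = tuple(readings[start:start + window])
        earlier = first_seen.get(key)
        if earlier is not None and start >= earlier + window:
            hits.append((earlier, start))
        else:
            first_seen.setdefault(key, start)
    return hits


def divergence_alarms(historian, independent, tolerance):
    """Return indices where the historian value and the independently
    measured value differ by more than `tolerance` degrees.

    Replayed data can only fool a path the attacker controls; a measurement
    the control system cannot write to keeps tracking the real process.
    """
    return [
        i for i, (h, x) in enumerate(zip(historian, independent))
        if abs(h - x) > tolerance
    ]


def assess(historian, independent, window=12, tolerance=0.5):
    """Run both checks and return a summary dict."""
    repeats = find_exact_repeats(historian, window)
    alarms = divergence_alarms(historian, independent, tolerance)
    return {
        "exact_repeats": repeats,
        "divergence_alarms": alarms,
        "suspect_replay": bool(repeats) or bool(alarms),
    }


if __name__ == "__main__":
    result = assess(HISTORIAN_TEMP_C, INDEPENDENT_TEMP_C)
    for name, value in result.items():
        print(f"{name}: {value}")
```

On the constructed data the first check finds one repeated 12-reading window starting at reading 12, and the second check raises an alarm on every reading in that period. The second check is the stronger of the two, since a replay that adds its own noise would defeat exact matching, but it only works if the comparison measurement really is outside the control system; a safety system that shares the same transmitters and software as the control system (the cost-saving arrangement noted earlier) provides no such independent path.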

Prevention is the Key

So, you can see why I am very concerned about the potential for this man-in-the-middle type of attack being used against chemical manufacturing facilities. Similar types of issues are possible in a wide range of industries utilizing process control software. Prevention of these types of attack is key to preventing the occurrence of these quality or safety issues. That means keeping the malware out of the control system is very important. Unfortunately, it seems that that may be very difficult to achieve. I’ll address that in a future post.

Monday, November 22, 2010

PHMSA Hazmat Bulk Loading NPRM to OMB

The Office of Management and Budget (OMB) announced that last Friday it received a draft of a notice of proposed rule making (NPRM) from the Pipeline and Hazardous Material Safety Administration (PHMSA) regarding bulk hazardous materials loading and unloading operations. According to the OMB’s Unified Agenda both the National Transportation Safety Board and the Chemical Safety Board have made recommendations for additional regulations in this area based upon accident investigations the two Safety Boards have conducted.

As with most chemical safety measures, a number of bulk unloading safety requirements could have a significant, positive effect on security at high-risk chemical facilities. Examples could include the use of remote emergency shutdown controls and high-flow preventers on unloading systems. Another safety/security issue that could be included would be a requirement for positive identification of materials to be unloaded into bulk tanks to prevent hazardous reactions because of incompatible materials.

Once OMB reviews the draft and, if it approves it (with or without recommendations for revisions), PHMSA will prepare the NPRM for publication in the Federal Register. We will not know any of the details of the proposed rule until that time. There is no way to estimate how long the OMB review or the PHMSA final preparation will take.

S 3954 Introduced

Last week Sen. Casey (D, PA) introduced S 3954, the Air Cargo Security Act. While there are slight differences in wording between this bill and HR 6410, a bill introduced earlier last week by Rep. Markey (D, MA), they should probably be considered companion bills; bills introduced into both the Senate and House that allow for nearly simultaneous committee consideration in both bodies.

Companion Bills

The introduction of a companion bill typically indicates that the original bill’s author seriously wants the bill to be considered and passed. The identification of a like minded legislator in the other body and the negotiation of the acceptance of the provisions included in the original bill require enough political energy that it demonstrates an increased level of political intent.

Most bills introduced in Congress never receive any political consideration beyond their original introduction. Most bills exist to be used as a reference during political campaigns to prove the author’s support for a particular political cause.

Basically Flawed Legislation

Ignoring for the moment the basic concept that forms the basis for these two bills, that all air cargo needs to be screened for explosive devices, these bills are basically flawed. As I explained in the blog on HR 6410, the timelines that are required in the bill to develop programs and processes, establish rules and regulations and to hire necessary inspectors and regulators are patently impossible to achieve.

Setting patently unachievable deadlines in a piece of legislation ensures that there will be objections to that bill from both the federal agencies involved and the potentially regulated community. Giving such opponents clearly identifiable and easily understood attack points makes it a near certainty that the opposition will succeed in killing the legislation.

Flawed Security Concept

It is a basic premise of security operations that it is not possible to prevent all security threats. First off, any security measure that can be defined will have flaws that can be exploited. Second, all security measures have a cost associated with them and the more complete the security measure is the more expensive it will be. The only way to completely prevent terrorists from using airplanes as a target is to shut down all airplanes.

The costs of security are always passed along to consumers either in the form of higher prices, if industry makes the security outlays or higher taxes if government pays for the security measures. The rules embodied in these two bills ensure that consumers would be hit from both sides as the air cargo shipping costs would increase and the TSA bureaucracy would have to increase.

There needs to be a serious discussion of the costs associated with the security measures versus the cost associated with the threat. News reports this weekend highlighted the claims of Al Qaeda that the costs of the recent ‘toner’ attacks were in the neighborhood of $4,200. What amount of money are we willing to spend to prevent these attacks? And will we be willing to spend a similar amount to prevent the next low cost attacks that Al Qaeda or other terror groups come up with?

Don’t get me wrong, I believe that reasonable security measures are required for high-risk targets. The higher the risk or potential consequence the higher the justifiable security costs. But, we need to have an explicit discussion of how we determine what costs are justifiable and which are just too high to pay.

Sunday, November 21, 2010

DHS CFATS FAQ Update 11-19-10

On Friday afternoon the folks at DHS ISCD updated two of the Frequently Asked Questions (FAQ) listed in the CFATS Knowledge Center. There were no substantive changes in either response. The two questions updated were:

1661: What is the definition of A Commercial Grade (ACG) for the purposes of CFATS? Specifically, under Appendix A of the Chemical facility Anti-Terrorism Standards (CFATS), 6 CFR Part 27, if a chemical facility manufactures or otherwise possesses a Theft/Diversion or Sabotage chemical of interest (COI) but does not directly offer the chemical for commercial sale, does the facility need to count the chemical toward the applicable screening threshold quantity to determine if the facility must submit a Top-Screen to DHS?

1672: For purpose of completing the Agriculture Survey, how will I know if a pesticide includes an agricultural chemical of interest (COI) at or above the minimum concentration? Where can I find the EPA Registration Number for the pesticide? Where can I find the percent by weight of a COI in the pesticide?

The only thing that makes it worthwhile to report this particular update of the FAQ list, beyond simply accounting for a change in the date of review of the response, is the fact that these changes had no effect on the downloadable listing of all of the FAQs and Articles that I discussed in my blog on Wednesday.

If this FAQ dataset is going to be of any use to the public, DHS is going to have to update it every time they update a FAQ response (and when there is no substantive change like Friday’s update, that may be a waste of time and effort to also edit this very large .PDF file) or they are going to have to note the effective date of the dataset on the CFATS Knowledge Center web page.

In my earlier post I suggested that DHS should date the .PDF document to allow users to clearly understand which version of the dataset they had in their possession. This suggestion today is not the same thing. Because of the very large size of the file, and the length of time that it will take to download (for someone on a limited speed internet connection it will take a VERY LONG TIME to download this), DHS needs to provide the effective date of the dataset to the user before the download begins.

Saturday, November 20, 2010

Private Sector Resources Catalog 2.0

On Thursday I informed you that the latest revision of the Private Sector Resources Catalog had been released and I also said that I would let you know about the changes that would be of interest to the chemical security community after I had a chance to do an in depth review of the new document. Well, as promised, here it is.

First, I did not do an in depth review of the entire document. I concentrated on the four chapters that I thought would be of the most interest to the chemical security community. That does not mean that there won’t be items of potential interest in the other chapters of the Catalog, it just means that I don’t have time to go through the whole thing. Those four chapters are:

Cybersecurity and Communications (CS&C)
Office of Infrastructure Protection (IP)
Transportation Security Administration (TSA)
U.S. Coast Guard (USCG)

New Programs

There are a number of new programs listed in each of these chapters. I am not going to provide explanations of all of them; I’ll just list the titles. If it looks like something that might be potentially interesting, use the links above to find a brief description of the program as well as either a web site or email address to obtain additional information.

Cybersecurity and Communications

• The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
• Research and Standards Integration Program (RSI)
• Telecommunications Service Priority (TSP) Program

Office of Infrastructure Protection

• Chemical Sector Training and Resources Database
• DHS Webinar “Surveillance Detection Awareness on the Job”
• Improvised Explosive Device (IED) Search Procedures Workshop
• IED Threat Awareness and Response
• Infrastructure Information Collection System (IICS)
• IP Sector-Specific Tabletop Exercise Program (IP-SSTEP) Chemical Sector Tabletop Exercise (TTX)
• Protected Critical Infrastructure Information (PCII) Web-base
• Protected Critical Infrastructure Information (PCII) Officer Training
• Chemical Facility Security: Best Practice Guide for an Active Shooter Incident
• Chemical Sector Training Resources Guide
• The Roadmap to Secure Control Systems in the Chemical Sector
• Chemical Sector Security Awareness Guide

Transportation Security Administration

• Maritime Passenger Security Courses
• Air Cargo Screening Technology List-For Passenger Aircraft

Coast Guard (no new programs listed)

I have already written about many of these new programs. For those that I haven’t, I am asking for additional information, and you may see them listed here in future posts.

Removed Programs

In going through these chapters I did note that there were some programs that were missing from the new catalog. There were three from the Office of Infrastructure Protection chapter that I thought might be of interest to the chemical security community. Since they are not listed in the new catalog, there is no explanation about if/why they may have been discontinued. I am trying to get such explanations and will relay them to my readers if/when I get them. In the meantime here is a list of the delisted programs:

• Improvised Explosive Device (IED) Awareness Web Training
• Surveillance Detection Web Training
• Security Outreach and Awareness Program (SOAP)

Training Programs

There is a wealth of training programs available in this catalog covering a wide variety of subjects and skill levels. Many of them were specifically developed by DHS agencies to meet mandated training requirements. I won’t guarantee the quality or appropriateness of each of these training programs. Each will have a variety of good points and bad points that will have to be evaluated for each facility’s training requirements. But, one thing is for sure, you won’t be able to beat the prices.

Once again, if you are responsible for a DHS covered program, particularly security related programs, you owe it to yourself and your organization to download the appropriate chapters of this Catalog and take a good hard look at the resources that DHS is providing. Your tax dollars are paying for this catalog and the resources listed. Get your share of the benefit.

Friday, November 19, 2010

Thanksgiving Recess Update

Yesterday, the Senate passed H Con Res 332, thus officially making 11-29-10 the end of the Thanksgiving Recess, as I noted yesterday.

BTW: When the House adjourned last night they invoked HCR 332, officially starting their Thanksgiving holiday; so much for their enhanced work ethic. The Senate will meet today.

Reader Comment – Awareness Videos

Jon Greenwood provided an update to my previous blog about the security awareness training video that his team has available. Where previously they had a video trailer available on-line for their video, they now have the complete video available for on-line review. They also now have a MARSEC/TWIC customization available for review.

I haven’t had a chance to review these complete videos, but that is the whole point of having them available on-line. You don’t have to rely on my opinion of how well they will fit your particular training needs; you can check them out yourself. As someone who has been responsible for planning training, this is a very valuable service and I commend Greenwood Security for making these available for preview.

Thursday, November 18, 2010

DHS ICS-CERT Issues OPC Server Vulnerability Advisory

This afternoon DHS ICS-CERT issued a new Advisory regarding an identified vulnerability in the Automated Solutions OPC Server. The advisory only applies to the stand-alone version of the Modbus/TCP OPC Data Access OPC servers (versions 3.0.0 and earlier) produced by Automated Solutions.

The advisory describes this as “a heap corruption vulnerability” that, if exploited, could corrupt the OPC server memory. ICS-CERT estimates that the vulnerability could be exploited by an attacker with an intermediate skill level, but that it would be unlikely that an attacker could use this vulnerability to execute arbitrary commands.

ICS-CERT has confirmed that Automated Solutions’ latest patch mitigates this vulnerability. ICS-CERT recommends the following mitigation steps:

● Upgrade to the latest version and install the latest patch. The patch is available at http://automatedsolutions.com/demos/demoform.asp?code=17.

● Minimize network exposure for all control system devices. Critical devices should not directly face the Internet. Control system networks and remote devices should be located behind firewalls, and be isolated from the business network. If remote access is required, secure methods such as Virtual Private Networks (VPNs) should be utilized.

As always the standard ICS-CERT caution applies: “Owners and operators should exercise caution and consult their control systems vendor prior to making any changes. Proper impact analysis and testing should always be conducted prior to making any changes to control systems.”
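The second mitigation step is the one that owners can check for themselves before any patch window. The script below is an added example, not code from ICS-CERT, Automated Solutions or this blog, of how a facility might audit a simple firewall policy for the exposure the advisory warns about: control devices reachable on Modbus/TCP (port 502) or the classic OPC DA DCOM endpoint mapper (port 135) from the Internet or from the business LAN. The address plan, device inventory, rule format and both policies are constructed for the illustration; the evaluator assumes first-match-wins rules with an implicit final deny, which is how most packet filters behave but should be confirmed against the actual firewall.

```python
"""Audit a simple firewall policy for control-system network exposure.

Added example (not the advisory's or any vendor's code).  Everything
below, subnets, hosts, rule format and the two sample policies, is a
constructed assumption used only to demonstrate the check.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed address plan (assumption, not from the advisory).
CONTROL_NET = "10.20.0.0/24"        # PLCs and the OPC server
ENGINEERING_NET = "10.30.0.0/24"    # subnet VPN users land on
BUSINESS_PROBE = "10.10.5.5"        # a typical business-LAN host
INTERNET_PROBE = "198.51.100.7"     # TEST-NET-2 address standing in for the Internet

MODBUS_TCP = 502   # Modbus/TCP, the protocol the advisory's OPC server speaks
DCOM_RPC = 135     # RPC endpoint mapper used by classic OPC DA clients


@dataclass(frozen=True)
class Rule:
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any port
    action: str            # "allow" or "deny"


def decide(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return the action of the first rule matching (src, dst, dport).

    First match wins; if nothing matches the implicit policy is deny.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for r in rules:
        if (src_ip in ipaddress.ip_network(r.src)
                and dst_ip in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


def exposure_findings(rules: List[Rule], devices: List[str]) -> List[str]:
    """List control devices reachable on ICS ports from the Internet or business LAN."""
    findings = []
    probes = (("Internet", INTERNET_PROBE), ("business LAN", BUSINESS_PROBE))
    for dev in devices:
        for origin, src in probes:
            for dport in (MODBUS_TCP, DCOM_RPC):
                if decide(rules, src, dev, dport) == "allow":
                    findings.append(f"{dev}:{dport} reachable from {origin}")
    return findings


# Constructed control-system inventory: OPC server and one PLC.
DEVICES = ["10.20.0.10", "10.20.0.11"]

# Weak policy: a blanket "anyone may reach the OPC server" rule, plus the
# business LAN allowed straight to Modbus/TCP on the whole control subnet.
WEAK_POLICY = [
    Rule("0.0.0.0/0", "10.20.0.10/32", None, "allow"),
    Rule("10.10.0.0/16", CONTROL_NET, MODBUS_TCP, "allow"),
]

# Corrected policy: only the engineering subnet (reached over VPN) may talk
# to control devices, and only on the ports it needs; everything else is denied.
CORRECTED_POLICY = [
    Rule(ENGINEERING_NET, CONTROL_NET, MODBUS_TCP, "allow"),
    Rule(ENGINEERING_NET, "10.20.0.10/32", DCOM_RPC, "allow"),
    Rule("0.0.0.0/0", CONTROL_NET, None, "deny"),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY)):
        print(f"{name} policy:", exposure_findings(policy, DEVICES) or "no exposure found")
```

Against the weak policy the audit reports the OPC server reachable on both ports from both origins and the PLC reachable on 502 from the business LAN; against the corrected policy it reports nothing, while an engineering-subnet host can still reach the PLC on 502. The same evaluator can be fed a real rule export once it is translated into the `Rule` shape.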

HR 6423 Introduced

As I mentioned in a posting last night, Chairman Thompson introduced HR 6423, the Homeland Security Cyber and Physical Infrastructure Protection Act of 2010. This bill is significantly different than any of the other cyber security bills introduced during this session. It establishes the Office of Cybersecurity and Communications (OCSC) at DHS and makes it responsible for establishing and enforcing cybersecurity “requirements for civilian nonmilitary and nonintelligence community Federal systems to prevent, deter, prepare for, detect, report, attribute, mitigate, respond to, and recover from cyber attacks and other cyber incidents” {§222(a)}.

Regulation of Civilian Networks

That authority, in and of itself, is significant, but of little interest to those of us in the private sector. To keep us involved, the bill would also give the Secretary the authority to “establish and enforce risk-based cybersecurity requirements for private sector computer networks within covered critical infrastructures” {§224(b)}. As Mickey McCarter noted in an article on HSToday.US, this risk-based regulatory scheme sounds an awful lot like the mandate given to DHS for regulating high-risk chemical companies.

The similarity does not end there. This bill would give the Director of the newly created Cybersecurity Compliance Division (within the OCSC) the authority to determine “which systems or assets of critical infrastructure shall be subject to the requirements of this section and designate them as covered critical infrastructures for purposes of this section” {§224(e)(1)(A)}. There are all sorts of ‘consultation’ requirements with a wide variety of people, but it is clear that the Director is making the determination much the same way that the ISCD Director determines which chemical facilities are at High-Risk of Terrorist Attack.

There are some restrictions on this authority. First, the ‘system or asset’ must meet the existing requirements for inclusion in the “prioritized critical infrastructure list established by the Secretary” {§223(e)(2)(A)}. Next, the ‘system or asset’ must meet one of the following two criteria.

● It “is a component of the national information infrastructure or the national information infrastructure is essential to the reliable operation of the system or asset” {§224(e)(2)(B)}.

● The “destruction or the disruption of the reliable operation of the system or asset would cause a national or regional catastrophe” {§224(e)(2)(C)}.

The latter criterion is the one that will allow for the regulation of control systems at designated facilities. There are some additional criteria to define the types of catastrophes to be considered. They specifically include mass casualty or mass evacuation events. This could certainly point at selected chemical facilities. This is one of the unique characteristics of this bill and makes it significant to the chemical security community (and many other communities as well).

There is an interesting twist to this designation authority. Before the final designation can be made “the Director shall provide the owner or operator of the system or asset an opportunity to appeal the determination” {§224(e)(4)}. The details of that appeals process would apparently be established by regulation.

Regulation thru Other Agencies

Another interesting part of this regulation is that Thompson, Harmon, and Clarke knew that many of these potentially covered facilities are already formally regulated or informally guided in security matters by existing agencies, inside and outside of DHS. When there is a formal regulatory scheme (like CFATS, MTSA, etc.), the regulating agency is called a ‘first-party regulatory agency’. Critical infrastructure entities that are not covered by regulations are guided in security matters by sector-specific agencies.

With the exception of the information technology sector (OCSC becomes the sector specific agency for that sector) and the communications sector (the National Communications System, an office within the OCSC, is the sector specific agency for that sector), the “enforcement of cybersecurity regulations should be accomplished through appropriate first-party regulatory agencies or sector-specific agencies” {§224(a)(5)}.

In a rather devious way this makes a certain amount of sense. Take for example CFATS covered facilities. Their security is already regulated by ISCD. ISCD has some risk-based guidance on cyber security measures, but they are really vague and they probably don’t have the internal expertise to really determine what security measures would be appropriate for control systems (a point I have made before in more detail). If, however, OCSC provided the regulatory scheme and guidance (and training) for control system security issues, then ISCD could be expected to enforce those regulations as part of their regulatory scheme.

I do see a potential problem with this. Let’s look at a chemical facility that is designated as a covered critical infrastructure facility, but is not covered under CFATS. The designation would be because they are a sole source supplier for some other critical infrastructure or government agency. The Chemical Sector Specific Agency within the Office of Infrastructure Protection is a relatively small office without any existing enforcement staff. I’m sure that there are many other potentially covered critical infrastructure entities that would be similarly under-served.

Other Details of the Plan

If this plan had a serious chance of being considered in the limited time remaining in the 111th Congress, I would go into additional details involved in this bill for things like cybersecurity plans, certifications and training requirements. There are a lot of interesting things that deserve serious consideration. It would have been nice if this had been developed a year ago; it might have gone somewhere. I hope that Ranking Member Thompson re-submits this bill in January. It certainly should go through the hearing and markup process to further refine its provisions.

Thanksgiving Recess

Yesterday the House passed House Concurrent Resolution 332 that outlined the plans for the Thanksgiving recess for the House and the Senate. It is expected to pass in the Senate today. The resolution provides that when the House and Senate adjourn at the end of this week they will not return until Monday, November 29, 2010. The Senate would meet at noon that day and the House at 2:00 pm.

The wording is appropriately vague as to when that adjournment will actually start. The House expects to implement this resolution at the end of either today or tomorrow. The wording for the Senate’s adjournment allows for the possibility of working through this Sunday.

I had expressed my opinion in an earlier blog that I didn’t think that they would return until the 30th, so I guess they have a better work ethic than I gave them credit for. I would have been more impressed, however, if they had worked Monday and Tuesday of the coming week. But, what the heck, it is a lame duck Congress and a large number of these folks are effectively retired or on notice. And they aren’t getting any extra pay for the post election work.

BTW: The House passed S. J. Res 40 yesterday so the official first meeting date of the 112th Congress is January 5th.

DHS Private Sector Resources Catalog Updated

Today DHS announced that they had updated their Private Sector Resources Catalog. This publication provides a summary of, and points of contact for (including links in most cases), a variety of programs within the Department. This catalog was first published back in May and, as promised, DHS has issued their first update.

As with their first revision of the Catalog web page, you can either download the entire thing or just the ‘chapters’ that are of interest. The latest version adds two new chapters: Office of Civil Rights and Civil Liberties (CRCL) and DHS Privacy Office.

I certainly haven’t had time to peruse each of the chapters to look at the changes in their lists; I’ll probably have a chance to do that this weekend. But my review notwithstanding, I would certainly recommend downloading the newest version of whichever chapter (or perhaps you want the whole catalog) might be of interest to you or your organization.

Stuxnet Hearing

The Stuxnet hearing yesterday before the Senate Homeland Security and Governmental Affairs Committee was interesting for a couple of reasons. First it was one of the few informational hearings that I have watched where the congresscritters actually seemed to be interested in hearing what the witnesses had to say. Second the only political posturing came from one of the witnesses, none from the questioning politicians.

The Politics

Senators Lieberman and Collins opted to have their official opening comments entered into the record without reading them, providing more time for the witnesses to talk and respond to questions. There was none of the typical speechifying questions; they were all short and to the point. The questions were intelligent, informed and actually sought information. If more congressional hearings were conducted in this manner, Congress might actually learn some things.

The witnesses all commended the Committee on their work on S 3480 and expressed their support for the legislation. None of them pointed out that the bill doesn’t specifically address the control system security issues that might have something to do with Stuxnet defense or mitigation.

The only real disappointment in the hearing was the testimony and responses from Mark Gandy, the sole industry representative. While Gandy works for Dow Chemical, he was actually representing the American Chemistry Council. He could have provided some valuable insights about control system security issues from the user’s perspective. Instead he spent most of his time spouting the standard ACC chemical security political mantra: voluntary efforts, $8 billion spent on security, support for the current CFATS program, we have everything under control, etc. The exact same testimony could have been made at any of a number of hearings. It was a waste of the Committee’s time and contributed nothing to the Stuxnet/control system security discussion.

PET PEEVE RANT WARNING: How many times do we have to hear about the ‘$8 Billion dollars that ACC members have voluntarily spent on upgrading their facility security since 9/11’? First off, the figure hasn’t changed in two years; surely the expenditures have continued. Second, your opponents don’t care about what has been done; they are interested in specific things they want to see happen, and you need to discuss those issues if you don’t want the measures imposed upon you. Finally, in this instance that figure means little; how about telling the world what you have done about control system security?

Stuxnet Information

Sean McGurk, Acting Director, National Cybersecurity and Communications Integration Center, U.S. Department of Homeland Security provided some interesting political theater at the start of his testimony when he held up a USB drive and told the Committee that it contained Stuxnet. If true, I hope he keeps that drive locked up, it’s one drive we don’t want to see go missing. His opening remarks and printed testimony provided a good overview of the current DHS cyber security program and ICS-CERT as well as a pretty good, if brief, overview of the Stuxnet worm.

For those people who questioned what ICS-CERT was doing during the initial phases of the Stuxnet investigation, McGurk told the Committee about the efforts undertaken at INL to deconstruct Stuxnet in their malware lab. He noted that they set up a control system, complete with PLCs, to watch what the worm did. It would be interesting to see a report on those efforts to see if they discovered anything beyond what Symantec and Langner have reported about the worm.

I think the most important information about Stuxnet came from Dean Turner, Director, Global Intelligence Network, Symantec Corporation, in response to a question from Sen. Collins (R, ME). Turner told the Committee that there were 1600 unique Stuxnet infections in the US and that fifty of them were in systems that included Siemens control systems components. That is more than three times the last number that I’ve seen reported by Siemens worldwide.

I would understand why Symantec would not publicly release the identity of those fifty systems, but I would hope that they have or (at least) will share that information with ICS-CERT. Given the difficulty in cleaning systems of Stuxnet, it would be helpful if an ICS-CERT team would help ensure that those fifty systems have actually been cleared of their infections.

Process Information

Sen. Coons (D, DE), the Committee’s newest member, asked a very interesting question. Given the testimony about the ability of Stuxnet to capture and report system information the Senator asked if this capability placed trade secrets at risk. All of the witnesses opined that yes, they thought that intellectual property was at risk. McGurk explained that Stuxnet accessed process history files which would allow an attacker to reverse engineer the development of the process.

I think that this issue might have been a tad bit overblown. The amount of equipment knowledge that an attacker would need to reverse engineer the process development from the computer commands sent to the PLCs is immense. If the attacker had that sort of insider knowledge they would likely already have access to process development information. Besides, process changes are not based entirely on information obtained from measurement tools that are connected to the control systems. A major source of information driving process development comes from lab testing of in-process and final product samples. Without access to that information, there would be no understanding of the reasons that changes were made.

In his response to this question Turner explained that Stuxnet had the capability to install ‘back-doors’ on infected systems and those would allow the attacker to steal design information. It wasn’t clear if he was talking about the reporting capabilities that have been widely discussed in the reports on Stuxnet or a specific feature that could provide a new entrance for future access. If the latter is the case, the close inspection of all Stuxnet infected machines (not just control systems) seems to be indicated.

Response to Stuxnet

Michael J. Assante, President and Chief Executive Officer National Board of Information Security Examiners, in his written testimony, provided the committee with a number of important recommendations to help protect critical infrastructure from Stuxnet-like attacks. His testimony should be required reading for every security manager with responsibilities for an industrial control system and for Congressional staffers preparing cyber security legislation for the next session of Congress.

One point that I think demands special attention (particularly when looking at recent SCADA vulnerability disclosures) is the need for a reporting requirement. In his testimony (pg 10) he notes that there should be a requirement for “critical infrastructure asset owners and control system vendors to report industrial control system specific security incidents and the U.S. government must provide up-to-date information to asset owners and operators on observed adversary tactics and techniques, especially when investigations reveal attacker capabilities to side-step or exploit relied upon security technologies.”

Sen. Lieberman asked each of the witnesses if they thought that the response to Stuxnet required voluntary or government mandated programs. Assante was the only one who unequivocally stated that DHS would benefit from additional authority, including a mandate for reporting of incidents. McGurk’s reply was a particularly disappointing bureaucratic reply that he didn’t make policy, he just did what he was told. Turner recommended that Congress take measures to shore up the “existing voluntary communications channels”.

The best argument for increased DHS authority came from the representative from the industrial user community, Mark Gandy. He reported that industry was doing just fine thank you with their voluntary efforts, though he did note that the CFATS program would help counter this threat. This head in the sand point of view, if held by any significant portion of the user community (and I’m afraid that it is), provides the best argument for adding vigorous control system security requirements to any comprehensive cyber security legislation. If industry does not now recognize the potential threat to their control systems, and their completely inadequate preparations to prevent such an attack, then voluntary programs will no longer suffice.

S 3480 Status

On a final note, Sen. Lieberman did provide a brief, undetailed (I know that word is not in the dictionary, but I’m sure you know what it means) explanation of why S 3480 has not been (nor won’t be this session) brought to the floor of the Senate even though it has been ordered reported by his Committee. He noted that there were on-going negotiations with other committees with legitimate interests in the cyber security arena. He did promise that the bill would be re-introduced early in the 112th Congress.

When they hold hearings on that bill next year I hope that they bring Mike Assante back to testify. He has the necessary technical background, regulatory experience and the passion for control system security that will help Congress formulate the necessary legal framework for the regulation of industrial control system security in critical infrastructure applications.