Friday, December 31, 2010

Additional DOT Rules Pending

Yesterday I looked at the additional DHS rules under development that could be of interest to the chemical security community. Today I would like to look at a similar list of rules that are being developed by the Department of Transportation. For the most part these rules are not directly security rules, but they may still be of interest to our community because they deal with the handling and shipping of hazardous materials. Few of these rules will be covered in any detail in this blog.

DISCLOSURE NOTE: Most of my writing done on hazardous materials transportation issues is done for the Journal of Hazmat Transportation. Since I am being paid for those articles I have to be careful about the duplication of writing efforts here.

Proposed Rules

The regulations in the ‘proposed rule’ stage have either had an advance notice of proposed rule making (ANPRM) published or have a notice of proposed rule making (NPRM) being written or reviewed. The next action to be expected would be the publication of an NPRM.

The following is a list of regulations in the proposed rule stage at DOT:

2130-AC11 (FRA) Risk Reduction Program

2137-AE58 Hazardous Materials: Adoption of American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code Section XII and the National Board Boiler and Pressure Vessel Inspectors Code

2137-AE66 Pipeline Safety: Safety of On-Shore Liquid Hazardous Pipelines

2137-AE36 Pipeline Safety: Completing Regulation of Hazardous Liquid Pipelines Operating at Low Stress

2137-AE37 Hazardous Materials: Bulk Loading and Unloading Operations

2137-AE52 Hazardous Materials: Combustible Liquids

2137-AE53 Hazardous Materials: Safety Requirements for External Product Piping on Cargo Tanks Transporting Flammable Liquids (Wetlines)

2137-AE55 Hazardous Materials: Incorporation of Certain Rail Special Permits Into the Hazardous Materials Regulations

2137-AE59 Pipeline Safety: Miscellaneous Amendments to the Pipeline Safety Regulations

2137-AE65 Hazardous Materials: Limiting the Use of Mobile Telephones by Highway
Final Rules

The regulations in the ‘final rule’ stage have had an NPRM published and the public comment period is closed. DOT is reviewing those comments and making the appropriate adjustments to the rule. The next action to be expected would be the publication of a final rule.

The following is a list of regulations in the final rule stage at DOT:

2105-AD59 Protection of Sensitive Security Information

2130-AC14 Emergency Escape Breathing Apparatus

2137-AE06 Hazardous Materials: Requirements for Storage of Explosives During Transportation

2137-AE13 Hazardous Materials: Enforcement Regulations

2137-AE32 Hazardous Materials: Combination Packages Containing Liquids Intended for Transport by Aircraft

2137-AE33 Pipeline Safety: Updates to Pipeline and Liquefied Natural Gas Reporting Requirements

2137-AE45 Hazardous Materials: International Harmonization

2137-AE56 Hazardous Materials: Incorporation of Certain Cargo Tank Special Permits Into the HMR

2137-AE57 Hazardous Materials: Revision of Special Permits Procedures

2137-AE63 Hazardous Materials: Limiting the Use of Electronic Devices by Highway
Long Term Actions

‘Long Term Actions’ are those rules that DOT is considering developing. Some of these are congressionally mandated rule makings that are going to require a great deal of time to complete for technical or political reasons. Others are existing ‘interim final regulations’ that need to be made permanent. Others still are items that DHS has internally identified as areas potentially requiring regulatory action. Items on this list may never be introduced into the regulatory process.

The following is a list of regulations (only one in the DOT Unified Agenda) in the long term action stage at DOT:

2137-AE46 Hazardous Materials: Miscellaneous Amendments

Thursday, December 30, 2010

SAR Training

There is an interesting blog post over at ISE.org (Information Sharing Environment, the lead organization for managing the Suspicious Activity Reporting (SAR) project at DOJ). The blog briefly describes a new training program for ‘front line officers’ to support the SAR goal of helping to “detect and prevent terrorism-related criminal activity in a manner that rigorously protects the privacy and civil liberties of Americans”. It also provides three separate links to the training program.

Training Program Review

I watched the 18 minute presentation on the Law Enforcement And Public Safety (LEAPS.tv) channel and was pretty satisfied with the above average presentation. The audio-slide show format was well done and provides a smooth presentation at a relatively low bandwidth. It provided a good overview of the SARS process and the place of the police patrol officer within the process. It did provide a pretty good balance between suspicious activity reporting and protecting civil liberties. It even hit on the issue of photographers, a problem that I talked about in an earlier blog. It also provides a number of real-world examples of instances where police patrol officers discovered information that directly led to the arrest of terrorists or prevention of terrorist attacks.

I would have liked to have seen more information on how a police officer should approach individuals in those borderline cases that might be suspicious activity or it might be constitutionally protected activity. That might be too much to expect from a SAR program overview like this. I would like to see someone do a video presentation on how those situations could be recognized and how to best deal with them.

Program Management

I understand that this is a training program for police officers. I was concerned, however, when I went to view this at Memorial Institute for the Prevention of Terrorism site and as part of the registration I was expected to “Swear or Affirm” that I was either a police officer or an intelligence analyst before I could watch the presentation. That seemed to me to be a bit much. The registration process at the NSI [Nationwide Suspicious Activity Reporting (SAR) Initiative; that’s a strange acronym for that name; maybe they wanted to sound like those TV folks] site implies that it is strictly limited to police officers. The registration process at the LEAPS.TV site specifically includes ‘Company’ in the description of the organization to which you belonged, so I felt ‘safe’ registering on that site. All three sites do require registration to view the program.

The NSI site does offer a post-training testing and certification process (including awarding Continuing Education Units), but there is a charge for that. Otherwise the training program is free.

Alternative Use

I think that this would be a pretty decent training program for security personnel at high-risk chemical facilities to take. I understand that there are some very real legal differences between security guards and police officers, but those are not germane to a discussion of suspicious activity reporting. As I have mentioned on a number of occasions, all personnel and particularly security personnel at high-risk facilities are going to have to be actively watching for suspicious activity if the terrorist planning cycle is going to be interrupted before an attack is initiated.

The only problem is I have seen nothing in the discussion of the SAR process that deals with reporting by security professionals who are not members of law enforcement. Now I am fairly sure that a security manager at a Tier 1 or Tier 2 high-risk chemical facility will not have any problem with working out a reporting system with the local Joint Terrorism Task Force. At many Tier 3 or 4 facilities where the security manager may not be a security professional, may have a more difficult time getting routine SARs accepted into the formal system. They may have more pull though with the local police intelligence unit.

As I have mentioned on a number of occasions, it would seem to me to be a good idea to have a Chemical Fusion Center that would specifically address this issue. They would have the trained personnel to evaluate the SAR and the pull to get additional follow-up investigation by the JTTF where it was warranted.

In any case, however you work out your SAR submission process, I recommend that any security manager at a high-risk chemical facility should consider having the security guards at that facility sit down for this 18 minute training program. It may help them to understand the importance of making timely reports of suspicious activity.

Additional DHS Rules Pending

Periodically over the last couple of weeks I have discussed various aspects of the Fall 2010 Regulatory Agenda that was published in the Federal Register on December 20th. The reader who has been following the regulatory process at DHS will recognize that the list of proposed regulations that I listed as being in the Agenda on my blog about the release of the Regulatory Agenda is not a complete list of regulations that DHS has proposed. This is because the regulations listed in the RISC Agenda document are only those that are ‘economically significant’; have a significant economic impact on a large number of small businesses.


Today I would like to briefly look at some of the less ‘economically significant’ rules in the regulatory process that might be of interest to the chemical security community. I will list the rules actually in process and rules that DHS is currently looking at introducing in the future. The information on these rules can be found on the Unified Agenda page on the RegInfo.gov website. Each of the rules listed below will be preceded by an RIN number; this is the tracking number used by OMB to plot the progress of rule through the regulatory process and serves as a link to the current status of that rule.

In this posting I’ll just provide listings of the rules in the various stages of development. In later posts I’ll take a closer look at some of the more important (to chemical facilities) rules in more detail.

Proposed Rules

The regulations in the ‘proposed rule’ stage have either had an advance notice of proposed rule making (ANPRM) published or have a notice of proposed rule making (NPRM) being written or reviewed. The next action to be expected would be the publication of an NPRM.

The following is a list of regulations in the proposed rule stage at DHS:

1601-AA56 Petitions for Rulemaking, Amendment, or Repeal

1625-AB21 Transportation Worker Identification Credential (TWIC); Card Reader Requirements

1652-AA54 Sensitive Security Information: Disclosure in Federal Civil Court Proceedings

1652-AA61 Standardized Vetting, Adjudication, and Redress Services
Final Rules

The regulations in the ‘final rule’ stage have had an NPRM published and the public comment period is closed. DHS is reviewing those comments and making the appropriate adjustments to the rule. The next action to be expected would be the publication of a final rule.

The following is a list of regulations in the final rule stage at DHS:

1601-AA01 Production or Disclosure of Official Information in Connection With Legal Proceedings

1651-AA70 Importer Security Filing and Additional Carrier Requirements
Long Term Actions

‘Long Term Actions’ are those rules that DHS is considering developing. Some of these are congressionally mandated rule makings that are going to require a great deal of time to complete for technical or political reasons. Others are existing ‘interim final regulations’ that need to be made permanent. Others still are items that DHS has internally identified as areas potentially requiring regulatory action. Items on this list may never be introduced into the regulatory process.

The following is a list of regulations in the long term action stage at DHS:

1625-AA87 (Coast Guard) Security Zone Regulations

1652-AA08 Protection of Sensitive Security Information (SSI)

1652-AA16 Transportation of Explosives from Canada to the United States Via Commercial Motor Vehicle and Railroad Carrier

1652-AA50 Drivers Licensed by Canada or Mexico Transporting Hazardous Materials To and Within the United States

1652-AA58 Freight Railroads--Vulnerability Assessment and Security Plan

1652-AA66 Reporting of Security Issues

Wednesday, December 29, 2010

PHMSA HAZMAT ICR Renewals

Today the Pipeline and Hazardous Materials Safety Administration (PHMSA) published a notice in the Federal Register of their intention to submit to the Office of Budget and Management (OMB) a number of hazardous material related information collection requests (ICRs) for renewal. Approval of these ICRs by OMB would allow PHMSA to continue to collect this information from the regulated public.

The ICRs that PHMSA intends to renew are:

• Requirements for Cargo Tanks (OMB # 2137-0014) This includes: Registration Statements; Requalification and maintenance reports; and Manufacturers’ data reports, certificates and related papers

• Hazardous Materials Incident Reports (OMB # 2137-0039)

• Radioactive (RAM) Transportation Requirements (OMB # 2137-0510)

• Flammable Cryogenic Liquids (OMB # 2137-0542)

• Rail Carrier and Tank Car Tank Requirements (OMB # 2137-0559) This includes: Approvals of the AAR Tank Car committee; Progress Reports; FRA Approvals; Manufacturer Reports and Certificate of Construction; Quality Assurance Program; and Inspection Reports.

• Container Certification Statement (OMB # 2137-0582)

• Hazardous Materials Public Sector Training and Planning Grants (OMB # 2137-0586)

• Response Plans for Shipments of Oil (OMB # 2137-0591)

• Hazardous Materials Security Plans (OMB # 2137-0612)

• Inspection and Testing of Meter Provers (OMB # 2137-0620)

• Requirements for United Nations (UN) Cylinders (OMB # 2137-0621)
Comments on any of these ICRs should be submitted by February 28, 2011. Submissions may be made via the Federal eRulemaking Portal (www.regulations.gov, Docket Number PHMSA-2010-0373) or by mail to:

Docket Operations
U.S. Department of Transportation
West Building, Ground Floor, Room W12-140
Routing Symbol M-30
1200 New Jersey Avenue, SE.
Washington, DC 20590

National Maritime Security Advisory Committee Meeting 1-19-11

The Coast Guard published a notice in today’s Federal Register announcing a meeting of the National Maritime Security Advisory Committee (NMSAC) on January 19th and 20th. The meeting in Arlington, VA will be open to the public. While there will be very limited seating available at the meeting site, the public will also be able to hear the meeting via teleconference or observe the meeting on-line.

The Agenda for this meeting includes:

• Port Security Grants
• Global Supply Chain Security Policy Efforts
• Update to the Maritime Infrastructure Recovery Plan and the Maritime Transportation System Security Recommendations
• Results of Maritime Transportation Security Act Tasking
The teleconference will be available at 866-717-0091 (Access Code - 3038389#). The on-line access will be available via the Homeland Security Information Network (HSIN) at https://connect.hsin.gov/uscgnmsac/.

Members of the public wishing to make oral presentations at the meeting or provide written comments to be distributed to the committee members must contact the ADFO (ryan.f.owens@uscg.mil) by January 11th, 2011. Written comments may also be submitted via the Federal eRulemaking Portal (http://www.regulations.gov/, Docket Number USCG-2010-1005).

DHS Addresses Two Ecava IntegraXor Vulnerabilities

Yesterday evening the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) took the unusual action of publishing two documents on vulnerabilities in the same SCADA system, the Ecava IntegraXor. The first is a follow-up to an earlier Alert and the second is a new alert about a newly reported vulnerability.

Directory Traversal Vulnerability

Last week ICS-CERT published an alert about a directory traversal vulnerability in the Ecava IntegraXor Human Machine Interface (HMI). At the time of the alert there were no specific mitigation measures available to respond to the vulnerability. Yesterday ICS-CERT published an Advisory on this vulnerability providing newly released information on a patch (along with a point of contact for additional support information) made available by Ecava Sdn Bhd, the Malaysia-based software development company that provides the IntegraXor product.

Additionally ICS-CERT makes their routine recommendation to “Minimize network exposure for all control system devices. Critical devices should not directly face the Internet. Control system networks and remote devices should be located behind firewalls and be isolated from the business network. If remote access is required, secure methods such as Virtual Private Networks (VPNs) should be used.” They also provided their standard risk assessment caveat for both this standard mitigation technique and the patch.

ICS-CERT notes that this vulnerability would allow an attacker with a low skill level to add an arbitrary path and files to the system and to read any file within the system. The vulnerability is exploitable using publicly available tools from a remote system.

DLL Hijacking Vulnerability

DHS published an Alert on a second vulnerability, this one dealing with a susceptibility to DLL hijacking attacks. The Alert reports that there are tools publicly available to exploit this vulnerability and that ICS-CERT is working with the Ecava on mitigation options. When more information becomes available, ICS-CERT will issue the appropriate advisories.

Tuesday, December 28, 2010

DHS Updates Critical Infrastructure Protection Website

Today the DHS Office of Infrastructure Protection (OIP) updated the landing page for Critical Infrastructure Protection. This is part of their information sharing effort as part of the President’s proclamation of December as Critical Infrastructure Protection Month. There are links to four pages that have been revised/updated with new information on critical infrastructure protection. They are:


Bombing Prevention Training
Information Sharing for Critical Infrastructure Protection and Resilience
Information Sharing: A Vital Resource for a Shared National Mission to Protect Critical Infrastructure
More About the Office of Infrastructure Protection
Regional Directors and Protective Security Advisors

This page used to just refer to Protective Security Advisors and I briefly addressed their duties last spring. The first change to this page deals with the title and that it now explains that Regional Directors are “Supervisory PSAs”. I’m not sure if these are new positions or if they were just overlooked in the earlier version of this page. The total number of field operatives, 93, has not changed since the earlier version of the page was posted.

This page does note that the PSA’s are responsible for three program areas and provides a brief description of the these responsibilities. They are:

● Enhancing Infrastructure Protection
● Assisting with Incident Management
● Facilitating Information Sharing
The information sharing portion of this page does provide a new section on ‘Strengthening Regional Resilience’. This is keeping in-line with the Departments increased focus on ‘Resilience’. The most important part of this new section is the link to the two new pages on ‘Information Sharing’ that I discuss below.

Bombing Prevention Training

The only change to this page is that it now references ‘Regional Directors and Protective Security Advisors’ instead of just ‘Protective Security Advisors’.

Information Sharing

The first of these two pages that focus on information sharing provides an overview type description of the various players in the field of ‘Infrastructure Protection’ with some links to more information. Of interest to the chemical security community is the brief description of the ‘Chemical Facility Inspectors’ (CFI). The ‘additional information’ link provided for there does not pertain much to the CFI, but to the CFATS program in general. It would be nice to see a more detailed page of information about the CFI program (organization, training, etc).

The second page on information sharing has a great deal more information and many more links to other programs. The most valuable part of this page can be found in the last section, “Tools to Support Information Sharing”. This section provides links to a number of important information sharing sites, including:

● Homeland Security Information Network-Critical Sectors (HSIN-CS)
● Homeland Infrastructure Threat & Risk Analysis Center (HITRAC)
● National Infrastructure Coordinating Center (NICC).
● DHS Daily Open Source Infrastructure Report
● Office of the Director of National Intelligence
More About the Office of Infrastructure Protection

This page provides information on the operation of the OIP. It has been completely reworked, providing more links to web pages describing the groups that work within the OIP. A great deal of additional information has been provided through this page.

Reader Comment MTSA-CFATS MOU

Laurie Thomas left a comment on yesterday’s blog post on the Maritime Transportation Security Act (MTSA) regulation update discussed in the recently updated Regulatory Agenda. Laurie questions whether the federal government is agile enough to include the purported ISCD-Coast Guard memorandum of understanding on CFATS-MTSA harmonization in the planned update of the MTSA regulations.

Laurie certainly has a legitimate point. If the Coast Guard were to publish their MTSA update notice of proposed rule making (NPRM) in March as stated in the Regulatory Agenda, it would be very surprising for it to include anything new in the MOU.

There is no inherent reason why such information couldn’t be included in the new draft regulations, but most of us do not expect federal bureaucracies to be able to respond that quickly. Physically writing the appropriate language into the proposal wouldn’t take more than a day or so. Determining the details of how to implement an MOU, determining just what parts of the Code of Federal Regulations (CFR) need to be addressed to implement the MOU and getting political approval for making those changes are what takes so much of the time.

One would like to think that most of that decision making process would have been included in the development of MOU itself. Unfortunately, this is not the case in practical politics. This is because there is a completely different level of political commitment involved in actually changing regulations, which is inherently a public process, and obtaining an internal DHS agreement to change regulations which is not a public at all.

There is, of course, a perverted sort of hope that there still will be a chance that the harmonization issue will be addressed in the update to the MTSA regulations. Since this proposed rule has had its NPRM publication date slip a number of times (according to the 2010 Spring Regulatory Agenda it was supposed to be printed last November and that represented a substantial delay from the 2009 Fall Regulatory Agenda) it will probably slip once again. DHS has had a poor record of living up to its public estimates of how long the regulatory process takes to get something accomplished.

I suspect that these delays are not limited to DHS, but that is the only agency that I track closely. And from what I hear through the grapevine, these delays are not entirely the fault of DHS. It seems that the political approval process at the White House relegates these issues to the bureaucratic back burner while the Administration focuses on its own political priorities. And this is certainly not new to the Obama Administration. I am afraid that this is an inherent part of our political process.

It is just possible that the pressure from the Senate (the last two Senate Appropriation Committee reports on budget bills have included a requirement for DHS to report back to Congress on the progress of the harmonization issue) to get some sort of chemical security harmonization agreement implemented will drive the next revision of the proposed NPRM to include implementation of at least some of the provisions of the as yet unseen memorandum of understanding.

OMB Approves TSA Pipeline Security Reporting

Last week the Office of Management and Budget (OMB) approved the information collection request (ICR) submitted by the Transportation Security Administration (TSA) to support their revised voluntary pipeline security program. This program will be outlined in a revised Pipeline Security Guidelines document.

Two specific types of information collection were approved in this ICR. First is the reporting of ‘security incidents and suspicious activity’ information to the Transportation Security Operations Center (TSOC). In their 30-day ICR notice TSA made it clear that they wish “to be notified of all incidents which are indicative of a deliberate attempt to disrupt pipeline operations or activities that could be precursors to such an attempt” (75 FR 49943).

The second type of information that TSA is now approved to collect is the voluntary submission of contact information for security managers and operations centers. This will enable TSA to provide timely updates of security related information to pipeline operators.

Once again, this ICR supports a voluntary security program. Congress has not provided TSA authority to mandate pipeline operator participation in a security program. Recent attacks on pipeline facilities in Canada and Mexico have not yet made sufficient impression on legislators to convince them that such attacks could actually occur in the United States.

Monday, December 27, 2010

DHS NIAC Meeting 1-18-11

The DHS National Protection and Programs Directorate published a notice in today’s Federal Register that the National Infrastructure Advisory Council (NIAC) would be holding a public meeting on January 11th in Washington, D.C. The Council will receive an interim report on information sharing from a working group and may provide additional guidance on how that study should proceed.

The meeting is open to the public but discussion on the report will be limited to Council Members, DHS personnel and invitees. There will be a limited time available for public comments on the subject at the end of the deliberations. Those comments will be limited to 3 minutes. Due to the limited time available for the public comment portion of the meeting, pre-registration is required and only a limited number of commentors will be able to make their presentations. Commentors will be taken in registration order until the allotted time expires.

Written comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov Docket Number DHS-2010-0094) or by email to NIAC@dhs.gov (the Docket number must be included in the address line). Written comments must be submitted by January 11th.

Fall 2010 Regulatory Agenda – Updating MTSA

Last week I looked at the publication of the Administration’s updated regulatory agenda. I looked at the general documents involved and then looked at promised ammonium nitrate regulations and training requirements for the freight rail industry. I had planned to look at updating of the Maritime Transportations Security Act (MTSA) this week. Unfortunately for me, but perhaps fortunately for my readers, this week end an expert on MTSA training issues, Laurie Thomas, addressed that topic on her blog, MTSA News. I highly recommend reading Laurie’s blog posting.

CFATS – MTSA Harmonization

One item not mentioned by Laurie in her blog, nor addressed specifically in the Regulatory Agenda is the issue of harmonizing the chemical security requirements in the MTSA and CFATS regulations. There are a number of water-side chemical facilities that are exempted from the CFATS regulations because they are covered under the MTSA rules. There has been some concern expressed in Congress and in industry about the fact there are two different standards for security that might apply to similar facilities depending on where they are located in port areas. Congress has asked DHS to look at ways of harmonizing the two sets of security rules.

I understand that ISCD and the Coast Guard have essentially completed a memorandum of understanding on how they will coordinate their regulation of high-risk chemical facilities under the two rules. Unfortunately, I have been unable to get anyone at ISCD to discuss that MOU on the record. I understand that there had been some discussion of allowing the Coast Guard to use the CSAT tools to identify those MTSA covered chemical facilities that might require additional security measures. I don’t know if that was included in the final MOU.

I would suspect that an update of the MTSA regulations might include the implementation of this MOU that may have been recently agreed to between these two DHS organizations.

Stuxnet Updates

I hope everyone had a good holiday. I did take a short break from writing about chemical security issues, but not from reading about them. Over the extended weekend I came across two new Stuxnet reports. The first was an update of a previous Stuxnet report, “Stuxnet Under the Microscope, v.1.3”; the second is an analysis of the effectiveness of Stuxnet in attacking centrifuges in Iran, “Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant?

I was pointed at the second report by a Christmas day blog by Ralph Langner which was appropriate since Ralph was one of the early proponents of Stuxnet being a specific attack on Iranian nuclear facilities. Ralph’s blog specifically points us at the concluding paragraph from that report. The last couple of sentences from that paragraph, reproduced below, provide an important segue to Ralph’s second blog of the holiday weekend.

“It is important for governments to approach the question of whether using a tool like Stuxnet could open the door to future national security risks or adversely and unintentionally affect U.S. allies. Countries hostile to the United States may feel justified in launching their own attacks against U.S. facilities, perhaps even using a modified Stuxnet code. Such an attack could shut down large portions of national power grids or other critical infrastructure using malware designed to target critical components inside a major system, causing a national emergency.”
Ralph and a number of other commentors have noted that the effectiveness of Stuxnet against a specific target is due in large part to knowledge about the specific equipment and programming protocols found at that target location. This requires, in addition to programming skills, some fundamental intelligence information and a detailed understanding of the process being attacked. Many have argued that the requirement for this level of information means that most process owners are, practically speaking, immune to such attack.

Ralph’s “Dirty Digital Bombs”

Ralph has come up with a descriptive new term for a concept that I have previously discussed here; the ‘Dirty Digital Bomb’. As I have noted before, random changes in PLC coding will be disruptive to modern manufacturing, including chemical manufacturing, processes. While they are unlikely to cause catastrophic failures, they are very likely to upset schedules or adversely impact product quality.

While I have looked at this type of attack as a method for industrial extortion, Ralph has taken a larger industrial view. He notes that: “The dirty digital bomb is a cyber weapon that inflicts low to medium damage to a large number of random targets.” He then goes on to explain that “small damage in many power plants may be worse than big damage in one specific power plant”. It would seem to me to be particularly true in a situation where there is a carefully crafted, interconnected power grid. A number of nearly simultaneous small failures could have a catastrophic effect on the grid as a whole.

He also points out that many modern industries are interconnected in a similar manner. Specifically he points at the German automotive industry with their interconnected web of suppliers. Again he points out that “small damage at many automotive suppliers may be worse than big damage at one specific car maker”.

I would further suggest that attacks of this sort, executed in fragile economic situations like we are currently undergoing, would have a further cumulative effect. The additional economic strain of having to recover from this type of attack could be catastrophic. Even in good times, having an entire industrial sector shut down for the weeks or months necessary to cleanse their control systems at the PLC level would have a cascading effect on the economy.

Chemical System ‘Dirty Digital Bombs’

To understand how easy it would be to adversely affect a wide variety of chemical processes with a single chem-stuxnet weapon all one has to do is to consider the ubiquitous valve in the chemical industry. Valves are used to control the flow of liquids, solids, and gasses and there are only a limited number of different PLCs that are used to control these devices. The timing of the opening and closing of valves is critical to the quality of chemical product manufacturing and, in many cases, the safe operation of chemical process facilities.

If the programming for one of the valve-control PLCs were changed by a chem-stuxnet worm to add even a 30 second delay in the execution of a ‘close’ command for that PLC there would be a wide variety of potential consequences ranging from improper raw material ratios (product quality impact), to overfilled containers (chemical spills), application of too much heat (or cooling, or vacuum or pressure) leading to a difficult to control process which could lead, in turn, to any number of quality and/or safety issues.

None of these would necessarily have dangerous consequences (though there certainly could be catastrophic consequences in some applications), but even the most benign result, an off-spec batch, can have significant economic consequences particularly if identifying the root-cause of the problem is complicated by the man-in-the-middle attack methodology used in Stuxnet.

Since the same type controller may be used in dozens, or hundreds of locations within a single facility, it would be inevitable that this single programming change would result in a complete stoppage of production at the facility while the problem was diagnosed. Once the problem was identified as being a programming issue, the process of completely removing the worm from the control system could entail weeks or months of work. If the worm was spread through a significant number of facilities, the shortage of trained experts to effect the removal and system restoration would cause additional delays in bringing all of the facilities back on line. Furthermore, once a multi-facility attack was identified, all facilities using the same controller would be taken off-line to ensure that they had not also been infected.

Such an attack would not require any specific process knowledge or any other kind of facility specific intelligence collection. All it would take is the knowledge of what type of PLC’s are used in valve control situations and an understanding of the programming of that particular PLC. All of that information is readily available.

Furthermore, valves are just one of a number of possible attack vectors that are found throughout a variety of chemical processes. Modules for the control of key process variables of weight, flow, temperature, and pressure could be similarly affected.

Cyber Security

To date the bulk of interest in the political community with cyber security has been focused on the information control side of things. This is because most people are at least partially affected by information systems in their everyday lives. It is easy to understand why it is necessary to protect personal, commercial or governmental information; we see the consequences of the failure to protect that information frequently in the news.

With the advent of the Stuxnet worms and its inevitable future variants and cousins, it is becoming increasingly clear that the protection of industrial control systems will be even more important to our industrial and economic safety. A systemic attack on the chemical process industry would have far reaching economic impacts on all other industries and our country as a whole.

When Congress returns in January, they are going to need to expand their interest legislating minimum standards for industrial control system security measures. To be effective those measures are going to have to span the entire gamut of the industrial control system community, from software and hardware vendors, to manufacturers that use such systems, and to the enforcement organizations that are going to become responsible for tracking down the perpetrators of attacks on these systems.

Effective legislation and regulatory action takes time to craft. The sooner that work is started the sooner our vulnerability to these types of attacks will become manageable.

Friday, December 24, 2010

111th Legislation Page Final Update

I just posted the final revisions that I will be making to the 111th Congress Legislation page. There are still a couple of links that are not available because the GPO does not yet have copies of the reports, but I won't bother going back to provide those links. The report numbers are posted for those who want to track down this now historical information.

Thursday, December 23, 2010

Chemical Sector Intelligence

I ran across an interesting document at PublicIntelligence.net, a sort of Wikileaks-lite that publishes a wide variety of unclassified but restricted distribution documents; documents marked with FOUO (for official use only) for example. This one purportedly came from the Colorado Information Analysis Center. The “Signs of Terrorism: Chemical Sector” is, basically a standard two-page flyer describing the types of suspicious activity that might suggest the possible preparation for an attack on a chemical facility or an attempt to gain access to weapon precursor chemicals. I would like to think that the CIAC has distributed this flyer to chemical manufacturing and distribution facilities through out the state.

The interesting thing about this document is that it includes abstracts from what were apparently suspicious activity reports submitted to law enforcement agencies in Colorado. The abstracts have been sanitized to avoid giving facility identifiable information (though one example should be readily recognizable by anyone who follows the national news). The illustrative SARS summaries are pretty well selected and are relatively recent.

I only have two minor negative comments about the incidents used to illustrate the indicators. First the incident used to explicate the ‘Elicitation’ indicator could be fleshed out some to show why it was a suspicious inquiry rather than a rather typical first call from a potential new customer. Next the second incident used for ‘Supplies’ could have been better used for ‘Impersonation’ which has no example provided.

Intelligence Reports

These five SAR summaries are great examples of the kind of intelligence information that could be provided to chemical facilities across the country; high-risk chemical facilities in the CFATS program in particular. I would expect that a little additional information would be used to flesh out the information. Even if subsequent investigations showed that the incidents were totally innocent (and most will turn out that way, such is the life of an intel analyst) the information could serve as an exemplar of the type information that facilities should be routinely reporting.

Even innocent incidents have good intelligence value. If for example the first facility ‘investigated’ by the Greenpeace ‘security inspection team’ had turned in a SAR about the visit, followed up by an explanation of what the folks were actually doing, it would have made the next facility security manager’s job that much easier when they showed up there. The investigation of ‘suspicious people taking pictures’ would quickly change into a ‘no problem just those Greenpeace folks’; a situation of no concern to security guards, just plant management. It would help decrease tension by presenting the security staff with a known and understood situation.

Chemical Sector Fusion Center

I doubt that the people at ISCD have the excess manpower or specialists available to produce such intelligence reports. I’m not even sure that they have set up a mechanism for security managers at CFATS facilities to submit such reports to a central agency or whether they would just go to the local Joint Terrorism Task Force or the local police intelligence unit (or just the cop on the beat?). While the JTTF would love to receive these reports, they may not have some one with the chemical expertise to recognize the significance of some of the reports. The disappearance of a gallon of thiobisenthanol (a precursor for a form of mustard agent) might not raise terrorism alarm bells, for example, at the local fusion center.

What is really necessary is the formation of a fusion center with the expertise to collect and evaluate SAR’s related to chemicals and chemical facilities. They could produce the kinds of intelligence reports that would be of special interest to the chemical security community. These would include the types of SARS summaries discussed above, but also intelligence products that would identify specific threats to specific areas of the chemical community. Their work could help to inform the efforts of chemical security inspectors and to provide technical information and support to police and JTTF investigations.

Signs of Terrorism are FOUO?

The Seven Signs of Terrorism (Colorado forgot to mention ‘Dry Run’ and ‘Deploying Assets’) are a well known and publicly available program to get people to get people to report suspicious activity. I suspect that the folks in CIAC marked this document ‘FOUO’ because of the SARS report summary information that was included. This is typical of the over-classification problem that afflicts most intelligence related information.

But let’s get serious here. There is nothing in this flyer that should cause any intelligence collection manager to think twice about the potential disclosure of intelligence assets or collection methods/technology. Putting the ‘FOUO’ markings on this will ensure that some of the people who need to see this (everyone that works at or around a chemical facility) will not get to because of someone took the vague classification overly seriously. Additionally, it will make some paranoid activist (not all activists are paranoid, nor are all paranoids activists) sure that they were included in a SAR because they were taking pictures of chlorine railcars and are thus marked for life.

People need to take a hard look at their markings of documents such as this. Additionally, every organization (like CIAC) should have someone whose job it is to remove excessive markings from documents. It will make information sharing easier and make documents that actually require restricted distribution more likely to receive that protection.

111th Congress Adjourns Sine Die

Yesterday the 111th Congress closed up shop, heading home for the holidays. Unless some emergency calls them back into session before hand, the next time the Senate and House meet will be on January 5th, 2011 at noon that being the date set for the first meeting of the 112th Congress. The Senate has all ready signaled that it expects to work that day.

Fall 2010 Regulatory Agenda – Security Training

On Monday I looked at the Fall 2010 Regulatory Agenda and the pending regulations that might be of interest to the chemical security community. Yesterday I addressed the ammonium nitrate rule listed in the DHS portion of that Agenda. Today I would like to look at the TSA rule that would look at security training for freight rail employees listed in the RISC portion of the Agenda (75 FR 79563-4).

Background

Actually this is just one of the three rules listed in the Agenda where TSA will be developing security training standards but the other two deal with passenger transport modes, so they will not be of direct interest to the chemical security community. All three rules were required by different sections of the Implementing Recommendations of the 9/11 Commission Act of 2007 (PL 110-53). Section 1517 is the section that required TSA to develop these training regulations within 6 months of the enactment of that law. Since that law was passed on August 3, 2007, TSA is late, especially since they don’t currently plan to have even a notice of proposed rulemaking until March 2011.

According to the Agenda the “rulemaking will propose general requirements for a security training program to prepare freight railroad employees, including frontline employees, for potential security threats and conditions”. Any requirements will have to be justified by a cost-benefit analysis. TSA intends to look at the following potential costs:

• Creating or modifying a security training program and submitting it to TSA;
• Training (initial and recurrent) all security-sensitive employees;
• Maintaining records of employee training;
• Being available for inspections;
• Providing information on security coordinators and alternates; and
• Reporting security concerns.
DHS will then evaluate these costs against the potential benefit by using a ‘break-even analysis’ to determine the degree that the training requirements would reduce the overall risk of a terrorist attack. The risk assessment would be based upon scenarios included in the TSA Transportation Sector Security Risk Assessment.

I’m not sure how many of the scenarios might reach a break-even point for the costs of training, but I am sure that at least one scenario would clearly justify, by this type of analysis, an attack on a toxic inhalation hazard (TIH) chemical rail car in a major urban area. The number of people potentially at risk in such an attack is very large.

Delays in Rulemaking

I haven’t talked with anyone at TSA about the delays in this rulemaking, but I can make an educated guess as to at least some of the reason. First and most obvious is that surface transportation risks have always been a lower priority at TSA than air transportation. The specter of the 9/11 hijackings is the obvious reason for this as is the long history of plane hijackings. Add to that the relative ease of securing an aircraft vs a train or bus, and it is easy to see why TSA has concentrated on the low hanging fruit.

Even within the surface transportation area, freight rail is a lower priority than public transit. This too makes a certain amount of sense since it is much easier to successfully attack a passenger train than chlorine rail car. A terrorist armed with no more than a handgun or even just an acid filled squirt-gun could successfully attract world-wide attention. There would be a much higher level of technical expertise required to cause a catastrophic release of a TIH gas from a railcar.

To date TSA has limited their freight rail security regulation efforts to establishing actual standards for security of TIH rail shipments. Many will argue that the security measures are inadequate and TSA does have problems with providing acceptable measures of the actual risk reductions achieved.

Finally, TSA has included limited training requirements in their freight rail security rule. Those requirements are primarily limited to identifying improvised explosive devices. In fact TSA has produced a video that can be used in that training.

Security Training

As my readers will probably expect, I have definite ideas about what types of things should be included in any security training regulations for freight railroad employees. First and fore most, TSA has to be careful of how they define ‘security-sensitive employees’ that will be required to be trained. If they limit this training to just the ‘front-line’ employees that physically deal with trains and railcars, they will do a severe disservice to the American public. Any employee of a railroad that handles TIH chemical shipments should be considered a ‘security-sensitive’ employee for purposes of this regulation.

TSA should probably take a page from the safety training requirements used by PHMSA for hazmat shippers. The security training should follow the same two tier level of general awareness training and position specific training. Everyone should be trained on the general awareness of the terrorist threat, including:

• Explanation of current threat level,
• Discussion of potential attack consequences,
• Review of history of terror attacks on freight rail assets,
• Identification of pre-operational surveillance techniques, and
• Discussion of suspicious activity reporting procedures.
The position specific training needs to be tailored to the duties of each employee that may be required to accomplish security related task in support of the railroads efforts to prevent a successful terrorist attack on TIH railcars. The inclusion of the word ‘successful’ is very important because it needs to include emergency response measures and evacuation procedures that would be used in the event of both catastrophic and relatively ‘minor’ releases of a TIH chemical in the event of an attack (NOTE: these would mostly be the same for an accidental release).

Typically there would be a generic requirement in any rule of this sort for employees to be specifically trained on the requirement of the job outlined in the railroad security plan. Since TSA has yet to establish a requirement for railroads to have a security plan (there are only vague ‘requirements’ to conduct a vulnerability assessment), it would be difficult for TSA to include such language in a training regulation. To be fair, I suspect that most railroads do have security plans.

A key component of the job specific training would be communications measures to be used in the event of a suspected or actual attack. Not only does this need to include internal communications, but communications with local first responders. This is particularly important for train crews since they will typically transit many different jurisdictions during any train movement of any length. Being able to contact, and provide applicable information to, the local response agencies would be critical for any effective emergency-response to an attack on a TIH railcar.

Finally, any railroad employee that could reasonably be expected to be exposed to a TIH chemical release in the event of a terrorist attack (or accidental release), needs to be trained in the specific hazards associated with each TIH chemical transported by that railroad. This must include information on how the employee can identify that a release has occurred and determine how best to avoid critical exposure to the toxic cloud.

Training is a key component of any security plan. The best plan in the world will be absolutely worthless if the employees that must execute the plan are inadequately trained in its implementation. TSA has a responsibility to ensure that effective security plans are in place and that the employees are properly trained to execute those plans.

Wednesday, December 22, 2010

112th House Homeland Security Subcommittee Chairs

The HomelandSecurityNewswire.com web site reported yesterday that Rep. King (R, NY), the Chairman of the House Homeland Security Committee in the 112th Congress, announced the sub-committee chair for that committee. Additionally, the Sub-Committee names have apparently been changed to reflect a slightly different focus. The Chair and revised sub-committee names are:
• Rep. Candice Miller (Michigan)[Corrected 8:48 pm 12-23-10], chairman, Subcommittee on Border and Maritime Security (Formerly - Subcommittee on Border, Maritime and Global Counterterrorism)

• Rep. Patrick Meehan (Pennsylvania), chairman, Subcommittee on Counterterrorism and Intelligence (Formerly - Subcommittee on Intelligence, Information Sharing and Terrorism Risk Assessment)

• Rep. Dan Lungren (California), chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies (Formerly - Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology)

• Rep. Gus Bilirakis (Florida), chairman, Subcommittee on Emergency Preparedness, Response, and Communications (Formerly - Subcommittee on Emergency Communications, Preparedness, and Response)

• Rep. Michael T. McCaul (Texas), chairman, Subcommittee on Oversight, Investigations, and Management (Formerly - Subcommittee on Management, Investigations, and Oversight)

• Rep. Mike Rogers (Alabama), chairman, Subcommittee on Transportation Security (Formerly Subcommittee on Transportation Security and Infrastructure Protection)
There is a fairly substantial re-working of sub-committee assignments reflected in the new list of Chairs. Only two of the newly appointed Chair (Miller and Lungren) served as Ranking Member in the same Sub-Committee in the 111th Congress. The remaining Chair listed were not even members of the respective Sub-Committee in the current Congress.

All of these sub-committees will have some coverage of issues of interest to the chemical security community. The two major sub-committees for chemical security legislation, however, will be the subcommittees chaired by Rep. Lungren and Rep. Rogers.

Fall 2010 Regulatory Agenda – Ammonium Nitrate

Long time readers of this blog knew that this post was coming; my twice a year note that the most recent Regulatory Agenda once again slipped the expected date of the publication of the notice of proposed rule making for the control of the sale and distribution of ammonium nitrate. It now lists (75 FR 79542) the expected date of the publication of the NPRM as March, 2011; the law mandating the development of this regulation required the NPRM to be published by May 26, 2008.

Background

As part of the 2008 Consolidated Appropriations Act (Subtitle J, §563, PL 110-161), Congress required DHS to “regulate the sale and transfer of ammonium nitrate by an ammonium nitrate facility. . .to prevent the misappropriation or use of ammonium nitrate in an act of terrorism”. This requirement was recognition of the ease of converting ammonium nitrate into explosive devices, particularly the large, vehicle borne improvised explosive devices that were used in Oklahoma City and New York. In fact, ANFO (an ammonium nitrate fuel oil mixture) is a widely used commercial explosive and is already federally regulated.

Various forms of ammonium nitrate are included in Appendix A to 6 CFR part 27, so individual facilities that use, manufacture or store ammonium nitrate are potentially covered by the CFATS regulations. But the CFATS regulations cover facility security measures not the sale or transfer of ammonium nitrate. And because of the §550 restrictions on CFATS, there would be no way that a registration regime could be established under that program.

DHS issued an advance notice of proposed rulemaking (ANPRM) for this regulation back on October 29, 2008 (73 FR 64280). I blogged about the ANPRM and did a number of postings about the public comments received (11-07-08, 12-05-08, 12-12-08, 12-22-08, 12-29-08, 01-09-09, and 01-30-09). There were a number of interesting and complex issues addressed in those public comments and it was obvious, to me at least, that Congress had under estimated the complexity of the ammonium nitrate issue. Even so, a regulation (probably both an NPRM and final rule) should have been able to have been written in the almost two years since the close of the comment period on the ANPRM.

Political Issues

About twice a year I make an official request to DHS about the status of the Ammonium Nitrate regulations and I get told by highly placed officials in ISCD that the NPRM will be published in a couple of months. When I ask about the delays to date, I get vaguely worded comments about the current draft being reviewed by the Administration. Now, I trust these people to be giving me the correct information, as far as they know it. They have not been reticent about telling me that they can’t tell me something when it was appropriate.

So what could cause the people working directly with the regulation to be so unsure of when it will be published? The short answer is simply politics; and as usual the simple answer is very complex. First one has to realize that this is inevitably going to end up being another bureaucratic requirement that will provide no discernable benefit to the regulated community. So industry will have some amount of added costs without any appreciable benefit.

The manufacturers and distributors of ammonium nitrate will have a new record keeping burden imposed upon them. The actual cost of registration and recording and storing the transaction histories will be relatively minor (‘relatively minor’ is perhaps a stretch in an economy as challenged as the current one is). There will be the additional burdens of keeping up with a new set of regulations, inevitable inspections (if there are no inspections there is no regulation) and the potential for stiff fines. In addition there is increased legal liability for any use of ammonium nitrate as a terrorist weapon (instead of a ‘reasonable person’ standard there will now be a detailed regulatory standard that will be used to determine if a company took appropriate precautions to prevent the terrorist’s use of the ammonium nitrate).

Another side of the political issue rests with additional burdens imposed on the largest users of ammonium nitrate, farmers; both large agribusinesses and smaller family farmers and co-ops. The cost of registration should be relatively low (assuming that there is a registration fee and that seems to be inevitable). The bigger problem is having to go through the registration process, particularly if individual farm workers, who will physically pick-up the ammonium nitrate from the distributor, have to be registered and have an Ammonium Nitrate Registered User ID.

One other party that may be affected by the ammonium nitrate regulations will be the State agencies that currently regulate fertilizer use/sales. It currently looks like they may be the people that actually administer the registration program. The added program would impose additional costs on those agencies. In the current economic climate States can ill afford to have any additional regulatory burdens imposed upon the by the federal government.

Agriculture Lobby

The three groups identified above (manufacturers/distributors, farmers, and State regulators) are all a part of the great amorphous political blob known as the agriculture lobby or more commonly, the farm lobby. They are one of the most powerful political powerbases in Washington, DC and they wield their power fairly effectively. One only has to look at how they forced DHS to cave on the propane screening threshold quantity issue and the ‘temporary top screen’ exemption that they forced ISCD into issuing to see how effective a lobbying force they are.

They have also forced the Department of Transportation to provide hours-of-service exemptions for the delivery of farm supplies and commodities and to exempt farmers from the Hazmat Endorsement requirements for hauling hazardous materials like ammonium nitrate and anhydrous ammonia. They have ensured that safety and security will take second place to the hallowed rights of the yeoman farmer.

Full Disclosure Note: For years my father operated what can only be called a hobby sheep ranch (no more than 50 head of pure-bread sheep) and every year he filled out the paperwork for and cheerfully cashed his wool subsidy check. And typically took my mother out to dinner with the small proceeds.

Political Inaction

With the Obama administration concentrating on a number of controversial economic and social issues, it is not surprising that there has been little effort to move this regulatory process forward. They have little to gain in opening another contentious issue to public discussion, even when required to do so by law.

Meanwhile, the career folks at ISCD are playing the part of the dutiful soldiers. They don’t complain when their political bosses put politics above protecting the public from potential terrorist attacks using legally obtained ammonium nitrate. Unfortunately, they will also probably be the ones getting the lion’s share of the blame when the next ANFO VBIED goes off in an American city.

Tuesday, December 21, 2010

House Passes Revised HR 3082

This evening the House passed the Senate revised version of HR 3082 by a roll-call vote of 193-165, a nearly party-line vote. This bill amended the continuing resolution passed this last September, extending the expiration date of the CR until March 4, 2011. This also extends the CFATS authorization to the same date.

The 112th Congress will have just about two months (including a 29-day February) to complete the development of 12 spending bills that will be able to be passed in a Senate more evenly divided between the two parties. If the Republicans push the budget cutting envelope too hard, the bill will not pass the majority Democrat Senate; the Republicans will need a number of Democratic defectors to get their legislative agenda passed. Even then they will face the prospects of an Obama veto which they won’t have the votes to overturn in either house.

January and February look to be a very contentious political time unless moderates in both parties can find a way to work together against the more extreme members representing ‘the base’ of each party. I expect that we’ll see more partisan fireworks and not much bipartisan cooperation. I predict that we’ll see at least one more continuing resolution extension before a budget bill is passed.

Oh yes, remember that every day spent working out the details for the FY 2011 budget will take away from preparing for the FY 2012 budget; on the Hill and I suspect at the White House. I’ll have plenty of political fodder for this blog next year.

DHS ICS-CERT Issues New Alert for Ecava IntergraXor

DHS ICS-CERT has issued an alert for a newly reported vulnerability in the Ecava IntergraXor web server. They report that a security researcher discovered the susceptibility to a directory traversal attack and that an exploit is available. ICS-CERT is working with the vender on developing mitigation measures. No further details are available at this time.

This is a new vulnerability in addition to the earlier Ecava IntergraXor advisory that I reported upon last week.

Photographer Rights

Long-time readers of this blog will certainly have seen me comment on the importance of detecting the surveillance phase of a potential terrorist attack. Alerting the police and FBI of a potential attack is one of the best security measures that a facility has to prevent a successful terrorist attack. I have also mentioned that one of the indicators of possible pre-operational surveillance is someone taking pictures of the facility. I have tried to make it clear that ‘an indicator’ is not proof of terrorist surveillance and that someone taking pictures from public areas is not doing anything illegal.

There is an interesting blog posting over at NetworkWorld.com that addresses this issue from the point of view of a photographer. It should be required reading for all security managers and front-line security personnel. Now the blog is not a legal opinion, and some will consider the author to be an anti-government zealot (a appellation which the link associated with the picture accompanying the blog post would encourage), but it is a clear statement of the point of view of legitimate photographers.

I have been pleasantly surprised that there have been no reports of confrontations between facility security staff and Greenpeace activists conducting their photographic ‘security inspections’ of high-profile chemical facilities. These Greenpeace activities have clearly been part of their politically protected free speech rights. While I expect that their activities have discomforted the applicable security personnel, the lack of complaints about harassment by security personnel indicate that the security managers at these facilities have well understood the situation and had appropriately trained their security personnel.

Potential Surveillance Must be Investigated

Unfortunately, these types of photographic activities could also be used by terrorist planning an attack on a high-risk facility. As such they need to be investigated and reported. Investigational procedures must be developed that take into account to potential dual nature of such incidents.

Anyone talking with a photographer on public property must be well trained in their responsibility for positively representing the facility owners and workers. They need to be polite and respectful in the limited questioning that they conduct. Physical contact must be strictly prohibited and intimidation should be avoided at all costs. Politely requesting that the individual stop photographing the facility is acceptable, but anything that leaves the impression that the person is required to stop taking photographs leaves the facility vulnerable.

Role playing exercises are probably the most effective component of training for security personnel to deal with public encounters of all types, and would be particularly appropriate for situations of this sort. Clear identification of inappropriate responses in such training will go along way in avoiding inappropriate confrontations along the facility perimeter.

Site Security Plan

Now this is not something that I have seen covered in the Risk Based Performance Standard guidance document, and is probably not something that the DHS Chemical Security Inspectors will check when they visit a facility (though I might argue that they should). Having said that, this is certainly an example of the type of situations that Security Managers will to have to deal with in developing their security programs.

DHS-ISCD Publishes New CFATS Pamphlets

Today the folks at ISCD published links to two pamphlets on their CFATS Knowledge Center web page. Its not clear that these are really ‘new’ pamphlets (one has a publication date of ‘July 2010’ printed on the cover), but they have not been available on the CFATS web site before today. The two informational pamphlets are:
CFATS Colleges and Universities Brochure
CFATS Tri-fold Brochure
These are the types of brief informational brochures that you would expect to find at a trade-show booth. In fact, I would not be surprised to hear that they were available at the sign-in desk at the 2010 Chemical Sector Security Summit. The tri-fold brochures are not really the best format for information on the internet, so DHS has also made these brochures available in a more conventional format in Articles 1718 and 1719 on the CFATS Knowledge Center web page.

Once again there is nothing in the ‘Latest News’ section alerting the casual web surfer to the existence of the new documents. Someone deliberately looking for information would find these documents listed in the ‘Documentation’ section of the main page as well as in the ‘Documentation’ section of the following pages on the web site:

● Top-Screen
● SVA
● Inspection
● CVI (CFATS brochure only)
● Appendix A
There is no real new information in any of these brochures, but they do provide brief, factual overviews of the CFATS program. I would not be surprised to see security contractors, integrators, and consultants using these brochures on their tables at trade shows.

Suspicious Activity Reporting Final Rule

The Department of Homeland Security published their final rule to amend its regulations to exempt portions of a newly established system of records titled, “Department of Homeland Security/ALL – 031 Information Sharing Environment, in the Federal Register today. This rule goes into effect today.

This follows the submission of an NPRM back in September, upon which I previously reported. DHS received a few comments, mostly supportive, on that NPRM and they address those comments in the preamble to this final rule, clarifying a number of issues.

Justice Department Program

One important area of clarification that DHS makes in this rule document is that the underlying program that this rule supports, the Nationwide Suspicious Activity Reporting Initiative (NSI), is overseen by the Department of Justice (DOJ). Thus DHS is required to adhere “to the requirements established by the NSI requiring participants to apply the ISE-SAR Functional Standard Version 1.5 in determining whether a suspicious activity is an ISE-SAR” (75 FR 79947).

This clarification also has applications to the definition of one of the controversial terms used in the NPRM. The NPRM described the people who might have access to the collected information as “federal departments and agencies, state, local and tribal law enforcement agencies, and the private sector [emphasis added]” (75 FR 55290). In the preamble to this rule DHS explains that it “does not maintain a list of private sector partners or entities who are authorized NSI participants” as that responsibility rests with the DOJ system managers.

FOIA

One commentor wanted DHS to clarify which items of information would be protected under the Freedom of Information Act, requesting blanket exception be described for certain classes of information. DHS responded that this rule does not provide any exceptions to the FOIA disclosure rules. They also note that the “FOIA currently does not provide for a standard “blanket exception” for ISE-SARs data filed by a private-sector entity reporting an information-security related attack” (75 FR 79949).

DHS does note that that if an FOIA request was received asking for disclosure of information about a reported cyber security attack by a private sector organization that the current FOIA rules, for example “Exemption 4 which applies to trade secrets and commercial or financial information obtained from a person that is privileged or confidential may apply in this instance), would be applied when processing that request.

Personally Identifiable Information

A comment was received questioning the protection of personally identifiable information in the DHS ISE-SAR program. Again, DHS reminds the commentor that the use of personally identifiable information in the NSI is not governed by DHS rules. DHS does maintain that the information that it enters into the system will be via the “Summary ISE-SAR Information format, which excludes privacy fields or data elements that contain PII as identified in Section IV of the ISE-SAR Functional Standard”.

Further Questions

DHS notes that anyone with additional general questions about this rule and the associated “Department of Homeland Security/ALL – 031 Information Sharing Environment Suspicious Activity Reporting Initiative System of Records” should contact the DHS Office of Intelligence and Analysis or the DHS Privacy Office.

Monday, December 20, 2010

Middle Length Continuing Resolution

The current plan in the Senate to solve the appropriations situation is offer an amendment (S. Amdt 4885; the text can be found on pages S210742-4 of the December 19th Congressional Record) in the form of a substitute for HR 3082. That amendment would, in turn, amend the Continuing Appropriations Act, 2011 (Public Law 111–242) that was passed in late September. It will extend the date for that Continuing Resolution to March 4, 2011, and will make some relatively minor spending changes.


As of this evening, it does not appear that there will be anything in the S. Amdt 4885 that will directly affect the chemical security community other than the extension of the current CFATS authorization to March 4, 2011. There will be a cloture vote to cut off debate on the amendment tomorrow (12-21-10), and hopefully the bill will pass soon enough to allow the House to vote on agreeing to the amendment before the midnight close of the current continuing resolution.

If Sen. Reid cannot get the necessary votes for cloture on this Amendment (he will almost certainly get the votes in my opinion as this amendment is essentially what both the Senate and House Republicans asked for in the first place, to allow them to set the spending program for the remainder of FY 2011 when the House Republicans come into power in January), the House will have to pass another short term CR (probably until Christmas Eve) to allow a better deal to be worked out.

Helpful Tips on CFATS Knowledge Center

This morning DHS-ISCD updated their CFATS Knowledge Center web page to include links to the “Helpful Tips for Completing a Chemical Facility Anti-Terrorism Standards (CFATS) Site Security Plan”. The link can be found on the ‘Documentation’ section of the main page (lower left corner on ‘3rd page’). When you click on the ‘Site Security Plan’ button, the link is also displayed in the ‘Documentation’ section. There is no notice in the ‘Latest News’ section, but a person looking for SSP help would reasonably be expected to find this helpful document.

Fall 2010 Regulatory Agenda

Today the Obama Administration published their Fall 2010 Regulatory Agenda in the Federal Register. Each Department in the Executive Branch published a summary of all current and projected rulemakings, existing regulations, and completed actions for their agency. A separate listing for the Regulatory Information Service Center provided a more detailed regulatory plan listing specific rules currently in the regulatory development process.

Regulatory Agendas of potential interest to the chemical security community include:

Department of Homeland Security
Department of Transportation
DHS Regulatory Plan

The following regulations in the DHS portion of the RISC regulatory plan (75 FR 79536-79571) may be of specific interest to the chemical security community

• Secure Handling of Ammonium Nitrate Program – 75 FR 79542
• Updates to Maritime Security – 75 FR 79554
• Importer Security Filing and Additional Carrier Requirements – 75 FR 79556
• Large Aircraft Security Program, Other Aircraft Operator Security Program, and Airport Operator Security Program – 75 FR 96561
• Freight Railroads—Security Training of Employees – 75 FR 79563
• Air Cargo Screening – 75 FR 79567
DOT Regulatory Plan

The following regulations in the DOT portion of the RSIC regulatory plan (75 FR 79606-79626) may be of specific interest to the chemical security community

• Hazardous Materials: Limiting the Use of Mobile Telephones by Highway – 75 FR 79624
• Hazardous Materials: Limiting the Use of Electronic Devices by Highway – 75 FR 79625
I plan on looking as some of the specific rule makings in future blog postings.

Senate Chemical Security Committee Reports

There have been a number of pieces of legislation in the 111th Congress that have been of some potential concern to the chemical security community that have stalled in the Senate after the appropriate committee ordered the bill to be reported favorably. After months of seeming inactivity, the following such bills were reported last week:
• HR 2868 – Chemical and Water Security Act of 2009
• S 773 – Cybersecurity Act of 2009
• S 1274 – A bill to amend title 46, United States Code, to ensure that the prohibition on disclosure of maritime transportation security information is not used inappropriately to shield certain other information from public disclosure, and for other purposes.
• S 1649 – Weapons of Mass Destruction Prevention and Preparedness Act
• S 3480 – Protecting Cyberspace as a National Asset Act of 2010
Amendment in form of Substitute

Each of these bills was passed in committee with bipartisan support. They were also amended with a significant re-write of the wording of the legislation in what is called an “amendment in the form of a substitute”. In each case there was no public record of the final form of that proposed legislative wording; that public disclosure is typically made in the report the committee files on the bill. That report also contains a detailed explanation of what the committee expects that legislation to accomplish; what is known as ‘congressional intent’.

In the three bills reported by the Senate Homeland Security and Governmental Affairs Committee (HR 2868, S 1649, and S 3480), the bills were reported with a Senate Report number provided, though as of this morning, there is no copy of that report available through the Government Printing Office. The two remaining bills (S 773 and S 1274) were reported by the Commerce, Science and Transportation Committee without a written report. In other words, starting the final week of the 111th Congress, we still don’t know what the final amended versions of these bills looks like.

No Further Action Expected

While each of these bills passed in committee with bipartisan support, they were controversial enough in their provisions to have garnered significant opposition; enough opposition that, in all but one case, there was little chance of the bill actually making it to a floor vote in the Senate. This was part of the reason for the delay in the reports being filed; there were significant behind the scenes negotiations being made to find accommodations that could be made to allow the bills to be passed.

The exception in this list is S 1274. This bill, as long time readers will remember, was introduced by Senators Rockefeller and Byrd, both from West Virginia. It was introduced in reaction to the disclosed efforts made by Bayer CropScience to hide information about a fatal chemical accident at their Institute, WV from the Chemical Safety Board by declaring the information to be protected from disclosure by the Maritime Transportation Security Act (MTSA). Wording effectively similar to this bill was successfully included in the FY 2010 DHS appropriations bill.

At this late date, no further action is expected on any of these bills. The filing of these reports just officially closes out the committee action on these bills. The Homeland Security Committee reports will eventually be printed by the GPO to become part of the historical record. When the Senate adjourns for the last time later this week, any future action on these legislative efforts will have to start all over again in the 112th Congress, and most of them will probably re-appear in early 2011.

Saturday, December 18, 2010

No Change in CFATS Knowledge Center

Its not often one takes the time to write about something that hasn’t changed, unless of course it should have. That’s the case in this blog post; I’m reporting that in the last week there has been no change in the CFATS Knowledge Center web page and I think that it would have been reasonable to expect a change.

A week ago yesterday, DHS added a rather short but valuable document to the list of CFATS supporting documents, the “Helpful Tips for Completing a Chemical Facility Anti-Terrorism Standards (CFATS) Site Security Plan” pamphlet. I covered this pamphlet in some detail an earlier blog. Needless to say it is a document that I recommend that every facility in the CFATS program out to have and use.

Unfortunately, there is not a single mention of this document on the CFATS Knowledge Center web page. Since this page is, without a doubt, the single, most-valuable, go-to source of information about all things CFATS this is a very unusual oversight.

I suspect that it is an internal information-sharing issue where the SSP people aren’t sufficiently talking with the people that maintain the CFATS Knowledge Center. If that is the case, and it wouldn’t be an unusual occurrence with all that is going on in the ISCD offices, it is an issue that needs to be resolved quickly.

The regulated community should be able to rely on the CFATS Knowledge Center as a one-stop shop for CFATS information. The remaining web pages are great, but most people in this business don’t have the time to conduct daily reviews of all of the pertinent chemical security sites on the web. The CFATS Knowledge Center should be the one page that everyone goes to on a daily basis to see if there are any changes in the information that DHS wants to share with the chemical security community.

Friday, December 17, 2010

ICS-CERT Updates Netbiter WebSCADA Advisory

This afternoon the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an updated version of their advisory on multiple vulnerabilities in Intellicom Netbiter WebSCADA. The revision provides information on the software update made available by Intellicom.

Intellicom’s patch for their WS100/WS200 products “limits the ability to read system files and eliminates the ability to perform directory traversals”. The “ISFR-4404-0010.npb” patch is available http://support.intellicom.se.

Another Continuing Resolution

The House is preparing to pass another short term continuing resolution, H. J. Res 105 [Note: Corrected typo on Resolution Number 9:19 pm EST]. This rule recognizes that that the Senate and House will almost certainly not complete action on an FY 2011 budget before midnight tomorrow and will provide for funding of the federal government at the current levels until midnight Tuesday, December 21, 2010. As with the two previous CR’s this resolution would extend the CFATS authorization until the same date.

Republicans in the House are providing pro-forma opposition to this resolution, but it will ultimately pass in the House and Senate this afternoon. The form of funding past the new time limit has yet to be decided; it could (but is unlikely to) be the previously described Omnibus Appropriations Bill, Senate concurrence with the House version of HR 3082, or possibly a longer version of this type of resolution continuing current funding until some time in February.

More Chem Security Details from Omnibus Appropriations Act

NOTE: While I was working on this blog posting last night AP began reporting that Sen. Reid (D, NV) was no longer planning on bringing this amendment to a floor vote due to the lack of enough Republican votes to get a cloture vote. It now appears that the Senate Appropriations Committee will be working on a short term Continuing Resolution with a termination date sometime next February. This whole appropriations thing is far from resolved. I’m still posting this to show what has been under consideration.

As promised I have had a chance to review the DHS explanatory statements from the Congressional Record for December 14th. The Senate Appropriations Committee web site now has a link to the 2nd part of that statement covering the remainder of the bill. The DHS portion of the statement can be found at pages S9709 to S9733 (to view individual pages go to this page and insert the specific page number in the block at the bottom of the page).

Reports Required

The explanatory statement includes requirements for number of reports to Congress about various parts of the CFATS program and other chemical security related programs. The required reports include specific reports listed in the statement and reports included by reference to the Senate Report on S 3607 (Senate Report 111-222). Subjects include:
• Status of expedited hiring of chemical facility inspectors (delayed again this year because of the lack of a DHS spending bill) (Senate Report pg 98)
• Status of “the plans to resolve the differences between and standardize risk evaluations for chemical facilities regulated under Chemical Facility Anti-Terrorism Standards and the Maritime Transportation Security Act” (S9709)
• The “the feasibility and merits of establishing a Deputy Assistant Secretary for Surface Transportation to lead the security programs and personnel for non-aviation transportation security” (S9714)
• The process to expedite industrial control system security standards development (S9717)
CFATS Requirements

The Senate Report specifically mentions the amount of money to be spent on the ‘infrastructure security compliance’ within the Infrastructure Protection Mitigation Programs budget listing. This is the $105 million figure that I have previously reported. The Report notes (pg 97) that this funding “includes the chemical facility and ammonium nitrate security programs”. Interestingly the Department has yet to produce the first draft of the regulations establishing that ammonium nitrate security program, a program that Congress directed to be in place in 2008. The problem that ISCD is having with the political reviews within the Administration bodes ill for the public consideration that this program will receive when the NPRM is finally published.

Both the explanatory notes (page S9716) and the Senate Report (pg 98) take the unusual step of looking at a specific CFATS SSP review measure. While Congress has specifically denied the Secretary the authority to require specific security measures, Senate would direct the Secretary (under RBPS #9) to “consider whether or not a covered facility has an effective communications mechanism between the facility and local law enforcement and other first responders”. The Report goes into some level of detail about a ‘dedicated telecommunications system’ between the covered facility and the ‘local public safety answering point’. These provisions have undoubtedly been inspired by the problems of public-private emergency communications that have been seen in the many recent chemical release incidents in and around Institute, WV.

Moving Forward

As I mentioned in the prefatory note to this post, it looks like the Omnibus Appropriations Act has been still born. It will be interesting to see if any of this language makes it into the Continuing Resolution that is being developed in the Senate. There is a deadline of Saturday for getting something done. It could include a very short term CR to give people time to draft an intermediate term (February) CR, or it could even end up being a vote to pass the House version of HR 3082.

The open question is how many of these provisions from the deceased Omnibus Appropriations Act will make it into any new Continuing Resolution. There are obviously people on the Senate Appropriations Committee (and perhaps its staff) that really want these measures to be included in an appropriations bill. Since there is an open question about how these provisions might survive in the 112th Congress, the provisions may yet make their way into any legislation funding DHS, no matter what the time fram.

At this point there is no telling what is going to happen.
 
/* Use this with templates/template-twocol.html */