Friday, December 30, 2011

Another Look at ISCD Problems – Who Misled Who?

There is an interesting piece over at CEN.ACS.org about the recent news that there are problems at ISCD. Since the author, Glenn Hess, has not seen the actual DHS report that started this discussion (nor apparently has anyone outside of Fox News and NPPD) the news focuses on the response of Sen. Collins (R,ME) and Bill Almond, a VP at SOCMA; both of whom have been vocal supporters of the current CFATS structure.

Congressional Oversight


Not surprisingly Sen. Collins is upset that DHS “mislead Congress about the effectiveness” of the CFATS program. Now I don’t know what information DHS provided to Congress in private, but I have watched most of the public testimony before the three respective committees looking at CFATS and any member of Congress that was misled by Under Secretary Beers’ testimony just wasn’t paying much attention.

For almost the last two years now Beers has dutifully reported the painfully slow progress in proceeding with the completion of the site security plan review and approval process. Rather than questioning him in detail about the problems at ISCD almost all of the Congresscritters involved in multiple hearings have focused their questions on the IST debate. Political critters from both sides of the aisle have patiently and persistently tried to get him to make one statement or another in support of their pet stance on that issue. IST, pro and con, has been the focus of Congressional oversight, not the performance of ISCD and progress of CFATS implementation.

For instance, the article quotes Collins as saying that the report “contradict the official testimony of department officials”. She was referring to the March 2010 hearing where Beers told the Committee that ISCD had started the pre-approval inspection process. What no one on the Committee considered asking was why DHS found it necessary to add a ‘pre-approval’ inspection process that was never explicated in the original regulations. The answer to that question (that had been provided to industry in multiple forums) would have nearly completely explained the continued slow pace of site security plan approvals today.

If one were to look back at the first couple of rounds of CFATS hearings that Beers testified at he always had Director Sue Armstrong at his side. As one would expect from one in Beer’s position as Under Secretary for National Protection & Programs Directorate he would answer the questions dealing with overall policy and the grand sweep of the program. When questions were asked about the details of the operation of the program he would let Armstrong provide the answers.

Lately however, he has been a solo act. His role as explicator of the grand strategy has not changed. But the usefulness of his testimony without the active support of a knowledgeable ISCD Director at his side has been limited. Fortunately for him (in the short run), Congress did not notice because they were more interested in political theater instead of overseeing the chemical security program that they handicapped in the first place.

Lack of Leadership


The Chemical Engineering News article notes a couple of interesting points by Bill Almond. He noted that the arrival of the Obama Administration initiated a lot of management turnover in NPPD in general and ISCD in particular. While this type problem affected large portions of the Executive Branch it was particularly devastating at a small, underfunded and understaffed agency like ISCD that was trying to put together a completely new and innovative regulatory program.

I am surprised that Bill did not take his argument one-step further. One of the reasons that DHS had problems finding qualified people to take the slots that kept coming open was that Congress could not find a way to reach a consensus on how to make this critical security program a permanent part of DHS. Imagine how hard it must have been to attract up and coming managers to a program that could die at the end of the fiscal year just because of Congressional inaction. This is yet another reason SOCMA and other industry organizations could use to support their demand for a long-term authorization of the current CFAT program.

Added to that, there was the continued in-fighting within the Administration about how important sub-programs (like the CFATS personnel surety program, the ammonium nitrate security program, and the MTSA harmonization program) would be implemented. Drafts of the ammonium nitrate security program rule were circulated within the Administration for almost three years before the NPRM was introduced this fall.

It was little wonder that there was a lack of effective leadership at ISCD to handle the inevitable problems that would arise with implementing an new regulatory program.

Moving Forward


As a true-believer I am saddened to see the problems that ISCD has been having with the completion of the implementation of the CFATS program. It is somewhat encouraging to hear that they have looked at the problems and come up with an extensive program to correct their shortcomings. I would be more encourage, perhaps, if there were a more public discussion of the details in the report.

I suspect that the appropriate place for that discussion will be before the three congressional committees that have been ‘exercising’ such poor oversight of the program in the first place. That doesn’t provide me with much hope however. This coming year (just a couple of days away now) is an election year and that will encourage more political theater, not less.

Thursday, December 29, 2011

DHS Publishes New ICR for IP-SSARSAT

Today DHS published a 60-day Information Collection Request (ICR) notice in the Federal register for a new ICR to support the NPPD’s IP Sector Specific Agency Risk Self Assessment Tool (IP-SSARSAT). This is the first step in the Department’s efforts to get approval from the Office of Management and Budget for the voluntary collection of information from private sector entities to support the operation of this program.

This program is administered by the Office of Infrastructure Protection’s Sector Specific Agency Executive Management Office (SSA EMO). It is an automated information collection and assessment tool (apparently existing) that allows owner/operators of critical infrastructure and key resource (CIKR) facilities to ‘assess the risk of the evaluated entity’. It allows for the:

• Calculation of a vulnerability score by threat;

• Evaluation of protective/mitigation measures relative to vulnerability;

• Calculation of a risk score; and

• Reporting the threats presenting highest risks.

The only information that is required to be shared with DHS in this evaluation process is “venue identification information (e.g., point-of-contact information, address, latitude/longitude, venue type, or capacity)” (76 FR 81956). The results of the risk assessment may be shared with the SSA EMO at the discretion of the owner/operator.

I’m pretty sure that this is an existing program, but I cannot find any mention of it, or link to it on the Department’s web site. The ICR notice provides point of contact information (Jay Robinson, jay.robinson@hq.dhs.gov) but that POC is typically about the ICR submission not the associated program.

The ICR claims that the start-up costs for this program are $0 with annual operating costs of $14,400. This would tend to support my supposition that this is an existing program. The ICR estimates that there would be 4,000 respondents annually and that each assessment would take about 8 hours to complete.

Public comments on this ICR can be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2011-0069). Comments should be submitted by February 27th, 2012.

NIAC Meeting Announced

Today DHS published a notice in the Federal Register (76 FR 81956-81957) announcing a meeting of the National Infrastructure Advisory Council on January 10th, 2012. At this public meeting the Council will receive a working group report on a recently conducted Public/Private Sector Intelligence Information Sharing Study.

There will be a brief period for public comment after the working group makes its report and recommendations for further work in this area. After that comment period the Council will deliberate on the topic and make decisions on further actions to be taken by this working group.

Written comments on the topic may be submitted through the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2011-0117) and must be submitted by January 3rd if they are to be considered by the Council in their deliberations.

Individuals wishing to make public comments at the meeting will need to register at the site no later than 15 minutes before the start of the meeting. Comments will be limited to 3 minutes per person and a total of 30 minutes has been allotted for comments. Commenters will be accepted on a first registered basis.

Wednesday, December 28, 2011

ICS-CERT Upgrades Another Advisory

Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) upgraded another alert to an advisory as the vendor provided appropriate mitigations for the reported vulnerability. This time the vendor was ScadaTec. The original alert described a buffer overflow vulnerability in the ScadaPhone and Modbus TagServer products and was published back in September.

Today’s advisory identifies the researcher as Steve Seeley and notes that ScadaTec has produced a patch to ‘resolve the vulnerability’. It turns out that the actual vulnerability was in the Abbrevia ZIP file handler. Newer versions of that software do not contain the same vulnerability. As always I have to ask what other vendors are still using the vulnerable versions in their software packages.

An interesting side note; the Advisory notes that the affected ScadaTec products are used principally in water treatment facilities in the United States and Australia.

Another Look at CFATS and Weapons

A topic that comes up from time to time in discussing security plans at high-risk chemical facilities covered under the CFATS program is the question of whether or not security personnel should be armed. Generally speaking chemical facility management is against fire arms and security personnel (myself included) tend to favor their use. The issue came up again in a rather odd context last week in the first of two FoxNews.com reports by Mike Levine.

Mike quoted from the as of yet unseen internal DHS report on problems in the implementation of the CFATS program:

’Despite their lack of law enforcement authority, some still actively seek the right to carry a firearm,’ the internal report reads.”

The reason that I mention this here is that it is very important that everyone at DHS, especially the CFATS inspection force, understand why chemical facility managers are typically so adamant about no firearms being allowed on their property. It is not because they are anti-gun nuts (I personally know at least a couple that are card-carrying NRA members), but rather they are scared to death of what a gun can potentially do on site.

Flammable Atmospheres


Almost every chemical facility worthy of the name houses one or more flammable chemicals. A very safe chemical facility will take excruciating pains to ensure that those chemicals remain confined in the appropriate storage or processing systems. Even so, they know that small spills and releases are almost inevitable. Less safe facilities will, almost by definition, have more and larger such releases.

Even the smallest spills of flammable chemicals (ones so small that even the most rabid environmentalist would ignore it) result in a small cloud of flammable vapors. Under the right atmospheric conditions even those small clouds can be ignited by stray sparks and open flames. This is the reason that hot work permitting and flammable gas testing procedures are such an important part of chemical safety programs.

Before any work is done at a chemical facility that could produce sparks (drilling, grinding, etc) or introduce open flames (welding or cutting) a gas test meter is used to determine if there is the presence of a flammable atmosphere. A flammable atmosphere is defined as any concentration of a flammable vapor above the lower explosive limit (LEL) and below the upper explosive limit (UEL). Every flammable chemical has its own characteristic LEL/UEL combination.

These are called ‘explosion limits’ for a very good reason. The flammable vapor/oxygen ratio is so favorable for burning that the cloud ignites easily and burns very quickly, producing heat and a rapidly expanding cloud of combustion products that produce a pressure wave that can cause extreme damage at quite some distance for the site of ignition.

Generally speaking the larger the amount of the flammable chemical that is released into the environment the larger is the chance that at least some portion of the vapor cloud will be within the explosive limits for that chemical. And the larger that explosive portion of the cloud is the larger is the area that will be affected by the resulting explosion.

Firearms


Handguns, rifles and shotguns are often generically referred to as firearms. The reason for this is clear; it is the burning of a propellant charge in the chamber of the weapon that causes the expansion of gasses in the barrel that, in turn, cause the projectile to fly towards its intended target at high-speeds.

Anyone that has seen a firearm discharged at night will have had a clear vision of the muzzle flash that accompanies the firing of the bullet. That muzzle flash (and cylinder flashes from revolvers) is nothing more than gasses that are still burning as they leave the confines of the weapon.

Those burning gases are almost certainly hot enough to ignite a vapor cloud that is within the explosive limits for that particular chemical. Depending on the size of the vapor cloud (which is again dependent on the size of the chemical release) the discharge of a single round from even a small handgun could result in a catastrophic explosion.

Bullet Holes


As it that weren’t problem enough, the projectile that leaves the barrel just before the muzzle flash is going to travel some considerable distance from the weapon before air resistance and gravity combine to bring it to earth. That can be quite some distance, something that even the most ardent shooter frequently forgets. Unless, of course, something gets in the way first.

Most people have no concept of the penetrating power of modern bullets. Having seen their favorite cop or detective on television hiding behind car doors in a gun fight, they assume that thin pieces of sheet metal are impervious to bullets. Nothing could be further from the truth. Even the rounds from small pistols can easily penetrate the walls of most storage tanks and smaller chemical storage containers.

If the bullet penetrates the container or tank below the liquid level the chemicals inside are going to come out the bullet hole. The rate will be dependent on the caliber of the bullet and the viscosity and flow characteristics of the chemical. Most really dangerous flammable chemicals will flow out of even a 0.22 caliber hole at quite an astounding rate.

For flammable liquid storage tanks, the higher the liquid level inside the tank above the bullet hole the faster the chemical is coming out. Under the proper conditions of bullet hole size, and pressure the liquid will convert to a vapor upon exiting the tank, greatly increasing the chances for forming a flammable atmosphere.

Consequences


If an armed security guard or responding police officer encounters and armed terrorist who has penetrated the perimeter security measures of a high-risk chemical facility it is very likely that a gun battle will ensue. While every attempt will certainly be made to just hit the intruders with the bullets, the sad truth is that in any gun battle most bullets miss their intended targets.

The larger the chemical facility, the more likely it is that the ‘missing’ bullets will hit storage tanks, containers or process equipment resulting in the release of chemicals. If flammable chemicals are on site, the longer the gun battle runs the more likely it is for a flammable chemical storage tank or container to be hit by a stray bullet. And sooner or later it is likely that a firearm will be discharged within a flammable atmosphere. Then the probability of a successful terrorist attack will increase dramatically.

Guards Must be Armed


I am firmly convinced that if a security force is going to have any chance of preventing a successful armed assault on a high-risk chemical facility it is going to have to be armed. But, as I have explained here, arming them with firearms can be counterproductive to say the least. A security force manager is going to have to look for alternative weapons for facilities with significant amounts of flammable chemicals on site.

Interestingly, just yesterday the folks at PublicInteligence.net published a copy of a DOD Non-Lethal Weapons Reference Book. While many of the weapons discussed in this book are firearms based, most are not. I strongly recommend that any security force manager should look over this reference for ideas for alternative weapons for interdicting terrorist attacks.

Reader Comment – More on PLC’s

An interesting comment was posted on yesterday’s blog about ICS misconceptions. It seems that I missed one of the underlying points about another way to go about securing control systems at their points of action; the PLC. The Anonymous readers suggest that instead of allowing for reprogramming of PLC’s via the hard wired connection (which is a potential source of attack through the networked control computer) that the reprograming could be done by physically changing the memory card for the PLC like one does with the memory card on a digital camera.

While this novel suggestion would certainly avoid the in situ reprograming of the PLC that was seen in the Stuxnet attack (for instance) it has some limitations on its applicability in large scale control systems like those found in chemical plants. It also ignores the fact that the programing of the PLC memory chip still takes place using the same workstation that would allow the Stuxnet type attack in the first place.

Large Number of PLCs


A large scale chemical manufacturing facility can have thousands of PLC’s in operation. The relatively small specialty chemical manufacturer that I last worked at had one reaction vessel (the one I spent the most of my time working with) with over 100 controllers on it alone. While most of these operated valves (a fairly simple operation) a great deal of time was spent over the years on tweaking the specific interlock rules and valve operation timing (including how fast the valve opened and closed) instructions. And that was with processes that were still largely operator controlled. As we moved to increased process automation the programing got even more complicated and time consuming.

For the vast majority of PLC’s in use in a modern manufacturing facility I don’t think that the physical changing of program memory cards is practical. While the act of switching a memory card is fairly simple when one looks at the number of PLC’s involved in a fairly simple process adjustment the number of card changes involved almost ensures that a wrong card will be put in an inappropriate slot.

Physical Security Issues


There is also a physical security issue that must be addressed, a fact frequently overlooked in discussions of cyber security. If programing changes are now going to be physically implemented at the PLC we now have to provide protections that will prohibit the unauthorized change of cards as a means of cyber-attack. The current centralized programming operation only requires physical security measures for the control computer and its associated hardware. And physical security measures are frequently more expensive than cyber-security measures.

Programming Vulnerability Remains


Finally, the programming still has to be done at the facility level, even if that means hiring an outside consultant to handle that job. This leaves the programing control workstation as the point of attack on the PLC’s. It would avoid the problems associated with the wireless network capabilities that vendors are adding to their PLC’s (and are apparently being sucked up by system owners), but the computer that allowed the networked attack on the PLC in the Stuxnet attack is still the point of vulnerability.

Safety Systems


Having noted all of these shortcomings in this proposed solution, there is certainly one area where a control system owner might want to consider this methodology; safety control systems. These stand-alone systems are tweaked infrequently at worst and are relatively simple systems. Their strong points are reliability and inaccessibility. It would seem that only allowing programing changes via firmware substitution would be ideally suited to these types of systems.

Since these systems backstop security systems by not allowing for catastrophic failure of the process, separating them from the potential for a Stuxnet type attack would seem to be a smart idea. Their limited use and infrequent need for updates would also seem to be ideally suited for the design of a single use programing work station that would only be able to program these devices and have no ability to connect to the internet or corporate networks. Device signing could be used to ensure that only trusted drives and memory cards could be used on the system.

Safety system designers may well want to consider this methodology to increase the reliability and security of those systems.

DHS Announces HSAC Closed Door Meeting

Today DHS published a notice in the Federal Register (76 FR 81516-81517) that the Homeland Security Advisory Council will be holding a closed door meeting on January 9th, 2012. The meeting is closed to the public because the sensitive nature of the reports being made by DHS to the Council might disclose information about counter-terrorism plans and activities; reveal intelligence information and techniques; or provide information about on-going criminal investigations.

A number of generic topics (lack of specificity will protect sensitive information) are listed in the agenda portion of the notice. One would be of potential interest to readers of this blog would that they could be flies within the secure walls; cyber-security. According to the agenda in the notice:

“The members will also receive a briefing on recent Cyber-attacks and the potential threat of an electromagnetic pulse attack. Both will include lessons learned and potential vulnerabilities of infrastructure assets, as well as potential methods to improve the Federal response to a cyber or electromagnetic pulse attack.” (76 FR 81517)

One would think that the closed door briefing would not address recent cyber-attacks that have been beat to death in the press and blogosphere. So are there new attacks out there that we don’t know about yet? Or maybe it’s just new information about old attacks? Or maybe they just don’t like airing dirty laundry in public? We’ll probably never know.

Tuesday, December 27, 2011

ICS-CERT Updates an Advisory and Upgrades an Alert

The DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two advisories today. One was an update of a previously issued advisory (Sielco Systemi Winlog) and one was an upgrade of an alert to an advisory (Siemens Automation License Manager).

Sielco Systemi


The original Sielco Systemi Winlog Advisory was published on December 6th, 2011. The new information in this update is the link to a new release of Winlog that eliminates the vulnerability. Actually, the new link replaces separate links to the two different product (Winlog Lite and Winlog PRO) updates that were listed in the original advisory; that may have been because the earlier links were directly to .EXE files.

To make matters more interesting, the page on the Sielco Systemi web site mentions that the new version of Winlog Pro Scada and Winlog Lite SCADA just became available on December 20th; not the 6th and no mention is made of correcting the buffer overflow vulnerability. And there is only a link to the download of Winlog Lite; no link for Winlog Pro. I’m confused.

Siemens


The original alert for this particular Siemens vulnerability (there have been so many of late) was published on November 28th and updated on December 2nd, 2011. The original alert was based upon four vulnerabilities in the Siemens Automation License Manager reported by Luigi in an uncoordinated disclosure.

In a very timely manner Siemens has issued a patch for the ALM and the Advisory does provide a tiny bit more information about the vulnerabilities over what was provided in the Alerts.

ICS-CERT continues to have some problems reporting CVE links in this Advisory. Three of the four links provided will eventually link to CVE files on the NIST /US-CERT web site. The third of the four listed has an extra character (an X) that essentially destroys the link. When the CVE report becomes live the legitimate link will be:


BTW: ICS-CERT has quietly corrected their link errors that I reported last week.

Reader Email – ICS Safety Misconceptions

I got an interesting email from a reader of my post yesterday on Digital Bond’s SCADA Security Portal. I’m not sure what the reader’s background is, but I am assuming that it isn’t control system engineering. The misunderstandings that form the basis of the questions are so important that I thought that I would address them in a post instead of an email reply.

Here is what the Reader wrote:

“We read your blog on Digital Bond about the various legislative efforts to make ICS safe. We would like to ask your opinion about how can any ICS/SCADA be safe when the programmed memories of the controllers are corruptible, that is, endlessly rewriteable?

“Cannot the process control engineer pause the system for, say, 2 minutes to change to another preprogrammed no-write memory?”

There are three basic misconceptions here and I’ll address them in turn. They are:

• Legislation can make something safe;
• Re-writeable memories are corruptible; and
• Un-rewriteable controllers are possible.

Legislation


One of the great misconceptions of the modern liberal era is that government legislation or regulation can make anything safe. At the most legislation or regulation can mandate that something should (or should not) occur, that certainly does not make it happen. A perfect example of that can be found in the illicit drug trade; numerous laws and regulations at the local, State, Federal and international level make the transport of, for example, cocaine illegal. Has it stopped or even seriously slowed that trade? Not hardly.

Even in the safety realm, OSHA regulations have not stopped companies and facilities from allowing unsafe conditions to exist. OSHA, even including State and local inspection officials, does not have enough manpower to go around and ensure that everyone is following the rules. What the OSHA regulations have done to increase workplace safety (and they have certainly done that on a gross basis) is to provide a basic set of guidelines for safe practices and provide sanctions for violations of those guidelines when those violations result in worker injuries and deaths. Avoidance of those sanctions have made most companies follow most of those guidelines on a fairly consistent basis (lots of deliberate weasel wording there). And the worst violators are sanctioned out of business.

ICS security legislation at its best will not make control systems secure or safe. At most it can establish a program for determining minimum standards for security in the design and implementation of control systems and provide incentives for (or disincentives for not) applying those standards. They would help provide a level playing field for those companies that design, install or maintain a secure control system. That would raise the general level of security in the control system community, but it WOULD NOT SECURE CONTROL SYSTEMS. I don’t think that that is actually possible.

Corruptible Memories


Okay, I guess that I will have to concede that re-writeable memories are inherently ‘corruptible’. Whether or not that is a good thing or a bad thing depends on how those memories are deployed. In a “properly” designed system only the owner of the system (through their engineering staff of course) will have the ability to re-write the memory. In an adequately designed system the owner will know when the re-writeable memory is re-written and will be able to react in a timely manner when it is re-written by an unauthorized individual or re-written in an unacceptable manner (either accidentally or purposefully).

PLC’s Require Re-writeable Memories


The modern control system is predicated on the ability of the owner to buy a programmable [emphasis added] logic controller (PLC) and make it perform a specific function in his system (and perhaps change that function as his process changes). There is no way that PLC manufacturers can make a controller for each specific function in every process.

Okay, technically they could. They would be prohibitively expensive (thousands of times more expensive than they now are) and they wouldn’t work. That’s because no design engineer has successfully documented the requirements of more than a single controller system (and I would be surprised if even one single-controller system was successfully specified in advance) without there being a need for tweaking the controllers to perform properly in the real world. Controllers must be programmable at the installation where they are put into use and that requires re-writeable memories.

Even if a controller could be specified and produced for a single purpose application at a reasonable cost, no one would buy it because it would not allow for process improvements or process changes.

Process Control Systems Must be Modifiable


Modern manufacturing processes require control systems that can be modified to meet changing conditions. This means that systems engineers must be able to modify the actions of the various components of the systems. This can only be done with some sort of programmable logic controller.

Security for PLC’s has to be designed to limit communications to and from the PLC’s to routing through a secure network to a protected control system computer. The more levels of protection provided to the system the more likely it will be that an attacker will be unable change the programing of the PLC’s. That is how you protect the operating end of an industrial control system.

PHMSA Pipeline Safety Webinar

Today the Pipeline and Hazardous Material Safety Administration published a notice in the Federal Register (76 FR 81015-81016) about an upcoming webinar concerning the recently implemented distribution integrity management plan (DIMP; 74 FR 63906) inspection program. As of August 2nd, 2011 distribution pipeline operators were supposed to have implemented a DIMP program and Federal and State regulators have begun their inspections of these programs. This webinar will allow PHMSA to share general information gleaned from these inspections. The webinar will also address the initial analysis of Mechanical Fitting Failure Reports being submitted under the DIMP regulations.

The webinar will be held on January 25th, 2012 from 11:00 a.m. to 12:30 p.m. EST via LiveMeeting. The notice provides a link to the PHMSA DIMP web page claiming that there is additional information on the webinar on that page, but as of 7:00 a.m. EST this morning there is no link to any upcoming webinar on that page, only links to old webinars [NOTE: new link on that page now points to registration page PJC 18:25 EST 12-27-11]. The notice also provides a link to a web page for submission of questions before or during the webinar, but that page only provides a link for email submissions to DIMPsupport@cycla.com. The referenced page does request submitters to provide their name, affiliation, as well as phone and email contact information with their submitted questions.

Please note that a Privacy Act notice is provided for information submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2004-19854) but not for email submitted questions and those are being submitted to a Contractor; Cycla Corporation.

The notice provides contact information for Chris McLaren (phone 281-216-4455; Chris.Mclaren@dot.gov) as the POC for the webinar. Hopefully McLaren will have more information than the links provided in the notice.

Monday, December 26, 2011

Are Control Systems Safe and Reliable?

Joe Weiss has an interesting blog posting over on ControlGlobal.com that briefly addresses the different issues that affect cybersecurity in IT systems and ICS systems. No new information, just a review of what Joe has been saying for quite some time. What caught my eye though was the title (which has little to do with the subject, BTW); “Industrial control systems are reliable and safe, just not secure”.

In light of recent disclosures about engineering decisions made in the design of control systems from Schneider Electric and Siemens (among others, of course) makes me seriously doubt the assumption explicit in Joe’s title.  While there is certainly a long history of system stability and reliability in industrial control systems (and no one would be investing the money in these systems if they didn’t have that history) the basic insecurity of these systems calls that history’s extension into the future in question.

If systems as currently designed, installed and deployed are able to be attacked by attackers with a wide range of skill sets (and just read the ICS-CERT advisories if you think they are not), it is only a matter of time before one or more systems are successfully hacked and manipulated. Once that happens to one system the whole ‘safe and reliable’ mantra of the industry goes out the window.

How can something be safe when anyone with the proper skill set and access to a modem can change (okay a slight exaggeration) whatever settings they want? How reliable is a system that is readily susceptible to a denial of service attack?

Schneider and Siemens have essentially forfeited their right to claim that their systems are ‘safe and reliable’. Other manufacturers are seemingly actively working with independent researchers to correct past errors in their system designs, but is anyone actively working on designing a safe, reliable and secure system? More importantly, would anyone be interested in paying a premium for such a system?

Right now these are academic style questions. As soon as a hacker successfully attacks a control system and causes economic damage to a major manufacturer, a community or the nation; or worse yet uses a compromised ICS to turn an industrial facility into a chemical weapon, the questions will become political questions. And anyone that has looked at the post-911 response by politicians will realize that the answers to those political questions could do as much damage to control systems as the attacks themselves do. They will certainly affect a wider swath of control systems.

Cybersecurity Legislation Reviewed

Dale Peterson over at Digital Bond’s SCADA Security Portal was nice enough to ask me to write a review of cybersecurity legislation in the first session of the 112th Congress. I provided and he posted my review of little movement on legislation so far and my prediction of little in the way of ICS cybersecurity legislation for the next session.

Friday, December 23, 2011

ISCD Issues

Yesterday there was a large spike in readers accessing this blog. I’m pretty sure that it was as a result of the blog being mentioned in a follow-up FoxNews.com article about the problems with the CFATS program and ISCD. I mentioned in a blog post yesterday that I had been reporting on these issues since last January and provided a link to the first such report.

Because of the new found interest in the issue, I’m providing the following list of blog posts that have addressed bits and pieces of the problems.













I would certainly be interested (as would most people in the chemical security community) in seeing a copy of the DHS report on these problems.

ICS-CERT Finally Issues Siemens Advisory

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an advisory about the Siemens authentication bypass issues that have been widely discussed in the blogosphere since Tuesday when Billy Rios published his response to the Siemens denial of the existence of a problem.
There is more detailed information about the vulnerability in Billy’s blog, but this Advisory does provide two important bits of information. First Siemens publicly admits the existence of the vulnerability and lists the affected systems. Second that Siemens plans to release a Service Pack next month that will resolve the issue.

Reading through the comments on Billy’s blog it seems that the Siemens statement that started the public disclosure process might have been the result of a misunderstanding between the Reuters person and the Siemens person (and I may be overgenerous in that assumption; I wasn’t there), but Siemens has obfuscated so often on their past vulnerabilities that no one is willing to cut them any slack. Siemens PR has a long way to go and a short time to get there.

BTW: There continue to be problems at ICS-CERT with their handling of CVE links beyond the slow posting of information at NIST. The two CVE links in this report have typos in them that make them useless. Both are missing periods [.] between ‘nvd’ and ‘nist’. In the link for CVE-2011-4508 this causes the link to be truncated to Http://web.nvd. In the second CVE link it becomes http://web.nvdnist.gov/view/vuln/detail?vulnId=CVE-2011-4510. Both links are useless. While neither CVE is active yet, the links should be:

Thursday, December 22, 2011

New ICS-CERT Monitor and 2 Advisories

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published the December edition of their Monthly Monitor and two new Advisories for control system vulnerabilities affecting WellinTech’s KingView and 7-Technologies IGSS SCADA systems.

Monthly Monitor


ICS-CERT continues to produce a brief but valuable monthly newsletter that should be widely read in the control system community. The latest issue contains:

• A neat new logo (okay that’s not so important, but it is good graphics design);

• Another overview of the ‘Water System Hack’;

• A good summary of generic malware analysis and mitigation techniques;

• A summary of the ‘latest’ Gleg Agora SCADA release (probably more appropriate here than as an alert)

• A lengthier listing of control system security articles and blog posts (including one by SCADAHacker, a nice response to my comment last month about the lack of bloggers); and

• Their standard listing of Alerts and Advisories and plug for Coordinated Vulnerability Disclosure

WellinTech


This Advisory describes a heap based buffer overflow vulnerability reported by Luigi through ZDI (so it was coordinated) in the WellinTech KingView system. It appears to be a common remotely exploitable vulnerability that allows execution of arbitrary code by an attacker with an intermediate skill level. WellinTech has a patch available. The CVE number provided in the Advisory is not yet active.

Two interesting things here. First ICS-CERT includes a link to the Chinese language instructions for the patch in addition to the English language instructions (multiculturalism at its best). More importantly the Advisory notes that there are no known exploits available. Luigi typically develops and publishes exploit code, though I can’t find a reference to this vulnerability on his web page. Since this is part of the ZDI project I wonder if he provided them with the code and they just haven’t released it.

7-Technologies


7-Technologies seems to be catching it this week. Earlier there was an advisory for their data server and yesterday a new advisory for similar buffer overflow vulnerability discovered by a separate researcher Celil Unuver (SignalSEC LLC). It appears that the same product update will solve both problems. The CVE file on this vulnerability is also not yet active.

More Problems at ISCD

There is an interesting article over at FoxNews.com about an internal report on some management and personnel problems at the DHS Infrastructure Security Compliance Division (ISCD), the people that manage the Chemical Facility Anti-Terrorism Standards (CFATS) program. Many of the areas addressed in the article will not be news to long-time readers of this blog; I started reporting on some of these issues almost a year ago.

I’m glad to hear that Rand Beers, the undersecretary for DHS’ National Protection and Programs Directorate (the home of ISCD), initiated this internal investigation of the issues and problems facing the program. More importantly it appears, from this article at least, that he is attempting to do something about solving those problems.

It would be nice, however if the report were made public, so that we all could see the extent of the problems and the proposed solutions. I’m sure that members of the regulated community would have some valuable input.

Don’t Forget the Accomplishments


While negative reports like this attract lots of public attention and press scrutiny, it is good to remember the good things that have been accomplished by the hard working folks at ISCD. They include:

• Starting a regulatory program from scratch with little guidance from Congress;

• Writing, publishing for public comment and revising the CFATS regulations within the deadline given to the Department to publish an Interim Final Rule without the comment process;

• Developing and beta testing a set of innovative on-line tools for registering potentially affected facilities, collecting chemical inventory and facility data to winnow the facilities that were not at high-risk of terrorist attack;

• Established a training program for a unique security inspection program; and

• Developing, publishing for public comment and revising a Risk-Based Performance Standard (RBPS) guidance document to help facilities to understand the security requirements of the program.

More importantly all of the above were accomplished while maintaining a strong working relationship with the regulated community even while the program was costing facilities large amounts of money to implement the requirements of the program.

Congress Should Share the Blame


When Congress added the §550 authorization for the CFATS program to the DHS Appropriations Act FY 2007, they saddled the folks at ISCD with a lot of unnecessary baggage that may have contributed to the problems the program now faces. Two major problems resulted from that authorization process, regulatory uncertainty and unenforceable standards.

With the program clearly being a stopgap measure because of the political inability to reach a consensus on program goals (conventional security measures vs inherently safer technology being the major sticking point), both industry and the environmentalists have been completely amazed at their inability to convince the other side to acquiesce to their minimal program demands and there has been little effort to find a reasonable middle ground.

Industry finds this particularly galling as they are spending or programming for spending large amounts of money on non-productive projects that could become a complete waste of time and money if long-term authorization of the program is based upon the environmentalist agenda.

The unenforceable standards problem more directly relates to the current delays in the site security plan approval and subsequent inspection programs. With Congress forbidding the Secretary from requiring the implementation of any specific security process or tool, the ISCD program managers cannot tell a facility how to upgrade their programs to meet the requirements of the RBPS. They can only explain the deficiencies in the facility’s plans to meet the loosely defined standards and then hope that the facility will subsequently identify a suitable remedy.

Moving Forward


I would certainly extend my support to the comment by Beers at the end of the Fox article; I too “am presuming that this is a program that the American people and the Congress of the United States want, and that we will continue to improve our ability to (implement it)". I would also like to remind people that if a successful terrorist attack on a high-risk chemical facility occurs during this implementation interregnum, political and corporate heads will roll.

Congress needs to make it a high priority to review this DHS report in detail when they return from the end of year holidays and to resolve who is responsible for the oversight of this program and then conduct some real oversight hearings focusing on program accomplishments and shortfalls.

Wednesday, December 21, 2011

CG to Change Some TWIC Policies

Last Friday John C.W. Bennett published a notice on his Maritime Transportation Security News and Views blog about the OMB’s approval of an ANPRM updating the Coast Guard’s Transportation Workers Identification Credential (TWIC) regulations to implement section 809 of the Coast Guard Authorization Act of 2010. That post was an update to his earlier blog (and my blog post) about the rule going to OMB for approval. It appears that John and I both guessed wrong about the document being an ANPRM since yesterday the Federal Register’s Public Inspection page pre-published the Coast Guard’s Notice of Availability of a Policy Letter 11-15 addressing the §809 changes to the TWIC program. That notice will actually be published in tomorrow’s Federal Register (76 FR 79544) [Updated 6:18 EST, 12-22-11].

The Federal Register notice will not contain the actual policy letter, that can be found on the Coast Guard’s Homeport site (for those not used to convoluted military style procedures the Coast Guard’s Homeport is a real treat. There is no permanent link to the letter you have to click through Library > Policy > Policy Letters > Inspection > CG-543 Policy Letter 11-15 to get to the letter). The notice does provide a reasonable summary of the letter’s provisions though.

NOTE: The notice also claims that the letter is available on www.regulations.gov (Docket # USCG-2011-0465) but that docket will not be activated until after the actual notice is published tomorrow.

The letter essentially changes processes not rules. As John pointed out in his blog the rule making process is time consuming and the Coast Guard has found an innovative way to shortcut that process. They are going through the rule changing process to implement §809, but in the meantime they are changing the way that they will enforce two specific provision of the current rules.

TWIC and MMC


The current regulations requires that an applicant (initial or renewal) for a Merchant Mariner Credential (MMC) must first obtain a TWIC. This allowed the Coast Guard to use the TSA TWIC screening process to vet MMC applicants. The new process will only require the applicant to have gone through the TWIC enrollment process, not actually received the TWIC. Since the TWIC fees are paid at the start of the enrollment process this may not seem like a big change, but it will allow applicants to avoid a potentially unnecessary second trip to the TWIC enrollment center to pick-up an unneeded TWIC.

Now the requirement for mariners to have TWICs is still going to apply in many (most?) cases. If a mariner is working on a vessel that is required to have a security plan under the MTSA regulations, a TWIC will still be required. The letter, and the notice, provides a listing of the types of vessels where this new policy will apply.

Inspections


Well, legally, all mariners are still required to have TWICs until the actual regulations are changed. To make this new policy effective what the Coast Guard is doing is providing notice that they are going to “exercise their enforcement discretion” (para 6b of the actual letter) by not pursuing revocation procedures against an MMC holder that does not possess a valid TWIC when they are working on an exempted vessel.

Essentially they are telling their enforcement personnel to not check for TWICs when they inspect vessels that do not require security plans under MTSA. If TWICs are not checked then there is no basis for taking action against the MMC holder that does not have a TWIC.

Consequences


I actually think that the Coast Guard’s action is a relatively innovative solution to a complicated bureaucratic problem. The Commandant is to be commended for putting into writing this policy change; it would have been much easier to either ignore the problem until the rulemaking process was completed or just quietly pass the word to inspectors to stop TWIC checks in appropriate settings.

I am afraid, however, that this could come back and bite the Coast Guard in uncomfortable places. It leaves them open for having a valid TWIC enforcement action challenged on the grounds of ‘unequal enforcement’. Most judges would probably side with the Commandant, but selective enforcement has been successfully used as a reason for appeals in a wide range of cases. I hope the Coast Guard proceeds with their rule making process expeditiously and that the political side of the Administration provides minimal interference in that process.

Unified Agenda


There is an interesting comment in the letter about the Unified Agenda of Regulatory and Deregulatory Actions. It notes that the Coast Guard will complete the rulemaking process “in accordance with the timeline set forth” (para 5b on page 3 of the letter) with the Unified Agenda. Both John and I noted in our earlier blogs that this action was not listed in the Spring 2011 Unified Agenda; so apparently it will be listed in the Fall 2011 Unified Agenda that has yet to be published.

It will be interesting to see what the projected timeline for this rule actually is. Then, of course, few people expect that timeline to actually be met. While I do not claim to have verified the projected timelines of every rulemaking, none of the chemical safety or security rules that I have tracked over the last couple of years have come anywhere near close to meeting the time estimates published in the Unified Agenda.

Tuesday, December 20, 2011

Two New ICS-CERT Advisories

Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two new control system advisories; one for Invensys Wonderware, and the other for 7-Technologies Data Server. Both advisories were previously published in the limited distribution on the US-CERT secure portal.

Invensys


The three buffer overflow vulnerabilities described in this Advisory were reported by Kuang-Chun Hung of the Security Research and Service Institute−Information and Communication Security Technology Center (ICST). They would allow a low skilled attacker to execute a denial of service attack and a more skilled attacker to execute arbitrary code on the system. The US-CERT/NIST vulnerability summary is available for these vulnerabilities (Note: The link does work).

Invensys has developed software updates for the affected Wonderware InBatch systems.

7-Technologies


The second advisory involved another buffer overflow vulnerability that was discovered in the 7-Technologies IGSS Data Server by UCQ from the Cyber Defense Institute, Inc. A moderately skilled attacker could use this vulnerability to execute a DOS attack on the system. A CVE number has been assigned to this vulnerability, but it is not yet live on the US-CERT/NIST site.

7T has developed a patch to address this vulnerability and it is currently available on the IGSS web site (NOTE: This link is to a .ZIP file).

Cyber Security Evaluation Tool


The ICS-CERT web page also contains a link to version 4.0.1 of the Cyber Security Evaluation Tool (CSETTM). There is no indication when exactly that new version became available nor is there any explanation on the CSET web site of how the new version differs from version 4.0; though one would expect the differences to be relatively minor.

Hazmat Legislation Introduced in Senate

Earlier this month Sen. Lautenberg (D,NJ) introduced S. 1952, the Hazardous Materials Transportation Safety Improvement Act of 2011. This legislation, co-sponsored by the Chairman of the Senate Commerce, Science and Transportation Committee, addresses a number of issues concerning hazardous materials transportation and operations by the Pipeline and Hazardous Materials Safety Administration. It is essentially the PHMSA reauthorization bill.

The provisions of this bill address the following areas:

• Accounting for the results of grant supported training programs for emergency responders;

• Conducting a Paperless Hazard Communications Pilot program trial;

• Reporting to Congress on improving the data collection, analysis and reporting on hazmat accidents and incidents;

• Initiating rulemaking on the loading and unloading of bulk hazardous materials;

• Establishing a hazardous material enforcement training program;

• Making minor revisions to regulations regarding inspections;

• Increasing civil penalties;

• Modifying the authority to issue special permits, approvals and exclusions; and

• Requiring State reporting of hazmat highway routing designations.

• Authorizing spending for the hazardous materials regulations programs.

The Senate Commerce Committee met last week in executive session and adopted this bill without changes. Chairman Rockefeller mentioned that this bill would probably be rolled into a larger surface transportation authorization bill in the second session of the 112th Congress.

Saturday, December 17, 2011

Senate Approves [New] Continuing Resolution FY 2012

Today the Senate approved HR 2055, the [New] Continuing Resolution FY 2012 by a much more nearly party-line vote of 67-32. Having said that, the bill would not have passed (a 3/5 majority was required under the unanimous consent process) were it not for the 16 Republicans that voted for the bill. It’s interesting that the Republican House needed Democrats to pass the bill because of defections. In the Senate only one Democrat (and one Independent) voted no, so the Dems needed the votes because of the closer division that body.

So we did pass the necessary FY 2012 spending bills before Christmas. Of course, in less than three weeks the FY 2013 budget process will be getting started. Of course we still need to see what was in that lengthy bill that the Senate shipped to the President; patience.

Continuing Appropriations Continuing Saga

Yesterday the House passed HR 2055, the [New] Continuing Resolution Act of 2012 by a bipartisan vote of 296-121. Bipartisan is kind of a tricky word here, more Democrats (149) than Republicans (147) voted in favor of the bill. The Senate will take up the bill today under a unanimous consent agreement so no cloture vote is necessary.

To keep the government operating through today, both the House and the Senate approved H. Joint Res. 94 yesterday. That resolution amended the existing Continuing Resolution Act of 2012 by extending the expiration date until midnight tonight. The form of that amendment also extended the CFATS program for the same time period.

Politics


Before the House adjourned for the weekend yesterday they also passed H. Joint Res. 95, another amendment to the current Continuing Resolution Act of 2012, that would re-extend the deadline of that measure until Friday, December 23rd. This was done just in case the deal on HR 2055 fell through in the Senate. The Senate is not currently scheduled to take up this second Resolution.

Now what I just described for these two resolutions does not exactly track with what I reported in yesterday’s blog. Thursday night Chairman Drier (R,CA) explained (at least three times) that the reason for a short term continuing resolution was the need to get the formal copy of the cobbled-together bill properly prepared for the President’s signature. If that had truly been the case, then HJ Res 94 would have been for more than one day.

An alternative explanation of the purpose of the two part resolution process would be to force the Senate to act today on HR 2055. A full week extension would have allowed for more wheedling, politicking, and deal-making in the Senate. This would also account for why the two resolutions were not brought to the floor of the House until after HR 2055 passed.

The lack of listing H. Joint Res. 95 on the unanimous consent agreement kind of supports this thinking. That would only be true though if the Senate leadership had such a low opinion of the average Senator that they thought they wouldn’t be aware that the House passed the second resolution.

Moving Forward


Oh well, the debate in the Senate today should be short. The Unanimous consent agreement only allows for 15 minutes of debate.

I still haven’t had a chance to closely look at the bill for chemical- and cyber-security provisions. Yesterday was a travel day and it’s hard to read to read while you are driving.

BTW: HR 1540, the DOD authorization bill, passed Thursday in the Senate and should be on the President’s desk.

Friday, December 16, 2011

House Rule for HR 2055

I mentioned in last night's blog post that there were some strange sounding provisions in the Rule that the House Rules Committee adopted last night for the consideration of HR 2055. After I got to bed the Committee staff finally (it was a long night for them, I hope they get overtime pay, probably not) go the tule posted on the web site. Those odd-ball provisions do not really concern the considetation of HR 2055, but deal with HR 3672, the Disaster Relief Appropriations Act of 2012, and H. Con. Res. 94, a resolution dealing with that bill. Those games are interesting (if you're a political junky), but not really germane to this blog.

There are two interesting additions to the rule that do apply to HR 2055, the first authorizes consideration of a continuing resolution today and the second provides for same day consideration of a bill (well, some specific type bills including HR 2055) under a rule. Both are essentially waivers of current House Rules to allow Congress to actually complete action on the spending bills before the end of the first session of the 112th Congress.

The conintuing resolution should be a short term, probably a week, resolution, but that is not specified in this rule. Chairman Drieer (R,CA) explained last night that the 2200+ page document submitted by the Conference Committee is not a documant that can really go to the President. Glancing at the documents on-line it is clear that they are a hodgepodge of printed documents with hand written corrections and modifications. It could take a couple of days to get the final document in a proper state for the President's signature. And the bill can't go into effect until the President signs it.

The 'same day' provision in the rule will allow the House to consider HR 2055 today and is necessary because the Rule was published (even agreed to) after midnight this morning. Actually, House Rules {clause 6(a) of rule XIII} do provide for same day consideration, but it requires a 2/3 vote to authorize that consideration. The leadership, probably correctly, decided that they could not guarnatee a 2/3 vote so they waived the Rule.

CG Publishes LNG-LHG Letter of Recommendation NPRM

Today the Coast Guard published a notice of proposed rulemaking (NPRM) in the Federal Register (76 FR 78188-78193) clarifying procedures for seeking reconsideration of a Captain of the Port’s Letter of Recommendation (LOR) regarding the suitability of a waterway for liquefied natural gas (LNG) or liquefied hazardous gas (LHG) marine traffic. The rulemaking also clarifies the role and purpose of the LOR.

Purpose and Role of LOR


The current rules for the LOR process were revised last year (75 FR 29420). Since then several LOR’s have included statements that the recipient could request a reconsideration of the LOR using procedures outlined in 33 CFR 127.015. Since these procedures were designed to be used to appeal an ‘agency action’ by the Coast Guard, the implication was that the LOR was an ‘action’ or ‘final agency action’ under 5 U.S.C. 551 et seq.

The Coast Guard does not have the authority to approve or disapprove an LNG/LHG facility siting, construction or start-up they are not able to take an ‘action’ or ‘final action’ on such actions at a waterside LNG/LHG facility. The LOR is simply an advisory action taken by the Coast Guard to assist the authorized ‘jurisdictional agency’ in making their decision.

In formulating this NPRM the Coast Guard considered the elimination of the reconsideration process for LORs as it is not required by statute. The preamble notes, instead that “consistency and governmental transparency are best served if a defined set of stakeholders has the ability to ask the Coast Guard to reconsider its recommendation” so it decided to retain and revise the process, but put it in a separate section (§127.010) and add clarifying language to the description of the purpose and scope of the LOR in §127.009 and added clarifying language as to what issues the COPT or District Commander could potentially include in their reconsideration.

Procedure

The process would be started with a request to the COPT explaining why the LOR should be reconsidered, outlining the specific “waterway safety and security topics set forth in §§ 127.007 and 127.009”. A copy would also be sent to the jurisdictional agency by the requestor. The COPT would look at the issues raised and either confirm the current LOR or issue a revised LOR.

If the requestor disagreed with the COPT’s reconsideration decision a second request for reconsideration could be submitted to the District Commander for that port. No other ‘appeals’ are provided for in this process.

There are no time limits for the submission of requests for reconsideration or for the Coast Guard’s response to such requests. The NPRM does note that the Coast Guard does not “expect to continue to reconsider an LOR after the jurisdictional agency has reached its decision”, even if a reconsideration is in progress.

Public Comments


Public comments on this NPRM are being solicited. Comments may be filed via the Federal eRulemaking Portal (www.regulations.gov; Docket #  USCG-2011-0227). Comments must be filed by March 15th, 2012.

HR 2055 – The [New] Consolidated Appropriations Act 2012

The 112th Congress is getting to be the experts in last minute deals. Apparently the Senate was not interested in the new language in HR 3671 that the House drafted. A deal was then brokered on language more acceptable to the Senate and still reasonably acceptable to the House. So to make it easy to get it passed in both houses of Congress they had the Conference Committee for HR 2055, the Military Construction and Veterans Affairs, and Related Agencies Appropriations Act, 2012, substitute the new appropriations language for the Senate amendment to HR 2055. Who says that there are no creative people in Congress (well more likely their staffs)?

As with HR 3671, the two divisions of this bill (out of a total of 9) that will probably contain provisions of the most interest to the chemical- and cyber-security communities are Division A (DOD) and Division D (DHS). This bill has an identical Division D, Title V, §540 that would extend the CFATS authorization until October 4, 2012.

NOTE: I have never understood why Congress doesn’t just change that date to reflect the end of the fiscal year like almost everything else in the appropriations bills. It would result in a four-days-less-than-a-year extension when they did it, but those four days are meaningless without the appropriations that take effect on October 1st.

I’m glad I didn’t waste any time today (waste in hindsight) reviewing the details of HR 3671 as it is now dead in the dusty files of the Library of Congress.

As I write this the House Rules Committee is finishing up their rule hearing, which started at 11:45 pm EDT. The rule is a closed rule (as with the standard post-Conference Committee rule), but it includes a couple of interesting details which I’m not sure that I understood from the part of the discussion that I heard. It will be interesting to read the rule.

In any case Chairman Drier (R,CA) noted that he expected the debate on the rule on the House floor to begin at about 10:00 am EST tomorrow morning.

Thursday, December 15, 2011

House Consideration of HR 3671

With tomorrow being the current deadline for funding the government for the remainder of the year, there isn’t much time to consider HR 3671 in ‘regular order’. The House Rule Committee web site early this morning added the bill to the list of legislation that is ‘likely to be considered pursuant to a rule’ this week, but no hearing has yet been set to formulate that rule.

NOTE: There ‘appears’ to be a typo on that listing. It says that the bill was added to the site on “12/14/2011 at 12:37 AM”. I’m sure that it should read “12/15/2011 at 12:37 AM” as I was checking the site last night at 11:00 pm EST.

The rule hearing will almost certainly be held this afternoon, allowing for a vote on Friday. The is an alternative procedure that the leadership could use to bring this measure to the floor and that is to consider it under a ‘suspension of the rules’ which requires a 2/3 majority vote instead of a simple majority. Usually this is not allowed under House Rules on Thursdays and Fridays {Clause 1(c) of rule XV}, but a provision of H Res 493, the rule for the consideration of HR 1540, allows the ‘suspension of the rules’ provision to be used on any day for the remainder of the first session of the 112th Congress.

I would suspect that the leadership will use a closed rule to consider this bill so as to limit debate and the amendment process. It would be very difficult (but not impossible) to be assured of a 2/3 vote for a final spending bill in this Congress. Of course since the initial vote on suspension of the rules is not actually a vote on the bill, if it fails to achieve a 2/3 majority the bill can still be brought up again in ‘regular order’.

There is still a possibility that we might see a short (1 week) continuing resolution to allow for a more extended debate/amendment process on the bill. It is unlikely since this bill was worked out between the Senate and House Appropriations Committees and any significant amendments may make passage more complicated (possible conference committee requirements for instance).
 
/* Use this with templates/template-twocol.html */