Saturday, April 30, 2011

ICS-CERT Publishes 7-T IGSS Advisory

On Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published a new advisory for the 7-Technologies (7-T) Interactive Graphical SCADA System (IGSS) describing a remote stack overflow vulnerability in that system that was initially reported by a security researcher.

The advisory notes that an attacker with an intermediate skill level could develop an exploit for this vulnerability that would enable a denial of service attack and possibly remote execution of ‘arbitrary code’. An updated version of the software is available from 7-T that eliminates this vulnerability.

Coordinated Release

ICS-CERT included an unusual sentence in their advisory, describing how the public disclosure of this vulnerability was handled. ICS-CERT noted (page 1):

“ICS-CERT has confirmed that Insomnia Security and 7T coordinated this vulnerability prior to public release of this report.”
As I have noted in a number of earlier blogs there is an on-going debate in the cyber security research community on effectiveness of coordinating vulnerability information releases with the vendor so that the vulnerability and effective mitigation measures can be announced at the same time. ICS-CERT, who offers their services to help in the coordination effort, prefers coordinated releases (all other things being equal).

It was obvious without this notice in the advisory that a coordinated release had happened. The information on the 7-T update of the IGSS program was the give away. The addition of this sentence appears to be directed at the security research community as a reminder that ICS-CERT is available to conduct the coordination, and may actually prefer to be the coordination agency.

Chemical Sector Training and Resources Page Updated

The DHS Chemical Sector Specific Agency (Chemical SSA) updated their Chemical Sector Training and Resources web page on Friday. They added a new section that deals with information concerning the security of industrial control systems.

The new ‘Industrial Control Systems (ICS) Security’ section at the bottom of the page provides a link to a new document produced by the Chemical Sector Coordinating Council; “Securing Industrial Control Systems in the Chemical Sector: A Case for Action”. This document is part of an awareness campaign being conducted to make chemical manufacturing facilities aware of the ongoing implementation of the ten year ICS security program outlined in the Roadmap to Secure Control Systems in the Chemical Sector, a document available upon request to the Chemical SSA (ChemicalSector@DHS.gov).

The new section on this web page also briefly describes a DVD that is available from the Chemical SSA that provides additional resources available to help facilities to increase the security of their ICS. The web site indicates that the following information is included in the DVD:

• ICS Security Training Resource – A guide of available training designed for professionals who work in areas relevant to the process control and automation industries.

• Standards and Guidelines - A guide designed to facilitate research on existing standards in the area of control systems security.

• Incident Response and Reporting - A document that illustrates the importance of a chemical company reporting a cyber incident to ICS-CERT, and how this can positively impact the Chemical Sector.

• ICS Procurement Language - A document that provides example language to incorporate into procurement specifications.

• Cybersecurity Tabletop Exercise – This resource is scalable and includes all materials and templates needed to conduct a tabletop exercise with minimal planning.
The Case for Action document also notes that the DVD contains a copy of the Cyber Security Evaluation Tool that I have previously described in this blog.

It would seem to me that any cyber security officer responsible for industrial control system security ought to email the Chemical SSA and request a copy of this DVD, It would be an invaluable resource. That and downloading the Case for Action document are two simple steps that could lead to increased ICS security awareness.

Friday, April 29, 2011

Revising RBPS 13 for NTAS

I have been mentioning for the last couple of weeks now that ISCD needs to revise the Risk-Based Performance Standards Guidance document to reflect the change from Homeland Security Advisory System (HSAS) to the new National Terrorism Advisory System (NTAS) that was implemented earlier this week. Of course it is easy to complain about someone not doing something; it is more productive to actually suggest something so that is what I am going to do.

I’m going to do a minimalist revision of the RBPS 13 section of the Guidance document; keeping as much as possible the DHS-ISCD flavor of the document. I’ll explain the changes as I make them here in the blog and then I will post the revised version on my web site. Then, I’ll open the floor to a public discussion. We’ll do the same with the Metrics at the end of the section in a separate blog.

Cut and Paste

The first thing we will do is to use the cut and paste feature of the word processing program to replace ‘Homeland Security Advisory System’ with ‘National Terrorism Advisory System’. Next we will do the same with ‘HSAS’, replacing it with ‘NTAS’. Then we will replace references to ‘Color-coded Threat Level System’ with ‘National Terrorism Advisory System’. Then we go back and remove redundant references to ‘NTAS and ‘National Terrorism Advisory System’. We also removed the changes made in the name of the ASIS reference at the end of the section.

Explanation of NTAS

Next we would remove the section describing the out-dated ‘Color-coded Threat Level System’ and replace it with a description of the NTAS Alerts from the NTAS Public Guide.

Discussion of Sample Security Measures

We will change the description of the conditions that call for the additional security measures, replacing the ‘High Condition (Orange)’ description with one reflecting an ‘Elevated Threat Alert’. The second category; ‘Severe Condition (Red)’ description will be replaced with one for ‘Imminent Threat Alert’.

Length of Period of Elevated Threat Level

One of the major changes in moving from the HSAS to the NTAS systems is the elimination of open ended periods at elevated threat levels. The NTAS system includes a requirement for specific time limits that are included in the Alert when it is issued. While it is still possible to be at an elevated threat level for a lengthy period of time (probably only measured in weeks), it will remain at the specified level only for the specified time. The discussion under the section for the ‘Length of Period of Elevated Threat Level’ will be revised to reflect this change in philosophy.

References

Finally, we will change the URL for the DHS web site for the advisory system to reflect the new URL for the new NTAS system.

Minimal Revision

The revision described here is a minimal change to the RBPS 13 section of the Risk-Based Performance Standard Guidance document. The only things changed were those necessary to properly reflect the change in the DHS advisory system from the old color-coded system to the new system of National Terrorism Advisory System Alerts

It wasn’t a difficult re-write; it took less than two hours of work. Of course in the ISCD environment there would be multiple levels of approvals that would require at least a couple of additional re-writes. Then there would be the public publishing and comment period that would extend the time necessary to actually require facilities to implement the change.

One would like to think that the work on the RBPS 13 revision was started shortly after Secretary Napolitano signed off on the revised alert system. That would have allowed for the shortest amount of time where there would be discrepancies between the provisions of the advisory system and the requirements for the CFATS site security plan. Maybe this will allow ISCD to catch up.

Thursday, April 28, 2011

HR 1540 Introduced – DOD FY 2012 Appropriations

Yesterday the GPO finally made available a copy of HR 1540, the National Defense Authorization Act for Fiscal Year 2012. The bill was introduced by Rep. McKeon on April 14th and outlines the Defense Department programs that would be funded for the next fiscal year.

Interestingly, there is no specific mention of cyber defense programs in this bill. The spending numbers proposed in this legislation do not get down to the program level so the lack of spending numbers is not unusual. Because of the discussion about the role of the military in cyber defense, I would have expected to see some mention of the programs in the bill.

I do expect that the issue will be addressed in the hearings and final committee report on this bill.

EPA Methyl Bromide Critical Exemptions Proposed Rule

Today the Environmental Protection Agency (EPA) published a notice of proposed rule making (NPRM) in the Federal Register (76 FR 23769-23781) proposing uses that qualify for the 2011 critical use exemption and the amount of methyl bromide that may be produced, imported, or supplied from existing pre-phase-out inventory for those uses in 2011. This rule would confirm letters sent to manufacturers earlier this year that the EPA would allow the production of 1500 MT of methyl bromide this year for critical uses of that toxic chemical outlined in this NPRM.

Due to the late publication of this proposed rule, EPA is providing a shortened comment period for this NPRM. Public comments are solicited and may be filed via the Federal eRulemaking site (www.Regulations.gov; Docket # EPA-HQ-OAR-2008-0321). Comments need to be filed by May 31st, 2011. If a public meeting is requested (that request must be submitted by May 3rd) in this comment process it will be held on May 13th. That would extend the comment period to June 13th.

Methyl Bromide COI Status

Once again, I am posting this information on this chemical security site because DHS did not list methyl bromide in its final list of DHS Chemicals of Interest (COI) in Appendix A to 6 CFR part 27 because of the assurances provided by EPA that this toxic inhalation hazard chemical was being phased out of use. While that “phase-out” is being extended on a now routine basis, the facilities that produce, store and use methyl bromide are not covered by the CFATS security rules because of the presence of methyl bromide.

Because of delays in this rulemaking process the EPA essentially already authorized the production of 1500 MT of methyl bromide for this year (76 FR 23774), an amount that will probably exceed the amount needed for uses proposed to be authorized in this rule. This means that there will be an increased amount of excess methyl bromide stored in US facilities at the end of this year; an increased amount exposed to potential terrorist attack at potentially unregulated facilities.

ISCD has been reporting that they have been working with industry on revising the Appendix A list for over a year now. There has been no public reporting on what additions to the list are being considered, but I once again urge the addition of methyl bromide to that list. If and when methyl bromide is actually phased out of use/production it won’t make any difference if it is still on the list as no stocks will require reporting and protection under the CFATS regulations.

Wednesday, April 27, 2011

Homeland Security Bibliography

Thanks to the folks over at the Homeland Security Digital Library Blog for pointing to a recent US Army War College publication; “Homeland Security – A Selected Bibliography”. The preface to this 35 page document describes the bibliography this way:

“This bibliography includes topics that reflect some of homeland security's many challenges: borders and immigration, cybersecurity, organization, policy, response capabilities, and resourcing.”
This bibliography is heavily weighted to government policy documents, and may be one of the best sources for information on this type of document. There is less detailed coverage of publications from non-government sources. For instance, under Critical Infrastructure, the bibliography lists two Congressional Research Service reports and one GAO report on CFATS, but doesn’t include any other listings for chemical facility security.

Most entries include links to the documents, making this a valuable resource for people without access to a government library.

2011 ChemSecure Conference

Earlier this week the American Chemistry Council announced the publication of the agenda for next month’s ChemSecure Conference in New Orleans. The three day event (May 9th thru 11th) looks at chemical security issues from more of an industry perspective, though there will certainly be significant DHS participation. In fact, I noted that Rick Driggers will be representing ISCD in the Regulatory Update presentation, the first time since he became the Acting Director of ISCD that I have seen his name on a presentation list for ISCD.

The presentations will cover:

● Legislative update
● Regulatory update
● CFATS inspection update
● Voluntary initiatives
● Cyber security
● State and local fusion centers
● Transportation and CFATS issues
● Supply chain security
● Responsible Care Security Code
Following the wrap up presentation on Wednesday there will be a stand alone DHS presentation on explosives awareness training; separate registration is required. The session will provide information on IEDs and VBIEDs as well as how to respond to explosives incidents.

Further information and registration links can be found at the Conference web site.

Tuesday, April 26, 2011

TSA Errors in ICR Notice

In regards to my earlier blog post about the TSC TWIC ICR Renewal notice posted in today’s Federal Register, I ignored an obvious administrative error in the notice; I was sure that anyone reading the document would have figured out what was going on. It has been brought to my attention, however, that at least one industry reporting organization misread the mistake as a statement of current fact. So I feel bound to point out the error so that TSA can correct the misinformation.

Cut and Paste at Your Own Risk

In the Summary section of the notice (76 FR 23326) it states: “OMB approved the collection of information for six months and TSA now seeks the maximum three-year approval.” Anyone with a modicum of sense would realize that the TWIC program has been around for much longer than ‘six months’.

The ‘emergency six-month approval’ was granted for this ICR back in October of 2007. In April of 2008 TSA filed for a standard 3 year ICR approval that was granted by OMB in July of that year. That standard three-year ICR expires this year and that is the reason that TSA has come back to start the process for re-approving the ICR for another standard 3-year approval.

What obviously happened is that the action officer for this notice took the Federal Register Notice for the 60-day notice for the second ICR (72 FR 67945) and played cut and paste to make this notice. This is a common technique for bureaucratic publications and would have been fine except that the initial ICR was an emergency 6-month ICR that had to be mentioned in the second ICR. It obviously should have been deleted from this request.

Burden Information

It is interesting what you find when you start to dig through records. To go back and document the obvious I had to look at the RegInfo.gov historical site on the first and second ICR requests. There is an interesting discrepancy between the burden data in the 2008 request and this request

● 2008 Hours: 1,018,277; Cost: $109,242,010

● 2011 Hours: 2,630,719; Cost:   $57,002,236
Now I have no problems with the change in the number of hours involved in the collection though it would have been nice for TSA to tell us if this was due to changes in the survey or the number of expected responses (923,457 quoted in the earlier ICR record; no data on the number of expected responses in this ICR notice). What would be really interesting to see explained is how TSA expects to better than double the number of hours spent collecting the data while almost halving the cost of the collection. If true, this increase in efficiency needs to be duplicated throughout the government.

Perhaps it would just be best if TSA started this over with a new and more appropriately prepared 60-day notice.

BTW: I will be submitting a copy of this blog to the TSA PRA Officer as outlined in the notice.

TSA TWIC ICR Renewal – 60-day Notice

Today the Transportation Security Agency published a 60-day ICR renewal notice in the Federal Register (76 FR 23326-23327) as the first step in their renewal of the information collection request authority for the Transportation Workers Identification Credential (TWIC). The ICR covers both the information collected to process the background checks necessary for issuing the TWIC and the information collected in optional customer satisfaction surveys used to ensure that the program is working in an effective manner.

Public comments on the ICR renewal are solicited. Comments may be emailed to TSAPRA@dhs.gov and need to be submitted by June 27, 2011 for proper consideration before the 30-day ICR notice is posted.

Workplace Security Awareness Training

Last night I completed the on-line FEMA Workplace Security Awareness (IS-906) training program. This course presents information on how employees can contribute to their organization's security. It covers much of the same information as the chemical sector security awareness training program provided by DHS but includes additional information on areas such as cyber security and the handling of bomb threats.

The format for the training program is much more traditional than the chem. sector training program. Once you get passed the introductory material most of the material is presented as written matter. I’m not sure why this is the case, but even with most of the video presentations this training program contains a dearth of audio material.

The lack of audio for most of the videos makes them practically worthless. I recommend skipping any video that includes the notation that it does not include audio; you get a better understanding of the scenario from the written description provided than from the audio-less video.

As with almost all on-line training programs this is designed to be completed by individuals. There is a 15 question test that can be taken at the end of the training; successfully completing the test (75% to pass) provides the individual with certificate of completion that can be used to document training completion for various regulatory training requirements. Note: the email provided the link to the actual certificate is not a clickable link, you need to copy/paste it into your browser for it to work.

Group Training

For facilities that prefer to conduct their regulatory required training in a classroom environment, this program could be used, but the reliance on reading the information really does make it impractical. FEMA has provided a summary of the course material that could be readily turned into a slide presentation that could be used for a traditional classroom presentation. They also provide a copy of the test that could be used to document the training for meeting regulatory requirements.

Since government publications are not covered by copyright laws, I will not be surprised to see enterprising consultants adapting this summary into pretty PowerPoint® presentations. It could be worth the cost if it were pretty enough.

Valuable Information

There is some good supplementary information provided in the training program that any security manager ought to keep handy. The Additional Resources page of the presentation is a good example, providing links to all sorts of good information. This page is certainly worth copying.

Finally, there is a link to the DHS Bomb Threat Checklist. When I was in the Army we had a similar form at every phone. I have not seen them since I got out of the Army in 1987. Every corporate telephone should have one underneath it for ready access in the event a bomb threat is received. It provides an excellent reminder of how to handle such telephone calls and a ready form for recording critical information.

Training Resource

Personally I prefer the more innovative training program produced by the Chemical Sector Office, but this training program is certainly a worthwhile addition to any organization's security training program.

Monday, April 25, 2011

DHS Laws and Regulations Page Update

Friday afternoon some time, DHS updated their Laws and Regulations web page in the Counter-Terrorism section of their web site. I watch this page because it contains all of the references to the legal documents supporting the CFATS program. No changes were made in the CFATS portion of the page.

Human Trafficking Section Removed

The only change that I can find is that the section on ‘Human Trafficking’ that was added last year has been removed. Since all of the old links still work, and I assume that this program is still a priority for Secretary Napolitano, I would bet that this information was moved to a more appropriate location on the DHS web site. In any case, it is not a specific interest of the chemical security community.

CFATS Authorization Info

I have been surprised that DHS has not updated the information on the §550 authorization for the CFATS program. If one were to rely on this page for information, one would have to conclude that the CFATS authorization expired last October without any Congressional action. The earlier extension in the Department of Homeland Security Appropriations Act, 2010 is listed and an updated version of §550 is provided up through that amendment.

I was disappointed but could understand why the extensions in the two ‘short-term’ continuing resolutions were not referenced on this page. But, now that the FY 2011 budgeting is complete and the CFATS authorization continued through until the beginning of FY 2012, I would have thought that at least the final extension of the authorization would have been listed.

Oh, well; just another example of the general deterioration of the DHS web site.

Terrorist Words

The folks over at the Law Enforcement and Public Safety Network (LEAPS.TV) have an interesting project underway and they are looking for some assistance from the various security communities. They are preparing a CD with a variety of words and phrases associated with terrorism in the native language of a variety of terrorist organizations.


They are looking for input from the law enforcement and security communities as to what words and phrases should be included on the CD as well as suggestions as to what languages should be covered.

If you have any suggestions, contact Jim Cavanagh at Jim@leaps.tv.

FULL DISCLOSURE: I have a training program that I have developed with LEAPS.TV and have other programs under development with them.

NTAS and Enhanced Security Planning

This weekend I did a blog posting on enhanced security planning, or contingency planning, looking at the reasons that it is important to have these plans in place and providing some examples of what might be included in that planning. Today I would like to take a look at how enhanced security planning should work with the new National Terrorism Advisory System (NTA). For high-risk chemical facilities tying these two things together is an important component of the facility site security plan and meeting the standards (yet to be revised) of RSBP 13.

NTAS

Officially starting tomorrow, the NTAS replaces the old, and controversial, color-coded Homeland Security Advisory System. Instead of the old five levels of the HSAS, the NTAS will see DHS issuing specific alerts that will come in two levels; elevated and imminent. Then new alerts will include specific information about the duration, potential targets, and other details of the threat. An example of the alert format can be found on the NTAS website.

Copies of current alerts will be found on the NTAS website. Individuals and organizations can sign-up to receive information on these alerts via email, Twitter® and Facebook®.

Since these alerts are public information, they will not include classified information. I would like to assume that ISCD has made some sort of provisions for providing detailed information, including classified information, about threats to CFATS facilities, either by chemical, industry or specific facility. Though, since ISCD is a program enforcement organization, they might not be included in the intelligence loop. Additionally, there is the problem of sharing classified information with un-cleared personnel; I have heard nothing about efforts to obtain security clearances for security officers at CFATS facilities.

CFATS Facilities and NTAS

Generally speaking a CFATS covered facility can expect to be affected by an NTAS alert under three circumstances; an alert for a geographical area, an alert for their industry, or an alert for their specific facility. With each alert coming in two possible levels that makes a minimum of six NTAS alert situations that need to be addressed in the RBPS 13 portion of the site security plan.

Of course the situation can get a lot more complicated for facilities with multiple COI especially if they cover more than one type of hazard. For example facilities with both a theft/diversion problem and a release toxic threat might expect to have separate enhanced plans for each under the facility specific and industry specific alerts.

Sunday, April 24, 2011

STB Looking at Special TIH Rail Handling Rules

This week the conflict between the railroads and chemical industry over the shipping of toxic inhalation hazard (TIH) chemicals via railcars has gone back to the Surface Transportation Board (STB) in the form of a new complaint by filed by a variety of industry advocacy groups and a TIH shipper. On Tuesday the STB received a complaint (NOR 42129) from American Chemistry Council, the Chlorine Institute, the Fertilizer Institute, and PPG Industries concerning the new tariff and standard operating practice (SOP) implemented by RailAmerica, a railroad holding company owning and controlling 40 short-line and regional common and contract railroads (including AGR, the railroad specifically named in the complaint), for handling TIH railcars.

STB Complaint NOR 42129

The complaint challenges the following provisions of the tariff (AGR Tariff 9000) and the RailAmerica TIH/PIH Standard Operating Practice:

• That all TIH commodities will be moved only in dedicated train service;

• That all TIH movements will be handled only by special permit that must be requested and tendered to AGR five days in advance of movement;

• That no more than 3 cars loaded with TIH commodities will be transported in the same dedicated train at any time;

• That the minimum fee for special train service is $15,000 per train;

• That all TIH shipments in dedicated train service shall be moved at no more than 10 miles per hour;

• That a qualified mechanical employee of the RailAmerica railroad accepting a TIH shipment for interchange inspect every TIH car before pulling the car from the interchange track; and

• That employees of the RailAmerica subsidiary railroad accompany the TIH shipment at all times as long as the shipment is on RailAmerica property and until the receiving entity acknowledges receipt of the shipment.
Additionally, the complaining parties filed a request that the STB order RailAmerica to stop enforcing its tariff and SOP until the Board has a chance to act on the original complaint. As of Friday evening the Board has not received a reply from RailAmerica.

Common Carrier Obligations

In recent years the railroads have been attempting to get TIH chemicals exempted from their common carrier obligation to accept all properly packed and tendered shipments. They complain that the potential financial risks from a rail accident resulting in a large scale release could wipe out even the largest Class 1 railroad. The STB has rebuffed previous attempts to establish a specific TIH exemption to this obligation and to charge higher tariffs for TIH chemicals based upon this risk.

The actions described in this motion appear to be a combination of risk reduction measures (for example: slower train speeds reduce the risk of catastrophic release in the event of an accident) and efforts to discourage the shipment of TIH chemicals by railroad (for example: only three TIH railcars per train reduce the number of railcars large scale producers can ship in a given period of time).

TIH Rail Security

As described in the complaint some of the RailAmerica procedures appear to violate the limited number of rail hazmat security requirements that do exist. The complaint notes that the requirement to hold rail cars for the formation of a ‘dedicated train’ is in violation of 49 CFR §174.14(a) and §174.14(b). Additionally the five day shipping notice provides potential attackers with a significant planning window for an attack if they can gain access to the permit request via insiders on either side of the request procedure.

TIH Precedents

If the STB upholds any of the provisions of the RailAmerica TIH handling procedures, we can expect that those procedures will be adapted by other railroads. Depending on the wording of any decision adverse to RailAmerica there is the possibility that only minor modifications to the SOP and tariff will be made to test the limits of the STB ruling as was done in the tariff case between UP and USM.

This is an STB case that will bear following.

Saturday, April 23, 2011

Enhanced Security Planning

Well, unless you were living way further out in the backwoods than I do, you have undoubtedly heard about the new Homeland Security National Terrorism Advisory System (NTAS) that was announced this week by Secretary Napolitano. If you’re associated with the CFATS program you will also be aware of the thundering loud silence from ISCD about how to adapt the RBPS 13 portion of your site security plan to the replacement for the old color-coded HSAS system that formed the basis for RBPS 13 in the Risk-Based Performance Standards Guidance document.

To be fair to Director Driggers, he and his staff have larger problems to deal with. Besides, there is probably no one left in the Directorate that was part of the team that wrote the guidance document in the first place. So with that in mind I’ll give a little support and update the comments that I posted earlier this week.

Why is Enhanced Security Planning Necessary?

I don’t need to tell security managers working at CFATS-covered facilities that security equipment, personnel, training and maintenance are very expensive. And with the realization that no security system is impregnable, there is always one more widget that can improve the situation. Unfortunately the rate of return (increased security/dollar spent) on those widgets also starts to fall off rather quickly.

The dark side of security planning is that security measures are a pain in the butt. A comprehensive security system interferes with the day-to-day operation of the facility in countless little ways. Sooner or later employees, especially the good ones, will find ways to circumvent the security processes to make their jobs easier. This is especially true if there seems to be no immediate prospect of an attack on the facility; I mean, what could it hurt????

So the security planner, knowing all of this, and under pressure to keep costs down because security is not a profit center, walks a fine line in trying to have enough security in place but not too much. So they look at the threat picture for chemical facilities (or whatever facility, this applies to everyone, but we are the chemical security community here) in the United States and its easy to see that the vast majority of terrorist attacks in the last ten years have been executed by less than effective terrorist wannabes.

Now this is good news as wannabes are much easier to defend against than the al Qaeda A team. To be on the safe side you plan your defenses for the Wannabe All Stars. You get that program in place, you train and practice, just to keep everyone sharp and everyone stays happy. And you have a facility security system that will deter, detect and delay the wannabes; the best of the wannabes maybe, but still wannabes.

The smart facility security officer knows, however, that the counter-wannabe security plan isn’t really good enough to prevent someone with truly evil intent, determination and a decent level of training and equipment from walking right through the security measures and capturing the flag. Hopefully it will be good enough to convince the A Team (from what ever league; trust me there are more evil doers than just al Qaeda out there) to go play at the next plant down the road with less proficient security.

No security manager worthy of the title can rest with just a defense against wannabes. They loose sleep at night worrying about what happens if they win the terrorist-site-selection lottery; if the A Team moves them to the top of their hit parade. Then the intelligence pukes (security guys and intel guys never really get along, they don’t trust each other too much) drop a message in the in-box saying that the bad guys have been talking about how lovely your facility would be with a large fireball in the center of the tank farm. Oh, and the ‘chatter’ sounds a lot like their visit is imminent. Have a nice day.

Too bad, you have a wannabe security plan in place and the pro’s are on the way. Too late to hold committee meetings, or get security upgrade requests onto the CEO’s desk for approval. Hell, the security widget salesman has heard the same news and isn’t returning your calls; he doesn’t want his product associated with a successfully attacked facility because his widget was half-installed. Besides, your insurance company is not going to pay the net-30 invoice anyway after the smoke clears.

Now, if you had a plan in place for how to deal with the pro’s; with all the approvals signed and purchase orders okayed, with everyone read in on what they had to do when you screamed ‘the A-Team is coming’; then you just might have a chance. If not, then just have them chisel your resignation letter on your headstone.

How do you do Enhanced Security Planning?

First off, you have to realize that security planning, just like any other kind of planning never stops. In production planning for instance, you formulate your plan then you monitor production and orders and modify your plan accordingly. In security planning you hope you never have to actually execute your A-Team plan. So to maintain proficiency you keep making new plans all of the time. Each new plan makes you more proficient at the planning and response process and makes you look at your overall site security plan from a slightly new perspective.

So the first thing you do is to identify your most important target at the facility. Then you determine the most common way that an A-Team terrorist would attack that target. Then you formulate a plan to counter that attack; simple enough, right? Oops, I forgot to tell you that you have to plan for 24-hour notice of the impending attack (hope you get more, pray you get at least that much), so scratch installing a new building around that target as part of your A-Team response plan.

So, you are going to have to depend on security upgrades that can be put in place quickly. Typically this is going to mean increased security personnel and changes to procedures. Installation of fixed equipment is too time consuming and expensive. If the supporting security company has portable security devices/equipment that can come into the facility when needed, this should certainly be examined. For the most part, however, the security equipment you have when you receive The Call, is what you are going to have to deter, detect and delay the attack.

Perimeter Patrolling

One good thing to remember in this planning effort; if you are within 24-hours of being attacked by the A-Team, you are under surveillance. They want to succeed real bad (at least as bad as you don’t want them to succeed) so they are not going to take chances that a small last minute security change will disrupt their attack plan; this is how they got to be the A-Team.

This means that visible up-grades to perimeter security are almost always a good idea. The fastest, easiest and cheapest security upgrade is increased patrolling inside and outside of the perimeter. The folks outside should be looking for the watchers; identify them, catch them, or disrupt them. If they are more worried about their own security than upgrades to your security you have probably prevented a successful attack. Oh, and don’t forget to include increased police patrols as part of your outside the perimeter patrol plan; they are very cost effective.

The increased interior patrols will make it harder for the A-Team to avoid early detection in their penetration of the facility perimeter. Just remember to keep your patrols following random routes and random patrol frequencies. This makes it harder to figure timing necessary to avoid even the increased patrols. You’re never going to have the funds or manpower necessary to eliminate all patrol gaps; adequately (not perfectly; see my blog on randomizing security patrols) randomize your patrols so that the attacker can only identify an adequate patrol gap after it has effectively closed.

Interior Patrolling and Guard Posts

Most high-risk facilities, in a low-risk, wannabe-threat environment are not going to need security patrols roving through operational areas of the facility. Nor will they typically feel a need to have much in the way of internal guard posts. These security tools are just too much of an intrusion into production areas and get in the way. They also require much more in the way of chemical hazard communications training for the guard force.

With the A-Team outside the gates, however, this is going to be the only real cost-effective way of increasing the delay factor inside of the facility perimeter. Again, you have to remember that you are being watched. In this case the counter surveillance tactics work just a little bit different. You probably want the A-Team to know that you have increased the number of security personnel inside the perimeter; have the new security personnel show up in a van or bus for instance. You almost certainly don’t want them to know where the security personnel are at or what they are doing. If you are using internal patrols, the patrol plan needs to try to keep them invisible from outside of the security perimeter as much as possible.

If you are going to use security patrols in the operational areas of the plant, they need to be adequately protected against the production hazards found in those areas. This will mean the proper issue, fitting and use of personal protective equipment as well as being trained to be able to detect the specific hazards associated with the areas in which they are operating. This argues for not using new security personnel for this type duty. There are two obvious solutions; first use the newbie augmentation personnel on perimeter duty and facility experienced personnel for internal patrols; or have production personnel accompany these internal patrols to help keep them out of operational harms way.

Internal guard posts are much trickier to use than it would seem at first glance. Putting a guard out in the middle of nowhere, even with communications, is inherently ineffective. A guard post is only going to be effective when there is a physical structure that naturally channels attacking forces through that point and the guard has some way of controlling movement through that area of restricted movement. Typically, this is a locked door or gate that the guard controls.

If an attacker must mover through that portal to effectively complete their assault, this makes the security guard an obvious target. Protecting the guard from attack increases the effectiveness of the portal at preventing unauthorized access. Using video cameras and electrically operated locks makes a door monitor in the security control room effectively a guard post at that portal.

One last thing to remember, to a trained combatant, a wall is just slightly more of an impediment to entry than a closed, unlocked door. If you’ve ever seen a violent drunk put a fist through a wall, you have a good idea of what I mean.

Executing the Plan

Now there are certainly other tools and techniques that can be used for enhanced security measures and I’ll discuss some of them in upcoming blogs. I certainly would like to hear from the community on their unique ideas about temporary security measures that can be easily put into place at relatively short notice during periods of high threat. But for the purposes of this discussion this should be enough to take a look at how these increased patrolling measures can be put into a enhanced security plan and executed when The Call is received.

First off, the resources to implement the plan need to be carefully determined. Lets say that it will require two three-man patrol teams and a patrol supervisor on each shift to execute the enhanced perimeter patrol plan. Every facility that I have seen uses an outside security company to provide their security guards. The security company contract would then need to be modified to include the responsibility for providing the augmented security force on some sort of minimal notice. I would also include provisions for periodic implementation for short periods to exercise the augmentation plan for training and evaluation purposes.

Where increased police patrols are made a part of the external patrol plan the same sort of agreement needs to be reached with the local police department. One doesn’t normally contract for these services (someone please correct me if I’m wrong), but some sort of written agreement is certainly in order, if just to clarify the requirements.

Then when the call comes in, the facility security manager makes a single call to the security company and says ‘execute security augmentation plan 14’ or something simple like that that allows for immediate movement without a lot of discussion. A similar call is made to the local police department. And everyone starts to move into the higher security mode called for in the facility site security plan.

A Fast Response is better than the Right Response

OOPS. The Call says that it is a group of radical defenders of the lives of Rainbow Darters in a nearby stream that will be attacking not al Qaeda. This group is not interested in attacking your tank of tetramethyldeath (the tank that you identified as your number one target), rather they are after a storage tank where you store a flammable chemical that interferes with the breeding instincts of the Rainbow Darter. The Call goes on to explain that this is the A Team of radical environmentalists with skills and training comparable to anyone that the radical jihadists could send at you.

Oh my, that tank was never considered to be an enhanced target. Oh my, what to do? Don’t sweat it. Initiate the plan for the tetramethyldeath storage tank. Get the cavalry on the way. You can modify the internal patrol plan as necessary (if it was considered necessary in the first place) and the perimeter patrol plan is almost certainly fine without modification other than to tell everyone to look out for hippies in t-shirts and ratty-jeans instead of ‘arabs in flowing desert robes’ (Oh, you didn’t assume that al Qaueda would look like someone out of Lawrence of Arabia? Good for You).

There is an old military adage that says “No plan survives contact with the enemy”. No plan is going to properly predict what the attacker is going to do. The important thing to remember about any sort of contingency planning is that it is easier to modify an existing plan than it is to start a plan from scratch. The important thing is to get people responding and moving. Just the arrival of additional security personnel on the site may be enough to prevent an attack from taking place. This is why enhanced security planning is so important.

DHS S&T Cyber Forensics ICR – 30 Day Notice

On Monday DHS Science and Technology (S&T) Directorate will be publishing (actually available on the web today) a 30-day information collection request (ICR) notice on their proposed CyberForensics Electronic Technology Clearinghouse (CyberFETCH) program. According to the Notice:

“CyberFETCH is responsible for providing a collaborative environment for cyber forensics practitioners from law enforcement, private sector and academia. This clearinghouse will enable its users to share information, best practices and lessons learned within a secure collaborative environment. In order for a user to access this clearinghouse, he/she must complete a registration form to establish a user account.” (76 FR 22910)
More detailed information on the program was available in the 60-day notice published back in February. Public comments on this ICR are solicited. Comments may be filed via the Federal eRulemaking Portal (http://www.regulations.gov/, Docket # DHS-2011-0021). Such comments should be filed by May 25, 2011 to ensure consideration.

Friday, April 22, 2011

ICS-CERT Updates Alert on Agora SCADA+

Late yesterday or early today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published updated version of it’s alert on the Agora SCADA+ Exploit Pack for Immunity’s CANVAS system. This coincides with the latest release of the Exploit Pack (ver 1.1).

ICS-CERT notes that there are apparently 5 ‘new’ exploits for known vulnerabilities and 2 apparent zero day vulnerabilities in the latest version of Agora SCADA+. The two new vulnerabilities are for the Beckhoff TwinCAT ENI Server and the Iconics GENESIS32 and GENESIS64 GenBroker.exe. It’s been a ‘bad’ month or so for exploits of the Genesis systems if this is truly 0-days. According to Joel Langill over at SCADAHacker this vulnerability has already been patched.

ICS-CERT has notified the affected vendors and contacted Glegg, the Russian research firm responsible for Agora. According to the alert “GLEG has declined to provide further details of the vulnerabilities” (page 1).

Reader Comment – DHS Web Site Mistakes

Readers noted an odd post on this site yesterday addressed to a specific, un-named reader. That reader had submitted a comment earlier this week and, after they pushed the submit button, realized that they had included identifying information in the comment. For whatever reason (I have my suspicions) the submitter wanted to remain anonymous and contacted me to see if I would remove the identifying information. This posting was the only way I had of contacting the individual.

The individual concerned has responded by re-submitting the comment by appending it to my ‘personal message’ posting. It points out some inconsistencies in some of the information provided on one of the CFATS web sites. Anyone involved in the CFATS program ought to take the short time necessary to review the information.

While the corrections suggested might seem to be relatively minor, they do directly address the clarity of the information provided. There are enough inherently confusing things about CFATS that any additional clarity is a good thing.

I’m not entirely sure why my CVI blog (where the comment was originally posted) inspired this comment, but I’m happy to share their attention to detail in the hopes of providing additional clarity about the CFATS program.

Reader Comment – TWIC Delivery Issues

Readers will probably recognize the name of the latest commentor on the blog; John C.W. Bennett, from the Maritime Transportation Security News and Views blog. He provides some additional insight on the comments I made in my posting on the GAO report on TWIC delivery options. His entire comment is well worth reading, but I would like to highlight just a couple of points he addresses in these comments.

Convenience vs Security

John makes the following observations:

“I don’t think the Congressional types who advocate mailing TWICs are knowledgeable about the distinction between delivery and activation. I suspect they think that a TWIC is ready to go as soon as it’s delivered. If they were to realize TWICs need to be activated, the debate would still be over worker convenience versus security. Those still in favor of convenience for their constituents would simply want to see activated TWICs delivered by mail.”
This is always one of the problems that security managers need to deal with. Security measures are frequently an inconvenience. Particularly with regards to terrorist attacks, workers do not fully understand the need for security since there are generally so few attacks that the average worker does not appreciate (or believe) the potential risk. There is a similar problem with management’s appreciation of the risk which frequently results in the failure to enforce security rules where they do exist.

TWIC and CFATS

John points out that one of the impediments to the use of TWICs for access to CFATS facilities is that the current rules specifically limit the use of TWIC to transportation workers. While some facility operators might want to be able to use a TWIC based identification instead of producing their own picture ID system, I don’t think that ISCD will try to authorize the general use of TWIC as a general facility ID system.

What the real push behind the TWIC-CFATS debate has been the issue of truck drivers and how the facility would be able to ensure that they can provide unescorted access for commercial transportation while remaining CFATS compliant. Transportation companies and workers are concerned about the potential need for getting yet another type of ID to be able to access CFATS facilities.

The ISCD personnel surety rules will probably specifically allow facility operators to accept TWIC and Hazmat Endorsed CDLs as ways to authorize truck drivers to have access to their facilities. This will probably lead to more trucking companies requiring their driver’s to have TWICs or Hazmat endorsements as a condition of employment.

Thursday, April 21, 2011

NPPD Cyber Security Evaluation ICR – 60 Day Notice

DHS published an initial information collection request (ICR) in today’s Federal Register (76 FR 22409) to allow them to collect information in support of their new cyber security evaluation program. According to the ICR, this program was mandated by Congress in “House Report 111-298 and Senate Report 111-31” as part of an effort to develop tools for “all levels of government to complete a cyber network security assessment so that a full measure of gaps and capabilities can be completed”.

This a program targeted at government agencies (Federal, State and local) and it has no apparent affect on industry in general or specifically on the chemical security community. I only mention it here because it is an example of the kind of information collection that really needs to take place to establish the current state of cyber security.

Public comments on the ICR are requested. Comments can be submitted via the Federal eRulemaking Portal (http://www.regulations.gov/, Docket# DHS-2011-0012). Comments should be submitted by June 20, 2011.

Reader Question – CFATS Security Bootcamp

Last week a reader posted a question to an unrelated blog post asking: “Haven't seen you mention this course yet. Any comments on content or instructor?” The reader provided a link to the ‘CFATS Security Bootcamp’ that will be conducted in Orlando, FL on June 15th and 16th. Its taken me a while to get around to this, but here is the answer to that question.

First off let me say that I have seen mention of this course and a few other ‘bootcamp’ courses conducted by DHS Campus. My initial response has been colored by the fact that I spent three years as a Drill Sergeant at Ft. Benning; I am immediately suspicious of any training course that calls it self a bootcamp. Most of the them that I have seen over the years have focused on the stereotype of yelling instructors and behavior that borders on physical abuse to justify that name; needless to say, I haven’t been impressed with those courses.

My experiences had led me to more or less assume that the CFATS Security Bootcamp was more of the same. Thanks to this Reader Question I found that I have apparently been doing Jeremy Kelley and his folks at DHS Campus a disservice by not giving them the attention their course appears to deserve.

The Instructor

The first thing that I noticed when I went to the page to which I was directed by the Reader’s question was the name of the instructor, Edward D. Clark. Ed (I keep wanting to say ‘John’; I’m a big fan of the Jack Ryan novels of Tom Clancy) has been a reader and commentor on this blog for sometime now. His comments and questions over the years, both posted as comments or personally emailed, have always been practical and well thought out.

That is to be expected given his Special Forces background and his work on homeland security issues, both inside and outside of the government over the years. Given this background for the principle instructor I decided that the course certainly deserved a closer look.

The Course

The course brochure provides a brief description of the course agenda. The breadth of the topics to be covered is fairly impressive for a two day course. You have a number of the typical topics that one would commonly expect for a CFATS training course, risk-base performance standards, SSP/ASP, CFATS administration and IEDs. There are some interesting topics added to this course that I haven’t seen before including the fundamentals of risk management and crowd control. I asked Ed about the former and he noted that this was a student requested item; “Probably because it is in the regulations” (actually it is a suggested training requirement in the RBPS Guidance Document, pg 190, table C5).

The time for each of the classes is relatively short, just 45 minutes. This certainly doesn’t give enough time to make the students experts in the topic by any means. Ed explains that the course is “directed towards employees with security duties and like most bootcamps, provide them with the basics of what they need to know when they arrive at their first ‘duty station’ ”. I think this is a reasonable approach to CFATS training, especially for a two-day course.

Recommendation

I have not had a chance to sit through any of this training, so I can’t actually tell you that the course is a good course. I can say that, based upon the information provided and Ed Clark’s background, if I had a limited training budget for members of my primary security team that were not trained security professionals, I would certainly consider sending them to this course.

NOTE: As always I would appreciate any reader that attends this course, or any other CFATS related course for that matter, providing me with their assessment of the training program.

Wednesday, April 20, 2011

ICS-CERT Updates another Luigi Vulnerability and Posts New Reference

Earlier today, the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published updated information on another set of vulnerabilities identified in the mass vulnerability release by Luigi last month. Additionally, they published a link to a Control Systems Security Program (CSSP) publication dealing with the evaluation of cyber security in industrial control systems.

RealFlex RealWin Demo Advisory

Back in March, one of the SCADA systems identified by Luigi containing multiple vulnerabilities was the RealFlex Realwin SCADA product. In this advisory ICS-CERT confirms what a variety of cyber security commentors have already noted, the seven identified vulnerabilities exist only in a free demonstration version of the software not any of the systems controlling actual physical processes. In any case RealFlex has an updated version available for demonstrations.

Why be worried about vulnerabilities that only exist in the demonstration version of the ICS Software? One might expect these demo versions to show up on computers of personnel with actual access to the ICS on site. This still makes these vulnerabilities a danger to the ICS, because they provide a potential route of entry into the ICS. If an unpatched version found its way onto a lap top or desktop computer of one of the ICS supporting personnel it could provide a route for the injection of trojans, worms and other malicious software onto the ICS system.

Cyber Security Assessments of Industrial Control Systems

This new document produced by CSSP and the Centre for the Protection of National Infrastructure is designed to assist “asset owners to maximise the return on their investment when commissioning assessments of their ICSs” (Executive Summary). In short, this publication provides the novice to moderately experienced Control System Security Manager with the basic information necessary to evaluate and select the appropriate cyber security testing regime for their system.

Personal to Anonymous

I do not have the capability to edit your coment, I can either approve or disapprove its posting to the site, and I would like to post your's. Please resubmit it as Anonymous.

GAO Report on TWIC Mail Delivery

Thanks to John C.W. Bennett over at the Maritime Transportation and Security News and Views for pointing out that the GAO had prepared a report to Congress regarding their evaluation of the various delivery options for getting Transportation Workers Identification Credentials (TWIC) into the hands of the registered transportation workers. This report was mandated by §818(b)(1) of the Coast Guard Authorization Act of 2010 in response to concerns about the cost to workers to travel to a limited number of TWIC issuance facilities to pick-up and activate their cards.

This report will have some potential bearing on possible consideration of HR 1143, the TWIC Delivery Act of 2011, which would mandate the establishment of a program for TWIC delivery by U.S. Mail to any applicant that resided more than 100 miles from a transportation security card enrollment center.

Currently a TWIC applicant must go to one of a limited number of enrollment centers to apply for a TWIC because part of the application process is providing fingerprints and a photo that would be electronically imbedded in the card. Once the background check is successfully completed and the individual’s card is produced the individual must come back to an enrollment center to pick-up and activate the card. As part of this process the individual’s finger prints are verified and a pin number is selected allowing the TWIC to be used as part of a two-factor identification process.

If the TWIC was an integral part of an electronic identification verification system, mailing the card to the individual would not be a problem as long as the individual had to go to an approved location to activate the card. Unfortunately, there is not yet a program in place to require the use of an electronic reader with the TWIC due to delays in the testing program for TWIC Readers. The draft rule for this requirement is expected this fall.

Without the use of a TWIC Reader as part of the identification process the TWIC is just another picture ID to be flashed at a guard as part of an entry procedure at a secure MTSA facility. The concern is that the mailing of the TWIC to the authorized user could allow for the interception or diversion of these cards which could then be used to gain unauthorized access to these facilities.

The GAO report is a good summary of the issues of the current debate, but it provides no data useful for resolving the debate. It does not even provide a suggested methodology for evaluating the information provided. So we are left with a political debate about making things easier for workers vs the maintenance of strict security standards.

Future Debate

Once TWIC Readers become part of the identification process, this debate will shift as a mail-delivered would still need to be activated before it could be used to gain access to a secure facility. The debate will then be about the use of alternative activation methods other than going to one of the limited number of enrollment centers.

A further complicating factor in this debate could arise when the folks at ISCD release their personnel surety program for CFATS facilities. Many people have suggested that the use of a TWIC would be a preferable method of allowing access to CFATS facilities. This could greatly increase the number of TWIC applications that are processed, with a large number of these new applicants living far from the current enrollment facilities.

Tuesday, April 19, 2011

DHS CVI Website Updated

Some early today or late yesterday the folks at ISCD updated their Chemical-Terrorism Vulnerability Information (CVI) web page. The landing page now has a reference to the Executive Order that President Obama signed last year concerning Controlled Unclassified Information (CUI). It also includes links to a page addressing the CUI issue as it currently stands at ISCD.

Readers might remember that back in November when the EO was signed I opined that:

“It is clear that chemical-terrorism vulnerability information (CVI) will fall under the provisions of EO 13556. As the CVI category is established by regulation (6 CFR 27.400) it is certain that it will survive the initial review of the Secretary and the EA [Executive Agent]. The disclosure provisions should also remain unchanged. There may need to be some revisions made to the CVI Procedures Manual, depending on the review of the marking and protections provisions by the EA.”
Well this new web page indicates that the National Archives and Records Administration (NARA) (the Executive Agent for this EO) has decided that the CVI program will remain as a CUI program. As such we can expect that some revisions will have to be made to the CVI manual to bring it up to the new standards. DHS will publish the new manual when it is ready and will certainly revise their on-line training program. All of that will happen at some point in the not too distant future (hopefully).

Web Page Dating

ISCD is continuing to have problems with the dating of their web pages. This has been a hallmark of the ISCD web site; page dates show at a glance when the page has been updated saving the casual reviewer (or even the more serious one such as myself) from having to constantly read an unchanging web page, waiting to see if new information becomes available. Until just recently, (not too long after the recent reorganization, coincidentally I’m sure) these dates reflected the dates that the new pages have been posted on the web site.

These two pages have very suspicious dates. The landing page date is certainly wrong; it shows that this page was changed/reviewed on February 24th of this year. I know that is not true, I check this page every morning at about 8:00 am EST/EDT. Yesterday the date read August 6th, 2009. Today it reads February 24th, 2011. I suspect that it was approved on February 24th but not actually posted for some reason until today.

The EO 13556 page shows a date of March 21, 2011. That date may be correct; without the link to page provided on the new landing page I would have no way of knowing that this page even existed to check on it. Still, I doubt that March 21st was when the page actually went live; it is very likely in my mind that it actually went live this morning with the updated CVI landing page that pointed to it.

These page dates are really a very minor thing; in fact only anal-retentive people like me are even probably aware that they exist. It does however reflect a general decrease in the appearance of professionalism in ISCD. The CFATS web site was something that ISCD had always taken pride in and deserved accolades for their innovative use of the web as a communications tool. I really hate to see it slipping down to the standards of the rest of the Department.

National Terrorism Advisory System

It seems that my blog earlier today about the ending of the color-coded, Homeland Security Advisory System was well timed. This afternoon I received an email from DHS (a sign up thing on the Private Sector Office web page, not personal contacts) letting me know that Secretary Napolitano would be making a formal announcement on the National Terrorism Advisory System (NTAS) tomorrow.

Additionally, the Private Sector Office and the Office of Infrastructure Protection will be holding a webinar to fully explain the NTAS on Thursday afternoon from 1:00 to 2:00 pm EDT. While I would expect the information to be made available on-line, here is the webinar information:

Dial-in: 1-888-889-4460

PIN: 6147798

Webinar: https://connect.hsin.gov/ntas_brief_partners/
If you have an HSIN account you can sign in with your normal sign-in information. Otherwise you can opt to sign in as a guest. I doubt that the CFATS RBPS-13 issue will be raised in the presentation, but it would be a good question to ask the briefers.

On a slightly different note, it seems that the TSA Pipeline Security folks have similar issue with their guidance on enhanced security measures. Readers may remember my discussion of the TSA supplemental guidance for HSAS Threat Level Protective Measures back in January. That discussion was based upon the December 2010 document published by TSA. I just received a copy of an April 2011 version of the document targeted to the NTAS.

It is really commendable that the folks at the TSA Pipeline Security Office (a truly miniscule office I’m sure), without an enforceable security program, have managed to update their newer guidance document for the realities of the new terrorism alerting system. I’m sure that the folks at ISCD will be able to get around to doing the same thing when they finish approving the Tier 1 site security plans some time before 2017. Of course, by then, there will be at least two other versions of this alerting system that will have come and gone.

HSAS Elimination and CFATS

Sometime this month the Department of Homeland Security is expected to formally eliminate the Homeland Security Advisory System, the color coded system that was supposed to keep the public updated on the current state of the threat of terrorist attack. I received a reader email yesterday asking the following interesting questions:

“Can you advise very briefly as to how are CFATS Site Security Plan holders revising their SSP security posture change process with the elimination of the DHS HSAS? How or to what are they tying the security level changes too with the termination of that system?”
HSAS and SSP

RBPS 13 in the CFATS process requires facilities to plan for ‘security measures and considerations for elevated threats. The RBPS Guidance document explains:

“The “Elevated Threats” RBPS addresses the need to escalate the level of protective measures for periods of elevated threat designated by DHS. The purpose of the RBPS is to enhance facility and operational security, while reducing the likelihood of a successful attack, through the implementation of scalable security measures and actions in response to changes in the Homeland Security Advisory System (HSAS) threat levels [emphasis added]. The simplest way for a facility to meet the standards sought by RBPS 13 is to have a set of documented and implementable security procedures that provide for a change in the facility’s security posture based on an elevated HSAS threat level. Properly responding to and implementing appropriate security measures in response to different threat levels significantly improves a facility’s capability to “Deter, Detect, and Delay” a threat (see RBPS 4), greatly reducing the likelihood of a successful attack during a period of elevated threat.” (page 101)
The Guidance document goes on to explain that DHS uses a variety of methods of identifying elevated threats including the HSAS, DHS Threat Advisories and DHS Information Bulletins. Having the alternatives, the main part of the discussion in RBPS, as well as the RBPS Metrics clearly tie the expected response to the RBPS to the HSAS. This entire section of the Guidance document will essentially be useless when DHS eliminates the HSAS later this month.

What ever the deficiencies in the HSAS system (and there are many) it did provide something to which a facility could tie their changes in security response. The SSP could be designed for the base condition and enhanced procedures could be defined for each increase in the reported threat level.

No Anchor for Enhanced Security

While the details of the new threat communication system have yet to be published, Secretary Napolitano has made clear that it will be more detail oriented, targeting specific industries or communities that are under an identified increased threat of terrorist attack. The intention is to make the information clear enough and specific enough so that only those people clearly at risk need to respond and may respond in a cost effective manner.

This certainly seems to make sense. There should be no need for most people to worry about most clearly identified threats. And entities under a specifically identified threat probably do not need to take a generic action, but need to formulate a specific, targeted response.

The problem is that security planning and execution take time. The current HSAS allows facilities to identify in advance generic increases in security that would be necessary and make the necessary advanced coordination that would allow for the prompt execution of those measures. When a specific threat is identified further security measures can be developed based upon previously identified measures.

Without the generic threat advisory to which facilities can tie their generic responses, the facility will have to start their security planning from the base case each time a target threat advisory is provided by DHS. Or will they? While the details will depend on the specifics the new DHS alert system, there is a way to address the enhanced threat issue.

Enhanced Security Planning

First we have to assume that the DHS alerts will, in some form, come in both generic and specific forms. The generic forms will still be more targeted than the current HSAS but will apply an area or industry rather a specific facility and will not include much in the way of specifics about expected attack modes. Specific alerts might still address a number of facilities, based upon either area or industry, but would provide more details on the expected form of attack. The most targeted warnings would provide an unusual level of warning about a specific facility.

Now the question becomes, how does a facility provide for these types of alerts in its site security plan? I think the simplest way to do this is to go back to the SVA and look at which terrorist attack scenarios were determined to apply to the facility. Then for each of those scenarios there would be three levels of increased threat that would need to be addressed:

● DHS notification of increased threat to region;

● DHS notification of increased threat to industry; and

● DHS notification of increased threat specifically to facility.
This would give the facility the type of specificity in its threat response that DHS is attempting to achieve with its revised alert system. This should also allow most facilities to reduce their security costs as they should be spending less time in an enhanced security mode.

ISCD Re-write of RBPS Guidance Needed

At least, if I were in charge (and I am certainly not), that is the way that I would organize things. This is an area that ISCD needs to address quickly. Unfortunately, I would suspect that their current focus is more on the completion of SSP pre-authorization and authorization inspections. I would bet that no-one has even considered re-writing the RBPS 13 section of the Guidance document in preparation for the elimination of the HSAS.

That is not a criticism of ISCD, they do have higher priority problems that need to be addressed. Unfortunately, that doesn’t provide much help to people like my reader who need to complete their SSP development or update their SSP submission for the change in circumstances. Fortunately, there are not that many (are there any yet) facilities that have an actual, approved SSP to update (that was a sarcastic criticism).

ICS-CERT Updates Iconics Genesis Vulnerabilities

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an advisory on multiple vulnerabilities in the Iconics Genesis HMI-SCADA products. This advisory provides updated information on the 13 vulnerabilities reported by Luigi back in March as well as providing information on a newly reported vulnerability discovered by a reader of this blog, Joel Langill of SCADAHacker.

Joel was a co-author of a white paper on the Genesis vulnerabilities that I reported on last month. He also discovered that a bundled component of the Genesis system made that system vulnerable to the vulnerability identified in (CVE-2007-6483) the SafeNet Sentinel License Monitor service. Note that this general vulnerability was first identified in 2007 yet is just now being reported in this product.

Iconics has verified all 14 vulnerabilities and has published a software update that addresses the identified problems. Additionally ICS-CERT recommends the following additional mitigation measures:

• Use a firewall to restrict unnecessary or unwanted traffic, specifically to the affected Ports 38080/TCP and 6002/TCP.

• If an intrusion detection system (IDS) is used, update to the latest IDS signatures.

• Minimize exposure of vulnerable systems to external networks. If remote access is required, use secure methods such as Virtual Private Networks (VPNs).

Monday, April 18, 2011

HR 1502 Introduced – Counterterrorism Intelligence

Last week Rep. Wolf (R, VA) introduced HR 1502, the Team B Act. The legislation attempts to address the issue of the intelligence community missing valuable indicators of terrorist intentions or planning because they have become so enamored with their previous predictions that they are unable to recognize the importance of indicators of other actions.

The bill would establish the Counterterrorism Competitive Analysis Council reporting to the Director of National Intelligence. The members of the Council would come from outside of the government intelligence community; it even limits the number of previous members of that community that could be on the Council at any one time.

This ‘B team’ of the bill title would have access to all of the intelligence available to the government intelligence analysts. They would then be required to “prepare a competitive analysis of each national intelligence estimate concerning al-Qaeda and other foreign terrorist organizations” {§3(b)(2)} as well as advising the Director on “threats of international terrorism and domestic radicalization based on all-source information” {§3(b)(1)}.

A non-institutional look at intelligence information is always a good idea as long as appropriate information controls are in place. The $5 Million price tag {§3(g)} authorized for this program (coming out of the current DNI budget – thus no new net spending) is a small price to pay.

I have one minor concern about the composition of this body. Section 3(c)(1) would have all eight members “appointed by the Director of National Intelligence, in consultation [emphasis added] with the Permanent Select Committee on Intelligence of the House of Representatives and the Select Committee on Intelligence of the Senate”. I would prefer to see the DNI appoint 4 members and the Chairman and Ranking Members of each of the referenced Select Committees appoint a member. I think that this would provide for a selection of personnel with a wider divergence of backgrounds.

While this Council is directed to look at ‘domestic radicalization’ it would seem logical to assume that a group appointed by the DNI would have more of an external focus on Al Qaeda and its wannabes than an internal focus on non-Islamic oriented radical groups in the United States; the real ‘domestic terrorist’ organizations. It might be a good idea to set up a similar shop within DHS to take a second look at domestic counter-terrorism intelligence.

Security Patrol Scheduling

There is an interesting article over at HomelandSecurityNewsWire.com about the theoretical basis for scheduling security patrols. Based upon research conducted at the University of Southern California, the article describes how a new software based technique is being used in places like Boston Harbor to define when and where routine security patrols will appear to ensure that they have the maximum effectiveness in deterring terrorist attacks.

Purpose of Security Patrols

To understand the reason some security managers may turn to patrol scheduling software you first have to understand the purpose of security patrols. The most obvious purpose of this manpower intensive operation is to detect intruders that have penetrated perimeter security. This purpose is based upon the recognition that there is no perimeter security that cannot be penetrated by a properly trained and informed adversary.

The second purpose of conducting security patrolling is less obvious, but probably more important; it is to deter attacks from being executed upon the facility. From a terrorist’s perspective this country is a target rich environment; there are many more targets available than they will ever have the opportunity to attack. The trained teams that will have the best chance of successfully executing a high-profile terror attack will select targets where they have the highest chance of success.

A facility with effective, randomized security patrols in place is much more difficult to successfully attack. An attacker wants to know where and when they would expect to encounter security patrols. This allows them to either avoid those patrols, or to ambush the patrols to neutralize them. If the attacker cannot tell in advance where these patrols can be found, it makes either of these counter-security operations much more difficult. It will be much easier to select a target with more predictable or non-existent patrols.

Randomizing Coverage and Timing

As one digs into the USC website describing their research and the tools they developed one discovers a counter-intuitive extension of this randomized patrol concept; the idea that the areas to be covered by a patrol. In discussing the use of their ARMOR software for scheduling security patrols within the LAX airport they discuss the selection of areas to be patrolled and areas to be avoided.

There are a couple of reasons for this. The most obvious is the fact that security manpower is always a limited resource. Since security is not a profit center for any facility management is always going to place constraints on cost and limiting manpower for security is a common cost management tool. Randomly selecting which areas will be covered by a particular patrol will ensure that the limited manpower available is able to provide maximum physical coverage.

Another common reason that an area might not receive patrol coverage on a particular set of rounds is that there might be non-security related constraints prohibiting patrolling at a particular place-time. At a high-risk chemical there may be chemical operations that make it unsafe for security patrols to operate. Line-breaks, loading or transfer operations frequently require personal protective equipment that is not routinely carried by patrolling personnel. These types of operations need to be taken into consideration when planning patrolling routes.

Use of Patrolling Software

The obvious question that comes to mind after looking at the USC web site and reading the multiple journal articles available on the subject is: do facilities need to use sophisticated software to ensure that their patrols are properly randomized? The answer is complicated. If the goal is to have a completely randomized patrol schedule, the answer is absolutely yes. The human mind does not handle randomness very well and to ensure that the human penchant for predictability does not intrude on randomness.

The problem is that it is not clear that true, mathematically verified randomness, is really necessary. The purpose of the exercise is to make it difficult for the terrorist attack planner to detect the patrolling pattern and plan accordingly. Mathematical randomness is probably not required as it is unlikely that the terrorist will use advanced pattern detection software that only true randomness can defeat.

Very large facilities, with complex patrolling requirements, managing multiple patrols might find the use of the software like that described on the USC web site a valuable tool. This would be done not so much to ensure randomness, but just to make sure that there is efficient use of the limited patrolling resource. Most facilities, however, will not have a complicate enough patrolling program to make the use of this kind of software necessary.

Patrolling Plan

This is not to say that some sort of patrol planning is not required. All facilities that use security patrols as part of their site security plan need to have some sort of formal patrol planning process. To ensure that there are no readily identifiable patrolling patterns someone needs to plan the schedule and route of security patrols and then check them for their predictability.

Another reason for a written patrol plan is to allow security personnel to avoid those areas of the facility where there are time limited safety considerations. Security personnel do not need to stumble upon a personal exposure situation that could have been avoided with a little advance planning. This of course pre-supposes that operations and security are in close and continuous communications.

Saturday, April 16, 2011

S 813 Introduced – Cyber Security Studies

This week Sen. Whitehouse (D, RI) introduced S 813, the Cyber Security Public Awareness Act of 2011. The bill would require the publication of a number of executive branch reports on cyber security issues.

Now I am not a big fan of government reports on a problem as extensively reported as is cyber security, but I do have to sympathize with Sen. Whitehouse’s concern as expressed in the findings section of the bill. After summarizing what is publicly known about the attacks on the US information infrastructure, public and private, the bill notes that:

“As of 2011, the level of public awareness of cyber security threats is unacceptably low. Only a tiny portion of relevant cyber security information is released to the public. Information about attacks on Federal Government systems is usually classified. Information about attacks on private systems is ordinarily kept confidential. Sufficient mechanisms do not exist to provide meaningful threat reports to the public in unclassified and anonymized form.” {§2(a)(8)}
To correct this information deficiency, Senators Whitehouse and Kyle (R, AZ; the cosponsor of the bill) go on to require a number of Federal agencies to prepare unclassified reports (an initial report with annual updates) to Congress on various aspects of the problem. Each report could include a classified annex to protect sources, methods, proprietary or sensitive business information, and national security

Cyber Attacks on Federal Agencies

For successful cyber attacks on the Federal government (§3) the required reports would be prepared by the Secretaries of DOD (breaches against networks of the Department of Defense and the military departments) and DHS (breaches of networks of other executive agencies). The reports would include:

• The aggregate statistics on the number of breaches of networks of executive agencies;

• The volume of data exfiltrated;

• The estimated cost of remedying the breaches; and

• A discussion the risk of cyber sabotage.
Interestingly, there are no requirements for similar reports on cyber attacks on the Federal Judiciary, Congress, State and local governments. I guess that those agencies have been blessed with adequate cyber security measures. Either that or Sen. Whitehouse doesn’t think that there is anything in their systems worth protecting.

Cyber Attacks in the Public Sector

Section 5 of the bill would require the Secretary of Homeland Security to prepare a report to Congress that “describes policies and procedures for Federal agencies to assist a private sector entity in the defending of the information networks of the private sector entity against cyber threats that could result in loss of life [emphasis added]or significant harm to the national economy or national security” {§5(a)}. I suppose that Sen. Whitehouse, in including the ‘loss of life’ consequence must be referring to potential attacks on control systems. It would be helpful if ‘or industrial control systems’ were added to this sentence.

A new and, in my opinion, important consideration in the consequences of cyber attacks is addressed in a report required in §6. This section requires the Securities and Exchange Commission to provide a report on the “the extent of financial risk to issuers of securities caused by cyber intrusions or other cybercrimes, and any resulting legal liability” {§6(1)} and “whether current financial statements of issuers transparently reflect” {§6(2)} that risk.

Section 7 provides guidance on the reports required to reflect the cyber attacks that have been conducted against selected critical industries. Those listed industries are:

• Energy industry;
• Financial services industry;
• Air, rail and ground transportation industry;
• Communications industry;
• Food supply industry;
• Water supply industry; and
• Any other element of the economy determined to be critical by the Secretary of Homeland Security.
The bill then requires the “primary regulators responsible for the physical and economic security” to report on the cyber security of those critical industries. The ‘primary regulator’ is different for each industry listed and for the most part are the agencies one would expect. The one odd ball, however is the ‘any other element’ category; the listed agency is the Federal Trade Commission. With the chemical industry fairly obviously falling under this listing, I cannot find any way that someone would expect the FTC to be responsible for their ‘physical and economic’ security.

The other interesting element of §7 is that the term ‘information networks’ is not found in this section; neither are the terms ‘industrial control system’ or ‘SCADA’. The lack of specificity could allow the EPA, for instance, to look at cyber attacks on the control systems for water treatment facilities in their reporting. I would find it a major stretch of imagination, however, for the FTC to consider control system security in their look at the cyber security status of the chemical industry; they’re just too focused on the boardroom.

Preventing Attacks in the Private Sector

Section 8 requires DHS to enter into a contract with the National Research Council, or a similar Federally funded research group to prepare a report to Congress “on available technical options, consistent with Constitutional and statutory privacy rights, for enhancing the security of the information networks of entities that own or manage critical infrastructure” {§8(b)(1)}. Again the focus is specifically on ‘information networks’ and the security of control systems is completely ignored.

Cyber Supply Chain Security Issues

Section 11 requires DHS to report on the issue of how cyber security is affected by foreign suppliers of “of information technology (including equipment, software, and services)” {§11(b)(1)}. The areas of concern are the ‘public and private telecommunications networks of the United States’, which §11(a)(2) says includes:

• Telephone systems;
• Internet systems;
• Fiber optic lines, including cable landings;
• Computer networks; and
• Smart grid technology under development by the Department of Energy.
The concern is not so much about equipment coming from some place like Germany. It is focused on suppliers that are linked directly or indirectly to a government that might be inimical to the United States. The section specifically mentions suppliers that have “ties to the military forces of a foreign government” (can anyone say ‘China’). The concern is that such suppliers might make networks containing such equipment vulnerable to politically directed cyber crime or espionage.

I almost said that this section once again ignores control systems, but that would be less than true. Since ‘smart grid technology’ is specifically addressed, at least that narrow representation of control systems is included, though I suspect that Sen. Whitehouse is more concerned about the information system aspects of the smart grid.

Protecting the Electrical Grid

The last section, §12, deals with an analysis of the threat of a cyber attack on the electrical grid. The there are a couple on anomalies in this section. First is that the responsibility for this report rests with the Secretary of Homeland Security and the Director of National Intelligence; no one from an agency with oversight responsibility for the energy sector is mentioned in this section.

The two responsible parties may be well versed in two of the four areas (threat analysis and determining the ‘national security implications’ of such an attack) required to be included in the report. One would have to question their level of expertise, though, in final two areas to be addressed;

• The “options available to the United States and private sector entities to quickly reconstitute electrical service” {§12(3)}; and

• A “plan to prevent disruption of the electric grid of the United States caused by a cyber attack” {§12(4)}
So Many Reports

Even accepting for the moment that control systems are ignored in the series of reports that would be required by this legislation, I have to commend Sen. Whitehouse for describing one of the most complete looks at cyber security issue from a national perspective that I have ever seen. The one thing that is lacking is the production of a compiled report that brings everything together for the public; and Sen. Whitehouse was supposedly specifically trying to engage the public.

The way that this bill is constructed is that there would be a large number (I did not bother to try to count them) of reports submitted to ‘Congress’. The first problem is that ‘Congress’ is a relatively nebulous term. One would assume that the reports from DHS would go to the two Homeland Security Committees; the reports from EPA would go to the two environmental committees, and so on. There would be not single body responsible for looking at the totality of the problem.

The second problem is that the reports would be dropping into public awareness at random intervals. While all of the reports have ‘required’ submission dates of 180 days after passage, anyone familiar with the operations of the Federal government know that that means that the first such report would probably arrive no earlier than that date and most of the remaining would come trickling in for a number of years. I mean we no longer even expect Congress to produce spending bills in a timely manner.
 
/* Use this with templates/template-twocol.html */