Sunday, July 31, 2011

OMB Receives TSA TWIC ICR Renewal Request

On Friday the Office of Management and Budget announced on its website that it had received the renewal paperwork for TSA’s Transportation Workers Identification Credential (TWIC) information collection request (ICR). Readers will recall that TSA published their Federal Register notice that this was being sent to OMB over two weeks ago.

Current Approval Expired

Interestingly, the current OMB authorization expires today. As explained in the Federal Register Notice, in “accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.), an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a valid OMB control number”. Technically that would mean that TSA cannot require TWIC applicants to complete the necessary paperwork for that application. In the short run I expect that this will have no practical effect on the program.

Personally, I would prefer to see OMB enforce this law and notify TSA that it could not process TWIC applications until the ICR was approved in normal course at OMB. It does not seem to me that it should be that difficult for a Federal Agency to process the appropriate paperwork for this ICR renewal process in time enough to get the process completed before the current approval expires. After all, the deadline is known three years in advance.

TSA Explanation

One part of the Federal Register notice that I didn’t report on earlier was the comment that: “TSA will directly respond to the individual submitting this feedback.” (76 FR 41510) Since I was the individual submitting the referenced feedback, I can report that TSA has, as of yet, failed to make that response. I’m looking to see their explanation for the changes in processing times and costs.

ICS-CERT Updates Siemens PLC Alert

Friday afternoon the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an update of the alert for Siemens PLCs that had been published the previous weekend. This new information comes from Siemens. They have confirmed the existence of the vulnerability that Beresford found in certain S7-300 PLCs (a list is included in the revised alert) and claim that it does not affect any of the S7-400 PLCs.

A number of bloggers and Tweeters have questioned the timing of this information; it seems that too often the information from ICS-CERT concerning Siemens products comes out late Friday afternoon. It isn’t clear if the timing is ICS-CERT or Siemens driven, but it does look like it is being designed to come out too late for most organizations to react to the release in a timely manner.

It seems odd to me that Siemens started fixing this issue in some version of the S7-300 PLCs as early as June 2009 and has as yet failed to let their customers know about the vulnerability so that older versions of the PLCs could be updated. As recently as earlier this month Siemens was publicly claiming that there were no known security issues with the S7-300 or S7-400 PLCs. Is it any wonder that many people are questioning the truthfulness of the claim in this updated alert that the S7-400 PLCs are not affected by this latest vulnerability?

There is one other oddity about this update. Typically, ICS-CERT issues an alert when it has just some preliminary information about an identified vulnerability. Once the vendor has confirmed the issue and provided mitigation measures, ICS-CERT will then issue an ‘advisory’ to replace the alert. Publishing this new information as an update to the alert rather than publishing it as an advisory would seem to indicate that ICS-CERT has not been able to verify this information.

Friday, July 29, 2011

Coast Guard to Webcast Meeting

A couple of weeks ago I did a blog posting about a couple of public ‘listening sessions’ the Coast Guard had planned for August to get public input on the ‘Certain Dangerous Cargos (CDC) Security National Strategy’ currently being drafted for maritime transportation systems. In closing that posting I suggested that:

“It would seem to me that, with the limited number of meetings currently scheduled, that the Coast Guard should maximize public access to these discussions by making one or both of these meetings available as a webcast.”

Well, a post yesterday by Debbie Whaley over at MSPINT.com notes that the Coast Guard is actually going to do that. She provides a link to the CG Flash Player site (http://trial4.cdn.level3.net/USCGLivePlayer_040611.htm) where the meeting will be broadcast, but there is nothing there now. Nor can I find anything on the Coast Guard web pages for the Office of Port & Facility Activities about the meetings (actually nothing much there but contact information).

In any case, I am glad to see that at least one office in the Department of Homeland Security is moving their public meetings into the 21st Century. To keep this kind of public access available, I urge anyone with an interest in the Certain Dangerous Cargos program to log on to at least one of the two meetings; both at 8:00 am to Noon (I’m assuming CDT; it wasn’t specified in the Federal Register notice) on August 2nd or August 18th.

For further information about the two meetings send an email to CDC@uscg.mil.

SOCMA Looks at CFATS Legislation

Earlier this week Alexis Rudakewych, the Manager for Government Relations at SOCMA, had an interesting post on the SOCMA blog concerning the passage of a CFATS reauthorization bill this session. She included a very cogent analysis of the timing for passage of such legislation, making the point that there is now just a very short window when it is politically possible for such legislation to be considered. This political calculation does not really look at anything but the calendar and the other issues that will occupy Congressional attention.

What’s interesting is that I made almost exactly the same points two years ago concerning the potential for Congress passing HR 2868. The main difference between then and now was that we were still waiting on the House Energy and Commerce Committee to take up the legislation. A year ago I did a similar blog posting on HR 2868 waiting on Senate action, but had to include a discussion of the consideration of the upcoming election.

Oh, there is one other important difference: in both of those previous analyses one of the main forces leading the opposition to the CFATS legislation was SOCMA. To be fair, there were provisions in HR 2868 that SOCMA and most of the rest of the chemical industry thought would be severely detrimental to the profitable operation of chemical facilities.

The point that I would like SOCMA to consider is that basically the same political tools that they and the rest of the chemical industry used last session to block passage of HR 2868 are being used by Greenpeace and the rest of the ‘blue-green’ coalition to oppose the passage of HR 901/HR 908/S 473 in this session. Political pressure is being applied to a relatively small number of Senators to prevent the consideration of the legislation.

In both cases action in the House is/was a foregone conclusion. The political party in clear power will/was able to overcome inter-Committee rivalries to bring legislation to the floor where it will/was able to easily pass. The rules in the Senate, however, allow a strong minority to block consideration of legislation where there is not a clear need for the legislation, in some form, to pass. With the safety valve of the one year extensions of CFATS in the Homeland Security appropriations bills there is no need for the Senate leadership to exert the political effort to force a CFATS authorization bill to the floor for a vote.

This year in the Senate there are probably enough votes from moderate Democrats to allow passage of one of the three industry favored CFATS bills if it came to an actual floor vote on the bill. It is also clear that the green lobby has enough votes to block such consideration; much the same way that last year the chemical industry had the votes to block consideration of HR 2868.

There is no reason to believe that this basic political calculus will change anytime soon. The country is ideologically pretty evenly divided. While we can expect to see periodic changes in the majority control in both Houses of Congress, it is unlikely that we will see a large enough scale change in the Senate to eliminate the minority’s ability to prevent consideration of legislation like the CFATS authorization. The legislation is just not important enough to the vast majority of Americans to make a fight to get it to the floor worthwhile.

The sad thing is that both sides of this controversy want to see CFATS succeed. Almost everyone agrees that there needs to be a formal Federal oversight over the management of security at high-risk chemical facilities. Everyone also pretty much agrees that the current annual extension of the CFATS program is not helping DHS effectively manage the program. Nor is it allowing industry to effectively manage their response to the program.

But, until whichever side currently has the political upper hand realizes that they are going to have to make some reasonable compromises with the opposition to get a CFATS authorization bill to the floor in the Senate, we will be stuck with the current appropriations reauthorization process.

Thursday, July 28, 2011

Ammonium Nitrate Bombs

The right-wing terrorist attack, probably by a lone wolf or very small group of conspirators, in Norway last Friday sounds very similar to the attack in Oklahoma City in 1995. The most common denominator between the two attacks was the use of a large improvised explosive device based upon ammonium nitrate. The use of ammonium nitrate, a common fertilizer used on farms around the world, as an explosive, by terrorists of all political persuasions is very common because it is widely available and extremely easy to use.

News reports about the Oslo attack indicate that European Union rules about registering the sales of ammonium nitrate fertilizer did flag the sale of the material used to make that bomb. That did, apparently, result in Breivik, the apparent mastermind of the attack, being placed on a law enforcement watch list. Since he was a farmer, it appears that no subsequent detailed investigation of his background was done.

Currently the US does not even have rules in place (some state rules exist) that would ensure that similar sales of ammonium nitrate are reported to authorities. DHS has been required by Congress to have such rules in place since 2008, but the notice of proposed rulemaking has yet to be published. That NPRM was approved by OMB earlier this month so we are expecting to see it published any day now.

It is clear that, even if the final rule authorized by Congress were currently in place in the United States, a homegrown lone-wolf extremist like Breivik would be able to buy significant quantities of ammonium nitrate fertilizer. A farmer will be required to register with DHS and some sort of background check will be required, but an extremist that has not come to the specific attention of the government and that has an apparent legitimate use for the material will be able to register and buy whatever quantities they desire.

This is one of the inherent security issues that an open society is going to have to deal with. There are any number of chemicals that can be used to make improvised explosive devices. Even common household cleaning agents can be used to make bombs or chemical weapons. There is no way that a free society can prevent the misuse of all of these chemicals.

Having said that, a chemical that can have massive effect when misused, like ammonium nitrate, does have to have some sort of controls in place to keep that misuse to a minimum. In most cases the requirement for registering with the Federal government to be able to buy ammonium nitrate will have a chilling effect on illegitimate users. It will be a relatively minor inconvenience to legitimate users that will cause some to switch to alternative chemicals (many of which are also able to be used for making improvised explosive devices; that is the nature of nitrogen fertilizers).

But, the American public and their politicians must realize that, even with registration requirements in place, there is a very real chance that a Breivik or McVeigh will be able to buy ammonium nitrate and construct a bomb of catastrophic proportions. More importantly, ammonium nitrate is just one of a large number of chemicals that can be used to construct similar devices. In a free society that is just one of the risks that we are going to have to live with.

ICS Security Posture

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an interesting announcement on their web page concerning an upcoming project being coordinated by the Industrial Control Systems Joint Working Group (ICSJWG). According to this announcement this project will be a ‘focused effort’ to produce a ‘cross-vendor position paper’ that “discusses the current security challenges and a path forward for a more effective industrywide approach to ICS security”.

With more and more security vulnerabilities being identified in industrial control system software, it is becoming clear to anyone that is watching that there are significant shortcomings in the industry’s security posture. It is only a matter of time before someone (a terrorist, a disgruntled ex-employee, a criminal organization, or even a foreign power) takes advantage of one or more of these vulnerabilities to attack an industrial control system in the United States with ‘catastrophic consequences’ (I’m sorry; it is just too nice a phrase. I’ll try to come up with another in the near future).

It is also clear that there is no magic bullet that is going to cure the problem overnight. The responsibility for the current situation is the product of too many variables to enumerate and everyone in the business, vendors and users alike, shares a fair measure of the blame for getting here.

It is also clear that the politicians have no clue about the extent of the problem and are focused on the (admittedly) larger cyber security issues of the protection of privacy, financial transactions, and intellectual property.

So, the idea of various members of the community getting together to take an organized look at the problem and come up with suggestions for its resolution is a good one. The ICSJWG is probably as good a venue for this as any. It already has a very open structure in place that can accommodate an evolving level of participation. And most of the major players already have links established to this group.

I’m not sure how detailed a proposal can come out of this group (or any group attempting this type of dialogue) because of rules concerning business competition, collusion and market manipulation. But anything that gets a positive dialogue started will be of benefit to the control system community and the country as a whole.

One warning, however: the ‘Green’ community has already targeted the Critical Infrastructure Partnership Advisory Council (CIPAC; the actual parent organization for ICSJWG) as an industry lobbying organization with undue influence on DHS. While this is an exaggerated accusation (in my opinion) it is a very real problem that must be dealt with. Unless ICSJWG takes pains to ensure that this discussion is open and inclusive, the political response to the final product will be colored by these types of accusations.

The ICS-CERT announcement invites interested parties to contact them at ics-cert@dhs.gov. They stress that this includes all “ICS vendors, standards bodies, and ICS partners”. With ‘ICS partners’ obviously including owners and operators, I would like to encourage the participation of organizations like SOCMA, ACC and NPRA (to name just a few) that represent many of those owners and operators. And let’s not forget the security researcher (black, white and gray hat) community; they should be participating as well.

Wednesday, July 27, 2011

PHMSA Pipeline Safety Advisory – Flooding

Today the Pipeline and Hazardous Materials Safety Administration (PHMSA) published an advisory bulletin in the Federal Register (76 FR 44985-44986) for pipeline operators describing the “actions that operators should consider taking to ensure the integrity of pipelines in case of flooding”. A copy of this bulletin (ADB-11-04) is supposed to be available on the PHMSA Pipeline Safety web page (http://phmsa.dot.gov/pipeline), but as of 7:00 am EDT it was not listed on that site.

The preamble to this advisory makes it clear that PHMSA is publishing this because of the Laurel, Montana release earlier this month. The cause of that release is still not known, but the timing of the release and the flooding of the Yellowstone River ensure that most people believe that the flooding caused the release. The wording of the preamble does not explicitly adopt this assumption, but the implication is clear.

While I am certainly not a pipeline safety expert, the measures outlined in this advisory seem to be common sense measures that a reasonable person would assume that a pipeline operator would be taking in the event of flooding near their pipeline. With the extent of flooding seen across the Midwest this year I suppose that it is prudent to publish an advisory of this sort, but this really should be part of a comprehensive pipeline safety program since flooding is not that unusual an event.

ICS-CERT Issues Wonderware Advisory

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an advisory for the Invensys Wonderware Information Server that had previously been posted in restricted release on the US-CERT Portal. The Advisory describes a stack-based buffer overflow vulnerability in two different ActiveX controls used by that product.

This vulnerability is remotely exploitable by an attacker with moderate skills. It does require a user to open a malicious file or website so a social engineering attack is required. A successful attack could allow remote code execution on the affected system.

Invensys has developed a patch for this vulnerability.

Tuesday, July 26, 2011

Detection vs Response

There is an interesting discussion underway on the LinkedIn group for pipeline security. A group member noted that he was working on a proposal for a pipeline security project and asked for input from the group. As one would expect, a number of vendor representatives jumped in with responses touting their product lines. One of the more interesting responses came from Ed Clark, a long time reader, commenter and financial supporter of this blog (Contributions are graciously accepted – see donation box to the right). He noted:


“OK, quiz time, after we spend a ton of money to detect a potential threat, how do you respond? If you cannot stop the intruder, you are just recording the crime.”

This points out a clear problem for many security plans: intrusion detection is covered in some detail, usually with multiple overlapping programs, but intruder interception is not provided for as well. This is a subject that I have dealt with in a number of different blog posts (see my series on security forces at chemical facilities), but I want to come back to it once again; the use of armed guards in a security plan.

First off, it is clear that not all facilities need to have an armed response force to adequately protect their facility against a terrorist attack. Facilities with only theft/diversion COI on site do not really need to stop the theft of those chemicals (though it is certainly preferable). If the theft is identified quickly enough that the local police agencies can stop the chemicals in transit, that certainly prevents subsequent attacks using those materials. Armed guards are not needed for this type of response; recording/reporting the crime is adequate.

For facilities with release COI, particularly release – toxic COI in significant quantities, any security plan that does not provide for a means to stop an armed attacker is a waste of time and resources. Some sort of armed response force is going to be necessary. The question that must be addressed in the site security plan is whether the facility will maintain that force (typically with a contract guard company) or whether they will have to rely on local law enforcement agencies.

There are two major drawbacks to using law enforcement personnel. The first and most obvious is the response time issue. To effectively use the local law enforcement agency (LEA), a facility will have to have a good understanding of the response time for both a single patrol car and a tactical team (SWAT). Then the physical security measures must be designed to delay an attacker long enough to allow for that known response time. It takes lots of barriers to slow an attacker long enough to identify the attack and allow for SWAT to arrive.

The second major problem is a training issue: hazard communication and facility layout. An LEA response force needs to be fully aware of the chemical hazards on site and their potential effects on their response plan. They need to be tactically aware of what tanks and process equipment may absolutely not be penetrated by flying bullets and what areas may be expected to present a flammable atmosphere where the simple discharge of a firearm might lead to a catastrophic fire and/or explosion. Simply giving them a facility map with those areas designated will not provide the situational awareness necessary to avoid these problems in a live fire response situation.

A tactical response force is going to need to have frequent, comprehensive access to the facility to effectively respond to an armed attacker. Anything less at a high-risk chemical facility will just make that armed response part of the terrorist attack. This certainly suggests that a private, dedicated armed response force is needed.

CFATS Knowledge Center Correction

OOPS. The 'Ammonium Nitrate' Tab has now been removed from the CFATS Knowledge Center web page. I guess that its addition was premature. I just hope that my expectations of an early release of the ammonium nitrate NPRM were not also premature.

HR 963 – SAR Immunity – Passes in Committee

As was expected last week, the House Judiciary Committee passed HR 963, the See Something, Say Something Act of 2011. After defeating four amendments from Democrats, three by voice vote and one by a lopsided 16-4 vote (which may have been closer if more Democrats had shown up for the hearing), the bill was approved by a voice vote.

Readers may remember that I had commented on the fact that a nearly identical version of this bill (HR 495) had been introduced earlier by Rep. King (R, NY). That bill was passed over by the Committee to take up this bill that had been subsequently introduced by Chairman Smith (R, TX). This was obliquely addressed by Smith’s official statement on this markup of HR 963. He said:

“I’d like to thank Chairman Peter King of the Homeland Security Committee, who has long advocated for this and other measures to keep America safe.”

With that left-handed endorsement buried in the historical record, Chairman Smith’s name will now be the sole name associated with this legislation, a fact that will almost certainly show up in future campaign literature. Unless, of course, the Senate takes up S 505, the companion bill to HR 495, that was introduced by Senators Lieberman (I, CT) and Collins (R, ME) before the whole House passes HR 963.

This bill will almost certainly pass in the full House. Democrats will again attempt to get anti-profiling language added to the bill, but that will not be successful. Senate passage is also likely, but the lack of restrictions on racial profiling could interfere with the bill being considered there. It is hard to see how such restrictions could be effectively worded when dealing with suspicious activity reports by civilians since ‘profiling’ definitions typically depend on patterns of activity not individual cases.

Monday, July 25, 2011

CFATS Knowledge Center Update 07-25-11

There was an unusual change made today to the DHS CFATS Knowledge Center web page. They added a new tab to the list of subjects across the bottom middle of the page. There is currently no information associated with this new tab.

So what is the new tab? It reads ‘Ammonium Nitrate’ and presumably it will provide links to information about the ammonium nitrate notice of proposed rulemaking that we are expecting to see published in the Federal Register anytime now.

Sunday, July 24, 2011

Congressional Hearings Week of 07-25-11

Both Houses are in Washington, but there are too many distractions for much in the way of chemical or cyber security hearings this week. In fact, there is only one hearing scheduled that might be of interest to the cyber security community. On Tuesday the Oversight and Investigations Subcommittee of the House Energy and Commerce Committee will meet for a hearing entitled “Cybersecurity: An Overview of Risks to Critical Infrastructure.”

The soon to be (maybe) Assistant Secretary of DHS for the Office of Cyber Security and Communications, Ms Bobbie Stempfley, will join Sean McGurk from the National Cybersecurity and Communications Integration Center (NCCIC) on the single panel currently scheduled to testify. They will be joined by Mr. Gregory Wilshusen, the Director of Information Security Issues from GAO. The GAO representative, along with the inevitable GAO report that he will be presenting, will probably ensure that the hearing will concentrate on information security rather than control system security.

ICS-CERT Publishes Saturday Alert for Siemens PLCs

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an alert for the Siemens S7-300 and S7-400 PLCs. There is not much information in the alert (which is not unusual; if more information was available and/or ICS-CERT was able to confirm the details it would have been published as an ‘advisory’). The core information of the alert is found in two sentences:

“On July 23, 2011 an independent security researcher publicly announced a vulnerability affecting the Siemens S7-300 and S7-400 PLCs. The researcher claims that he was able to achieve a command shell using credentials he was able to acquire from the PLC.”

As of the publication of the alert yesterday, nobody was officially confirming or denying the existence of the reported vulnerability. This isn’t surprising with the underlying information being made public on Saturday.

It looks like the disclosure was made in a TWEET® by Dillon Beresford on Saturday. He posted:

“All S7-300/400s contain a hard coded password as I suspected, I decrypted the firmware image and located the password. We have a shell! WEWT”

It’s not clear yet if this ‘hard coded’ credential (it’s hard to accept the concept of a hard wired ‘password’) is a substantial part of the security measures that Siemens recently claimed protected these two PLC series from Stuxing. If it is, Siemens severely underestimated the ability and determination of security researchers (of both hat colors).

It will be interesting to see how Siemens deals with this tomorrow.

Friday, July 22, 2011

How Simple Can Stuxing Be?

Over the last week or so I have been talking about how easy random stuxing of a control system could be. Yesterday Ralph Langner, the man responsible for identifying the man-in-the-middle component of the Stuxnet attack, demonstrated in his blog just how easy that attack could be. He provided us with just 4 lines of code for a Siemens PLC that would shut down the output of the PLC on a predetermined date.

This is, in effect, the bullet that an attacker would use to Stux a control system. Additional code could be hung on this bullet to make it more effective, but this could certainly disrupt manufacturing operations.

If this is the bullet, the attack still needs a method of getting it to the PLC. Ralph shares some thoughts on how that could be accomplished, but it is clear that little more than access to the network upon which the PLC resides is all that is required to deliver that bullet to the intended target.

Stuxing is moving just this much closer to reality.

Thursday, July 21, 2011

DHS Updates 2011 CSSS Page – Presentations Available

Today the DHS Office of Infrastructure Protection updated their web page for the 2011 Chemical Sector Security Summit, adding links to many of the presentations from the CSSS. It will take a while before I have a chance to review all of the presentations; I’ll report on the ones that appear to be of interest.

There are limitations, however, in these presentations. They are the slide presentations that were shown at the Summit, not the actual presentations. A good presenter provides much more detail in the verbal portion of their presentation than can be put into a slide. This is the reason that I have been banging the drum to encourage DHS to make videos of the presentations and put them up on the web.

I wrote in an earlier post about an indication that DHS was going to be attempting to do this for one of the presentations at the CSSS. Well, there is nothing on the new page that indicates that DHS has done so. It could be that the post-production work on the video is still underway and it will be posted at a later date. If that is the case, I am happy to have DHS post the easier to process slide presentations. Of course, it would be nice if they mentioned that the video was in progress. At the very least it would keep people like me from picking at them.

As always, if there are readers who were present (or even better presenters) that want to share their views about any of the presentations, drop me a line or post your comments to this post.

NPPD Cyber Security Evaluation ICR – 30 Day Notice

Today DHS NPPD published a 30-day information collection request (ICR) notice in the Federal Register (76 FR 43696-43697) for their new Nationwide Cyber Security Review (NCSR) Assessment.

As I noted in my earlier post about the 60-day ICR, the NCSR will be targeted at Federal, State and local government computer networks. According to this notice the NCSR will be used by the folks at the Cyber Security Evaluation Program to “examine relationships, interactions, and processes governing IT management and the ability to effectively manage operational risk”.

Public comments on the ICR are being solicited. Comments can be made via the Federal eRulemaking Portal (http://www.regulations.gov/; Docket # DHS-2011-0012) and should be addressed to: OMB Desk Officer, Department of Homeland Security, Office of Civil Rights and Civil Liberties. Comments need to be submitted by August 22, 2011.

CFATS Reauthorization Update

There is an interesting blog post over at ChemicalProcessing.com by guest blogger Alexis Rudakewych from SOCMA. She looks at the status of three CFATS authorization bills that are wending their way through the legislative process. She pays particular attention to the procedural issues related to their passage.

SOCMA Deadline

She notes in her closing paragraph the concern of SOCMA that a reauthorization bill should be passed before Congress takes its scheduled fall recess on September 23rd. I’m not sure why SOCMA is setting this artificial deadline of getting reauthorization legislation passed this fiscal year. The House version of the DHS appropriations bill that is awaiting Senate action contains a standard one-year extension. One would suppose that similar language would be included in any Senate bill that might finally make it through the inactive Senate Appropriations Committee (okay, ‘inactive’ may be misleading; how about ‘otherwise occupied’?). Such language was formally requested by Sen. Lieberman as I noted in an earlier posting.

In any case, the appropriations process will certainly ensure that the CFATS program continues through FY 2012. There is no reason that passage of a one-year extension in the appropriations bill should have any effect on implementation of any of the CFATS bills currently before Congress. Such an extension would take the pressure off any CFATS bill and that could make it easier to work out a compromise or it may stop work on the process. It’s hard to tell at this point.

Now I certainly understand SOCMA’s concern that the CFATS program should be put on a firmer footing than depending on the politically charged appropriations process for authorization. While no one has suggested that the CFATS program should be canceled, money managers at covered facilities are concerned about making large security expenditures for a program that might not survive the depreciation schedule for their capital expenditures.

Political Issues

While Ms Rudakewych addresses the procedural issues involved in passage of a CFATS bill, she does not touch on any of the political issues involved. SOCMA has been a vocal industry critic of proposals for including such provisions as IST and public law suits. Such industry opposition was responsible for the failure to pass HR 2868 last session. Failure to address these issues may allow environmental and labor activists to stop passage of HR 901/908 or S 473 this session.

Interestingly it seems that this year the issue that may control final action in the House will have nothing to do with actual security measures. The reason for three separate House bills that essentially do the same thing (different lengths of time for the authorization being the closest thing to a difference in security measures) is that there is an internal House issue about personal political power; which Committee gets the authority to oversee the CFATS program.

SOCMA has been very careful not to pick sides in this debate as has most of the industry. Unfortunately ignoring this issue has done little to solve the problem. It is about time that this power sharing issue is publicly discussed.

In the Senate the political issues actually revolve around the CFATS issues that have been plaguing the chemical security discussion since almost 2001. IST has been probably the largest single sticking point with the two sides taking an all or nothing stance on the issue. Given the Senate rules it doesn’t appear that either side will be able to get enough votes to allow a straight up or down vote on IST.

This session industry appears to have a stronger political position in the debate, but it still looks like the environmental and labor advocates for IST have enough votes to prevent the passage of a cloture motion on the bill. I still think that compromise language is possible and I believe that industry is in a better position to push for compromise. Greenpeace and their friends have spent too much time demonizing the chemical industry to be able to justify compromise to their supporters.

Failure to publicly address these issues is going to ensure that we will continue to rely on the DHS authorization process to keep the CFATS program working.

Wednesday, July 20, 2011

Updated Pending DHS Security Rules Page

Well, I finally got around to updating the page on this site where I track the various rules pending at DHS. The information on this page is taken mainly from the latest Unified Regulatory Agenda though the lists of blog posts all refer to blog posts on this site.

Most of the changes made to this page deal with updating the “NEXT EXPECTED RULE MAKING EFFORT” entry for each regulatory action. I did remove two entries completely because I felt that they really weren’t appropriate for the topics associated with this blog. Those were:

● 1651-AA70: Importer Security Filing and Additional Carrier Requirements

● 1652-AA53: Large Aircraft Security Program

Another proposed action (1652-AA66: Reporting of Security Issues) was removed because DHS has completed action on that rule making since the Fall 2010 Agenda was published. So, it is no longer covered under the Unified Agenda and there is no need to track it any longer.

I did add the new Coast Guard action (1625-AB64 Top Screen Information Collection from MTSA-Regulated Facilities Handling Chemicals) that I discussed in an earlier blog. It was added to the ‘Proposed Rule’ section.

Finally, one action (1652-AA58 Freight Railroads--Vulnerability Assessment and Security Plan) was moved from the ‘Long Term Action’ heading to the ‘Proposed Rule’ heading. This reflects the intention of TSA to start to take action on this rule sometime in the not too distant future. Supposedly they expect to publish a notice of proposed rulemaking (NPRM) in November; we’ll see.

Chemical Spam

Last Friday Steven Partridge from ADT had an interesting blog posting over at ChemicalProcessing.com concerning an alert from the FBI about a bogus FBI letter that had been sent to at least a couple of chemical facilities. The letter asked for money for a ‘Clearance Certificate’ and threatened legal action if the money was not forthcoming.

Apparently this was an example of one of the more outrageous types of cons typically seen more often in electronic mail boxes than snail mail boxes. Most of us have seen at least a few of these leak past our spam filters. They are typically so over the top that one wonders how these folks ever get a response that makes their efforts pay off.

The only reason that I even mention this is that the electronic counterparts of these silly messages may actually pose a risk to chemical facilities. These emails may be so over the top that individuals might investigate the links in the message just to see ‘how stupid people really are’ just for the fun of it.

People need to be constantly reminded that their surfing through a properly crafted web site may be all that is necessary to place malware on their computer and the corporate network. Inadvertently inviting these folks behind the corporate firewall can be a first step along the road to compromising the manufacturing control system.

S 1342 Introduced – Bulk Power Cybersecurity

Last week Sen. Bingaman (D, NM), the Chairman of the Energy and Natural Resources Committee, introduced S 1342, the Grid Cyber Security Act. When introduced the bill was accompanied by the Report from his Committee favorably reporting this bill. (NOTE: the actual bill is not yet available from the GPO but the Committee Report is. Makes sense huh? BTW: The report includes the text of the bill.) This means that this bill could be considered by the Senate at any time as committee actions are now complete.

This bill would amend the Federal Power Act to expand the official definition of what electrical infrastructure would be covered by cyber security rules. A new §224 would define the term ‘critical electric infrastructure’ that would include physical and virtual assets involved in the ‘generation, transmission, or distribution of electric energy’. The critical factor determining coverage would be the requirement that the incapacitation or destruction of the assets would “have a debilitating impact on national security, national economic security, or national public health or safety” {§224(a)(1)}.

The bill would have the Federal Energy Regulatory Commission (FERC) determine if current §215 reliability standards are adequate to protect the critical electric infrastructure from cyber security vulnerabilities. Those vulnerabilities are defined as “a weakness or flaw in the design or operation of any programmable electronic device or communication network that exposes critical electric infrastructure to a cyber security threat” {§224(a)(5)}. Unless FERC specifically determines that the current standards are adequate, they will be required to order the Electric Reliability Organization (ERO) to update those standards within 180 days.

There are no specific requirements for security for control systems in this bill; it leaves the establishment of those requirements to the ERO.

BTW: It would help spell checkers everywhere if Congress would decide if ‘cyber security’ was one word or two. I vote for a single word – cybersecurity.

Tuesday, July 19, 2011

Cybersecurity Markup – HR 2096

Well, it really did have to happen sooner or later; a congressional committee is actually going to take some action on a cyber security bill. According to the Science, Space and Technology Committee web site, there will be a full committee markup of HR 2096, the Cybersecurity Enhancement Act of 2011, on Thursday, July 21st.

This will probably be a real yawner for control system security personnel. As I noted in my earlier blog about the introduction of this bill:

“While the findings section of this bill specifically mentions “critical infrastructures for electric power, natural gas and petroleum production and distribution, telecommunications, transportation, [and] water supply” {§102(1)} there is not a single mention of control systems in the bill. The clear focus of this bill’s studies, research programs and grant programs remains the conventional cyber security areas of information technology, information and identity assurance, and networking systems.”

I suppose that we can always hope.

Fixing the Site Security Plan – Changing Questions

In a blog post this weekend on CFATS spending, I may have mentioned in passing that ISCD is having problems with their SSP approval process. In fact, I may have mentioned the same thing in a couple of other posts as well (okay, I apologize for the sarcasm, kind of anyway). It’s always easy to criticize, so I thought that I’d try to take the high-road and suggest how that problem might be addressed in a relatively easy manner.

Background Information

But first, I’d like to suggest that my readers go to ChemicalProcessing.com and download their latest CFATS publication (actually ADT’s latest publication on their site) “CFATS: Surviving the Site Security Plan”. It provides a brief description of the current SSP situation and their recommendation for how facilities can help to overcome the problems. In particular everyone should read the short “Painting a Picture” section on page 3. To save you some time, I’ll share the first paragraph here:

“Rather than simply answering 'Yes' for a question, answer 'Other' and take the opportunity to give an expanded written answer. The information in the 'Other' boxes should describe, in detail, the facility’s security posture, including physical security as well as specific procedures and policies. Take credit for measures already in place, even if those measures do not fit perfectly within the scope of the question, and use the 'Other' box to provide sufficient detail.”

Now this is not really new information. Last December DHS published a new CFATS pamphlet, “Helpful Tips for Completing a Chemical Facility Anti-Terrorism Standards (CFATS) Site Security Plan”. It included the following as the introduction to its first tip, “Appropriate Level of Detail”:

“An SSP must include sufficient detail to allow DHS to exercise its responsibility to determine whether the SSP satisfies the CFATS risk-based performance standards (RBPS). To date, many of the SSPs submitted have provided simple Yes or No answers (or similarly brief, non-descriptive responses) to many questions in the CSAT SSP application. Such answers typically do not provide enough information for DHS to make an informed judgment on whether the facility’s security measures satisfy the applicable RBPS.”

All of this makes perfect sense if one realizes that the people making the decisions about the approval or disapproval of the SSP will probably never see the facility. The information that they need to determine whether or not the facility security measures will adequately address the Risk-Based Performance Standards (RBPS) will have to come completely from the SSP submission.

One final point that must be kept in mind is that Congress has specifically prohibited DHS from requiring specific security measures as a basis for the approval of a site security plan. This means that a simple checklist will never provide enough data to allow for an adequate evaluation.

Revise SSP Questions

All of that is good to know, but DHS turns right around and does its best to ensure that during the SSP submission process, they ask for less information than they need. If you look at the latest version of the SSP Question Manual published last month you’ll see what I mean.

For example turn to RBPS 1 – Restrict Area Perimeter and look at page 65. You’ll see two questions about perimeter fences. The first question asks for a description of the fence and provides selection buttons (‘Yes’, ‘Partial’, and ‘No’) for a list of common fence types. The second question addresses the Fence Top Guard installed on that fence. For both questions one of the available selections is ‘Other’. There is also a text box to provide additional information.

Unfortunately, the instructions for that box continue to read: “If ‘Other’ is selected, enter a description:”. A more reasonable instruction, given the need for the facility to ‘paint a picture’ of the fence, would be: “Enter a description of the ‘Fence Barrier’:”.

I would suggest that even that would not really ensure that ISCD receives all of the information that they need to evaluate that ‘Fence Barrier’. With ‘Partial’ coverage an expected response about a particular type of fence, there should also be a prompt to explain that partial coverage. Additionally, there should be a prompt to provide a basic idea of what information a description of the ‘Fence Barrier’ should include.

Here is how I would write the instruction for the Fence Barrier text box.

“Describe each type of fence barrier selected. Include information on materials of construction, footings, and physical size and configuration of fence. Explain the extent of any partial coverage.”

Additionally, since everyone knows that a picture is worth a thousand words, I would add a specific provision here for uploading pictures of the Fence Barrier. Digital photography is so ubiquitous that there is no reason why one would not want to include photographs in the SSP submission. Some photos would be better than others, but a really bad photo could just be ignored by the evaluators.

There is an alternative way of looking at the information requirements for questions like this. DHS could just add an additional layer of questions. For example, if a facility selected the ‘Yes’ button for ‘Chain Link’ the following additional questions could pop up that would require a short text entry answer:

• How tall is the fence?

• How far apart are the support poles?

• How are the support poles anchored to the ground?

• Is there a top bar along the top of the fabric?

• Is there a bottom bar along the bottom of the fabric?

• Are there privacy slats in the fence fabric?

The problem with this type of questioning is that there is always just one more question that could elicit just that one last piece of additional information. For example, privacy slats can go in one direction or two, and bi-directional slats make it more difficult to climb or cut the fence. They can be made of metal, plastic or wood. And on and on and on.

I think that for most of the questions in the SSP submission it will be more than adequate to change the wording of the current ‘Other’ text boxes to solicit descriptive information for the pertinent questions. Adding provisions for photo submissions would also be a good general move. There may, however, be places where there will need to be additional questions added to ensure that ISCD personnel have adequate information to conduct their evaluations.

Writing Site Security Plans

I want to take this opportunity to point out to facility security managers something that I have said on many occasions. The current DHS SSP submission is misnamed. It is not a ‘Site Security Plan’. It is just a really extensive series of questions about how the facility manages its site security.

A real ‘Site Security Plan’ would be a document that describes in even greater detail the actual structure and organization of the security of the facility. It would include the types of descriptive detail I mentioned above, but it would also assign responsibility for various parts of the plan and describe how temporary problems with the plan would be dealt with.

For example the part of the plan dealing with the perimeter barrier would:

• Describe how the barrier fits into the security program;

• Describe the actual barrier;

• Describe who is responsible for inspecting the barrier;

• Describe who is responsible for repairing the barrier;

• Describe what compensating measures will be used while the barrier repair is being scheduled and completed; and

• Describe the procedures for making changes to the barrier.

If a facility had such a detailed Site Security Plan, they could use that document to provide the information required to complete the ‘new’ text boxes that I am proposing that DHS include in their SSP submission questions.

Monday, July 18, 2011

Stuxing Tools

Earlier today I wrote in a blog post that:

“While I noted that this type of stuxing would not require as much process knowledge as the classic Stuxnet attack, it is still a fairly sophisticated attack mode (at least until stuxing tools become readily available).”

This evening I ran across an interesting Tweet ® that bears on that statement:

From @D1N
“Finished testing all of the Siemens Simatic S7-300 and S7-400 aux modules for Metasploit. New attacks read/write/delete data blocks on PLC.”

I haven’t seen the Metasploit modules yet (actually I probably never will; after all, I wouldn’t know what to do with them in any case) but I doubt that they are really the ‘stuxing tools’ that I mentioned. They are almost certainly an important step to constructing such tools, and will probably be included in the tools, but they are not yet the tools.

Don’t get too comfortable, though. No telling what the blackhats are doing.

Committee Hearings Week of 07-18-11

Congress continues on a streak this week with both Houses in Washington. Lots of hearing action but very little of specific interest to either the chemical security or cyber security communities. In fact there is only one hearing this week that will be mentioned here and that is a markup hearing that will cover multiple bills with only one being of any interest.

On Wednesday and Thursday the House Judiciary Committee will be conducting a full Committee markup of seven bills including HR 963, the See Something, Say Something Act of 2011. I discussed this suspicious activity reporting (SAR) immunity bill in an earlier blog when it was introduced.

BTW: If anyone is keeping track I won the bet (I doubt that there were any takers on this sucker’s bet). Chairman Smith’s bill will be considered before his Committee looks at the earlier and substantially identical bill introduced by Rep. King (R, PA). Actually King’s bill will never get considered. So much for the dispassionate and fair exercise of personal political power. Hopefully, this won’t be one of those silly things that poisons relationships between Committee Chairmen.

The Risk of Random Stuxing

Last week I did a blog post where I discussed in some detail how a Stuxnet-like attack could be used to disrupt operations at a chemical facility. While I noted that this type of stuxing would not require as much process knowledge as the classic Stuxnet attack, it is still a fairly sophisticated attack mode (at least until stuxing tools become readily available). So, since the result of a simple stuxing attack is not usually spectacular or maybe even not readily recognizable as an attack, why would anyone bother to execute such an attack? As with most types of cyber attacks there could be a number of different motivations in play.

Hacker Status

Let’s never forget the most basic motivation for a cyber attack, hacker status. It’s been years (okay, decades) since I personally knew a hacker, but it is apparent that one of the basic motivations for many (if not most) of them is simply the desire to be recognized by their peers as the first, the fastest or whatever –st. As always, the more complex the challenge the more status is to be gained from achieving the goal.

With everyone in the cyber world talking about the size and complexity of the team that developed Stuxnet, there is obviously a substantial challenge to be the first individual to turn this complex attack into a hacker toolbox item. The identity of the first target really doesn’t make a difference, so it will probably be a readily accessible target that is hit first. After that it will be a matter of ringing up successful attacks on increasingly difficult targets.

Even after the next level of complexity has been reached the stux attack will remain a measure of advancement in the hacker world particularly as advanced defenses against the attack mode are developed. We will continue to hear about successful attacks for years to come.

Financial Gain

As if the pure hacker threat wasn’t bad enough, the problem of extortionists using this type of attack cannot be discounted. Since the effects that I outlined in my earlier blog are more financial than anything else, the random-stux attack mode certainly lends itself to criminal elements using this as a source of money. The criminal organization infects the system, causes some batch upsets, and then offers to turn off the attack for a fee.

The economics of this type of attack are very complex. The earlier in the attack development cycle described above that criminal elements can adapt the stux attack, the more likely they are to make good money from it. Early in the attack cycle large organizations may be more likely to buy time, but as defenses become more available larger organizations are more likely to have the sophisticated cyber support necessary to employ those defenses and responses.

As the attack cycle progresses smaller facilities will become the more likely targets because of the generally lower technical sophistication of in-house support personnel. The per attack financial return will be lower, but there will still be substantial profits possible because the lowering cost of conducting the attacks will make it easier to attack a larger number of facilities.

Terrorism

The lack of a spectacular result from a random-stux attack would seem to make it a poor attack mode for the typical terrorist organization. There are, however, two major exceptions to that truism; anarchist and hacktivist organizations may find this to be a very desirable attack mode.

Anarchists may find this to be an almost ideal tool in their fight against multi-national corporations. It would allow them to disrupt production and exact a financial impact on these organizations with minimal threat to the safety of employees and the surrounding community. It would allow them to conduct their attacks from the relative anonymity of the internet while still clearly marking their targets.

Recent years have seen the rise of the hacktivist organization. While many of these are clearly cyber anarchists we are seeing more of them taking up more conventional social and political causes. A recent article at SCMagazineUS.com noted that the hacktivist organization Anonymous has declared their intention to take on ‘Big Oil’ over the exploitation of the Alberta Oil Sands and to attack Monsanto over their ‘business practices’.

The combination of any of a number of different causes (animal rights, anti-abortion, global warming, racial/social purity, pollution prevention, environmental equality, and even labor disputes are all potential examples) with people that have the clear technical expertise necessary to develop this stux-attack mode may make a wide variety of hacktivist organizations the most likely source of these attacks in the near future.

Sunday, July 17, 2011

CFATS Spending

One of the things that I enjoy about this blog is some of the questions that people send to me. Last week I received an email from a reader who wanted to know what I knew about CFATS spending patterns. It turns out that it was really an investment question about delays in spending on CFATS security measures and how that related to income patterns for security companies.

Now I certainly don’t have any investment grade information on how much facilities are spending on CFATS related security measures, either in individual cases or even just gross industry estimates. Given the diversity of the types of facilities covered and the way that the Risk-Based Performance Standards are set up, I don’t think that anyone has a real good handle on this information. On the other hand, the question does provide a rather interesting way to look at the CFATS program and the progress of its implementation.

Pre-CFATS Security

Most high-risk chemical facilities prior to the April 2007 publication of the CFATS regulations had basic security measures in place. This would typically include perimeter fencing, maybe gate guards and the like. But most companies were more focused on safety issues rather than real security. Certainly after 9-11 the larger facilities put more emphasis and spending on security measures, but it was the rare facility that made serious efforts maintaining a high-profile security program.

There were exceptions of course. Refineries and large chemical complexes, particularly those owned by companies with overseas exposures always took security more seriously than their smaller counterparts. They stepped up that security even more after 9-11. And there were some facilities that had security concerns unrelated to terrorism that had significant security measures in place all along. But, in general, physical security measures were relatively low on the list of corporate spending programs.

Pre-SSP Spending

After the publication of the CFATS regulations in the spring of 2007, but before the implementation of the Top Screen program in late December of that year, I think that we can assume (I haven’t seen any data so I’m making assumptions here) that there was some increase in the spending on security consultants and the like, but most facilities were taking more of a wait and see approach to the CFATS program; holding their breath and hoping that they weren’t going to become covered facilities.

After the Top Screen submissions and facilities began receiving notifications from DHS that they were ‘preliminarily’ declared to be high-risk facilities, security spending certainly increased, but again, this was mainly for consultants to help facilities do their security vulnerability assessments. For many facilities though, those SVAs were eye openers about security matters, particularly when they were being guided by outside consultants that really understood security matters. Spending on basic security measures probably started increasing significantly at this point.

Major security spending, however, was put on hold in most cases until DHS published their Risk-Based Performance Standards Guidance document in May of 2009. At this point facilities had a better (but certainly not good) understanding of the types of security measures that DHS was going to be looking for in the site security plans (SSP). There was a major drawback to this document however. Because of Congressional limitations on DHS CFATS authority, DHS could not clearly specify which security measures would be required.

On one hand this was a good thing. It was intended to provide facilities the largest possible latitude in designing effective security measures tailored for their specific situation. It clearly recognized that the diversity of the chemical industry prevented the establishment of cookie cutter security programs.

Unfortunately, it also introduced a lot of uncertainty into the security planning process. Without clear delineation of what was required and what was not, management was going to be reluctant to authorize spending on high-dollar value security projects.

DHS made provisions for this uncertainty in their SSP submission program. Facilities did not necessarily have to have all security measures physically in place when they submitted their SSP for review. They could include in their SSP submission projects that only existed on paper. There were two levels of these paper projects. The first was “Planned Projects”; ones that were firm plans and had budget commitments clearly documented. The second was “Proposed Projects” that the facility was considering but not yet committed to. Both of these types of projects required the expenditure of planning money up front, but avoided the actual expenditure of capital funds until their actual status became clearer after the DHS review of the SSP.

SSP Delays

Unfortunately, the SSP review and approval process has not proceeded in the way that either industry or DHS had desired. For a variety of reasons that have not been clearly delineated DHS has not had adequate information to approve site security plans based upon the information submitted via the on-line Chemical Security Assessment Tool (CSAT). Originally the plan was for DHS to review the SSP submissions using a combination of computer analysis and expert reviews to determine if the plan was adequate. After giving a preliminary approval based upon that plan, DHS would then send out their limited staff of trained Chemical Facility Security Inspectors (CFSI) to inspect the implementation of that plan. Only after the actual implementation was okayed would final approval be given to the SSP.

Unfortunately, the inadequate information provided in the SSP submissions required DHS to institute another intermediate inspection process where the CFSI went to the facility to work with the security management team to develop the information required for the evaluation of the written plan. According to unofficial information I have heard from the recent Chemical Sector Security Summit, DHS has reportedly only done 175 of these pre-approval inspections to date. The last official word from DHS that I have heard was that only four SSP submissions have been approved and were pending final inspection.

The big problem here, from a facility perspective, is that security capital spending plans are in limbo. Problems in the automotive and home construction sectors have hit the chemical industry particularly hard and there is a reluctance approaching inability to spend unnecessary capital funds. Capital spending on nebulous security requirements is particularly hard to justify. Where possible these projects have been put on hold, where necessary they have been canceled.

At some point this has got to have an adverse impact on the security industry. The CFATS program has had to result in an expansion of many portions of that industry, particularly in the consultant and planning portions. The delays and cancelation of high-dollar security projects has had to have an impact on the income of consultants and suppliers alike. At some point, many of these people are going to have to get out of the business that they got into because of the CFATS program.

This will inevitably cause implementation delays. Projects that were planned by people that are no longer in the business will have to be re-thought, planned and justified by consultants and planners that have remained in the business. New suppliers will have to be found to replace those that have gone out of business. In some cases no replacements will be available for innovative products and services from companies that are no longer around.

Continued Delays

There does not seem to be any significant relief in sight for the delays in the pre-approval and approval process for the Site Security Plan program. DHS has been in the reactive mode trying hard to get the 200 some odd Tier 1 facilities through the SSP process in an inevitably manpower intensive manner. The recent turnover in managers and supervisors in the home office has complicated the problem resolution process. Meanwhile, over 3,000 Tier 2, 3 and 4 facilities have their security planning process placed entirely on hold, wondering when their SSP submissions are even going to be looked at.

I would like to assume that DHS is doing everything that they can to resolve this issue, but I can’t see any clear indications from the outside one way or the other. I know that there is significant dissatisfaction in the inspection force and many of the mid-level people at headquarters, but it is not clear whether this is more of an issue of personalities or serious dysfunction or just the stress of being in an untenable organizational situation.

I do know from personal experience that when you’re fighting alligators it is hard to remember that your original job was to drain the swamp. It is easy to criticize people who are in the middle of a reactive battle to keep their heads above water as they are prone to make mistakes. It is the nature of the beast; the situation is not conducive to careful consideration and long-range planning.

Congressional Inaction

Congress has done nothing to help this process. Recent hearings have glossed completely over the delays, focusing on the ‘success’ of the program to get facilities to this place in limbo. There have been no investigative hearings into what needs to be done to solve this problem; no examination of what additional resources or guidance might be necessary. Even the opponents of the current program want to extend the responsibility and coverage of the program without thinking about addressing the causes of the delays in the present program.

The most supportive thing done by Congress to date is the offering of an amendment to one of the three reauthorization bills moving through the legislative process that would require DHS to respond to an SSP submission within 180 days. This would only mean that DHS would have to formally disapprove the plans that they are currently working with facilities to improve. At best this would result in further delays in the approval process as cursory attention must be paid to lower tiered submissions to meet the arbitrary time limit. At worst this is going to involve DHS in extensive litigation as facilities demand to be told what the deficiencies are in their plan that resulted in the disapproval and DHS is only able to give them vaguely worded answers because of Congressional prohibitions against requiring specific security measures. DHS does not need a congressionally mandated adversarial atmosphere to be established in this program.

What is needed is a thoughtful outside appraisal of the problem and help with establishing realistic solutions. The DHS IG, the GAO and more importantly the Congressional oversight committees should conduct a detailed look at this problem. Properly done this could provide DHS with some much needed help.

Of course, we could just continue down this current path. Sooner or later an attacker (probably home-grown and non-Islamic) will successfully exploit the current security confusion and execute a relatively unsophisticated attack against one of these facilities. It will most likely be a chemical diversion attack on a Tier 3 or 4 facility to gain access to chemicals necessary for a larger attack somewhere else. When that happens, we’ll see some action on security measures, you betcha. Too late to be of any good, but they will be impressive.

Saturday, July 16, 2011

PHMSA Submits Pipeline Safety ANPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) published a notice on their web site that the Pipeline and Hazardous Material and Safety Administration (PHMSA) had submitted a draft advance notice of proposed rulemaking (ANPRM) to OMB for a new rulemaking effort on the safety of gas transmission pipelines.

According to the abstract on the RegInfo.gov web site for this new rulemaking (RIN: 2137-AE72):

“In this rulemaking PHMSA will be revisiting the requirements in the Pipeline Safety Regulations addressing integrity management principles for Gas Transmission pipelines. In particular, PHMSA will be considering the definition of an HCA (including the concept of a potential impact radius) and the repair criteria for both HCA and non-HCA.”

This rulemaking was published for the first time in the Spring 2011 Unified Agenda.

Friday, July 15, 2011

NARA Announces Advisory Committee Meeting for July 27th

Today the National Archives and Records Administration (NARA) published a notice in the Federal Register (76 FR 41826) announcing a meeting of the State, Local, Tribal, and Private Sector Policy Advisory Committee (SLTPS-PAC). The SLTPS-PAC was chartered last December to “advise the President, the Secretary of Homeland Security, the Director of the Information Security Oversight Office (ISOO), and other executive branch officials on all matters concerning the policies relating to access to and safeguarding of classified national security information by U.S. State, Local, Tribal, and Private Sector Entities, as specified in Executive Order 13549 and its implementing directive.” (SLTPS-PAC Charter, pg 1)

The July 27th meeting will be open to the public. The notice is remarkably reticent about the agenda for the meeting; saying simply that the “meeting will be held to discuss the matters relating to the Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities”.

There is limited public seating available for this meeting, so individuals planning on attending are being required to provide the ISOO (ISOO@nara.gov) with their name and phone number by July 25th.

With an increasing emphasis on the sharing of intelligence information with private critical infrastructure and key resource (CIKR) facilities, there will be more of a push for private entities to be able to handle classified information. This group could provide a valuable resource for ensuring that the Federal government understands the problems associated with the private sector meeting the requirements for handling this information.

Thursday, July 14, 2011

2011 ACS Conference

If you are interested in the field of industrial control system security and have been watching the standard sources on the Internet, then you have probably seen the announcement listed below. But on the off chance some of my readers with an ICS bent rely just on this blog for their information, I’m posting this at the request of Joe Weiss (he’s a hard man to say no to).


“Registration is now open for the 2011 ACS Control System Cyber Security Conference at www.realtimeacs.com. This is the 11th in the series. The details of the presentations can be found on the website. Highlights include discussions of the recent Brazilian power plant control system network compromises, the San Bruno natural gas pipeline failure, control system vendor contractual language that could prevent cyber disclosures, and means to secure combustion turbine vendor links. If you have any questions, please call (408) 253-7934” Joe Weiss

Actually, this is probably the longest running ICS conference and the agenda posted on the Applied Control Solutions web site gives a good indication why. Joe remains able to pull together a wide variety of experts to provide presentations on a wider variety of subjects. The list below provides the list of topic areas along with a single specific topic (selected by me) for each area; the complete agenda is available on the ACS web site.

● Industry - State-sponsored cyber activities against ICS (Night Dragon, etc)

● Government - Air Force discussion on CyberWar

● Hackers/Disclosures - IT hacker experience with Siemens controllers and VxWorks

● ICS Cyber Incidents - Control system incidents that could be caused by cyber attacks

● Equipment Issues - Microsoft perspectives on ICS cyber security

Preview of Energy and Power Hearing on Pipeline Safety

As I noted in my blog post on this week’s hearing schedule, the Energy and Power Subcommittee of the House Energy and Commerce Committee is conducting a hearing tomorrow morning to look at a draft of a potential bill to update the laws governing pipeline safety. When I wrote that earlier post there was no information available about the witnesses for that hearing. That has since changed.

Witnesses

This hearing will have three separate panels. The first will consist of two members of Congress that represent districts impacted by pipeline releases: Rep. Jackie Speier (D-CA) and Rep. Denny Rehberg (R-MT). They will certainly express the concerns of the members of their respective districts that the two accidents will not be repeated.

The second panel will consist of two Government witnesses. The first and most obvious will be Administrator Quarterman representing PHMSA. The second witness on the panel is Randall S. Knepper, Director of the New Hampshire Public Utilities Commission, who is representing the National Association of Pipeline Safety Representatives, whose members form the bulk of the State and Federal pipeline inspection force.

The third panel includes representatives from various pipeline industry organizations, ExxonMobil and a public interest group.

Testimony on Line

In a refreshing move, the Energy and Commerce Committee has published the prepared testimony of the witnesses on their web site before the hearing begins. For every other hearing that I have covered, the testimony has not been posted any earlier than after the witness has provided their initial oral presentation to the Committee.

It has always been obvious that committee members (and their staffs, of course) are provided copies of the testimony in advance. This allows them to ask more intelligent (sometimes a very relative term) questions. It is refreshing to have the same chance to review the testimony in advance.

I’ve had a chance to do a very quick review of each of the testimonies provided (the two members of Congress do not, apparently, have prepared remarks available). Each witness professes general support for the provisions of the discussion draft, while taking some exception to a couple of provisions. The panels seem to present a fairly balanced look at the provisions of the proposed bill. It should be an interesting hearing.

TSA TWIC ICR Renewal – 30-day Notice

Today the Transportation Security Administration published in the Federal Register (76 FR 41510) a 30-day information collection request (ICR) for the renewal of the ICR for the Transportation Workers Identification Credential Program. The ICR covers both the information collected to process the background checks necessary for issuing the TWIC and the information collected in optional customer satisfaction surveys used to ensure that the program is working in an effective manner.

This notice explains that a commenter on the 60-day ICR notice for this program (76 FR 23326-23327) reported errors in the length of the collection process and the subsequent results for the calculation of the total collection burden and costs. That report of the error originated in my blog posting of March 26th that was subsequently submitted to TSA. The following revised data was provided in this ICR:

• Annualized number of respondents – 401,330
• Estimated burden hours – 919,110
• Annualized cost burden – $53,866,023

Public comments on this ICR are solicited and should be submitted to the Office of Management and Budget (OMB) by August 15th, 2011. Comments can be emailed to oira_submission@omb.eop.gov and must be addressed to Desk Officer, Department of Homeland Security/TSA.

ICS Attacks as Process Problem

There is an interesting post over at Digital Bond's SCADA Security blog about a subject that I have been discussing since Ralph Langner started describing the operation of the Stuxnet malware. Dale looks at an issue recently raised by Michael Toecker: should the search for a root cause of unexplained process problems include a look at possible ICS attacks?

Data Historians and Root Cause Analysis

As a process chemist in a specialty chemical manufacturing facility for many years, I have spent a great deal of time looking at various process upsets to determine the root cause so that the facility could correct those problems before subsequent batches were run. Process upsets normally lead to off-spec material being produced, a very large cost for any manufacturing facility. In many chemical facilities process upsets could lead to catastrophic consequences. So, root cause analysis is very important.

The addition of process historians to control systems made the root cause analysis task of chemical engineers and process chemists much easier. Chemical manufacturing processes are very complex and are influenced by a wide variety of factors: temperatures, pressure, heat transfer, the ratio of reactants, and even the rate at which raw materials are added to the process can play critical roles in the modern chemical manufacturing process. Detailed tracking of all of these variables (and more) and identifying which ones are most critical at various places in the process was not possible before the advent of data historians. The high productivity and quality of products made in modern chemical plants can be directly traced to the detailed use of process historians.

The ability to use data historians to track process variables and conduct root cause analysis for process upsets is closely dependent on the quality of the information being exported to these systems. This is one of the reasons that the maintenance folks in a modern chemical manufacturing facility spend so much time doing testing and calibration of sensors. But, this still assumes that what the sensor detects is accurately reported and recorded in the control system.

Compromised Control Systems

The point that Toecker was trying to make, and Dale was highlighting, was that because of the advent of Stuxnet, process people are now going to have to question whether their system had been stuxed (sounds better than ‘attacked by a Stuxnet-like malware’) if they start to see process equipment failing at unexpected frequencies and in unexpected failure modes. Since this is what happened in the much publicized Stuxnet attack, one would hope that this would be something that control systems engineers would consider when confronted with unusual equipment failures.

DEFINITION: Stux: Verb. To attack an electronic control system in such a way as to remotely change the output of one or more pieces of production equipment while making the equipment appear to be functioning properly by simultaneously spoofing the control system data.

I have been maintaining for almost a year now that this is not the real problem of Stuxnet. The deliberate destruction of process equipment is certainly possible (which even the Iranians have admitted), but it does require a significant understanding of the particular equipment and its failure modes. This means that the development of an attack on any particular facility will require detailed malware tweaking that will be time consuming and require a relatively high level of expertise. This is certainly possible and will almost as certainly be seen in the near future, but the instances will be relatively few and far between.

A much easier way to attack a modern manufacturing facility will be to randomly stux the system. This would cause random changes in the manufacturing process while hiding those changes from the process control team. Some of the changes would have no significant effect. A larger number would cause process problems that would result in increased production times or off-spec products, both very costly. A small number of situations would result in serious safety problems like chemical releases, over-pressure vessel failures, or fires.

I am much more concerned with this type of attack. Randomly stuxing a manufacturing facility would be much harder to detect in the normal process of root cause analysis. Random problems would have to occur at a really high frequency for even the most suspicious process control engineer to start to question if the facility had been stuxed. Such outside-the-box thinking would not be found at most facilities because of a standard focus on solving each problem in turn and ignoring a more holistic approach.
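The point about solving each problem in turn can be made concrete with a pooled count. The Python below is an added illustration, not code from this post or from the Digital Bond post it discusses; the upset log, unit names, baseline rate and significance threshold are all constructed assumptions. It counts upsets whose investigation closed without a cause while the historian showed normal data, then compares the per-unit and plant-wide counts against the expected baseline.

```python
"""Pooled review of unexplained process upsets (added illustration)."""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Upset:
    week: int                  # week of the review window the batch ran in
    unit: str                  # reactor or process unit
    root_cause: Optional[str]  # None = investigation closed without a cause
    historian_nominal: bool    # True = historian showed every variable in range


def poisson_tail(k: int, lam: float) -> float:
    """P(X >= k) for X ~ Poisson(lam)."""
    if k <= 0:
        return 1.0
    cdf = sum(math.exp(-lam) * lam ** i / math.factorial(i) for i in range(k))
    return max(0.0, 1.0 - cdf)


def is_candidate(u: Upset) -> bool:
    # Signature from the definition above: the process went wrong, no cause
    # was found, and the recorded control system data looked normal.
    return u.root_cause is None and u.historian_nominal


def review(upsets, units, weeks, rate_per_unit_week, alpha):
    """Compare candidate-upset counts per unit and plant-wide to baseline."""
    counts = Counter(u.unit for u in upsets if is_candidate(u))
    lam_unit = rate_per_unit_week * weeks
    unit_p = {unit: poisson_tail(counts[unit], lam_unit) for unit in units}
    plant_count = sum(counts[unit] for unit in units)
    plant_p = poisson_tail(plant_count, lam_unit * len(units))
    return {
        "unit_p": unit_p,
        "flagged_units": sorted(u for u, p in unit_p.items() if p < alpha),
        "plant_count": plant_count,
        "plant_p": plant_p,
        "plant_flagged": plant_p < alpha,
    }


# --- Constructed sample data; every value below is an assumption ---
UNITS = ["R1", "R2", "R3", "R4", "R5", "R6"]
WEEKS = 8             # length of the review window
BASELINE_RATE = 0.1   # assumed historical candidate upsets per unit per week
ALPHA = 0.01          # assumed significance threshold

_CANDIDATE_WEEKS = {"R1": (1, 6), "R2": (2, 7), "R3": (3, 5),
                    "R4": (1, 8), "R5": (4, 7), "R6": (2, 6)}
SAMPLE_LOG = [Upset(w, unit, None, True)
              for unit, wks in _CANDIDATE_WEEKS.items() for w in wks]
SAMPLE_LOG += [
    Upset(2, "R1", "fouled heat exchanger", False),  # explained, excluded
    Upset(5, "R4", "operator charge error", True),   # explained, excluded
    Upset(6, "R2", None, False),  # unexplained, but the excursion was recorded
]

if __name__ == "__main__":
    result = review(SAMPLE_LOG, UNITS, WEEKS, BASELINE_RATE, ALPHA)
    for unit, p in result["unit_p"].items():
        print(f"{unit}: p = {p:.3f}")
    print(f"plant-wide: {result['plant_count']} candidates, "
          f"p = {result['plant_p']:.4f}, flagged = {result['plant_flagged']}")
```

With this constructed log no single unit stands out (two candidate upsets against 0.8 expected), while the plant-wide total of twelve against 4.8 expected falls below the threshold and is flagged.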

Wednesday, July 13, 2011

BIS Considering Amending Concentration Limits for CWC Reporting

Today the Bureau of Industry and Security (BIS) of the Department of Commerce published two notices in the Federal Register (76 FR 41366-41370 and 41372-41373) relating to possible changes to the Chemical Weapons Convention Regulations (15 CFR Parts 713 and 716). BIS is requesting public comment on the possible impacts of changes to the mixture concentration thresholds for CWC reporting requirements.

The first notice deals with Schedule 2A (toxic precursor) chemicals under the CWC and the second notice deals with Schedule 3 (other organic chemicals of CWC concern) chemicals. The first of these notices will be of most interest to the chemical security community because DHS has used the list of Schedule 2 chemicals as one of the documents upon which it based the list of DHS Chemicals of Interest (COI), Appendix A to 6 CFR part 27.

Changes to Chemical Mixture Rules

Currently the CWCR exempts Schedule 2A chemicals in mixtures where they constitute less than 30% by volume or weight of the mixture from being counted in the determination of whether or not the facility meets the verification threshold reporting requirements for the CWCR. In many ways this determination was the model upon which DHS based their development of the CFATS Top Screen requirements.

The proposal that BIS is considering is a lowering of the concentration that would trigger the reporting requirements and making it a two tiered concentration rule. The first tier would exempt any Schedule 2A chemical “produced, processed, or consumed at one or more plants on a plant site” if its concentration in a mixture was less than 1%. The second tier would cover mixtures more than 1% but less than or equal to 10% as long as “the annual amount of the Schedule 2A chemical produced, processed, or consumed is less than the relevant verification threshold” (76 FR 41366). Not specifically mentioned in the notice is the fact that the proposal would add all mixtures containing between 10 and 30% of Schedule 2A chemicals to the list of covered mixtures.

This change would almost certainly expand the number of facilities in the US that would be covered by the international inspection requirements of the CWC. Additionally, if these changes are adopted in the CWCR, DHS might find it necessary to revisit some of the concentration requirements for these chemicals that are listed in Appendix A.

Similar types of changes would be made by the second notice for Schedule 3 chemicals. Combined, the changes in the two notices would make the US declaration requirements consistent with the international agreements adopted by the Organization for the Prohibition of Chemical Weapons (OPCW).

Congressional Action Required

It is interesting that this notice is not an advance notice of proposed rulemaking. That is because making these changes to the CWCR would require legislative changes to be made to the Chemical Weapons Convention Implementation Act (CWCIA; 22 U.S.C. 6701 et seq.). The CWCIA sets a lower concentration limit of 10%. BIS would need the impact information that it is requesting in these two notices to be able to successfully get Congress to amend that act.

CG Meetings on Cargo Security Risk Reduction

The Coast Guard published a notice in today’s Federal Register (76 FR 41278) about their scheduling of two “public listening sessions” to discuss issues related to their formulation of a CDC Security National Strategy to reduce risks associated with the transport, transfer, and storage of Certain Dangerous Cargo (CDC) in bulk within the U.S. Marine Transportation System. Development of this strategy was directed by §812 of the Coast Guard Authorization Act of 2010.

Certain Dangerous Cargo

I briefly discussed the requirements related to CDC in that legislation in a blog post last year. This new category of hazardous material was broadly described in §812(d)(1) as “anhydrous ammonia, ammonium nitrate, chlorine, liquefied natural gas, liquiefied (sic) petroleum gas, and any other substance, material, or group or class of material, in a particular amount and form that the Secretary determines by regulation poses a significant risk of creating a transportation security incident while being transported in maritime commerce”. Regulations further defining the term have not yet been published.

Agenda

Two meetings will be held, one in St. Louis, MO (8-2-11) and one in Houston, TX (8-18-11). Seating will be limited at both meetings. The notice states that you can “RSVP for the sessions” by sending an email to CDC@uscg.mil, but it is not clear that this actually reserves a seat at one or both of the meetings.

According to the notice: “The agenda for the two sessions will principally consist of a presentation and discussion of certain elements of the working draft of the CDC Security National Strategy and future strategy implementation considerations.” This will include the discussion of the following goals:

• “Provide to internal and external stakeholders realtime (sic) national, regional, and local awareness of the risk of intentional attacks on the CDC Marine Transportation System.

• “Consistently assess vulnerability to threats of intentional attacks on the CDC Marine Transportation System and mitigate the vulnerability to an acceptable level.

• “Dynamically assess the potential consequences of intentional attacks on the CDC Marine Transportation System and capably mitigate, through coordinated response, the impact of a successful attack.

• “Lead the development of national, regional, and local resiliency/recovery capability from successful attacks on the CDC Marine Transportation System.”

Public Comments

Provisions have been made for allowing participation for those who are unable to attend these public meetings. Questions and comments may be submitted by email to the address above or via the Federal eRulemaking Portal (http://www.regulations.gov/; Docket # USCG-2011-0112).

It would seem to me that, with the limited number of meetings currently scheduled, the Coast Guard should maximize public access to these discussions by making one or both of these meetings available as a webcast.

Tuesday, July 12, 2011

NTSB Meeting Notice for 7-26-11

The National Transportation Safety Board published a notice in today’s Federal Register announcing a public meeting on July 26th, 2011 at the NTSB Conference Center in Washington, DC. The meeting will review the results of their investigation of a 2009 liquefied petroleum gas (LPG) cargo tank rollover accident and fire in Indianapolis, IN.

Members of the NTSB, the Chemical Safety Board, and PHMSA have all expressed concern about the large number of hazmat cargo tank rollover accidents in the last couple of years. This meeting is about this one particular accident, but we can probably expect some comments on the wider problem during the discussion of the root cause of this accident.

The meeting will be webcast live and the webcast will be available after the meeting on the NTSB home page. The link will be found under the ‘News & Events’ heading.

Pipeline Safety Discussion Draft

Yesterday I reported that the Energy and Power Subcommittee will be looking at pipeline safety in a hearing later this week. I noted that they had a link to a discussion draft of possible proposed legislation on that topic on their web site and that I would try to review that draft before the hearing. It turns out that this was easier than I had imagined since this draft is essentially the same as the reported version of S 275 that I reviewed in some detail on Sunday.

If and when this bill actually gets introduced in the House it will effectively be a companion bill to S 275. Since this is based upon the reported version of the bill, it will be closer to the final version passed in the Senate than would be a typical companion bill that is introduced at about the same time as its counterpart in the other house.

What’s more important here, though, is that the Republican-controlled House Energy and Commerce Committee is considering sponsoring a companion bill to one sponsored by liberal Senator Lautenberg; this shows that the bill has a very good chance of passing in both houses. The Senate bill will inevitably be amended in the floor consideration and the Committee can be expected to make some revisions to their version of the bill.

The one section of the bill where there will almost certainly be differences in the two bills will be in §27, the section that provides the authorization for appropriations. We can expect that the figures in the final House version will generally be lower than in the Senate version, emblematic of the differences in fiscal policy of the two bodies. I expect that the spending issue in this bill will be easier to resolve than the larger budget matters currently consuming Congress and the Administration.

It looks like the Senate may actually take up this bill before the House, so the Energy and Commerce Committee language will almost certainly be substituted for the Senate language when S 275 comes up for floor action in the House. Differences will then be worked out in Conference. Given the bipartisan support being shown here, the conference process should not be too difficult as long as this bill doesn’t get buried by the on-going spending and borrowing battle that is going on in Congress.

Monday, July 11, 2011

Congressional Hearings – Week of 07-11-11

Two weeks in a row that both Houses are actually meeting in Washington. Will wonders never cease? There are only three hearings scheduled this week that will be of interest to the chemical security community and nothing of interest on cyber security. Only two topics will be covered in these three hearings; TSA and pipelines.

TSA Authorization

The Transportation Security Subcommittee of the House Homeland Security Committee will be meeting tomorrow to look at industry perspectives of authorizing TSA. It is very encouraging to see that not only will there be surface transportation industry representatives present for this hearing, but that they will form the first of two panels to testify. That panel will include transit, railroad, trucking, and pipeline industry representatives as well as a union rep. This should be an interesting panel to hear from.

The second panel will deal with air security issues, and I guess that those may be important too (reluctant sarcasm).

Pipeline Security

Subcommittees from two different House committees will take a look at pipeline safety this week. Thursday the Railroads, Pipelines, and Hazardous Materials Subcommittee of the Transportation and Infrastructure Committee will hold a hearing; no details are currently available.

On Friday the Energy and Power Subcommittee of the Energy and Commerce Committee will hold a hearing looking at their draft bill; “Pipeline Infrastructure and Community Protection Act of 2011”. No witness list is yet available for this hearing. Hopefully I’ll have a chance to review their draft bill before the hearing.
 