Friday, September 30, 2011

DHS to Hold Ammonium Nitrate Security Program Meetings

Thanks to a TWEET® from ADTchemical I found out that DHS had updated their Ammonium Nitrate Security Program web site. The revised page provides a list of cities in which DHS will be holding public meetings to discuss the proposed ANSP described in the notice of proposed rulemaking published last August. The dates and cities are:

• October 6, 2011; Savannah, Ga.;
• October 11, 2011; Jackson, Miss.;
• October 13, 2011; Lubbock, Texas;
• October 18, 2011; Sacramento, Calif.;
• October 20, 2011; Knoxville, Tenn.;
• October 25, 2011; Overland, Kan.;
• October 27, 2011; Oklahoma City, Okla.;
• November 3, 2011; Charleston, W.Va.;
• November 10, 2011; Washington, D.C.; and
• November 15, 2011; Denver, Colo.

The web site provides addresses for the meeting sites, but there is no contact information for further information from DHS, nor is there any mention of a registration requirement.

I would suspect that there should be a notice published in the Federal Register in the near future about these meetings since they support the public review and comment process for the establishment of this proposed rule.

EPA Publishes 2011 Methyl Bromide Exception Final Rule

Today the Environmental Protection Agency published the final rule in the Federal Register (76 FR 60736-60748) for the critical use exception for the use of methyl bromide. It provides legal authorization for the production, importation or use from the existing pre-phaseout inventory of methyl bromide for 2011. The regulation has an effective date of today, but EPA has been giving a nod-nod-wink-wink unofficial approval for this since January.

The OMB approval for this action was received a week ago. The latest delay in publishing the rule comes from the EPA having to make some last minute changes that were included in the OMB approval. The biggest delay in getting this rule published has been the EPA’s unexplained delay in getting the initial NPRM published in April of this year. This has been an annual exercise since 2005 so there does not appear to be any rational explanation for that delay.

Awaiting Action on 2012 Rule


Readers may remember that I reported earlier this month that the OMB had approved the notice of proposed rulemaking for the 2012 exemptions. That NPRM has yet to be published. That OMB approval was also ‘consistent with change’, but I suspect that the changes were probably very similar. After all, this is pretty much a cut-and-paste submission and I doubt that OMB was actually making any changes in the actual methyl bromide numbers. In fact, the only changes to the numbers in this final rule are based upon comments received on the NPRM about a typographical error in the allocation table.

In any case, any continued delays in the publication of the 2012 NPRM will certainly put the EPA in the position of having to provide users and producers of methyl bromide with ‘unofficial’ authority to proceed with its use in the 2012 season.

Methyl Bromide and CFATS


Once again, all of this points out that DHS inappropriately took the EPA at its word that methyl bromide was being phased out when it removed this toxic inhalation hazard chemical from the proposed list of DHS chemicals of interest. Furthermore, the continued exemption process just makes it that much more likely that some nut job from the fringe of the eco-activist movement will decide that an attack on a methyl bromide storage facility would be a good way to bring world-wide attention to the continued use of this ‘banned’ chemical.

Thursday, September 29, 2011

The Rules Committee to hold Hearing on HR 2608 – FY 2012 CR

The House Rules Committee web site today announced that they would be holding a hearing on Monday afternoon at 5:00 pm to prepare the rule for the consideration of HR 2608, the Continuing Appropriations Act, 2012. The rules for two other bills are also scheduled to be considered at the same time:



It looks like the Rules Committee is planning on approving a closed rule for the House debate on HR 2608. The web pages for the other two bills provide a link for instructions on how to submit amendments for floor consideration. There are no such instructions linked to the HR 2608 hearing page. Nor is there a deadline for getting amendments to the Committee for consideration during the hearing. Of course, amendments would violate the ‘DEAL’ made to get the two bills passed in the Senate and, hopefully, the House.

Confusion in the Staff


I noted in an earlier blog posting that there is a certain amount of confusion to be expected next week because the two ‘continuing appropriations’ bills passed by the Senate last week had the same title. We can see evidence of that confusion in the staff of the Rules Committee. On their page listing bills to be considered next week they list HR 2017, the (short-term) Continuing Appropriations Act, 2012, as a bill to possibly be considered under a rule. HR 2017 was passed yesterday in the ‘whole’ House. It will be HR 2608, the other (middle-term) Continuing Appropriations Act, 2012.

Procedural Problem


Because clause 6(a) of House Rule XIII requires a two-thirds vote to consider a rule on the same day it is reported from the Rules Committee, a Committee hearing on Monday means that the rule resolution and HR 2608 cannot be brought to the floor before Tuesday. Last week there was an approved House Resolution, H. Res 409, that would have allowed for same day consideration of a Rule concerning continuing appropriations for FY 2012. That rule expires tomorrow.

This is cutting things a little tight, giving the appearance that the government is once again at the brink of a shutdown. The House Republican leadership obviously thinks that they have the votes to pass this bill (probably with substantial Democratic support to offset the inevitable Republicans that won’t be satisfied with the spending cuts). They are almost certainly correct, but short deadlines give people bargaining positions that they wouldn’t normally have.

This could easily have been avoided by having the House Rules Committee meet today, since the House wasn’t formally out of session. The House could have then considered the rule resolution any time on Monday, easing the appearance of a last minute move to avoid a shutdown.

Oh, that’s right; that would not be practical. It would have deprived too many people of their political theater; the casting of stones at political appointments for their temerity in providing for the potential shutdown of the Federal government. Oh, my!

By the Way


Oh, did I mention that the House passed HR 2017? They did; the entire session of the House today lasted a grand total of 6 minutes 11 seconds according to the Clerk of the House web site. And that included a prayer and the recitation of the Pledge of Allegiance. The actual consideration of HR 2017 took a total of 24 seconds. Only two representatives were named as being present; Rep. Harris (R,MD) who was appointed Speaker Pro Tempore for today; and Rep. Culberson (R,TX) who managed the ‘debate’ on HR 2017; so many owe so much to so few....

FEMA SAR Privacy Exemption NPRM

Yesterday I wrote about a new Privacy Act system of records being established by the Federal Emergency Management Administration (FEMA) to support that agency’s implementation of the Department of Homeland Security’s ‘See Something Say Something’ program. Today, FEMA published in the Federal Register (76 FR 60387-60388) the notice of proposed rulemaking (NPRM) that I mentioned in that posting proposing the standard law enforcement Privacy Act exemptions for disclosure of personal information be applied to this new system of records.

Generally, the Privacy Act provides that if a Federal government agency is keeping personal information on an individual, that agency has a responsibility for notifying the individual of that record keeping, allowing the individual access to the information in those records, and providing a method for the individual to correct any incorrect information in that record.

The Privacy Act provides guidance on when those rules may legitimately be ignored by Federal agencies upon notice of proposed rulemaking. One of the typical examples is for records maintained for law enforcement or national security related investigations. Obviously, law enforcement and intelligence type agencies cannot be forced to disclose information obtained in the process of an investigation while that investigation is on-going; that would allow subjects of investigation to better hide their illegal activities.

This NPRM is proposing that the FEMA Suspicious Activity Reporting system of records be exempted from four specific requirements related to the processing of requests for information under the Privacy Act. Those exemptions would be applied on a case-by-case basis when such requests are received by FEMA. Those exemptions cover:

• Accounting for disclosure of information to other Federal, State and local investigational agencies;

• Allowing individuals access to personal information being held about them in the system of records;

• Justifying the relevancy and necessity of the information being held in the system of records; and

• Maintaining rules and procedures for allowing access to the information being exempted.

As with all NPRMs, public comments are being solicited. Comments may be posted to the Federal eRulemaking Portal (www.regulations.gov; Docket Number: DHS-2011-0091) and need to be submitted by October 31, 2011.

HR 2017 to be Considered in the House

Today the House Rules Committee web site was updated to announce that HR 2017, the Continuing Appropriations Act, 2012, is “likely to be considered pursuant to a unanimous consent request” this week. With tomorrow the only remaining day that the House is supposed to meet this week, one would have to conclude that this consideration will take place in that almost pro forma session. It would have been completely pro forma if the Senate had just gone along and passed HR 2608.

Don’t shed any tears for your Representative having to cut their one week working vacation short by a couple of days. I would be surprised if very many of them show up for the consideration of HR 2017. As long as no one officially recognizes that a quorum is not present and no one asks for a vote, this bill will be passed by just a handful of congresscritters.

It will start with an important member asking for unanimous consent and that will start the political ballet that will end with the words, “In the opinion of the Chair, the Ayes have it.” Then everyone will go home for a long weekend and worry about passing HR 2608 on Monday or Tuesday.

Oh yes. Everyone will hold their breaths during that ballet. You see, a single political bomb thrower (‘political bombs’ are always more of a problem than mere explosives) can derail the whole process by muttering the words “I object” or noticing that a quorum is not present. Either will stop the proceedings and we’ll be exposed to the spectacle of most of the 435 representatives scrambling to get a flight in to Washington D.C. that would allow them to vote on Friday. That circus might almost be worth the price of admission.

Wednesday, September 28, 2011

ICS-CERT Issues Alert on a New Luigi Vulnerability

This afternoon the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) issued an alert for multiple vulnerabilities in the PcVue HMI-SCADA product. The vulnerabilities include:

• Control of a function pointer – DOS and possible remote code execution;
• Arbitrary memory write – Potential to write memory;
• Directory Traversal – Possible file corruption; and
• Array Overflow – DOS and possible remote code execution

All of the vulnerabilities are reportedly remotely executable and there appears to be exploit code publicly available. ICS-CERT doesn’t say this in their Alert, but this is another Luigi uncoordinated disclosure on Bugtraq.

Hazmat Fire Points to Possible Security Issues

An interesting article from NBCChicago.com points out a limitation of the current list of chemicals used to trigger CFATS compliance: even relatively low risk chemicals can cause security issues.

The Article


The brief article describes a recent fire in a storage tank at a Rhodia plant in Dixmoor, IL. The storage tank contained sulfur (not a COI under CFATS) and the fire produced sulfur dioxide (among other things, of course). Sulfur dioxide is toxic and evacuations around the plant were ordered. There were no injuries reported in the article and the cause of the fire “remains under investigation”, but no one is apparently mentioning the ‘T’ word even in dismissing the possibility.

CFATS Implications?


Now sulfur dioxide (anhydrous) is a CFATS COI, both as a release – toxic (5,000 lbs) and a theft/diversion – WME (500 lbs) chemical. The fire may have produced amounts in excess of both quantities, but no one in their right mind would expect Rhodia to have to report this on a Top Screen for this facility. At the very least they would reasonably argue that they did not have an ‘inventory’ of this material or that the material was never really on-site; it was in a dissipating smoke cloud with concentrations below the minimum reporting requirements (1% and 84% respectively).

The potential issue is that there are a number of processes like fire that can happen at a chemical facility that would produce COI. Many of these processes could be manipulated by a terrorist attack (or, more likely, a disgruntled employee attack) and result in the same type of damage that would be expected from an attack on a facility with similar amounts of the COI in storage.

Does this mean that all of these potential processes require action under CFATS? Absolutely not. While DHS has included a class of ‘Sabotage’ COI; that class is very restricted in the chemicals it applies to; generally only chemicals that produce toxic gasses upon the addition of water.

Should these processes be regulated under CFATS? Almost certainly not; though please note that there is a significant semantic difference between ‘absolutely not’ and ‘almost certainly not’. First off, trying to write a rule that would reasonably limit the inclusion to the most dangerous chemicals or define the ‘processes’ in a reasonable manner would be extremely difficult and subject to lots of legitimate complaints about overreaching regulations.

Besides which, managing the list of COI for chemicals that would be potentially affected by this rule would be ridiculous. Just listing the chemicals that could produce sulfur dioxide in the event of a fire would be exhausting.

Look at Potential Consequences


Having said that, this incident in Illinois points out that there are potential consequences that could create a security issue. At the very least there ought to be some mechanism that identifies the facilities that would produce the worst effects when one of these processes is triggered, either accidentally or deliberately.

I’m not sure how you would reasonably do it, but because of this news report about this incident, the topic becomes something that facilities that store sulfur at the very least must consider. There is no telling what wackos read the news.

FEMA SAR Privacy Act Notice

Today, the Federal Emergency Management Agency (FEMA) published a notice in the Federal Register (76 FR 60067-60070) that they were establishing a new system of records covered under provisions of the Privacy Act of 1974; the DHS/FEMA – 012 Suspicious Activity Reporting System of Records. In general this system of records would allow FEMA to implement a formal system to support the Department’s ‘See Something Say Something’ program.

This FEMA SARs program would be operated by the Office of the Chief Security Officer’s Fraud and Investigations Unit. Suspicious activity reports received by FEMA elements would be forwarded to this office for analysis. Reports determined to have a ‘nexus to terrorism or hazards to homeland security’ would be shared with the FBI Joint Terrorism Task Force, Federal Protective Service or other appropriate federal agency with the responsibility to investigate and respond to terrorist threats.

In addition FEMA will be publishing a notice of proposed rulemaking (these NPRMs are normally in the same issue of the Federal Register, but I don’t see it today) providing this new system of records with the standard law enforcement exemption from certain disclosure provisions of the Privacy Act.

While certain elements that see FEMA black helicopters supporting the new world order will be alarmed about this notice, this is a standard bureaucratic notice supporting a minor program of a small office within FEMA. Every DHS agency that doesn’t have existing law enforcement systems of records will eventually get around to issuing similar notices. This will almost certainly include the CFATS program at ISCD.

Public comments are being solicited on this notice. They may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2011-0090). They need to be submitted by October 27th, 2011.

Tuesday, September 27, 2011

Senate Passes HR 2017

Reading the Daily Digest of the Congressional Record this morning it looks like the Senate passed the DHS Spending bill, HR 2017 with the amendment that I discussed in an earlier blog. Actually Sen. Reid (D,NV) used HR 2017 as the vehicle for a very short term continuing resolution to give the House time to consider the revision for HR 2608 that was also passed last night.

Short and Very Short CR


There is only one difference between the two bills that I can see at first glance. That is in §106(3) the end date for the CR is October 4th, 2011 for HR 2017 and November 18th, 2011 for HR 2608. The October 4th (a week from today) date is the deadline for the House to pass HR 2608. The November 18th date is the deadline for Congress to pass the regular spending bills for FY2012.

For the chemical security community, §129 of both bills provides for the extension of the §550 authority for the CFATS program to the date specified in that §106(3) discussed above. It’s interesting that this was included in HR 2017 since that authority already had an expiration date of October 4th, 2011. This is really just a measure of how automatic the extension of CFATS has become; the staffers that drafted Senate Amendment 666 (conspiracy nuts and ‘end of days’ nuts note that number) did not realize that this was not necessary; they just automatically included it.

Oh, just to make things really confusing there is one more identicallity (that may be a made up word); both bills will be known as the ‘Continuing Appropriations Act, 2012’.

No DHS Appropriations Bill


One final point: HR 2017 was used by Sen. Reid as the ‘vehicle’ for the short term spending extension because a House passed bill was needed. The Constitution requires spending bills to originate in the House. Of course, it could have been any House passed bill; it did not need to be a spending bill, just look at HR 2608.

This does create an interesting problem. There is now no DHS spending bill for the Senate to take up and pass. There are two options. First the House could pass another spending bill (oh wouldn’t that be fun), or the Senate could take another House passed bill and tack their version of HR 2017 passed in Committee onto that bill. This could be done either as an amendment (to another spending bill for example) or as an amendment in the form of a substitute (effectively killing the original House passed bill). It will be interesting to see how this is handled.

PHMSA Sends Two Pipeline Safety Rules to OMB

Yesterday the OMB web site announced that the Pipeline and Hazardous Materials Safety Administration submitted two rules for OMB review. The first is a notice of proposed rulemaking (NPRM) providing for PHMSA enforcement of State anti-excavation laws. The second is an advance notice of proposed rulemaking (ANPRM) to require the installation of excess flow valves (EFV) on gas service lines in structures other than single family residences.

State Anti-Excavation Laws


According to the abstract for this NPRM published on the RegInfo.gov web site:

“The PIPES Act provides PHMSA with the authority to enforce excavation damage laws in those states that have inadequate enforcement. This rulemaking would consider standards for excavators and operators to follow when conducting excavation in a vicinity of a pipeline and the administrative procedures to be used for enforcement proceedings.”

The ANPRM for this rule was published in October 2009.

Excess Flow Valves


According to the abstract for this ANPRM published on the RegInfo.gov web site:

“This rulemaking would require excess flow valves (EFVs) be installed in all new and renewed gas service lines, for structures other than single family dwellings, when the operating conditions are compatible with readily available valves. These changes would be in response to NTSB and PHMSA investigations of current EFV installation practices. The intended effect of the rule is to increase the level of safety for structures other than single family dwellings currently subject to Federal pipeline safety regulation.”

Sunday, September 25, 2011

HR 2608 Update – Continuing Resolution

HR 2608, the Continuing Appropriations Act, 2012, will continue to be considered in the Senate on Monday. Popular news reports on Friday that the Senate voted down the bill were not technically correct.

The Senate on Record


In an interesting parliamentary move, Sen. Reid (D,NV) allowed the Democrats to have a symbolic vote against the House approved version of the short term continuing resolution. The actual vote was on a motion to table a proposed amendment to the House version of the bill. The amendment was proposed by Sen. Reid and it made a minor technical change to the House language. So a vote in favor of the motion to table was politically, but not technically, a vote against HR 2608 as amended by the House.

The final tally was 59-36 (page S5922). This vote allowed Democrats (and a number of Republicans) to voice their displeasure with the House version without actually killing further consideration of the bill.

Next Move


Having established, for the record, that the Senate does not agree with the House, the Senate will next consider an amendment in the nature of a substitute to HR 2608 that was proposed by Sen. Reid. The language in Senate Amendment 656 (pages S5954-6) is essentially the same as HR 2608 except that it removes mention of the two ‘rescissions’ that House Republicans put in to off-set the increased FEMA emergency spending in the bill.

NOTE: SA 656 does include the same §130 extension of the CFATS authorization until November 18th that was found in the House version of the bill.

Debate will resume on the amendment to HR 2608 on Monday at 4:30 pm (EDT) with a vote on a cloture motion to begin at 5:30 pm and it could be a lengthy vote. Additional amendments to the bill may be subsequently considered. There is a 5:00 pm Monday filing deadline for such ‘secondary’ amendments.

If/when the Senate passes an amended version of HR 2608 it will have to go back to the House for approval. The House is currently scheduled for essentially pro forma sessions on Monday and Friday (though there are some tentatively scheduled Committee hearings), but that schedule could be changed relatively quickly.

For the vast majority of governmental operations Congress has until midnight Friday to complete work on this bill to avoid a possible shutdown. FEMA may (probably will) run out of money sooner because of the numerous and large-scale flooding events this year.

Saturday, September 24, 2011

S 1596 Would Increase PHMSA Funding

On Wednesday Sen. Murray (D, WA), Chairman of the Subcommittee on Transportation, Housing and Urban Development of the Senate Appropriations Committee introduced S 1596, the Senate bill that would provide FY 2012 funding for the Department of Transportation (DOT), the Department of Housing and Urban Development and related agencies. Title I of the bill is the Department of Transportation Appropriations Act, 2012.

PHMSA Funding


The bill would provide the following funding for programs of the Pipeline and Hazardous Material Safety Administration (PHMSA):

• Operational Expenses - $22,158,000
• Hazardous Material Safety - $41,520,000
• Pipeline Safety - $118,364,000

Each of these amounts is greater than the amount provided in the FY2011 budget, and the two safety accounts are less than the amount requested by the President. The Operational Expenses account funding is the same amount as requested by the Administration. One would presume that the as yet un-introduced House version of this spending bill would not increase this funding.

Pipeline Design Reviews


Section 180 of the bill would amend 49 U.S.C. 60117 to allow the DOT Secretary to “prescribe a fee structure and assessment methodology that is based on the costs of providing these reviews and shall prescribe procedures to collect fees under this section” {§60117(n)(1)}. Language in the Senate Report filed by the Appropriations Committee notes that “the Committee directs PHMSA to implement the fee within the parameters of section 18 of S. 275, The Pipeline Transportation Safety Improvement Act of 2011 as reported by the Senate Committee on Commerce, Science and Transportation on July 7, 2011” (pg 90).

Moving Forward


Since all spending bills must originate in the House, this bill will not actually be considered in the Senate. When the House passes their appropriations bill (the DOT/HUD bill is the only spending bill not yet introduced in the House), the language in this bill will be substituted for the House language when the House bill is considered by the Senate. A conference committee would then work out the differences between the two versions of the bill.

That presumes, of course, that a DOT/HUD appropriations bill is passed as a stand-alone measure. The current delays in the appropriation process make it likely that there will be an omnibus bill that would include funding for DOT.

Friday, September 23, 2011

Sunway Force Control Alert

This morning the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an alert for multiple vulnerabilities in Sunway Force Control Version 6.1. They note that there is exploit code publicly available for these vulnerabilities. According to the alert the vulnerabilities include:

• Stack overflows;
• Directory traversal and arbitrary file reading; and
• Various denial of service vulnerabilities

ICS-CERT is coordinating with the Chinese based Sunway and will provide additional information when it becomes available.

HR 2608 Passes on Second Try - FY2012 CR

Last night the House passed an amended version of HR 2608 that included the continuing resolution previously voted down by the house with one relatively minor change that should not directly impact the chemical security or cyber security communities; unless, of course, your company plans to get a DOE Title 17- Innovative Technology Loan Guarantee in FY 2012.

You remember HR 2608; it failed on Wednesday night on a bipartisan rejection of the continuing resolution. That version was further amended by adding a rescission of $1 Million of ‘unobligated funds’ from that DOE program. The revised bill passed 219-203.

The bill does include an extension of the §550 authorization for the CFATS program until November 18th {§130}.

Thursday, September 22, 2011

Lone-Wolf Attacks

There is an interesting article over at Stratfor.com about lone wolf terrorists. The author, Scott Stewart, does a very good job of looking at the historical context of lone wolf attacks in this country and the reasons for the recent rise in calls for lone-wolf attacks from leaders of a number of different types of terrorist organizations.

Pros and Cons of Isolation


He makes two important and conflicting points about the potential for these types of attacks. The main reason that these types of attacks have been getting so much attention from the security politicians and the mainstream press is that they are inherently more difficult to detect prior to the attack taking place. Since there is no group to infiltrate or communications to intercept, the law enforcement and intelligence communities have to work much harder to detect this threat in order to pre-empt an attack.

The second point is that the individual with no or very little contact with a terrorist training and motivational group is going to find it very difficult to plan and execute a successful attack. Even the basic needs for target selection and surveillance require a modicum of training. There is some basic training on these techniques available anonymously over the internet, but the effectiveness is questionable. More advanced techniques like explosives manufacturing or IED preparation absolutely require hands-on supervised training or you have a very high loss rate for newbie attackers.

Insider Attacks


The one area that Scott failed to address in his article is the problem of insider attacks by lone wolves. Again the lone wolf has an advantage in this situation: lacking membership in an infiltratable organization or participation at an observable training camp, it is difficult for background checks to pick up these individuals. Even when individuals espouse radical causes, as we saw in the Hasan case, there is a tendency to avoid believing that these individuals are actually a threat.

Again, the lack of training in target selection and planning, and the long time that it takes to work into a place in the organization where the most damage can be done, limits the potential effectiveness of these attackers. However, where relatively simple attacks (gun fire, for example) can have a large secondary effect (certainly possible at many types of chemical storage facilities), this drawback is much less of a hindrance to conducting a successful attack.

The biggest problem for facilities trying to detect and prevent insider attacks is establishing the internal procedures to identify individuals that are potential threats. Excessive care is required to ensure that a simple politically-incorrect comment is not made the basis for deciding that an individual is a possible lone-wolf attacker.

It is typically much more effective to set up procedures that limit the ability of any one individual to have the unrestricted or unaccompanied access to critical systems and areas that would be necessary for executing a successful lone-wolf attack. Preventing anyone from bringing weapons on site is easier to justify than limiting freedom of expression. Procedures limiting access to critical systems and strict implementation of management of change rules for control systems are easier to effect than evaluating political and psychological stability.

Mitigation More Cost Effective


Scott also made the point in his article that the number of incidents of insider attacks has been very small, even if you count the relatively ineffective attacks. This means that the risk for any particular facility or organization experiencing such an attack, lacking a major change in the threat picture, is relatively low.

The low risk of attack makes it harder to justify the cost and inconvenience of really extensive security systems. Since it is practically impossible to absolutely prevent all determined, trained and supported attacks, particularly insider lone-wolf attacks, some cost-benefit tradeoffs will have to be made by all facilities.

One thing that can be done to reduce the need for security processes to prevent an attack is to reduce the potential consequences of a successful attack. While much recent discussion has been centered on pros and cons of inherently safer technology and replacing very hazardous chemicals with less hazardous alternatives (certainly effective mitigation measures if possible), other mitigation techniques may also be used to reduce the effects of such attacks, particularly for release chemicals of interest. Such measures could include:

• Fire suppression systems;
• Additional containment systems;
• Neutralization systems; and
• Chemical knock-down systems.

What’s more important is that in many cases these same mitigation techniques make the facilities safer to work in and make them less susceptible to the negative effects of accidental or weather-related releases, in addition to protecting against the effects of deliberate attacks. Either would make it easier to justify the cost of the mitigation measure and potentially reduce the need for protective security measures.

HR 2937 Amended and Passed in Committee – Pipeline Safety

The House Energy and Commerce Committee took up HR 2937, Pipeline Infrastructure and Community Protection Act of 2011, as the first of three bills considered in their mark-up hearing yesterday. The Committee passed the amended language (that I briefly reported on yesterday) introduced by Chairman Upton (R,MI) by a voice vote and ordered the bill reported favorably by a vote of 55-0, a vote anyone would consider bipartisan.

If/when this comes to the floor of the House this bill will almost certainly pass by a substantial bipartisan majority. A bill with similar language (S 275) is working its way through the Senate. Some sort of pipeline safety bill will almost certainly pass this session.

Explanation of OOPS

Last night I made one of those errors of reporting that strike humans every once in a while: I didn’t fully understand what I was reporting about. I briefly amended that post explaining the mistake, but I didn’t go into much in the way of explanation.

HR 2608


On Tuesday evening the House Rules Committee met to write the rule for the floor consideration of HR 2608, the Small Business Program Extension and Reform Act of 2011, that had been amended and then passed in the Senate. There was nothing in the original bill nor the Senate version that would normally attract my attention in the way of chemical or cyber security measures, so I didn’t closely follow those proceedings (you can’t watch everything).

Between the time that the Rules Committee approved the rule for HJ Res 79 last week and the time of their HR 2608 hearings someone apparently discovered an issue with the wording of HJ Res 79. For various parliamentary reasons the appropriate changes could not easily be made to HJ Res 79 so an amendment in the form of a substitute was crafted for HR 2608 that would generally duplicate HJ Res 79 but correct those issues.

The explanation accompanying that amendment noted that the differences between this amendment and HJ Res 79 included: “clarifies that the across-the-board cut should be applied to the amounts provided for discretionary advance appropriations, rather than to the “rate for operations” for advance appropriations to ensure that the Office of Management and Budget apportions the advance appropriations consistent with program requirements”. Legislatively this was a fairly minor issue, but for some agencies it could have meant serious, unintended budget cuts.

The Mistake


I missed all of this in my normal course of reviews of what goes on in that distant city of Washington. I did note in my original post that there was a news report about a vote on the CR, but there was no mention of a bill number in that report. That report raised a flag that did make me pause in making my post. I did check the House Clerk’s web site and the Thomas Library of Congress web site for information to verify the information that I reported, but I failed to check the House Rules Committee site.

I discovered my error when I looked at the Majority Leader’s web site for an advance look at today’s program in the House. Unfortunately, by that time I had already made my post about the death of HJ Res 79.

I briefly considered removing that post, but once something is put on the web it can’t really be removed. So I added a brief prefatory note to the post and left it at that.

Again, I’m sorry for the mistake and any possible confusion. I hope that this explanation sheds a little more light on how Congress works. That is one of the secondary purposes of this blog.

Wednesday, September 21, 2011

Another Luigi Vulnerability Falls

Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an Advisory on a stack overflow vulnerability in the AzeoTech DAQFactory SCADA/HMI Product. This is the third Luigi vulnerability identified earlier this month that has had follow-up action published by ICS-CERT. AzeoTech responded by publishing an updated version of the software.

The vulnerability would allow an attacker with minimal skills to execute a denial of service attack on the system by sending a specially crafted message to an undocumented port on the system. A more experienced attacker could probably execute arbitrary code. Both types of attacks could be executed remotely.

HJ Res 79 Dies Without Action

OOPS - HR 2686 was amended to be a new version of the continuing resolution so the stuff written below is more or less crap. Sorry about that... (09-21-11 23:15)

Apparently the Republican leadership in the House decided that there weren’t enough votes to pass the FY 2012 continuing resolution they drafted last week, so it was killed today without action; ‘placed on the table’ in legislative speak. Actually it was killed yesterday when the House Rules Committee adopted H Res 405, the rule for the consideration of HR 2608, the Small Business Program Extension and Reform Act of 2011.

Section 2 of H Res 405 states that “House Resolution 399 is laid on the table.” Readers will remember that I wrote last week that H Res 399 was the rule that would allow for the consideration of HJ Res 79. Killing the rule effectively kills the bill without forcing a vote that might embarrass people. Hiding the move to kill a rule in another rule just provides additional cover.

Interestingly TheHill.com web site is reporting that “House stunned Republican leaders Wednesday by rejecting a temporary spending bill allowing the government to operate through November 18” by a vote of 195-230. While the official Congressional Record won’t be published until tomorrow morning, the web site for the Clerk of the House reports that the only vote with that tally this evening was taken on HR 2608 not HJ Res 79. HR 2608 provides for a temporary extension of “programs under the Small Business Act and the Small Business Investment Act of 1958”, not the government.

Updated Information on HR 2937 Markup

Last night the Energy and Commerce Committee updated their web page on the markup hearing that is being conducted for HR 2937, the Pipeline Infrastructure and Community Protection Act of 2011. Yesterday opening statements were made and this morning the actual work of marking up this bill (along with two other bills, both dealing with EPA matters) will begin. As one would expect the updated page provides copies of the opening statements from the Committee and Subcommittee chairs. There is also a link to an ‘amendment in the nature of a substitute’ for the bill along with a link to a memo explaining that substitute.

No major changes that I can see in a quick review of the substitute, just lots of clarifications and a bunch of extra studies to be conducted by PHMSA and DOT. The ‘odd’ study is found in a new §31 and it requires a report on “the number of minority-business enterprises, woman-business enterprises, and disadvantaged-business enterprises that have been granted permits to build or operate pipeline facilities” {§31(1)}. While most people would agree that small businesses by a wide range of owners are to be encouraged, it would also be interesting for someone to do a study on how many of these types of ‘set-aside’ businesses are really just fronts for non-targeted owners.

Tuesday, September 20, 2011

ICS-CERT Issues First Advisory for Recent Luigi Vulnerabilities

Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published their first Advisory for one of last week’s Luigi vulnerability disclosures; this deals with the multiple vulnerabilities reported in Measuresoft ScadaPro Server. Measuresoft has produced a new version of their software that corrects these three vulnerabilities by disabling the identified port common to these vulnerabilities.

Vulnerabilities


There is a little more information available in this advisory about the three vulnerabilities in this system. Those three vulnerabilities, all remotely exploitable, are:

• Path Traversal – could lead to information leaks/disclosure;

• Insecure Method Call - could lead to information leaks/disclosure; and

• Stack Overflow – could result in DoS, possible remote execution of code.

The first two vulnerabilities require little skill to exploit (especially with exploit code already available) as would a denial of service attack using the third. Remote code execution would take much more skill.

No Attribution


Not only does ICS-CERT not provide attribution for the discovery of these vulnerabilities, but they go so far as to stomp their feet and cry about the lack of coordination from Luigi. Okay, that description is a bit over the top, but it does seem to be more than a bit childish. Here is what ICS-CERT published in this Advisory about the disclosure process:

“Attribution for the discovery of these vulnerabilities is not provided in this advisory because no prior coordination occurred with the vendor, ICS-CERT, or other coordinating body. ICS-CERT encourages researchers to coordinate vulnerability details before public release. The public release of vulnerability details prior to the development of proper mitigations may put industrial control systems (ICSs) and the public at avoidable risk.”

Granted, the way that Luigi communicated these vulnerabilities creates an excessive level of potential risk, but effectively dissing him because he doesn’t share the same opinion about coordinated disclosure is very short-sighted. This is especially true since the security research community read the Bugtraq release the same as ICS-CERT did and knows full well who discovered these vulnerabilities.

Besides, the quick response from Measuresoft and the earlier response from Rockwell were motivated in at least some measure by the fact that these vulnerabilities were publicly disclosed. On the other hand, Siemens doesn’t seem to respond well to either coordinated or uncoordinated disclosures, so public disclosure is not the whole answer either.

System Distribution


There is one final issue raised, in passing, in this Advisory. In the ‘Background’ section of the Advisory ICS-CERT notes:

“According to Measuresoft, ScadaPro is sold in multiple countries by various third-party distributors, making total deployment difficult to quantify.”

If it is hard for Measuresoft to quantify its total deployment, it will also be difficult for them to contact the users/owners of the vulnerable software to warn them about the vulnerability and the mitigation. Anyone that believes that each of the owners of this (and all of the other SCADA systems deployed worldwide) reads the ICS-CERT web site, or this blog, or the blogs of the major reviewers of control system security issues is in for a rude awakening. I would suspect that a significant majority of the systems will never get the word about these vulnerabilities.

These are relatively minor vulnerabilities by all comments that I have been hearing. But they are a definite warning about the general problem that the control system community is going to be facing in the future. And part of that problem, a part that hasn’t been addressed as of yet, is how we communicate the vulnerabilities and their mitigations to the users instead of just each other.

HR 908 Report Published

While yesterday was a pro forma session for the House it did allow for some housekeeping measures to be completed. One of those was the publication of the Energy and Commerce Committee Report on HR 908, the Full Implementation of the Chemical Facility Anti-Terrorism Standards Act, House Report 112-211.

Minority Views


There is very little new information in this report, as one would expect from a document that is supposed to reflect committee action on the bill in question. Probably the most interesting portion of the report is the ‘Minority Views’ portion at the end of the report. Surprisingly there is no mention of the topic of mandating inherently safer technology or even encouraging the replacement of dangerous chemicals with safer alternatives at high risk chemical facilities.

This section of the report does address the concern about the exemption of a number of classes of facilities from coverage under the CFATS regulations continued in this revision. The most obvious case, water treatment facilities, is mentioned but not in as much detail as the minority staff discussion of the exemption for NRC covered facilities or even federally owned facilities.

Another complaint that is addressed publicly for the first time in this report is the concern that the §550 authorization allows the Secretary to approve site security plans that do not meet the standards set forth in the Risk-Based Performance Standards published by the Department. This is based on the permissive language that states that the Secretary “may disapprove” instead of directed language like “will disapprove”.

The remainder of the minority concerns covered in this section are fairly standard objections that the Democrats have had with the existing program. They include worker protections against discrimination in the application of the background checks, whistleblower protections, concerns about the sharing of security information with the public and concerns about the lack of public and worker participation in security planning.

All in all the “Minority Views” section of this report is well worth reading, especially for supporters of the current program. Addressing some of these concerns might make it easier to pass this legislation in both the House and Senate.

Canexus Says STB Mediation Failed

The Surface Transportation Board yesterday published an Expedited Consideration Request filed by Canexus Chemicals in their TIH rate dispute with BNSF Railway and UP. As I reported in June, Canexus had accepted mediation in their dispute, but they now report that the mediation effort has not produced any results in resolving the disagreements over the terms of TIH shipments.

Canexus vs BNSF-UP is just one of the disputes currently before the STB asking for a resolution of the inherent conflicts between shippers and carriers when it comes to the shipment of toxic inhalation chemicals via rail. In general, the STB has come down on the side of shippers, requiring railroads to perform their common carrier obligation to ship properly presented shipments.

The case of Canexus vs BNSF-UP is a bit more complicated in that two railroads are involved and it is as much a dispute between them as to which will be forced to provide service over the longest distance for the chlorine shipments from Canexus. At stake is the liability for potential releases en route and possibly the cost of installing and maintaining a PTC system on portions of lines between the various transfer points.

As I pointed out in my June blog on this topic, the STB may be able to narrowly resolve these individual issues (and this will be one of the more complicated ones that they have been called upon to resolve), but real resolution of the more general issues will have to come from legislation and regulation.

Rail Line Relocation Grants

Today the Federal Railroad Administration (FRA) published a notice in the Federal Register (76 FR 58334-58341) outlining “the application requirements and procedures for obtaining funding for eligible rail line relocation and improvement projects” (76 FR 58334). Only States, political subdivisions of States, and the District of Columbia are eligible for grants under this program.

Eligible Projects


The notice makes clear that the construction projects that are eligible for funding include those “carried out for the purpose of mitigating the adverse effects of rail traffic on safety [emphasis added], motor vehicle traffic flow, community quality of life, or economic development” (76 FR 58335). Projects that relocate rail lines are also eligible for funding without meeting the requirement for mitigating the adverse effects of rail traffic.

TIH Rerouting


I have long maintained that, in many cases, the only way to ensure that railroads will be able to economically route TIH chemical shipments around urban areas is to change the historic location of rail yards where TIH switching activities are often accomplished from those urban centers to less populated areas. Rerouting of TIH shipments out of urban areas is clearly a safety improvement activity.

There is nothing in the grant funding notice that specifically states that TIH rerouting activities will receive any special consideration in determining which projects are funded under this program. It would seem logical (I know, no one has ever accused the Federal government of operating on a logical basis), however, to assume that an otherwise eligible project that also resulted in TIH rerouting around an urban area would receive favorable consideration.

Application Deadline


Applications need to be submitted through Grants.gov by October 19th, 2011. The FRA notes that first time applicants via Grants.gov need to register with that site before they can submit an application and that the registration process can take several weeks to complete. Thus, beginning the registration process early is recommended.

Monday, September 19, 2011

HR 2219 – Senate Language Changes – DOD Appropriations

Well, I finally had a chance to review the Senate substitute language for HR 2219, the Department of Defense Appropriations Act, 2012. While there are wholesale changes in the Senate language, they have no appreciable effect on the cyber security provisions of the bill because there were no such provisions in the House language and there are none in the Senate language. Cyber security still remains a minuscule part of the DOD budget.

The cyber security provisions from the House Report on the bill that I discussed in an earlier blog will still apply to DOD, almost regardless of what happens on the Senate floor or in Conference. The various reports to Congress will still have to be made unless DOD wants to incur the wrath of an Appropriations Committee scorned. Fortunately for DOD there are no additional cyber security reports required in the Senate Report on this bill.

We'll see what happens when this comes to the Senate Floor.

ICS-CERT Updates Rockwell RSLogix Alert

Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an updated version of the Alert published last week for the Rockwell RSLogix overflow vulnerability. The update provides additional information about the systems affected and interim mitigation measures to be taken pending the publication of a patch within the next two weeks.

Rockwell notes that their RSLogix 5000 supports “Allen-Bradley ControlLogix and GuardLogix family of programmable controllers” (pg 2). They recommend that operators configure firewalls to block a number of specific TCP ports beyond the one identified in the original alert. Additionally, they have published two separate security advisories about the matter at and at.

Rockwell is to be commended for their quick response and their willingness to identify additional TCP ports that are presumably vulnerable to similar types of attacks. Hopefully, they have communicated this information directly to their customers and other vendors that use their RSLogix 5000 in OEM applications.

HR 2937 Published – Pipeline Safety

In my earlier blog on upcoming hearings I noted that the GPO had not yet published the official version of HR 2937. The bill is now available. A quick review of the official version of the bill shows that it is essentially the same as the marked-up version from the earlier subcommittee hearing.

One change that I had not noted in my earlier post on the subcommittee markup is the frequent wording change from ‘pipeline’ to ‘pipeline facility’. Since this change is not made everywhere in the bill, it would seem that this was done to expand the coverage of the regulation from just the physical pipeline to include supporting infrastructure. It will take several hundred lawyers, and years of lawsuits, to determine the effective meaning of this change.

ICS-CERT Publishes September Monthly Monitor

On Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published the September edition of their Control System Monitor. Articles in this issue included reports on the latest spear-phishing campaign, hurricane response, and an update on the cross-vendor working group.

Spear Phishing Campaign


The newsletter reports on what appeared to be a focused campaign of spear phishing attacks on the energy, nuclear and government sectors. ICS-CERT reports that their analysis showed that this campaign appeared to be targeting control systems engineers. The article notes that ICS-CERT issued two alerts on this campaign in July.

The last bit of information will be news to most readers of this blog, as I certainly didn’t report on those alerts. The reason is that they were published on the US-CERT Control Systems Center secure portal. ICS-CERT explains that limited dissemination by stating that:

“While ICS-CERT strives to make as much information publicly available as possible, the indicators in these Alerts are considered sensitive and cannot be disseminated through public or unsecure channels.”

These alerts would be essentially counter-intelligence reports, and there is always a fine line that has to be drawn about releasing such information. Too wide a release will alert the adversary about the means used to detect their attack, which would allow the refinement of the attack. Too little release would leave the targeted organizations unaware of the potential threat. It is easy to criticize such decisions in hindsight and without responsibility for protecting the information.

Having said that, I would think that it would have been helpful for ICS-CERT to have published a limited information alert on their open access web page with a note for the potentially affected industries to get more information from the secure portal. That is, after all, what this article in the Monthly Monitor is doing. A more timely alert on the same lines may have protected more systems from potential attack or identified successful attacks earlier. At the very least it would have ensured that bloggers, like me, would have addressed the issue, spreading the word to a wider audience.

Interestingly it appears that this campaign may have been the reason that the previous issue of the Monthly Monitor included an article on the topic of spear phishing. If so, kudos to ICS-CERT for a creative partial-solution to the timely disclosure problem.

Hurricane Response


The article on the ICS-CERT monitoring efforts during Hurricane Irene helps to remind people that a full look at security includes protecting an organization against the effects of natural hazards as well as human attacks. The article provides a brief discussion about the importance of contingency plans for response to interruptions caused by both man-made and natural disasters.

Cross-Vendor Working Group


There is an interesting but brief article on the kick-off meeting of the cross-vendor working group of ICSJWG that is trying to “develop a unified approach for addressing serious security issues that exist across many vendor platforms”. One particular sentence in the report may draw some criticism from the control system security blogger community:

“An inaccurate perception exists that the vendor community does not fully understand control system security challenges.”

There will certainly be a disagreement about the extent of the ‘community’ that does or does not ‘fully understand’ the control system security challenge. I think that we all can agree however, that a wider and fuller understanding would be helpful in all parts of the community.

Sunday, September 18, 2011

Congressional Hearings – Week of 9-19-11

Just two hearings this week in Congress that might be of interest to the chemical security community: a pipeline safety bill markup and a DHS authorization markup. Additionally, the FY 2012 continuing resolution is scheduled to come to the House floor this week.

HR 2937 Markup


The House Energy and Commerce Committee has scheduled a markup of HR 2937, Pipeline Infrastructure and Community Protection Act of 2011, on Tuesday and Wednesday. This bill is not yet available on the GPO website, but it should be the bill that was discussed in draft form in an earlier meeting before this committee. There are similar bills being considered by other committees in the House (HR 2845) and the Senate (S 275).

There are two other bills that are scheduled to be marked up in the same hearing and both are controversial bills designed to limit EPA actions. The discussion on these, if they go first, could certainly consume all of the available time and might cause a postponement of the consideration of HR 2937. The two day format described on the Committee web site does not really alleviate this potential problem since the first day of the hearing is only for the presentation of opening statements by committee members.

S 1546 Markup


As I mentioned in my blog post on the introduction of S 1546, the Senate Homeland Security and Governmental Affairs Committee will be holding their second day of markup hearings on the DHS authorization bill on Wednesday.

Continuing Resolution Status


Rather than doing a separate very short blog post on the status of HJ Res 79, the FY 2012 CR, I’ll just report here that the Majority Leader’s web site notes that the bill will be brought to the floor for consideration on Wednesday.

Saturday, September 17, 2011

S 1546 Introduced – DHS Authorization Bill

Earlier this week Senators Lieberman (I,CT) and Collins (R,ME) introduced S 1546, the Department of Homeland Security Authorization Act of 2011. A copy of the bill is not yet available from the Government Printing Office, but it is hardly necessary as the Senate Homeland Security and Governmental Affairs Committee printed a copy of substitute language for the bill that is being considered by that Committee in markup hearings conducted this last week and next week. Since that substitute version will be the basis for any other Committee actions, a review of that will be more important than a review of the introduced version.

There is no mention of chemical, transportation, or cyber security in the bill; in fact there is relatively little mention of security in this bill, reflecting the current DHS emphasis on recovery. There are still some provisions in this bill that will be of interest to the chemical, transportation and cyber security communities. They include:

• Catastrophic incident planning;
• Guidelines concerning weapons of mass destruction;
• Plume modeling;
• Metropolitan medical response system; and
• Classified national security information program.

Catastrophic Incident Planning


Section 401 sets out requirements for the Department’s responsibilities for “leading, promoting, and coordinating efforts of Federal agencies to conduct catastrophic incident planning” and reviewing plans for “private sector entities for catastrophic incidents submitted to the Federal agencies” {§526(b)(3)}. The Department is specifically tasked with “promoting and supporting appropriate catastrophic incident planning by private sector entities, including private sector entities that own or manage critical infrastructure” {§526(b)(6)}. This should include high-risk chemical facilities.

Weapons of Mass Destruction


Section 413 requires the Department to establish guidelines “for responding to an explosion or release of nuclear, biological, radiological, or chemical material” {§531(a)(1)}. Those guidelines would include:

• Protective action guidelines for emergency response personnel;

• Exposure effects of the biological, chemical or radiological agents; and

• Information about effective treatments for WMD victims for emergency response personnel and mass care facilities.

Plume Modeling


Section 414 requires the Secretary to develop an ‘integrated plume model’ (similar to what we used to call a downwind message in the Army) that would serve as a tool for emergency responders for “the assessment of the location and prediction of the spread of nuclear, radioactive, or chemical fallout and biological pathogens resulting from an explosion or release of nuclear, radioactive, chemical, or biological substances” {§318(a)(2)}. Provisions would be required to be made for the release of the model to “nongovernmental organizations and the public to enable appropriate response activities by individuals” {§318(b)(2)(B)}.

Metropolitan Medical Response System


Section 418 reauthorizes the Metropolitan Medical Response System to continue to assist State and local governments “in preparing for, protecting against, and responding to mass casualty incidents by systematically enhancing cooperation and integration of emergency response providers and public health and medical personnel” {§2042(b)}. Last session similar legislation was introduced as HR 4580 and I made some suggestions then as to how CFATS emergency response planning could be incorporated into MMRS preparations.

Classified National Security Information Program


Section 602 would establish a Classified National Security Information Program which will be designed “to safeguard and govern access to classified information shared by the Federal Government with States, local governments, Indian tribes, and private sector entities” {§210G(b)}. This program would implement the provisions of EO 13526 for classified information (presumably intelligence information).

The program would include responsibility for:

• Tracking the status and final disposition of security clearance requests;

• Developing and maintaining a security profile of facilities that have access to classified information;

• Developing appropriate training for personnel with access to classified information; and

• Preparing an annual report on the status of the Program to Congress.

Moving Forward


The Homeland Security and Governmental Affairs Committee held the first of two markup hearings on the bill earlier this week, but there are no real details beyond a link to the web cast currently available. The second of the two hearings will be held this Wednesday, after which we should find more details on the Committee web site.

Friday, September 16, 2011

CFATS Knowledge Center Update that Wasn’t

Earlier today the folks at DHS-ISCD published an update of one of their frequently asked question (FAQ) responses. Actually it appears that the wrong (the old) version of the response was saved to the web site. The answer was identical with the version that was placed on the site on August 8th, 2008.

Normally I would assume that someone was just checking the response on the server and had changed the date on a ‘last reviewed’ instead of a ‘last modified’ basis. Unfortunately, there is a “glaring” error in the ‘new’ response to FAQ #726; a FAQ that is related to the latest version of the CSAT User Registration User Guide. The link to the guide in the response is correct (actually DHS keeps the same link for their manuals, even when they change versions), but the description of the file “(PDF, 45 pages - 2.01 MB)” is out-of-date by at least two versions. According to the Register to Access CSAT web site the description of the new manual is: “(PDF, 31 pages - 2.22 MB)”.

Fortunately for DHS, I will bet that I was the only person that noticed the discrepancy. It certainly did not affect the utility of the response.

OMB Approves CyberFetch ICR

On Wednesday the Office of Management and Budget announced that they had approved the information collection request (ICR) authorization for the DHS S&T CyberFetch program. Approval of this ICR clears the way for S&T to establish their CyberForensics Electronic Technology Clearinghouse (CyberFetch), a secure on-line information sharing environment for cyber forensics professionals.

The OMB approval comes with a “consistent with change” comment. A review of the OMB documents file for this ICR shows that S&T submitted updated copies of their proposed Privacy Act Notice, Routine Uses Notice and the CyberFetch Registration Screen. Presumably these are the changes referred to in the approval notice.

As of this morning there is no mention of the CyberFetch program on the S&T web site. Neither is the CyberFetch.org web site yet functional. There is no telling how much longer it will be before this program gets up and running.

Thursday, September 15, 2011

FY 2012 Continuing Resolution Rule

The House Rules Committee met today to establish the rule for the consideration of H. Joint Resolution 79, Continuing Appropriations Resolution, 2012, by the full House. The Rule established today (H Res 399) provides for limited debate, and only a single amendment will be allowed to be offered on the floor. Once the Rule is approved by the House, the consideration of this bill could take less than two hours.

The amendment will be offered by Rep. Rogers (R,KY), Chairman of the House Appropriations Committee. It will be a technical correction to the mathematical adjustment of the FY 2011 spending rates to meet the spending limits found in the Budget Control Act of 2011. The change is necessary because the Congressional Budget Office scoring of the provisions of the bill was larger than the Appropriations Committee’s staff calculations. The amendment will reduce the FY 2011 spending rates by 1.503% instead of 1.409%.

Since the House has adjourned for the week, the earliest this bill can be considered in the House will be Monday.

HR 2890 Introduced – Water Treatment CFATS Exemption

On Monday Rep. Hansen (D,MI) introduced HR 2890, a bill that would expand the CFATS program to include potential coverage of water treatment plants and wastewater treatment works.

The bill would amend the §550 authorization for the CFATS program by removing the current exemption in §550(a) for “Public Water Systems, as defined by section 1401 of the Safe Drinking Water Act, Public Law 93–523, as amended; Treatment Works as defined in section 212 of the Federal Water Pollution Control Act, Public Law 92–500, as amended”.

It would then require the President to “delegate to the Administrator of the Environmental Protection Agency the authority otherwise provided to the Secretary under this section” for those facilities.

Subcommittee Adopts Amended TSA Authorization Bill

Yesterday the Transportation Security Subcommittee of the House Homeland Security Committee approved an amended version of a draft TSA authorization bill on a party-line 6 to 3 vote. Twenty amendments were considered by the Subcommittee; nine were adopted, one was withdrawn and ten were rejected.

As with most TSA related legislation, the bulk of the proposed bill adopted by the Subcommittee deals with air transportation security issues. There are, however, a number of important surface transportation issues addressed in the bill. They include:

• A review of security credentialing programs;

• Adding hazmat truck drivers to the TWIC program;

• Establishing a railroad IED detection program;

• A review of the pipeline security MOU with DOT;

• Establishing a Surface Transportation Advisory Committee; and

• A review of intelligence information sharing.

Security Credential Review

Section 302 would require the DHS Secretary to establish a TWIC review task force that includes representatives of Federal agencies, industry and labor. The task force would review the current list of disqualifying crimes and the potential harmonization of Federal security credentialing requirements.

Hazmat Driver’s TWIC

Section 304 of the bill would amend the Homeland Security Act to require the development of a definition of ‘security-sensitive materials’ (SSM) for motor transportation. It would then require that drivers transporting such materials possess a TWIC and require shippers of SSM to verify the possession of a TWIC before allowing a driver to accept an SSM load. This section would also grandfather current HMEs until they expire. Section 306 would then eliminate the issuance of future HMEs.

Railroad IED Detection

Section 323 would establish a demonstration program to look at possible technologies that would address the use of improvised explosive devices (IEDs) against railroads. First it would look at detecting IEDs “on bridges and in tunnels through the use of foreign object detection programs” {§323(b)(1)}. Next the program would address how to “defeat improvised explosive devices left on rail tracks” {§323(b)(2)}. No mention is made about building on IED detection and response technologies developed by the military.

Pipeline Security MOU

Section 325 would require the Comptroller General to review the current pipeline security annex to the DOT-DHS memorandum of understanding (MOU) dealing with the delineation of transportation security responsibilities. The study would look at the clarity of the delineation of responsibilities for protecting against, responding to, and recovering from intentional pipeline breaches. It would also look at how the government would determine if a pipeline breach was intentional or accidental.

Surface Transportation Advisory Committee

Section 341 would require the establishment of a Surface Transportation Advisory Committee “to assist the Assistant Secretary with issues pertaining to surface transportation security” {§1311(a)(1)}. Membership would come from up to 27 public and private organizations (including labor unions) representing surface transportation security stakeholders. One of the priority issues to be addressed by STAC would be the submission to the Assistant Secretary of “recommendations on improving homeland security information sharing between components of the Department of Homeland Security and surface transportation security stakeholders” {§341(a)(2)(B)}.

Intelligence Information Sharing

Section 342 would require the Assistant Secretary to develop an intelligence information sharing plan that would improve information sharing “with State and local transportation entities that includes best practices to ensure that the information shared is actionable, useful, and not redundant” {§342(a)}. It does not provide for sharing of information with shippers and transporters, which would be a prerequisite for adequate security planning.

Moving Forward

The next step for this bill will be a hearing before the full Committee. Typically we would expect to see that scheduled in the next week or two.