Friday, March 30, 2012

Invensys Wonderware Advisory Published by ICS-CERT

This afternoon the DHS ICS-CERT published an advisory outlining two heap-based buffer overflow vulnerabilities discovered in the Invensys Wonderware System Platform. Celil Unuver, of  SignalSec Corporation reported the vulnerabilities in a coordinated disclosure.

The two separate heap-based overflow vulnerabilities would both be exploitable by a moderately skilled attacker using a social engineering attack. There is no known exploit code publicly available for these vulnerabilities. Invensys has developed a patch to mitigate the vulnerabilities and it has been verified by Celil Unuver.

NIAC Meeting Announcement

Today the DHS National Protection and Programs Directorate (NPPD) published a notice in the Federal Register (77 FR 19300-19301) about the upcoming meeting of the National Infrastructure Advisory Council (NIAC). The meeting will be held in Arlington, VA on April 17, 2012. The Council will receive a presentation on the next phase of the infrastructure resilience study being conducted by the NIAC Working Group (previous NIAC studies can be found at:

The public is invited to attend the meeting and provisions have been made to allow comments by the public (limited to 3 minutes) on the infrastructure resilience study at the end of the meeting (Note: registration for making public comments is required and may be done just before the start of the meeting). Written comments on the topic may also be submitted by April 6th (which seems to be just a tad bit early, typically this date is set just a day or two before the meeting) via the Federal eRulemaking Portal (; Docket # DHS-2012-0012).

Thursday, March 29, 2012

HR 2764 Marked-up and Ordered Reported Favorably

Yesterday the House Homeland Security Committee, during a multi-bill mark-up hearing, amended HR 2764, the WMD Intelligence and Information Sharing Act of 2011, and ordered it reported favorably to the Full House by a voice vote. The sole amendment considered was also adopted by a voice vote.

The one amendment considered dealt with a change in wording about the extent of the bio-threat being considered by portions of the bill. So once again a WMD bill almost totally ignores the much more probable WMD threat of an attack on a large scale chemical facility being used as a chemical weapon to attack the adjacent community. Fortunately, to date the terrorists appear to have been a short sighted as Congress.

ICS-CERT Publishes Rockwell Automation Advisory

Yesterday the DHS ICS-CERT published an advisory for the Rockwell Automation FactoryTalk application concerning two vulnerabilities that could result in a DOS if successfully exploited. This advisory is a follow-up to an alert published in January which was based upon an uncoordinated disclosure by Luigi.

The two vulnerabilities are:

• Unexpected Return Value; CWE 389; and

• Read Access Violation, CWE 125.

A relatively low skilled attacker could use the available proof-of-concept code to craft a denial of service attack. Rockwell Automation has provided a security update to address this vulnerability. They also provided a list of TCP ports that should be blocked by a firewall “to prevent traversal of RNA messages into and out of the ICS system” (page 3). This is a valuable extension of information about the initially reported vulnerability.

Wednesday, March 28, 2012

EPA RMP Data Posting Update

Readers will remember that I’ve done blog posts about EPA’s intention to re-post some of the RMP data that was taken off of the web after 9-11 and the late response to that planned action by the House Energy and Commerce Committee. Well I just learned that this morning the EPA notified a number of industry groups and government agencies that they will be postponing the implementation of that plan pending further discussions with the various communities of interest.

An email sent this morning outlines the security concerns that they have heard in response to the notification of their planned action. It notes:

“Reasonable concerns have been raised that certain types of non OCA [off-site consequence analysis] data should not be posted. We have heard, and are sensitive to these concerns. The Agency has also received comments that non OCA data should not be made available on the Agency’s website in lieu of the current access regime – which requires more personal contact to obtain the information than if it was freely available on the internet – makes it less likely that someone seeking to misuse RMP information will use government sources to obtain it. Again, we understand the concern and would like to consider other approaches if such can be found.”

The email goes on to explain that the EPA also has a legal responsibility to ensure that local communities have reasonable access to data that can be used to formulate protective plans for accidents [and potential terrorist attacks on these facilities; though that isn’t specifically mentioned]. The memo notes:

“We are also aware of and sensitive to local community “right to know” about certain risks that are present within them, and that reasonably easy access to such information is preferred when that makes sense. For this reason, the EPA is looking to continue the dialogue on how we might more easily allow access to share some portions of RMP data in a way that balances the public’s right-to-know about the chemical risks present in their community, with the need to protect our national security.”

It will be interesting to see how this plays out in the coming months.

CVI Training Access Problem Solved

I just got a very nice email from the folks at the CSAT HelpDesk concerning my reported inability to access the CVI Training site. They haven’t fixed the site because they couldn’t replicate the problem; fair enough.

They didn’t let it end there, however. They suspected that the problem was with my computer and offered a suggestion to correct the problem that worked very nicely. Here is their suggestion:

“Also, if you are using Internet Explorer to access CSAT/CVI, make sure the internet security is enabled within the browser settings by performing the following actions:

- Launch Internet Explorer web browser

- Under the "Tools" menu, select "Internet Options"

- Select the "Advanced" tab

- Scroll down to the "Security" heading (towards the bottom)

- Select the following option:

-- "Use TLS 1.0." (Ensure you place a check mark in the box for the setting.)

- Select "Apply" to save this setting.”

Actually, these instructions seem very familiar; I think they used to be in one of the CSAT manuals (may still be, but I can’t find it in a quick search). Oh, yes and they work.

I suppose that I probably should have contacted the HelpDesk folks {CFATS Helpline, 866-323-2957; Monday-Friday 7:00 a.m. – 7:00 p.m., Eastern Time}, but the last time I contacted them I was told they couldn’t talk with me because I was ‘The Press’. Fair enough; that is a standard procedure for business and government; limit the people who can talk to the press so that bad (incorrect not embarrassing) information doesn’t go out in the name of the organization. Unfortunately, I no longer have a working PAO contact at ISCD; they get changed more often than Acting Directors.

If you are not the press, but a harried chemical security person at a high-risk or potentially high-risk chemical facility, you should certainly try to contact them with any CSAT/CFATS related problems that you have. They have the standard answers for standard questions, know how to fix problems like this, and can put you in touch with the appropriate person when necessary.

Thanks for the Help today.

Supply Chain Security

I mentioned in a blog post this weekend that HR 4251 addressed supply chain security issues and noted that what it looked at was very different from what the cyber security community was concerned about when it talks about ‘supply chain security’. With that in mind I read an interesting article over on about cyber supply-chain security concerns in the Federal government that is well worth looking at.

The Threats

The article is based, in large part, on information provided by a recent GAO report on IT Supply Chain security. That report lists the following threats to the IT Supply Chain (pg12, 16 Adobe):

• Installation of hardware or software containing malicious logic;

• Installation of counterfeit hardware or software;

• Failure or disruption in the production or distribution of critical products;

• Reliance on a malicious or unqualified service provider for the performance of technical services; and

• Installation of hardware or software that contains unintentional vulnerabilities.

While the next couple of pages in the report discuss each of these threats in some detail, nowhere does it mention control systems. This is not terribly surprising since most of the Federal government does not make anything, so non-military control systems are few and far between. Even so a quick look at the descriptions by someone with a control system background will see that there are potentially clear links between these types of threats and control systems.

The GAO report goes on to look at specific examples of cyber supply-chain vulnerabilities (pgs 16-17 Adobe 20-21). They include:

• Acquisition of information technology products or parts from independent distributors, brokers, or the gray market;

• Lack of adequate testing for software updates and patches;

• Incomplete information on IT [cyber] suppliers; and

• Use of supply chain delivery and storage mechanisms that are not secure.

Once again it is clear that these vulnerabilities would also apply to control systems applications.

Government Response

The GAO report looks at how well three ‘National Security-Related Agencies’ (Defense, Homeland Security, Energy and Justice) have addressed these supply chain security issues. They note that DOD has the most complete program in place, but even it has not yet developed outcome-based performance measures to track their performance. DOJ has identified protective measures, but has not yet put forth a plan for implementing those measures or developed a tracking system to gauge performance. According to the report DOE and DHS have not yet done even that much.

Private Sector Requirements

To date, Congress has completely ignored this issue whenever the subject of cybersecurity has come up. I have yet to see any significant mention of requiring the private sector to look at IT supply chain security issues in any of the cybersecurity bills introduced to date.

It is possible that DHS could require supply chain security issues to be addressed in cybersecurity plans required under HR 2102. It is unlikely, however, given the Department’s poor record on developing and implementing in-house plans for their IT resources.

One would like to think that responsible owners and operators of control systems would already have such measures in place, or were at least developing such measures. I would be surprised, however, if any but the largest organizations have even considered this issue in developing the minimalistic cybersecurity plans that actually exist. I would bet that the vast majority of control systems owners, most of which have no cybersecurity efforts to speak of anyway, have not even considered the threats listed above as part of their facility security plans.

We already have a large number of control system security issues that are going to have to be addressed. This is just one more that needs to be added to the list.

Tuesday, March 27, 2012

Subcommittee Passes HR 4251 with Amendments

Today the Subcommittee on Border and Maritime Security of the House Homeland Security Committee favorably reported HR 4251, as amended, by a voice vote. In addition to the amendment in the nature of a substitute that I described in a posting this last weekend, two other amendments were adopted, also by voice vote. All three voice votes a sure sign of bipartisan support for this legislation within this subcommittee.

The two new amendments, one by Rep. Rigell (R,VA) and one by Rep. McCaul (R,TX) dealt with ‘supply chain’ security issues related to inspections at foreign ports; nothing of particular interest to the chemical security community.

As I mentioned in the earlier post, it will be interesting to see if Chairman Miller’s (R, MI) enthusiasm for this bill will carry it to an early consideration by the Full Committee.

CVI Training Link Still Dead

It has now been more than two weeks since I reported that the link {}for the ISCD Chemical-terrorism Vulnerability Information (CVI) Authorized User Training does not work. Since completion of the CVI training is a pre-requisite for using many of the CSAT tools, not having this training available is certainly going to put a crimp in many organizations’ implementation of CFATS.

Monday, March 26, 2012

ISCD Updates CFATS Knowledge Center

Today ISCD had a promising update on the CFATS Knowledge Center web page. They removed the “Helpful Tips for Completing a Chemical Facility Anti-Terrorism Standard (CFATS) Site Security Plan” document from the ‘Documentation’ section of the web page (it is still available as of this writing at: They note in the ‘Latest News’ section of the page that the document is being updated “updated to reflect lessons learned from the SSP Interim Review process. A revised version will be re-posted at a later date”.

This is encouraging news. I think that it would probably be helpful if there were some substantive changes made to the SSP submission tool at the same time, but that is probably too much to ask for.

DHS Updates Chemical Sector Training and Resources Page

Earlier today the folks at the Chemical Sector Office in NPPD updated their training and resources web page. Alert readers might remember that this is the page that I received premature notification of the change to this web page almost two weeks ago. Most of the changes are editorial in nature but there is one fairly substantive change and a major overlook on the page.

The editorial changes are simply changes in wording or style. For instance on of the old headers was ‘Publications’; it is now ‘Chemical Sector Publications and Resource Kits’. It may be slightly more informative, but hardly a necessary change.

The substantive change that justifies the changed web page deals with the Chemical Sector Security Summit. The previous version of this page (dated August 8, 2011) still carried information on the then recently held meeting from last July. That information has long since been updated on other DHS pages, but it is just now being updated here. Not a problem since it will still be just a short while (hopefully) before the registration process starts and requires further modification of this page.

The section where needed corrections were overlooked actually comes just before the CSSS information on the page. The section on the ‘Security Seminar & Exercise Series for Chemical Industry Stakeholders’ still shows scheduled exercise dates for long past exercises from August and September of last year. At the very least these should have been deleted when the page was updated today. What is of real concern is that apparently there have not been any of these exercises executed or scheduled since the Fairview Heights, Il exercise on September 15th. That’s really a shame.

Congressional Hearings – Week of 3-26-12

This week the battle for the FY 2013 budget officially begins with a hearing before the House Rules Committee. There will also be two markup hearings before the House Homeland Security Committee concerning port security and WMD intelligence. Finally there will two hearings about TSA; one looking at ‘Security Theater’ and one looking at ‘Rightsizing’.

Budget Hearing

While there have been a large number of hearings looking at the President’s budget request for FY 2013, no real action has been taken to date on the FY 2013 budget. The House Rules Committee will be meeting Tuesday to set the rule for the consideration of the as of yet un-numbered House Concurrent Resolution on the Budget for FY 2013. Once (if) this is passed it will form the basis for setting the amounts in the spending bills for each Departments of the federal government for next year.

It goes without saying that there will be some lively debate on this resolution and it will almost certainly pass in the House. If the past couple of years are any indication the Senate will not take up the resolution.

Markup Hearings

The Subcommittee on Border and Maritime Security of the House Homeland Security Committee will be meeting on Tuesday to mark up the recently introduced HR 4251, the Securing Maritime Activities through Risk-based Targeting for Port Security (SMART Port Security) Act, that I discussed in an earlier blog. While Chairman Miller has a proprietary interest in seeing her bill move forward, it will be interesting to see how fast the Full Committee takes up this bill. The longer it takes the less likely it will be for DHS to meet the nearly impossible deadlines imposed in this bill.

On Wednesday the House Homeland Security Committee will be marking up four separate bills in a single hearing. They are:

• HR 2179; transferring unclaimed funds recovered by TSA to the USO;

• HR 2764; the WMD Intelligence and Information Sharing Act of 2011;

• HR 3140; the Mass Transit Intelligence Prioritization Act; and

• HR 3563; the Alert and Warning System Modernization Act of 2011.

The bill most likely to be of interest to the chemical security community is HR 2764. This is an intelligence and information sharing bill dealing with WMD issues. While it’s main focus is bioweapons it does provide some general guidance on intelligence collection for the whole range of CBRN weapons. The Subcommittee on Counterterrorism and Intelligence took no action on this bill beyond reporting it with a favorable recommendation by a voice vote; it wasn’t even discussed before the vote.

TSA in the Spotlight

The House Transportation Committee and the Oversight and Government Reform Committee will hold a joint oversight hearing Monday looking at the TSA; “Effective security or security theater”. A Transportation Committee press release notes that one of the foci of this hearing will be the TWIC program. Should be an interesting if not necessarily informational hearing; the security blogger Bruce Schneier will be one of the witnesses.

The House Homeland Security Committee’s Subcommittee on Transportation Security will be meeting on Wednesday to look at “Rightsizing TSA Bureaucracy and Workforce Without Compromising Security”. There is no information available yet on witnesses, but I suspect that this will be a further look at reducing the size of the TSA’s airport security operation by allowing, even encouraging, airports to hire their own security screeners. I will be very surprised if there is a mention of the surface security inspection force; it’s just too small to attract attention or really accomplish anything. Come to think of it I hope that isn’t a ‘rightsized’ inspection force.

Sunday, March 25, 2012

HR 4251 Introduced – Port Security

On Thursady, Rep Miller (R, MI), Chair of the Subcommittee on Border and Maritime Security of the House Homeland Security Committee, introduced HR 4251, the Securing Maritime Activities through Risk-based Targeting for Port Security (SMART Port Security) Act, a bill introduced to  authorize, enhance, and reform certain port security programs through increased efficiency and risk-based coordination within the Department of Homeland Security. Interestingly an ‘amendment in the form of a substitute’ has already been published on the Committee web site for this bill as it is already scheduled for Subcommittee markup next week; more on that in a later post.

Port Security Programs

Title I of this bill deals with security coordination efforts between various agencies within DHS under the maritime operations coordination plan. This has little to do specifically with chemical security so I’ll leave commenting on these provisions to those commentators with more knowledge of DHS CBP operations where this Title is principally focused.

Section 104 may end up having some sort of passing effect on the CFATS program. This section requires the Comptroller General to review and report on: “port security and maritime law enforcement operations within the Department to identify initiatives and programs with duplicative, overlapping, or redundant goals and activities, including the cost of such duplication” {§104(1)}.

Since the Department is trying to harmonize the chemical coverage of the MTSA and CFATS programs, it is possible that, depending on how advanced that harmonization efforts has become, the Comptroller’s General report may decide that the harmonization constitutes overlap that should be discouraged. I don’t think that that will be likely, not so much because of the lack of overlap issues, but rather there still won’t be a real harmonization effort for anyone to report upon.

TWIC Issues

While Title II of this bill is supposed to deal with maritime supply chain security (not the type of ‘supply chain security’ being addressed in the cyber security community, but rather the timely and safe flow of materials into this country without accompanying weapons of mass destruction), the last three sections of this title have nothing to do with maritime supply chain security. Instead, they address Congressional concerns about the Transportation Workers Identification Credential (TWIC) program.

Section 205 requires TWIC process reform, directing that the Secretary shall reform the TWIC application process “by not later than the end of 2012, when hundreds of thousands of current TWIC holders will begin to face the requirement to renew their TWICs” {§205a}. The specific reform being mandated in this section is that during the “enrollment, activation, issuance, and renewal” of a TWIC will not require “in total, not more than one in-person visit to a designated enrollment center” {§204(b)}.

It matters not that an independent investigation by the GAO last year recommended against the mailing of TWICs to applicants, citing security concerns. Ms. Miller and other members of Congress on both sides of the aisle are responding to complaints from both labor and management about the time consuming and complicated TWIC application, activation and issuance process. With the vast majority of TWIC holders facing going through the process again in the next two years as their current TWICs expire, these complaints are reaching a thunderous level during an election year. Similar provisions are now found in at least three separate pieces of legislation (HR 1143, HR 3116, and HR 3173).

Since there are regulations that will have to be changed to effect these reforms, it is unlikely that the Department would be able to meet the 270 day deadline provided in §205(b), even if it wanted to. It’s not a big problem any way, I suppose, TSA has not met a Congressional deadline yet that it couldn’t ignore.

Section 206 puts another deadline on DHS to complete a TWIC related regulation. It would require the final regulations for TWIC Readers to be completed by December 31, 2014. This time the affected agency is the Coast Guard and this is an acknowledgement that the August 20, 2010 requirement set by Congress in the Safe Port Act is dead and gone. In a silent acknowledgement that it has no practical means to enforce this deadline, Miller’s staff inserted a Stay of Expiration provision that TWICs could not expire until after such final regulations were issued. Of course this ignores the fact that according to a recent Coast Guard announcement, the TWIC chips shut down on their expiration dates.

To make matters more interesting the revised version of this bill to be considered next week in a subcommittee mark-up hearing changes the date from ‘December 31, 2014’ to ‘June 30, 2014’. Additionally, it adds a new paragraph (perhaps to address the dead chip issue) that requires the Secretary to reduce the cost to the applicant of re-issuing the cards (if it is determined that re-issuing is required to maintain the security value of the TWIC) “to the maximum extent possible while ensuring that the Transportation Worker Identification Credential program maintains adequate funding” {§206(c)(2)}. Since the application fee is supposed to cover the costs of administering the TWIC program this requirement only looks like Congress is doing something to reduce the costs to applicants.

The final section of this bill, §207, deals with TWICs and illegal aliens. It sets forth another new mandate for the DHS TWIC program that the Secretary shall put into place a process to ensure “to the maximum extent practicable, that an individual who is not lawfully present in the United States cannot obtain or continue to use a Transportation Worker Identification Credential” {§207(a)(1)}. Applicants would be required to prove identify (already required) and provide proof of “lawful presence in the United States” {§207(a)(2)(A)(ii)}. Additionally, ‘trusted agents’ (who actually process TWIC applications for TSA) must “receive training to identify fraudulent documents” {§207(a)(2)(B)}.

Finally §207(b) provides that TWICs will now also expire “in [certainly a typo for ‘on’] the date on which the individual to whom such a TWIC is issued is no longer lawfully present in the United States. There is no information about how TSA is expected to determine that a person is ‘no longer lawfully present’. Privacy rules would presumably prohibit the proactive sharing of TWIC status and/or citizenship status between government agencies, even within the Department.

Moving Forward

Since this bill was introduced last Thursday and will undergo a markup hearing this coming Tuesday, it appears to have the full endorsement of the Homeland Security Committee leadership. This frequently indicates that there will be a rapid movement of the bill to the floor of the full House. I don’t see anything here that would impede passage of either this original bill or its subsequent pre-hearing revision.

Saturday, March 24, 2012

Ecava IntegraXor ICS-CERT Advisory Published

Yesterday the DHS ICS-CERT folks published an advisory for a Path Transversal vulnerability in the IntegraXor application from Ecava. The vulnerability was reported by Billy Rios in a coordinated disclosure and he has validated the subsequent patch from Ecava.

This vulnerability would allow a moderately skilled attacker to manipulate files on the system or execute arbitrary code. A social engineering attack would be a necessary component of any such remote attack as it would require the opening of a specially crafted HTML file on the server to be successful.

It is interesting to note that the Advisory reports that:

“This vulnerability is only exploitable while using Internet Explorer due to the proprietary Active X component. No other web browsers are affected by this vulnerability[.]”

It is not clear, to me at least, if the IE Active X component that is involved in the vulnerability in the IntegraXor application would have similar effects on other similar SCADA HMI or HMI development applications. I would suspect that Billy Rios is probably looking into this issue with other systems. In fact, I would not be surprised to see similar vulnerability reports coming out of ICS-CERT in the coming weeks.

Friday, March 23, 2012

Chemical Facility Attacks May Not Be Effective

From time to time I have been accused of being alarmist about the potential damage that could result from a successful attack on a high-risk chemical facility. It is true that I tend to focus on the worst case scenarios when discussing such risks; that is a necessary point of view for anyone involved in security or safety planning efforts. From time to time, however, we do need to sit back and see the broader picture, remembering that modern chemical facility planners and managers do put a great deal of effort into chemical process safety.

Yesterday’s explosion and fire at the Westlake Chemical’s Geismar, La Vinyls Complex is a good case in point. According to a news report at the unit involved in the conflagration produced millions of pounds of vinyl chloride monomer (VCM) every year. VCM is a highly flammable liquid and one of the 300+ DHS chemicals of interest (COI). Chemicals involved in its manufacture include chlorine gas and hydrochloric acid, both also COI. In short, this facility was almost certainly a CFATS covered facility, probably in Tier I; by definition a facility at high-risk of terrorist attack.

A Hypothetical Terrorist Attack

No one has mentioned terrorist attack with respect to this incident. First off it is just too early in the incident investigation process for anyone to have any clear idea what caused the initial explosion. Secondly, it appears that the incident occurred during process startup after a scheduled shutdown, the most likely time for an accident to occur for a whole host of reasons. Whatever the cause, an explosion occurred, a huge fire resulted, dangerous chemicals were almost certainly released into the environment and the world did not end.

People at the plant were almost certainly injured, though there are no reports of serious injuries and no fatalities. People living around the plant were certainly inconvenienced and scared; a shelter-in-place warning was issued for the area around the plant. Traffic, both road and Mississippi river, was disrupted in the area as emergency response personnel shut down the area in what appears, from an outsider’s point of view, to be a very well-rehearsed emergency response plan.

Westlake Chemical will obviously feel some large financial impact as the damaged unit is made safe, its damage is assessed and repairs are made. Facility employees and the local economy will be affected while the unit is out of operation (though the local economy will receive a slug of money during the repair and reconstruction effort). There will be some economic disruption as supply of vinyl chloride products will be reduced as a major supplier of this basic chemical it temporarily out of action. And, I’m sure that there will be a number of people living near the plant that will re-think their living arrangements and move out of the shadow of the large chemical complex.

But, if this had been a very hypothetical terrorist attack, one would have to rate its success as mixed. If it was a designed event, either an explosive device or even a cyber-attack, it was successful on a tactical level; an explosion resulted in a large, very visible fire. On the strategic level, however, it was a failure of epic proportions. There were no deaths, no immediate off-site effects that would call for repressive responses from the government, no catastrophic environmental consequences that could lead to large scale public indignation that would result in major regulatory changes. In short, nothing occurred that would justify the operational expenses associated with an attack of this scope. More importantly, there was nothing that would cause a terrorist planner to sit-up quickly in front of a TV set with an aha moment that would start the planning process of a copy-cat attack on another chemical facility.

Federal Government Response

The Chemical Safety Board has not yet announced if they will be investigating this incident. Since no deaths or serious injuries have been reported, it is very possible that they will not spend their limited investigational assets on a detailed look at this explosion and fire. That is an unfortunate consequence of their underfunding by Congress. This is the organization that is best suited to determining a root cause of the explosion and producing the valuable ‘lessons learned’ reports for the remainder of the chemical manufacturing community to utilize in making their facilities safer.

One would like to think that the Chemical Facility Security Inspectors responsible for this facility would spend some time looking at this incident. Preventing a terrorist attack on a chemical facility is not the only goal of the CFATS program, ensuring that a successful (from a tactical point of view) attack is not a strategic success through appropriate mitigation strategies is equally important. Reviewing what mitigation efforts worked and which didn’t would provide a wealth of real-world information that could improve chemical facility security programs at other facilities.

Unfortunately, I would be shockingly surprised if ISCD had done any work on developing such a review capability. They have had more than enough problems putting into place an inspection program that can evaluate the theoretical effectiveness of a plan. They do not have the time or expertise to do an appropriate post-incident evaluation of security or mitigation efforts. This is another area that Congress needs to address when they get around to creating a real program authorization bill.

Personal Response

Having lived through much smaller-scale incidents of this sort, both in the military and in industry I have an appreciation of what is going on today in that plant and that community. No words can describe what is going on in the minds of the plant personnel today as they start their recovery process. There is a complete feeling of awe at the destructive nature of such events and there is the awful, sinking realization that, if I had just been standing right there no one would ever have found a trace of my remains. The engineers and process safety people are just beginning the painful self-flagellation necessary to determine what they could have done to prevent this specific incident.

I can only offer these words of encouragement to the plant personnel, their families and the surrounding community; this too shall pass. You will come out of this as a stronger, safer facility and community. It will be hard to see that in the coming days, but it is true. Your friends and compatriots in the chemical process industry stand with you, knowing in our hearts, that there, but for the grace of God, go I.

Wednesday, March 21, 2012

PHMSA Publishes Pipeline Registrations Advisory Notice

Today the Pipeline and Hazardous Material Safety Administration published an advisory notice in the Federal Register (77 FR 16471-16472) concerning its plan for implementing the national registry of pipeline and liquefied natural gas operators. This notice updates information provided by PHMSA in a similar notice published on January 13, 2012 (77 FR 2126).

Operator Identification (OPID) Numbers

Starting on January 27th of this year the Online Data Reporting System (ODES) is being used by affected entities to obtain OPID numbers. Before that date PHMSA had collected the required registration information on .PDF forms and is currently in the process of using that form data to complete the online database and plans on notifying those entities that completed those forms of their OPID Number.

In accordance with 49 CFR §191.11b operators of master meter systems or petroleum gas systems that serve fewer than 100 customers from a single source are not required to file annual reports. Those systems in existence on or before December 31, 2011 will have OPID Numbers issued based upon information already in the possession of PHMSA. Covered operators should be notified of their OPID Number by May 1, 2012. An operation established since December 31st, 2011 will be required to apply for an OPID Number once the ODES is modified on May 1st.

OPID Validation

As of March 27th, 2012 the OPID validation process will be completed using the ODES. PHMSA is providing notification in this advisory that all OPIDs issued prior to January 1st, 2012 should be validated using the ODES. PHMSA notes that “master meter and small LPG operators in existence prior to December 31, 2011, are not required to complete the validation process” (77 FR 16472). Because of the delays in getting the ODES operational the regulatory deadline for validation is being changed from June 30th, 2012 to September 30th, 2012. PHMSA is recommending that 2011 annual reports be filed at least 5 working days before the validation process is completed.

Section 191.22(c) and Section 195.64(c) Notifications

Since January 1st, 2012 PHMSA has been collecting Notification information on a .PDF version of Form F 1000.2. Starting on March 27, 2012 such notifications will be made using the ODES. PHMSA will be responsible for transferring the previous .PDF submitted data to the ODES.

This advisory notifies hazardous liquid pipeline operators to “disregard the notification requirement in §195.64(c)(1)(iii)” (77 FR 16472) as “PHMSA only wants notification of hazardous liquid pipeline facility construction projects with a cost of $10 million or more and plans to remove §195.64(c)(1)(iii) in a future rulemaking”.

Tuesday, March 20, 2012

MS RDP Advisory Issued by ICS-CERT

Yesterday the DHS ICS-CERT issued a short, very-understated advisory about the Microsoft Remote Desktop Protocol (RDP) memory corruption vulnerability. They note that while this is not an ICS specific vulnerability, that it will almost certainly have a major impact on ICS security because of the widespread use of RDP in control systems applications. The vulnerability was reported in a coordinated disclosure by Luigi (almost certainly his most important vulnerability report to date in his prolific career) through the ZDI program. Luigi’s proof-of-concept exploit code was leaked, apparently as part of the MS information sharing process.

The vulnerability would allow a relatively low skilled attacker to use publicly available exploit code to remotely attack a system to cause a ‘blue-screen of death’ (the ultimate DOS attack) or execute arbitrary code. Microsoft does have a patch available (and distributed on their automated system).

There are all sorts of interesting side stories about this particular vulnerability and we will certainly be hearing more about MS 12-020 in the future.

Sunday, March 18, 2012

Congressional Hearings – Week of 03-19-12

The House is back from a week on the home front and the Senate is done with their transportation bill, but there still isn’t much on the hearing schedule that looks to be of much interest to the chemical- and cyber-security communities; just one previously postponed budget hearing and two threat hearings.


Secretary Napolitano will get her chance to defend the President’s FY 2013 budget request for DHS one more time; this appearance on Wednesday will be before the Senate Homeland Security and Governmental Affairs Committee. This is her fourth appearance this year on this topic so I don’t expect much in the way of surprises in her testimony.

What might be interesting is to see what questions, if any, get asked about the CFATS problems at ISCD. Both Ranking Member Collins (R,ME) and Chairman Lieberman (I,CT) have a long history of interest in chemical facility security issues {as does, to a lesser extent, Sen. Levin (D,MI)} so any of the three might take this opportunity (ahead of an as of yet to be announced oversight hearing) to ask the Secretary about the problems within this very small part of her Department. I would be surprised if the answers would provide any major new insights.

Threat Hearings

There will be two House Homeland Security hearings this week on terrorist threats to the United States. The first will be a field hearing by the Counterterrorism and Intelligence Subcommittee on Monday with an interesting slant. The second will be a full Committee hearing on Wednesday on the potential terror threat from Iran and Hezbollah.

The interesting slant on threats deals with the closings of 30 petroleum refineries in the Northeast over the last decade. While the folks at Greenpeace and their allied organizations would probably argue that the closing of a refinery in the densely populated Northeast is a net counterterrorism gain (reducing the targets), Chairman Meehan (R,PA) would seem to disagree. According to the Homeland Security Committee web site:

“This hearing will help us understand the homeland security consequences of refinery closures, both in terms of threats to critical infrastructure and our dependence on imports from unstable parts of the world.”

I would suppose that the argument is that, with less production capacity in this high-population area, any successful terrorist attack on a refinery would have large economic consequences beyond the ‘mere’ cost of off-site casualties and mangled metal. This would appear to be especially true if the attack were fomented by a State actor like Iran.

This petrochemical refinery threat isn’t specifically mentioned in the write up about the second hearing, but I would bet that Meehan will bring it up in his questioning of the panel of witnesses. Interestingly enough the only current government employee on the list of witnesses comes from the NYPD. Of course Chairman King has been a strong and vocal supporter of the counter-terrorism intelligence activities of the NYPD so the inclusion of the Director of Intelligence Analysis for the NYPD should not come as a surprise.

The other three witnesses now work in the private sector but used to work in the intelligence arena of a variety of Federal agencies. I suppose that current intelligence types from those agencies would prefer to testify behind closed doors about current intelligence matters, which leaves the question about how much real actionable information can be presented in an open forum like this. The quick and easy response is ‘not much’.

Friday, March 16, 2012

Gasoline Theft Probably Not Terror Related

There is an interesting chemical theft story over on about the bulk gasoline theft from three retail stores in New York. It seems that someone drove a tank truck into three separate closed-for-the-night gasoline stations and pumped gasoline out of the in-ground tanks into the tanker. Given the high cost of gasoline (apparently $6.40/gal in NY; $6400 for 1000 gallons) this was almost certainly an economic crime not a terror related incident, but…..

Bulk Gasoline as a Terror Weapon

Much to the chagrin of some of my reader’s in the petroleum distribution industry, I have long maintained that gasoline is a much underestimated potential terrorist weapon due to its flammability and potential explosive nature. Unloading a tank wagon of gasoline into a high-profile target like a shopping mall or church could possibly create an impressive explosion, but at the very least would result in a catastrophic fire.

Parking tank wagons underneath freeway overpasses during rush hours and igniting the material would certainly produce an impressive fire and news reports have shown that the heat damage caused by such prolonged fires can damage overpass structures to the point that they are unusable. Hit two or three key overpasses and you can paralyze an urban area for weeks or months.

Finally (for this short list of examples, this is clearly not an exhaustive list), if you can place a hose in a tank to pump it out you can emplace an explosive device. It wouldn’t take too much of a bomb to turn the tank into a flame projection weapon endangering an entire neighborhood.

Gasoline Security

The gasoline distribution industry is another large group that has demanded, and in many cases received, special attention in the CFATS process. They have semi-successfully argued that since a gasoline explosion is so hard to create (and there are certainly a number of technical hurdles that a terrorist would have to overcome to turn a fuel tank farm into a fuel-air explosion) that they deserve special consideration when ISCD makes a determination that the facility is or is not a ‘high-risk’ facility under CFATS definitions. And retail gasoline facilities are not even required to complete Top Screens unless they have some other chemical of interest on site in excess of the screening threshold quantity.

Both DHS and industry have ignored the theft potential of gasoline as a portable terrorist flame weapon. Some have pointed to the difficulty of stealing gasoline in bulk, but articles like this show just how easily it can be done.

Thursday, March 15, 2012

OMB Approves PHMSA NPRM for Excavation Damage Enforcement

Yesterday the Office of Management and Budget announced that it had approved the PHMSA NPRM that implements the PIPES Act provided authority to enforce excavation damage laws in those states that have inadequate enforcement. According to the web page:

“This rulemaking would consider standards for excavators and operators to follow when conducting excavation in a vicinity of a pipeline and the administrative procedures to be used for enforcement proceedings.”

This bill has been languishing in PHMSA for a while; the NPRM was published in October of 2009 (74 FR 55797). Part of the problem is that PHMSA will not have any additional resources available to undertake any of the enforcement actions contemplated in the proposed regulations. There certainly won’t be any pipeline safety inspectors driving around the countryside looking at construction sites to see if they are complying with the standards. This will be another rule that will only be enforced after the fact with sanctions that will only be effective against small construction firms that won’t be fully aware of the rules in any case.

Since this approval came ‘consistent with change’ we can probably expect to see PHMSA publish this proposed rule within the next couple of weeks.

Wednesday, March 14, 2012

Website Problems at NPPD

There is something odd going on at the NPPD shop with regards to a  number of their web sites. Yesterday I got an email message from notifying me that they had updated their Chemical Sector Training and Resources web page, but the page is still the one last updated on August 8th, 2011. Then this morning when I did my standard check of links on the Critical Infrastructure Protection web page I found a number of dead links; including

I just re-checked all of the above and the problems remain. Either the folks at NPPD have gotten really sloppy with the maintenance of their web sites (possible I suppose) or their systems are under some sort of ‘attack’, or maybe it’s just a problem related to the recent solar flares.

NOTE: I did sign up for page change notifications through DHS specifically so I would get notified of changes with certain web pages. This program is a good idea and anyone that follows any of the specifically covered sites should sign up for the notifications. There is typically a link near the top of the page taking you to a real simple sign-up page; just provide your email address where you want the email notification sent.

UPDATE 3-15-12: As of about 5:00 am EDT the NPPD web site dead links seem to be corrected. Still no new Chemical Sector Training and Resources web page.

ICS-CERT Issues Three GE Proficy Advisories

Yesterday the DHS ICS-CERT published three advisories for three separate GE Proficy applications, with a total of four vulnerabilities identified. The advisory is the result of a coordinated disclosure by Luigi via the Zero Day Initiative (ZDI). None of the current vulnerabilities are currently listed on the Luigi web site or the ZDI Published Advisories web page. The three GE Proficy applications are:

Historian – A memory corruption vulnerability;

Real-Time Information Portal – A directory transversal vulnerability; and

Plant Applications – Two memory corruption vulnerabilities.

All four of the vulnerabilities are remotely exploitable by a moderately skilled attacker. The Plant Applications vulnerabilities could allow an attacker to “gain control of the systems”. The Historian vulnerability could allow for arbitrary code execution. The Real-Time Information Portal vulnerability would only allow some modifications of configuration files on the server.

Separate security advisories outlining specific mitigation measures have been issued by GE Intelligent Platforms for each of these ICS-CERT advisories. None of the ICS-CERT advisories contains any information about whether or not these mitigation measures resolve the reported vulnerabilities.

There is an interesting and encouraging note in the Plant Applications advisory from ICS-CERT. In the ‘Mitigation’ section it notes:

“Proficy Plant Applications customers using unsupported Versions 4.3.1, 4.2.3, 4.2.2, and 215.8 should contact GE Intelligent Platforms Support for assistance with obtaining and applying a patch.”

With the long useful life of control systems it is nice to see an organization that provides security support to out-of-date applications. GE Intelligent Platforms is to be commended for this service.

Tuesday, March 13, 2012

CFATS Knowledge Center Update 03-12-12

Yesterday the good folks at the CFATS Help Desk updated one of the frequently asked question (FAQ) responses on the CFATS Knowledge Center. The FAQ (# 1253; NOTE there are no permanent links to these FAQ responses) dealt with requesting that ISCD to provide a CFATS presentation for an organization. A little blurb in the ‘Latest News’ section of the page describes the update this way:

FAQ 1253 has been updated. Requests for CFATS presentations should include information regarding whether the event is open to the press. In the past, DHS has called requestors to obtain this information, but is now asking that it be included in the initial presentation request.”

The same information was also changed on the CFATS Request a Presentation web page.

Classified Information Sharing with the Private Sector

One of the standard complaints that security managers in the private sector routinely have with DHS is the near complete failure to provide real intelligence information about the various threats that may face high-risk chemical facilities or other critical infrastructure installations. The response of DHS and the rest of the federal security community has always been that this is due to the classified nature of the information. Unless they have worked in a position in the Federal government where routine access to classified information is required, most people have little idea how seriously the professionals (as opposed to the politicians and most political appointees) take their responsibility to protect classified information.

In a small way that was changed last week when DHS published the implementing directive for their “Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities”. This is the DHS implementation of the new program under Executive Order 13549 and provides direction for their formal program for sharing classified information with people outside of the Federal government (and its contractors). As we have come to expect with DHS programs the 180-day time limit for setting up this program was missed by a huge amount, but since this had to be vetted with the DNI and DOD, that is hardly surprising.

While this document does not specifically deal with how private sector entities will handle and store classified information we can expect that the detailed requirements in this document for State, local and tribal programs will be closely mirrored by the DOD requirements under their expanded National Industrial Security Program. All private sector entities not directly contracting with the Federal government will now fall under that program when it comes to routine dealing with classified information.

What is clear from this document that there will be relatively few private sector organizations that will be willing to spend the time, money and effort necessary to set up areas and programs for the storage of classified information or establish facilities for handling classified communications with the Federal government. I would urge anyone considering the establishment of such a capability to seriously review this DHS publication.

Individual Security Clearances

Having said that, I think that every high-risk chemical facility under CFATS (or that would be under CFATS if it weren’t covered under MTSA regulations) should have at least one person that has gone through the paperwork and training requirements for receiving a security clearance. That way if/when DHS fnally gets around to providing classified intelligence briefings for such organizations there will be someone cleared to attend such a briefing.

Before submitting that application, however, that individual applying for a Personnel Security Clearance (PCL; okay that is the DHS acronym; it is not my typo) and all of the people above him in the corporate hierarchy need to pay special attention to paragraph 2-102b2(a), in particular where it says:

“PS [Private Sector] personnel to whom a security clearance is issued under the SLTPS Program shall execute a “Statement of Understanding Relative to the Protection of Classified National Security Information.” The purpose of the form is to inform and impress upon the signatory that the protection of classified information takes precedence over corporate loyalty and influence [emphasis added]. As such they are legally obligated to abide by Federal standards for the safeguarding of and access to classified information and must resist and report any undue influence on the part of uncleared personnel [emphasis added], regardless of their position, to gain knowledge of classified information to which the signatory has been given access.”

Oh yes, the document clearly states that PCLs will only be given to US citizens {paragraph 2-101e5} and implies that personnel working for foreign owned companies may have additional difficulties obtaining a security clearance.

Exigent Circumstances

One of the things that the Executive Order did was make clear that there could be exigent circumstance where access to classified material could allowed for personnel without a PCL. This is briefly addressed in para 2-101e2 where it states:

“Agencies shall take into consideration that pursuant to Executive Order 13526, under exigent circumstances classified information may be released by designated Federal officials to personnel who are not otherwise cleared for access. Therefore, the granting of a security clearance strictly in support of potential contingencies is not necessarily justified or warranted.”

It is disappointing that this document does not provide more details about the how, when and who of the establishing of ‘exigent circumstances’. This is particularly true when that exception is intended to be used to deny PCL’s for otherwise eligible individuals. Hopefully that will not affect the PCL awards to security managers at high-risk chemical facilities or other critical infrastructure installations.

Monday, March 12, 2012

ISCD Updates CVI Pages?

It seems that ISCD is going through a review process on their CFATS related web pages. You can see this by observing the “This page was last reviewed / modified on ….” on the bottom of many of their pages (more on their pages than just about anywhere else in DHS). Today the review took place on the landing page for the CFATS Chemical-terrorism Vulnerability Information (CVI) program. As far as I can tell there were no substantive changes made on this page.

Now this is one of the pages that I try to check every business day, looking for updates on the program; particularly the overdue changes expected in response to President Obama’s Executive Order 13556 on Controlled Unclassified Information (CUI). I don’t typically take time to check all of the links on the page (and they are quite numerous on this particular page) unless the date on the bottom of the page changes; like today.

When I checked each link today, I found that one of those pages had been changed reviewed/changed back in January; the Training for Chemical-terrorism Vulnerability Information page. Again, I didn’t see any significant changes on this page, but I did note something of concern; all of the links to the CVI training program were dead links, returning a “Internet Explorer cannot display the webpage” notice. I don’t know if other browsers can access the sites.

Hopefully someone in ISCD will notice this problem and correct the links. Probably not, they seem to be worrying about other things lately.

HR 901 – A lack-of-power play

The status of HR 901, Chemical Facility Anti-Terrorism Security Authorization Act of 2011, was once again updated on Friday while the House met in a pro forma session. The House Energy and Commerce Committee was granted another extension of time to review the legislation; this time until June 8th, 2012. This is the sixth such extension granted since the bill was co-referred to the Committee in March of last year.

Any reasonably intelligent observer of congressional committee politics knows that the Energy and Commerce Committee will not report this bill. It would give explicit jurisdiction for oversight of the  CFATS program to the House Homeland Security Committee. The current situation gives co-oversight responsibility for that program to the Energy and Commerce Committee. This is part of the legacy of creation of the Department of Homeland Security and the inability of congressional leadership, particularly in the House, to rationalize oversight of that department.

The indecisiveness of the House Republican leadership (not that the Democratic leadership in the previous Congress was any more decisive in this regards) has led us to the point where two house bills, HR 901 and HR 908, attempting to provide long-term extension of the CFATS program, both duly reported, have not, and probably will not, come to a vote on the House floor.

Sunday, March 11, 2012

CFATS Threat Assessment

WARNING: If you are a government employee or a government contractor, reading or discussing the document referenced in this post, under the Obama Administration’s Wikileaks Doctrine, may place your job and/or security clearance/access at risk. You are probably okay reading this blog, just stay away from the links and don’t discuss it with anyone. This post will not self-destruct in 30 seconds. 29..28..27…..

The good folks (unless you work for DHS then they’re the ‘nasty folks’) over at have published yet another FOUO document that might be of interest to folks in the chemical facility security community. This time it is the threat assessment for CFATS facilities published on the day that the CFATS program became active, June 8th, 2007. One would like to think that ISCD sent a copy to each facility that registered for the CSAT tool, but I really doubt it.

Nothing earth shattering in the way of intelligence information in this report, and not a whole lot has changed. An updated version of this report would probably add a couple of relatively new al Qaeda affiliate groups. The section on cyber-attacks would probably include a brief discussion of Stuxnet, Duqu and phishing attacks.

Chemical Mistake

There is one glaring mis-statement of fact in this document. On page 6 (page 7 Adobe) the report makes the silly statement that one of the limiting factors in a chemical release attack is gaining access to an explosive powerful enough to cause a toxic chemical release without destroying the chemical in the process (I’m paraphrasing not quoting so I can get around the FOUO paragraph markings). I can’t think of a non-nuclear explosive device powerful enough to destroy the toxicity of chlorine gas, anhydrous ammonia, or hydrogen fluoride, three of the most common toxic gasses in the US chemical industry inventory today. Besides, there is no real need for a large explosive device to be used when attacking these tanks; while the pressure tanks themselves are relatively well ‘armored’ the various piping and valve connections are not. And a variety of liquid toxic inhalation hazard chemicals are stored in much less well ‘armored’ storage tanks that would easily be successfully attacked by a well-constructed IED.

Importance of Threat Assessments

Threat assessments such as this, particularly since this is an FOUO marked document, not a classified document, presents a summary of the information the intelligence community has on potential attackers. While this is just a high-level summary, lacking in any significant details, it does provide high-risk chemical facilities with some information about the threat against which they must orient their security measures.

This means that it is very important that DHS updates these assessments on a periodic basis and push them down to the targeted community. DHS has an active email address of at least one person (frequently two or more) at every high-risk chemical facility in the United States. Pushing these out to the field should be relatively easy to accomplish. If they are not actively pushed down to the facility security manager level they are useless documents.

Document Markings

The use of ‘FOUO’ markings in documents pushed to the private sector only has effects on government employees and contractors. Once in the hands of individuals in the private sector those markings have no practical effect. If DHS is interested in protecting information about threats to the CFATS community, then they should junk the ‘FOUO’ markings and go with the Chemical-terrorism vulnerability information (CVI) marking. CFATS facilities have rules that they must abide by in protecting CVI information; rules that do not apply to FOUO marked documents.

CVI markings provide less legal protection that classified document markings, but they would allow for disclosure of some nearly classified intelligence information to the folks that would have some use for the information. It should be easier to sanitize intelligence reports to the CVI protection level than to FOUO level of nearly no protection. It would be helpful if someone in DHS were specifically tasked with developing intelligence reports for chemical facilities marked as CVI; a chemical facility fusion center would be the ideal responsible entity.

More on ISCD Hearing – Industry Suggestions

Earlier this week I noted in a blog post on the ISCD hearing held before a subcommittee of the House Homeland Security Committee on Tuesday that the industry witnesses had offered suggestions about how the CFATS implementation could be improved. None of this was directly mentioned in the oral presentations or addressed in the questioning by the Subcommittee (with the exception of one tiny inconsequential question and answer), but it was included in the written testimony of Timothy Scott (DOW/ACC) and Bill Almond (SOCMA).

There wasn’t anything that was really new in these suggestions; SOCMA and ACC have been mentioning most of these for some time now; but this was an appropriate venue to bring them up. It would have been nice if there had been more time for consideration/discussion of these suggestions, but that is a common problem with congressional hearings; just not enough time for a discussion of all of the interesting and important topics.

The suggestions fall into three broad categories:

• TWIC-Personnel Surety Program

• Alternative Security Programs

• Outside Inspectors

TWIC-Personnel Surety Program

There is one area where there is broad agreement between management and labor and Democrats and Republicans is that the personnel surety program being developed (‘being developed’ for a number of years) by ISCD for use by CFATS facilities to fulfill the requirement of the Risk-Based Performance Standard #12 should ‘give full credit’ for the TWIC and other federal identity documents that include vetting against the Terrorist Screening Database (TSDB).

What everyone (except ISCD) wants is for facilities not to be required to submit information to an ISCD Personnel Surety Tool for any employee that has a TWIC or HME (those being the two most common federal programs that would be represented by significant numbers of chemical personnel). ISCD wants information on TWIC/HME holders to be submitted so that they can check that those documents are still current; something that facility security managers can and should do. ISCD has made clear that it wants a list of everyone that is a CFATS employee or has unaccompanied access to a high-risk (CFATS) chemical facility; just not why that list is important or even necessary.

If this is all that the TWIC discussion was really about, this would be a no brainer. Congress should step in and tell DHS that the TWIC fully meets the requirements for vetting personnel against the TSDB. OOPS, congress, in their Section 550 (Department of Homeland Security Appropriations Act 2007) authorization language, specifically told DHS that they could not require any specific security measure. And Congress put nothing in that language requiring vetting against the TSDB; another of the many problems caused by the political failure of Congress to pass a comprehensive chemical facility security bill.

Another problem that has not been addressed in the discussion about TWICs is that many in the chemical industry intend to use the TWIC instead of managing their own personnel surety program. Currently ISCD intends for each facility to do its own background check on each employee and on each guest given unaccompanied access to restricted areas of the facility with ISCD only getting involved in the TSDB vetting. If a facility were to require possession of a TWIC as a condition of employment and require all site visitors and contractors to also have a TWIC, they would not have to worry about the liability issues related to conducting and evaluating criminal background checks.

Some of the facilities (perhaps even most) will reimburse employees for the cost of obtaining a TWIC. There will certainly be a significant number that will not cover that cost, thus passing a portion of the cost of their personnel surety program onto employees. Since (as I understand it) the TWIC fee is an application processing fee will any of these companies reimburse employees that cost if they are denied a TWIC?

And there is the legal issue that has yet to be resolved; TWICs are used by ‘transportation workers’ that require access to MTSA covered facilities. Each applicant is required to affirm on their application that they require access to an MTSA facility as a requirement of their job. Since CFATS facilities are, by law, not MTSA covered facilities, companies requiring TWICs as a prerequisite for employment, will be asking many people to lie when they make that affirmation, a crime under federal law.

Congressman Lungren’s (R,CA) Subcommittee would do well to hold a hearing or two about this specific TWIC/CFATS issue and craft legislation as appropriate.

Alternative Security Programs

Congress in their extensive guidance to DHS about the establishment of the CFATS program (more than just a little sarcasm here) did authorize the Secretary to “approve alternative security programs established by private sector entities, Federal, State, or local authorities, or other applicable laws if the Secretary determines that the requirements of such programs meet the requirements of this section and the interim regulations”. This sounds like a great way for DHS to reduce their review/inspection workload; however, the very next paragraph of §550 says:

“Provided further, That the Secretary shall review and approve each vulnerability assessment and site security plan required under this section” {§550(a)}.

ISCD has set-up on-line tools for submission of data to be reviewed. The Site Security Plan tool is not really a site security plan, but rather a series of questions about the SSP. The answers to those questions are supposed to allow ISCD to evaluate if the SSP meets the risk-based performance standards outlined in 6 CFR 27.230. Since facilities submitting an alternative security plan still have to meet those standards, ISCD needs to review those submittals as well.

The only difference is that there will be a different format used for that data submission. I certainly don’t see how this will make ISCD’s work load any easier to bear. Either the submission will be an actual written ASP (an actual readable document that will explain what security measures are to be in-place, how they will be implemented, and who will have what responsibilities in implementing and enforcing those measures) or it will be another questionnaire about such a plan that ISCD will use in the same manner as they use the responses to their SSP tool.

Now I suppose that it is entirely possible that the ACC, or SOCMA, or any other industry supported organization could come up with an on-line data submission tool that would collect more appropriate data and/or organize the data collected in an easier to evaluate format. If that is the case (and the current SSP tool is very incomplete and poorly organized at best) then the ASP will be helpful. The only problem is that if every different industry organization comes up with a different ASP submission format; that is going to aggravate the current training problems at ISCD. And that isn’t going to improve anything.

Outside Inspectors

There was one relatively new suggestion made by Mr. Scott in the memo attached to his prepared testimony. On page 6 of that testimony/memo he makes the following proposal:

“DHS should consider an alternative self-inspection program for lower tier facilities (Tiers 3&4) using accredited third-party auditors. This alternative inspection program could be monitored with statistical sampling (audit schedule) by DHS CFATS inspectors to verify compliance. This would help streamline the program by lessening the burden on the DHS inspection cadre and allow DHS to focus resources and attention on higher risk facilities (Tiers 1 & 2). Existing private sector programs could be leveraged under this concept including the Responsible Care Security Code Program, which is mandatory for membership in ACC and requires third-party certification by an accredited third-party auditor.”

This idea does have a certain appeal. It would cover the vast bulk of the 4,000+ facilities currently in the CFATS program and it would certainly allow inspectors to spend more time at the highest risk facilities conducting final approval inspections and periodic re-inspections to allow for assurance that the programs are being properly maintained.

This would, however, specifically violate another congressional mandate in §550:

“The Secretary of Homeland Security shall audit and inspect chemical facilities for the purposes of determining compliance with the regulations issued pursuant to this section.” {§550(e)}.

So, DHS could consider this idea, but it would require specific congressional authorization to implement. I can just hear Rep. Thompson (D,MS) complaining about ‘inherently governmental functions’ when this comes up for discussion.

Besides, this will do nothing to address the current problems that ISCD is facing in getting SSPs approved. The compliance inspections have yet to start and we have many years to go before Tier 3 and 4 facilities will have to start to worry about compliance inspections.

The Real Problem

These industry suggestions, and even the Anderson-Wulf report, do not address or even identify the real problem that ISCD is having with the approval of SSPs at Tier 1 facilities. These facilities are huge and complicated and even the most basic security plan for them will also be huge and complicated. ISCD really had no idea how large or complicated an oil refinery (for instance) is or how complex a security plan for such a facility would have to be.

It quickly became obvious to all involved that the SSP tool was nowhere near complex enough to gather the data necessary to determine if the SSP was adequate to cover the 18 risk-based performance standards (RBPS). This is why DHS had to institute the ‘pre-authorization’ inspection program that were never included in the original CFATS program outlined in 6 CFR Part 27. Oh, and by the way, there is no authorization or requirement in those regulations to conduct those inspections.

If (and that is always an exceedingly large word in meaning if not spelling) they now have enough information to make that evaluation they face the second basic problem with CFATS program; ISCD cannot dictate what security measures are necessary to achieve compliance with those RBPS. Thus, ISCD has to negotiate with facility management as to what security measures will meet the requirements of the CFATS program. Again, this negotiation process is not specifically spelled out in the CFATS regulations, but is an inherent result of the congressional restrictions placed on DHS.

Now, I am reasonably certain that ISCD does not have the personnel trained in both security and chemical processing necessary to determine specifically what security measures are appropriate at any given facility. So there is no way that they should be given the authority to dictate security measures. This means that we are stuck with the current, and necessarily slow, SSP authorization process.

Additional inspectors and staff review personnel may help to speed up the process some. Some additional speed will come from the experience gained in previous negotiations on both the industry and government side of the table. And additional speed will be gained when the facilities are smaller and less complex.

But none of the items under discussion in these hearings, or probably anything in the Anderson-Wulf report will address this underlying problem. Until we start discussing this issue nothing can be done to significantly improve the time that it takes to complete the SSP authorization process.
/* Use this with templates/template-twocol.html */