Thursday, May 31, 2012

HR 2764 – WMD Intelligence – Passes in House

Yesterday the House considered HR 2764, the WMD Intelligence and Information Sharing Act of 2011, under a suspension of the rules. The bill passed without apparent opposition by a voice vote.

The entire process took just a little over six minutes to complete; using much less than the authorized 40 minutes for debate. The ‘debate’ consisted of short speeches in favor of the bill by just three members; the Homeland Security Chairman, Rep. King (R,NY); the Ranking Member, Rep. Thompson (D,MS); and Rep. Jackson-Lee (D, TX).

If the Senate gets around to taking up this bill, and that will become less likely as we get closer to election season, it will probably pass with similar bipartisan support. There is no indication that there will be any significant attempts to amend the bill to expand its coverage beyond the bio-security concerns found in its present version.

ICS-CERT Publishes Advisory and sKyWIper JSAR

Yesterday the folks at DHS ICS-CERT published an advisory on multiple vulnerabilities on a number of Emerson products as well as a Joint Security Awareness Report (JSAR) on sKyWIper/Flame.

Emerson Advisory

The Emerson Advisory was published describing multiple vulnerabilities in the DeltaV, DeltaV Workstations, and DeltaV ProEssentials Scientific Graph applications. The vulnerabilities were reported in a coordinated disclosure by Kuang-Chun Hung of the Security Research and Service Institute - Information and Communication Security Technology Center (ICST). The Advisory (along with an earlier version) had been previously posted to the US-CERT secure portal.

The five reported vulnerabilities are:

• Cross-site scripting - CVE-2012-1814;
• SQL injection - CVE-2012-1815;
• Denial of service - CVE-2012-1816;
• Buffer overflow - CVE-2012-1817; and
• File Manipulation - CVE-2012-1818.

(Note: Those links are not yet active as of 06:30 EDT 5-31-12, give them a day or two)

These vulnerabilities are remotely exploitable by a moderately skilled attacker. The potential results vary from DOS to execution of arbitrary code. Emerson has distributed (no link available in ICS-CERT Advisory) notification about a hotfix to resolve these vulnerabilities, though the Advisory does not specifically state that either ICS-CERT or the originating researchers have verified the efficacy of the hotfix.

Dale Peterson made a very interesting point last night in a TWEET on this Advisory. He noted that the Emerson DeltaV applications are “very critical DCS software that's widely used in refineries & other CI [Critical Infrastructure]”. As such I am slightly disturbed that ICS-CERT did not publish a link to the Emerson notification; relying instead on a push of that information to owner-operators. I would be willing to bet that there are a number of installations where the point of contact information in the Emerson files is out-of-date.

NOTE: There is a typo in the link for this Advisory on the ICS-CERT web page. It reads, but should read .

sKyWIper/Flame JSAR

Over the long Memorial Day weekend the big cybersecurity news was the discovery of a new cyber-espionage ‘tool’ (no consensus yet on what to describe it as) called sKyWIper or Flame. It has been reported upon by CrySyS, Symantec, and Kaspersky. The JSAR provided by ICS-CERT provides no new information and a very weak summary of the information currently available on this malware.  It does make one important point however when it states that “no evidence exists that sKyWIper specifically targets industrial control systems”; at least yet.

If you want to read a good summary article about what is currently known about sKyWIper you can click on the link under the ‘Critical Infrastructure News’ tab on the ICS-CERT web page for the Tofino Security blog post on the topic. Eric Byres does his typical good job explaining cybersecurity information. This is an interesting bug with lots of implications. We’ll be talking about it for some time to come.

Wednesday, May 30, 2012

2012 CSSS Registration Open

Thanks to a TWEET from SOCMA we know that the registration is now open for the 2012 Chemical Sector Security Summit, July 30 thru August 1st. Since SOCMA is an co-sponsor of this event it seems proper that they beat DHS to the punch in announcing the opening of registration, providing a link to the registration page, the preliminary agenda for the event and the location/accommodation information for the event.

I expect that we will see an update of the DHS CSSS page with this info later this week.

House Rules Committee Sets Rule for HR 5743

Yesterday I noted that the House Rules Committee would meet today to set up the rule for the consideration of HR 5743, the Intelligence Authorization Act for Fiscal Year 2013. I promised to look at the bill and the associated Committee Report for mentions of cybersecurity issues; and as I expected there were none; after all, most of the bill is classified. Fortunately, the nine amendments that have been cleared to be considered during the floor debate under a ‘structured rule’ are not classified, and two of them deal with cybersecurity.

Cleared Floor Amendments

Rep. Farr (D,CA) introduced an amendment that would add a rather short §306 to the bill. It would have no real force of law because it is a ‘sense of Congress’ resolution telling intelligence community leaders to “take into consideration foreign languages and cultures during the development by such element of the intelligence community of training, tools, and methodologies to protect the networks of the United States against cyber attacks and intrusions from foreign entities”. I’m not sure what the crafter of this bill intended to mean by the phrase ‘to take into consideration’. I am just as sure that it isn’t important in any case, it is after all just a ‘sense of Congress’ statement.

Rep. Myrick (R,NC) and Wolf (R,VA) introduce the last amendment that will be considered on the Floor for this bill. It required the Director of National Intelligence (DNI) to prepare a report to Congress on supply chain security issues related to foreign suppliers of “of information technology (including equipment, software, and services) that are linked directly or indirectly to a foreign government” {§502(a)(1)}. The DNI is required to assess the “vulnerability to malicious activity, including cyber crime or espionage, of the telecommunications networks of the United States due to the presence of technology produced by suppliers identified” {§502(a)(2)}. If the ‘linked directly or indirectly to a foreign government’ didn’t make the scope of this report large enough, the definition of ‘telecommunications networks’ solved the problem; it includes:

• Telephone systems;

• Internet systems;

• Fiber optic lines, including cable landings;

• Computer networks; and

• Smart grid technology

Nothing about the kitchen sink though.

Passed Over Amendments

There were three more cybersecurity related amendments offered to the Rules Committee that did not make the cut for being allowed to reach the Floor during the debate later this week. Those amendments included requirements for:

A threat assessment for cyber threats to critical infrastructure; Clarke (D,NY);

• Each agency that deals with classified documents to report back in 1 year potential security risks associated with the acquisition of computer hardware; Cuellar (D,TX); and

• The Civil Liberties Protection Officer to review on an ongoing basis, and prepare, as necessary, privacy impact assessments on, the cybersecurity policies, programs, and activities of the Intelligence Community; Hahn (D,CA).

It is interesting that two different amendments would address the supply chain security issue.

Oh, and special kudos to Ms. Clarke. She has tried to get this amendment made to every bill that looked like it might relate to cybersecurity, both in Committee and on the floor. Readers of this blog will know that I am not a big fan of reports to Congress, but this one sure seems legitimate to me. Keep plugging Congresswoman Clarke.

Moving Forward

According to the Majority Leader’s web site this bill will come to the floor tomorrow afternoon with work carrying on until it concludes sometime tomorrow night.

TSA’s Surface Inspection Program – Hearing Witness List

The Subcommittee on Transportation Security of the House Homeland Security Committee has published the witness list for their hearing tomorrow on the effectiveness of the TSA Surface Inspection Program. I was wrong yesterday in suggesting that there would be someone from TSA testifying; all of the announced witnesses are from the private sector. The witnesses represent the railroads (freight and passenger), trucking, and bus travel.

The hearing web-site describes the purpose this way:

“Given the reality that terrorists see surface transportation as a very attractive target, we owe it to taxpayers to take a close look at TSA's inspectors program and determine whether this is a good use of limited resources, or if this funding would be better spent on other surface initiatives designed to prevent an attack.”

The currently scheduled witnesses are:

• Mr. John O’Connor, Chief of Police, Amtrak;

• Mr. Skip Elliott, Vice President of Public Safety and Environment, CSX, Testifying on behalf of the Association of American Railroads;

• Mr. Philip L. Byrd Sr., President, Bulldog Hiway Express, Testifying on behalf of the American Trucking Associations;

• Mr. William C. Blankenship,Chief Operating Officer, Greyhound Lines, Inc.; and

• Mr. Doug Morris, Director, Safety and Security Operations, Owner-Operator Independent Drivers Association

While the TSA provides counter-terrorism support to the passenger railroad industry in the form of VIPER teams, the only real surface transportation program that the TSA currently has in place that calls for inspectors is the transportation of hazardous chemicals by rail. The only other ‘inspection’ activity is the Corporate Security Reviews conducted on a voluntary basis. Of course, even if there were the congressionally mandated security programs in place it is almost certain that the small size of the surface transportation inspection force would not be able to ‘inspect’ even a statistically significant sample of the covered organizations.

It will be interesting to see what alternatives might be available to protect the vast surface transportation network in this country that so many people rely upon every day.

HR 5856 Introduced – DOD Appropriations

Just before the Memorial Day Weekend, during a proforma session, Rep. Young (R-FL) introduced HR 5856, the Department of Defense Appropriations Act, 2013. While DOD has a major measure of responsibility for cybersecurity actions, there is nothing in the bill that mentions cybersecurity or cyber operations.

Last year we saw a number of items in the Appropriations Committee report on that DOD appropriations bill, but there are no programs mentioned in the report for HR 5856. Interestingly though, there is a rather lengthy comment about the lack of mention found in the Committee report (pg 208 – Adobe 218):

“The Committee acknowledges the threat to and from the cyber realm and believes it has been well documented; however, the resources being expended against the threat have not. In order to better evaluate the planning and resourcing for Department of Defense cyber activities, the Committee directs the Commander, United States Cyber Command, in coordination with the Secretary of Defense and each of the Service Secretaries, to provide the congressional defense committees separate budget justification material, in the form of budget documents as defined in the Department’s financial management regulation, that details the year-toyear budgets, schedule, and milestone goals over the Future Years Defense Program for the individual programs that support the goals of cyber initiatives. The programs detailed must include cyberspace operations, computer network operations, information assurance, and full spectrum cyber operations for the Department of Defense and the Services. Further, the Committee suggests that the Department continue to refine what activities, budget lines, and programs should be considered cyber in order to better coordinate and track these budgets.”

With the level of DOD responsibility for defending against cyber-attacks and conducting cyber-operations, this is certainly something that should show up in the documentation for both the President’s budget request, but also in the appropriations bills written by Congress.

It still wouldn’t be surprising to see amendments offered to this bill that address specific cybersecurity or cyber operations when it comes to the floor of the House next month.

PHMSA Extends Deadline of Pipeline Damage Protection NPRM

Today PHMSA published a notice in the Federal Register (77 FR 31827) announcing that they were responding to requests for extension of the comment period on their recently published notice of proposed rulemaking (NPRM) for revisions to the Pipeline Safety Regulations concerning their pipeline damage prevention program. PHMSA has extended the comment period from June 1, 2012, to July 9, 2012.

Support for Methyl Bromide Fumigation of Cottonseeds

Early in April the EPA published an notice of proposed rulemaking proposing to establish a new pesticide tolerance standard for methyl bromide on cottonseed to be imported into the United States as cattle feed. A pre-requisite for establishing that tolerance would be the establishment of a treatment schedule in the Department of Agriculture’s (DA) Plant Protection and Quarantine Treatment Manual. Yesterday the DA published a notice in the Federal Register (77 FR 31564-31566) announcing that they “have determined that it is  necessary to immediately add to the Plant Protection and Quarantine  Treatment Manual a treatment schedule for methyl bromide fumigation of  cottonseed for the fungal plant pathogen Fusarium oxysporum f. sp. vasinfectum (FOV)” (77 FR 31564).

The adoption of the proposed amendment to the PPQ Treatment Manual effectively clears the way for EPA to proceed with their NPRM allowing this new use of methyl bromide. While I am certainly not an agricultural specialist and couldn’t even identify a cottonseed, it seems that this appears to be a justified use of this material.

What is not clear is the effect this new critical use of methyl bromide will have on the phase out of that material under the Montreal Protocol. I would suspect that this will extend the lifetime of the use of methyl bromide in the United States for some indeterminate time.

Once again, I would call upon DHS to add methyl bromide back to the list of DHS chemicals of interest (COI) requiring reporting under the CFATS program (6 CFR Part 27, Appendix A). That methyl bromide is a toxic chemical meeting the requirements of a toxic release COI has never been in dispute. DHS removed methyl bromide from the final list for Appendix A simply because they had assurances from the EPA that methyl bromide was being phased out of use and production making it a waste of time to include it in the CFATS program. DHS clearly misunderstood how long the phase out of methyl bromide was going to take.

Tuesday, May 29, 2012

Reader Comment 5-28-12 – Alternate Explanation for HR 5802

Laurie Thomas, one of my go-to-sources for MTSA information, posted a comment on my recent blog about Port Security Grant legislation. She offered this alternative explanation for the purpose of HR 5802:

“I have a slightly different slant on HR 5802. I see this as an attempt to grant industry some relief on TWIC readers. PAC 01-11 states that industry stakeholders who have purchased TWIC readers that subsequently do not meet regulatory requirements will not be reimbursed for the cost of replacement.”

This is a very likely source of Rep. Richardson’s (D,CA) concern about equipment replacement costs since she represents areas supporting two of the largest ports on the West Coast. If this was the sole intent, however, it is not properly reflected in the language of the bill. The bill does not restrict the grant support to just replacement TWIC Readers, so it may end up diluting the funds available for that purpose by a number of grant requests for supporting the replacement of other, even more expensive, port security equipment.

Laurie’s comment also takes a well-deserved dig at DHS for having been slow to implement provisions of the Safe Port Act. Like a number of other security requirements established by legislation, the current (and to be fair, the previous) Administration has been slow to develop regulations supporting the requirements of the Safe Port Act. Perhaps Congress ought to look at cutting funding for other DHS offices the way the House Appropriations Committee has proposed for the CFATS program.

Congressional Hearings – Week of 5-29-12

The House took off the week before the Memorial Day Weekend and the Senate is taking the week after off. So we only have to worry about hearings in the House this week. Those will include a hearing on the TSA Surface Security program and a rules hearing on a number of spending bills. Additionally the House is scheduled to consider a WMD bill on the floor.

TSA Hearing

The Transportation Security Subcommittee of the House Homeland Security Committee will be holding a hearing on “TSA’s Surface Inspection Program: Strengthening Security or Squandering Scant Resources?” on Thursday. The only surface security regulations really in place deal with rail security for hazardous chemicals. Perhaps Chairman Rogers (R,AL) will ask about the status of the long overdue regulations for security of truck transportation of the same chemicals.

No witness list is currently available. We can expect that there will be at least one witness from TSA.

Spending Bills

The House Rules Committee will be holding a hearing on Wednesday to formulate the rule for a number of appropriations bills; three of which may address issues of interest to the chemical security and cybersecurity communities. The one bill of certain interest will be H.R. 5855, Department of Homeland Security Appropriations Act, 2013; I’ve addressed this bill in some detail at the committee print stage. Three other bills will also be addressed at that hearing; the two of potential interest will be:

• H.R. 5743 — Intelligence Authorization Act for Fiscal Year 2013

• H.R. 5325—Energy and Water Development and Related Agencies Appropriations Act, 2013

I’ll be looking at each of these bills in more detail as the week progresses.

Floor of the House

According to the House Majority Leader’s web site the House is currently scheduled to consider HR 2764, the WMD Intelligence and Information Sharing Act of 2011 under suspension of the rules this week; this means it will require a 3/5 majority to pass. Scheduling it in this manner means that the leadership believes that this bill will pass without significant opposition.

Three of the four bills being considered by the House Rules Committee this week may make it to the floor on Thursday. The one not currently on the schedule is the DHS appropriations bill.

Monday, May 28, 2012

Port Security Grant Legislation Introduced

Recently Rep. Richardson (D,CA) introduced two pieces of legislation that would modify the Port Security Grant funding process, expanding the potential uses of those funds. The bills were HR 5802, the Port Security Equipment Improvement Act of 2012, and HR 5803, the Port Security Boots on the Ground Act. Neither bill expands the amount of money made available for the Port Security Grant program; they just expand where the awarded grants can be spent.

Equipment Improvement

HR 5802 would amend 46 USC § 70107(b)(2) by adding the words “and replacement”. This would make the first sentence of the paragraph read:

“The cost of acquisition, operation, maintenance, and replacement [changed wording] of security equipment or facilities to be used for security monitoring and recording, security gates and fencing, marine barriers for designated security zones, security- related lighting systems, remote surveillance, concealed video systems, security vessels, and other security-related infrastructure or equipment that contributes to the overall security of passengers, cargo, or crewmembers.”

As the Maritime Transportation Security Act of 2002 approaches being ten years old, some of the security equipment emplaced under the requirements of the act is reaching the end of its useful life. If this section of the authorization for the Port Security Grant program is not modified, local authorities will be forced to spend their own money replacing this aging equipment.

Boots on the Ground

HR 5803 would amend § 70107(b)(1), changing it to read:

“Salary, benefits, overtime compensation, retirement contributions, and other costs of additional Coast Guard mandated security personnel, including overtime and backfill costs incurred in support of other expenditures authorized under this subsection, except that not more than 50 percent of amounts received by a grantee under this section for a fiscal year may be used under this paragraph [added language].”

This would greatly expand the potential use of Port Security Grants to fund payroll expenditures. To prevent all of the grant funding from going to personnel costs, the bill does limit to total personnel expenditures to just 50% of any grant money received. This may hurt grantees that used their awards for a larger share of their personnel costs.

Moving Forward

I would be surprised if either bill makes it out of the Homeland Security Committee as stand alone legislation. I would suspect, however, that either or both of these bills could find their way into an authorization bill (DHS or Coast Guard) or the DHS appropriations bill as a floor amendment.

Sunday, May 27, 2012

RuggedCom Update and ICS-CERT Tips Published

Friday the folks at ICS-CERT published an advisory updating the vulnerability information for RuggedSwitch and RuggedServer that were identified last month. They also published a technical information paper covering mitigation strategies for dealing with identified or suspected cyber  intrusions.

RuggedCom Advisory

This Advisory is actually the second ICS-CERT follow-up to the initial alert on this vulnerability; there was an amended alert issued two days after the initial alert noting that RuggedCom would be issuing a firmware update within the month. This Advisory confirms that the firmware update was made available and ICS-CERT has confirmed that it effectively mitigates the vulnerability.

Actually that’s an overstatement of facts as a closer reading of the Advisory makes clear. The firmware update provided only applies to ROS 3.10.1. Updates for other versions will be released ‘in the next few weeks on a staggered basis’. The reason is that each version requires its own variations to be developed, tested and verified. While this may be initially confusing (especially for system owners that have equipment with different versions of the ROS in their various pieces of RuggedCom equipment) it does insure that the updated firmware gets into the field as quickly as possible.

RuggedCom will publish a new product bulletin for each of the updates as they are made available. It is not clear if ICS-CERT will update this advisory each time a new ROS version is updated. I suspect that they probably will.

Apparently RuggedCom is not planning on providing firmware updates to ROS versions earlier than 3.7. They are urging customers to upgrade products with older versions. ICS-CERT notes that RuggedCom has indicated a willingness to work with customers that are unable to make such upgrades.

Updating firmware has its own special challenges in installed equipment. To make matters more interesting in this case is the apparent fact that the update changes the way that the RuggedCom equipment will now handle recovery of administrative passwords. The ICS-CERT Advisory provides this information:

“These new versions of the ROS firmware remove the factory account and the associated security vulnerability. Customers using these new versions of the firmware should take special care not to lose the user defined password to a device’s administrative account as recovering from a lost administrative password will now require physical access to the device to reset the passwords.”

On a purely editorial note, it appears that ICS-CERT is providing a little more credit for the initiators of uncoordinated disclosures. This Advisory provides a link to the Justin Clark public disclosure of the vulnerability in these systems. In my opinion this is long overdue as a minimum standard of the acknowledgement of the intellectual property of the researcher involved.

Cyber Intrusion Mitigation

Friday also saw the publication of one of ICS-CERT’s infrequent tip sheets. According to the introduction this 8-page document provides “ high-level strategies that should can improve overall visibility of a cyber intrusion and aid in recovery efforts should an incident occur” (pg 1). While it is not stated anywhere in the document, I would assume that this is at least partially in response to the phishing attacks on US gas companies that were reported earlier this month.

The document addresses:

• Preserving forensic data;

• Detection and mitigation activities, including:

∙ Intrusion detection / preventing lateral network movement;

∙ Credential management;

∙ Increased logging capabilities;

∙ DNS logging with host level granularity; and

∙ Auditing network hosts for suspicious files;

• What to do with an infected host;

• Longer-term recommendations, including:

∙ Strict role-based access control;

∙ Network segmentation;

∙ Application whitelisting, and;

∙ Phishing prevention.

As one would expect, there is nothing really new here, but it is a nice summary of the multiple levels of cyber protection that need to be employed to help reduce the effectiveness and impact of a targeted cyber-attack.

Saturday, May 26, 2012

Reader Comment 5-26-12 – De-listing CFATS Sites

Early this morning an anonymous reader (from the tone of the comment, someone of some standing in ISCD) posted a comment objecting to two statements that I had made in an earlier blog about the delisting of 1670 CFATS facilities because they eliminated DHS chemicals of interest (COI) on site and another 700 because they reduced the volume of COI on site.

Removing Facilities from CFATS Coverage

I stated that “DHS has done nothing to confirm these reported changes”. The reader took exception to that stating:

“Inspector teams were sent in a significant number of cases to inspect and verify whether the facility had reduced or removed their chemical holdings according to their formal request to be retiered. These teams documented what they found and these analyses were used by DHS HQ in making the final decision on whether to retier the subject facility.”

If this is true (and I have no way of confirming or disproving this statement), this is the first public disclosure of the methodology that ISCD has been using to remove facilities from the ‘list’ of facilities at high-risk of terrorist attack. While some could quibble with the ‘in a significant number of cases’ instead of ‘in all cases’ there are no standards for removal from (or inclusion on for that matter) of the list of covered facilities in either legislation or regulation; this is left by Congress to the discretion of the Secretary of DHS. And it could be argued that since the Department accepts the initial Top Screen information without independent verification that it should accept modifications to that data by the same standard.

DHS has long taken the justifiable stand that it will not disclose the specific standards by which they determine that a facility in possession of a screening threshold quantity (STQ) of a COI presents a high level of security threat. With that oft stated policy it is not unreasonable that they will not disclose the same standards for removal of facility from that list. It is unreasonable, however, for ISCD not to publish the process by which they will collect and verify the information necessary for removal from CFATS covered status.

Currently, the sole bit of information publicly available about the ‘redetermination’ process is found in 6 CFR §27.205(b):

“(b) Redetermination. If a covered facility previously determined to present a high level of security risk has materially altered its operations, it may seek a redetermination by filing a Request for Redetermination with the Assistant Secretary, and may request a meeting regarding the Request. Within 45 calendar days of receipt of such a Request, or within 45 calendar days of a meeting under this paragraph, the Assistant Secretary shall notify the covered facility in writing of the Department's decision on the Request for Redetermination.”

Oh, yes, there is also a frequently asked question on the CFATS Knowledge Center web site (FAQ # 1557) which provides the name and address of the person to whom the letter requesting a redetermination should be sent.

Not having published a process for the review of redetermination requests, I am more than a little surprised that there haven’t been any law suits filed in cases where a redetermination request has been denied. There are two reasonable explanations why that isn’t the case. First the letter from the Assistant Secretary does such a good job explaining the situation that the facility is forced by good sense to acquiesce, or secondly there have not been a significant number of redeterminations declined.

Changes in Concentrations

The reader also takes exception to my comments in the original blog post about minor changes in concentrations being reasons for redeterminations. The reader responded:

“While it is true that some facilities reduced the concentration, somtimes to a minor degree and other times significantly - the fact is, DHS established a threshold of concentration that was deemed significant, not one that below which posed zero risk. CFATS was designed to regulate high risk sites, not all sites that pose a risk. Therefore a threshold had to be established and followed.”

The reader raises a legitimate issue. In establishing a standard where there is not a clearly discrete situation; where there is a continuum where something must be determined to either fit or not fit a category; a line in the sand must be drawn. We can argue that the discrete difference between two items on either side of the line is nearly indistinguishable, but that will be true for any two points along the line.

Still, having said all of that, it still seems to me that the purpose of the CFATS regulations is somewhat compromised when a large sector of industry changes concentrations of aqua ammonia from 20% to 19% just to avoid coverage of the CFATS regulations. Of course if DHS were to just change the concentration in Appendix A to 19%, many of the distributors and users will just change to 18%; so there is no easy answer for coverage for new facilities.

Facilities that are already covered by CFATS do not have to be removed from the system if they simply change concentrations. DHS should make a positive determination that the change in concentration for an existing facility actually changes the risk below some minimum level before taking action to remove the facility from coverage. If that is what DHS is doing, so much the better.

Reducing Inventories

I didn’t specifically address reduced inventories in my earlier blog, nor did my anonymous reader in the comment posted this morning, but any ISCD procedure for adjusting CFATS status or tier ranking needs to take this into account. The major problem with reducing inventory levels to below STQ values to be removed from the CFATS program or to some (other) arbitrary level to reduce tier rankings, is that there is no way to ensure that the inventory doesn’t drift above that level at some future point in time.

I would like to suggest that before ISCD reduces a tier ranking or removes a facility from CFATS coverage due to an inventory reduction plan, they should require a facility to submit a plan for temporary security measures that would be put into place when the inventory raises above the STQ or tier raising threshold. Along with the required Top Screen submission for an increase in inventory levels, the facility would notify ISCD that the agreed upon security measures are in place and inspectable.

Redetermination Policy

Again I am happy to hear that ISCD has a procedure in place to ensure that there are adequate review and verification procedures in place to deal with requests for re-determinations of CFATS status or tier ranking. I would be much happier if the notification of the existence of that procedure had come from someone other than an anonymous source taking me to task on this blog. A published procedure or policy would be most appropriate, but even an article on the CFATS Knowledge Center would be better than a brief anonymous statement.

Friday, May 25, 2012

Two DHS ICS-CERT Advisories

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two advisories for control system vulnerabilities identified in Measuresoft’s SCADAPRO and the xArrow Software HMI system. Alert readers will note that the xArrow Advisory is an update from an earlier xArrow Alert.

Measuresoft Advisory

Measuresoft is an Irish SCADA manufacturer and this advisory is based upon an uncontrolled search path element vulnerability (DLL hijack) reported by Carlos Mario Penagos Hollmann in a coordinated disclosure. The vulnerability could be remotely exploited by a moderately skilled attacker; possibly resulting in execution of arbitrary code.

Measuresoft has produced upgrades for both its ScadaPro Server and Client. According to the Advisory Hollmann has verified that the upgrades appropriately mitigate the vulnerability.

xArrow Advisory

xArrow Software is a Chinese software development firm. The four vulnerabilities were identified in their HMI by Luigi back in March and reported in an uncoordinated disclosure. The vulnerabilities listed are:

• Null pointer de-reference;

• Heap-based buffer overflow;

• Out-of-bounds read; and

• Improper restriction of operations within the bounds of the memory buffer.

The Advisory states that; “No known exploits specifically target these vulnerabilities.” This contradicts what ICS-CERT said in their original Alert and Luigi is well known for having exploit code on his web site (and it looks like exploit code to me for this disclosure). This is probably one of those formatting mistakes (using a canned format for the Advisory) rather than a deliberate misstatement on the part of ICS-CERT.

Missed Alert and Advisory

I did not report on an alert and an advisory published by ICS-CERT last week. The alert was for another Luigi uncoordinated disclosure for multiple (4) vulnerabilities in the Pro-Face Pro-Server SCADA/HMI product. The advisory was a follow-up to an earlier alert about a buffer overflow vulnerability in the Advantech Studio, an automation tool used to develop HMI and SCADA systems. There is no telling what sytems Studio has been used to develop of if any have been compromised through this vulnerability.

Wednesday, May 23, 2012

Senate Appropriations Committee Addresses CFATS

Yesterday Sen. Landrieu (D,LA) introduced S 3216, the DHS Appropriations Act for FY 2013. While a copy of the actual bill is not yet available via the GPO, a copy of the Committee Report is. Like their House counterparts, the Senate Committee took the opportunity to address the CFATS issues raised in recent reports about problems at the DHS Infrastructure Security Compliance Division.

Funding Reductions

The Senate bill would not make the drastic cuts in ISCD funding that are found in the House bill (still to be introduced). While reducing the appropriations from last year’s budget, the Committee would provide more funds for CFATS than requested by the Administration, noting that (pg 98):

“This budget proposal was developed before a detailed plan to address the implementation problems had been completed. The Committee understands that within the third and fourth quarters of fiscal year 2012, a detailed manpower and systems review will be completed [emphasis added]. Initial action items show that fiscal year 2013 costs will likely need to be incurred for additional personnel, training, and information technology. The Committee notes it would be shortsighted, in the meantime, to take the full amount of proposed savings when the need for improvement has been documented. Funding will not resolve all of the outstanding issues, but the proposed cuts are too deep to ensure change for the better can be completed.”

It’s extremely interesting that we get to hear about this review from the Appropriations Committee when hearings by two House Committees on the ISCD problem did not mention the review. Of course both of the appropriations committees have more say over the CFATS program than do any of the other three (2 House and 1 Senate) committees that claim some sort of oversight responsibility. Of course, controlling the purse strings certainly helps, but the repeated failure to craft a real chemical security bill that can make it to the White House is the real reason that the other committees have so little influence on ISCD.

Program Success?

Even while complaining about the lack of implementation progress, the Committee Report declares the CFATS program a success noting (pg 99) that:

“These findings emphasize the accomplishments made by government and industry working together and the need to continue the program.”

The ‘these findings’ refers to a ‘recent survey’ by the American Chemistry Council that “found that the risk-based performance standards approach is effective”. The two measures mentioned in this report justifying that finding are the amounts of money spent on security measures ‘as the result of CFATS’ and the fact that “more than 1,670 facilities have completely removed chemicals of interest and more than 700 facilities have reduced the quantity of stored chemicals for better security”.

While ISCD, GreenPeace and the American Chemistry Council all site [cite] these figures as proof that improvements are being made, all of them are ignoring the fact that DHS has done nothing to confirm these reported changes, nor has a study been done to determine how the changes were made. I know for a fact that some of those changes were due to a change in the concentration of a commercial grade of aqueous ammonia from 20% to 19%, hardly a significant change from the point of view of chemical security.

Another Report Required

Appropriations committees have never found an issue that did not justify the mandate of yet another report. This Committee Report is no different. Among other reports to Congress required by this section of the Report the Committee directs NPPD to prepare a semi-annual report on the progress of CFATS implementation; the first one is due 90 days after passage of this bill. The following information will be reported (annotated by Risk Tier):

• Facilities covered;

• Inspectors;

• Completed inspections;

• Inspections completed by region;

• Pending inspections;

• Days inspections are overdue;

• Enforcements resulting from inspections; and

• Enforcements overdue for resolution.

Since this is compiled data, with no facility specific information being required, there is no need for this report to be classified or marked Chemical-Terrorism Vulnerability Information (CVI). That means that Congress could easily share this information with the public; it won’t but it could. After all, the high-and-mighty Senators need to know things that the lowly public doesn’t.

Tuesday, May 22, 2012

S 3188 Introduced – WMD Civil Support Teams

Last week Sen. Gillibrand (D,NY) introduced S 3188, a bill to increase the authorized number of Weapons of Mass Destruction (WMD) Civil Support Teams. The bill would increase the current authorized number (23 to 55) of CST to 25 to 57 {§1043(a)(2)}. The current number is based upon a statutory requirement to have at least one CST in each State, territory and the District of Columbia.

There is no indication in the bill of where the two additional teams would be deployed, but I would expect that Sen. Gillibrand intends for at least one to be stationed in the New York City area. It seems like the fact that California has two teams and New York only one may be further aggravating the concern that the ‘largest terrorist target’ in this country does not have its own CST.

According to the National Guard WMD-CST web page the role of the teams are to:

Assess hazards, advise civil authorities, and facilitate military support during emergencies and incidents of suspected weapons of mass destruction or other disasters. Advise civilian responders on appropriate actions through on-site testing and expert consultation, and assist and facilitate the arrival of follow-on state and federal military forces.

I’ve long maintained that these teams may have an important role in responding to terrorist attacks on large chemical facilities or catastrophic accidents at such facilities. It would be nice to hear that such facilities have engaged these National Guard units in the emergency response planning process for such incidents.

Monday, May 21, 2012

Private Sector Resources Catalog Update

A couple of years ago someone at DHS got an absolutely brilliant idea, publish a document on the web that provided a summary of, and point of contact information for, each of the public programs operated by each of the various components of DHS. Today, DHS published the latest update of this document on the Private Sector Resources Catalog (PSRC) web site.


One can download the entire PSRC, an unwieldy 75 page document, or you can access individual sections of the document.  During the previous update last summer DHS changed the format of the information somewhat, aligning the sections with the five missions of the Department. Adding some general department information and points of contacts the PSRC offers the following links:

Most readers of this blog are going to find the ‘Preventing Terrorism’ and ‘Securing Cyberspace’ sections most valuable. The ‘Key Contacts’ section provides either an email address or a phone number for (in some limited number of cases) for the various programs in DHS; listed by organization.

Suggestions for Improvements

This really is a great idea, but I just can’t leave well enough alone; there are some changes that I would like to see.

First off, too many of the programs listed in the PSRC do not have their own web page for people to go for more information. These programs typically have an email address to get more information. Each time I have used that contact method I have gotten an informative reply within a day or two; a very reasonable response given that the action agency is typically a small shop with just a couple of people working on the project.

If each program had a small web site with links to the documents that are readily sent to the public, the response would be more efficient; with a more timely exchange of information and less work by the office involved.

I know this isn’t possible for all of the programs. There are some programs where there are vetting requirements before DHS can share the information. For those, we will just have to live with the email point-of-contact.

The second change deals with the Index page provided for the PSRC. The current version is a low-tech index with just a page number for each of the listed programs. It is only useful if you have downloaded the entire PSRC since it doesn’t tell you in which section the page number will be found (though for many you’ll probably be able to guess).

Instead of being a .PDF document this page should be an HTML document with active links to each of referenced programs.

And really, that’s all I’ve got for improving this document. The folks at the Private Sector Office at DHS have done a pretty good job with this information sharing program. Keep it up.

Congressional Hearings – Week of 5-21-12

The House is out-of-town this week so that half of the Building is quiet. The Senate is in session, but the only hearings of concern for the cybersecurity people is the mark-up hearings for the Senate’s version of the National Defense Authorization Act (NDA) for 2013. The full Senate Appropriations Committee will meet behind closed doors on Wednesday, Thursday and Friday to markup that bill. It will be interesting to see how different it is from the House version passed last week.

Don’t expect any big news in that bill. The unclassified parts of cyber-warfare and cybersecurity will be very minor mentions in the bill. Still we watch for what we can see.

Saturday, May 19, 2012

House Passes HR 4310 with Cyber Measures

Yesterday, after two long days of debate including the consideration of over 100 amendments the House passed H4310, the National Defense Authorization Act for Fiscal Year 2013, by a bipartisan vote of 299 to 120. The cyber provisions of the bill that I described in an earlier blog remain in the bill (one with a floor revision). Three cyber-related amendments to the bill were considered during the floor debate; all passed by voice vote.

There is still nothing specifically addressing industrial cybersecurity or control system security, but it does offer a look at the expansion of congressional interest in cyber operations. The interesting thing about the votes on these three cyber-related amendments is that they were considered as part of three separate ‘en bloc’ votes containing 15 or more other amendments. Such groupings are made up of non-controversial amendments because significant opposition to even one of the members of the group could result in all of the amendments being voted down.

Amending Offensive Operations in Cyberspace

In the earlier blog I noted that the bill considered this week amended the current congressional authority to conduct operations in cyberspace to specifically authorize clandestine operations in support of congressionally cleared operations. Rep. Rogers (R,MI) offered an amendment that would clarify that while clandestine operations would be authorized nothing “in this section shall be construed to authorize a covert action” {§954(d)}. While there may be more sophisticated explanations for the difference between ‘clandestine’ and ‘covert’ here it appears to rest upon the type of Congressional authorization required for the action.

Air Force and Cyber Security

Rep. Hanna (R,NY) offered an amendment that would require the Secretary to report on Air Force cyber operations research, science, and technology. Most of this is amendment is focused on military operations in cyberspace, but the last sub-paragraph requires the inclusion of a review of the “potential benefit to the Air Force for collaboration with private industry and the development of cyber security technology clusters” {§245(9)}. While not specific to control system security, any additional research into cybersecurity will probably be beneficial to the ICS  processes.

Interagency Coordination

The final cyber-related amendment was offered by Rep. Thornberry (R,TX) that would require the establishment of an interagency organization that would “coordinate and deconflict full-spectrum military cyber operations for the Federal Government” {§1084(a)}. While this is probably directed at DOD agencies (it does refer to military ‘cyber operations’ after all), this could be expanded to include non-DOD agencies like DHS. Coordination of government cyber operations (coordination of anything, for that matter) is probably a good thing in general.

Moving Forward

Now that it has passed in the House we can expect that the Senate will start with its own version of the bill (which I haven’t seen yet) and then the two will get reconciled in conference. It’s anybody’s guess as to what will survive that process.

Friday, May 18, 2012

Two EPA Methyl Bromide Actions

Earlier this week the EPA published a final rule and a notice in the Federal Register relating to the use of methyl bromide. The final rule (77 FR 29218-29231) authorized the 2012 ‘critical use exemptions’ to the methyl bromide phase-out under the Montreal Protocol on Substances that Deplete the Ozone Layer. The notice (77 FR 29341-29344) was a solicitation for data to formulate the 2015 critical use exemption numbers.

2012 Final Rule

As I mentioned in an earlier blog post this publication comes way too late to be an effective tool in the control of the use and production of methyl bromide. I noted in that blog that in 2011 EPA had provided a letter to the affected parties that provided dispensation to use methyl bromide outside of the required publish and comment process. This final rule notes that the same was done in December of 2011 for this year’s program.

This delay in the issuance of the final rule was addressed in the preamble to the rule. And to be fair EPA did get OMB’s approval for this year’s rule before they issued the final rule for last year’s allocations; so they are getting better.

This rule became effective on the date of its publication.

2015 Information

In order to provide for timely rulemaking EPA requires input from the affected methyl bromide community. The information being solicited in this weeks’ notice will support the rulemaking process for 2015. Anyone wishing to obtain a critical use exemption for 2015 must provide EPA with technical and economic information to support a “critical use” claim and must do so by the deadline specified (August 15, 2012) even if they have applied for a CUE for earlier years.

The notice provides a summary of the different information that would be required for a number of different uses. Those uses include:

Applications may be emailed to

Methyl Bromide and CFATS

Once again it is clear that DHS overestimated the ability of EPA to actually phase out the use of methyl bromide; the justification that DHS used to remove methyl bromide from the proposed list of DHS chemicals of interest (COI) that form the basis for the initial screening of chemical facilities to determine if they are at high-risk of terrorist attack.

Once again (and I know that I am continuing to beat this drum at every opportunity) I urge DHS to add methyl bromide back to the Appendix A list of COI for the CFATS program. This toxic inhalation chemical will almost certainly be around for much longer than 2015.

Thursday, May 17, 2012

House Appropriations Committee Report Addresses CFATS

A House Appropriations Committee draft report on the FY 2013 DHS appropriations bill that was marked up yesterday contains an extensive and scathing analysis of the problems associated with the CFATS program. While the recommendations and mandates included in the report do not carry the force of law, they can be enforced by the Committee’s funding of programs in subsequent years.

The ISCD Problem

While the Committee has not held any hearings on the problems self-identified by the Infrastructure Security Compliance Division, the Committee has reached a definitive conclusion about the effects of these problems (pg 99):

“It is the Committee’s understanding that even with the changes that are currently being implemented, it will still be more than a year before the CFATS regulatory process authorizes, approves, and inspects even a single facility of the over 4,500 facilities that are part of the program. Furthermore, based on information received by the Committee, it may be almost seven years before all facilities will be fully authorized, approved, and inspected. This type of timeline and lack of progress is unacceptable.”

The report goes on to note that another large-scale industrial security program operated by elements of DHS has been effectively implemented in a timely manner. The report describes the Coast Guards Maritime Transportation Security Act (MTSA) implementation this way (pg 99):

“In less than two years after enactment of that Act, vessels and port facilities had conducted vulnerability assessments and developed security plans to include: passenger, vehicle, and baggage screening procedures; security patrols; restricted areas; personnel identification procedures; access control measures; and/or installation of surveillance equipment. The Coast Guard had reviewed and approved these plans and, to this day, continues to regularly inspect the facilities and vessels for compliance to ensure there is a consistent, risk based security program for all the Nation’s ports to better identify and deter threats.”

Based upon this apparent disparity between the successes of the two programs the Committee “directs the Under Secretary for NPPD in conjunction with the Commandant of the Coast Guard” to conduct a critical review of the CFATS implementation. There are eight specific areas that the report identifies to be included in the review (pgs 99-100):

1. Is the ISCD organized to efficiently, effectively, and faithfully carry out the requirements detailed in Section 550 of Public Law 109–295?

2. Is the Site Security Plan program sufficient and justified to accomplish the goals of the CFATS program?

3. Should the facility inspection process be streamlined and if so, what is the most efficient mechanism to do so, particularly for low-threat facilities?

4. Are the requirements for ISCD personnel for the inspection process—to include manning, training, site visits, and enforcement— being met?

5. Have clear training and guidance materials been provided to the inspectors so that they can review security plans and conduct inspections consistently, regardless of the type of facility visited?

6. Has ICSD developed adequate plans for follow up inspections for entities whose Site Security Plans have been approved?

7. Does the CFATS program include the appropriate level of stakeholder outreach to address valid industry concerns?

8. Are the requirements outlined in the Information Collection Request Reference Number 201105–1670–002 [Personnel Security Program] duplicative of other programs?

It is absolutely clear that the Committee intends for this review to be more than they typical congressionally mandated paper study. Instead of the typical 90- or 180- day reporting period the Report mandates that the report be submitted to Congress by April 1st, 2013; almost a full year for the completion of the study.

Alternative Security Programs

The Report also addresses a perennial congressional favorite security topic, the utilization of ‘alternative security programs’. It notes that “the use of alternative security programs established by private sector entities in the implementation of the CFATS program” (pg 100) is specifically allowed by the §550 authorization for the program. The Committee directs the Under Secretary to report on the ISCD use of alternative security programs to “address the massive backlog of unapproved site security plans”. This report will also be due on April 1st, 2013.

Interestingly the Committee demonstrates its lack of understanding of the fundamental definitions of the CFATS program when the report comments that:

“While alternative site security programs may not be advisable for high-risk facilities, the Committee believes that in many cases the use of alternative programs may be an efficient and effective method to reduce the backlog currently in existence.”

All facilities covered by the CFATS program are, by definition, ‘high-risk facilities’. There are rankings or tiers of ‘high-risk’, but all covered facilities are at high risk for terrorist attack as determined by the Secretary. Additionally, no one in Congress has explicated how these alternative security programs will reduce the approval and inspection work load of ISCD. Unless Committee is suggesting that non-governmental organizations can be delegated the inherently governmental responsibility of conducting site approval and inspection activities, ISCD will still have to do the hard work of the program.

Personnel Assurance Program

The Appropriations Committee becomes the third Committee in Congress (Homeland Security and Energy and Commerce Committees being the other two) that has expressed concerns about the personnel surety program that has yet to be finally defined by DHS. Every Congressman that has commented on the program has expressed concerns that the program does not recognize TWIC or HME identifications as meeting the requirements of the program. Since we haven’t seen the final document on the program (another oft delayed program) it isn’t clear that this is actually the case, but the complaints are continuously voiced.

The other concern included in this report about the personnel surety program is the provision that if a submitted name is found to be on the Terrorist Screening Database (TSDB), ISCD specifically has stated that they did not intend to notify the facility of that determination. The Report notes the Committee’s concern (pg 101):

“While the Committee understands the need to protect ongoing investigations, the liability concerns of allowing a person in the TSDB into a chemical facility is distressing to the Committee and to industry stakeholders.”

Another report to be submitted by April 1st, 2013 will be required to address these surety concerns. An interesting requirement in this report is inclusion of an analysis of the number of chemical workers (presumably at CFATS facilities) are already covered by the TWIC. Since no one will be able to make a realistic assessment of the TWIC status until facilities submit the list of covered personnel that will be covered by the surety program, I don’t see how ISCD will legitimately make this information available.

While it might be reasonable to provide a one-year reporting period one would like to think that other Committees in the House and Senate might actually step up and address the problems that I have been identified in the ISCD implementation of the CFATS program. Or maybe not. After all the Senate Homeland Security and Government Affairs Committee has yet to hold a hearing on the problems; they’re more interested in looking as the Secret Service agents consorting with prostitutes.

Wednesday, May 16, 2012

Uncoordinated Luigi Again

Yesterday the folks at DHS ICS-CERT published an alert based upon an uncoordinated disclosure (NOTE: for some reason this link is on Luigi’s alternate site) by Luigi; obviously he hasn’t completely given up his independent disclosure ways. The alert concerns the Wonderware SuiteLink communications protocol. The vulnerability is an unallocated Unicode string vulnerability that can lead to remotely executed denial of service attack. Luigi calls it a ‘resource consumption’ vulnerability in newer versions of SuiteLink.

Wonderware has acknowledged the vulnerability and has system-specific mitigation upgrades available on their web site for some of the affected products. They are continuing to work on a ‘standalone update tool’ that will be useable across the product line. This looks like a really quick response to an uncoordinated disclosure; they must have known about the vulnerability already.

NOTE: For a variety of reasons I have missed reporting on a few of the more recent ICS-
CERT advisories. They include:

Tuesday, May 15, 2012

CFATS Knowledge Center Update – 05-15-12

This afternoon the folks at ISCD updated the response to one of the Frequently Asked Questions (FAQ) on the CFATS Knowledge Center web site. The FAQ response was changed for FAQ #1557; concerning the procedure to be used for requesting the correction of an incorrect high-risk determination or risk tier-ranking. The question reads:

“What should I do if I think my facility was incorrectly determined to be high-risk or received an incorrect preliminary risk-based tier determination?”


Alert readers might remember that this page was updated just a couple of months ago to reflect the acting appointment of William Flynn as the Assistant Secretary for Infrastructure Protection (ASIP). Today’s change is based upon a similar personnel action; Caitlin Durkovich was recently appointed to the post of ASIP. According to the White House announcement Ms Durkovich has been the Chief of Staff of the National Protection and Programs Directorate since 2009 so she certainly has some insider knowledge about NPPD. She also has some management experience with a variety of tech organizations including the Internet Security Alliance and Verisign.

Other Changes

There is one other minor changes to the response to FAQ #1557. The first sentence of the third-to-last paragraph was re-written to make it easier to read. The old version read:

“It will assist DHS in processing requests for consultation with the Coordinating Official and Requests for Redetermination by the ASIP if such requests include the facility ID number assigned to the facility by the Chemical Security Assessment Tool (CSAT).”

The new version reads:

“Include the facility ID number assigned to the facility by the Chemical Security Assessment Tool (CSAT[)] to assist DHS in processing requests for consultation with the Coordinating Official and Requests for Redetermination by the ASIP[.]”

You’ll notice that I have corrected two minor typos in the re-written versions. The version on the web site is missing a closing parenthesis on the abbreviation “CSAT” and the closing period for the sentence is missing. Fortunately I’ve never had problems with typos in my blog (riight). Most people will never notice the first, but the second does make it a little bit more difficult to understand what the sentence is saying. Even so it’s easier to understand than the earlier version so it is still a gain.

One other point that I would like to make about this FAQ response. It references proper marking and packaging requirements for sending Chemical-Terrorism Vulnerability information to DHS. Unfortunately it only provides a reference to the CFATS regulations as a method to determine those requirements. The details needed to mark and package CVI are not found in that document; but they can be found in the Chemical-terrorism Vulnerability Information Procedures Manual.

FRA Publishes PTC Amendments Final Rule

Yesterday the Federal Railroad Administration (FRA) published their PTC Amendments Final Rule in the Federal Register (77 FR 28285-28305). This rule eases some of the requirements for removing sections of rail line from the requirements to install positive train controls (PTC). These rules only pertain to track segments that “do not transport poison- or toxic-by-inhalation hazardous (PIH) materials traffic and are not used for intercity or commuter rail passenger transportation as of December 31, 2015” (77 FR 28285).

This rule is being issued in response to a Settlement Agreement reached in a suit by the Association of American Railroads (AAR). It eliminates two qualifying tests previously required to remove a line segment from PTC implementation. Those tests were based upon alternative route analysis and the residual risk analysis.

Complicates TIH Shipping Issues

As I noted in an earlier blog, it would seem that the removal of these two tests, particularly the alternative route analysis test, will further complicate the toxic inhalation hazard (TIH) routing issues that plague relations between TIH shippers and the railroads. This issue is addressed in the preamble to the rule with the FRA stating that “even where a railroad is able to reroute its PIH materials traffic in accordance with the PHMSA regulations, resulting in future PIH materials traffic needing to traverse a line segment that does not have a PTC system in order to travel from its source to its destination, FRA does not view such rerouting as a barrier to future PIH materials traffic” (77 FR 28292).

I also noted in a separate blog post that this rule could increase the number of rate setting disputes that the Surface Transportation Board will be required to hear. This rule acknowledges this potential problem; noting that “FRA recognizes that PTC system implementation may affect STB's review of rates” (77 FR 28292); but then ignores the issue in this rule.

Public Comments

This is a final rule and it is effective on July 13, 2012. Apparently anticipating objections to this rule (it is a tad bit controversial) the FRA has set a deadline for petitions for reconsideration on the same date. Those petitions will be published on the Federal eRulemaking Portal (; Docket # FRA-2011-0028). Public comments on those petitions are being solicited (they really do expect petitions apparently) need to be submitted via the same venue by August 27, 2012.

Oh, by the way, FRA is already considering the next set of amendments to the PTC rules. There is no mention of the topics to be covered in such amendments, just the notice that a new notice of proposed rulemaking (NPRM) is already in the works.
/* Use this with templates/template-twocol.html */