Saturday, June 30, 2012

OMB Approves TWIC ICR Extension

On Thursday the Office of Management and Budget approved the TSA’s request for a renewal of the information collection request that supports the Transportation Worker’s Identification Credential (TWIC) application process. OMB approved the ICR, but only until October 31st of this year.

This renewal was requested last summer and would normally have resulted in a three year approval of the ICR. Because of the recently announced change in the TWIC renewal requirements OMB provided only a temporary extension of the ICR noting that:

“TSA should submit an Emergency Information Collection Request, to reflect changes to the program and burden hours that will result from the Exemption Notice published in the Federal Register on June 19, 2012 (49 CFR Part 1572 [Docket No. TSA–2006–24191]).”

The long time period between the submission of this ICR and its limited approval indicates that the OMB has long been aware of the DHS intention to provide some sort of relief on the TWIC renewal process pending the eventual approval of a TWIC Reader rule.

Port Security Votes

As I noted last weekend the House was scheduled to consider three separate port security related bills; HR 3173, HR 4005, and HR 4251. All three were debated on Tuesday, but a lack of a quorum caused the actual votes to be pushed back. On Thursday the House passed all three bills; two by overwhelmingly bipartisan votes and the other by a voice vote.

While these bills have enjoyed wide bipartisan support in the House (and no significant opposition), there are only a limited number of days left before the summer recess and it is unlikely that these bills will be taken up by the Senate in that time. Between the summer recess and the election in November, no significant political work will get done in the Senate as both sides posture for November. The best hope for these three bills to actually pass this year will be during the post-election lame duck session.

Friday, June 29, 2012

Per Organization Limit Increased for CSSS

Yesterday SOCMA, a cosponsor for next month’s Chemical Sector Security Summit (CSSS), tweeted that DHS is temporarily opening registration to additional members from an organization to attend the CSSS. The original DHS web site notice said that, as has been the case in recent years, registration would be limited to two people from a single organization. This had been done to allow more organizations to send representatives to the meeting.

The tweet points to the registration web site, but that page still has the note about the two attendee limit. The Chemical Sector Security Summit web page still contains the note:

“Due to space constraints, each organization, company, and agency will be limited to two (2) registrants.”

This kind of worries me because it indicates that there hasn’t been the level of registration that we have seen in prior years. If the registration isn’t oversubscribed as it has been since its inception, it will be harder to convince DHS and the industry sponsors to web cast essential parts of the meeting.

ICS-CERT Incident Report

Yesterday the DHS ICS-CERT published a 17-page report on the cybersecurity incidents the organization has responded to since its inception in 2009. The report provides an overview of the number of incidents per year and by critical infrastructure sector. It summarizes common findings and provides an overview of the vulnerabilities discovered in three broad categories: people, process and technology.

Summary Data Misleading

The initial summary of ICS-CERT incident response data is kind of frightening; nine responses in 2009, 41 in 2010 and 198 in 2011 (page 2). It would seem to support the general idea that our critical infrastructure systems are increasingly under attack, a conclusion supported by other reports. A closer reading of the report, however, makes that conclusion less clear. For example, the report notes that of the 2011 incidents an unspecified number were “due to a large number of Internet facing control system devices reported by independent researchers” (pg 5); presumably those incidents could have been reported in 2010 or 2009 if the tools for detecting Internet facing devices had been available in those earlier years.

No ICS Threat Identified

The other misleading aspect of this report is that it is supposedly about the ICS threat landscape during the period. Unfortunately, the vast bulk of the incidents appear to be on enterprise systems at these facilities, not control systems. Of the incidents reported in any detail in this report (and the details are deliberately and rightfully sketchy) only three deal with actual control systems; a Stuxnet infection clearance, an environmental control system problem, and a water system pump problem. The last two were determined not to be related to a cyber-attack.

What the Report Doesn’t Say

The report does identify a number of incidents where sophisticated targeted attacks were directed at critical infrastructure organizations. And it does briefly mention that there were multiple indications of information being exfiltrated from some of those infected systems. Unfortunately it doesn’t appear that anyone has any real idea of what types of information were taken; it could easily be assumed that control system access credentials and network topology data could have been copied that would allow for a sophisticated follow-on attack.

The report also makes no attempt to compare the reported attacks to the number of attacks detected but not reported to ICS-CERT, or to the number of successful attacks that were not detected. While any such numbers would be guesses (hopefully educated guesses), they would give a better look at the potential threat landscape. As it stands this report seems to indicate that the overall threat to the ICS community is really rather small.

Political Implications

With the Senate perhaps (don’t really hold your breath) set to take up some sort of ‘comprehensive’ cybersecurity legislation in the coming weeks this report does a disservice to the control system community. It minimizes the potential threat to critical infrastructure control systems and makes the case quite firmly that there is no need for any regulation of cybersecurity for control systems. In fact, a diligent bean counter that read this report would conclude that there is little or no need for spending any significant corporate resources on control system security.

Because this politically inept report does not address the issue of the sharp increase in the vulnerabilities reported in control systems and the increasing interest in the hacker (black hat and white hat) community in finding the vulnerabilities in these systems, the report does not identify the increasing probability of attacks, sophisticated and otherwise, on control systems. It does not explain to the uninitiated that the landscape is quickly changing in that it is becoming easier to attack control systems, and this presages a probable radical increase in actual attacks on control systems.

For those of us in the control system security community, this is a valuable report on what ICS-CERT has done, but it handicaps us in our ability to protect the critical infrastructure control systems in this country from future attacks.

Thursday, June 28, 2012

McCain Introduces New Cybersecurity Bill

Yesterday Sen. McCain (R,AZ) introduced S 3342, a new bill to improve ‘information security’. The GPO version of the bill is not yet available so I can only guess that this is an attempt to establish a compromise position between McCain’s earlier bill (S 2151) and the Senate Homeland Security Committee bill (S 2105). I don’t expect much (probably no) control system regulation, but you never can tell.

ICS-CERT Publishes Two Advisories and a new Luigi Alert

Yesterday the DHS ICS-CERT published a new advisory (GE Intelligent Platforms Proficy products), an advisory updating an earlier Luigi alert (Pro-Face Pro-Server) and an alert for new uncoordinated Luigi reported vulnerabilities (Sielco Sistemi Winlog).

GE Proficy Advisory

This advisory is based upon a command injection vulnerability reported by Andrea Micalizzi and the subsequent discovery (by GE Intelligent Platforms) of a stack-based buffer overflow in a third-party HTML help application used by some GE Intelligent Platforms Proficy products. Both vulnerabilities are remotely exploitable by a moderately skilled attacker utilizing a social engineering attack. The folks at GE are to be commended for going the extra step in discovering and identifying the additional vulnerability.

GE recommends unregistering and deleting the KeyHelp.ocx ActiveX control and has provided product specific instructions for doing so.

As with any vulnerability in a third-party provided component of an ICS system, one has to wonder what other vendors have used the same component in their product. One would suspect that any such system would have the same vulnerabilities as those identified here.

Pro-Face Advisory

This advisory is a close-out of an alert issued in May for an uncoordinated vulnerability disclosure made by Luigi. That alert identified five separate remotely-exploitable vulnerabilities:

• Memory Corruption (2);

• Integer Overflow;

• Unhandled Exception; and

• Invalid Memory Read Access.

The Advisory reports that Digital Electronics, the developer/manufacturer of the Pro-Face line, has released patch modules for the affected systems. The Advisory describes the patch this way:

“The patch module prevents the Pro-Server EX and WinGP from an attack using inaccurate packets.”

This wording is odd because only one of the vulnerability descriptions mentions the use of packets in the exploitation of the vulnerability. This combined with the lack of a report that the mitigation has been verified by Luigi or ICS-CERT makes one wonder about the efficacy of the mitigation. Digital Electronics has apparently addressed this issue by recommending:

• A review of all network configurations for control system devices;

• The removal of unnecessary PCs from control system networks; and

• The removal of unnecessary applications from control system networks.

All of these are appropriate recommendations for any control system, but they are hardly effective mitigation measures for these identified vulnerabilities, especially since Luigi always publishes proof-of-concept exploit code. This is very poor security support.

Sielco Sistemi Alert

This ICS-CERT alert addresses the latest report of ICS vulnerabilities by Luigi. Luigi identified multiple vulnerabilities when the software is configured to allow the system to act as a TCP/IP server. Those vulnerabilities include:

• Multiple buffer overflows;

• Directory traversal;

• Improper access of indexable resource; and

• Write-what-where condition.

As always Luigi provides proof-of-concept exploit code on his web site.

Tuesday, June 26, 2012

PHMSA Advisory Committees to Meet on New Rule

Today the Pipeline and Hazardous Materials Safety Administration published a notice in the Federal Register (77 FR 38132-38133) that two of their advisory committees, the Technical Pipeline Safety Standards Committee (TPSSC) and the Technical Hazardous Liquid Pipeline Safety Standards Committee (THLPSSC), will meet in July in Washington D.C. to discuss a proposed rulemaking to make miscellaneous changes to the pipeline safety regulations and to discuss several future regulatory initiatives. There will be a joint meeting on July 11th and separate simultaneous meetings on July 12th.

While the notice states that the “Agenda is published on the PHMSA (DOT) Web site” (77 FR 38133; and no link is provided for that agenda), that is not currently the case. The web page for this meeting reports that the “complete meeting agenda will be posted to the webpage in the near future along with other meeting documents”. That page does state, however that:

“The agenda will include committee discussions and vote on the proposed rule: ‘Pipeline Safety: Miscellaneous Changes to Pipeline Safety Regulations’ published in the Federal Register on November 29, 2011 (76 FR 73570).”

Presumably, since the comment period on that proposed rule has long since passed, PHMSA is intending for the committees to look at some sort of draft for the final rule.

These meetings will not be web cast, but presentations and documents will be posted after the meetings on the Federal eRulemaking Portal (Docket # PHMSA-2009-0203). There is no reason given for not web casting the meeting, but it makes it look like PHMSA is trying to limit public participation in the discussions. The Notice does state that the public may attend and make comments during the meeting (specific times for public comments are typically set aside in the agenda). As is usual for these types of meetings, advance notice of intent to make comments needs to be submitted via email by July 5th, 2012. Written comments may also be submitted to the meeting docket listed above.

Monday, June 25, 2012

Explanation for CFATS eMail Change

Earlier this month I wrote a brief blog post about a notice on the CFATS Knowledge Center that the Help Desk email was changing. I mentioned that I had sent an email to the old Help Desk email to see how long the old email address would be active. Today I got a response that gave an indefinite answer to that question, but provided a little more detail about why the change was necessary.

The CFATS Team email explained that: “DHS email addresses now include a DHS-entity acronym immediately before ‘’.”  They then went on to explain that: “This email address format integrates independent email systems established throughout the Department and establishes the efficiencies of enterprise-wide email.”

While the Department is updating their web sites to show the new updated email address, the Department has taken measures to ensure that even if the old address is used, for some reasonable length of time (apparently not yet determined) the system will automatically forward the message to the correct address.

Change is inevitable, especially in a conglomerated organization like DHS. Appropriately planning for that change is unusual, even if only in the little things.

Sunday, June 24, 2012

Congressional Hearings – Week of 6-22-12

As the summer recess approaches Congress tries to figure out what work will actually get done before the fall election. There is only one hearing of potential interest this week and that deals with TWIC issues. Interestingly two days before this hearing the full House will vote on two bills that deal with the issues being reviewed in this hearing.

TWIC Hearing

The House Transportation and Infrastructure Committee will be holding a hearing on Thursday that looks at the delays and problems with the management of the TWIC program. The witness list is interesting; a Coast Guard Rear Admiral, a policy wonk from DHS, a port authority representative and a union representative. No one from the Transportation Security Administration will be there to answer the various accusations and complaints.

Port Security Week

As the summer recess approaches the House leadership continues to bring up large numbers of bills that will be relatively easy to pass; it helps to counter the election year claims of being a ‘do nothing’ body. This week three of the sixteen bills that will be considered under suspension of the rules will deal with port security issues. Those bills are:

• HR 3173 To direct the Secretary of Homeland Security to reform the process for the enrollment, activation, issuance, and renewal of a Transportation Worker Identification Credential (TWIC) to require, in total, not more than one in-person visit to a designated enrollment center

• HR 4005 GAPS Act

• HR 4251 Securing Maritime Activities through Risk-based Targeting for (SMART) Port Security Act

I’ve addressed the last two bills in earlier blogs (HR 4005, HR 4251). The first bill is interesting in that it is basically included as a section (§205) in HR 4251. There is an interesting difference though, HR 3173 gives the Secretary 90 days to reform the TWIC application process and HR 4251 allows 270 days. I suppose that whichever passes last is the one that governs the time frame that DHS will ignore.

DOT Appropriations

The House will also consider HR 5972, the DOT and HUD appropriations bill. This will be considered under an open rule with a large number of amendments to be submitted from the floor. I’ve already addressed some of the chemical safety and pipeline safety provisions of the bill in an earlier blog. There is no telling what neat new amendments will be offered on the floor.

TS Debby Targets Gulf Coast Chemical Facilities

This afternoon the National Hurricane Center (NHC) expanded their tropical storm warnings for TS Debby to include the Gulf Coast west from Tarpon Springs, FL to Morgan City, LA. This change is due to the recent northeastward track of the storm and continued disagreement between various models about whether the storm will turn east or west in the coming days.

According to the NHC the current consensus forecast has the storm turning to the west on Monday afternoon through Tuesday morning. This track would have the storm affecting a large number of chemical manufacturing sites during the coming week. Since the storm is forecast to be slow moving, reaching the Louisiana coast sometime late Wednesday or early Thursday, it seems clear that the threat of flooding from rains is quite high for those facilities.

Chemical facilities in these coastal areas are quite familiar with how to deal with tropical storms from a facility safety perspective (at least one would hope that that were true). What is less clear is if the facility security plans adequately deal with facility shutdowns and evacuations for such events. The time period between storm related shutdowns and startups (particularly if evacuations are involved) are periods of increased potential vulnerability to attacks on the facility.

Facilities that may be targeted by radical environmental activists would probably be more likely targets of opportunity in this type of situation, which favors an impromptu attack by a lone wolf or small team already in the area. Attacks conducted in the confusion of a tropical storm or hurricane need not be nearly as sophisticated to be successful as attacks under more normal circumstances. This increases the likelihood of a successful attack.

Furthermore, attacks during a large storm are likely to have lesser environmental consequences, off-site damages or injuries than the same attack conducted in normal weather conditions. This is due to the dilution and fire suppression effects of wind and rain. This may make the attack more palatable to environmental activists. At the same time their terror potential is increased by the attendant communications issues and potentially poor emergency response actions.

Site security plans should take this into account at all facilities in the likely path of tropical storms along the Gulf Coast or South Atlantic Coast.

ICS-CERT Updates ICS Internet Accessibility Alert

On Friday afternoon the DHS ICS-CERT updated their alert on Internet accessibility of ICS systems that was originally issued in January. The original report outlined a large number of reports of ICS systems being found on the Internet through the use of SHODAN, Google, ERIPP and other search engines. This update provides information about Internet facing ICS systems with default passwords or weak authentication.

The update starts off (pg 2) by explaining that: “ICS-CERT has recently become aware of multiple systems with default usernames and passwords that are accessible via the Internet.”

This generic claim is not much help to the general ICS community, but the Alert does note that ICS-CERT has directly contacted the owner/operators of the affected systems to let them know of their vulnerability.

There is a new vendor name included in this initial paragraph, Echelon and their i.LON series of communications devices. ICS-CERT notes that the new reports that they have received include information on “the Echelon i.LON product that is commonly deployed within ICS devices such as motors, pumps, valves, sensors, etc., which contain a default username and password”. They do note that this is not an ‘inherent vulnerability’ (read; the user should have corrected the situation during the installation process).

The alert revision goes on to remind their audience that there have been a number of ICS-CERT advisories (including: ClearSCADA, Siemens Simatic, and RuggedCom) about systems with weak authentication mechanisms. They do not specifically say whether any of those systems have been reported to be Internet facing, but given the current state of ICS security it would seem inevitable that there are a number of these systems that are relying solely on their weak authentication mechanisms for protection from the Internet.

Nothing has changed in the sections of this Alert that deal with mitigation efforts. Neither ICS-CERT nor any other ICS security player has come up with a magic bullet to protect Internet facing ICS equipment. The revised alert simply serves as an updated reminder that every ICS owner/operator needs to take a hard look at their control systems to ensure that they are appropriately protected. As such this updated alert deserves the widest possible dissemination.
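The alert itself only tells owner/operators to “take a hard look” at their systems. As an added example (not code from the ICS-CERT alert, from any vendor, or from this blog), here is the first cut at that hard look that I would expect an owner/operator to run over a search-engine export of their own address space: it reads a constructed JSON-lines file in the shape of a SHODAN-style banner export, flags well-known ICS protocol ports, distinguishes protocols that carry no authentication at all (Modbus, DNP3, S7, EtherNet/IP, BACnet, where reachability equals control) from those with a device login, and flags web interfaces guarded only by HTTP Basic authentication as candidates for a default-credential check. All hosts, banners and the “i.LON 100” server string are constructed for the example; the port-to-protocol mapping is the assumption the script is built on.

```python
"""Triage a SHODAN-style export of Internet-facing hosts for exposed ICS services.

Added example; not taken from the ICS-CERT alert or any vendor. The input is a
constructed JSON-lines export (fields: ip_str, port, transport, data). The
addresses are RFC 5737 documentation ranges and the banners are made up.
"""
import json
import re

# Well-known ICS/SCADA service ports (assumed mapping for this example).
# The boolean marks protocols with no authentication in the protocol itself:
# if the port is reachable, an attacker can read and write process data.
ICS_PORTS = {
    102:   ("Siemens S7 (ISO-TSAP)", True),
    502:   ("Modbus/TCP", True),
    1911:  ("Tridium Niagara Fox", False),
    20000: ("DNP3", True),
    44818: ("EtherNet/IP (CIP)", True),
    47808: ("BACnet/IP", True),
}
WEB_PORTS = {80, 443, 8080}

BASIC_AUTH = re.compile(r"WWW-Authenticate:\s*Basic", re.IGNORECASE)
SERVER_HDR = re.compile(r"^Server:\s*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)

# Constructed sample export; none of these hosts or banners are real.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"ip_str": "203.0.113.10", "port": 502, "transport": "tcp", "data": ""},
    {"ip_str": "203.0.113.10", "port": 80, "transport": "tcp",
     "data": "HTTP/1.1 401 Unauthorized\r\nServer: i.LON 100\r\n"
             "WWW-Authenticate: Basic realm=\"iLON\"\r\n\r\n"},
    {"ip_str": "198.51.100.7", "port": 443, "transport": "tcp",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"},
    {"ip_str": "198.51.100.42", "port": 20000, "transport": "tcp", "data": ""},
    {"ip_str": "192.0.2.5", "port": 1911, "transport": "tcp",
     "data": "fox a 1 -1 fox hello\n"},
])


def parse_export(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(record):
    """Return (severity, reason) for one banner record, or None if not ICS-relevant."""
    port = int(record.get("port", 0))
    data = record.get("data") or ""
    if port in ICS_PORTS:
        name, unauthenticated = ICS_PORTS[port]
        if unauthenticated:
            return ("critical", f"{name} exposed; protocol has no authentication")
        return ("high", f"{name} exposed; protected only by the device login")
    if port in WEB_PORTS and BASIC_AUTH.search(data):
        match = SERVER_HDR.search(data)
        server = match.group(1).strip() if match else "unknown server"
        scheme = "HTTPS" if port == 443 else "plaintext HTTP"
        return ("high", f"web UI ({server}) guarded only by Basic auth over {scheme}; "
                        "verify vendor default credentials were changed")
    return None


def triage(text):
    """Group findings by host as (port, severity, reason), highest severity first."""
    order = {"critical": 0, "high": 1}
    findings = {}
    for rec in parse_export(text):
        result = classify(rec)
        if result is None:
            continue
        findings.setdefault(rec["ip_str"], []).append((rec["port"],) + result)
    for items in findings.values():
        items.sort(key=lambda f: order[f[1]])
    return findings


if __name__ == "__main__":
    for ip, items in sorted(triage(SAMPLE_EXPORT).items()):
        for port, severity, reason in items:
            print(f"{severity.upper():8} {ip}:{port}  {reason}")
```

The output is a worklist, not a verdict: a host showing Modbus on the Internet is already a finding regardless of what the banner says, while the Basic-auth web interface is only a candidate until someone confirms the default login no longer works. Run it against your own address space, not someone else’s.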

NOTE: There is an interesting follow-up to this post written by Reid Wightman over on DigitalBond. Well worth reading and makes some additional points that bear attention. Plus he was nice enough to mention this post. [6-25-12 20:20 EDST]

Saturday, June 23, 2012

TWIC Personal Data Compromised

There is a report today on CyberWarNews that there was an attack on a TWIC web site operated by Lockheed Martin Corporation that compromised a database and may have resulted in the release of personal information of TWIC applicants. According to data provided by OZ Data Centa, the reported data dump was 9.82 KB, so it isn’t a really large data compromise, but the information may be useful for more than just ordinary identity theft; it may compromise TWICs.

As I noted on a comment posted to Homeland Security Today group on LinkedIn, it will be interesting to see how long it takes TSA to notify TWIC holders of the potential personal information data compromise.

Friday, June 22, 2012

PHMSA Meeting on “Incorporated by Reference”

The Pipeline and Hazardous Materials Safety Administration (PHMSA) published a notice in yesterday’s Federal Register (77 FR 37472-37474) announcing that they would be holding a public workshop on the recent congressional mandate to eliminate the incorporation by reference of voluntary consensus standards. The workshop will be held on July 13, 2012 in Washington, D.C.

Since 1996 agencies of the Federal government have been directed to use voluntary consensus standards “published and adopted by domestic and international organizations, which have collaborated to agree upon best technical practices” instead of trying to develop duplicative standards in-house. This requirement was adopted to save the government money and to speed the regulatory adoption of new technologies.

The standards developing organizations (SDOs) have spent a great deal of time, effort and money on developing and printing these consensus standards. Since the documents are not produced by the government, they are protected by copyright law and many SDOs recoup their expenses (or portions of their expenses) by selling printed copies or licensing access to on-line copies of these standards.

When these standards, or portions of these standards are incorporated by reference, they become, essentially, part of the regulation; in most instances an enforceable part of the regulations. This requires that the regulated community must acquire copies of these standards to avoid falling afoul of the regulations. Since PHMSA has incorporated all or parts of 60 of these standards into the various pipeline safety regulations, buying or licensing all of the applicable standards could get quite expensive (it would have been nice if PHMSA had included the actual potential cost in this notice).

The Mandate

When the Pipeline Safety, Regulatory Certainty, and Job Creation Act of 2011 (PL 112-90) became law early this year it included §24 that prohibited DOT from issuing guidance or regulations that “incorporates by reference any documents or portions thereof unless the documents or portions thereof are made available to the public, free of charge, on an Internet Web site” (77 FR 37473).

Interestingly, the wording does not require DOT to go back and apply the same standard to the 60 existing standards incorporated by reference.

The Problems

The notice provides a listing of 14 potentially adverse consequences that could result from this requirement. They are listed in the following categories:

• Financial;
• Practical;
• Legal; and
• Policy.

I’ll note here just a couple of examples, taking one from each category (77 FR 37473):

Financial – “Costs to government would increase dramatically and immediately if PHMSA must write its own standards or purchase the right to freely publish standards from SDOs.”

Practical – “Government regulations with government-unique standards would not be likely to keep pace with technological and safety advancements made in the private sector.”

Legal – “Intellectual property laws play a critical role for both in the relationship between the government and the SDOs and in the relationship between the SDOs and its licensors or licensees.”

Policy – “Likely inconsistency of U.S. and international standards would arise due to inability to incorporate VCS and difficulty in harmonizing government-unique standards.”

The Meeting

The Notice identifies three objectives of the meeting:

• Provide an overview;
• Identify constraints; and
• Collect public input.

Additional information on the meeting can be found on the workshop web site. Persons wishing to attend the meeting should register with PHMSA by email. The same address can be used to register one’s intent to make a presentation (up to 5 minutes) at the meeting. The meeting will be web cast; information on that web cast will be posted on the workshop web site the week of the meeting.

Thursday, June 21, 2012

HR 5972 Introduced – DOT Appropriations

Yesterday Rep. Latham (R,IA) introduced HR 5972, the FY 2013 appropriations bill for DOT, HUD, and associated agencies. Title I of the bill is the Department of Transportation Appropriations Act, 2013. As I noted in an earlier posting the House Rules Committee will hold a hearing on the bill today to formulate the rule for the consideration of this bill next week.

The GPO version of the bill is not yet available, but the House Appropriations Committee web site has their committee print of the bill and the report on the bill available. As I expected there isn’t much mentioned in the way of security (a brief section on IT cybersecurity spending for the Department; only $6 Million; pg 5 of the bill), but there are a couple of mentions of chemical transportation safety measures in the Committee Report.

Rail Safety User Fee

The Committee provided $184,000,000 for safety and operations ($5,404,000 above FY 2012 enacted level and $28,000,000 above the budget request). The Committee rejected the President’s budget proposal “to establish a rail safety user fee collected from railroads to offset salary costs associated with rail safety inspectors” (Committee Report, pg 44).

PHMSA Special Permit Processing Fee

The President’s DOT budget included a request for a new fee for the processing and enforcement of special permits, a fee on top of the current application fee. The budget request forecast an income from that fee of $12 million. The bill did not include that new fee. The Committee Report (pg 64) noted that that request should have been part of an authorization bill not a spending bill.

Pipeline Safety Inspectors

The bill did not include funding for the additional 120 pipeline safety inspectors requested in the President’s budget. The Report notes that the recent Pipeline Safety, Regulatory Certainty, and Job Creation Act of 2011 (HR 2845, PL 112-90) included provisions for 10 new inspectors and that PHMSA is still having problems filling their previously allocated staffing positions. As a result the Committee did not feel it was appropriate to fund the President’s new request.

They did note that they will “reconsider a modest request for additional Pipeline Safety personnel in the Administration’s fiscal year 2014 budget, but only if PHMSA satisfies the pre-conditions enacted into law— by filling existing vacancies before asking for more and by determining that requested increases are necessary” (Committee Report, pg 65). That ‘promise’ is of course contingent upon the results of this November’s elections.

Moving Forward

As I noted in my earlier blog, the House Rules Committee will almost certainly provide an open rule for the consideration of this bill next week. This will mean that there will be a wide variety of amendments offered on the bill and some could address additional chemical transportation safety issues.

Wednesday, June 20, 2012

ICS-CERT Follows Up on Vulnerabilities

Yesterday the DHS ICS-CERT published a revision to an alert and an advisory to address the issues in an earlier alert. The systems involved are the WAGO IO 750 and the Wonderware SuiteLink.

WAGO Alert Update

This updated WAGO alert is updating an alert issued five months ago concerning multiple vulnerabilities in the IO System 750 identified by Digital Security Research Group (DSecRG). WAGO has issued a cybersecurity bulletin that recommends disabling two ports when ‘not actively in use’ and ensuring that the Web Server Authentication feature remains enabled.

It is unusual that successful (well the revised alert doesn’t say that anyone has confirmed that these measures actually work, but it sounds as if they should) mitigation measures are put into a revised alert instead of a final advisory. ICS-CERT doesn’t explain why they have taken this step, but I suspect that it is because implementing these measures leaves operators set up for future failure when they forget the reason for disabling the features and leave them enabled when the ports are required to be used for updating firmware for instance.

What is severely disappointing is that it took five months for WAGO to come up with these mitigation measures which required no real work on their part beyond publishing a notice on their web site. This would have been a smart move on their part if it had happened within a day or two of the publication of the original alert, pending a more structural change in the software. At this late date it indicates that the management team doesn’t care about security issues with their products. CAVEAT EMPTOR

Wonderware Advisory

This advisory for a stack-based buffer overflow vulnerability is a better example of how mitigation measures should be handled. The original alert based upon a Luigi uncoordinated disclosure was published just over a month ago. Invensys has produced a patch for their SuiteLink package and its efficacy has been verified by Luigi. The thirty-five day turnaround on an uncoordinated disclosure is very reasonable.

TWIC Renewal Exemption

As most people in the business became aware from a number of sources (blog or blog or Congress) on Friday and over the weekend, the folks at DHS have established a one-time renewal policy to give current TWIC holders a relatively easy extension of their Transportation Worker Identification Credential (TWIC) to hold them over until the publication of a TWIC Reader rule. Yesterday the Transportation Security Administration published an exemption to certain TWIC related rules in the Federal Register (77 FR 36406-36408). This notice provides the official details about what everyone has been talking about.

The Exemption

The TSA describes the basis for the exemption this way:

“This exemption will contribute to providing safe and efficient transportation while ensuring the efficient use and conservation of the resources of the United States. Due to the fact that [TWIC] readers are not yet required by regulation or in widespread use, we believe the burden associated with the full renewal requirements is not currently justified. The exemption permits eligible individuals to pay lower fees, reduce trips to an enrollment center, and avoid providing new biometric and biographic enrollment information when they request the card.”

Individuals may qualify for this exemption if they are a US national (“includes U.S. citizens and noncitizen nationals of the United States”) and hold a valid TWIC that will expire on or before December 31st, 2014. Qualified individuals have the option of requesting a three-year renewal of their TWIC as long as they currently meet all other requirements for holding a TWIC. Individuals may request a three-year extension by telephone and then make only one trip to the enrollment center to activate the new TWIC. The three-year extension will not require a full fee; the requesting individual will only have to pay the typical $60 cost for replacing a lost or damaged card.

The Politics

Two years ago the Coast Guard was supposed to have published a final rule covering the use of TWIC Readers. Because of delays in conducting the required field trials, complications in getting OMB approval, and probably other un-enumerated reasons, the NPRM for this rule is expected sometime later this year and it is unlikely that a final rule will become effective by the time the initial issue of TWICs expires.

Congress has been trying, ineffectively, to get the TWIC Reader rule implemented since without the ability to biometrically verify the identity of the holder the TWIC is just another photo ID. A number of pieces of legislation currently under consideration have provisions that would require the Secretary to come up with some sort of plan to extend the current TWIC registration until the TWIC Reader rule becomes effective. Unfortunately, it is unlikely that any of those bills will actually have a chance to become law before the election this fall.

This is actually a pretty innovative move by TSA. In a relatively simple document it answers most of the concerns being mentioned in Congress about the TWIC. It limits the cost by not performing another STA on existing TWIC holders, as would be required for a normal renewal. It requires only a single trip to the enrollment center by allowing a telephone call to initiate the renewal process while still requiring a personal appearance to activate the card. The only concern not specifically addressed is setting the expiration of the card to the expiration of legal residency documents for non-citizens.

It will be interesting to see if this exemption provides any political incentive to proceed on any of the pending TWIC related bills.

Tuesday, June 19, 2012

Transportation Funding Bill Rules Committee Hearing

As I noted in my earlier blog, the House Appropriations Committee held their markup hearing this morning on the appropriations bill for the Department of Transportation. There is not yet a copy of the bill available to review for potential chemical or pipeline safety measures, but the House Rules Committee has announced that their hearing to formulate the rule for the consideration of the as yet unnumbered bill will be on Thursday morning.

Since the House will not be in session Friday, this bill will not be considered on the floor until sometime next week. The bill will certainly be considered under an open rule; lots of time for amendments to be formulated over the weekend.

PHMSA Announces Pipeline Safety R&D Meeting

Today the Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice in the Federal Register (77 FR 36606-36607) that it would be cosponsoring a public forum to aid in the development of a national research agenda that “will foster solutions for the many challenges with pipeline safety and with protecting the environment” (77 FR 36606). The National Association of Pipeline Safety Representatives (NAPSR) is the other co-sponsor of the meeting, to be held July 18th and 19th in Arlington, VA.

According to the announcement the purpose of the forum is to:

• Identify key pipeline technical challenges facing industry and government;

• Disseminate information on current research efforts; and

• Identify new research that can help to meet known challenges.

The first day will start with panel discussions covering existing challenges, current R&D roadmaps and a discussion about advancing new technology into the market. The remainder of the first day and most of the second day will be taken up with breakout working groups that will address:

• Threat Prevention;

• Leak Detection/Mitigation & Storage;

• Anomaly Detection/Characterization;

• Anomaly Repair & Remediation; and

• Design/Materials/Welding-Joining/Valves.

The second day’s efforts in the working groups will be targeted on identifying 3 to 5 research priorities, including specifying the types of outputs needed for each of the priorities. Each group will prepare a brief presentation to be made at the closing session of the forum.

Advance registration is available on-line and special room rates are available at the Westin Arlington Gateway for participants. There will not be a web cast of this meeting (ignore the web cast blocks on the standard DOT meeting registration form). All presentations, including the final working group presentations, will be available on the meeting web page within a couple of days of the meeting.

ICS-CERT Updates RuggedCom Advisory

This afternoon the DHS ICS-CERT published an unusual update of an advisory that was published last month for a ‘weak cryptography for password’ vulnerability in the RuggedCom operating system (ROS). The update corrects a poorly worded notice in the overview section of the original advisory that claimed that RuggedCom had “produced new firmware versions that resolve the reported vulnerability” (pg 1). As I noted in my earlier blog on the advisory, that overstated the extent of the mitigation, as a close reading of the original advisory really did make clear.

The update also announces that firmware updates have been issued for additional versions of the ROS. At least one additional firmware update is scheduled to be released “within the next few weeks” (pg 3). It will be interesting to see if an additional update is issued when that next firmware update becomes available. I had half-way expected to see one for each of the version updates listed in this advisory; hopefully there was some other communications methodology used to alert system owners when these firmware updates were made available (and a passive listing on the RuggedCom web site hardly counts).

Sunday, June 17, 2012

Congressional Hearings – Week of 6-18-12

This week the House is back in Washington, but even with both houses of Congress in town we have to stretch some to find hearings that might be of interest to the chemical security and cybersecurity readers of this blog. There is another appropriations hearing and a look at the security clearance process.

Spending Bill

The House Appropriations Committee will be holding their final markup of the Transportation, Housing, and Urban Development Appropriations Bill on Tuesday. There will be nothing here directly mentioning security, either cyber or chemical, but there could be chemical safety issues addressed that have the potential to affect facility security matters; or maybe not. The Appropriations Committee gets proactive about the oddest things.

Security Clearances

The Senate Homeland Security and Governmental Affairs Committee will be holding a hearing on Thursday on security clearance reform. While there is no current provision in law or regulation requiring critical infrastructure organizations (outside of the defense industry sector) to have personnel hold security clearances, that is likely to change as it becomes more obvious that many such industries will potentially be subject to serious cyber-attack. Providing those entities access to classified intelligence information, necessary for their internal security programs, will require large numbers of security clearances to be issued. No witness list is available yet.

HR 4251 Reported in House – Port Security

Early this week the House Homeland Security Committee filed their report on HR 4251, the SMART Port Security Act. Since the Committee publishes the full text of amendments they consider we don’t have any surprises in the language of the bill in the report. So that means the only reason to review the Report is to see the explanations that the Committee provides for the provisions of the bill; this helps explain congressional intent.

Maritime Security Redundancies

In my initial blog post on this bill I noted that the provision in §104 for a GAO review of DHS port security program to identify overlapping provisions might identify such an overlap between the MTSA and CFATS programs in port areas. The explanation of this provision (pg 19) does not specifically mention CFATS. That doesn’t mean that the GAO report won’t address the issue.

TWIC Provisions

There are four TWIC provisions in this bill. They are:

Sec 205: Transportation Worker Identification Credential Process Reform;

Sec 206: Expiration of Certain Transportation Worker Identification Credentials;

Sec 207: Securing the Transportation Worker Identification Credential Against Use by Unauthorized Aliens; and

Sec 208: Report on Federal Transportation Security Credentialing Programs.

The Committee takes a very narrow view of the TWIC process, focusing on the ‘burden’ on the workers (and this is a Republican Congress). They note (pg 23):

“The Committee believes that the current requirement to visit a TWIC enrollment center multiple times is an onerous, unnecessary, burden for workers in the maritime industry, such as merchant vessel operators and truck drivers, who rely on obtaining the credential for employment.”

They ignore the security aspects of what is, at base, a security document. A year ago the Government Accounting Office looked at the security implications of mailing the TWIC card instead of having applicants come in and activate the card at a TWIC issuing center. They concluded that this could compromise the integrity of the TWIC system. Security is frequently inconvenient; politicians need to learn this before it is too late.

The provisions of §206 would extend all current TWIC expirations until the final TWIC Reader rule is published. The idea being that the TWIC isn’t really a TWIC until the biometric features available only through TWIC Readers come into full use. Congress tried mandating a date for the publication of the TWIC Reader rule, but DHS has diligently ignored that requirement. Now this section is designed to “provide the Department motivation to issue the rule at the earliest possible date” (pg 23); kind of sad actually.

Section 207 would require proof of US citizenship or legal residency at the time of application or renewal of TWIC. It would also require the expiration of TWICs issued to legal residents to expire no later than the expiration of their residency documents. The Committee is trying to “ensure all TWIC holders are authorized to work and are lawfully present in the U.S.” (pg 23).

The final TWIC section deals with harmonizing the background checks (known as ‘security threat assessments’ or STAs) for a number of identification documents that are issued by DHS. Each document has a slightly different STA requirement set by regulation. TSA has a regulation in the works that is supposed to address this issue (RIN 1652-AA61; Standardized Vetting, Adjudication, and Redress Services), but it has been in the works for a while. The Committee Report notes that:

“The Committee believes the Department should issue the Universal Rule as soon as possible, in order to reduce the unnecessary cost and duplicative regulatory burden on transportation workers.” (pg 24)

Way Forward

This bill was passed with broad bipartisan support in the Homeland Security Committee. This is a bill that has a decent chance of making it to the floor of the House before the Summer Recess, but making it through the Senate is more problematic because of the approaching election. It wouldn’t face any real opposition, but it isn’t ‘important’ enough to make it through the election year wrangling.

Saturday, June 16, 2012

ICS-CERT Publishes Innominate mGuard Advisory

Yesterday the DHS ICS-CERT published an advisory concerning an ‘insufficient entropy’ vulnerability in some of the mGuard security appliances produced by Innominate. The vulnerability was reported by an independent research group in a coordinated disclosure. Interestingly, there is no mention of this advisory being previously published on the US-CERT Secure Portal.

The vulnerability in a number of security appliances would allow a skilled attacker to obtain the credentials of administrative users. This could allow them to set up a man-in-the-middle attack where they could remotely gain control of networks protected by these devices. The affected appliances were all manufactured before 2006 (ancient by IT standards, but moderately new by ICS standards).

This is a much more serious set of vulnerabilities than the buffer overflow vulnerability ICS-CERT reported earlier this week. Too many security folks get comfortable when their networks are protected by VPN systems or firewalls. Defects in the security wall make everything more vulnerable behind them.

Innominate has provided mitigation tools to fix the identified problems. Since security keys are involved in these systems, the mitigation required is a tad more complicated than a normal software upgrade. The Advisory describes three separate modes of mitigation depending on the configurations involved.

The folks at ICS-CERT publishing this Advisory got a little too comfortable themselves in the publication process. At the end of the Advisory they include the standard blurb about additional measures that should be taken to protect systems. Unfortunately, these all involve putting industrial control systems behind the types of security devices that are involved in this vulnerability disclosure. While they do say that these measures are designed to “protect against this and other [emphasis added] cybersecurity risks” this section probably should have been left off of this Advisory.

Friday, June 15, 2012

ICS-CERT Publishes Sielco Sistemi Winlog Alert

Yesterday the DHS ICS-CERT published an alert concerning a buffer overflow vulnerability in the Sielco Sistemi Winlog HMI product. The uncoordinated disclosure was initiated by Michael Messner. Not much info at this point beyond the report that a specially crafted request sent to a specific TCP port could result in remote execution of arbitrary code. Seems like a pretty typical HMI vulnerability.

It is amazing that vulnerabilities like this are still being reported. This is such a common, basic vulnerability that one would like to think that vendors had gone back and checked for these. I kind of understand why a researcher might not want to waste time on a coordinated disclosure on such a basic vulnerability as this.

Wednesday, June 13, 2012

Today the Transportation Security Administration published a notice of proposed rulemaking (NPRM) in the Federal Register (77 FR 35343-35349) concerning the establishment of fees for the security threat assessments (STAs) that serve as the basis for the fees for such identification credentials as the Transportation Workers Identification Credential (TWIC) and the Hazardous Materials Endorsement (HME).

Currently the TSA is required to collect fees for the issuance of TWICs and HMEs that cover the cost of the STAs. These fees are currently written into the appropriate regulations; 49 CFR §1572.403, §1572.405, and §1572.501. TSA is proposing to remove the fee amount listing from the CFR and establish a requirement to publish changes to the fee schedule in the Federal Register.

TSA explains the reason for making this change in this way:

“Absent the ability to amend fees through notice rather than rulemaking, TSA is less likely to make timely changes to fees when associated costs change, such as contracts or vendor pricing, and when such changes are made, there is an increased likelihood that they would be more dramatic. Amending fees through notice would allow for more incremental changes and reduce the risk of TSA suspending issuance of credentials to meet HME or TWIC program requirements or decreasing services until a rule change is completed to reflect the new fee amount.” (77 FR 35347)

No Significant Economic Impact

TSA further explains that, because this is an ‘administrative’ change that makes no changes in the procedures that private entities will be following, they certify “that this rulemaking would not have a significant economic impact on a substantial number of small entities. However, TSA invites comments from members of the public who believe there would be a significant impact” (77 FR 35348).

Of course this does not address the potential for more frequent fee changes. Since most of these changes will be increases (Has a government agency ever reduced fees?) in fees and many employers actually pay the TWIC and HME fees, this could result in a ‘significant’ increase in costs.

Public Comment

TSA is soliciting public comment on this NPRM. Comments must be filed by July 30th. Comments can be filed via the Federal eRulemaking Portal (Docket Number TSA-2004-19605).

EPA Publishes Final Rule on Methyl Bromide for Cottonseed Fumigation

Today the EPA published a final rule in the Federal Register (77 FR 35295-34298) establishing the pesticide tolerances for the use of methyl bromide as a fumigant for cottonseed to be used as a feed stock for cattle. The EPA action on this rule has been prompt as the NPRM was published on April 6th and the Department of Agriculture published the necessary addendum to the PPQ Treatment Manual on May 29th.

Critical Use List

There appears to be just one more hurdle to be cleared before methyl bromide may actually be used in any quantity for the fumigation of cottonseed: it must be added to the list of critical uses exempted under the Montreal Protocol on Substances that Deplete the Ozone Layer, and an amount must be established for its annual use. Since the final rule for those uses in 2012 has already been published, I would expect that the EPA would issue a letter allowing the use of methyl bromide for this year and add it to the allocation for next year that is already under consideration.

Similarly, since the actual listing of the use of methyl bromide as a ‘critical use’ has been made for each year only through 2014, the EPA will have to go through some sort of hoop jumping to justify its use beyond 2015. The 2015 listing process is currently underway.

Interestingly, this issue of the listing of critical uses of methyl bromide under the Montreal Protocol has never been mentioned in this rulemaking action.

Effective Date

This rule is effective today. Objections to this rule and requests for hearings must be submitted by August 13th.

Methyl Bromide and CFATS

Once again it is clear that DHS overestimated the ability of EPA to actually phase out the use of methyl bromide; that was the justification DHS used to remove methyl bromide from the proposed list of DHS chemicals of interest (COI) that form the basis for the initial screening of chemical facilities to determine if they are at high-risk of terrorist attack.

Once again (and I know that I am continuing to beat this drum at every opportunity) I urge DHS to add methyl bromide back to the Appendix A list of COI for the CFATS program. This toxic inhalation chemical will almost certainly be around for much longer than 2015.

Monday, June 11, 2012

Pipeline Hazardous Leak Reporting Notice

Today the Pipeline and Hazardous Material Safety Administration published an advisory notice in the Federal Register (77 FR 34457-34458) providing additional guidance for reporting the apparent cause of mechanical fitting failures when completing the Mechanical Fitting Failure Report Form. The need for this guidance was determined after a review of the over 8,000 reports filed for 2011.

These reports are required to be filed for any hazardous leak resulting from the failure of a mechanical fitting (49 CFR 192.1009). This may include failures in:

• The body of the mechanical fitting;

• Failures in the joints between the fitting and the pipe;

• Indications of leakage from the seals associated with the fitting; and

• Partial or complete separation of the pipe from the fitting.

Reporting Installation Defect Leaks

The reports are filed using PHMSA’s Mechanical Fitting Failure Report Form (PHMSA F 7100.1-2). Question 15 of that form addresses the apparent cause of the leak and provides various categories of apparent causes to be used to classify the cause of the leak. This advisory notice seeks to clarify the classification to be used for failures resulting from an installation defect. PHMSA wants such failures to be reported as ‘Incorrect Operation’.

An apparent alternative is ‘Construction/Installation Defect’ as a subcategory under ‘Material or Welds/Fusion’. According to this Advisory Notice it is “PHMSA's intent to capture failure data under the ‘Material or Welds/Fusions’ leak cause category that is specific to manufacture, fabrication, material, and design defects” (77 FR 34458).

Use of Unique Leak Incident Identifiers

The Advisory Notice also advises operators that there has been a revision made to the form to allow for the use of unique leak incident identifiers developed by operators to “allow for ease of identification and prevention of duplicate filing”. This revision was made at the suggestion of a number of operators.

PHMSA also reports that they have begun work on a function within the online system to allow the simultaneous submission of multiple reports. This too is in response to suggestions received from multiple operators.

S 3254 Introduced – DOD Authorization

This last week Sen. Levin (D,MI) introduced S 3254, the National Defense Authorization Act for Fiscal Year 2013. While, as expected, there is nothing in this bill that directly addresses ICS security issues, there are some issues raised in Title IX of Division A in the bill that might be of interest to the cybersecurity community. Additional issues are raised in the Committee Report.

Interconnected Networks

Section 923 of the bill requires the Secretary of Defense to take actions “to substantially reduce the number of sub-networks and network enclaves across the Department of Defense, and the associated security and access management controls” {§923(a)}. There are a number of good reasons given for requiring this action; they include:

• Visibility for the United States Cyber Command in the operational and security status of all networks, network equipment, and computers.

• Elimination of redundant network security infrastructure and personnel.

• Rationalization and consolidation of cyber attack detection, diagnosis, and response resources, and elimination of gaps in security coverage.

• Reduction of barriers to information sharing and enhancement of the capacity to rapidly create collaborative communities of interest.

• Enhancement of access to information through authentication-based and identity-based access controls.

• Enhancement of the capacity to deploy, and achieve access to, enterprise-level services.

• Separation of server and end-user device computing to facilitate server and data center consolidation and a more secure tiered and zoned network architecture.

The one thing that seems to be missing from this reasoning is that if Cyber Command has easy ‘visibility’ of all of these networks, it means that an adversary who successfully penetrates one of these networks can achieve that same visibility. Just think about the unfettered access of a single low-ranking intelligence analyst that led to WikiLeaks.

Host Based Cybersecurity

Section 924 requires the DOD CIO to “develop a strategy to acquire next-generation host-based cybersecurity tools and capabilities” {§924(a)}. This next-gen capability should eliminate the current problems with signature based threat detection techniques. An important part of this new system is that it be expandable to include more than just intrusion detection. That potential tool set, yet to be developed, should include {§924(b)(2)}:

• Insider threat detection;

• Continuous monitoring and configuration management;

• Remediation following infections; and

• Protection techniques that do not rely on detection of the attack, such as virtualization, and diversification of attack surfaces.

An additional requirement is that it should be “designed for ease of deployment to potentially millions of host devices of tailored security solutions depending on need and risk, and to be compatible with cloud-based, thin-client, and virtualized environments as well as battlefield devices and weapons systems” {§924(b)(2)}.

While this is the holy grail of security systems, if anyone has the resources to get one developed that meets these requirements, it will be DOD and DARPA. Even if they only half-succeed, it will be a major accomplishment. The only question is, since such a system will undoubtedly be classified, will the Government allow its use by critical infrastructure that needs the same level of protection against similar attackers?

Improving Software Security

While an improved cybersecurity system will go a long way to protecting DOD computer systems, they will only be as secure as the software that runs on those systems. Section 925 would require an improved software acquisition process. This new process would require:

• Update of development and acquisition models {§925(b)};

• Requirements for secure code development practices {§925(c)}; and

• Verification of effective implementation {§925(d)}.

There is an interesting sub-paragraph to this section that has the misleading title of “Study on additional means of improving software security” {§925(e)}. What is really being required is a study to look at ways of ensuring that procured software meets the security needs of the Department. The methods suggested include:

• Liability for defects or vulnerabilities in software code.

• So-called ‘‘clawback’’ provisions on earned fees that enable the Department to recoup funds for security vulnerabilities discovered after software is delivered.

• Exemption from liability for rigorous conformance with secure development processes.

• Warranties against software defects and vulnerabilities.

Because of the size of the DOD purchasing pocketbook, this could be a change in the way that software security is addressed in the marketplace. If these types of actions become the standards for software security assurance, there will be a wholesale change in the way software is developed and sold; probably an overdue change.

Cyber-Operations Facilities

Anyone that has spent time in the military knows that all services have extensive physical facilities where the weapons of war are tested, evaluated, and most importantly where their use is practiced. The Senate Armed Services Committee takes the Department to task in its report for “its lack of attention to its cyber ranges” (pg 67; Adobe 87). An extensive discussion covering three pages of the Committee Report identifies a number of instances where funding and resourcing of existing and developing cyber ranges have declined in recent years.

The Committee requires DOD to prepare a report to Congress that identifies a central management structure for the oversight of cyber range “infrastructure, funding and personnel” (pg 69; Adobe 91). The report will also identify the sources of funding and resources for the modernization and operation of the cyber ranges.

Cybersecurity Personnel

Everyone knows that there is a severe shortage of personnel with a cybersecurity background. The Department of Defense has a large number of personnel slots that need to be filled in this area. The Committee Report notes “that every effort must be made to successfully recruit, train, and motivate for military service young people with computer skills to operate and defend the Department of Defense’s computer networks and infrastructure” (pg 117; Adobe 139).

The Report requires DOD to provide a ‘letter report’ to Congress within 180 days of this legislation becoming law that:

• Describes current programs for identifying, recruiting, training, and retaining young people with outstanding computer skills for military service;

• Reports any human capital or specialty shortfalls in cyber defense career fields; and

• Describes bonuses or any non-traditional or non-standard recruiting practices that are employed by the military services to locate and recruit young people for cyber-related career fields.

Development of Cybersecurity Expertise

The Committee Report (pg 180, Adobe 202) “encourages the Department of Defense to continue to support multi-disciplinary programs of study and research that focus on developing U.S. cyber security expertise and tackling vital cyber security issues”. Included in those issues, the Committee specifically included the protection of critical infrastructure “which the Department would be called upon to defend in the event of a cyber attack on the United States”.

What is not clear from this discussion is how the Senators would expect DOD to interpose itself between such critical infrastructure and cyber-attackers.

Sunday, June 10, 2012

HR 5904 Introduced – Terrorism Liability

Last week Rep. Lungren (R,CA) introduced HR 5904, the Justice Against Sponsors of Terrorism Act, a bill that would make it easier for victims of terrorist attacks against interests of the United States to seek civil liability claims against “persons, entities and foreign states, wherever acting and wherever they may be found, which have provided material support or resources, directly or indirectly, to foreign organizations that engage in terrorist activities against the United States” {§2(b)}.

The bill would add language to 28 USC 1605(a) that would expand the definition of exceptions to the claim of foreign sovereign immunity to specifically include “any statutory or common law tort claim arising out of an act of extrajudicial killing, aircraft sabotage, hostage taking, terrorism, or the provision of material support or resources for such an act, or any claim for contribution or indemnity relating to a claim arising out of such an act” {§3(a)(1)}.

Does Not Address Cyber-Terrorism

It doesn’t seem that the above wording would include cyber-attacks against critical infrastructure in the United States. Since the bill specifically limits itself {§3(a)(1)} to attacks within the United States, the definition of ‘terrorism’ that would be applied comes from 18 USC §2331(5) that describes ‘domestic terrorism’ as activities that “involve acts dangerous to human life that are a violation of the criminal laws of the United States or of any State”.

For example, while blowing up a chemical plant is clearly ‘dangerous to human life’ the ‘act’ of manipulating computer code is less clearly so. It could be argued that the intention was to disrupt the operation of the facility, more an act of civil disobedience than terrorism, and that the resulting actions ‘dangerous to human life’ arose out of poor design of the facility, the control system or associated safety systems.

Furthermore, I don’t know (and I am clearly not a lawyer, so this may just be the result of my ignorance) of any current law that specifically makes it illegal to attack an industrial control system. That would remove the second requirement for making such an attack a covered terrorist incident under the provisions of this proposed law.

Expands Statute of Limitations

Section 7 of this bill would extend the statute of limitations for civil actions regarding terrorist attacks from four years to fifteen years. The bill would apply that new standard to “all proceedings pending in any form on the date of the enactment of this Act” {§7(b)}. It would even allow these provisions to apply to previously dismissed actions if they would have met these new statute of limitations standards.

Since this bill only affects civil actions, not criminal liability, I suppose that the prohibitions against ex post facto legislation do not apply.

Moving Forward

Since Mr. Lungren is an influential member of the Judiciary Committee, I suppose that we might expect some sort of prompt action by that Committee on this bill. Once they report it to the Full House, I don’t see any strong impediments to its passage other than the constraints of time and election year politics.