Tuesday, December 31, 2013

House to Consider Adding Explosive Reporting Requirement

A notice posted on the House Rules Committee web site provides instructions for the filing of possible amendments to HR 2279, the Reducing Excessive Deadline Obligations Act of
2013 as the Committee plans on meeting the week of January 8th to formulate a rule for the floor consideration of that bill. While this bill mainly concerns administrative amendments to the RCRA and CERCLA rules an amendment was made during the approval of this bill by the House Energy and Commerce Committee that would add specific State reporting requirements to some facilities covered by the CFATS regulations.

Explosives Reporting Requirement

Section 6, Explosive Risks Planning Notification, was added to the bill as the result of an amendment offered by Rep Waxman (D,CA). That section states:

“Not later than 180 days after the date of enactment of this Act, the owner or operator of each facility at which substances listed in appendix A to part 27 of title 6, Code of Federal Regulations [Link Added], as flammables or explosives are present above the screening threshold listed therein shall notify the State emergency response commission for the State in which such facility is located that such substances are present at such facility and of the amount of such substances that are present at such facility.”

Actually the terminology used in §6 is not quite accurate; it should read “… listed as having a Release Flammable, or Release Explosive, Security Issue in Appendix A…..”. It is clear from the language in §6 that the Theft EXP/IEDP Security Issue materials are not included in the language ‘or explosive’ since they are not themselves explosive, just precursors to making explosives or improvised explosives.

Since Waxman’s comments in the Dissenting Views section of the Committee Report (pgs 20-21) specifically refer to the ammonium nitrate explosion at the West Fertilizer facility in Texas, one would might assume that the ammonium nitrate stored at the facility would have been covered by this Section, but since that was fertilizer grade material it was not covered under the Release Explosive category [Defined as: Ammonium nitrate, (with more than 0.2 percent combustible substances, including any organic substance calculated as carbon, to the exclusion of any other added substance)] in Appendix A.

It would have been covered under the Theft EXP/IEDP as it is a precursor chemical to making explosive grade ammonium nitrate [Defined as Ammonium nitrate, solid (nitrogen concentration of 23% nitrogen or greater)]. So, under the requirement proposed here the West Fertilizer facility would not have had any obligation to report their ammonium nitrate to the Texas emergency response commission.

It is also not clear why Waxman failed to include chemicals with a Release Toxic Security Issue in this notification requirement; the possible effected area/population may be quite a bit larger for some of the toxic chemicals than for the flammable or explosive release chemicals.

More than CFATS Coverage

The wording of this section would apply to many more facilities than just those covered by the CFATS program. Many facilities with more than a screening amount of the chemicals listed in Appendix A (DHS chemicals of interest, COI) are not covered by CFATS because the DHS Infrastructure Security Compliance Division (ISCD) determines, after reviewing their Top Screen data submission, that they are not at high-risk of terrorist attack and thus not covered by CFATS.

The requirement of §6 would also apply to facilities specifically exempted by Congress from coverage under the CFATS regulation. This would include water and waste water treatment plants, MTSA covered facilities, nuclear facilities regulated by NRC and DOD facilities.

Invisible Rule

There is an even more basic problem with this reporting requirement; it is added to a bill that most facilities would never hear about. This largest portion of this bill is addressed to actions to be taken by the EPA in establishing regulations. This is the only portion of the bill that applies directly to the private sector. Thus, a very large proportion of the facilities that would be required to take actions based upon this bill would never know of the requirement.

Moreover, there is no way that anyone in the Federal government would know if a covered facility made the required reports as the reports are to be made to unnamed State agencies with no feed back to the regulatory agencies at the Federal level who might (or might not) be aware of the existence of the covered chemicals.

This is one of those congressional requirements that are made without thought as a knee jerk reaction to a real problem. In this case it does not even come close to addressing the issue it was made in response to as the chemical in question does not meet the definition of the chemical hazard referred to in the bill.

Congressman Waxman almost certainly realizes that this section was added in contravention of House rules prohibiting unrelated information being included in a bill. He should also be aware of the problems with the ammonium nitrate definition as he has been involved with the CFATS business almost since its inception well before the 2006 addition of the §550 authorization to the Homeland Security spending bill.

The only thing that I can conclude is that Waxman is taking the easy way out and pushing a completely ineffective requirement because it is easy to get passed rather than trying to do something effective and complex in dealing with the way that the EPA and OSHA deal with explosive chemicals. And that is one of the reasons that we are in the chemical dilemma that we are currently facing, no one in Congress is willing to do the hard work to get real chemical safety legislation passed.


NOTE: The actual bill that the House Rules Committee will be considering is a mash up of three separate bills reported by the House Energy and Commerce Committee; HR 2279, HR 2226 and HR 2318. The §6 language discussed above will actually be in §106 of the new version of HR 2279.

Cybersecurity Legislation in 113th Congress

Here on the last day of 2013 it is appropriate to look back at the cybersecurity accomplishments of the 113th Congress. The table below shows all of the cybersecurity bills that were introduced this year. The links to the bills and dates refer to my blog posts. While the House has passed a number of bills the Senate has only passed two; both were spending related bills that contained some cybersecurity measures.


Passed in House
Passed in Senate
Notes


Ed Grants

CISPA - Info Sharing

R&D Spending
FY 2013 CR

R&D Cyber-Physical Systems
HR 1163

FISMA Amendments


SECURE-IT


Cyber Warrior Act – S 658

FY 2014 NDA


Cyber Espionage – S 1111

FY 2014 DOD Spending


Aaron’s Law – S 1196


Trade Secrets Protection


Centers of Excellence


FY 2014 DOT Spending


FY 2014 DOC Spending


Includes CI Control Systems


Boots on the Ground Act


FDA Software
FY 2014 NDA


NCCIPA


Place Holder


Cyber Warrior Act – HR 1640
S 1034


FY 2014 DOD Spending


Cyber Espionage – HR 2281


Aaron’s Law – HR 2454


FY 2014 NDA


FY 2014 DOC Spending


Cybersecurity Act


FY 2014 DOD Spending


Public Awareness


Monday, December 30, 2013

Another Oil Train Derailment with Fire and Explosions

Late this afternoon a grain train passing a crude oil train apparently derailed with some of the cars hitting the some of the passing crude cars. News reports (here, here and here) note that the resulting fire and explosions occurred outside of the town of Casselton, ND. There are no reports of injuries or other structures being involved in the fire.

The accident occurred about two miles west of a large ethanol production facility, Tharaldson Ethanol, that includes a massive rail loading facility that reportedly handles 153 million gallons of ethanol annually. The rail facility handles both grain trains delivering corn for the distillation process and ethanol heading to fuel blending facilities.


The combination of the North Dakota oil fields and ethanol production facilities like Tharaldson ensure that a large number of trains carrying hazardous materials transit towns like Casselton on an almost daily basis.

Cybersecurity Framework Comments – 12-28-13

This is the last in a series of posts about public comments submitted in response to the publication of the NIST Preliminary Cybersecurity Framework (PCSF). The earlier posts are listed below.


There were no new comments posted to the PCSF comment web site this week. I suspect that this means that all of the comments that were received in time (or even reasonably close to ‘in time’) have been posted. With the short time frame that NIST has in publishing the CSF I would not blame them for refusing to accept any additional comments.


I am still surprised by the relative lack of comments from the standard corporate commenters, especially from the chemical community. The ACC (part 1 and part 2) and Merc (part 1 and part 2) were the only two chemical commenters. This is kind of surprising because the chemical industry (under CFATS) and the pharmaceutical industry have some of the highest potential of seeing the CSF merged into current regulatory frameworks under EO 13636 §8(b).

Sunday, December 29, 2013

Grand Cyber Challenge – Automated Cyber Defense

The DOD Defense Advanced Research Projects Agency (DARPA) published a notice in Monday’s Federal Register (78 FR 79411-79412; available on-line Saturday) announcing a competition under the America Competes Act (15 USC 3719). The purpose of the DARPA Cyber Grand Challenge (CGE) competition is to develop autonomous cyber-defense systems that will automate the detection of novel program flaws in networked systems and to then automatically formulate and deploy effective defenses for those flaws.

The challenge will take place on commercial off-the-shelf (COTS) IT operating systems and software that would be used by DOD, industry and the Defense Industrial Base. According to the competition rules (pg 5), DARPA is expecting that competitors will use existing automated program analysis capabilities to detect the program flaws. Those capabilities would include:

• Dynamic Analysis;
• Static Analysis;
• Symbolic Execution;
• Constraint Solving;
• Data Flow Tracking;
• Fuzz Testing; and
• Related technologies.

There would be two tracks in the competition; a Proposal Track and an Open Entry Track. Organizations may submit a research proposal based upon a Broad Agency Announcement issued last month. Or teams may compete under a less structured and unfunded open entry track.

Competitors from the open track will eligible for prizes for winning CGE Qualifying Events (CQE; $750,00) and teams from either track in the CGE Final Event (CFE) will be eligible for prizes ($2 Million, $1 Million and $750,000 for 1st, 2nd and 3rd place respectively).

There will be four CQE addressing the following areas of excellence (AoE; pg 6 of the Rules):

• Autonomous Analysis: The automated comprehension of computer software (e.g., CBs) provided through a Competition Framework.
• Autonomous Patching: The automatic patching of security flaws in CBs provided through a Competition Framework.
• Autonomous Vulnerability Scanning: The ability to construct input which when transmitted over a network provides proof of the existence of flaws in CBs operated by competitors. These inputs shall be regarded as Proofs of Vulnerability.
• Autonomous Service Resiliency: The ability to maintain the availability and intended function of CBs provided through a Competition Framework.

The CQE are currently scheduled to be held on June 3, 2015. This will be preceded by two scored events that will not be counted in the CQE evaluations. Those practice events will be held on December 2nd, 2014 and April 6th, 2015.

The final CFE will include evaluations of the same AoE and a combined Autonomous Network Defense; the ability to discover and mitigate security flaws in CBs from the vantage point of a network security device. The CFE will be held on July 17th, 2016.


More information on registration and the competition is available on the CGE web site.

Friday, December 27, 2013

CSB Announces Twin Refinery Investigation Meetings

Today the Chemical Safety and Hazard Investigation Board published two public meeting notices in the Federal Register for meetings to review and approve the reports on two separate refinery accident investigations; a January 15th meeting (78 FR 78811-78812) on the 2012 Chevron refinery fire in Richmond, CA, and a January 30th meeting (78 FR 78810-78811) on the 2010 Tesoro refinery fire in Anacortes, WA.
Chevron Regulatory Report

The Richmond meeting will review and approve the staff regulatory report on 2012 fire that caused 15,000 residents to seek hospital care for exposure related issues caused by the fire. This will be the second of three CSB reports on that fire. In this report that staff will recommend (and the Board is expected to approve) a recommendation that California:

“Develop and implement a step-by-step plan to establish a more rigorous safety management regulatory framework for petroleum refineries in the state of California based on the principles of the `safety case' framework in use in regulatory regimes such as those in the UK, Australia, and Norway.”

I briefly mentioned in an earlier blog post that copy of the staff draft ‘Regulatory Report’ [Download Link] has been published for public comments. California is one of the States that has been cleared to enforce OSHA standards so this regulatory change, if adopted, would in effect be the OSHA refinery standard for the most populous State in the country. This means that this report will attract a great deal of attention as this could become a test bed for higher safety standards for the chemical process industry across the whole country.

The proposed safety case regulations would differ from the current PSM standards in two significant ways. First they would require the preparation of “a written ‘safety case report’—how major hazards are to be controlled and risks reduced to ‘as low as reasonably practicable,’ or ALARP”. On the enforcement side the report is “rigorously reviewed, audited, and enforced by highly trained regulatory inspectors, whose technical training and experience are on par with the personnel employed by the companies they oversee”.

As I noted in my earlier post the CSB is soliciting public input on the draft report. In addition, there will be an opportunity for public comments at the January 15th meeting before the Board votes on the acceptance of the staff recommendations.

Tesoro Refinery Report


The Anacortes meeting will review the staff draft of the final report and recommendations based upon the investigation of the fatal accident that killed seven employees at the refinery. An advance copy of the staff recommendations has not yet been made available. A 2011 CSB safety message (see Press Release and Video) on the need for preventive maintenance was based upon the investigation of this incident.

Again, the CSB is soliciting public comments at this meeting and will also accept written comments.

Thursday, December 26, 2013

DOT Announces Connected Vehicle Meeting – 1-16-14

The DOT’s Intelligent Transportation System Joint Program Office (ITS JPO) published a meeting notice in today’s Federal Register (78 FR 78467) concerning a public meeting on January 16th, 2014, to address the needs for guidelines, tools, resources, and policies that will support the successful implementation and operations of connected vehicle technologies.

The meeting is open to the public and DOT will web cast this meeting. Participants are encouraged to register in advance for participation at this meeting (either in person or via the webinar) at the following web site: http://www.itsa.org/policy2014. More information can be found at the meeting web site.


There is no specific mention of cybersecurity measures to be addressed at this meeting, but that is certainly one of the areas that this program will have to address.

PHMSA Announces Transportation Safety R&D Meeting – 1-17-14

The Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice in today’s Federal Register (78 FR 78506) announcing a public meeting of the Research and Development Forum on January 17th, 2014. The meeting will address recently completed, in process and possible future research programs related to hazardous material transportation safety issues.

Topics currently on the agenda for the meeting include:

• Modeling for Toxic Inhalation Hazard Zones
• Acute Exposure Guidelines and Emergency Response Guidebook Update
• Self-Contained Breathing Apparatus
• Cargo Tank Rollover Special Study
• Study on Improving Nurse Tank Safety
• R&D Initiatives on Packaging Testing
• Paperless Hazard Communications Pilot Program
• Odorization of LP Gas
• Safety Effectiveness of Pressure Relief Devices
• Explosives Testing
• Improving the Safety of Ammonium Nitrate Transport

This is a public meeting and people wishing to attend are encouraged to pre-register via email (tanika.dyson.ctr@dot.gov). There is no indication that this meeting will be webcast.


PHMSA is soliciting public input on the topics listed above. There is no mention in the notice about the possibility of making oral presentations at the meeting. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2013-0261; NOTE: That docket was not active as of 8:30 am on 12-26-13). There is no comment closing date provided in the notice.

Tuesday, December 24, 2013

White House Issues Twin Policy Documents

As the sixth year of the Obama Administration quickly approaches, the White House has issued two high-level homeland security policy document that are designed to shape future of programs of the Federal Government. These two documents (in order of release) are the National Strategy for Information Sharing and Safeguarding (NSISS) and the National Infrastructure Protection Plan (NIPP). Neither of these documents has any specific regulatory force, yet they are both intended to help shape the direction of a wide range of regulatory programs within the Federal government.

NISS

This strategy is designed to address the conflicts in the twin nature of information. First information must be shared to have any effect on the real world and second information shared is likely to be released to someone who should not get the information. Finding the proper balance between these two aspects of information policy is never easy.

The NISS starts out with a discussion of the current operating environment in which information collection and sharing takes place. It then establishes three Core Principals that define the Administration’s approach to information sharing (pgs 6-7):

• Information as a National Asset
• Information Sharing and Safeguarding Requires Shared Risk Management
• Information Informs Decisionmaking

With those motherhood and apple pie principals in place, the NISS outlines five goals in some depth. The listed goals are (pgs 8-13):

• Drive Collective Action through Collaboration and Accountability.
• Improve Information Discovery and Access through Common Standards.
• Optimize Mission Effectiveness through Shared Services and Interoperability.
• Strengthen Information Safeguarding through Structural Reform, Policy, and Technical Solutions.
• Protect Privacy, Civil Rights, and Civil Liberties through Consistency and Compliance.

Finally the document lists sixteen information sharing objectives with five being given the title of Priority Objectives. Those Priority Objectives are (pg 14):

• Align information sharing and safeguarding governance to foster better decisionmaking, performance, accountability, and implementation of the Strategy’s goals.
• Develop guidelines for information sharing and safeguarding agreements to address common
requirements, including privacy, civil rights, and civil liberties, while still allowing flexibility to
meet mission needs.
• Adopt metadata standards to facilitate federated discovery, access, correlation, and monitoring
across Federal networks and security domains.
• Extend and implement the FICAM [Federal Identity Credential and Access Management] Roadmap [Link] across all security domains,
• Implement removable media policies, processes and controls; provide timely audit capabilities of assets, vulnerabilities, and threats; establish programs, processes and techniques to deter, detect and disrupt insider threats; and share the management of risks, to enhance unclassified and classified information safeguarding efforts.


NIPP

The 2013 NIPP is an update of the 2009 document that I found negatively stimulating. The newer document reads better, but it still doesn’t really say much.

It starts out with the standard corporate vision-mission-goal statement (pg 5):

Vision Statement - A Nation in which physical and cyber critical infrastructure remain secure and resilient, with vulnerabilities reduced, consequences minimized, threats identified and disrupted, and response and recovery hastened.

Mission Statement – Strengthen the security and resilience of the Nation’s critical infrastructure by managing physical and cyber risks through the collaborative and integrated efforts of the critical infrastructure community.

Goals:

• Assess and analyze threats to, vulnerabilities of, and consequences to critical infrastructure to inform risk management activities;
• Secure critical infrastructure against human, physical, and cyber threats through sustainable efforts to reduce risk, while accounting for the costs and benefits of security investments;
• Enhance critical infrastructure resilience by minimizing the adverse consequences of incidents through advance planning and
mitigation efforts, as well as effective responses to save lives and ensure the rapid recovery of essential services;
• Share actionable and relevant information across the critical infrastructure community to build awareness and enable risk informed decision making; and
• Promote learning and adaptation during and after exercises and incidents.

There is an interesting, if broadly painted, discussion of the risk environment (pg 8) with the a summary of the information provided in figure 2, a graphic representation of the ‘evolving threats to critical infrastructure’. They are categorized as:

• Extreme weather
• Accidents or technical failures
• Cyber threats
• Acts of terrorism
• Pandemics

Interestingly there is a wide degree of overlap between the middle three categories that is not mentioned in the NIPP discussion. There is, however, one interesting risk that is tossed off at the end of this discussion that is then promptly ignored in the rest of the document; “vulnerabilities may exist as a result of a retiring workforce or lack of skilled labor”. Add in ‘reductions in force’ and you have an interesting topic for a whole series of discussions.

Then it provides a set of motherhood and apple pie statements (this time called ‘Core Tenets’; pgs 13-14) that will guide the remaining discussion of critical infrastructure protection:

• Risk should be identified and managed in a coordinated and comprehensive way across the critical infrastructure community to enable the effective allocation of security and resilience resources.
• Understanding and addressing risks from cross-sector dependencies and interdependencies is essential to enhancing critical infrastructure security and resilience.
• Gaining knowledge of infrastructure risk and interdependencies requires information sharing across the critical infrastructure community.
• The partnership approach to critical infrastructure security and resilience recognizes the unique perspectives and comparative advantages of the diverse critical infrastructure community.
• Regional and SLTT partnerships are crucial to developing shared perspectives on gaps and actions to improve critical infrastructure security and resilience.
• Infrastructure critical to the United States transcends national boundaries, requiring cross-border collaboration, mutual assistance, and other cooperative agreements.
• Security and resilience should be considered during the design of assets, systems, and networks.

The NIPP then goes into a lengthy discussion (pgs 15-20) of the iterative risk management framework that weaves together three elements of critical infrastructure; physical, cyber and human. It outlines five steps in the repetitive process:

• Set Infrastructure Goals and Objectives
• Identify Infrastructure
• Assess and Analyze Risks
• Implement Risk Management Activities
• Measure Effectiveness

It then goes on to describe 12 separate ‘Calls to Action’ that “will inform and guide efforts identified via the priority-setting and joint planning processes. They fall into three easily remembered categories:

• Build upon Partnership Efforts
• Innovate in Managing Risk
• Focus on Outcomes

Probably the most useful part of this document can be found in descriptions of the various organizations that have been established to aid in the critical infrastructure coordination process. This is found in Appendix A and includes:

• Sector Coordinating Councils
• Government Coordinating Councils
• Sector-Specific Agencies
• Critical Infrastructure Cross-Sector Council
• Federal Senior Leadership Council (FSLC)
• State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC)
• Regional Consortium Coordinating Council (RC3)
• ISACs
• Critical Infrastructure Partnership Advisory Council
• NICC and NCCIC
• NOC
• NCIJTF

The Real Effect


There is nothing really new or earthshaking here, as one would expect from policy documents issued at the end of the fifth year of an Administration. How much effect this will have on future actions by the Federal government will depend more on who wins control of the Senate next November than how well the Administration writes regulations reflecting these goals in the next two years.

Monday, December 23, 2013

Short Takes 12-22-13

Just some more things that I did not get a chance to address during the week.

Another Parked Train Derailment

While the actual accident came on the 13th early this week brought the announcement that BNSF railroad was offering a reward of $100 Thousand for information about the apparent vandals that released the breaks on a parked train car in Tulsa, OK. The released cars (not a whole train) rolled back onto a mainline track and into an on coming train.

No chemicals (other than 100-gal of diesel fuel) were spilled in this accident and there was no fire. If someone were, however, interested in making a nasty chemical mess, this looks like it might be a way to accomplish the task with the proper selection of either the parked cars or the passing train. The rail community needs to take a close look at this incident and come up with a better way of dealing with parked train security.

TSA Security Solicitations

TSA recently published two interesting solicitations for security proposals; one for ID authentication and one for monitoring high-risk rail car movements.

In the first the TSA is looking for the development of a “Credential Authentication Technology (CAT) system” that would allow them to verify a wide variety of identity cards. Once TSA vets such technology, it would only be smart to move it security checkpoints at other critical infrastructure locations that have a wide variety of visitors.

In the second TSA is looking for a more timely method of tracking rail security sensitive materials than the current reporting method directed by 49 CFR 1580.103. A technology solution is being looked for instead the current phone reporting method.

DHS Morale – A GAO Report

The GAO published a report this week on efforts to improve employee morale at DHS. It updates earlier reports from February and September 2012. They note that DHS has put some improvement programs into place, but as we’ve come to expect from these GAO reports, complains that DHS has not included methods to measure and track changes in morale brought about by these efforts.

Illegal Trade in Cyber Weapons

An interesting, but brief article over at NextGov.com about a provision in NDA passed this week that requires the government to “suppress the trade in cyber tools and infrastructure that are or can be used for criminal, terrorist, or military activities while preserving the ability of governments and the private sector to use such tools for legitimate purposes of self-defense”. An interesting point is made about who will determine if something is a cyber weapon or a legitimate cyber tool. Another point made is if we cannot control physical arms trade which is easier to physically detect and track, how are we going to be able to track software trade?

Cybersecurity Follows Safety Culture Model

An interesting article over at Automation.com compares the current ICS cybersecurity situation to the early efforts to legislate chemical safety. While the author tries to make the case that early legislation led to a much improved safety culture, the current chemical safety program problems being addressed by the President’s EO points to problems with trying to legislate safety/security without putting a strong enforcement effort in place to ensure compliance.

Wiper Malware

A brief article over at SecureList.com looks at the use of Wiper Malware, programs that wipe data off of systems. The author describes a number of variants currently in the wild. While their recent use has been focused at IT systems, the author closes with a scary statement:

“We estimate that Wiper attacks will continue and may become even more popular in the near future, as means of attacking critical infrastructure at precise times, to cause widespread damage.”

The use of such malware against control systems or even just segments of control systems could have devastating effects, particularly if employed against chemical process systems. Even if catastrophic releases were not bad enough, the re-startup of these complex systems would be very difficult.

Gasoline Tanker as a Weapon

An article over at NewsDay.com describes a recent Long Island accident where a gasoline tanker drove into a car resulting in a massive fuel leak and fire. A witness described the scene this way:

“There was quite a huge fireball and a river of burning gasoline running down the street."

As I have mentioned a number of times in this blog, a hijacked gasoline tanker placed in the proper place and equipped with an appropriate charge could be quite an effective weapon.

CSB Report on California Refinery Fire


The Chemical Safety Board released a draft ‘Regulatory Report’ [Download Link] as part of its ongoing investigation of the 2012 Cheveron refinery fire in Contra Costa, CA. The Board is recommending that California change the way it regulates chemical safety at refineries (and presumably other high-risk chemical facilities). They are suggesting a change to the European Safety Case Model instead of the current compliance model used by OSHA. The draft was released to solicit public comments on the suggestion. This report is particularly important because of the OSHA RFI concerning potential changes to the Process Safety Management (PSM) program.

Sunday, December 22, 2013

EO 13650: A Late 90-Day Update

It has been over a month now since I wrote anything on President Obama’s Chemical Safety and Security Executive Order (EO 13650) and that has mainly been because, beyond some listening sessions and the OSHA RFI, there does not seem to be much movement on the EO. Then Friday the beneficent information sharing gods showered me with three separate emails providing updated information on the topic; one from the American Chemistry Council, and two from the Executive Order 13650 Working Group.

ACC Blog Post

Scott Jenson, the Issues Communications Director from the ACC, sent me a link to their recent blog post on the EO. It provides a very nice summary of the events leading to the EO and the actions that apparently have been taken since. There is a great deal of support for the EO by the ACC (and most folks in the chemical industry) and that is reiterated in this blog post.

The only negative comments here are saved for the suggestions that the EO should serve as a vehicle for instituting federal requirements for implementing inherently safer technology mandates. This is a long standing ACC position, shared by most chemical companies. The post does provide a brief summary of the arguments against an IST mandate.

To date I have seen nothing that indicates that the Working Group is considering such a requirement, but it has certainly been something that has been discussed in the listening sessions as if the WG had such a proposal in the drafting phase.

January Listening Sessions

The second email I received Friday was from the Working Group (via their eo.chemical@hq.dhs.gov email address) and it concerned the listening sessions scheduled for next month. These sessions are all in-person public meetings with a listen-only telepresence capability. The dates/times and locations are listed in the table below.

All advance registrations are being handled by GovEvents.com; links are provided in the table. The linked in-person registration pages provide good details about the venue location along with a link to a Google Map to the location. There is also information about how to go about registering to provide a 5 minute presentation.

Date
Time
City
Links
1-8-14
0900 – 1630
Sacramento, CA
1-9-14
1800 – 2000
Los Angeles, CA
1-10-14
0900 – 1400
Los Angeles, CA
1-14-14
0900 – 1630
Washington, DC
1-24-14
0900 – 1630
Houston, TX

As always, written comments may be submitted to the working group, either via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2013-0075) or by email to the Working Group.

A brief note about the use of the GovEvents.com site. It does require registration and it was set up as a service for government employees. There is one point in the registration process that you have to select your affiliation. The default for most people will be ‘government employee/military’ even if you are not affiliated with the government. The owner of the site has assured me that there will be no repercussions for using that designation.

Working Group Update

The final Friday email was also from the Working Group. It provided me with a copy of an official Working Group update on EO 13650 (Undated!! Why can’t they put dates on these things? It will just get confusing when they issue a second update.).  This four page document provides a high-level summary of the EO and a listing of public actions taken to date. Those include

• Establishment of a Working Group web page on the OSHA site (link in the update does not work, they forgot to include “https://”). NOTE: There are also web pages on the EPA site and DHS site; the one on the OSHA site has the most information and the DHS web site is worthless.

• Exploring information sharing initiatives between Federal agencies and ‘vetted members of the SERCs’. Mentions include ATF and CFATS exploring these possibilities. The EPA pilot program ‘Effective Chemical Risk Management Project, Federal Region Two’, that I’ve mentioned before; still no web site for this initiative.

• Continued conversations between OSHS/EPA/ATF and the Chemical Safety Boardto improve coordination and exchange of information during investigations of chemical incidents.     

• Sharing of chemical safety/security database information between EPA, OSHA and DHS to aid in compliance checking for the three programs (RMP, PSM, and CFATS). I’ve heard the EPA-DHS database sharing was relatively easy, but they were having problems with the OSHA PSM database; database communications can be tricky.

• Publication of the interim advisory (NOTE: the link in the Update takes you to an EPA page listing a number of chemical safety publications, my link takes you to the document) on storage of ammonium nitrate.

• Publication of the OSHA RFI for updating their chemical safety regulations and guidance that I have already covered.

One small nit-picking point; all of the links in the Update take you away from the Update page without options for opening documents in separate tabs or pages. This seems to be a standard coding practice with many Federal documents and it is unnecessary and annoying.

What Was Supposed to Have Been Accomplished

The following items from the Executive Order that were supposed to have been accomplished by the 90-day point (November 5th or 22nd depending on how you count the 16 days in the Federal funding fiasco) were not addressed in this Update:

• The Working Group shall develop options for improved chemical facility safety and security that identifies improvements to existing risk management practices through agency programs, private sector initiatives, Government guidance, outreach, standards, and regulations

• The Secretary of Homeland Security, the Secretary of Labor, and the Secretary of Agriculture shall develop a list of potential regulatory and legislative proposals to improve the safe and secure storage, handling, and sale of ammonium nitrate.

• The Administrator of EPA and the Secretary of Labor shall review the chemical hazards covered by the Risk Management Program (RMP) and the Process Safety Management Standard (PSM) and determine if the RMP or PSM can and should be expanded to address additional regulated substances and types of hazards.

• The EPA and the Department of Labor shall develop a plan, including a timeline and resource requirements, to expand, implement, and enforce the RMP and PSM in a manner that addresses the additional regulated substances and types of hazards.

• The Secretary of Homeland Security shall identify a list of chemicals, including poisons and reactive substances, that should be considered for addition to the CFATS Chemicals of Interest list.

• The Secretary of Labor shall identify any changes that need to be made in the retail and commercial grade exemptions in the PSM Standard.


I always maintained that the schedule called for in the EO was more than a little tight. Most of this stuff is complex and deals with coordination between government agencies at multiple levels. There is no way that the initial schedule was going to be met.
 
/* Use this with templates/template-twocol.html */