Friday, May 31, 2013

Bills Introduced 5-29-13

With the House and Senate out of town for the week we still manage to get two bills introduced in the House this week. One is a biggie for readers of this blog since it touches on chemical security, cybersecurity, pipeline security; well just say it… it’s a homeland security bill. Infact HR 2217 is the FY 2014 DHS funding bill.

HR 2217: Department of Homeland Security Appropriations Act, 2014 Sponsor: Rep Carter, John R. (R,TX) House Reports: 113-91

You know that a bill is high priority when it is introduced with committee report during recess and the House Rules Committee has a rule hearing scheduled the first day back in session.

More info on the bill when I get finished reading it.

BTW: The other bill, HR 2216 was the military construction bill and it will share the Monday hearing.

Ammonium Nitrate Dangers

Since the explosion last month in West, TX there has been an awful lot of talk in the press (and amongst politicians) about the dangers associated with ammonium nitrate (See Twitter @Chemicalsafetyboard for the most comprehensive set of links to such news reports). The devastation in West, TX notwithstanding, ammonium nitrate fertilizer is not an explosive; to become an explosive it must be adulterated with other flammable/combustible material.

Ammonium Nitrate Explosives

Ammonium nitrate the explosive is a mixture of ammonium nitrate and fuel oil, more commonly referred to in the industry as ANFO. The ammonium nitrate explosive used in the attack in Oklahoma City was a mixture of ammonium nitrate fertilizer and racing fuel. The ammonium nitrate contributes two things to this ‘explosive’ mixture. First it is an oxidizer, upon decomposition (from heating for example) it produces oxygen gas which makes other flammable things burn faster. Secondly it increases the burnable surface area of the organic liquid by distributing it (absorbing it) throughout its bulk placing it in close proximity to the oxygen produced by decomposition. This greatly increases the speed of burning turning a flammable/combustible liquid into an explosive.

Other oxidizers can do the same thing. I mentioned in an earlier blog post ‘sugar bombs’ made by mixing either potassium chlorate or sodium chlorate with sugar. Again, the oxidizer provides both a matrix and an oxygen source for the explosive.

West Explosion

As far as we know (and we may never know because of the bureaucratic infighting between ATF and the Chemical Safety Board; mostly on the ATF side from what we have heard in the news) no one deliberately added any combustible/flammable liquids in the stored ammonium nitrate at West Fertilizer. There may have been other combustible organic material in the area (seeds, wood construction building, wood constructed storage bins, etc) that the oxidative properties of the ammonium nitrate turned into explosives. There was after-all something burning in the area and oxidizers don’t really burn.

Self Accelerating Decomposition Reaction

Nearly all molecules, if heated to a high enough temperature, will decompose into small molecules and/or atoms. There is a class of molecules, however, that when they begin decomposing produce heat that will accelerate the decomposition process through a self-accelerating decomposition reaction (SADR). Ammonium nitrate is one of these molecules.

Since gasses are typically the end product of these SADRs a great deal of pressure can build-up during the decomposition process if the material is in a confined space, such as a container. Since heat has a tendency to weaken the strength of the confining material, these pressure buildups from SADRs frequently result in the violently catastrophic failure of the container. That looks to most people like an explosion.

In large bulk storage of ammonium nitrate the material itself may act as the container, particularly if it is in a structured storage situation like bins. There are even reports that something falling onto a large bulk of heated ammonium nitrate may be enough to cause this type of pressure explosion.

Comparative Risks

So, ammonium nitrate is not an explosive, it is an oxidizer. As with other oxidizers you keep it away from combustible materials and you generally do not have any problems. This is clearly reflected in the large amounts of this material that are handled every day in this country in very large quantities and the very small number of explosive incidents that do occur.

To put this in perspective, let’s look at some other readily available chemicals that people handle every day that have the potential for causing explosions much larger than the one in West Texas. Gasoline for instance; under the proper circumstances the fumes from a gasoline spill may form just the right fuel air mixture to become a deadly fuel-air explosive (see the 2009 Catano Oil Refinery explosion in Puerto Rico or the 2013 PEMEX refinery explosion). Under the proper circumstances the amount of fuel in a gasoline tanker truck could easily be enough to produce an explosion comparable to West Fertilizer. These trucks drive major city streets every day.

Natural gas is another flammable, a gas this time instead of a liquid, that under the proper circumstances can produce a devastating explosion. The Chemical Safety Board has investigated a number of these (see The Little General Store) as has the NTSB (see San Bruno). Again, under the proper circumstances a significant, but hardly catastrophic, pipeline leak can also produce an explosion comparable to West Fertilizer. These pipelines run through neighborhoods.

None of this decreases the problems seen in the West Fertilizer situation. Neither the EPA nor OSHA has taken any actions on regulating SADR type situations (See T-2 Labs Explosion) as strongly recommended by the TSB. Congress has done nothing to provide support to the CSB in this matter and continues to under-fund and under-staff the agency.

Maybe the West Fertilizer explosion and all of its publicity will help change this situation. Probably not.

EPA Publishes 2016 Methyl Bromide Critical Use Notice

Today the Environmental Protection Agency (EPA) published a notice in the Federal Register (78 FR 32646-32650) requesting the critical use information from manufacturers, distributors and users of methyl bromide for 2016. This annual requirement is part of the EPA’s ‘phase-out’ of the use of methyl bromide as a fumigant in the agricultural sector under the Montreal Protocol on Substances that Deplete the Ozone Layer.

According to the notice the US recently submitted it recommendations for 2015 critical use exemptions and it “included only three uses (strawberries, fresh dates and dry cured ham)”. This is unusual since just last year the EPA and the Department of Agriculture approved the use of methyl bromide for fumigating imported shipments of cotton seed for cattle feed. That use is not discussed in this notice.


One of the reasons that the EPA has recommended only those three areas, arguably the largest current uses, for the use of methyl bromide is that they have determined that there are substitutes available for other uses. These substitutes include:

• Sulfuryl Flouride – Dried fruit and nuts/flour mills, rice mills and pet food; and
• 1,3-Dichloropropene – Cucurbits, Eggplant, Pepper and Tomato/Orchard Replant/Ornamentals/Nurseries/Golf Courses;

Neither of these substitutes is currently listed as a DHS chemical of interest (COI) for the CFATS program. The manufacturers of these pesticides almost certainly use COI, but this will probably not result in new manufacturing or distribution, just increases in volume.

Applicants can still apply for use of methyl bromide for the above applications, but they must show economic and/or efficacy data that shows that methyl bromide is justified in that use over the substitutes. It will be interesting to see how many such nominations are received or approved.

Methyl Bromide and CFATS

As a toxic inhalation hazard (TIH) chemical, methyl bromide was initially on the proposed DHS list of COI. As part of the rule making process, however, it was removed from the list because the phase out of its use would make it unnecessary. Here it is almost five years later and the use of methyl bromide is still on-going and will continue in at least some limited form for the foreseeable future.

DHS has had on-going conversations with the chemical industry and other interested parties about possible modifications to Appendix A of the CFATS regulations. It seems that these discussions have been sidelined by ISCD efforts to resolve other programmatic problems. If and when such efforts resume, the issue of methyl bromide needs to be readdressed.

NOTE: Last year’s notice for the 2015 critical use submissions was posted on May 18th; almost two weeks earlier than this post. This program keeps getting further and further behind on all of its administrative actions. This is part of the reason that the EPA keeps having to resort to extralegal actions to authorize legitimate uses of methyl bromide every year. 

Thursday, May 30, 2013

SOCMA Announces CSSS Registration Open

The SOCMA web site today announced that the registration for the 2013 Chemical Sector Security Summit (July 10-11, 2013) is now open. They have provided a link to the 2013 CSSS site which, in turn, has a link to the registration page. Registration is still free, but only pre-registered personnel will be allowed into the CSSS. The block of rooms at the Hyatt Regency Baltimore will only be held open until June 10th, so you need to register early.

There is not currently any information on the DHS 2013 CSSS web page reflecting this information.\

TSA Publishes 60-day TWIC ICR Notice

Today the Transportation Security Administration published a 60-day information collection request (ICR) notice in the Federal Register (78 FR 32417-32418). This is a follow-up to the March approval of an emergency ICR extension to reflect changes in the Transportation Workers Identification Credential (TWIC) information collection process brought about by the short-term renewal process initiated last summer.

There is little actual information in this notice beyond a brief statement of burden estimates. As shown in the table below the burden estimates in this notice are higher than those published in the approved emergency extension. Without a number for the number of expected responses it is difficult to explain the change in time burden and cost. Based upon the number of folks currently enrolled in the TWIC program (2,556,783) we would expect to see about 500,000 renewals alone each year.

Current Burden
This ICR
Not Reported
Time Burden (hours)

TSA does not explain the cost burden (and again I applaud TSA for including this figure; it is inexplicably absent from most ICR notices) estimation process. Based on the current published data the cost is just about $50 per response, so it does not include the actual cost of the application fee for either the extended TWIC ($60) or  the new/renewed TWIC ($129.75).

The TSA is soliciting public comments on this ICR. Comments may be submitted via the Federal eRulemaking Portal (; Docket # TSA-2006-24191). Comments should be submitted by July 29th, 2013.

NOTE: This ICR has nothing to do (directly) with the current Coast Guard TWIC Reader NPRM.

Wednesday, May 29, 2013

ICS-CERT Reports New Siemens Vulnerabilities

Today the DHS ICS-CERT published an alert concerning two vulnerabilities in the Siemens Scalence switch family. Siemens ProductCERT self-reported these two vulnerabilities. The vulnerabilities are:

• Privilege escalation vulnerability -  CVE-2013-3633; and
• Input validation vulnerability - CVE-2013-3634

NOTE: Since these vulnerabilities were reported to the US-CERT National Vulnerability Database last Friday the CVE links above are already active. The long weekend is the apparent reason for the delay in the ICS-CERT Advisory.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to execute arbitrary commands or execute a denial of service attack. Siemens notes that the attacker must have network access to exploit both vulnerabilities and specific device access for the second.

The advisory notes that Siemens has provided a firmware update for the affected devices that mitigates both vulnerabilities. Siemens also notes (pg 2 of Siemens Advisory) that for the second vulnerability there is an additional workaround available to mitigate the vulnerability; the device owner can “either disable SNMP or to completely disable any read-write access”.

Tuesday, May 28, 2013

DHS ITF IdeaScale Cybersecurity Project – Software Registration

This is part of a continuing series of blog posts about the latest DHS-IdeaScale project to open a public dialog about homeland security topics. This dialog addresses the DHS Integrated Task Force project to help advance the DHS implementation of the President’s Cybersecurity Framework outlined in EO 13636. The earlier post in this series was:

This weekend I posted my fourth ‘idea’ to the ITFCCP site (NOTE: It did not make it live to the site until this morning, the moderators appear to work government hours). Readers of this blog probably saw this one coming, I would like to see vendors ‘register’ their systems, particularly their software and firmware, with an organization like ICS-CERT. To encourage vendor participation DHS could give them liability protection under the SAFETY Act. In turn they would agree to

• Provide DHS with a list of third-party components of their registered systems;
• Notify DHS when they identified, or were notified of the discovery, of a zero-day vulnerability;
• Allow DHS to notify registered high-risk critical infrastructure facilities of the zero-day vulnerabilities; and
• Work with DHS to minimize the vulnerabilities of each component of their registered system.

This proposal would allow vendors to become an integral part of the protecting critical infrastructure from cyber attacks.

As I have mentioned before, participating in this forum may be the easiest way that vendors, owners and researchers in the control system community may have a direct impact on the implementation of the President’s Cybersecurity Executive Order (EO 13636). So visit, read, comment, vote, and most of all suggest.

Honeypots Attacked But Not Real ICS?

We have been seeing a couple of reports (for example) about organizations setting up ICS honeypots and finding that they are attacked fairly routinely. If the honeypot results are translatable to actual control systems, we should be seeing lots of reports about attacks on actual systems.

We are hearing about some sort of ‘attacks’ on energy company control systems, but very little information about those is making it into public discussion. The public reports seem to indicate that these are more system information gathering attempts rather than actual attacks (though they may be preludes to attacks), so even these are not the same as being reported from the ICS honeypot experiences.

So, are the honeypots being targeted because they are honeypots, or are they really representative of what is happening in real world control systems. If we assume that honeypots aren’t being specifically targeted (And what self-respecting hacker would waste their time on such a target?) then why are we not seeing evidence of more attacks on control systems? I think there may be a couple of explanations.

First off, the vast majority of deployed control systems are relatively unsophisticated and have little to no security. For most of these facilities there are no cybersecurity professionals on staff and there may not even be a trained control systems engineer working at the facility. Indications of a simple hack may be nothing more than a hiccup in the control system; an intermittent failure in a particular control. The standard response would be to replace the ‘faulty’ control or maybe even just monitor for future failures. Even an ICS DOS attack might not be recognized as an attack by most organizations.

A sophisticated attack could seriously damage equipment or shut the plant down, but there is little incentive for a sophisticated attacker to hack most control systems; no economic or political gain to justify the expense. The average hacker, however, is not going to have both the cyber-system knowledge and the process knowledge necessary to cause serious harm to these systems, except by accident. They might be able to gain that level of sophistication by constant observation and tweaking of the system, but few hackers will have the incentive to spend that amount of time and effort on the average control system.

The average hacker will use these most vulnerable control systems to refine and develop their ICS skills. They will establish backdoors that they can use to verify to their friends and competitors that they have hacked these systems and they may leave the hacker equivalent of Easter eggs in the system to mark their passage, but their goal will be to remain undectected by the system owners. Being detected by unsophisticated owners will be a pre-requisite to their moving up the hierarchy of control system sophistication.

The organized hackers (nation states, terrorists, criminal gangs, hacktavists) are going to go after the big guys, the ones with at least some compute security savvy. These are the ones that would justify the time and knowledge necessary to have a significant, planned and controlled attack on a control system. The other systems, however, are going to be the ones that experience the most frequent attacks, and unfortunately, they are the ones least likely to be able to deter, detect or delay such attacks.

Monday, May 27, 2013

Congressional Hearings – Week of 5-26-13

Congress may be out of Washington for the Labor Day Recess (the ultimate long weekend; they come back to work on 6-3-13), but that doesn’t mean that they don’t hold hearings. There are two hearings scheduled on the West Coast this coming week and one may be of interest to the chemical safety community.

The Panel on 21st Century Freight Transportation, a special subcommittee of the House Transportation and Infrastructure Committee will be holding a field hearing on “How Southern California Freight Transportation Challenges Impact the Nation” on Thursday in San Bernardino, CA. According to a Committee press release the panel will be looking at “how the region’s unique transportation challenges impact the movement of freight throughout the entire Nation”. Issues affecting chemical transportation and Hazmat may be addressed.

There is no indication on the Committee web site that this hearing will be web cast.

Sunday, May 26, 2013

CFATS PSP Comments – 05-25-13

This is part of a continuing series of blog posts on the public comments submitted about the DHS 60-day ICR notice for the CFATS Personnel Surety Program (PSP). The other post in the series is:

We finally have some comments from the corporate sector, three from trade associations, one from a large chemical manufacturer and one from a background check provider.

Personnel Information

The background check provider calls out ISCD on a couple of paperwork issues, including:

• Maintaining PII files of information submitted to ISCD;
• PRA Notice signature requirements; and
• PII collection and storage for non-employees.

The major chemical manufacturer raises the same issues in their submission.

CSAT Requirements

The background check provider also wants to know some of the details about how the CSAT requirements for third-party submitters. They ask an interesting question, will lists of information (PII) submitted for the PSP have to be protected as Chemical-Terrorism Vulnerability Information (CVI) like the rest of the information submitted thru CSAT?

Lack of Authority to Require PSP Submissions

The chemical manufacturer and a trucking industry group question the authority of DHS to require data submissions to ISCD for local PSP. They cite the §550 stipulation that the Secretary may not require any specific security measure. They miss the loophole that was published in the 60-ICR Notice stating that facilities could propose alternative PSP measures in their Site Security Plan.

An explosives industry group agrees with the above comment and goes on to question the use of an information collection request as the vehicle for imposing essentially regulatory requirements on industry.

Alternative Visitor Process

The manufacturer notes that they had previously proposed an alternative method for submitting PII for visitors and contractors. They had proposed to NPPD that DHS could establish a secure web portal for individuals to submit the PII necessary for a Terrorist Screening Database (TSDB) search if they were going to be desiring to gain access to a covered facility. The manufacturer expresses concern that DHS has not followed up on the suggestion as promised.

TWIC, etc Procedures

The chemical manufacturer continues to complain about having to submit PII information on personnel who have a TSDB-based security identification. The explosives organization makes the same point, but further complains that ISCD is not accepting the ATF background check process that uses the same TSDB vetting.

The trucking group goes even further noting that requiring a HME holder to undergo additional security checks under federal programs is prohibited by 49 USC §5103a(g)(1)(B)(i)(I)-(II).

A training industry group supports the ISCD requirement for submitting PII for vetting personnel with other TSA supported identification, noting that a brief visual examination of the credential cannot determine if it is “expired, revoked or fraudulent”.  They additionally point to the problems with the TWIC Reader identified by GAO.

TSDB Positives

The manufacturer and the explosives group re-iterates their concern about DHS not notifying the facility if an individual is identified as having terrorist ties during the TSDB vetting.

48-Hour Submission Requirement

The chemical manufacturer objects to the 48-hour PII submission requirement for the TSDB vetting. They argue that since DHS will not routinely be informing facilities of positive TSDB matches, what difference does submitting the information 48-hours in advance of providing unescorted access make?

The trucking group notes that the 48-hour notice requirement could unnecessarily limit the availability of commercial deliveries.

Saturday, May 25, 2013

Comments for TWIC Reader NPRM – 5-25-13

This is part of a continuing series of blog posts on the public comments filed in the previous week for the Coast Guard’s TWIC Reader NPRM. The previous posts in the series are listed below.

This is the first week into the comment extension period. One comment was published before the old comment period end on Tuesday and the remaining five comments were posted on Friday.

GAO Report

The GAO report was mentioned this week. A private individual had a comment just on the GAO issues, suggesting that the “GAP performance issues” need to be resolved before the TWIC Reader Rule moves forward. A maritime union recommended that the GAO recommendation for a security assessment of the TWIC program (not just the TWIC Reader) is conducted

Every Entry Rule

Complaints continue (here, here and here) about the requirement to use the TWIC as a flash pass every time an individual enters a secure space on Risk Group B and C vessels.

Facilities Serving Multiple Passenger Vessels

One commenter wanted clarification about the risk group status of a facility that only served Risk Group B and C vessels, but that might have multiple vessels being serviced at the same time putting it over the 1000 passenger limit.

Need for TWIC Readers

An industry association questioned the need for adding TWIC Readers to security plans for Risk Group A vessels and facilities. They did not see how it would materially increase security or reduce the potential occurrences of Terrorism Security Incidents (TSI). A maritime union agrees and extends that to the TWIC program in general. Neither comment will be effective in this particular case because both the program and the TWIC Reader have been mandated by Congress, not the Coast Guard.

Pipeline Security Amendment Defeated

I did not pay much attention to HR 3, the Northern Route Approval Act, when it came up for consideration this last week. While it is a pipeline act (it us the latest House effort to get the Keystone Pipeline route across the border into Canada – hence the ‘Northern Route’ – approved) it seemed to me to be more about politics and jobs than safety or security. Oops, I was wrong.

Anti-Terrorist Security Certification

I came across this yesterday when I was looking for something in Wednesday’s Congressional Record Daily Digest in the discussion about the floor action associated with the passage of HR 3:

“Connolly [D,VA] amendment (No. 4 printed in H. Rept. 113–88) that sought to require a threat assessment of pipeline vulnerabilities to terrorist attack and corrective actions necessary to protect the pipeline from such an attack and to mitigate any resulting spill (by a recorded vote of 176 ayes to 239 noes, Roll No. 172)” (pg D488)

Well, I went back and found H. Rept. 113-88 and read the meat of Amendment #4, the Connolly Amendment; it would be added as §3(b):

“THREAT ASSESSMENT.—Subsection (a) [Existing §3] shall not apply until the Pipeline and Hazardous Materials Safety Administration, in consultation with the Department of Homeland Security, conducts a study of the vulnerabilities of the pipeline to terrorist attack and certifies that the necessary protections have been put in place so that the pipeline would withstand such an attack and a spill resulting from such an attack.”

This doesn’t seem like an unsound or unreasonable stipulation to add to the Keystone Pipeline approval bill. After all, there have been terrorist attacks on pipelines in Canada (See Here and Here). Okay, they were apparently local ‘terror’ attacks in protest of local ‘sour gas’ production, but they were terror attacks. But, in any case, the Keystone Pipeline would have to be considered a potential target of environmental wacos or jihadist wacos; so security will certainly be a legitimate concern.

Republican Opposition

The Republican response, delivered by Rep. Schuster (R,PA) simply noted that:

“My good friend from Virginia, I understand his need to make sure that our pipelines are safe, but this amendment is redundant of existing Transportation Security Administration guidelines. It’s unnecessary and simply attempts to further delay the project.” (CR 5-22-13; pg 2879)

Of course stopping the delays of the pipeline approval and construction process was the whole point of this bill so it is understandable why the amendment failed on a recorded vote of 176 – 222 on a mainly party-line vote.

Voluntary TSA Program

Of course, Schuster was wrong, the amendment is not really duplicative of existing programs since it would have required PHMSA (it probably should have been TSA) to certify “that the necessary protections have been put in place”. TSA certainly does have a pipeline security program in place, but it is completely voluntary. I have heard reports that the TSA program is fairly effective, but there is no real data to support or dispute that since there are no public measures of how many facilities participate (or not) or how many facilities comply with the TSA suggested security measures.

This is not the TSA’s fault; they have not been given any authority to establish a regulatory program for pipeline security.

Moving Forward

Okay this is really a non-issue since HR 3 will almost certainly not make it to the floor in the Senate and even if it did, it would almost certainly not pass. The only thing that the vote did do was to give next year’s Democratic campaigners a vote to show that they were more interested in security than were the Republicans. In tight campaigns that might be enough, especially if there is even an abortive attempt at an attack on a pipeline in the interim.

PHMSA Workshop on Integrity Verification Process

The Pipeline and Hazardous Material Safety Administration published a public meeting notice in Monday’s Federal Register (available on-line today, 78 FR 32010-32011) about a public workshop on the concept of “Integrity Verification Process.” This is a very preliminary and incomplete notice for the meeting in August.


According to the Notice summary:

“At this workshop, the Pipeline and Hazardous Materials Safety Administration, the National Association of State Pipeline Safety Representatives and various other stakeholders will present information and seek comment on a proposed Integrity Verification Process that will help address several mandates set forth in Section 23, Maximum Allowable Operating Pressure, of the Pipeline Safety, Regulatory Certainty, and Job Creation Act of 2011 [49 USC §60139].”

More information on this workshop and its agenda will be posted on the meeting web page as it becomes available.

New MOAP Requirements

Interestingly there are three integrity verification deadlines set forth in that section of the Pipeline Safety, Regulatory Certainty, and Job Creation Act of 2011:

• “The Secretary of Transportation shall require each owner or operator of a pipeline facility to conduct, not later than 6 months after the date of enactment of this section, a verification of the records of the owner or operator relating to the interstate and intrastate gas transmission pipelines of the owner or operator in class 3 and class 4 locations and class 1 and class 2 high-consequence areas.” {§60139(a)(1)}

• “Not later than 18 months after the date of enactment of this section, each owner or operator of a pipeline facility shall identify and submit to the Secretary documentation relating to each pipeline segment of the owner or operator described in subsection (a)(1) for which the records of the owner or operator are insufficient to confirm the established maximum allowable operating pressure of the segment.” {§60139(b)(1)}

• “Not later than 18 months after the date of enactment of this section, the Secretary shall issue regulations for conducting tests to confirm the material strength of previously untested natural gas transmission pipelines located in high-consequence areas and operating at a pressure greater than 30 percent of specified minimum yield strength.” {§60139(b)(1)}

Since the bill was signed into law on January 3rd of 2012, all three of these deadlines will have passed by the time this public workshop is held. PHMSA met the first deadline last May and the second was addressed in a December 2012 PHMSA Advisory Bulletin. The rulemaking requirement has not yet seen PHMSA publish a notice of proposed rulemaking to date. I will admit that an 18-month time limit to issue a new regulation is more than a tad bit tight.

Public Participation

PHMSA is soliciting public participation at the workshop. To ensure that adequate space is provided, PHMSA is requesting advanced registration, though no method of such registration has yet been provided. You may want to contact Cameron Satterthwaite, Office of Pipeline Safety, at ( Written comments on the workshop or the workshop topics may be submitted via the Federal eRulemaking Portal (; Docket PHMSA-2013-0119); though they do seem to be having some communications issues today.

Cybersecurity Workshop Update

As I noted earlier, this coming week the National Institute of Standards and Technology will be holding their second Cybersecurity Framework Workshop in Pittsburgh, PA. This last week they updated their agenda for the meeting. As expected this provides a clearer indication of what will take place at the meeting and ties in the NIST analysis of comments received in response to their request for information.

After a brief introduction to the NIST Framework process and their review process for the RFI comments the workshop participants will be broken out into four groups to cycle through the below listed discussion groups. Each participant will take part in each of the tracks.

• Business of Cyber Risk
• Threat Management
• Cybersecurity Dependencies and Resiliency
• Cybersecurity Progression and Maturity: From Basics to Advanced Cybersecurity

The agenda specifically notes that attendees should expect to discuss “specific standards, guidelines, and practices identified in the RFI responses”. It would probably be a good idea (a little bit of sarcasm) to download the NIST analysis and read it before attending. I still say that it would be beneficial if NIST published the database they developed from the RFI responses. This would provide participants with better data upon which to discuss the proposals as there is no way that the participants will be expected to wade through the over two hundred responses; some of them quite detailed. Even I didn’t do that in detail.

I am disappointed that there is still no indication that NIST intends to treat control system security different than information system security in the Framework. There are too many fundamental differences between the two types of cybersecurity for them not to do so. NIST certainly has the internal technical expertise to understand this, but there has been nothing to date in their discussion of the development of the Framework that would so indicate. Maybe this will be addressed in Pittsburgh.

Friday, May 24, 2013

Bills Introduced – 05-23-13

With the Memorial Day Recess coming up there was a typical surge in the number of bills introduced yesterday. Of that large number of bills two will probably be of interest to the chemical security and cybersecurity communities. They are:

S 1034 Latest Title: A bill to authorize appropriations for fiscal year 2014 for military activities of the Department of Defense and for military construction, to prescribe military personnel strengths for such fiscal year, and for other purposes. Sponsor: Sen Levin, Carl (D,MI)

HR 2146 Latest Title: To extend the Terrorism Risk Insurance Program of the Department of the Treasury for 10 years. Sponsor: Rep Capuano, Michael E. (D,MA)

The military spending bill may provide cybersecurity language. It will be interesting to see if the latest terrorism insurance extension bill (this one with a large number of bipartisan co-sponsers) corrects the deficiencies I’ve noted in the two earlier bills.

DHS ITF IdeaScale Cybersecurity Project – System Registration

This is part of a continuing series of blog posts about the latest DHS-IdeaScale project to open a public dialog about homeland security topics. This dialog addresses the DHS Integrated Task Force project to help advance the DHS implementation of the President’s Cybersecurity Framework outlined in EO 13636. The earlier post in this series was:

Yesterday I posted a new ‘idea’ for discussion on the DHS/IdeaScale Integrated Task Force Collaboration Community (ITFCC). This idea is actually a two parter:

• Identifying high risk control systems; and
• Registering high-risk control system with ICS-CERT to get earlier warnings of zero day vulnerabilities

High-Risk Cyber Systems

I’m going to ignore information systems here; those can be dealt with by different controls and procedures. I’m going to concentrate on control systems because it is only throught their unauthorized manipulation that a cyber-attacker can cause widespread physical damage to society. This high-consequence risk provides a legitimate societal concern with the security of such systems.

Even at a high-risk, high-consequence facility, not all control systems or even their components have an equal potential to cause catastrophic off-site consequences. It is only those portions of the cyber-systems controlling physical processes that could cause off-site catastrophic consequences that society has a legitimate interest in seeing that the systems are adequate secured. Identifying and perhaps isolating those high-consequence components will help to prioritizes where to spend the time, money and manpower to ensure that the systems are adequately secured against attack or unintentional failure. Of course, any other components of the overall cyber-system that allow for access to those critical components become critical in their own right.

A prime prerequisite of any serious cybersecurity program must be to identify these components that provide a determined attacker the capability to cause widespread physical harm via computer controlled system.

Zero-Day Vulnerability Warnings

If society has a strong interest in the prevention of attacks on high-consequence control systems, they also have a concomitant obligation to provide assistance to the owners of such systems in the protection of those systems. One such critical form of assistance is the notification of system owners when a zero-day vulnerability (ZDV) is discovered in their protected system.

There is a legitimate argument to be made that the wide spread dissemination of information about ZDVs increases the risk to cyber-systems because it is generally easier to exploit a ZDV than to mitigate one, particularly since the skill sets necessary to develop a mitigation strategy are frequently not found in-house at critical infrastructure facilities.

A targeted distribution of ZDV knowledge to high-consequence installations using the vulnerable systems avoids a certain amount of the danger associated with providing ZDV information to various adversaries. But to accomplish this the ZDV information distribution agency must know what facilities have what control system components deployed in critical installations. This requires the registration (voluntary or otherwise) of those components with an organization like ICS-CERT.

If ICS-CERT were to have this information, when they were contacted with information about an ICS ZDV they could (immediately after notifying the vendor of the vulnerability if the information comes from a researcher) notify those facilities deploying the vulnerable system in a high-consequence application. For those facilities without in-house or contract control system security capabilities, ICS could provide assistance in setting up interim security processes while waiting for the vendor to rectify the vulnerability.

Public Participation

A quick reminder here that the whole ITFCC program requires public participation in the suggestion, discussion, selection and implementation process. The ITFCC web site is a forum for suggesting and discussing ideas that could become parts of the process for the security of critical infrastructure cyber-systems. Failing to participate in that process makes it less likely that you will be satisfied with the products of that process; products that you may be compelled to employ.

Take a couple of minutes and look at my latest idea and the other ideas currently under discussion at the site. Provide comments where you feel appropriate; become part of the discussion. Vote up or down on all of the ideas that you feel you can or cannot live with. And more importantly, provide your own ideas on how we as a society can increase the security of the cyber-systems that are an integral part of our everyday lives.

Thursday, May 23, 2013

PHMSA Pipeline Public Awareness Workshop

The Pipeline and Hazardous Material Safety Administration published a notice in today’s Federal Register (78 FR 30964-30965) concerning an upcoming public workshop “to bring pipeline safety stakeholders together to discuss ways to improve public awareness outreach” on pipeline safety. The two day meeting will start on June 19th and will be held in Richardson (Dallas), TX.

This workshop is part of the PHSMA outreach on its incorporation by reference of the American Petroleum Institute’s (API) Recommended Practice (RP) 1162, "Public Awareness Programs for Pipeline Operators (1st edition)." The goals of the work shop, according to the PHSMA web site, include:

• Provide an overview of the public awareness program and discuss recent inspection findings;
• Understand what's working and not working with RP 1162 (1st edition) from various stakeholder perspectives (industry, pipeline operators, public, emergency response officials, local public officials, and excavators);
• Share ways to improve public awareness outreach efforts; and
• Discuss the path forward for improving public awareness.

The public is invited to attend this workshop or view the web cast (Again I hearted endorse any effort by agencies of the Federal government to utilize web casts to extend the range of participation in any public meeting NPPD PLEASE NOTE). The registration form for the workshop provides for both public and virtual attendance or even follow-up information if not able to attend.

Bills Introduced – 05-22-13

Congress was busy yesterday with a fairly large number of bills introduced. One in particular will probably be of interest to the chemical security/safety community:

S 1009 Latest Title: A bill to reauthorize and modernize the Toxic Substances Control Act, and for other purposes. Sponsor: Sen Lautenberg, Frank R. (D,NJ)

This bill has been widely mentioned in the press because of the wide political range of its co-sponsors and at least initial support by the chemical industry.

There is one other bill that I just have to mention in passing because of its obvious internal contradictions. I won’t be mentioning this bill again.

HR 2113  Latest Title: To end the practice of including more than one subject in a single bill by requiring that each bill enacted by Congress be limited to only one subject, and for other purposes [emphasis added]. Sponsor: Rep Marino, Tom (R-PA) (introduced 5/22/2013) 

You just can’t make stuff up like this.

ICS-CERT Publishes CODESYS Gateway Advisory

Yesterday afternoon DHS ICS-CERT published an advisory about a ‘use after free’ vulnerability in the CODESYS Gateway application. The vulnerability was reported by Nicholas Miles in a coordinated disclosure.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to conduct a DOS or execute arbitrary code. CODESYS has developed an update to mitigate this vulnerability and Miles has verified its efficacy.

The Advisory notes that Gateway application is used by multiple vendors in other products and many integrators use the application in developing integrated automation systems. The Advisory includes the following recommendation:

“Control systems vendors should review their products, identify those that incorporate the affected software, and take appropriate steps to update their products and notify customers.”

Readers might recognize that this is exactly the type situation that I had referred to in my recommendation on the Integrated Task Force Collaboration Community site. While CODESYS has probably notified the system vendors to whom they have sold this system, it is not clear that all of the system owners of integrator built systems would get notified of their exposure to this vulnerability.

Wednesday, May 22, 2013

PHMSA Resumption of Transportation NPRM

The Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice of proposed rulemaking (NPRM) in today’s Federal Register (78 FR 30258-30266) implementing Congressional requirements for the agency’s enhanced enforcement procedures resumption of transportation rules. These requirements were set forth in §33009 of MAP 21 (PL 112-141).

Clarify the Department's position with respect to perishable hazardous material, by amending the opening of packages provision of the Department's hazardous materials procedural regulations for the opening of packages, emergency orders, and emergency recalls;
Recognizes the special characteristics and handling requirements of perishable hazardous material by clarifying that an agent will stop or open a package containing a perishable hazardous material only after the agent has utilized appropriate alternatives;
Codify the statutory notification requirement in HMTSIA by incorporating into the regulations the Department's current notification procedures from the operations manual that was developed in conjunction with the PHM-7 final rule; and
• Add a new provision to address appropriate equipment for inspectors.

Public comments on this NPRM are being solicited by PHMSA. Public comments may be filed via the Federal eRulemaking Portal {; Docket #PHMSA-2012-0259 (HM-258B)}. Comments must be received by July 22nd, 2013.

BTW: The MAP-21 requirements include a mandate for the Secretary to have these regulations finalized by July 6th, 2013; an unrealistic requirement if there ever was one and one that will obviously not be met.

ICS-CERT Closes Mitsubishi Alert

Late Monday afternoon the DHS ICS-CERT published a new advisory for the Mitsubishi MX Component that closed the book on the alert for that equipment that was issued last month. Both documents address an ActiveX buffer overflow vulnerability that was discovered by Derek Betker and  Dr Ide, who published exploit code for the vulnerability on the web site.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to execute a DOS attack or executing arbitrary code. Mitsubishi recommends upgrading the equipment to MX Component version 4.3 which is not affected by this vulnerability.

Tuesday, May 21, 2013

Update DHS Spending Mark-up Information

Earlier this week I mentioned that the House Appropriations Committee would be holding a mark-up of the DHS FY 2014 spending bill. Today the Committee placed additional information on the hearing web site. They provided an updated draft version of the bill and a draft copy of the Committee Report that will accompany the bill. Both documents contain important provisions for DHS cybersecurity and chemical security operations.

Draft Bill

This new draft bill is apparently different than the version that I reviewed during the approach of the Homeland Security Subcommittee hearing last week. All of the CFATS provisions and TWIC Reader provisions that I discussed in that earlier post remain the same in this new version of the bill.

Draft Report

In many ways the Committee Report that accompanies these spending bills is more important than spending bill. The reports provide the Appropriations Committee a certain level of oversight over individual programs through the pocket book. Most times programs like CFATS never get mentioned in the main bill, but do frequently get attention in the report.

Some of the items discussed in this draft report include:

• TSA requirement to develop “a program to facilitate the tracking of motor carrier shipments of highway security-sensitive materials (HSSM)” (pg 59);
• Detailed TWIC Reader discussion (pgs 61-2);
• CFATS funding at FY 2013 level (pg 82);
• Detailed CFATS discussion (pgs 83-86);
• Ammonium Nitrate security discussion (pgs 85-86) and
• Cybersecurity discussion (pgs 86-88)

Several of these items deserve a detailed discussion. If they remain in the final Committee Report, I will address them in more detail.

NTSB Announces Single-Truck Accident Meeting

Today the National Transportation Safety Board announced in the Federal Register (78 FR 29781) that they would be holding a meeting in Washington, DC on June 4th to look at the results of a Safety Study on the Characteristics of Single-Unit Truck Accidents Resulting in Injuries and Death.

We have been seeing a large number of news reports about single-truck accidents, many of which involve hazardous materials. A reduction in the number of such accidents would be of immeasurable benefit to shippers, transporters and the general public.

The meeting is open to the public and the NTSB will web cast the meeting (I am so glad to see more and more federal agencies learn the value of webcasting; NPPD PLEASE take note). The link will be available on the website.

NPPD Extends Comment Period on CFATS Personnel Surety Program ICR

Today the DHS National Protection and Programs Directorate (NPPD) published and ICR Comment extension notice in the Federal Register (78 FR 29759) extending the comment period on the CFATS Personnel Surety Program (PSP) information collection request. The fourteen day extension moves the end of the comment period to June 4, 2013.

The extension notice does not mention any specific request for additional time. It justifies the move by saying:

“The Department believes that the public would benefit from additional time to provide comments on the March 22, 2013 CFATS Personnel Surety Program Notice and Request for Comments.”

Today was supposed to have been the closing day for comments so it is uncertain if the extension will practically provide any additional time for comments. Typically corporate comments come in at the end of the comment period, so the management decision to comment or not will have already been made.

To date only three comments have been posted and only one of those made any substantive suggestions. After the firestorm of comments received on the previous ICR, I expect that ISCD is waiting for the other shoe to drop, but it looks like they may have addressed the major concerns of industry with the previous PSP proposal. Oh well, another 14 day delay in fielding the PSP won't make much difference, I hope.

Public comments on the PSP may be submitted via the Federal eRulemaking Portal (; Docket # DHS-2012-0061).

Monday, May 20, 2013

Cyber Threats and Security Solutions Hearing Update

The House Energy and Commerce Committee has updated their hearing web site with additional information about tomorrow’s hearing on Cyber Threats and Security Solutions. Copies of witness testimony have been posted to the site.

The testimony of Dave McCurdy, President and CEO, American Gas Association, will be of particular interest to the cybersecurity community and the pipeline security community. He provides an interesting summary of the various programs that help the pipeline industry identify cybersecurity issues and techniques for dealing with those issues. Since a great deal of the industry’s cyber portfolio deals with control systems over hundreds of thousands of miles of pipelines, McCurdy’s testimony is mainly about control system security issues.

You would expect that the testimony from a former head of the CIA, R. James Woolsey, would focus on intelligence issues related to cyber security. Unfortunately, Woolsey’s testimony is a one-trick-pony-show about the threat of electromagnetic pulse (EMP) attacks. I’ll admit that the consequences of an EMP event (natural or man-made) is a potentially catastrophic cyber-problem on a very large scale, but this does not seem to be the place to do more than mention the threat in passing.

Former Directory of National Intelligence (DNI) McConnell does address intelligence and information sharing issues in his testimony. He introduces a new and very scary term “suicide cyber attacks”, fortunately he doesn’t provide a definition of the term that lives up to the scare value of its source term, suicide bomber. How you get the blind acceptance of a sure death linked up with the intellectual curiosity necessary for cyber-attacks is completely ignored.

It looks like the remainder of the nine-member witness panel will be dealing with IT security issues. I’m not belittling those concerns, there are very many more IT computers out there, but I will leave coverage of their testimony for other bloggers.

HR 1945 Introduced – Terrorism Insurance Extension

As I noted in an earlier blog post, Rep. Thompson (D,MS) introduced HR 1945, the  Fostering Resilience to Terrorism Act of 2013. The bill would extend the operation of the Terrorism Risk Insurance Act (TRIA, 15 USC 6701 note) until 2024. In many ways this bill is similar to HR 508, the TRIA Reauthorization Act of 2013.

Program Extension

The extension of the current terrorism risk insurance program is accomplished by making the following changes to the TRIA:

• In the definition of ‘Program Year’ {§102(11)(G)} it changes the last program year from 2014 to 2024 (HR 508 changes this to 2019);
• In the discussion of insured loss shared compensation and the recoupment of the Federal share for an attack that occurs after January 1st, 2012 {§103(e)(7)(E)(i)(III)} extends the date for the government to collect premiums from September 30th, 2017 to September 30th, 2024; and
• Changes the termination date of the program {§108(a)} from December 31st, 2014 to December 31st, 2024 (HR 508 changes this to 2019).

Recoupment of Federal Costs

Rep. Thompson apparently misunderstands the way the TRIA works even more so than does Rep. Grimm (R,NY). Both of them change the date of the Federal recoupment to 2020 for terrorist attacks conducted after January 1st, 2012. This means that what was originally intended to be a two to three year recoupment period is changed to a 22 year period for attacks that (would have) occurred in 2012. This amendment should have included a sliding scale of attack dates and recoupment dates.

Thompson compounds Grimm’s error by extending all dates to 2024. This means that for terror attacks that took place in later years would have less time for insurance companies to reimburse the federal government for the share of the claims paid for by the federal government. Each year that recoupment time would become smaller and smaller. In 2024 the federal government would be required to recoup all funds that it would pay out in future years for attacks in 2024.

Homeland Security Information

Section 4 of this bill goes further than HR 508 in that it requires the Department of Homeland Security to help increase the resilience to terrorist attack of facilities insured under TRIA. The bill would amend the TRIA (15 USC 6701 Note) by adding §103(j) to require DHS to provide:

• Timely homeland security information, including terrorism risk information, at the appropriate classification level {§103(j)(1)}; and
• Information on best practices to foster resilience to an act of terrorism {§103(j)(2)}.

The bill would also require the Secretary to report to Congress as to how well critical infrastructure organizations were incorporating the information provided by DHS into their business operations. It would be interesting to see how DHS would collect the information necessary to complete that report.

Moving Forward

In a press release, Rep. Thompson said:

“The Boston Marathon bombings last month serve as a stark reminder that terrorism and mass violence remain both a homeland security and economic threat. If TRIA is allowed to expire next year, there may be fewer insurers offering terrorism insurance and prices potentially could increase. By extending this program for 10 years, we will ensure much-needed stability and predictability for the business community.”

The Boston terror attack may provide adequate impetus for the passage of an extension of the TRIA. Grimm’s bill probably has a better chance to get to the floor of the House since it is assigned to only a single committee (the Financial Services Committee) for review while Thompson’s bill also has to go through a review at the Homeland Security Committee. That plus the fact that Grimm is a Republican on the Financial Services Committee makes it more likely that his bill will move forward in that Committee.

HR 1960 Introduced – NDA

As I noted last week Rep. McKeon (R,CA), Chairman of the House Armed Services Committee, introduced HR 1960, the National Defense Authorization Act for Fiscal Year 2014. This is one of the authorization bills that frequently contain cybersecurity language because of the increasing emphasis on cyber-warfare. As introduced, however, there are no significant mentions of cybersecurity. This may change during the legislative process.

Congressional Hearings – Week of 5-19-13

While both the House and Senate will be in Washington this week, we only have to worry about hearings from the House, at least those of us in the chemical safety/security and cybersecurity communities. There will be two House cybersecurity hearings and two hearings on spending matters.


Two different subcommittees of the House Energy and Commerce Committee will both be looking at cybersecurity issues on the same day. Fortunately one is in the morning and the other is in the afternoon; otherwise the cybersecurity staff would be hard pressed to whisper the right questions into the correct congressman’s ear.

In the morning the Energy and Commerce Subcommittee will be holding a hearing on “Cyber Threats and Security Solutions”. The witness list is available and it is lengthy. Dr. Gallagher, Director of NIST, will be the first panel; no prizes for guessing what he will be talking about.

The second morning panel (I almost expect a second and third panel) will include:

• Dave McCurdy, American Gas Association
• John M. (Mike) McConnell, Booz Allen Hamilton
• R. James Woolsey, Woolsey Partners LLC
• Michael Papay, Northrop Grumman Information Systems
• Phyllis Schneck, McAfee, Inc.
• Charles Blauner, Citigroup, Inc.
• Duane Highley, Arkansas Electric Cooperative Corporation
• Robert Mayer, United States Telecom Association

The afternoon hearing will be conducted by the Communications and Technology Sub-Committee and will address “Cybersecurity: An Examination of the Communications Supply Chain”. While this does not directly affect control system security (except of course where it interfaces with a communications network) many of the same issues will apply to the control systems supply chain. The Subcommittee does have a staff background memo up on the Committee web site that provides the witness list and a description of the topics to be addressed.

Money Hearings

We will need to monitor the outcome of two mark-up hearings this week that will be looking at money matters.

The House Appropriations Committee will be marking up the as yet un-numbered FY 2014 Homeland Security spending bill on Wednesday. I’ve already described some of the CFATS and TWIC related language that is in the draft document. The Homeland Security Subcommittee met last week to do their markup, but we will not seeing the results of that mark-up until the bill is introduced.

There will be a whole series of hearings this conducted this week by the various subcommittees of the House Armed Forces Committee on the FY 2014 National Defense Authorization Act, HR 1960. The one that will probably be of interest to the cybersecurity community will be the markup being conducted Wednesday by the Subcommittee on Intelligence, Emerging Threats and Capabilities. Again, we probably will not be seeing the results of this hearing until the Committee Report is prepared.

Sunday, May 19, 2013

ICS-CERT Publishes TURK Gateway Advisory

On Friday (okay, it was dated Thursday, Tweeted Thursday, but it wasn’t posted on the public site until Friday) ICS-CERT published an advisory for a hard-coded credential vulnerability in two programmable gateways from TURK. The vulnerability was reported by Ruben Santamarta of IOActive in a coordinated disclosure.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to execute arbitrary code or shut down the system, or just about anything else someone with direct access to a PLC could do (okay I added the last).

The advisory notes that TURK has developed a firmware update that removes the FTP service, but it does not state that Santamarta or anyone else from IOActive has verified the efficacy of the update. Unfortunately neither link provided in the advisory for downloading the firmware updates takes you any closer to the updates than a search page on the TURCK web site and none of the typical search terms (BL20 Update, BL20 Firmware, BL 67 Update, BL 67 Firmware, or Firmware Update) work.

Oh well, I guess it wasn’t important anyway.

/* Use this with templates/template-twocol.html */