Wednesday, July 31, 2013

Bills Introduced – 07-30-13

With just a couple of days to go before the summer recess there are a number of bills being introduced in both Houses that are meant solely for political consumption back in the district. It appears that the one bill of potential interest to the chemical safety community might fall into that category.
S 1388 Latest Title: A bill to require the Secretary of Health and Human Services, in consultation with the Administrator of the Environmental Protection Agency and the Secretary of Energy, to conduct a study on the public health and environmental impacts of the production, transportation, storage, and use of petroleum coke, and for other purposes. Sponsor: Sen Levin, Carl (D,MI)

S 1388 is almost certainly a companion measure to HR 2298

ICS-CERT Publishes GE Cimplicity Advisory

It has been three weeks since ICS-CERT last published an advisory. Yesterday they published an advisory for an improper input validation vulnerability on the GE Cimplicity system. The vulnerability was discovered by two researchers, ZombiE and amisto0x07, that was released in a coordinated disclosure via a HP TippingPoint’s Zero Day Initiative.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to execute arbitrary code on the system. GE has released updates for the affected systems, but ICS-CERT does not report that anyone has independently verified the efficacy of the fix.

The GE Security Advisory for this vulnerability actually describes this as “multiple vulnerabilities” as the problem exists when GlobalView, WebView or ThinView are enabled. GE recommends that these views should be disabled if not being used and provides instructions for doing so. If GlobalView is needed it should be configured to run with the IIS web server.

BTW: GE published their advisory on June 18th. I would like to think that the delay in publishing the ICS-CERT version was so that it could be released on the restricted US-CERT server to allow owners with access to that service a chance to correct the problem before public disclosure was made. But, ICS-CERT usually mentions that in their advisories when that occurs.

Tuesday, July 30, 2013

CFATS Hearing Update – 07-30-13

The House Homeland Security Committee updated their hearing website for their CFATS hearing on Thursday. They added the witness list for the hearings. The witness list incudes three familiar faces and three new faces.

The familiar faces include:

• David Wulf, ISCD Director;
• Stephen L. Caldwell, US GAO; and
• Mr. Timothy Scott Dow Chemical

Director Wulf will make his first solo appearance before Congress; usually he has accompanied Under Secretary Rand Beers who has been temporarily been booted upstairs. Director Caldwell will present the latest GAO report. CSO Scott will present the major industry outlook on the CFATS program.

The new faces include:

• Paul Derig, J.R. Simplot Company;
• Donnie, Texas Ag Industries Association; and
• Sean Moulton, Center for Effective Government

The first two will represent agricultural interests before the panel, an industry that hasn’t had much to say publicly about CFATS since the interim final rule was adopted in 2007. Mr. Moulton will be representing the inherently safer technology viewpoint at this hearing.

The interesting question for hearing observers is whether the questions about small companies ignoring CFATS requirements will overshadow questions about the Site Security Plan implementation progress. I suspect that the two different panels will be arrayed as I’ve described them above and each panel will get questioned on the different aspects of the current CFATS situation.

CFATS Knowledge Center Update – 07-30-13

Today the folks at ISCD updated their CFATS Knowledge Center web page. They added links to the CFATS Fact Sheets for May thru July; the April CFATS Fact Sheet link has been there since ISCD first started publishing these documents. The links can be found in the ‘Documentation’ section of the page.

According to the ‘Latest News’ announcement of this addition today ISCD notes that: “These fact sheets are also available via the Publications page.” Unfortunately they don’t provide a link since I cannot find it on their Fact Sheet page. Searching using the pull down “Chemical Security” provides a ‘No items matched’ response as does just searching June or July.

Actually that is of academic interest only. The most logical place to search for these is on the CFATS Knowledge Center page that is more closely controlled by the CFATS people. I really hate to tar the ISCD folks with the ugly problems of the general DHS web site.

Connected Vehicle Planning and Policy Meeting

Today the Department of Transportation’s Intelligent Transportation System Joint Program Office (ITS JPO) published a meeting notice in today’s Federal Register (78 FR 45996-45997) for a public meeting seeking input from the planning community and related national associations on policy and legal aspects of Connected Vehicle implementation. The meeting will be held on September 12th, 2013 in Washington, DC.

With talks being given at this week’s blackhat convention on hacking automotive control systems, the timing of this notice seems especially appropriate. According to the DOT’s Connected Vehicle Research web site:

“The development and deployment of a fully connected transportation system that makes the most of multi-modal, transformational applications requires a robust, underlying technological platform. The platform is a combination of well-defined technologies, interfaces, and processes that, combined, ensure safe, stable, interoperable, reliable system operations that minimize risk and maximize opportunities.”

Unfortunately there is little information about this meeting in the notice beyond the time and place. The ITS JPO will provide more information about the meeting to registrants. To register to attend the meeting contact  Elizabeth Machek of the Research and Innovative Technology Administration ( With the limited information being made available to the public it does not seem to me that DOT is really interested in public feedback on this program.

S 1353 Introduced – Cybersecurity

As I noted last week, Sen. Rockefeller (D,WV) introduced S 1353, the Cybersecurity Act of 2013. This bill has received a lot of attention in the main stream press as a bill that would formally implement the cybersecurity framework initiated by the Obama Cybersecurity Executive Order (EO 13636), but there is very little linkage, if any, between the two.

The bill is organized into three Titles:

Title I — Public-Private Collaboration on Cybersecurity
Title II — Cybersecurity Research and Development
Title III — Education and Workforce Development

The last two titles are little more than rehashes of R&D and education programs outlined in other legislation and share the same short comings. No new funds are identified for the new and or repurposed programs so they will either have to steal funds from other worthwhile programs without Congress accepting responsibility for that reprograming or the new programs will die still born due to the lack of funds.

The meat of the bill is found in Title I, but even that suffers from the lack of specific funding authority for the executive actions that are directed to be accomplished by that title.


Before we actually get to Title I we need to first glance through Sections 2 and 3. Section 2 of the bill defines three terms to be used in this bill:

• Cybersecurity mission;
• Information infrastructure; and
• Information system.

The first is a very expansive term that describes a wide range of activities that includes such things as threat reduction, international engagement, resiliency (which is not an activity the last time I looked) and incident response to name a few. It also ropes in some aspects of even more disparate activities such as law enforcement, diplomacy, military and intelligence missions where they relate to the security and stability of cyberspace.

The second term, ‘information infrastructure’, means “the underlying framework that information systems and assets rely on to process, transmit, receive, or store information electronically” {§2(b)}. Interestingly the definition specifically includes “communications networks, and industrial or supervisory control systems [emphasis added] and any associated hardware, software, or data”.

Before anyone gets too excited about the specific of control systems, it needs to be made clear that the construction of the second and third definitions limits those control systems to those that directly support information systems. The definition of that term comes from 44 USC 3502(8) where it is defined as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information”. So we can forget this bill covering security for any control system that manufactures, controls or moves anything besides information.

One last thing that we need to look at before we get to Title I is §3 of the bill. It specifically and unequivocally states:

“Nothing in this Act shall be construed to confer any regulatory authority on any Federal, State, tribal, or local department or agency.”

Public-Private Collaboration - NIST

Section 101(a) starts out by modifying the list of activities that the Secretary of the Department of Commerce is allowed (not required) to perform through the Director of the National Institute of Standards and Technology (NIST) under 15 USC 272(c) by adding sub-paragraph (15) that would allow “on an ongoing basis, [to] facilitate and support the development of a voluntary, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to reduce cyber risks to critical infrastructure”.

If the drafters of this bill had really wanted NIST to undertake a proactive cybersecurity development program they would have listed this program in §272(b) under the mandated functions of the Institute rather than under the allowed activities in §272(c). This is especially true since §272(c)(13) and (c)(14) already provide wide latitude to study computer controls and information systems.

Section 101(b) goes on to add another paragraph to 15 USC 272. Section 272(e) provides additional details about how the Director is to go about executing his newly allowed activities. There is a lot of coordinating and consulting mentioned before one gets to the meat in §272(e)(1)(A)(iii) that outlines a mandate (in an allowed, not required activity) to “identify a prioritized, flexible, repeatable, performance-based, and cost-effective approach” that can be voluntarily adopted “owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks”.

Section 272(e) goes on to require that the approach would

• Mitigate impacts on business confidentiality {§272(e)(1)(A)(iv)(I)};
• Protect individual privacy and civil liberties {§272(e)(1)(A)(iv)(II)};
• Incorporate voluntary consensus standards and industry best practices {§272(e)(1)(A)(v)};
• Align with international standards ‘to the fullest extent possible’ {§272(e)(1)(A)(vi)}; and
• Prevent conflict with regulatory requirements, mandatory standards and related processes {§272(e)(1)(A)(vii)}.

Section 272(e)(2) provides limited protection of information shared with or provided to the Director of NIST in support of §272(c)(15). It specifically states that the information “shall not be used by any Federal, State, tribal, or local department or agency to regulate the activity of any entity”. The bill does not, however, provide any protection against public disclosure of that information or use of that information in civil actions by those other than the government. Nor are there any provision to protect against anti-trust actions based upon the sharing of standards, best practices or security practices.

There are also no provisions in this bill for protected information sharing about specific intelligence or threat information. To be fair, one would not expect that in an NIST activity as it is not part of the intelligence community, but the sharing of threat intelligence will almost certainly have a major impact on the development of best practices, methodologies and procedures. Without open and effective threat information sharing the effectiveness of any such developments will be stunted to say the least.

EO Lite

Because the crafters of this bill limited Title I of the bill to just activities at NIST, this bill only supports just the barest number of supports for the Cybersecurity Framework currently be  developed by NIST in support of the President’s EO. Without the activities outlined for agencies in DHS, DOD, Justice and GSA in the EO, the most effective parts of the Framework are either not present or not supported by this flimsy legislative structure.

The biggest shortcoming of this bill in this regards is the complete lack of any indication that one of the largest portions of the cybersecurity threat currently facing this country is not information related (though that is certainly an important area of concern) but rather the vulnerability of physical control systems to manipulations that could cause  widespread physical damage, mass casualties or the destruction of infrastructure that would reverberate throughout our economy through cascading supply chain damage.

Moving Forward

This bill will likely move through markup today without discussion. The big question will be if, after the summer recess, it will have any chance of making it to the floor of the Senate. A lot of that will depend on the competing bills that are crafted between now and then. This is a bland enough bill that it would probably pass, both here and in the House if it were to make it a vote.

Monday, July 29, 2013

CFATS Update Sheet

This is just a brief note to explain that the July 2013 CFATS Update Fact Sheet that I wrote about earlier this month is now directly available through the DHS Critical Infrastructure – Chemical Security web page. Before today you had to know where it was through a link like the one in my blog to be able to find this.

FYI: The old link to the June 2013 update is still good (though there is no guarantee for how long) as is the one for the original April 2013 update. The link for the May 2103 update no longer works.

Senate Cybersecurity Markup

The Senate Commerce, Science and Transportation Committee announced today that they will be conducting a markup hearing of S 1353, the Cybersecurity Act of 2103 tomorrow. This will have to be one of the fastest rubber-stamp hearings on record as the Committee will also be considering 11 other Senate bills, one resolution, eight nominations and the Coast Guard promotion list. I’ll be very surprised if there is much discussion about this bill.

The copy of the bill just became public this afternoon. I’ll have a report on it before morning.

Congressional Hearings – Week of 7-28-13

This is the last week before the long summer recess and Congress is going to try to get a lot of stuff done. With that said there are only four hearings currently on the schedule (and one promised) that may be of specific interest to the chemical safety/security and cybersecurity communities; DOD spending, one CFATS hearing, one chemical safety hearing and maybe a cybersecurity hearing.


The Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee of the House Homeland Security Committee will be holding a hearing on Thursday on "West Fertilizer, Off the Grid: The Problem of Unidentified Chemical Facilities." No witness list is currently available, but we can be assured that David Wulf, the ISCD Director will be there. The other perennial favorite Rand Beers has been temporarily bumped upstairs so there is no telling who will be representing NPPD.

Chemical Safety

The Senate Environment and Public Works Committee will be holding a hearing on Wednesday looking at “Strengthening Public Health Protections by Addressing Toxic Chemical Threats.” This could be a chemical security hearing, no witness list to judge by, but I suspect this will be a look at Sen. Boxer’s re-work of the late Sen. Lautenberg’s TSCA bill (S 1009).

DOD Spending

There will be two mark-up hearings this week in the Senate for the FY 2014 DOD spending bill, the Homeland Security Subcommittee on Tuesday and the full Appropriations Committee on Thursday. We might see the bill published before the Senate heads home Friday.


The Senate Commerce, Science and Transportation Committee is supposedly going to be holding a markup hearing this week on S 1353, Senator Rockefeller’s Cybersecurity Framework me-too bill. We still haven’t seen an official version of the bill in print nor is there anything on the Committee web site about a hearing, but there are news reports that this will be coming this week.

Floor Action

The Senate will resume consideration of the Transportation spending bill (S 1243) today. When it passes the Senate will hold off further action until the House adopts HR 2610 later this week. The Senate will then substitute the S 1243 language for the House language and send the bill to conference. There are big differences on overall spending here so this one could get ugly.

HR 2787 Introduced – FY 2014 DOC Spending

As I noted last week Rep. Wolf (R,VA) introduced HR 2787, the Commerce, Justice, Science, and Related Agencies Appropriations Act, 2014. The House Appropriations Committee has favorably reported the bill so it may now be acted upon by the House.

The bill provides funding for a number of agencies that have significant cybersecurity missions, including the National Institute of Standards and Technology (NIST) and the National Science Foundation (NSF). There is no specific mention of cybersecurity in the bill itself. The closest mention is found in §515 that requires agency heads to consult with the FBI to ensure that information systems being acquired have been investigated for potential cyber espionage risks, particularly if the equipment comes from China. A distant second is §533 that prohibits funds from being used to establish or maintain a computer network that doesn’t proactively block porn sites.

There are some brief mentions of cybersecurity issues in the Committee Report.  A variety of reports to Congress are required, including an annual report on cyber-attacks executed against the Department of Commerce (pg 6). The Committee Report does note that the bill provides “funding to strengthen NIST’s core cybersecurity research and development programs” (pg 61).

All of the other cybersecurity mentions in the Report deal with Dept. of Commerce internal cybersecurity measures. This includes funding for an Enterprise Security Operations Center that would provide “Department-wide, 24×7 security status information on cyber security threats” (pg 31). Additional reporting is also required on responses to an IG FISMA report on “significant weaknesses exist in basic security practices” (pg 31) in the Dept. of Commerce.

Saturday, July 27, 2013

Cybersecurity Framework – Update 07-27-13

This week the National Institute of Standards published a link to a new update document on its Cybersecurity Framework page. The document provides an overview of the results of the 3rd Cybersecurity Framework Workshop and briefly explains some changes that are being made in the Framework document based upon feedback received at that workshop.

As one would expect at this point in the process there are no earth shattering changes being made. For example they are changing the names of the proposed functions that will act as the backbone of the document, but not what those functions represent. I’ve listed the old and new function names below.

OLD: Know, Prevent, Detect, Respond, and Recover
NEW: Identify, Protect, Detect, Respond, and Recover

Small Business Concerns

There are a couple of points in this update document that reference small businesses concerns. In some ways this is surprising because it did not seem to me that the definition of ‘critical infrastructure’ in §2 of the Cybersecurity Executive Order (EO 13636) would apply to many (if any) small businesses. So, either NIST’s interpretation of that definition is much wider than most commentators have accepted, or NIST is truly trying to make this a framework that can be adopted by a much wider range of organizations than the President envisioned.

If it is the former, I think that we need a wider and more vocal discussion of the types of organizations that will fall under the coverage of the EO. Since making that determination is actually a DHS tasking {at least as far as identifying the specific organizations that are Critical Infrastructure at Greatest Risk, §9(a)} it would be helpful if DHS were to publicly explain the process by which they have selected organizations to be on the list of “critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security”.

If the small business concerns in the update document are instead based upon producing a Framework document with the widest possible voluntary application, I applaud NIST’s vision. I do, however, have to question whether this expansion of purpose (however laudable) will interfere with the core mission of developing a cybersecurity framework for critical infrastructure.

International Engagement

Another area addressed in the update document that is of potential concern is the emphasis on the international context of the Framework. It is clear to anyone with a modicum of sense that modern businesses of a certain size almost always operate in an international arena. And it is certainly hard to argue that separating the computer systems between the international and domestic operations of such businesses is a practical way for most organizations to operate.

But, if the Framework is not to be prescriptive or establish new standards, but is simply a method by which businesses can organize and evaluate their cybersecurity practices, then it is hard to see why cyber-systems would have to be separated at the international border. I don’t see anything in the way this is supposedly being laid out that would require any consultation or coordination with any international body.

I am not saying that the US is the font of all knowledge cybersecurity. There are certainly good sources of information about best practices and international standards (which multi-national businesses will have to include in their cybersecurity programs) outside of our borders. International standards certainly need to be included in the compendium of information sources about cybersecurity.

I do, however, have some concerns when NIST says that they need more vigorous international outreach to “ensure greater awareness of and standards harmonization [emphasis added] with the Cybersecurity Framework” (pg 2). This is supposed to be a national critical infrastructure cybersecurity framework, not one that addresses protecting French, Nigerian or Chinese cyber infrastructure.

Now if the intent is to actually make this Framework a new cybersecurity compliance standard to which even a limited number of Critical Infrastructure at Greatest Risk organizations must comply, then yes, we need to ensure that the organizations that are required to comply with the standard must still be able to operate in an international environment. But, if that is the case, NIST and the Administration needs to make that perfectly clear so that the appropriate discussions can take place during the development. And, the current timeline needs to be immediately scrapped.

Public Involvement

As I have mentioned on a number of occasions, NIST is doing an outstanding job of pulling a wide number and variety of folks into the development of the Framework. Pulling in hundreds of self-anointed experts into these workshops and guiding them through productive discussions has got to be harder than herding a cloned army of Schrodinger’s cats.

As we’ve come to expect from NIST’s Information Technology Laboratory (the NIST action agency here) the closing section of the update document is titled “Stay Engaged” and encourages concerned folks that cannot attend the next Cybersecurity Framework Workshop (this time in Dallas, TX, September 11th – 13th) to provide feedback, comments and suggestions to email them to

I understand NIST’s intent here and even applaud it, but there is an underlying problem that needs to be addressed with these email communications. This Cybersecurity Framework is for all intents and purposes a regulatory process. The Administration can declaim its voluntary nature as much as it wants, but as soon as it starts providing incentives for participation in the framework it becomes a de facto regulation that organizations must adhere to to receive those incentives.

This means that NIST must ensure that the public record of the discussions that are taking place during the development of the Framework is complete. This includes the emails sent to the cyberframework address.

Input Data Analysis  

Having complained about a minor incompletion of the record in the preceding section of this post I have to now complain about the embarrassing wealth of data that is currently available in the public record on this project. We now have three multi-day workshops of public discussions about various aspects of the development of the Framework and the fourth workshop is fast approaching. Most of the discussions were webcast to an unknowably large audience and have been archived for the record.

Unfortunately, the complexity of the record ensures that any number of good ideas may have been overlooked. The breakout organization of the workshops has compounded the problem. A suggestion that might have met with a lukewarm reception in one group may have had profound implications in another if it had only been introduced there. A few years ago this would have been a problem relegated to historical discussions as only historians would have the time and inclination to delve into the records in that depth.

NIST, in their meta analysis of the public comments on the original cybersecurity framework request for information, showed us that modern computer technology provides a much better way of pulling bits of information out of large volumes of public data. I would like to suggest that it would be appropriate for NIST to attempt the same sort of analysis of the suggestions made during these workshops and the subsequent email suggestions received on the same topics.

I understand that encoding verbal ideas is more than slightly more complicated than entering written records, but the OTHER government agency with responsibility for cybersecurity apparently has extensive experience and technology capable of cataloging verbal records. Marrying the two efforts in this way would be a profoundly useful example of the application of heretofore classified techniques.

Even if the not so secret agency were to share a not quite up-to-date version of their analysis system with NIST I still think that it would make a valuable contribution to science of public data analysis. It would also make workshops like this a more valuable technique for developing technically challenging rules and regulations.

Friday, July 26, 2013

THUD Amendments – 7-25-13

During floor action in the Senate yesterday on S 1243, the Transportation, Housing and Urban Development, and Related Agencies Appropriations Act, 2014 (THUD), two new amendments were introduced that might be of interest to the chemical transportation safety and cybersecurity communities; one of which was passed by unanimous consent.

Cybersecurity Amendment Adopted

The Senate adopted a cybersecurity amendment as part of an en bloc adoption of three amendments without debate. SA 1803 (Cong Rec 7-25-13 Pg S5975) was introduced by Sen. McCain (R,AZ) and it was almost identical to SA 1780 that he introduced yesterday. The same withholding of cybersecurity funds pending the same report is being required by the new amendment. The only difference is that it does not list which congressional committees should be the recipients of the report; instead is specifies that it should be submitted “to the appropriate committees of Congress”.

HAZMAT Transportation Amendment

Sen. Menendez (D,NJ) introduced SA 1812 (Cong Rec 7-25-13, Pg S 5977) that would require the Administrator of the Federal Railroad Administration (FRA) on the safety of transporting hazardous materials over movable railroad bridges. The study would be specifically required to address {§155(b)}:

• The adequacy of span locking and its relation to the practice of trains passing over bridges displaying a stop signal; and
• The adequacy of training received by train crews to inspect their route before passing over a bridge displaying a stop signal.

This amendment is almost certainly related to the Paulsboro, NJ train derailment in November of last year that involved a movable bridge. According to news reports there were a number of previously reported problems with track alignment and signals on that bridge before the accident. Earlier this month an NTSB public hearing also addressed this issue.

Interestingly, the completed report is not required to be submitted to Congress, but to be placed on the FRA web site. Not that I’m a big fan of reports to Congress, but a report placed on a web site (while probably more available to the public) will be easier for Congress to ignore in consideration of any revisions to hazmat transportation safety laws. 

This is another amendment that will probably be approved without discussion or vote.

Moving Forward

The Senate will resume consideration of S 1243 on Monday afternoon.

Bills Introduced – 07-25-13

There was one bill introduced yesterday that may be of specific interest to the chemical security community. It was:

HR 2836 Latest Title: To strengthen the enforcement of background checks with respect to the use of explosive materials. Sponsor: Rep King, Peter T. (R,NY)

Thursday, July 25, 2013

THUD Amendments in the Senate – 07-24-13

Yesterday Sen. McCain (R,AZ) offered an amendment to S 1243 (SA 1780), the Transportation, Housing and Urban Development, and Related Agencies Appropriations Act (THUD), 2014 that dealt with cybersecurity. The amendment would withhold DOT cybersecurity funds until the Secretary reported on the planned uses of those funds.

• The report would be required to include:
• How the cyber security funding will be obligated or expended;
• The programs and activities that will receive cyber security funding;
• If and how the use of the funding complies with the Federal Information Security Management Act of 2002 (6 U.S.C. 101 et seq.) and any other applicable Federal law;
• The performance metrics that will be used to measure and determine the effectiveness of cyber security plans and programs; and
• The strategy that will be employed to procure goods and services associated with the cyber security objectives of the Department of Transportation.

As I noted in an earlier blog, the bulk of the DOT cybersecurity spending identified in the Senate Appropriations Committee Report would be going to the FAA. Some of the systems involved could be described as control systems. They are of a very specialized nature and most of the cybersecurity tools developed for them would probably not be widely applicable to industrial control systems.

This amendment is not one of the limited number that has been listed as ‘pending’ in the Congressional Record’s Daily Digest, but it still could be brought to the floor at any time during the debate of HS 1243 at the discretion of the leadership. These ‘report’ types of amendments have a good probability of passing if brought to a vote even if this one is a bit coercive.

Bills Introduced – 7-24-13

There was one bill introduced in the Senate yesterday that will be of specific interest to the cybersecurity community.

S 1353 Latest Title: A bill to provide for an ongoing, voluntary public-private partnership to improve cybersecurity, and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness, and for other purposes. SponsorSen Rockefeller, John D., IV (D,WV)

This is almost certainly the anticipated and much discussed Rockefeller bill to essentially codify the President’s cybersecurity executive order.

Wednesday, July 24, 2013

House Passes HR 2397

Earlier this evening the House passed HR 2397, the Department of Defense Appropriations Act, 2014, in a largely bipartisan vote of 315 – 109. The vast majority of Republicans and almost half of the Democrats voted in favor of the spending bill. As expected the two amendments limiting military spending in Syria and Egypt (# 97 and #98) passed by voice votes. The least restrictive anti-NSA amendments (#99) passed overwhelmingly and the more restrictive (#100) narrowly failed.

As I noted earlier today, the one cybersecurity amendment cleared for consideration was never brought to the floor for debate or vote. The only cybersecurity measures in the House passed version of the bill are those that were included in the Appropriations Committee version of the bill.

It is not yet clear when the Senate will take up this bill as the Appropriations Committee still has not introduced their version of the bill yet.

House Skips Cybersecurity Amendment to HR 2397

Yesterday during the consideration of amendments to HR 2397 the sole cybersecurity amendment that was cleared to be offered on the floor (Langevin #7 in the Rules Committee Report) was skipped. Under the rule for the consideration of HR 2397 once an amendment is skipped in sequence it cannot be brought back up.

So if this bill passes, a high probability but not a foregone conclusion in the House, the only cyber-provisions will be the ones put in place by the Appropriations Committee.

The debate continues today with a probable vote late this afternoon.

NOTE: The Senate Appropriations Committee has not yet published their version of the DOD spending bill.

S 1329 Introduced – FY 2014 DOC Spending

As I briefly noted last week Sen. Mikulski (D,MD) introduced S 1329, the Commerce, Justice, Science, and Related Agencies Appropriations Act, 2014. The Senate Appropriations Committee also favorably reported the bill for consideration by the Senate.

The bill itself does not contain any specific cybersecurity language; the programs are all funded at too low a level to show up as items in the bill. The Committee Report does provide some cybersecurity language for programs at both NIST and NSF. Interestingly there is no mention of the President’s cybersecurity executive order (EO 13636) in the Report even though NIST is one of the prime movers in executing the EO provisions.

NIST Cybersecurity

The Committee Report (pg 20) lists three cybersecurity programs supported by NIST spending:

$15,000,000 for the National Cybersecurity Center of Excellence;
$15,000,000 for the Comprehensive National Cybersecurity Initiative; and
$24,500,000 for the National Strategy for Trusted Identities in Cyberspace

There is nothing here that specifically targets control system security, though research funding could be used for that purpose.

NSF Cybersecurity

The Report notes (pg 122) full funding for NSF cybersecurity research ($159,250,000) which includes $57 million for the above mentioned Comprehensive National Cybersecurity Initiative.

A separately funded program, the CyberCorps scholarship for service program is being funded at $45,000,000, which is $20,000,000 above the requested level. The report notes that:

“More than 900 students have completed the program, which was initiated in fiscal year 2001; 92.6 percent of students have placed with more than 120 Federal agencies.”

It would be interesting to see how many of them have since transferred to private industry.

Moving Forward

As with all Senate spending bills the typical process will entail the language from this bill being substituted for the House language (in HR 2787 in this case which was introduced yesterday) and then goes to conference to work out the differences. Only in this case this is one of the lower priority spending bills so some version of the two bills will probably get folded into an omnibus spending bill or continuing resolution.

Bills Introduced – 7-23-13

There was just one bill introduced yesterday that may be of specific interest to the cybersecurity community.

HR 2787 Latest Title: Making appropriations for the Departments of Commerce and Justice, Science, and Related Agencies for the fiscal year ending September 30, 2014, and for other purposes. Sponsor: Rep Wolf, Frank R. (R,VA)

This bill funds NIST and NSF both of which have cybersecurity programs.

More on CFATS Threats

I’ve had some interesting feedback on yesterday’s blog post about the congressional letter to the Secretary. Rather than try to quote some un-named sources we’ll just blame me for the ideas which are mine in any case. They just threw up the observations and I make the ideas out of whole cloth.

General Duty Clause

As I have made clear on a couple of occasions, the Clean Air Act General Duty Clause (GDC) is not a piece of security regulation. It is a piece of good regulation writing that allows the Administrator of the EPA to go after obvious environmental and safety problems that Congress and the regulation writers overlooked or couldn’t foresee. When used in that manner it is valuable regulatory tool that makes us all safer.

If the CFATS program were to be defunded or otherwise eliminated without a replacement, the political reality is that someone would have to step in to regulate high-risk chemical facilities. The only law that I know of that is currently in place that could be stretched to fit that need is the GDC. Does the EPA want to do this? Not hardly, they are understaffed and underfunded in their efforts to enforce the Risk Management Plan program. Having to reinvent the wheel with even less congressional advise and support than the CFATS folks had would be a thankless job at best.

Would it happen? I think so. Any administration with a trace of gumption and any idea of the potential threat would have to take some action. I hope that Representative McCaul, Upton and Carter remember that as they move forward with their threats. And, of course they will; they are already fighting hard against efforts of organizations in the environmental community to force EPA to turn the GDC into a security rule.

The point I was trying to make in my earlier post was not a suggestion to use the GDC as a substitute for an ineffective CFATS program, but rather to remind people that you have to be careful when you make threats. At some point in time the victim is likely to tell the bully ‘go ahead and do your worst’. Be sure you have the stomach for the consequences.


Apparently some people have been making the point in Washington that the EPA’s RMP program and OSHA’s PSM program regulate many of the same facilities covered by CFATS and they do a better regulatory job with fewer people and less money. The information about the comparative resources is certainly true, but the ‘better regulatory job’ is not even an apple and oranges comparison; it is more like apples and orangutans comparison.

Both the RMP and PSM programs are safety programs not security programs. They specify what types of things must be covered and provide some pretty clear and specific guidance on how to go about accomplishing the program goals. There are also pretty extensive academic and self-regulation communities that provide technical support to these two programs that are currently absent from the chemical security community.

More importantly though is that the enforcement side of things is more reactive than proactive. There are no requirements for EPA or OSHA to pre-approve these safety plans. Inspectors will eventually show up at sites to inspect the adequacy of the programs. Unless there has been a complaint or a significant accident there will be a single inspector on site for part of a day. Fines will be levied for program deficiencies and then negotiated with organization by the folks back at Headquarters. The inspector has moved on to the next facility, probably to never return to yesterday’s site.

BTW: I’m hearing second and third hand rumors that the House Homeland Security Committee is going to be holding a hearing to look at a comparison of the effectiveness of these three programs. That would be an interesting circus. Maybe they need to talk to the folks as ACC or SOCMA about the differences between the programs.

No Required Security Measures

ISCD has certainly had their share of ineptitude in the implementation of the CFATS program. They did identify many of the problems internally and appear to be hard at work at fixing their systemic problems while they continue their regulatory work. Having said that, they are Constitutionally (and that is deliberately capitalized) unable to fix the biggest problem to rapid authorization and approval of site security plans.

Congress saddled them with an almost impossible restriction on their authority. In the authorizing language {§550(a) of the  Homeland Security Appropriations Act of 2007 (Public Law 109-295) is the following statement:

“Provided further, That the Secretary may not disapprove [emphasis added] a site security plan submitted under this section based on the presence or absence of a particular security measure, but the Secretary may disapprove a site security plan if the plan fails to satisfy the risk-based performance standards established by this section”.

This means that the Department (and its Inspectors) cannot tell a facility what security measures are necessary. The facility may submit a plan and DHS may decide that it does not meet the Risk-Based Performance Standard. DHS is, however, forbidden by Congress from telling the facility management what they need to do to correct the deficiency. Every deficiency becomes a matter for debate and negotiation.

To be sure, this was added at the insistence of industry, but it greatly strings out the time necessary to get a site security plan authorized. To hold ISCD’s feet to the fire to correct these time delays without correcting this requirement is a sure way to make ISCD inspectors violate the letter and intent of the congressional mandate.

Now it is certainly true that most chemical facilities are custom built unique entities. They will each have their own particular security issues that will not be met by cookie cutter security plans. The CFATS regulations need to take that into account. But one only has to read the Risk-Based Performance Standard Guidance document to see how badly the wording of the authorization language has affected the site security planning and authorization process.

Changes Need to be Made

If ISCD is going to be able to effectively administer the CFATS program, it is going to have to have some legislative help from Congress. It is obvious that a comprehensive chemical security bill is beyond the capability of any congress in the current balance of power situation. So any changes are going to have to be incremental and relatively non-controversial.

The first thing that needs to be done is to remove the current requirement that all covered facilities have to have their site security plans authorized and approved by ISCD. A good argument could be made for the Tier 1 facilities having their plans approved, but the other three tiers should only be required to submit their plans to DHS. Since the Tier 1 plans are mostly done, this would allow ISCD to start inspecting facilities to ensure that their site security plans are being properly implemented and maintained. This would be much easier to do than to determine if the site security plans are actually adequate.

This could be achieved by amending the language of the fourth ‘provided further’ of §550(a) to read:

Provided further, That the Secretary shall review and approve the site security plan of each of the highest-risk covered facilities under this section, the Secretary will ensure that all covered facilities will be periodically inspected to ensure that their site security plans are properly implemented and maintained:

The second thing that would need to be done is to ease the current prohibition of telling the facility management what needs to be done to a Tier 1 site security plan to get it approved. This could be done by amending the second ‘provided further’ of §550(a) to read:

Provided further, That the Secretary may not disapprove a site security plan submitted under this section based on the presence or absence of a particular security measure, but the Secretary may disapprove a site security plan if the plan fails to satisfy the risk-based performance standards established by this section; when a plan fails to satisfy those standards the Secretary will provide multiple suggestions as to appropriate actions that could be taken to satisfy those requirements:

Finally, there needs to be a time standard under which the Secretary will authorize and approve a Tier 1 site security plan. This could be achieved by adding a new ‘provided further’ after the revised fourth ‘provided further’ of §550(a) that would read:

Provided further, That the Secretary will provide timely approval or disapproval of all Tier 1 site security plans; all plans, unless disapproved prior, will be considered to be approved on the 180th day after their submission or re-submission.

More to Come

This is a good first start for changes to be made to the current CFAT program to make it more effective. There are certainly other things that could be done and you can be sure that I will get around to mentioning them at some later date.

Tuesday, July 23, 2013

House Leaders Threaten CFATS Program

Last week the committee chairs of the three House committees (okay two committees and an Appropriations Committee subcommittee) that have the most jurisdiction over the Chemical Facility Anti-Terrorism Standards (CFATS) program ( Carter-Appropriations, Upton-Energy and Commerce and McCaul-Homeland Security)  sent a letter to Secretary Napolitano formally complaining about the problems that have been plaguing the implementation of that program and the lack of progress in developing the Ammonium Nitrate Security Program (ANSP).

The Problems

The fact that these three are critical of the CFATS implementation is hardly news to anyone that has been following the CFATS program over the last couple of years. In the last year both Upton and McCaul have chastised Director Wulf and Under Secretary Beers in hearings before their respective committees. Over the last year Carter has actively tried to reduce the funding for the program either through draconian cuts (50% proposed for FY 2013) or withholding funds ($20 million for FY 2014).

The letter outlines complaints that have been detailed in other venues. They include:

• An incomplete risk evaluation system for tiering high-risk chemical facilities;
• Delays in evaluating, authorizing and approving site security plans;
• Failure to identify potentially at-risk facilities; and
• Delays in developing the ANSP regulations.

The Threat

The letter contains a very thinly veiled threat to discontinue funding of the CFATS program unless fundamental changes are made. The three Chairmen note:

“The Committees on Energy and Commerce and on Homeland Security, as authorizers, did not object to the appropriation of funds to CFATS in the Fiscal Year 2014 Homeland Security Bill because the House Committee on Appropriations, in both its bill and its accompanying Report, requires the Department to formally justify its expenditures, create a plan to reduce its backlog, and report to Congress on its progress to correct some of its most serious shortcoming.”

They then go on to note that just meeting these “requirements will not be enough to justify the program in the long term”.

Both Upton and McCaul promise to “continue the rigorous oversight and strict guidance needed to get CFATS on track”. But, since neither Committee has ever actually authorized the program it would be left to Chairman Carter to actually take realistic actions against the program if the required changes are not made.
The Reality

The frustration of these three gentlemen is clear, and it is shared in large part by Director Wulf and Under Secretary Beers. Given the political reality of the currently divided Congress, these threats are largely empty. Because of the potential threat posed by these facilities and their economic necessity, a federal program to oversee their protection against terrorist attack is absolutely necessary.

Unfortunately there is no consensus around which to re-build the CFATS program from scratch as evidenced by the lack of the ability to even get a comprehensive reauthorization of the current program. The only possible fallback position available (because no legislation would be specifically required) would be to regulate their security under the EPA’s Clean Air Act General Duty clause, an anathema to these three Chairmen.

Even if there were a way to make these three gentlemen accept the prospect, the EPA does not have the experience, manpower or regulations available to turn a single paragraph into a viable security regulation.

Instead of blindly making empty threats, these three gentlemen and their ranking members and the ISCD leadership need to get together and come up with concrete requirements that can be put into law and reasonably be put into place in by the folks at ISCD. Anything less will be continuing to contribute to the problem, not solving it.

BTW: It will be interesting to see if the Secretary chooses to respond publicly to this letter. The problem will cease to be hers long before any of these Committees can do more than hold another ineffectual hearing. If I were her, I would probably be content to walk away from the unsolved problem, after all it was largely the creation of an ineffective Congress.

House Rules Committee Provides Open Rule for HR 2610

The same rule from the House Rules Committee that governs the floor debate for HR 2397 also addresses the debate for HR 2610, the Departments of Transportation, and Housing and Urban Development, and Related Agencies Appropriations Bill, 2014. In this case, however, the Committee adopted an open rule like those that the Republican leadership has been using since regaining control of the House.

The rule provides that any time after HR 2397 has been considered the House may begin consideration of HR 2610. There will be an hour of general debate on the bill and then the reading of the bill will begin. At any point during that reading, amendments may be offered from the floor on the areas currently being read. When there are conflicts for recognition, the Chair may give priority to amendments that have been published in the Congressional Record (none had been offered as of yesterday).

At this point there is no telling when this bill will come to the floor. Consideration may start this week and carry over until next week, or it could be held until next week. And we are still waiting to see when HR 2410, the Ag spending bill, will be brought to the floor.

DHS Publishes Regulatory Agenda

Earlier this month DHS, along with all of the other major Executive Branch agencies, updated their Unified Agenda web site. Today they published their Regulatory Agenda in the Federal Register (78 FR 44266-44275).

According to the Summary:

“The regulatory agenda is a summary of current and projected rulemakings, as well as actions completed since the publication of the last regulatory agenda [78 FR 1586] for the Department.”

Effectively the Regulatory Agenda is a sub-set of the Unified Agenda and reflects the Department’s estimate of which of the Unified Agenda items is most likely to see regulatory action in the near future. Actually that definition and the term near future are mine not the governments, and it has more than a little sarcasm associated with it. It really is not clear what criteria the government uses to select this short list of regulatory actions as it has historically not born any relationship to future actions.

The items on the Regulatory Agenda notice that might be of specific interest to the chemical security/safety community (there are no cybersecurity measures on the list) include:

• Ammonium Nitrate Security Program 1601-AA52
• Updates to Maritime Security 1625-AB38
• Transportation Worker Identification Credential (TWIC); Card Reader Requirements 1625-AB21
• General Aviation Security and Other Aircraft Operator Security 1652-AA53

Other than establishing a short list of regulatory actions that may (or may not) be taken in the foreseeable future, there is no new information in this document.

House Rules Committee Adopts Structured Rule for HR 2397

The House Rules Committee earlier this evening adopted astructured rule for the consideration of HR 2397, the Department of Defense Appropriations Act, 2014. The unusual move by the Republican leadership will restrict the amendment process to ‘just’ 100 amendments listed in the Committee Report on the Rule. This was apparently done to prevent passage of amendments that would have defunded NSA or restricted the President’s options to respond to the current conflict in Syria and potential conflict in Egypt.

New Cybersecurity Amendments

There is only one cybersecurity related amendment among the 100 amendments that may be considered during the debate in the House. That is amendment #7 from Rep Langevin (D,RI). It would reduce the appropriation for Operations and Maintenance, Defense-Wide by $5 million and transfer that amount to RDT&E, Defense-Wide for the purpose of restoring the funding for Cyber Security Advanced Research to the amount requested in the President’s Budget.

Moving Forward

This bill will probably come to the floor this week. It is quite possible that it will  pass if the leadership manages to keep the more conservative elements of the Republican side of the House in line. It is not clear that just allowing votes on watered down amendments (# 97 thru 100) dealing with the NSA funding and limited restrictions on dealings with Syria or Egypt will be enough to accomplish that feat.

Monday, July 22, 2013

HR 1542 Passes in House

This evening the House passed HR 1542, WMD Intelligence and Information Sharing Act of 2013, by a widely bipartisan vote: 388 – 3. The debate only lasted 11 minutes; the results were never in doubt. If this bill reaches the floor in the Senate it will pass there as well.

Congressional Hearings – Week of 7-21-13

There are only three House hearings and one Senate hearing that might be of specific interest to the chemical safety/security and cybersecurity communities. They involve a TSA markup, a rule for two spending bills, a transportation bill and a cybersecurity bill. A WMD bill will also be considered on the floor of the House.

Spending Bills

The House Rules Committee will meet this evening to try again to formulate a rule for the consideration of HR 2610 (FY 2014 DOT spending bill) and HR 2397 (FY 2014 DOD spending bill). The big holdup here is the question of whether or not to have an open rule (which the Republican leadership has made the norm for spending bills) for the DOD bill. There is a great deal of concern about an amendment defunding the NSA over the recent cyber-snooping disclosure about that agency.

Apparently there has been a resolution as to handle the DOD bill because the Majority Leader’s web site reports that HR 2397 will be considered this week.

TSA Markup

The Subcommittee on Transportation Security of the House Homeland Security Committee will be holding a markup hearing on Wednesday. One of the bills to be considered will be HR 1204, the Aviation Security Stakeholder Participation Act of 2013.


Friday there will be a field hearing in New York City by the House Transportation and Infrastructure Committee’s Panel on 21st Century Freight Transportation looking at “How Freight Transportation Challenges in Urban Areas Impact the Nation”. There is no witness list yet available so it is hard to tell what might be discussed. Always a possibility is the issue of the risk of hazmat trains transiting urban areas.


The Senate Commerce Committee will be holding a hearing on Thursday looking at “The Partnership Between NIST and the Private Sector: Improving Cybersecurity”. This should be another feel good hearing about the Cybersecurity Framework being developed by NIST under the President’s Cybersecurity EO (EO 13636). No witness list is yet available, but we can expect to see the NIST Director.

WMD Intelligence

There will also be a House floor vote on HR 1542, the WMD Intelligence and Information Sharing Act of 2013. This bill will be considered under suspension of rules so there will be no floor amendments allowed. There was no committee markup of this bill so there was no chance to add the industrial chemical amendment that I suggested. This bill will pass in a bipartisan vote later today.

Sunday, July 21, 2013

EPA Publishes Methyl Bromide 2013 Exemption Final Rule

The Environmental Protections Agency (EPA) published a final rule in the Monday Federal Register (available on-line Saturday, 78 FR 43797-43801) for authorizing uses that qualify for the 2013 critical use exemption (CUE) to the Montreal Protocol on Substances that Deplete the Ozone Layer and specifying the amount of methyl bromide that may be produced or imported for those uses.

Methyl Bromide CUE

While this final rule is being published more than halfway through the year in which it is effective, and the greatest amount of CUEs cover pre-planting activities, the current users, producers and distributors of methyl bromide were notified last December that the EPA would “not enforce restrictions on methyl bromide production and import found at 40 CFR §82.4 until such time as the EPA’s Office of Air and Radiation issues a final rule that authorizes the production  and import of methyl bromide for critical uses in 2013”.

The Table below shows the amounts authorized for production and/or import in the December non-enforcement letter, subsequent NPRM (77 FR 74435-74449) and the amounts authorized under this final rule. The amounts include both preplant and post-harvest uses. Weights are expressed in kilograms. According to the Preamble to this Rule, Decision XXIII/4 of the Parties to the Montreal Protocol allows the United States to manufacture or import a maximum of 562,326 Kg for US critical uses

December Letter
Final Rule
Great Lakes Chemical
Albemarle Corp
ICL-IP America
TriCal, Inc
Authorized Production and/or Import of Methyl Bromide

The pre-planting amount in made available in the final rule is larger than the total amount authorized in the December letter and the NPRM. I would assume that, since there has been no general outcry about a shortage of methyl bromide, the producers/importers produced more than would have been authorized by the NPRM or the December letter.

What is not clear in the published rule is how the EPA came to the final figures for the CUE. Could it be somehow related to the actual production of methyl bromide manufactured to support the pre-plant activities for the authorized uses?

It is interesting to note that the EPA reports that over 90% of the critical uses for methyl bromide are found in California. Georgia and Florida would account for most of the remaining uses of methyl bromide. Thus we can expect that about 1.1 million pounds of methyl bromide (a toxic inhalation hazard – TIH – chemical) is stored, transported and used in the most populous state in the country.

Immediately Effective

The effective date for this rule is the date of publication, 7-22-13. They typical 30-day effective date rule does not apply in this case because the EPA views this not as a regulatory action but relief from the prohibition on the use of methyl bromide. It really doesn’t matter since the EPA made it clear that it wasn’t going to enforce any numbers until the final rule was published.

Methyl Bromide and CFATS

Methyl bromide is a TIH chemical. As such one would expect that it would have been included on the DHS chemicals of interest (COI) list (Appendix A to 6 CFR Part 27) with a screening threshold quantity (STQ) of 10,000 lbs like other TIH chemicals. It was, in fact, included on the initial COI list but was removed before the final list was published because of the ‘phase out’ of the use of methyl bromide under the Montreal Protocol.

This rule makes it clear that the current authorized CUE is about 2% of the 1991 methyl bromide consumption in the United States. That is certainly a good thing for the environment given the way that methyl bromide reacts with ozone layer. Still 1.2 million pounds of annual production, storage, transportation and use in 2013 is still a significant amount of a chemical that is a potential terrorist WMD.

As I normally do, I urge DHS to reconsider the ‘phase out’ COI exemption given to methyl bromide. There are already rules in place to provide relief to organizations that reduce or remove COI from their facilities. Those should be used to address the ‘phase out’ issue, not an exemption from coverage.

Senate Begins Consideration of S 1243 – FY 2014 DOT Spending bill

On Thursday the Senate officially began the consideration of S 1243, the Transportation, Housing and Urban Development, and Related Agencies Appropriations Act, 2014. No action was taken beyond the Clerk’s reading of the title of the bill in and the first cloture motion being submitted. Actual action will begin next week with the vote on the cloture motion to close debate on proceeding to consider the bill on Tuesday.

No amendments to S 1243 were filed on Thursday or Friday (only a pro forma session Friday so nothing could be filed then in any case. I expect that we will start to see the amendment process crank up on Tuesday.

BTW: The House is not currently scheduled to take up HR 2610, the House version of the bill, according to the Majority Leader’s web site, but that may change as the Rules Committee is scheduled to take up the bill on  Monday evening. More on that in my weekly congressional hearing post.

H 2642 Amended and Passed in Senate

On Thursday the Senate substituted the language from S 954 for the recently passed language of HR 2642, the Federal Agriculture Reform and Risk Management Act of 2013, and then passed the measure by unanimous consent. The Senate version of the bill does not have any chemical security or chemical safety measures included.

There is a decent chance that the chemical safety and security measures included in the House version might make their way back into the bill during conference.

If a conference can resolve the differences in the two bills then the revised bill will stand a good chance of being able to pass in the House with at least some bipartisan support. A substantial number of Democratic votes will be required to overcome the objections of the conservative Republicans that blocked the passage of HR 1947.

The open question is if the House can vote to go to conference on this bill without passing a food stamp bill. A vote for conference would almost certainly pass with Democratic support but also with large and vocal opposition from conservative members. The question is whether or not the Speaker will be able to withstand the intra-party attacks if he brings the vote to the floor.
/* Use this with templates/template-twocol.html */