Thursday, October 31, 2013

Coast Guard Publishes Two ICR Notices

Today the Coast Guard published two information collection request (ICR) notices in the Federal Register. The first (78 FR 65351-65352) was a 60-day ICR notice and the second (78 FR 65349-65351) was a 30-day ICR Notice. The notices covered the following ICRs (the first one is the 60-day ICR notice):

1625-0025: Carriage of Bulk Solids Requiring Special Handling;
1625-0074: Direct User Fees for Inspection or Examination of U.S. and Foreign Commercial Vessels;
1625-0084: Audit Reports under the International Safety Management Code; and
1625-0093: Facilities Transferring Oil or Hazardous Materials in Bulk.

All of these ICRs are renewals. Only the first and last notices may be of specific interest to readers of this blog.

Bulk Solids ICR

This ICR covers the submission of requests for special permits for the safe carriage of unlisted materials. The only change noted in this ICR request is that the “estimated burden has increased from 745 hours to 955 hours a year due to an increase in the estimated annual number of responses for Special Permits”.

The previous ICR approval shows that the number of responses and the number of burden hours are the same. This indicates that the Coast Guard estimates that the average time to complete a special permit request is one hour.

Bulk Transfer ICR

This ICR covers the filing of a letter of intent to operate a facility that will transfer bulk oil or hazardous materials to or from vessels and the maintenance of an Operators Manual for such a facility. The Coast Guard notes that the “estimated burden has decreased from 84,247 hours to 45,748 hours a year due to a reduction in the estimated annual number of respondents”.

The previous ICR approval shows 2,667 annual responses for an average burden per response of about 31.6 hours; presumably most of this is for the production and maintenance of Operators Manuals rather than for writing letters of intent. Keeping the same ratio of manuals to letters, we can assume that the Coast Guard is now expecting only about 1448 responses per year.

Public Response

The Coast Guard is soliciting public responses on the accuracy of its assumptions and the need for these ICRs. The responses to the 60-day notice may be filed via the Federal eRulemaking Portal (Docket # USCG-2013-0861) and must be submitted by December 30th, 2013. The responses to the 30-day notice need to be sent directly to the Office of Management and Budget (OMB) and may be sent by email by December 2nd, 2013.

Bills Introduced – 10-31-13

With the House preparing to head home for another long district week (to be back in Washington on 11-12-13) a large number of bills were introduced, many just for the purpose of campaigning while back home. Of the 95 bills and resolutions introduced yesterday, three might be of interest to readers of this blog:

HR 3381 Latest Title: To authorize appropriations for fiscal year 2014 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Sponsor: Rep Rogers, Mike J. (R,MI)

HR 3410 Latest Title: To amend the Homeland Security Act of 2002 to secure critical infrastructure against electromagnetic pulses, and for other purposes. Sponsor: Rep Franks, Trent (R,AZ)

HJ RES 100 Latest Title: Making further continuing appropriations for the fiscal year ending September 30, 2014, and for other purposes. Sponsor: Rep Miller, George (D,CA)

While most commentators will be looking at the Intel Authorization bill for restrictions on the use of electronic surveillance in the US, I will be watching for various cybersecurity provisions.

While an EMP attack could be devastating, the cost of defending against this type of low probability attack would be quite high. It will be interesting to see how this bill addresses the situation.

It seems a bit early to see the next round of Continuing Resolutions being introduced. Since Rep. Miller is a Democrat and is a member of neither the Appropriations nor the Budget Committee, this bill has zero chance of being considered. So, this bill was introduced solely for home district consumption. Still, it might be interesting to see what it includes.

Wednesday, October 30, 2013

Homeland Security Mark-up Hearing Results

Yesterday the House Homeland Security Committee held their markup hearing looking at six different bills including (of potential interest here) HR 1204, HR 1791, HR 2952, and HR 3107. All six bills were ordered to be reported favorably; some with amendments (including HR 1204, HR 2952, and HR 3107).

The Committee provides a nice summary of the amendments, but none of them were significant. The closest to being a meaningful change was the amendment from Rep. Horsford (D,NV) that changed one of the subcommittee names of the new Aviation Security Advisory Committee from the “Perimeter Security Subcommittee” to the “Perimeter Security, Exit Lane Security, and Access Control Subcommittee”.

Actually ‘access control’ was already one of the topics that this subcommittee was to cover, so it only added ‘Exit Lane Security’. This topic is already a big deal in the airport security community so this just gave ‘Exit Lane Security’ a specific home.

Of course, any time a House Committee can do the markup of six bills in a single hearing, we know that there are not going to be any controversial or substantive changes made to any of the bills.

NASA Announces PNT Advisory Board Meeting – 12-4-13

The National Aeronautics and Space Administration (NASA) published a meeting notice in today’s Federal Register (78 FR 65006) for a meeting of the National Space-Based Positioning, Navigation, and Timing (PNT) Advisory Board on December 4th and 5th in Washington, DC. The meeting is open to the public.

The agenda includes:

• Update on PNT Policy and GPS modernization;
• Opportunities for interoperability of current GPS with emerging international Global Navigation Satellite Systems (GNSS);
• Trends and requirements for PNT services;
• Current and future GPS services and PNT capabilities; and
• Consider the effects of potential PNT service degradation if adjacent radio-band spectrum interference is introduced.

While the meeting is open to the public, the notice does not say anything about public participation or about the submission of oral or written comments.

NOTE: The GPS timing services are used for the synchronization of many SCADA systems, so this often ignored service is of serious interest to many in the ICS community.

Tuesday, October 29, 2013

NIST Publishes Notice for Preliminary Cybersecurity Framework

Today the National Institute of Standards and Technology (NIST) published a request for comments notice in the Federal Register (78 FR 64478-64480) for the Preliminary Cybersecurity Framework that was published on the NIST web site last week. Alert readers will note that this is a completely different process than that followed in the publication of a new rule or regulation.

The Notice

Today’s notice points back to the NIST Framework web site for both a copy of the Framework to be reviewed and commented upon, as well as a copy of the form that NIST wants people to use to file their comments. Comments are to be submitted directly to NIST via snail mail or email and must be received by 5:00 pm EST on December 13th, 2013. NIST is not using the Federal eRulemaking Portal for these comments. Comments will be posted in their entirety at

The notice published today does not mention the alternative format for the listing of “informative references (standards, guidelines and best practices)” provided in the Framework. Apparently there has been some concern expressed about the ease of understanding the table provided in the Framework (pages 13-26). An alternative version is also available on the NIST web site. NIST would like comments on the two versions to be included in any submission of comments.

The Comment Format

NIST has specifically requested that all comment submissions use the form provided on (downloaded from) their web site. Many commenters will find it difficult to adapt their typical verbose expository commenting style to the spreadsheet format provided. I suspect that NIST is expecting a very large number of detailed comments and this format will make it much easier to collect, collate, and analyze a large number of comments.

Given that the President has provided a February deadline for publishing the final version of the Cybersecurity Framework, I think that NIST has made a very astute choice in the way they wish to receive their comments. I also suspect that this request will be widely ignored by many of the organizations that typically comment on federal rules and regulations.

The even larger number of comments from industry (at the operational level) and academia will be submitted by people who are very familiar with the spreadsheet format. These commenters will have no problem submitting their comments in the manner suggested/requested by NIST.

The Choice

NIST has made a very interesting choice in the way they have published both the Framework and this request for comments. This request for comments will catch the attention of the people who normally comment on federal rules and regulations, and their comments will be very important. The use of the NIST web site as the location for the publication of the Framework and comments will attract a completely different set of responses; responses from people at the operational level who deal with cybersecurity issues on a daily basis. It will be interesting to see how effective NIST is in attracting comments from this group of people.

An interesting sidelight to the choice has to deal with the non-regulatory nature of the Framework. One of the reasons that NIST was selected to lead this effort was that they are not a regulatory agency and the Administration has been very careful to publicly reiterate that this is a completely voluntary program. On the other hand, many commentators, me included, have mentioned how easy it might be for regulatory agencies to incorporate this program into their current regulatory regime.

In publishing the Framework document outside of the Federal Register and taking the comment process out of the Federal eRulemaking Portal, NIST has made that inclusion just a little more difficult. Any agency attempting to directly co-opt the Framework will first have to put it through the regulatory wringer of the publication and comment process.

Chemical Safety and Security Working Group Listening Session

Today I received a copy of an invitation that was recently sent out to ‘industry stakeholders’ concerning a series of Listening Sessions that will be held across the country over the coming months by the Chemical Safety and Security Working Group to allow the public to provide input into the processes put into place by Executive Order 13650. A copy of this invitation will be published in the Federal Register in the near future.

The first Listening Session will be held in Texas City, TX at the College of the Mainland on November 5th. The start time for the meeting will be 9:00 am (presumably CST) with on-site registration opening at 8:00 am. Advance registration is recommended. The session is scheduled to last until 4:30 pm with some sort of break for lunch (I guess).

Public comments are being solicited (this is a listening session after all). Comments are being limited to 5 minutes and an intention to comment needs to be included in the registration. Apparently there is going to be an attempt made to coordinate and consolidate comments.

There will also be provisions for teleconference participation. People participating via teleconference can submit electronic comments. There will also be the potential for distance participation in future webinars (11-25-13 and 12-16-13).

Additional listening sessions will be held in:

• Washington, DC – 11-15-13;
• Springfield, IL – 11-19-13;
• Hamilton, NJ – 12-4-13;
• Orlando, FL – 12-11-13;
• California (city TBD) – January 7, 2014; and
• Houston, TX – week of 1-20-14.

Monday, October 28, 2013

Witness List for Cybersecurity Emergency Response Hearing

This morning the House Homeland Security Committee updated their web site to include a witness list for Wednesday’s hearing on cybersecurity and emergency response. The witnesses include:

• Mr. Charley English: for the National Emergency Management Association;
• Mr. Paul Molitor: for the National Electrical Manufacturers Association;
• Mr. Craig Orgeron: for the National Association of State Chief Information Officers;
• Mr. Mike Sena: for the National Fusion Center Association; and
• Ms. Roberta Stempfley: DHS.

It would have been a tad bit more interesting if there had been a chemical industry representative or a water facility cybersecurity manager responsible for a control system that managed the movement of chlorine gas. Then there could have been a real discussion of the emergency response requirements for a real cyber-attack.

Don’t get me wrong, a grid attack could have catastrophic consequences, but the electrical industry has a long history of responding to outages due to physical damage caused by storms, fires and earthquakes. There will be differences for a cyber-attack, but they have the interagency and inter-organizational communications procedures down pretty good at this point. No one in this country has responded to a large scale chemical release and the limited scale planning necessary to do so has never had a real test.

Oh well, it is to be expected. Congress has a long history of failing to prepare for, or even look at, the next emergency.

CFATS Update – October 1st

As I mentioned earlier, the folks at the DHS Infrastructure Security Compliance Division (ISCD) published their October 1st status update of the CFATS program. While this is very late in the month, I think we can excuse the tardiness since, for the first half of the month, DHS was shuttered due to the federal funding fiasco.

The details included in this report all come from the period just before the F3 so this covers a period of 20 operational days (Labor Day off). The data shows continued increases in the number of authorized and approved Site Security Plans; this is shown in the first graph.

While that shows an apparent steady rate of approvals, a more detailed analysis shows a different story. The rate of site security plan authorizations has dropped off drastically while there was a significant increase in the daily rate of SSP approvals. The second graph shows the details, including the fact that the total number of combined SSP actions was a little below the rate from August.


The total number of SSP approvals now stands at 348; still less than 10% of the 4,248 facilities currently in the CFATS program. The authorized SSPs now total 747 or about 18% of the total. At September’s approval rate it will take 812.5 days, or 162.5 weeks (@ 5 days/week), or 3.25 years (@ 50 weeks/year) to get all of the current SSPs approved.

As always I have to remind readers that none of these approvals are final since no facility has been able to complete their planning for the personnel surety program requirements of Risk Based Performance Standard (RBPS) # 12. When ISCD gets their terrorist screening program in place, then all of these facilities with ‘approved’ SSPs will have to get their updated personnel surety programs reviewed and fully approved. This should not take a great deal of time to upgrade the current ‘almost approval’ to full approval.

BTW: The September Update (for actions taken in August) is no longer available on the Chemical Security page and was not subsequently moved to the CFATS Knowledge Center. Fortunately the old link still works.

CFATS Deliverables

It has been over a week now since the end of the federal funding fiasco and I think we can assume that the DHS ISCD folks are now back on track with their continuing implementation of the CFATS program. Here is a short list of output from ISCD that I would like to see in the coming weeks and months.

• November CFATS Status Update will be due soon;
• 30-day CFATS Personnel Surety Program ICR;
• Proposed revisions for Appendix A (for Chemical Safety and Security EO – 11-5-13 Deadline);
• Report on CFATS data sharing with SERCs, TEPCs, and LEPCs (for Chemical Safety and Security EO – 11-5-13 Deadline);
• Report on CFATS data sharing with EPA and OSHA (for Chemical Safety and Security EO – 11-5-13 Deadline);
• NPRM for Ammonium Nitrate Security Program; and
• Final action resolving ‘temporary’ agricultural producer’s exemption for Top Screen.

I had included the October CFATS Status Update when I initially wrote this, but ISCD was faster than my posting. They have just published a link to that update on their Critical Infrastructure: Chemical Security web site. I’ll have more on that this evening.

Those are all things that are supposed to be in progress. Now for some innovative ideas that I would like to see suggested by ISCD:

• Proposal for alternative methods of certifying Site Security Plans for Tier 3 and Tier 4 facilities;
• Proposal to tie CFATS to security programs for truck and train transportation of hazardous material, particularly COI; and
• Proposal to identify other potential CFATS facilities based upon CFATS facility customers and vendors of CFATS COI.

I’ll keep an eye out.

Congressional Hearings – Week of 10-27-13

Both the Senate and the House will be in town this week and the pace of hearings is getting back to normal after the fiscal fiasco has passed. There are four House hearings and one Senate hearing that might be of specific interest to readers of this blog. They include three mark-up hearings, one Coast Guard authorization hearing and one cybersecurity hearing.

Mark-up Hearings

The House Homeland Security Committee will try for a third time on Tuesday to mark-up a group of bills including HR 1204, HR 1791, HR 2952, and HR 3107. I wrote about this hearing in some detail last week on the second attempt to hold this hearing.

The House Transportation and Infrastructure Committee will hold a mark-up hearing on Tuesday that will address four bills including HR 3300, the FEMA Reauthorization Act of 2013 that I described yesterday. No word yet on any potential amendments.

The Senate Homeland Security and Governmental Affairs Committee will have a Business Meeting today. It will either include a mark-up of some legislation, consider nominations, or both; no agenda has been published.

Coast Guard Authorization

The Coast Guard and Maritime Transportation Subcommittee of the House Transportation and Infrastructure Committee will meet on Tuesday to look at a variety of issues that might be included in a Coast Guard authorization bill. The current ‘Summary of Subject Matter’ published by the Committee does not include mention of any security or chemical safety issues.

Cybersecurity Hearing

Wednesday will see a potentially interesting take on cybersecurity when the Subcommittee on Emergency Preparedness, Response and Communications and the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies of the House Homeland Security Committee (whew, that’s a lot of words) hold a joint hearing on “Cyber Incident Response: Bridging the Gap Between Cybersecurity and Emergency Management”. No agenda or witness list is currently available.

Sunday, October 27, 2013

NIST Publishes Draft Agenda for 5th Cybersecurity Workshop

Along with publishing the Preliminary Cybersecurity Framework this week NIST published a draft agenda for the 5th Cybersecurity Workshop to be held in Raleigh, NC on November 14th and 15th. The web page for this workshop notes that:

“At this workshop, NIST will continue discussions on the implementation and future governance of the Cybersecurity Framework.”

Keeping in mind that this is just a draft agenda, presumably subject to change, it looks like there will be a fundamental shift in this workshop, more towards selling the Framework than developing it. This is not unexpected since the Preliminary Cybersecurity Framework is now open for public comments.

The heart of this Workshop will be two sets of working sessions. The first set will run from 1:30 to 2:45 pm and the second from 3:15 to 4:45 pm. The same six topics will be discussed in both sessions; it is not clear if this was set up to be a total of 2 hours and 45 minutes of work on the topics, or if it was designed to give participants a chance to take part in two different discussions. The current proposed topics are:

• Small and Medium Business Considerations;
• How to Use the Framework;
• Voluntary Critical Infrastructure Cybersecurity Program;
• Research and Development; and
• Framework Ecosystem Development.

Additionally there will be presentations and panel discussions on topics including:

• Preliminary Cybersecurity Overview;
• Adoption Considerations;
• Industry Perspectives Panel; and
• Privacy and Civil Liberties.

Looking at these topics it is not clear why NIST claims that the target audience is:

“Critical Infrastructure Owners and Operators and cybersecurity staff. Specifically those who have operational, managerial and policy experience and responsibilities for cybersecurity, technology and/or standards development for Critical Infrastructure companies.”

It would seem that with the apparent focus on selling the Framework, it would be more beneficial to draw participants that have the ability to persuade owners of the utility of adopting and implementing the Framework. It would seem that a more appropriate target audience would be industry association representatives, industry publications and bloggers.

Perhaps we will have a better understanding of the purpose of this Workshop when the final agenda is published, probably early next month.

HR 3300 Introduced – FEMA Authorization

As I mentioned in an earlier post Rep. Shuster (R,PA) introduced HR 3300, the FEMA Reauthorization Act of 2013. The bill provides for funding the Federal Emergency Management Agency through 2016 at a flat annual rate of $972,145,000 {§101}, down from the FY 2013 funding of $973,118,000. There is not much else in this bill.

Section 102 does provide for the modernization of the Integrated Public Alert and Warning System. The language roughly parallels that found in HR 3283 that I have previously discussed. There are a number of editorial differences that might be of interest to lawyers, but nothing that appears to be of consequence beyond the fact that this version does not actually amend the Homeland Security Act. That means that the provisions and requirements laid out here would remain fairly buried and out of general public notice once this becomes law.

Section 201 reauthorizes the Urban Search and Rescue Response System; adding §327 to Title III of the Robert T. Stafford Disaster Relief and Emergency Assistance Act (42 USC 5141 et seq.). It makes some HR changes to the way individuals appointed to the system are placed into limited Federal Service to allow “for the participation of the System member in exercises, preincident staging, major disaster and emergency response activities, and training events sponsored or sanctioned by the Administrator” {§327(f)}.

Section 202 reauthorizes FEMA to make grants to provide for implementation of the Emergency Management Assistance Compact. FEMA is authorized to make grants totaling $2 million each fiscal year through 2016. The funds would remain available until expended.

As usual, I am disappointed that there is no mention of any FEMA responsibility for working with State or Local Planning Committees on emergency response planning for accidental or deliberate chemical releases. LPCs and their State counterparts are required by EPA rules, but there is no funding or oversight provided for these organizations that should be an integral part of planning for potential chemical disasters. Realistically, that type of grant funding or program oversight belongs under FEMA.

Congress has not passed a FEMA authorization bill since 2006. This bill looks like it has avoided any of the controversies that have impeded consideration of past bills. Rep. Shuster is Chairman of the House Transportation and Infrastructure Committee which is the only committee to which this bill has been referred. Rapid action within the Committee is expected, but we will have to wait and see how quickly it makes it to the floor.

Friday, October 25, 2013

PHMSA Publishes Five 60-day ICR Notices

Today the Pipeline and Hazardous Materials Safety Administration (PHMSA) published a 60-day information collection renewal (ICR) notice in the Federal Register (78 FR 64049-64051) for five separate ICRs covering a variety of hazardous material shipping programs.

The five ICRs were:

2137-0018: Inspection and Testing of Portable Tanks and Intermediate Bulk Containers
2137-0051: Rulemaking and Special Permit Petitions
2137-0510: Radioactive (RAM) Transportation Requirements
2137-0586: Hazardous Materials Public Sector Training and Planning Grants
2137-0595: Cargo Tank Motor Vehicles in Liquefied Compressed Gas Service

PHMSA was able to get away with publishing all five in a single notice because there were no changes in the burden estimates for any of these ICR requests. The table below shows the current burden estimates for these ICRs.

[Table: current burden estimates by OMB Control # (table body not recovered)]

PHMSA is soliciting public feedback on these five ICRs. Comments may be submitted via the Federal eRulemaking Portal (Docket # PHMSA-2013-0002; Notice No. 13-14). Comments should be submitted by 12-24-13.

NISPPAC Meeting Announced – 11-14-13

The National Archives and Records Administration (NARA) published a meeting notice in today’s Federal Register (78 FR 64024-64025) for the next meeting of the National Industrial Security Program Policy Advisory Committee (NISPPAC) on November 14th, 2013 in Washington, DC.

The announcement only notes that the purpose of the meeting is to “discuss National Industrial Security Program policy matters”. The minutes from the last meeting, however, indicate that there will be an update “on the status of E.O. 13587 [Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information] implementation and its impact on Industry” (page 10).

This meeting is open to the public, but due to space limitations advance registration is required by November 5th.

OMB Receives Two New Rules from Administration

Well, actually OMB received 5 new draft regulations from the Administration yesterday but two just might be of interest to readers of this blog. Unfortunately I can’t tell you much about either of them, or be completely sure I’m interested in them, because they have never been published in the Unified Agenda.

The two proposed rules (presumably going to be notices of proposed rulemaking – NPRM) are from the Coast Guard and DOD respectively. They are:

The first one is probably a safety training rule. If it is, I won’t be much interested in it unless it also includes security training requirements. The second has just too odd a title for a DOD rule (even a DFARS-related one) for me not to at least take a look at it.

All administrations have rules that come up outside of the planned rulemaking process, so there is nothing inherently unusual in these not being on the last Unified Agenda, and the last UA was published on July 4th. But, it seems to me (and I haven’t done any statistical analysis on this so it is just an impression) that the Obama Administration does a lot of rulemaking outside of the Unified Agenda process.

Thursday, October 24, 2013

Video Surveillance in the Rain

It has been a while since I have mentioned John Honovich and his IP Video Market web site. Long-time readers might recall that John’s site is a very informative location for unbiased information on all things associated with video surveillance. He recently posted a report (membership required, sorry) comparing the operation of three different video analytic systems in the rain.

Most modern facility security systems use some sort of video surveillance system. Larger installations are shifting to video analytics to reduce the manpower necessary to adequately track outputs from a large number of video cameras. A proper assessment of the adequacy of such a system must not only take into account standard daylight and night-time operations but also a wide variety of expected weather conditions.

The report provides some interesting test results for detecting both personnel and vehicle line crossing (a typical video analytics task) at ranges from 20 feet to over 200 feet from the camera in moderate to heavy rain. The tests were conducted in a parking lot so a lot of the issues associated with vegetation in the target area were eliminated.

While the missed target data on the three systems tested vary substantially, I was really surprised that their test did not have a single false positive. John’s tester did not mention this in the report, but I wonder if the sensitivity of the system shouldn’t have been tweaked up just a bit; an occasional false positive in these adverse conditions might have increased the target detection rate.

What is important in John’s report is that target detection distances are significantly impaired by rain events. Any infantryman knows that rainy days favor the attacker and this just goes to show that that fact is not just due to cold, wet, miserable folks being less than attentive. Even video surveillance systems are affected.

Cargo Theft and CFATS

A couple of interesting recent articles (here and here) address the issue of truck cargo theft. While neither one directly deals with the theft of hazardous chemicals nor chemicals that may be used to make improvised weapons (either explosive or chemical), the chemical manufacturing and chemical transportation communities ought to take notice.

The first article is a general overview of the cargo theft problem here in the United States. It is lacking in specific information that would be useful in helping shippers and transport companies avoid the problem. It does, however, outline the scope of the problem.

The second article addresses an apparently increasing tactic for cargo thieves: impersonating legitimate trucking companies, scheduling legitimate pick-ups from shippers and then diverting the cargoes. Chemical facilities that ship theft/diversion COI chemicals need to take special note of this article because this would be a very effective way of targeting such chemicals.

What Roxana Hegeman’s article describes is essentially commercial identity theft. She describes one of the ways that the identity theft works:

“Thieves assume the identity of a trucking company, often by reactivating a dormant Department of Transportation carrier number from a government website for as little as $300. That lets them pretend to be a long-established firm with a seemingly good safety record.”

This technique, along with the forging of appropriate commercial trucking company documentation, allows the thieves to bid on loads with commercial freight brokers. When a bid is won, a truck shows up at the loading dock with legitimate paperwork to pick up a properly scheduled load. The only problem is that the truck and its cargo are never seen again once they pull away from the loading dock.

Unfortunately the article is short on effective methods for shippers to prevent this type of cargo diversion. It recommends:

• Checking for temporary name placards or identification numbers on the truck;
• Paying attention to abrupt changes in the time of the pickup;
• Being aware of the lack of a GPS tracking system on the truck; or
• Getting a thumb print of the driver.

For CFATS covered facilities it probably makes more sense to protect theft/diversion COI shipments from this type of diversion by only using known trucking companies that the facility has a well-established history of working with. This would be sort of a ‘know your transporter’ program that would parallel the ‘know your customer’ idea identified in RBPS #5 in the CFATS Risk Based Performance Standards guidance document.

HR 3303 Introduced – FDA Software

Yesterday I mentioned that Rep. Blackburn (R,TN) introduced HR 3303, the Sensible Oversight for Technology which Advances Regulatory Efficiency Act of 2013 (with the snappy short title – SOFTWARE Act of 2013). I had hoped that this bill would be addressing (at least in part) cybersecurity issues for medical software regulated by the FDA. Boy was I wrong.

The Provisions

It starts off by defining ‘medical software’ in 21 USC §321 as software that would be intended or marketed to either “directly change the structure or any function of the body of man or other animals” {§321(ss)(1)(A)} or be used “by consumers and makes recommendations for clinical action” {§321(ss)(1)(B)}. The definition specifically excludes software that is “integral to the functioning of a drug or device” {§321(ss)(2)} or a component of a device. So the software controlling communications with Vice-President Cheney’s pacemaker would be excluded from the definition of ‘medical software’.

Section 2(b) of the bill would add a new section to 21 USC Subchapter V (§524B) that would make the provisions of 21 USC Subchapter V Part A apply to medical software and treat them like devices.

Section 3 of the bill would add another definition to 21 USC §321; ‘clinical software’ is software used in a clinical setting that “captures, analyzes, changes, or presents patient or population clinical data or information and may recommend courses of clinical action, but does not directly change the structure or any function of the body of man or other animals” {§321(tt)(1)(A)}. It specifically includes in this definition “associated hardware and process dependencies” {§321(tt)(1)}.

Another term is also included in this paragraph (though it is odd that it does not get a paragraph of its own); ‘health software’ which is not medical software or clinical software. It includes software (and again including hardware and associated processes) that:

• Captures, analyzes, changes, or presents patient or population clinical data or information {§321(tt)(2)(A)};
• Supports administrative or operational aspects of health care and is not used in the direct delivery of patient care {§321(tt)(2)(B)}; or
• Has the primary purpose of acting as a platform for a secondary software, to run or act as a mechanism for connectivity, or to store data {§321(tt)(2)(B)}.

Section 3 goes on to add another section to 21 USC Subchapter V Part A {§524(C)} that specifically excludes clinical software or health software from regulation by the FDA.

What Is Missing

There is nothing in this bill that addresses or even identifies concerns about cybersecurity for any of these three types of software. This bill would be a very good place for Congress to specifically provide FDA the authority to regulate the security of software that might directly affect the health or life of individuals or the privacy of an individual’s medical information.

Moving Forward

It is unusual for a bill to actually be published by GPO the day after it is introduced in the House. Bills that get this expedited service have typically been identified for early action. Since Ms. Blackburn is Vice-Chair of the House Energy and Commerce Committee, the sole committee given jurisdiction over this bill, I would assume that it will get prompt attention in that Committee and will move promptly to the floor. It will probably get considered under suspension of the rules.

I see no reason why this bill would attract any serious opposition on either the floor of the House or the Senate. 

Wednesday, October 23, 2013

FMCSA Publishes 60-Day ICR Renewal Notice for Hazmat Highway Routings

Today the Federal Motor Carrier Safety Administration published in the Federal Register (78 FR 63280) a 60-day information collection request (ICR) notice supporting the FMCSA’s program for collecting information about State programs for designating hazardous material highway routes under 49 CFR §397.73.

This is a straightforward renewal of an existing ICR without any changes in the burden estimates.

Public comments are being solicited. Comments may be submitted via the Federal eRulemaking Portal (Docket # FMCSA-2013-0305). Such comments should be submitted by December 23rd, 2013.

Bills Introduced – 10-22-13

The House is back from its shortened district work period and is at work at a slightly slower pace this week. Only 17 pieces of legislation were introduced yesterday and two of those were condolence resolutions for a deceased Representative and a former Representative. Two other bills might be of interest to readers of this blog:

HR 3300 Latest Title: To reauthorize the programs and activities of the Federal Emergency Management Agency. Sponsor: Rep Shuster, Bill (R,PA)

HR 3303 Latest Title: To amend the Federal Food, Drug, and Cosmetic Act to provide for regulating medical software, and for other purposes. Sponsor: Rep Blackburn, Marsha (R,TN)

Both of these bills seem to be relatively high-priority for someone as they have already been published by the GPO. I’ll have more details on these bills later.

President’s NSTAC to Look at Cybersecurity

Today the DHS National Protection and Programs Directorate (NPPD) published a public meeting notice in the Federal Register (78 FR 63232) for a meeting of the President’s National Security Telecommunications Advisory Committee (NSTAC) on November 20th, 2013. The meeting will be open to the public.

According to the notice the agenda will include:

• A work status review from the Industrial Internet Subcommittee;
• A briefing on the current threat environment;
• An FCC briefing on its cybersecurity activities;
• A NIST-led round-table discussion of the Preliminary Cybersecurity Framework.

A short public comment period will take place during the meeting; advance registration by email is required. Written comments may be submitted via the Federal eRulemaking Portal (Docket # DHS-2013-0057).

Tuesday, October 22, 2013

ICS-CERT Updates Earlier WellinTech Alert

Today the DHS ICS-CERT published an advisory that updated a September alert issued for twin ActiveX vulnerabilities in the WellinTech KingView application. The earlier alert and this advisory respond to uncoordinated disclosures made by Blake (here and here).

ICS-CERT describes these vulnerabilities as:

• Insecure ActiveX control - CVE-2013-6127 (a flaw in the SuperGrid.ocx ActiveX control); and
• ActiveX Remote File Creation/Overwrite - CVE-2013-6128 (a flaw in the KChartXY.ocx ActiveX control).

NOTE: CVE links are not yet active.

ICS-CERT notes that a moderately skilled attacker could remotely execute the publicly available exploits to overwrite files and copy them from one location to another on the target machine. WellinTech has developed new versions of the affected files that hopefully (my word not ICS-CERT’s) mitigate the vulnerabilities. Bruce, being a non-cooperative researcher, does not get the chance to publicly verify the efficacy of the updates nor is there any mention that ICS-CERT has done so.

While ICS-CERT does now give credit to Bruce as the discoverer of the vulnerabilities it does not give credit to OSVDB.ORG for the two workarounds provided in this advisory. Those two workarounds (here and here) were on the web site the day the initial alert was published. It is not clear from that site if the workarounds were developed by OSVDB or by Bruce.

DOD Publishes Final Rule on DIB Cybersecurity Information Sharing

While Congress is unable or unwilling to move forward on cybersecurity information sharing legislation, the Department of Defense published its final rule on cybersecurity information sharing with its Defense Industrial Base (DIB) partners in today’s Federal Register (78 FR 62430-62438). I discussed many of the details of this rule last year when DOD published its interim final rule on the topic.

Public Comments and DOD Responses

With the numerous controversies surrounding this topic (controversies that are responsible in large part for the congressional paralysis on the issue) it is not unexpected that the DOD received a large number of comments. The bulk of the preamble to this final rule deals with identifying and responding to the issues raised. In all but two cases the DOD response boiled down to: “No change is made to the rule”.

The first comment eliciting a change in the rule dealt with the definition of a “US Citizen” in the rule and the DOD clarified that issue by removing the phrase ‘holding a U.S. passport’ as part of the definition of ‘U.S. citizen’ in §236.2(o).

The second comment dealt with a requirement in the program to conduct a legal review of the implementation of the program and the language in §236.6 that appeared to require a violation of attorney-client privilege. DOD responded by removing the second sentence in §236.6(c), noting that that sentence “was not intended to imply that there was a requirement to provide such information as a condition of the program”.

Effective Date

This program is currently running under the interim final rule. The limited changes made in this final rule become effective on November 21st, 2013.

Monday, October 21, 2013

ICS-CERT Updates Latest Crain-Sistrunk Advisory

This afternoon the DHS ICS-CERT updated the latest single product advisory for a DNP3 vulnerability reported by Adam Crain and Chris Sistrunk that was originally published less than two weeks ago. The updated information explains how the vulnerability differs when the device is used in two different modes: serial communications and IP communications.

ICS-CERT now separates the improper input validation vulnerability into two separate vulnerabilities with their own CVE # (IP - CVE-2013-2787; Serial - CVE-2013-2818) and different CVSS v2 base scores (IP – 7.1; Serial – 4.7) based upon the different modes of access. The higher base score for the IP installation is based upon the fact that the vulnerability is remotely accessible.

ICS-CERT also notes that the skill level necessary to exploit the vulnerabilities is different, noting that it takes less skill (moderate) to exploit the IP based installation as compared to the high skill level required to exploit the serial based implementation vulnerability. It appears that they base that distinction solely on the fact that physical contact with the device is required for a serial exploit.

I’m not sure that I agree with the exploit skill level assessment. It takes different skills to defeat physical security than to gain network access, but I’m not sure that I would call it higher skills. There are certainly more people out there with the ability to penetrate a remote facility protected by fences and cameras (I can certainly do that as can most ex-infantry soldiers, gang bangers and B&E specialists to name a few; hell an 80-year old nun did it earlier this year at a nuke weapons installation) than can penetrate network defenses to access a port on a device.

It seems to me that this is an attempt to understate the potential threat to electric (gas and water) transmission systems that employ these devices. There has been a lot of discussion in the cybersecurity press about the physical vulnerability of these types of devices at remote sites. Those discussions describe the ease of plugging a device into a serial port and how an uncomplicated TCP packet can be used to put the outstation into an endless loop. This type of attack would make it impossible to control the control systems at that outstation until the system was reset.

Other than those concerns, the new update does more accurately describe how the vulnerability can be exploited and the different ways the vulnerability can be exploited based upon how the device is employed.

Congressional Hearings – Week of 10-20-13

The House returns to work tomorrow while the Senate remains in their States for another week of keeping in touch with voters and contributors. The House does not currently have a very heavy hearing schedule this week and only one hearing that might be of specific interest to readers of this blog, a mark-up hearing that was originally scheduled for 10-2-13.

The House Homeland Security Committee will be meeting on Thursday to consider six different bills; four of which may be of specific interest here:

HR 1204, The Aviation Security Stakeholder Participation Act of 2013;
HR 1791, The Medical Preparedness Allowable Use Act;
HR 2952, The Critical Infrastructure Research and Development Advancement Act of 2013; and
HR 3107, The Homeland Security Cybersecurity Boots-on-the-Ground Act.

Revised language will be introduced for three of these bills:

HR 1204;
HR 2952; and
HR 3107

Among other things the revisions to HR 1204 would tend to re-emphasize that the TSA is to take the recommendations of the Advisory Committee very seriously; reporting to Congress when the TSA does not follow those recommendations. The changes in the language for HR 2952 are essentially non-substantive political changes. The same can be said of the proposed changes to HR 3107.

It’s Official – The Crain-Sistrunk Vulnerabilities Are the Real Deal

On Friday a blog post over at the New York Times explains the Crain-Sistrunk vulnerabilities and how they are a danger to the electrical grid. As you would expect with such a technically literate organization, the blogger (Nicole Perlroth) got a lot of the details a little bit wrong (and she loves periods way too much), but the post has the broad outline of the process and the potential threat generally correct.

But missing the small stuff is of little consequence, the big thing is that the New York F***ing Times is telling the world that this is a problem. If you see it in the Times, Virginia, you know that it is true. And besides the politicians are now aware of the problem, probably never having heard of DigitalBond or ThreatPost or the other technical discussion groups where there was more (and more correct) information available about the problem at an earlier date.

What will be interesting to see is how soon it will be before Congress will call a hearing to look into the problem. Looking at the CFATS issues of a year and a half ago as a forecasting tool, I suspect that someone will call a hearing in March. That is unless there is a significant portion of the electrical grid shut down by some script kiddy in the meantime. Then it will be June or July before Congress starts to demand answers about why no one told them about the problem before the attack.

Of course (Severe Sarcasm Alert) the technically qualified part of DHS (ICS-CERT, look Nicole, no periods) has been right on top of this since being approached by Adam and Chris. They have gone out of their way to make sure that electrical grid and water system owners have been fully advised about the seriousness of the threat. Nine of the 16 vendors have rushed patches into the market place and are leading a coordinated evangelical campaign to get each and every vulnerable device patched or replaced. And the other seven vendors are so consumed with making things right with their product that they have inadvertently forgotten to tell owners of their products about the vulnerability (End of Severe Sarcasm Alert).

No, none of that has been done. ICS-CERT has published advisories for the vulnerabilities that have had patches developed by the vendor, but it seems as if they forgot their 45-day limit for withholding vulnerability alerts to allow vendors to get patches in place. I assume that the seven no-patch available vendors are working on the issue and that is why ICS-CERT is holding off on publishing the alerts. Even the master ICS-CERT advisory issued last week makes the problem sound minor and might as well say “hey man, no worry, it’s all good” for all of the concern that it will raise.

Now Crain and Sistrunk have not published exploits for their vulnerabilities so that may also contribute to the ICS-CERT justification for remaining mute on the uncorrected vulnerabilities. I would like to suggest that given the simplicity of the exploit as described in the ThreatPost and DigitalBond posts (enter a poorly secured remote substation, plug your communications tool into an open serial port and send almost any message to the master station and the local system gets a brain freeze and no electricity goes down the line) those posts should count as publication of exploits requiring ICS-CERT to issue alerts, so that the facility owners holding equipment from those 7 vendors will be aware of the fact that they were specifically targeted.

Oh well. Let me step down from my soap box, catch my breath and comb my hair. Maybe I caught someone’s attention, but probably not. I’ll try again later this week.

Sunday, October 20, 2013

A New Canadian Fuel Train Derailment

Saturday morning saw another small Canadian town disrupted by the derailment of a fuel train with subsequent fire and explosions. This time it was Gainford, Alberta near Edmonton that saw the effects of the fire and explosions. The train was transporting crude oil and liquefied petroleum gas (LPG). Thirteen cars derailed and apparently only three LPG cars (of the nine that were derailed) were actually involved in the fires and explosions. The four crude oil cars are not apparently leaking or burning. No deaths or injuries are being reported at this time.

The Incident

NOTE: See news reports here, here, here and here.

As is typical with a flammable gas fire, the local fire departments are not trying to put out the fire. Instead they are just trying to contain the fire to the area of the derailment. If the fire were extinguished while gas in the car was still leaking it would result in an explosive vapor cloud that could further damage nearby cars and cause further leaks.

A photo from the RCMP (see cropped version below) shows a typical flame jet from a pressurized gas release from a small hole or broken line. The flame appears to be pointed away from other cars, reducing the danger of other explosions or other cars becoming involved in the fire.

News reports indicate that there were two separate explosions, but it does not appear from the news photos that any of the three propane cars actually exploded (not near enough damage). What probably happened is that leaking LPG formed a vapor cloud that detonated when it expanded to reach an ignition source. Again, the damage seen in the news photos looks like the fuel clouds were rather small.

The biggest potential danger in these types of accidents appears to have been avoided here. When one of the flame jets seen in the RCMP photo is directed at an intact car carrying either flammable gases or liquids, it heats the contents of the car until the pressure builds up to the point where the flame-weakened metal catastrophically fails; a large gas cloud is then released and ignites in a spectacularly destructive explosion.

It is way too early yet to discuss causes of the derailment. According to one news report, a spokesman from the Canadian National Railway Company said that the tracks had been ultrasonically tested last month and the train had been inspected Friday.

The Conflict

This accident takes place against a political backdrop where there are discussions going on in both Canada and the United States about the large increase in the transportation of crude oil and other fuels by railroad. These increases are being driven by the resurgence of oil and gas production in the United States and Canada and the difficulty (physical and political) of getting pipelines in place to transport the oil and gas being produced either to refineries or markets.

There are on-going discussions in both countries about improving rail safety regulations concerning the shipment of fuels. The proposed regulations under consideration look at both the construction specifications for the cars transporting the fuels as well as the operation of trains transporting those cars.

Generally speaking pipeline transportation is safer than rail which is safer than truck. The flexibility of shipment destinations, however, is exactly the reverse; trucks are more flexible than trains which are still more flexible than pipelines. Unfortunately, the pipeline approval and construction process takes a great deal of time.

BTW: Thanks to a TWEET® from Rob Massey (@irobertcmassey) for pointing me at this story.

Canada Requires Additional Testing of Crude for Rail Shipments

As part of the continuing Canadian government response to the Lac-Mégantic, Quebec derailment, fire and explosions in July, Transport Canada issued a new Protective Direction (#31) ordering additional testing of crude oil being imported into Canada or being offered for transportation in Canada. This order is much more specific and legally binding than the similar recommendation offered by PHMSA in August.

Canadian Order

The Canadian order requires “any person engaged in importing or offering crude oil for transport to immediately test the classification of crude oil being imported, handled, offered for transport or transported as UN 1267, or UN 1993, if the classification testing has not been conducted since July 7, 2013, and to provide those test results to Transport Canada upon request”.

For any shipments where such additional testing has not been done since July 7th the directive requires that a default classification of “Class 3 Flammable Liquid Packing Group (PG) I” must be applied to the material, and the packaging and shipping documentation should reflect the PG I shipping requirements set forth in Canadian regulations.

FRA/PHMSA Advisory

On August 7th the US Federal Railroad Administration and the Pipeline and Hazardous Materials Safety Administration issued a safety advisory that addressed the results of the same Canadian incident. It took a much more lenient stance on the crude re-testing requirement, recommending that:

“Offerors evaluate their processes to ensure that hazardous materials are properly classed and described in accordance with the HMR.”

There is a long distance between ‘evaluating processes’ and ‘additional testing’. The earlier FRA-PHMSA advisory was based upon sketchy evidence available at the time that at least some of the oil in the railcars was more flammable than was reflected in the shipping papers and rail car selection. I would assume that the more recent Canadian order is based upon later and better evidence indicating misclassification.

The Problem

In a blog posting about the FRA-PHMSA advisory I noted that:

One of the potential issues raised in this accident is the flammability of crude oil. Different sources and blends of crude oil have different flash points. This is reflected in the three different Packing Groups that may be used for the classification of crude oil as a Class 3 hazardous material. Those Packing Groups in-turn have an impact on what types of rail cars may be used to transport crude oil. This has potential safety implications if the crude oil has a lower flash point than reflected in the shipping paperwork and an improper rail car selection is made.

I suspect that it would be common practice in the oil industry to test the crude from a single source one time and assume that that is the classification for all of the crude from that source. A good argument could be made supporting that assumption. It certainly would make ordering railcars to ship that crude much simpler.

I don’t see anything in the HMR that requires the contents of each railcar to be specifically tested. An argument could be made by regulators that the HMR (and I would suppose the Canadian equivalents) requires that, since each railcar load needs to be properly characterized {49 CFR §171.1(b)} on the shipping papers, the shipper has the responsibility to take whatever measures are necessary to ensure that the classification is properly made. Thus shippers could make whatever assumptions they want about a material, but if PHMSA or FRA found the material to be improperly classified, the shipper would be responsible.

Of course, this would mean that government inspectors would need to open and sample the material for testing to detect an improperly characterized crude oil shipment. This is specifically authorized under 49 CFR Part 109. I really doubt that PHMSA would stop a crude oil train to sample each car, but stranger things have happened. Short of that, there is no real way for PHMSA to effectively enforce a mandate for individual car testing. That may be why the FRA-PHMSA advisory was worded as a process review recommendation rather than a testing mandate.

Saturday, October 19, 2013

OMB Approves CG Change to LNG-LHG ICR

Yesterday the Office of Management and Budget (OMB) approved a Coast Guard request to extend and revise the information collection request (ICR) for safety and security programs covered under 33 CFR Part 127, Waterfront Facilities Handling Liquefied Natural Gas and Liquefied Hazardous Gas. This is a fairly routine update supporting a program that has been in place since 1986.

The table below shows the routine changes that have been made in the reporting burden estimates for this program since it came under the control of the Department of Homeland Security.

Approval Date | Time Burden | Time per Response

The average time per response column is a little misleading since there are a wide variety of responses covered under this program; the most complex (and time consuming) of which is the Waterway Suitability Assessment (WSA, 33 CFR §127.007). The Coast Guard explained that the sharp reduction in the estimated annual time burden for this ICR, even while the number of estimated annual responses increased by 25%, is due to the decrease in new WSAs from 7 to 1 per year. The increase in annual responses is due to the increase in recently approved facilities.