Friday, January 31, 2014

S 1961 Introduced – Chemical Storage

As I noted Tuesday Sen. Manchin (D,WV) introduced S 1961, the Chemical Safety and Drinking Water Protection Act of 2014, in response to the recent Freedom spill in Charleston, WV. This bill would amend various provisions of the Safe Water Drinking Act (SWDA, 42 USC §300f et seq) to help prevent the re-occurrence of such an incident. Among other things it would add a Part G—Protection of Surface Water from Contamination by Chemical Storage Facilities to that Act.

State Programs

Most of the requirements of this bill would provide States with new authority and responsibility in their enforcement of the Safe Water Drinking Act. These provisions are extensions of current enforcement authority. The States could decline to exercise this authority and then the enforcement authority would revert back to the Administrator of the EPA. This is how the Congress gets around the ‘unfunded State mandates’ dilemma; the States don’t really have to do anything, they can just let the Federal government step in and do it for them.

Covered Chemical Storage Facility

The key to this new legislation is the addition of a new term to the SWDA: covered chemical storage facility. The new §1471 would define this term as “a facility at which a chemical is stored and the Administrator or State, as applicable, determines that a release of the chemical from the facility poses a risk of harm to a public water system” {§1471(1)(A)}.

This is a very broad term that allows the Administrator of the EPA and State regulators a great deal of leeway in writing the applicable regulations that would implement this legislation. There is nothing in this language that would limit the scope of such regulations to bulk storage tanks such as those that were involved in the Freedom spill.

In fact, there is nothing here that would stop the regulators from including every privately owned facility, including individual homes, from coverage because everyone stores chemicals. Realistically, there would be no way to enforce such sweeping regulations and no agency is going to try to write regulations that are that sweeping in scope, but it would be allowed under this definition. The only restriction here is that a regulatory determination of potential harm to a drinking water system would have to be made.

Required Chemical Facility Actions

Section 1472 would require the establishment of State programs to protect drinking water from contamination by covered chemical storage facilities. States and the EPA would have one year from enactment to establish these programs. Those programs would be required to establish standards for {§1472(b)(2)(A)}:

• Good design, construction, or maintenance;
• Leak detection;
• Spill and overfill control;
• Inventory control;
• An emergency response and communication plan;
• An employee training and safety plan;
• An inspection of the integrity of each covered chemical storage facility; and
• Lifecycle maintenance, including corrosion protection.

While it would be hard to argue against any of those requirements, especially in light of the recent Freedom spill, the devil is always in the details. It would be helpful to the chemical industry if the EPA were to issue appropriate guidelines and regulations for the States to enforce. That way there would be a single, national standard for multi-state organizations to deal with.

The programs would also have to provide that covered chemical storage facilities would have to provide information to the EPA, state SWDA authorities, and the local water treating facility about:

• The potential toxicity of the stored chemicals to humans and the environment; and
• Safeguards or other precautions that can be taken to detect, mitigate, or otherwise limit the adverse effects of a release of the stored chemicals.

The lack of a definition for ‘potential toxicity’ is of more than a little concern. While the Crude MCHM was relatively non-toxic, it did have at least some measure of recognized toxicity. Would chemicals that did not have any known toxicity testing have to be reported? Would chemicals with extremely high dose rate toxicity have to be reported? There really should be a standard that combined known toxicity levels and maximum possible spill amount from a facility. High dose-rates for toxicity and small spill volumes add up to be a non-issue.

Finally the State programs would be required to spell out specific financial responsibility requirements (including proof of insurance, bond, or other similar instrument) for covered chemical storage facilities. This is very important because later in the bill (§ 1474) is the requirement that if costs are incurred by the EPA or State for response actions because of a release of a chemical from a covered chemical storage facility, the facility would be liable to the Administrator or the State for those costs.

State Program Actions

The programs established under §1472 would also include specific state actions in support of the program. Listed second {§1472(b)(2)(C)}, but certainly a primary responsibility would be the requirement to maintain a comprehensive inventory of the covered chemical storage facilities in the State.

This would have to include a precise physical location for the facilities because the second requirement, a State inspection program for those facilities, would have a frequency based upon the location of the facility with respect to water treatment facility source water assessment areas defined under 42 USC §300j-13. Facilities located within such source water assessment areas would have to be inspected every three years. All others would be inspected every five years.

This is going to require a fairly large staff of inspectors to be able to maintain reasonable inspection quality while covering the number of facilities involved. There is no mention of the golden phrase ‘inherently governmental function’ with respect to these inspections (though it could certainly be argued to be such), so it is possible that the States could contract out for this or even require facilities to pay for such inspections by licensed inspectors.

Information Sharing

Section 1476 would be added to the SWDA to cover the necessary information sharing aspects of the State plans under this legislation. It requires that whoever administers the State plans (EPA or State) is responsible for sharing with public water systems information about emergency response plans for all chemical storage facilities within the same watershed as the public water system {§1476(a)(1)} and an inventory of “each chemical held at the covered chemical storage facilities” {§1476(a)(2)}. Interestingly, there is no requirement in the State plan section for facilities to provide that inventory to either the EPA or State.

Copies of the emergency response plans would also have to be submitted to DHS and the EPA. Presumably the EPA copies would be sent to the EPA drinking water folks. To whom such plans would be sent at the sprawling DHS is not specified, but I suppose it would be FEMA.

To assuage concerns about the release of the above information presenting a security issue, the plan administrators at the federal or State level would be allowed to restrict the release of sensitive security information. The bill does not mention which sensitive security information program that would fall under. That could be very important because each of the existing programs has significantly different sharing rules and restrictions.

The provision does make clear, however, that there are limits on that information sharing restriction authority. It does not apply to public health information (not defined) {§1476(c)(2)(A)} nor can it be used to prevent sharing with “the Administrator, the Secretary of Homeland Security, a public water system, or a public agency involved in emergency response” {§1476(c)(2)(A)}.

Emergency Powers

Section 2 of the bill goes on to expand the current emergency powers of the EPA Administrator to take action under power of the SWDA (42 U.S.C. 300i). After first adding the words “or a covered chemical storage facility” after every mention of “public water system” in the appropriate paragraphs of 42 U.S.C. 300g–3, section 2(b) adds a new paragraph to §300i that would allow owner-operators of public water systems to either petition the EPA Administrator to take emergency actions or for the owner-operator to bring civil actions against “any activity or facility that may present an imminent and substantial endangerment to the health of persons who are supplied by that public water system” {§300i(b)(1)(A)}.

Citizen Suits

Adding covered chemical storage facilities to coverage under the SDWA makes them susceptible to citizen lawsuits for actions or failure to take actions under provisions of the new §1472. The citizen lawsuit provisions are covered under 42 USC 300j-8.

Moving Forward

The definitions of this bill are just too vague and the requirements potentially so far reaching that there will not be a single business organization that will be able to support the bill. This will almost certainly mean that the bill will never make it to the floor of the Senate and probably will never even be considered by the Senate Committee on the Environment and Public Works.

Thursday, January 30, 2014

ICS-CERT Publishes 2 Advisories

This afternoon the DHS ICS-CERT published two control system security advisories. One was a Crain-Sistrunk DNP3 vulnerability on Telvent RTUs and the second was a NULL pointer dereference vulnerability in the 3S CoDeSys Runtime Toolkit. Both were coordinated disclosures.

Schneider DNP3 Advisory

The DNP3 vulnerability was a standard improper input validation vulnerability. According to the Robus web site, this is number 16 of now 28 (they have recently updated the total number) coordinated disclosures that Crain and Sistrunk have made based upon their proprietary fuzzer technology; still 12 more DNP3 vendors to go.

This advisory was originally posted on the CERT secure portal back on January 6th and it was disclosed on the Schneider Electric web site on December 30th. Schneider has produced a patch to mitigate the single vulnerability (based upon the CVSS v2 score it is probably the serial version of the vulnerability). There is no mention in the Advisory if Crain-Sistrunk were given a chance to validate the patch.

According to ICS-CERT a relatively low skilled attacker could remotely exploit this vulnerability to execute a denial of service attack.

According to the internal Schneider version of the advisory (.PDF Download), Schneider did more than just fix this vulnerability in the firmware update. They note that:

“In addition to better checking DNP3 input for malformed packets, the J0 firmware includes features for encryption, authentication, improved logging and DNP3 connection port validation.”

CoDeSys Advisory

This advisory identifies a vulnerability reported by Nicholas Miles. 3S has developed an update that corrects the vulnerability and Miles has reported that it effectively mitigates the problem.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to cause a system crash within the Runtime Toolkit application.

ICS-CERT provide a URL for the CoDeSys download page, but I don’t actually see this update unless it is the SP3 Patch 9 that was released last week (1-24-14), but it sure doesn’t look like it from the details provided.

Missed Vulnerabilities

There have been a couple of TWITTER notices by Joel Langill (@SCADAHacker) about ICS vulnerabilities that have not yet been noticed by ICS-CERT:

@SCADAhacker #ICS Vuln Alert: Emerson Network Power Avocent MergePoint Unity 2016 KVM Directory Traversal Vulnerability 

@SCADAhacker #ICS Vuln Alert - #Schneider - Floating License Manager Unquoted Service Path Vulnerability (15/01/2014)  #SHnews

Latest CRS Report on CFATS

Earlier this month the Congressional Research Service (CRS) published the latest version of their report on the Chemical Facility Anti-Terrorism Standards (CFATS) program. This periodic report by Dana Shea summarizes the current state of the CFATS program and explains current problems facing the program. Past reports included an analysis of various potential solutions for CFATS problems that may require Congressional action; that is missing from this version.

SSP Process

Given the on-going congressional concern about the progress being made on the Site Security Plan (SSP) front, Shea takes a detailed look at that portion of the program. This discussion begins with a very good, concise summary of the SSP regulatory process:

“Over time, the DHS has attempted to develop a consistent nomenclature for its review and inspection process. The DHS authorizes an SSP (issuing the facility a letter of authorization) when the submitted SSP is satisfactory under CFATS. The DHS conducts an authorization inspection of a facility with an authorized SSP to compare the authorized SSP to the conditions of the facility. Following a successful authorization inspection, the DHS approves the SSP (issuing the facility a letter of approval). At a later date, expected to be one year after approval of the SSP, the DHS will conduct a compliance inspection of a facility to determine whether the facility has fully implemented its approved SSP. Compliance inspections then occur on a periodic basis depending on the risk tier to which the facility is assigned.” [Footnotes removed]

What is missed in this discussion is why such a complicated SSP process is necessary. Since Congress declared in the CFATS authorization that DHS may not specify what security measures are required for SSP approval, DHS was forced to publish a rather vague Risk-Based Performance Standards (RBPS) guidance document and facilities were left to guess what security measures to put into their proposed SSP. Since security is not a profit center, the apparent actual risk of a terrorist attack is low (no attacks to present and no reports of credible threats against chemical facilities), and security measures usually complicate day-to-day operations, facilities want to establish just the minimum security measures required to assure compliance with CFATS. As a result, there is a natural tendency to under-guess what is required for compliance.

Further complicating the process is the fact that the current SSP data submission tool in the on-line Chemical Security Assessment Tool (CSAT) uses a question/response format that solicits a limited amount of specific information about the proposed SSP and relies on the addition of narrative submissions for the bulk of the details about the program. Facility security managers have every incentive to limit the amount of information that they provide since any changes to that information after the SSP is approved will have to be vetted through DHS before it can be changed. Limiting the scope of that DHS operational veto is in the best interest of the facility management.

The disjointed and frequently duplicative organization of the information in the SSP tool further aggravates the approval process by making it difficult for inspectors to preview the submitted data before they conduct their authorization inspections. Since large chemical facilities are already complicated physically and operationally, inspectors have to become familiar with the unique operational aspects of the facility and become familiar with the proposed SSP at the same time during the scope of a three day inspection.

Digesting that inspection information and preparing a coherent report on how well the facility complies with the RBPS is a time consuming process. This is complicated by the fact that every chemical facility is unique in its surroundings, operations, hazards and susceptibility to terrorist attack. Further, the Chemical Security Inspector (CSI) needs to have an operational understanding of chemical safety, physical security, operations security, and cybersecurity to adequately understand all of the implications of the proposed SSP.

Finally, the CSI workforce is limited to about 160 personnel which include regional commanders who would be expected to spend only limited amounts of time in actual inspection activities. Authorization inspections are typically conducted by 3 to 5 inspectors depending on the size and location of the facility.

Inspection Rate

Shea spends a great deal of time analyzing the rates of authorization, inspection and approval and their inter-relationships. I would assume that this was done at the request of various Committee Chairs who are legitimately concerned with the progression of that process. Looking strictly at statistical data, Shea has provided detailed information about the number of actions that are necessary to complete the SSP process in a variety of time frames. Table 1 below summarizes the Shea data for the average monthly rates for achieving completion of the SSP authorizations and approvals for the facilities currently in the program.

[Table 1: SSP Authorization and Approval Rates; columns: 1 year, 2 year, 5 year, 10 year]

As I have discussed in various posts (see the latest here) about the monthly reports the Infrastructure Security Compliance Division (ISCD) has been publishing on the SSP approval process, there are a lot of things beyond the control of DHS that have caused significant month-to-month variations in the approval rates. It is also not clear how the changes in types of facilities being inspected (alluded to in the CRS report). One would think that the process would be easier at smaller less complicated facilities, but as I recently noted the lack of administrative resources at those facilities is also going to impact the approval process.

It seems likely that DHS will be able to complete the authorization process in somewhere between two and five years, particularly since that portion of the process includes only limited CSI involvement. The projection for the approval process is less sanguine. Shea notes that ISCD has recently begun the process of compliance inspections which will cut into the number of authorization inspections that the limited CSI force can conduct. Also noted as a force time-consumer is the current regulatory requirement to begin the reauthorization/re-approval process for Site Security Plans. That should begin in very limited numbers this fall.

New Facilities

Further compounding this issue is a discrepancy between the number of covered facilities and the number of facilities with a final tier assignment. Facilities become regulated when they submit a Top Screen that DHS decides provides presumption of being at high-risk. In the initial Top Screen submissions in January of 2008 40,000+ facilities submitted Top Screens, but only about 7,000 were notified by DHS that they were preliminarily determined to be at high-risk and would have to enter the initial evaluation process of the regulated chemical companies, the Security Vulnerability Assessment (SVA).

What is not clear in Shea’s discussion is the fact that not all of those facilities submitting SVA will be confirmed as high risk and be given a tier ranking assignment. It is only at that point that the facility joins the queue of facilities in the SSP authorization/approval process. Of the original 7,000 covered facilities only about 4,000 were required to submit site security plans; the remainder were dropped from the CFATS program because the additional data submitted demonstrated that they were not at high-risk of terrorist attack.

Shea appears to assume that all of the currently regulated facilities will be required to submit SSPs that will require future action. That is not supported by past history. Only about half of the currently regulated facilities that do not have tier assignments would be expected to have to submit SSPs.


What is disappointingly lacking in this version of the CRS report is a look at potential alternatives. With a new CFATS authorization bill currently in the works it would have been nice to see a look at possible congressional actions that could address this process.

The simplest action (and the least likely) is for Congress to increase the funding and authorized head count for CSI. Clearly the limited number of CSI has got to be a factor in the slow rate of approvals. Whether or not it is the only factor has yet to be seen. Shea acknowledges this, noting (pg 16):

“Increasing authorization inspection capacity might serve to highlight other potential issues within the CFATS process, such as delays in processing information from authorization inspections and issuing letters of approval.”

Congress is unlikely to significantly change the number of CSI. The CFATS program already has more full-time federal inspectors than does the EPA’s RMP program or OSHA’s PSM program, which address similar (yet a far larger number of) facilities. Federal employee costs are high and there appears to be a general reluctance to pay that cost for enforcement personnel.

Last summer I proposed another alternative to speed up the SSP authorization and approval process; adjust the standards by which those actions are reviewed for Tier 3 and Tier 4 facilities. Since these facilities are lower risk, it would seem reasonable that while the RBPS are lower the standards for review of the submissions should also be less stringent. While this would not technically need congressional approval it would certainly need congressional acquiescence.

Personnel Surety

There was one SSP issue that was completely ignored in the Shea report: technically there have been no site security plan approvals; they all have been conditional because facilities have not been able to fulfill all of the standards for RBPS # 12 Personnel Surety. The reason for this is that DHS has yet to establish a means for facilities to vet personnel given unaccompanied access to critical areas of the facility against a list of known or suspected terrorists. ISCD has been at work on this program with little success for over four years now.

I understand that this will be addressed by CFATS authorization legislation that will be introduced in the next couple of weeks. It remains to be seen whether or not that bill would, if passed (more than iffy in an election year), ease or compound the difficulties that DHS is having getting a plan that is acceptable to industry and accomplishes the requirements for personnel surety established in the current authorization.

In any case, some sort of reauthorization/re-approval process will have to be implemented once a CFATS personnel surety program is put into place by DHS. This should be able to be an almost completely administrative review, requiring little or no CSI involvement.

Another New Use for Methyl Bromide

Today the Department of Agriculture’s Animal and Plant Health Inspection Service (APHIS) published a notice in the Federal Register (79 FR 4867-4868) proposing to add another use of methyl bromide to their current Plant Protection and Quarantine (PPQ) Treatment Manual under the immediate need provisions of 7 CFR §305.3. This time it is for the treatment of kumquats for fruit fly infestations.

The new treatment schedule, T101-n-3, has been added to the PPQ subject to revision or removal based upon comments received per this notice. Public comments may be submitted via the Federal eRulemaking Portal (Docket # APHIS-2013-0095). A copy of the Treatment Evaluation Document (TED) supporting this adoption may be found in that docket.


Once again the folly of excluding methyl bromide from the list of DHS chemicals of interest (COI)  for the CFATS program based upon the putative ‘phasing out’ of the chemical by EPA is exposed. While greatly reduced, the use of methyl bromide will continue for the foreseeable future as it is an effective pesticide that is readily adaptable to treatment of new pests.

Since this is a toxic inhalation hazard (TIH) chemical (which is why it is such an effective pesticide) it should be included in the CFATS list of COI that trigger reporting to DHS. 

Wednesday, January 29, 2014

House Accepts HR 2642 Conference Report

This morning the House accepted the revised language for HR 2642, the Federal Agriculture Reform and Risk Management Act of 2013, found in the Conference Report by a bipartisan vote of 251 – 166. This was bipartisan in the modern sense of the word; it was a vote by the moderates of both parties that carried the day.

As I noted yesterday the chemical safety and security measures in the original bill are there no longer. The closest we got was some funding for some existing minor biosecurity programs.

It will be interesting to see if the leadership in the Senate can broker the same sort of bipartisan middle ground over the bomb-throwers of both parties.

S 1951 Introduced – CERCLA Response

As I mentioned almost two weeks ago Sen. Schatz (D,HI) introduced S 1951, a bill dealing with CERCLA liability costs. The bill would extend the financial liability for the consequences of chemical spills under 42 USC 9607.

The bill makes two changes. First it expands the liability provisions to include more than just the defined hazardous substances found in Table 1 to Appendix A in 49 CFR 172.101. It does this by adding the phrase “(or pollutant or contaminant if the President takes any response measure under section 104(a) [42 USC §9604(a)] with respect to the pollutant or contaminant)” {§1(1)} after every mention of ‘hazardous substance’ in 42 USC §9607(a). This mirrors the language in other CERCLA sections that include coverage of pollutants and contaminants.

It then revises §9607(a)(4)(C) to limit the new liability coverage to just owner and operators of facilities. It limits the current CERCLA coverage of liability of others (including waste facility owner/operators and transporters) to the current hazardous substance language.

The timing of this bill, coming just a week after the Freedom spill, makes it look like it is targeted against that type of situation. The Crude MCHM that was spilled into the Elk River would certainly seem to fall under the pollutant category rather than the current hazardous substance rule. The President’s emergency declaration in this particular case would not seem to fit the ‘response measure under section 104(a)’ portion of the pollutant coverage. That section provision could probably have been addressed by adding a reference to that section in the disaster declaration.

I suspect, however, that this bill was already in the works as Sen. Schatz does not represent the affected area (the one co-sponsor, Sen. Rockefeller (D,WV), does however) and neither Schatz nor Rockefeller made a floor speech about the introduction of the bill. If the bill had been specifically targeted at this type of spill, they missed a great press moment by not giving such a speech.

Unless there is some major objection to this bill by the chemical industry (and I don’t really see that happening) this bill could probably pass in the Senate in one of those unanimous consent procedures by which relatively minor legislation is addressed by that body. It would be more appropriate, however, if this language were added to EPA authorization legislation.

EO 13650 Webinar

I have signed up to receive emails from the EO 13650 Working Group about the actions that the group is taking in support of the President’s Executive Order on Improving Chemical Safety and Security (EO 13650). This has mainly allowed me to get advance notice of various meetings, public listening sessions and webinars on EO 13650. I received one such email notice yesterday about a slightly different webinar, one specifically targeted to residents in New York and New Jersey.

To date these webinars and public listening sessions have been focused on receiving public input on chemical safety and security issues. The ones that I have listened to have been essentially opportunities for various industry and activist organizations to rehash their well established points of view about matters of chemical safety and security. This has been a worthwhile exercise as it has allowed representatives from EPA, OSHA and DHS chances to publicly ask questions to clarify their understanding of these various positions.

This webinar, to be held on February 2nd (more about sign-up details below) will apparently have a slightly different focus. According to the email it is designed to help people who want “to prepare for the in-person listening session in Newark, NJ on February 5th in order to provide comments and feedback on the Executive Order to help improve the safety and security of chemical facilities”.

The webinar is being hosted by the EPA’s Technical Assistance Services for Communities (TASC), an EPA community outreach organization. It is specifically focused at “Community members and grass roots organizations, including first responders, in the New York/New Jersey area, interested in improving the safety and security of chemical facilities”.

I have signed up for this webinar (though I am certainly not a resident of the NY/NJ area) because of its intent to “provide additional information about the New York and New Jersey areas”. I’m hoping that will include information about the pilot project on interagency cooperation that is being headed by the EPA in Region 2 (The Effective Chemical Risk Management Project, Federal Region 2). There has been very little public information about this project and I’m hoping that it will be discussed in this venue.

The email provides a link for signing up for the webinar. It is a relatively easy sign-up process with a minimum of personal information required. Interestingly I don’t see any information about an OMB approved information collection request for the information being requested. I also have a very low level of concern about the information I provided being shared with Skeo Solutions, the private-sector organization that will apparently be conducting the webinar for TASC.

Tuesday, January 28, 2014

Bills Introduced – 01-27-14

Yesterday there were 21 bills introduced in the House and Senate. One of those will be of specific interest to readers of this blog:

S 1961 Latest Title: A bill to protect surface water from contamination by chemical storage facilities, and for other purposes. Sponsor: Sen Manchin, Joe, III (D,WV) 

I wrote about this bill over a week ago after the initial press release from Sen. Manchin, but we will still have to wait for the bill to be published to see how it attempts to achieve its objectives. There is frequently a disconnect between what those press releases say and what the bill actually attempts to do.

NOTE: Rumors continue to abound about Rep. McCaul’s (R,TX) CFATS authorization bill, but it has not yet been introduced. I suspect that it is being further refined.

House to Consider HR 2642 Conference Report

The Conference Committee Report on HR 2642, the Federal Agriculture Reform and Risk Management Act of 2013, was submitted this evening and considered in the House Rules Committee. The rule for the consideration of HR 7 includes provisions for the consideration of the HR 2642 Conference Report.

The chemical safety and security provisions that were included in the version that the House originally passed last July were not included in the Senate version of the bill and did not make it back into the Conference Report version. The closest thing to chemical security provisions were found in Title VII, Subtitle E, Part 1 – Agricultural Security. Those provisions were funding for various biosecurity programs; including:

• Agricultural Biosecurity Communication Center, 7 USC 8912(c) {§7501};
• Assistance to build local capacity in agricultural biosecurity planning, preparation, and response, 7 USC 8913 {§7502};
• Research and development of agricultural countermeasures, 7 USC 8921(b) {§7503}; and
• Agricultural Biosecurity Grant Program, 7 USC 8922(e) {§7504}

H Res 465 provides for the consideration of both HR 7, an anti-abortion bill, and HR 2642. Section 2 of that resolution provides for an hour of debate, no amendments, and a vote on the amended bill. There has been enough deal making that there should be enough bipartisan support for the bill to allow it to pass over the objections of conservatives who will object that the bill does not cut spending nearly enough.

Because of the State of the Union Address this evening and the shortened session in the House to prepare the Chamber for the Address, it is unlikely that HR 2642 will get voted on today (Tuesday); Wednesday is much more likely.

Monday, January 27, 2014

Congressional Hearings – Week of 1-26-14

Both the House and Senate will be in session this week and the big news will, of course, be the President’s State of the Union (SOTU) Address. With this on the agenda there is a relatively light hearing schedule in both houses of Congress. There is only one this week that may (and this may be a stretch) be of specific interest to readers of this blog, a House hearing on TSA criminal investigators. There may be an authorization bill finally wending its way to a final vote this week as well.

TSA Criminal Investigators

On Tuesday the Transportation Security Subcommittee of the House Homeland Security Committee will be holding a hearing “Examining TSA's Cadre of Criminal Investigators”. Since these investigators also handle surface transportation investigation there may be some mention of chemical transportation security measures, but I’m not going to hold my breath.

All of the witnesses for this hearing are from DHS, including a representative of the DHS IG’s office. I am kind of surprised not to see someone from either the GAO or the TSA employees union.

HR 2642 Conference Report

The agriculture authorization bill is one of those big deals that needs to be passed every year. Here we are just over a quarter of the way through the fiscal year and, according to the Majority Leader’s web site, we may be getting a conference report this week.

The original version of the bill introduced in the House included some chemical safety and security measures, but they were removed in the Senate version. It will be interesting to see if any make it back into the Conference version of the bill.


I expect that the President’s annual speech tomorrow will include at least some mention of chemical safety and security measures, especially after the high profile train wrecks and the recent spill in West Virginia. I don’t really expect anything new on this front other than perhaps a plug for actions being taken (VERY SLOWLY) under his Improving Chemical Safety and Security EO.

TSB and NTSB Make Crude Train Recommendations

Early last week the Canadian Transportation Safety Board (TSB) and the US National Transportation Safety Board (NTSB) made a coordinated series of recommendations based upon the preliminary investigation results from the Lac-Mégantic crude oil train wreck and initial investigation results from the Casselton, ND crude unit train wreck.

The NTSB recommendations to the Federal Railroad Administration (FRA) and the Pipeline and Hazardous Material Safety Administration (PHMSA) go significantly beyond the political calls for replacing the older DOT 111 railcars that have apparently contributed so greatly to the catastrophic destruction seen in these recent derailments and fires.

The twin recommendation documents published on January 21st outline what is currently known about the two accidents and additional related rail incidents that occurred with trains transporting ethanol. In addition, they provide supporting details for the six recommendations that will be discussed below.

NOTE: It is interesting that the NTSB has expanded this discussion to include the bulk shipment of ethanol in unit trains. Given that there are more car loads of ethanol being shipped than crude oil, and given that they are using the same types of cars over the same tracks, it might be interesting for someone to look into why there has been a rash of crude oil train wrecks, but not a similar rash of ethanol unit train wrecks. Could it be related to the fact that crude oil is not a ‘clean fuel’ and may thus be preferentially targeted by environmental extremists?

Route Planning

Two of the six recommendations (R-14-1 and R-14-4) are virtually identical in that they recommend that the two agencies work together to:

“Expand hazardous materials route planning and selection requirements for railroads under Title 49 Code of Federal Regulations 172.820 [Link Added] to include key trains transporting flammable liquids as defined by the Association of American Railroads Circular No. OT-55-N and, where technically feasible, require rerouting to avoid transportation of such hazardous materials through populated and other sensitive areas.”

The current route planning and selection requirements are limited to bulk rail shipments of explosives, toxic inhalation hazard (TIH) chemicals, and radioactive materials {§172.820(a)}. There has been no indication that the complicated rules for route evaluation (requiring evaluation of 26 separate and un-weighted factors, Appendix D to Part 172) have done anything to reduce the number of shipments of the covered chemicals through major metropolitan areas, which was arguably the intent of the regulators.

The current §172.820 regulations do not require the re-routing of the covered material ‘to avoid transportation of such hazardous materials through populated and other sensitive areas’. They impose a vaguer standard of:

“Using this process, the carrier must at least annually review and select the practicable route posing the least overall safety and security risk.” {§172.820(e)}

Enforcement of these route selection decisions is more than a little vague. There is no requirement to submit the analysis documents to either the FRA or PHMSA (or TSA for security issues) for approval. They must be made available to inspectors from DOT or DHS. Finally the DOT may only require a change in route selection in concert with the TSA and only after the Surface Transportation Board determines that the alternative route is “economically practicable” {§172.820(j)}. Because of the lack of a measurable standard for the “most secure practicable route available”, it is unlikely that any such order would stand up in court.

Spill Response Plans

There are nearly twin recommendations (R-14-2 and R-14-5) to the two agencies dealing with spill response plans. The primary responsibility for these plans is given to PHMSA:

“Revise the spill response planning thresholds contained in Title 49 Code of Federal Regulations Part 130 [Link Added] to require comprehensive response plans to effectively provide for the carriers’ ability to respond to worst-case discharges resulting from accidents involving unit trains or blocks of tank cars transporting oil and petroleum products. (R-14-5)”

Section 130.31 sets forth the current requirements for spill response plans. While there are a number of administrative requirements, the key action item is found at §130.31(b)(4):

“Identifies, and ensures by contract or other means the availability of, private personnel (including address and phone number), and the equipment necessary to remove, to the maximum extent practicable, a worst case discharge (including a discharge resulting from fire or explosion) and to mitigate or prevent a substantial threat of such a discharge;”

The concern of the NTSB being addressed by the recommendation to revise the planning thresholds is that the current language in §130.31(a)(2) limits the requirements for the spill response plan to just a spill from a single packaging. The accident record in the last year surely indicates that more than a single railcar (the packaging in this instance) will be involved in the spill and subsequent fire.

The NTSB is concerned that the current language allows for inadequate funding support for the spill response in the types of accidents with crude oil and ethanol unit trains that we have been seeing. The adequate spill response for a single car spill may be totally inadequate for a multiple rail car discharge.

The FRA counterpart to this recommendation addresses the need to audit the plans to “ensure that adequate provisions are in place to respond to and remove a worst-case discharge to the maximum extent practicable and to mitigate or prevent a substantial threat of a worst-case discharge. (R-14-2)” Since there are no provisions in Part 130 requiring the submission of spill response plans or the approval of emergency response plans, there is currently no good method of determining if the plans currently in place (even given their single packaging scope) are adequate to the task at hand.

One other significant shortcoming in the current spill response plan requirements is that there is no requirement for the plan to address how to deal with fires and explosions subsequent to a spill. The only real response requirement is listed in §130.31(b)(3) which describes authority to “implement removal actions”. It might be worthwhile considering the addition of fire suppression planning for unit trains carrying flammables.

Crude Hazard Classification

The last two recommendations address the issue of proper classification of crude oil hazards. Again PHMSA is given the task of establishing the requirement and standards while FRA is given the responsibility for auditing the performance of rail shippers.

The Hazardous Material Regulations (HMR) already require a shipper to properly classify and describe hazardous materials {§173.22(a)(1)}; §173.120 provides the definition of flammable liquids (Class 3) and §173.121 provides the testing criteria for the assignment of packing groups within that class.

While PHMSA is continuing its testing of samples of the Bakken Crude to determine if any additional testing requirements might apply, the NTSB discussion of the classification of the crude in the Casselton incident (pg 11 of the PHMSA recommendation letter) indicates that the initial shippers to the rail transloading facility had properly classified the material as Packing Group II while the shipping papers for the train cars incorrectly identified it as the less hazardous Packing Group III.

It is not clear how the NTSB intends for the FRA to audit the proper classification of crude oil shipments. The only real way to conduct such audits would be to pull samples from random railcars and send them to an outside lab for testing. Currently the only authority for opening hazmat packages in transit is found in §109.5, but it only allows for opening of a packaging component “that is not immediately adjacent to the hazardous materials contained in the package”. In other words, samples may not be taken.

The one exception to this is that when a DOT “agent has an objectively reasonable and articulable belief that the packages may pose an imminent hazard” {§190.7} the packaging may be transported to a facility for testing. This is clearly not intended to be used for audit purposes.

Safety and Security Plans

While not included in the formal numbered recommendations made by the NTSB, there is a lengthy discussion (pgs 10-11) in the documents relating to the requirements for the preparation of transportation safety and security plans for Class 3 materials classified in Packing Group I or II {§172.800(6)}. The NTSB concludes that discussion by recommending “that the FRA audit shippers and rail carriers of crude oil to ensure they are using appropriate hazardous materials shipping classifications, have developed transportation safety and security plans, and have made adequate provision for safety and security” (pg 11).

The current requirements for the security plan are more than a little vague and provide no measure to determine the adequacy of those plans. Section 172.802(a) provides a rather generic description of the components that will be included in the security plans; including:

• Personnel security (surety);
• Unauthorized access;
• Enroute security;

Since there are no real descriptions of what these components will include (for example there is no requirement for vetting personnel against a terrorist screening list or even a criminal background check) there is no way that such plans could be determined to be inadequate from an actionable regulatory point of view. Without being able to compel a shipper or railroad to achieve some measurable level of security, there is no practical need for an audit of such plans.

Now, if the NTSB had recommended that the provisions of Subpart B of the TSA Rail Transportation Security Regulations pertaining to rail security sensitive materials (again explosives, TIH chemicals, and radioactive materials similar to those requiring route planning) were made to apply to unit trains of crude oil or ethanol, then there would be some actual security planning and execution efforts to audit.

Moving Forward

The NTSB does not have any regulatory authority to compel the FRA or PHMSA to comply with their recommendations. Neither agency has a real good track record for timely adoption of NTSB recommendations. That, combined with the industry’s almost legendary resistance to change and a well understood proclivity to use the courts to resist changes, ensures that none of the recommendations will move forward quickly, if at all.

Sunday, January 26, 2014

CFATS Document Support

I’m hearing interesting rumblings from those in the CFATS field that as more and more small chemical facilities are getting visited by DHS Chemical Security Inspectors (CSI, oh that hurts; maybe CBS should sue for copyright infringement) a new ‘security issue’ is being found with increasing regularity. While these facilities appear to be doing a yeoman’s job at actually securing the chemicals on site, they are having problems documenting their security procedures.

The Problem

As DHS moves into the site security plan authorization and approval process in the Tier 3 and Tier 4 facilities, they are encountering a large number of small facilities, frequently with less than 10 employees on site and no corporate EHS&S support. The Security Manager at these types of facilities is frequently the same person that handles all of the other regulatory compliance issues for the facility along with another full time job related to chemical production or distribution.

This routinely means that while security measures might be employed, there is little time for preparing all of the documentation that goes into supporting a real security plan. There are dozens of written procedures and processes that the CSI need to be able to see when they arrive on site to verify that the facility understands its security program and is properly implementing all of the necessary support requirements that are part and parcel of the physical security investments that have been made.

For example, there might be a bright new 10 foot security fence with razor wire topper and an automated gate that opens only to employee ID cards, but there needs to be a document that describes the processes that support that fence. That barrier plan document would include a description of:

• Who/what the fence was designed to keep out;
• How the fence is kept under observation to ensure that no one cuts or climbs over it;
• How often the fence is inspected for physical integrity;
• Who is responsible for ensuring that defects are repaired;
• What is done while a defect is awaiting repair to compensate for the deficiency;
• How the employee ID cards are issued and controlled;
• Etc.

Each and every security measure that a facility employs needs this sort of documentation that can be shown to a visiting inspector (along with supporting records that show that required periodic actions are being taken). Without that documentation, the DHS cannot really tell if a facility is really properly secured.

CSAT Tool Lacking

It looks like the original intent of the developers of the Chemical Security Assessment Tool (CSAT) was to provide an on-line data entry tool that would allow much of this type of documentation to be bypassed, making the job of security managers much less complicated. Unfortunately, by the time DHS got around to implementing the Site Security Plan (SSP) portion of the tool it became painfully obvious that there was not enough time, money or support available to prepare an SSP tool that could do more than ask some general questions about a very complicated series of security topics.

I understand that suggestions have been made that DHS Infrastructure Security Compliance Division (ISCD, the folks that run the CFATS program) provide an on-line series of templates for the various supporting plans and documents that may be needed by a facility to support their SSP. For some fairly obvious reasons, that has not been done.

First off, ISCD is already stretched pretty thin doing what it is already required to do; authorize, approve and inspect 3000+ site security plans. We can argue whether or not they should have developed such templates as part of the original SSP tool development process, but that is water under the bridge and the current management team was not in charge of that process. At this point in time they don’t have the time, money or personnel to accomplish that type of template development.

I am hearing rumors that a variety of facilities that have already been authorized and approved have offered to allow some of the documents that they have produced to be used as templates (after filing off the appropriate nameplates and serial numbers, of course). This is quite heartening and a positive sign of how well the industry accepts their general responsibility for chemical security in general.

Unfortunately, the §550 bugaboo once again rears its ugly head; “the Secretary may not disapprove a site security plan submitted under this section based on the presence or absence of a particular security measure”. ISCD has, from its very inception, taken this congressional restriction very seriously (too seriously in my opinion, but then again, I don’t have to go back to Congress every year for reauthorization either). One just has to look at the repeated weasel wording in the Risk-Based Performance Standards guidance document to see how seriously the Department takes this requirement.

There is no way that ISCD is going to provide templates for SSP support documents for fear of running afoul of this restriction. Additionally, the Department lawyers would vociferously argue against providing such templates for fear of having to defend ISCD against legal complaints when facilities that used such templates were found wanting in their SSP plan implementation. Templates would have to be written generally enough that a lot would still depend on how the various blanks were filled in. Besides, chemical facilities covered under CFATS are so diverse that it is unlikely that a single template, no matter how generally written, would cover all situations.

Industry Support

It looks like Congress, reading the full language of the §550 authorization, actually thought that there would be a viable solution to this issue. We can see this in the language related to alternative security plans (ASP). They thought that the various areas of the chemical industry would come up with generic security programs tailored to the specific requirements and security issues facing that industry segment.

Unfortunately, to date only one ASP has been developed that is in widespread use and that is the one that was introduced just over a year ago by the American Chemistry Council (ACC). The ACC’s ASP is much closer to being an actual site security plan template than is the SSP tool in CSAT. It still, however, falls short of the actual policies and procedure documents that need to be in place at all CFATS covered facilities. And there is a good reason for this; the ASP document once submitted and authorized/approved by DHS cannot be changed without approval of DHS.

Policies and procedures supporting the ASP need to be living documents that can be changed and modified to fit changing circumstances. As long as those changes don’t materially modify the processes approved by DHS there should be no need to burden the ISCD folks with a change approval request. So the data submitted to the DHS in the ASP needs to cover much of the same information as would be found in the policy and procedure documents, but not in quite so much detail. (NOTE: Finding the acceptable limits of that detail is what is taking so much time in the SSP authorization and approval process.)

In any case, it would be helpful if the various chemical industry support groups would help the smaller companies in their organizations by developing template documents for many of the security policies and procedures that facilities would have to have in place to support their SSP.

ASP Approvals

While I am on the topic of ASPs, I heard a very interesting comment from the field the other day about why DHS is not pushing the ACC ASP. Now Director Wulf has made an official statement in support of the use of the ACC ASP, but there is nothing on the DHS CFATS web sites specifically mentioning the ACC ASP, and there is certainly no link to the ASP on the DHS sites. Some are questioning this lack of support.

The comment I heard this week is that the reason for this lack of support is that the cost of the design and maintenance of the current CSAT tool would be hard to justify if there were widespread adoption of the ACC ASP. While I would not be surprised to hear that there were individuals associated with the CSAT development that might have their feelings hurt to hear that their SSP tool was less than adequate (AND IT CERTAINLY IS THAT), I do not think that is why the current management team at ISCD has not made their support for the ACC ASP more widely known.

First off, any federal bureaucrat has to be very careful about how they endorse a commercial product. While the ACC ASP is certainly free-of-charge for use, the ACC and its affiliated companies are commercial enterprises, so Director Wulf has to be careful in that respect. Also, as other ASPs hopefully come into use, failure to publicly recognize and support those with the same alacrity that they supported the ACC ASP could lead them into political problems, so a measured approval is probably politically prudent.

There should be, however, a link on the SSP homepage to any and all ASPs that have been approved by DHS. If there is only one such link because only one such program has been approved by ISCD, then so be it. This should serve as an incentive for other organizations to develop their own industry specific templates.

Saturday, January 25, 2014

OMB Approves Methyl Bromide NPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the EPA’s notice of proposed rulemaking (NPRM) for the 2014 Critical Use Exemptions to the phase out of the use of methyl bromide under the Montreal Protocol for the Protection of Atmospheric Ozone. This annual rule making exercise is proceeding slower and slower; this approval comes one month later than did the 2013 OMB approval.

The OIRA notice states that the NPRM was approved ‘consistent with change’. Presumably this means that they are requiring EPA to make some relatively minor changes to the draft NPRM that had been submitted for approval. This means that we probably won’t see publication of the NPRM until the first week in February.

As I noted last May when EPA submitted the final rule for the 2013 Critical Use Exemption, because of this delayed rulemaking process EPA must provide extralegal assurances that it will not take actions against producers, dealers and users of methyl bromide for the production, importation or use of methyl bromide this year while the rulemaking process proceeds.

According to the 2014 CUE web page, the NPRM should be authorizing the use of methyl bromide for the following uses: Commodities (740 kg), Food Facilities (22,800 kg), Ham (3,730 kg), and Strawberries (415,067 kg). No mention is made of the various emergency use approvals that EPA and the Department of Agriculture (eg: Cotton Seed and Blueberries) have approved since the 2014 CUE list was submitted to the UN for approval in January of 2012.

Standard Rant Warning

As always, I will take this opportunity again to argue that the removal of methyl bromide, a toxic inhalation hazard chemical, from the final Appendix A, 6 CFR Part 27 list of DHS chemical of interest because methyl bromide use was being phased out was ill-advised and contrary to the congressional intent to have DHS regulate dangerous chemicals that could be used by terrorists in a weapons of mass destruction attack within the United States. Methyl bromide should be added back to the COI list post-haste.

Friday, January 24, 2014

What Constitutes “Possesses”?

I had an interesting theoretical CFATS question thrown at me this week by a reader, a question that for fairly obvious reasons was not going to be offered to the folks at the DHS Infrastructure Security Compliance Division (ISCD), the people who administer the CFATS program. As I have to periodically remind people, I am not a lawyer, so I cannot offer legal advice and I certainly don’t work for ISCD, so my regulatory advice is somewhat suspect. Having said that; I always like looking at odd things from different perspectives. So let’s look at this question.

The Situation

A facility routinely uses aqueous ammonia and receives the material in bulk in quantities in excess of 20,000 lbs. The concentration of the aqueous ammonia ordered and used in the facility is 19%. This puts the product outside of the description for ammonia found in Appendix A, 6 CFR Part 27 since that document describes the DHS Chemical of Interest as “Ammonia (conc. 20% or greater)”. So the facility has no responsibility for reporting their use of aqueous ammonia to ISCD even though the amount of the material on-hand routinely exceeds the screening threshold quantity (STQ) for the defined ammonia (20,000 lbs).

A mistake on the vendor’s part results in a load of 28.4% ammonia being sent to the facility to fulfill an order for 19% ammonia. The paperwork accompanying the shipment (including both the bill-of-lading and the certificate of analysis) indicates that the material received is 19% ammonia as requested, so it is accepted and unloaded by the facility. Subsequent use of the material indicates that it is more concentrated than it should be and subsequent on-site testing confirms that a mistake has been made.

The vendor acknowledges the mistake, apologizes vociferously, and expeditiously removes the unused portion of the material from the facility and makes a complete refund for the full amount delivered (including the portion consumed).

The question is, does the facility have to report the 40,000 lbs of 28.4% ammonia received to DHS ISCD on a Top Screen submission?

On the One Hand

The CFATS regulations clearly state {§27.200(b)(2)}:

“A facility must complete and submit a Top-Screen in accordance with the schedule provided in § 27.210, the calculation provisions in § 27.203, and the minimum concentration provisions in § 27.204 if it possesses [emphasis added] any of the chemicals listed in appendix A to this part at or above the STQ for any applicable Security Issue.”

The 40,000 lbs of 28.4% ammonia delivered to the facility is clearly a chemical listed in Appendix A above the STQ. This means that compliance with the CFATS regulations requires that the facility register with CFATS for the purpose of establishing a Chemical Security Assessment Tool (CSAT) account so that a Top Screen can be submitted within 60 days of the time that the 28.4% ammonia was delivered to the facility.

On the Other Hand

The offending ammonia was removed from the site before there would have even been a chance for DHS to provide log-in credentials for the facility personnel to begin to work on the Top Screen submission. The toxic gas release hazard was gone with the off-spec ammonia. There was no intent by the facility to purchase, obtain or use ammonia in any concentration higher than 19%.

While the Top Screen submission is relatively un-intrusive as chemical regulations go, it does take time and administrative efforts to complete the registration and Top Screen submission process. For a facility to have to make even those relatively minor efforts for a mistake made and corrected by someone else does not seem to make a lot of sense.

The purpose of the CFATS regulations is to ensure the security of chemical facilities that make, store or use chemicals that could be used by terrorists in effecting a chemical attack, either by causing a hazardous release of toxic or flammable chemicals or by using stolen or diverted chemicals to make improvised chemical weapons or explosives that would be used in a subsequent attack. In this particular case, that purpose would not be served by requiring the facility to complete the registration/Top Screen processes for chemicals that are no longer and never again should be on hand at the facility.

Letter or Intent of the Rule

This comes down to the old dilemma: which is more important, the letter of the law or the intent of the law? I personally tend to come down on the side of the spirit of the law. While the law should be blind and impartial so that it treats everyone the same, it also must be practical. Blind adherence to the letter of the law is frequently discriminatory in application. A small company being required to meet the §27.200 requirements in this case would be more burdened by that requirement than a large company in the same situation.

Since the purpose of the regulation in this case would not be measurably served by a strict adherence to the letter of the law, the application of the burden would be discriminatory against the small company and (again in my opinion) should be avoided.

ICS-CERT Publishes GE Proficy Advisory

Yesterday the DHS ICS-CERT published an advisory for twin path traversal vulnerabilities reported in the GE Proficy CIMPLICITY application by amisto0x07 and Z0mb1E. The disclosure was coordinated through the Zero Day Initiative (ZDI). A patch has been developed by GE for one of the vulnerabilities and a configuration change has been suggested for the other. There is no indication that the researchers have validated the efficacy of these mitigation measures.

ICS-CERT notes that a moderately skilled attacker could remotely exploit either of these vulnerabilities to execute arbitrary code on the system.

GE has published two advisories (GEIP13-05 and GEIP13-06) that discuss the vulnerabilities in more detail and explain the mitigation measures.

GEIP13-05 – No Patch

This GE Advisory notes that the vulnerability is due to a single component (gefebt.exe) and recommends that ‘all copies’ of the file be deleted. The advisory provides information about where copies of the file should be found in the server directories and on the server web pages.

The advisory notes that making these changes will disable links on the default home page on the CIMPLICITY system that allow users “to browse CIMPLICITY projects and view alarms, points, screens and objects”. To regain this functionality, the default home pages will have to be re-created using the “Create Webpage” option.

This could be a very complex remediation.

GEIP13-06 – Patch Available

The second advisory provides a link for a patch to CIMPLICITY version 8.2. It notes that users of versions earlier than 8.2 should upgrade to version 8.2. Interestingly, versions 4.0 and earlier are not affected by either of these vulnerabilities.

GE provides two other mitigation options as alternatives to updating or applying the patch to version 8.2. If web-based HMI functionality is not needed, they provide the option of disabling that functionality. If that functionality is required, there is the option of using an alternative web server, the IIS web server, instead of the vulnerable CimWebServer.exe.

Delayed ICS-CERT Notification

Joel Langill notes that OSVDB has been reporting this vulnerability since the middle of December. The GE advisories are also dated from the same point in time and both note that public disclosure of the vulnerabilities was expected by December 31st.

There is no explanation in the ICS-CERT advisory as to why it has taken them so long to report this vulnerability. These delays are becoming increasingly common with ICS-CERT advisories. More importantly, it is becoming more common for ICS-CERT to ignore or miss reports of ICS vulnerabilities altogether. Perhaps it is time for Congress to exercise their oversight responsibility and look into the operations of ICS-CERT.

Thursday, January 23, 2014

CSB Changes Anacortes Meeting

Today the Chemical Safety Board published a notice in the Federal Register (79 FR 3777-3778) changing the purpose of the meeting that they had originally advertised as a meeting to review and approve the staff report on the 2010 fire and explosion at the Anacortes, WA Tesoro Refinery.

A meeting notice published last month indicated that the CSB Staff would present their draft report at a public meeting on January 30th and after allowing for public comments on the draft, the CSB would publicly consider approving the report.

While the draft staff report has not yet been made publicly available, it was expected to include a ‘safety case’ regulatory scheme for refineries similar to the one that was discussed last week in Richmond, CA for the Chevron Refinery accident investigation. However, since that staff report was not accepted (yet not rejected either) when two Board Members requested more staff work on investigating some of the negative public comments received on the new regulatory scheme proposal, the Board is not going to attempt to review and vote on accepting the Staff Report on the Tesoro Refinery accident at the scheduled January 30th meeting.

Instead the Staff will make a public presentation of their draft report and listen to public comments on that presentation. The Draft report will then be posted to the CSB web site and the CSB will accept comments on the proposal for 45 days. After that time they will reschedule a public meeting to review and vote on accepting the Staff's recommendations.

To see the comments that the CSB received on the safety case issue, click here. To see the CSB responses to those comments, click here.
