Friday, February 28, 2014

‘New’ Fuel has Security Implications

There is an interesting post over at about a potential replacement for hydrocarbon fuels, anhydrous ammonia. The author, Kurt Cobb, describes six advantages to the use of ammonia:

• It contains no carbon, therefore no greenhouse gases produced;
• Well-known processes for making ammonia;
• Worldwide ammonia production industry;
• Distribution technology understood;
• Enviable safety record (more on that later);
• Creates nothing that can be classed as pollution

In general this is a well thought out and well documented discussion of the pro-ammonia arguments. I do, however, take exception to the glib statement about the anhydrous ammonia safety record, and I note that there are some serious security issues that must be taken into account in this discussion.

Safety Record

Anhydrous ammonia is a toxic inhalation hazard (TIH) chemical. This means that relatively low concentrations in the air can kill people. Kurt does make one good point about this particular TIH chemical; it is detectable and obnoxious at concentrations much lower than the lethal concentration in the air. This does mean that most people on the periphery of an ammonia cloud will be self-alerted to the danger so that they can undertake evacuation efforts.

One of the reasons that there have been fewer deaths from large scale accidents with anhydrous ammonia as compared to chlorine gas (another industrial scale TIH chemical) is that anhydrous ammonia is lighter than air so it generally rises above ground level in a release. Chlorine gas is about twice as heavy as air so that it hugs the ground.

You have to be careful about that word ‘generally’; there are all sorts of things that can affect the rate of ascent of the gas cloud, including air temperature profiles, the amount of humidity in the air and the wind speed in the area. And, of course, if the gas cloud is inside a building, all bets are off. Even if the bulk of the release cloud rises above ground level, air mixing is sure to keep non-lethal ammonia concentrations over a wide swath of down-wind ground, making life miserable for people in the short term.

As the 2009 incident in Swansea, SC, showed, even a gas cloud that is generally rising can cause deaths, and that was from a relatively small volume release. If there is a drastic increase in the amount of anhydrous ammonia used in commerce, the number of accidents can be expected to increase, and I suspect that the accident rate would also increase, since small spills tend to cause personnel to evacuate the area rather than take immediate action to stop the leak.


Anhydrous ammonia is a DHS chemical of interest (COI) for the CFATS program. Any facility that has over 10,000 lbs of anhydrous ammonia on site (about 1800 gallons, a relatively small pressure tank) is required to register with DHS and to submit a Top Screen. The current extended CFATS community includes more than 40,000 facilities that have submitted Top Screens. That number would significantly increase if we replaced oil/gas fired energy producing facilities with anhydrous ammonia fueled facilities.

Once a Top Screen is submitted DHS looks at the potential effects of a release of chemicals like anhydrous ammonia to determine if they are at high-risk for terrorist attack. While DHS will not share the details of their assessment regime for security reasons, it is clear that the more people that would be affected by a release the higher the probability that DHS would declare the facility to be at high-risk. That declaration brings with it the requirement to fully implement the security standards set forth in the CFATS regulations.

Those security measures would seriously add to the cost (capital and operational) of an anhydrous ammonia fueled power generation facility. Coal, oil or natural gas power plants are not currently covered because of their fuels (they may be covered for other chemicals), since coal, oil, and natural gas are not listed COI.

TSA Security

Anhydrous ammonia is specifically listed {§1580.100(b)(2)} in the TSA freight rail security regulations (49 CFR §1580.100 et seq) as a rail security-sensitive material. These materials require special handling by shippers, railroads, and receivers in high-threat urban areas (HTUA).

These special handling requirements, including train speed limits, will also add costs to the use of anhydrous ammonia as a power generation fuel. Again, these costs need to be taken into account in determining the economic viability of this ‘new’ fuel.

Thursday, February 27, 2014

ICS-CERT Reports Two Schneider Advisories

This afternoon the DHS ICS-CERT published advisories on two separate Schneider applications, OPC Factory Server (OFS) and Floating License Manager. It appears that both vulnerabilities were self-reported and mitigations have been provided and communicated to customers.

OFS Advisory

This advisory is for a stack buffer overflow vulnerability. Schneider reports that the vulnerability exists in the C++ sample client supplied with the OFS product line. Schneider included this sample client for illustrative purposes only and does not recommend its use in a production environment. Newer versions of the OFS do not contain this vulnerability and Schneider recommends upgrading to the newer version or removing the sample client.

ICS-CERT reports that a moderately skilled attacker with physical access could exploit this vulnerability to start malicious programs on the system or execute arbitrary code.

Schneider reported this vulnerability to their customers on January 31st, 2014.

Floating License Manager Advisory

This advisory is for an unquoted service path vulnerability in one of the services installed by the Floating License Manager. Schneider reports that when “the executable path of a service contains blanks, attackers can exploit this to start malicious programs as Windows services”. They note that when the service paths in the registry are surrounded by quotes this vulnerability has no effect.

ICS-CERT reports that a moderately skilled attacker can exploit this vulnerability to execute malicious programs. The vulnerability is not reportedly subject to remote exploitation.
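Added here as an illustration, not code from Schneider or ICS-CERT: a small Python audit that flags service ImagePath values with the weakness described above (an unquoted path containing spaces) and lists the locations Windows would try before the intended executable, which are the directories an administrator should confirm are not writable by standard users. The service names and paths in the sample dictionary are constructed; on a Windows host the script reads the live values from the registry via winreg instead.

```python
"""Audit Windows service ImagePath values for the unquoted-path weakness."""
import platform
import re

# Constructed sample ImagePath values (not taken from any real installation)
# covering the cases that matter: unquoted with spaces, quoted, with arguments,
# without spaces, and a driver path using an environment variable.
SAMPLE_IMAGE_PATHS = {
    "LicenseSvc":   r"C:\Program Files\Vendor Tools\License Manager\licsvc.exe",
    "LicenseSvcOK": r'"C:\Program Files\Vendor Tools\License Manager\licsvc.exe"',
    "WithArgs":     r"C:\Program Files\Vendor Tools\agent.exe -service -port 8080",
    "NoSpaces":     r"C:\Windows\System32\svchost.exe -k netsvcs",
    "SysRoot":      r"%SystemRoot%\System32\drivers\acpi.sys",
    "QuotedArgs":   r'"C:\Program Files\Vendor Tools\agent.exe" -service',
}


def executable_from_image_path(image_path: str) -> str:
    """Return the executable portion of an ImagePath string.

    A leading double-quoted token is taken verbatim (the safe form).  For an
    unquoted value the first token ending in an executable extension is taken
    as the program and anything after it as arguments (a heuristic that covers
    the common layouts).
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.*?\.(?:exe|sys|dll|bat|cmd))(?=\s|$)", s, re.IGNORECASE)
    return m.group(1) if m else s


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the executable path is not quoted and contains a space."""
    s = image_path.strip()
    if s.startswith('"'):
        return False  # quoting removes the ambiguity, as the advisory notes
    return " " in executable_from_image_path(s)


def search_candidates(image_path: str) -> list:
    """Paths Windows tries, in order, before reaching the intended executable.

    For C:\\Program Files\\Vendor Tools\\License Manager\\licsvc.exe these are
    C:\\Program.exe, C:\\Program Files\\Vendor.exe and so on.  The parent
    directory of each must not be writable by non-administrators; checking
    those ACLs is the other mitigation besides quoting the path.
    """
    parts = executable_from_image_path(image_path).split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit(image_paths: dict) -> dict:
    """Map each flagged service name to the candidate paths to review."""
    return {name: search_candidates(path)
            for name, path in image_paths.items()
            if is_unquoted_with_spaces(path)}


def read_live_service_paths() -> dict:
    """On Windows, collect ImagePath for every service key under
    HKLM\\SYSTEM\\CurrentControlSet\\Services; return {} elsewhere."""
    if platform.system() != "Windows":
        return {}
    import winreg  # standard library, Windows only
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as services:
        subkey_count = winreg.QueryInfoKey(services)[0]
        for i in range(subkey_count):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name) as svc:
                    value, _ = winreg.QueryValueEx(svc, "ImagePath")
            except OSError:
                continue  # key without an ImagePath value, or access denied
            if isinstance(value, str):
                result[name] = value
    return result


if __name__ == "__main__":
    paths = read_live_service_paths() or SAMPLE_IMAGE_PATHS
    for svc, candidates in audit(paths).items():
        print(f"[!] {svc}: unquoted service path containing spaces")
        for c in candidates:
            print(f"      Windows would try {c} first; verify its directory ACL")
```
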

Schneider first published this vulnerability on January 16th and updated their advisory on January 31st. Customers were notified of the availability of an update via the Schneider Electric Software Update system.


Schneider is to be commended for discovering, fixing and reporting these vulnerabilities. The apparent delay in notifying ICS-CERT of the vulnerabilities is offset by the fact that mitigation methods were made available to their customers while Schneider waited to notify ICS-CERT.

Reader Comment – AWWA Guide Available to Non-members

Kevin Morley, the Security & Preparedness Program Manager for the American Water Works Association, left a nice comment on my post from last week about their control system security guide. He noted that:

“Access to the AWWA guidance and use-case tool do not require membership in AWWA. These resources are freely available to everyone. Access does require creation of a user account, which simply confirms that the user accepts the terms of use.”

This is certainly good news for water systems that are not members of the AWWA. It also means that folks with control systems in other types of critical infrastructure have a tool that can be used to look at their control system security.

There will be very few things in the AWWA tool that are not applicable to other organizations. It might not look at all aspects of control system security for other types of industries, but lacking this kind of detailed guide from anyone else, it would certainly be a good start.

Another DOT Emergency Order on Crude Trains

On Tuesday, the Office of the Secretary of the Department of Transportation issued an emergency order placing additional restrictions on the shipment of crude oil. The order requires

• The proper testing (“conducted with sufficient frequency and quality”) and classification of petroleum products prior to them being offered into transportation; and
• The classification of all bulk crude oil shipments (UN 1267, Petroleum crude oil, 3) as either Packing Group I or II.

Proper Classification

The first requirement deals with the proper classification of hazardous materials. In numerous places in the Code of Federal Regulations there is a requirement that hazardous materials offered for transportation be ‘properly classified’ {see for instance 49 CFR 171.2(e)}. While §173.121 outlines the procedures for testing material to determine to which packing group it belongs, there is no specific requirement in the HMR for each load of material to be physically tested.

The first requirement in this Emergency Order requires that shippers:

“Shall, prior to offering into transportation, ensure that the petroleum products (i.e., petroleum crude oil) is properly tested and classed under current regulations, in accordance with the requirements of 49 CFR parts 172 and 173.”

What is not specifically spelled out here is whether each load of petroleum crude oil in a tank truck or rail car will have to be tested, or if DOT will allow each batch of crude oil from a storage tank, or from a well head to be tested.

No Packing Group III

The current entry for Petroleum Crude Oil in the hazardous materials table (§172.101) allows crude oil to be classified as PG I, II, or III depending on the physical characteristics outlined in §173.121. Removing the option of classifying crude oil as PG III effectively removes the option of using AAR Class 203W and 211W tank cars for the transportation of crude oil; those are tank cars designed for ‘low hazard liquid’ hazardous materials {§284.241}. The use of those cars for PG III materials with a flash point above 100° F is authorized by special provision B1 {172.102(c)(3)}.

Public Notice

I am sure that the railroads were directly notified of this emergency order, but it has not yet been published in the Federal Register, nor is it available on either the Federal Railroad Administration (FRA) or the Pipeline and Hazardous Material Safety Administration (PHMSA) web sites. Even finding it on the DOT web site takes specific searching; it is not prominently listed. It was brought to my attention by a brief article at This is hardly proper public notice.

Wednesday, February 26, 2014

DHS Retrospective Review of Regulations

DHS published a notice in today’s Federal Register (79 FR 10760-10762) seeking public comments on specific existing significant DHS rules. DHS is publishing this notice as part of a review of these rules to determine if there are candidates for modification, streamlining, expansion, or repeal. This review takes place every three years with the last notice appearing in the Federal Register on March 14th, 2011 (76 FR 13526-13528); 63 responses were received for that notice.

Covered Rules

The notice specifies the chapters within the Code of Federal Regulations (CFR) that are being reviewed. The list below adds to that the specific parts of those chapters that might be of specific interest to readers of this blog.

6 CFR Chapter 1 – Homeland Security Regulations
Part 27 – CFATS
Part 29 – Protected critical infrastructure information

33 CFR Chapter I – Coast Guard Regulations
Part 105 – Maritime security - Facilities

46 CFR Chapter I – Coast Guard Regulations
Part 151 – Barges carrying bulk liquid hazardous material cargoes
Part 153 – Ships carrying bulk liquid, liquefied gas, or compressed gas hazardous material cargoes

49 CFR Chapter XII – TSA regulations
Part 1515 – Appeal and waiver of security threat assessments for individuals
Part 1520 – Protection of security sensitive information
Part 1572 – Credentialing and security threat assessments
Part 1580 – Railroad transportation security

Information Requested

The notice provides specific guidance for the types of comments and the details requested in those comments. It also lists 10 specific questions that it would like to see answered in the responses:

(1) Are there regulations that simply make no sense or have become unnecessary, ineffective, or ill advised and, if so, what are they? Are there regulations that can simply be repealed without impairing the Department's regulatory programs and, if so, what are they?
(2) Are there regulations that have become outdated and, if so, how can they be modernized to better accomplish their regulatory objectives?
(3) Are there regulations that are still necessary, but have not operated as well as expected such that a modified, stronger, or slightly different approach is justified?
(4) Does the Department currently collect information that it does not need or effectively use to achieve regulatory objectives?
(5) Are there regulations that are unnecessarily complicated or could be streamlined to achieve regulatory objectives in more efficient ways? If so, how can they be streamlined and/or made less complicated?
(6) Are there regulations that have been overtaken by technological developments? Can new technologies be leveraged to modify, streamline, or do away with existing regulatory requirements?
(7) Are there any Departmental regulations that are not tailored to impose the least burden on society, consistent with achieving the regulatory objectives?
(8) How can the Department best obtain and consider accurate, objective information and data about the costs, burdens, and benefits of existing regulations? Are there existing sources of data the Department can use to evaluate the post-promulgation effects of regulations over time?
(9) Are there regulations that are working well that can be expanded or used as a model to fill gaps in other DHS regulatory programs?
(10) Are there any regulations that create difficulty because of duplication, overlap, or inconsistency of requirements?

Public Comments

Comments may be submitted via the Federal eRulemaking Portal (; Docket # DHS-2014-0006) and should be submitted by March 28th, 2014.

The notice closes by reminding the public that DHS is under no specific obligation to respond to or take action on any of the comments submitted.

OMB Approves Hazard Mitigation Grant ANPRM

Yesterday OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved FEMA’s Hazard Mitigation Grant Program (HMGP) advance notice of proposed rulemaking (ANPRM) ‘consistent with change’. This ANPRM could be published in the Federal Register within the next week or so.

According to the Unified Agenda entry for this rulemaking action FEMA “is seeking public comment on implementing a provision of the Robert T. Stafford Disaster Relief and Emergency Assistance Act regarding State administration of the Hazard Mitigation Grant Program (HMGP)”. This state administration of the grant program is authorized under 42 USC 5170c(c)(2). This provision was added by the 106th Congress (2000; PL 106-390, §204); certainly timely regulations.

Bills Introduced – 02-25-14

Yesterday both the House and Senate were in the Capitol and a total of 27 bills were introduced, one of which might be of specific interest to readers of this blog:

HR 4076 Latest Title: To address shortages and interruptions in the availability of propane and other home heating fuels in the United States, and for other purposes. Sponsor: Rep Shuster, Bill (D,PA)

This bill would extend the 30-day limit on transportation emergencies to allow the DOT Secretary to continue to suspend certain transportation safety regulations to allow for the transportation of propane into areas of the country hit by the current local shortage and low temperatures. Since this was introduced by the Chair of the House Transportation Committee I assume that this will see quick action.

Witness List Announced for HR 4007 Hearing

Yesterday the House Homeland Security Committee web site published the witness list for the Subcommittee legislative hearing of HR 4007, the Chemical Facility Anti-Terrorism Standards Authorization and Accountability Act of 2014. The witnesses include:

• Ms. Durkovich, Assistant Secretary Infrastructure Protection;
• Mr. Stephen L. Caldwell, Director, Homeland Security and Justice, GAO;
• Ms. Marcia Hodges, Chief Inspector, DHS OIG;
• Mr. Clyde Miller, American Chemistry Council;
• Ms. Kate Hampford Donahue, Society of Chemical Manufacturers and Affiliates (SOCMA)
• Ms. Anna Fendley, United Steelworkers

The substitution of Ms. Durkovich for ISCD Director Wulf is unexpected, though he might be sitting at the table with her. She is his boss and would give a little more political weight to the DHS support of the CFATS program.

Mr. Caldwell’s appearance is not unexpected. It does mean that we have another GAO update on the status of the CFATS program. That may provide some interesting insights into how things are improving.

Ms. Fendley has the unenviable responsibility of representing the activist community before this Republican-led panel. She will be advocating that the proposed revisions to the CFATS authorization don’t go far enough in advocating for worker participation or inherently safer technology. She will be politely ignored by the Republicans and offered token questions from the Democrats.

Tuesday, February 25, 2014

Busy Day on ICS-CERT Web Site

Today the DHS ICS-CERT published a new advisory for a variety of Schneider Electric applications, posted a year-end review for 2013 and provided belated links to articles about DHS support of the critical infrastructure implementation of the Cybersecurity Framework.

Schneider Advisory

This advisory addresses the exception handling vulnerability that was discovered by Carsten Eiram in CitectSCADA. Schneider subsequently discovered the vulnerability in other applications. Schneider has produced patches for the affected applications, and the CitectSCADA patch was validated by Eiram. The patches also apparently mitigate other undisclosed vulnerabilities in those applications. This advisory was originally released on the US-CERT secure portal.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to execute a DoS attack that would require a system re-start for recovery.

According to the Schneider security page, the fix for this vulnerability was included in the latest security patch (December 16, 2013) for these applications. That vulnerability and its updates were not mentioned by ICS-CERT. The OSVDB site lists two potential vulnerabilities (here and here) that might fit that bill, along with three others (here, here and here) that were not reported by ICS-CERT since the first of the year.

2013 Review

This year-end review is a nice color brochure outlining the activities of ICS-CERT; one that any commercial activity would be proud to see as part of its Annual Report. It outlines any number of interesting statistics like:

• 14 briefings were given to over 750 attendees in various cities throughout the country to assist asset owners and operators in detecting intrusions and developing mitigation strategies (pg 4);
• Nearly 700 infrastructure professionals and law enforcement agents were trained including 11 Advanced Training Sessions to 442 participants (pg 6);
• Over 5,000 Cyber Security Evaluation Tools (CSETs) were distributed and downloaded (pg 7);
• ICS-CERT received and responded to 257 incidents as voluntarily reported by asset owners and industry partners (pg 8);
• The ICS-CERT Vulnerability Team received 187 reports from researchers and vendors that required coordination, testing, analysis, and the publication of information products (pg 9);
• ICS-CERT’s Advanced Analytical Laboratory analyzed data from 73 incidents. Phishing or spear-phishing attacks comprised 21 of the 73. Data from 11 incidents were related to intrusion attempts by an emerging cyber threat actor as part of a larger campaign involving more victims (pg 9);
• ICS-CERT conducted 72 onsite cybersecurity assessments across the US critical infrastructure sectors (pg 12);

Interestingly, according to a pie chart on page 13 there were no ICS-CERT incident responses involving the chemical sector.

BTW: A comparison chart for the last three years provided on page 16 shows that in most metrics reported (8 of 11) ICS-CERT performance was down from previous years.

Oh yes: There may have been actual control system attacks investigated by ICS-CERT last year (it is implied anyway on page 8), but not even general information is provided. Who really needs to know that?

CSF Support

There are two links on the ICS-CERT web page to articles about the DHS Support for the recently published Cybersecurity Framework (CSF). Those articles are:

It is odd that the DHS Critical Infrastructure Cyber Community Voluntary Program features ICS-CERT in a number of places as a go-to agency for helping businesses get started, yet that page is not listed on the ICS-CERT site, nor is there any specific information on the ICS-CERT site explaining their support for this ‘vital’ DHS support program. I’m not sure if this says more about the DHS effort in general or the ICS-CERT participation specifically.

PHMSA Pulls Bulk Unloading Rule

Today the DOT’s Pipeline and Hazardous Material Safety Administration published a notice in the Federal Register (79 FR 10461-10465) announcing that it was closing the rulemaking process on its bulk loading and unloading operations rule. That rule was proposed in 2011 based upon recommendations from both the National Transportation Safety Board and the Chemical Safety Board as well as a petition from the Dangerous Goods Advisory Council.

The Proposed Rule

On March 11, 2011 PHMSA published their notice of proposed rulemaking (76 FR 13313). The rule would have specified bulk loading and unloading requirements both for carriers of hazardous materials and for facilities at which those materials were loaded or unloaded to or from cargo tank motor vehicles (CTMV), generally speaking tank wagons.

The carrier responsibilities would have included requirements to:

• Assess the risks of loading and unloading operations and develop written operating procedures;
• Train hazmat employees in the relevant aspects of the operational procedures; and
• Annually qualify hazmat employees who perform loading and unloading operations.

The facility responsibilities would have included requirements to:

• Develop and implement a periodic maintenance schedule to prevent deterioration of equipment and conduct periodic operational tests to ensure that the equipment functions as intended; and
• Ensure that the equipment meets the performance standards in part 178 for specification CTMVs.

I discussed these requirements in more detail in a series of blog posts:

Security Issues; and

Reassessment of Rulemaking

PHMSA notes that it received 44 comments from various organizations and individuals about the provisions of the NPRM and that those comments were generally negative (as is the case with most proposed rules). Those negative comments fell into five general categories:

Scope – Confusion about the applicability of the proposed rule;
Risk Assessment – Concern over the possibility of duplication of efforts by facilities and carriers;
Operating Procedures – Questioned the intent of provisions for the maintenance and testing of transfer equipment within the operating procedure requirements; and
Training and Qualification – Overly burdensome and unnecessary.

PHMSA also considered that existing regulations, including those from OSHA (29 CFR 1910.119) and EPA’s Clean Air Act (General Duty Clause) partially addressed some of the same issues for some classes of chemicals and the PHMSA hazmat employees training rules also could be considered to apply to most bulk loading and unloading situations.

Based upon the above PHMSA conducted a reassessment of the need for this rulemaking and determined that there were additional concerns about the potential effectiveness of the proposed regulations and their enforcement. Those concerns included:

• Redundancy within the hazardous materials regulations (HMR);
• Questions about the lack of potential impact because human error was the source of most incidents;
• Need for a memorandum of understanding with OSHA and EPA about roles and enforcement responsibility in overlapping jurisdictions.

Alternative Actions

In pulling this rulemaking PHMSA is not giving up on resolving the issue of serious accidents related to bulk loading and unloading of hazardous chemicals from CTMVs. The notice reports the following continuing actions that will be taken by the agency:

• Preparation of a Bulk Loading/Unloading guidance document;
• Engaging in a rigorous outreach campaign; and
• Conducting a human factors study.


Personally, I am very disappointed in the short sighted action taken by PHMSA today. I have worked in the chemical industry for over 20 years. I have attended and closely observed hundreds of bulk loadings and unloadings in that time at multiple facilities. Facilities that had the type of programs in place like those suggested in the NPRM were successful in safely loading and unloading some very dangerous chemicals. I can’t recall a single incident at such facilities that was not related to an equipment issue on the truck side of the operation.

I have seen facilities that did not have the assessment and training programs in place conduct some very unsafe practices that resulted in hazardous material spills and personnel injuries. While most chemical drivers, particularly hazmat drivers, are professional and well trained some of the worst mistakes that I have seen perpetrated were made by truck drivers. And in each case those mistakes were due to lack of training and inexperience.

PHMSA’s claim that regulatory redundancy is part of the reason that this rulemaking is being withdrawn ignores the fact that accidents continue to happen with great regularity with these other regulations in place. Obviously these other regulations are lacking in effectiveness. Neither the OSHA nor the EPA regulations have any specificity in dealing with bulk loading or unloading operations, as those agencies are not transportation regulators, and bulk chemical transfers of this sort are inherently transportation related activities conducted by personnel that operate under the purview of the HMR. The proposed rule’s limitation of its coverage to operations on the vehicle side of the first fixed valve makes that clear.

And finally the claim that the regulations would be ineffective because most of the bulk transfer accidents have been related to human error is ludicrous. The only way to reduce human error is to conduct training and reinforce that training with periodic performance assessments. That was the main point of the proposed rule. Any complaint that that type of requirement was too burdensome borders on criminal negligence and should be rejected out of hand.

By this action today, PHMSA is ensuring that transportation related bulk transfer accidents and incidents will continue unabated. So much for being concerned with transportation safety; PHMSA has abdicated their responsibility.

Monday, February 24, 2014

CFATS Fact Sheet – February 2014

I just got an email from a contact at DHS that provided me with the link to the February 2014 CFATS Fact Sheet. It is not yet available on either Critical Infrastructure: Chemical Security [NOTE: As of 4:30 pm CST, 2-24-14, it is on this page] web page or on the CFATS Knowledge Center.

The important numbers as of February 1st (numbers as of January 1st in parentheses):

• CFATS Covered Facilities – 4,266 (4,266)
• Security Plans Authorized – 1,389 (986)
• Security Plans Approved – 506 (417)

Table 1 below shows the overall number of authorized and approved Site Security Plans for each month since ISCD began publishing monthly numbers.

Table 1: Total Authorized and Approved SSPs

Table 2 shows the average daily rate authorizations and approvals for the periods in question.

Table 2: Daily Average Authorized/Approved

As I mentioned this weekend, I expect that the February numbers were published early to be in time for Thursday’s House hearing on HR 4007. If the numbers continue to improve like these latest figures show, some of the heat will be off of Director Wulf at that hearing.

30 Day CFATS PSP ICR – Remote Access

This is part of an ongoing series of blog posts about the 30-day information collection request (ICR) recently published in the Federal Register by DHS. This ICR would support the long overdue personnel surety program requirements for the Chemical Facility Anti-Terrorism Standards (CFATS) program. Earlier posts in the series include:

Since control systems, security systems and business networks will likely be on the list of critical assets for most facilities (depending on which DHS chemicals of interest – COI – are present), personnel with access to these systems will almost certainly require vetting under the site personnel surety plan, as it is difficult to imagine when such access would not be considered unaccompanied.

Remote System Maintenance

Most complex cyber systems (which certainly includes control systems) now come with the option for remote system maintenance support. CFATS covered facilities that utilize such options have an obligation to ensure that the vendor’s personnel who have such access are properly vetted under the facility’s PSP. This would appear to be another instance where the background check agency provisions (discussed in the last post in the series) of the ICR would come into play.

Since there is no way that the facility will actually know which individual is remotely accessing the facility’s computer systems there will have to be some shifting of responsibility to the vendor. This would have to be done through some formal document like a memorandum of understanding and this would have to be included in the facility’s site security plan so that ISCD could review the provisions as part of the SSP authorization and approval process. This would also mean that changes in vendors would have to be reported to ISCD as part of the ‘material change’ provisions of §27.210(d), §27.215(d) or §27.225(d)(2).

Remote Monitoring

Many facilities will opt for the use of off-site security monitoring programs. Since such monitoring programs will be a significant part of the security apparatus for the facility, they will certainly fall under the critical area rule requiring vetting under RBPS #12. Again, the vendor providing such services would most likely fall under the Background Check Agency provisions described earlier, and there would have to be some formal document in the site security plan outlining the vendor’s responsibility for conducting the vetting.

Sunday, February 23, 2014

HR 4034 Introduced – WMD

As I noted almost two weeks ago Rep. Pascrell (D,NJ) introduced HR 4034, the WMD Prevention and Preparedness Act of 2014. This bill is nearly identical to the version of HR 2356 reported out of the House Homeland Security Committee in the last session of Congress and very similar to HR 5057 from the 111th Congress.

As has been usual for these bills, the focus is on biosecurity issues not chemical issues. There are some provisions that mention chemicals and could be interpreted to cover both accidental and deliberate releases, but those provisions still mainly refer to biosecurity not chemical security.

Neither the Senate nor the House has been able to move a bill to the floor even though it has been a high-priority for the respective chairs of those committees. Being introduced this late in the session, there is a very low likelihood that the bill will be considered on the floor of the House.

Congressional Hearings – Week of 2-23-14

The House and Senate return from their President’s Day recess this week and there are three congressional hearings slated that might be of specific interest to readers of this blog. They deal with CFATS, rail transportation safety, and the new DHS Secretary.

DHS Secretary

The new DHS Secretary, Jeh Johnson, has been traveling around the country learning all about the various agencies that report to him. This week he will be traveling to Capitol Hill to talk to the House Homeland Security Committee on Wednesday. This will be a high-level discussion about a wide range of issues with very little in the way of specifics mentioned. Cybersecurity will certainly come up and perhaps chemical security, but only because of the President’s Improving Chemical Facility Safety and Security Executive Order.

Rail Transportation Safety

The House Transportation Committee will hold an oversight hearing on passenger and freight rail safety. According to the Staff memo about the subject matter, there will be two topics of chemical safety interest: a review of Positive Train Control implementation, and the ever popular crude oil train problem. The witness list includes:

• Administrator Szabo, Federal Railroad Administration;
• Administrator Quarterman, Pipeline and Hazardous Materials Safety Administration;
• Mr. Sumwalt, Member, National Transportation Safety Board;
• Mr. Tolman, Vice President & National Legislative Representative, Brotherhood of Locomotive Engineers and Trainmen;
• Mr. Gerard, President and Chief Executive Officer, American Petroleum Institute;
• Mr. Melaniphy, President, American Public Transportation Association; and
• Mr. Hamberger, President and Chief Executive Officer, Association of American Railroads.

This is a very large committee and members will be dropping in and leaving like it was a train station. This means that there will be a lot of repetitive questions and no one will apparently be listening to the answers. I hope the witnesses have taken their valium.

CFATS Hearing

On Thursday the Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee of the House Homeland Security Committee will be holding a legislative hearing on HR 4007, a bill that would more formally authorize the current CFATS program. There is not a witness list published yet, but the first witness will almost certainly be ISCD Director Wulf followed by the standard industry and activist witnesses. I would not be surprised to see another GAO CFATS report released.

As we have come to expect over the last year and a half there will be hard questions asked about the implementation of CFATS. Two topics that will surely come up will be site security plan implementation and the personnel surety program.

On the Floor

There is no legislation currently planned to come to the floor of the House or Senate that will be of specific interest to readers of this blog. That can certainly change, particularly in the Senate.

Saturday, February 22, 2014

CSF - Control System Security and CFATS

Yesterday I wrote a post describing a new process control system security program developed for the Water Sector. The program is broadly based upon the recently published NIST Cybersecurity Framework (CSF). Since large portions of the Water Sector are federally regulated (usually under State supervision) it was to be expected that an attempt would be made to incorporate the CSF into the loose regulatory scheme for drinking water security.

Chemical facilities covered under the CFATS program might also be expected to face the inclusion of a CSF based cybersecurity program under the terms of §10 of the President’s Executive Order on Improving Critical Infrastructure Cybersecurity (EO 13636). Risk-Based Performance Standard #8 (RBPS #8) of the CFATS regulations {6 CFR §27.230(a)(8)} already governs cybersecurity at covered facilities and requires that those facilities:

Deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS), critical business system, and other sensitive computerized systems;

Thus it would appear that DHS, through the Infrastructure Security Compliance Division (ISCD) of the National Protection and Programs Directorate (NPPD), has the requisite “clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure.”

Furthermore, the non-directive nature and the lack of specificity found in the CSF would mesh well with the CFATS program’s congressional mandate to allow covered facilities the widest latitude in developing security procedures and processes that would achieve the broad requirements of the RBPS.

The CFATS program already has an RBPS Guidance document that was adopted through a formal publication and public comment process. It provides very broad, non-specific guidance on all 18 of the separate RBPS that govern the CFATS security processes. It contains 9 pages (pgs 71 – 81) of broadly written guidance on what the facility’s site security plan must cover with respect to cyber security. Those pages include nearly four pages of vaguely worded metrics that may be keyed to the (Risk) Tier ranking of the facility. An example is given below.

Metric 8.2.5 – Password Management - The facility has documented and enforces authentication methods (including password structures) for all administrative and user accounts. Additionally, the facility changes all default passwords and ensures that default passwords for new software, hardware, etc., are changed upon installation. In instances where changing default passwords is not technically feasible (e.g., a control system with a hard-coded password), the facility has implemented appropriate compensating security controls (e.g., physical controls).

Appendix C (pgs 162 – 173) includes another discussion of cybersecurity and how it impacts some of the other RBPS. That discussion also includes a listing of cybersecurity references similar to those found in the CSF. The RBPS reference list is not keyed to allow the facility to determine what areas of what standard apply to which parts of their cybersecurity program.

CSF Style Cybersecurity Guidance

A cybersecurity guidance tool like that developed for the Water Sector would fit in very nicely with the CFATS general security program. It would provide a general discussion of the various details that should make up a cybersecurity program and provide specific references that could be expected to provide more detailed information about that specific portion of the program.

The CFATS cybersecurity program is targeted not so much at protecting information as it is designed to protect access to and control of chemicals. Thus most of the systems covered are control systems, though some of the order placement and tracking systems could be a CFATS concern if the facility were regularly shipping covered DHS chemicals of interest (COI). Additionally any automated security systems, including video detection, security alarms and chemical release mitigation systems would also require protection under the CFATS site security plan.

The CFATS program already has a series of on-line tools that it uses in administering the evaluation of the implementation of the site security plans as well as the administrative aspects of the program. This Chemical Security Assessment Tool, CSAT, could easily be expanded to include a cybersecurity tool.

CFATS Cybersecurity Framework Tool

The Cybersecurity Framework Tool (CSFT) would encompass three closely related cybersecurity tasks:

• Define and catalogue those components of the facility computer based systems that would have direct impacts on the security of the chemicals of interest made, used or stored at the facility;
• Provide a reference based description of the security measures that would be necessary to protect those cyber assets; and
• Provide a method for recording the security activities that the facility has taken and plans to take to protect the security of their chemical security related cyber assets.

CSFT and the Security Vulnerability Assessment

ISCD makes a preliminary determination that a facility is at high risk of terrorist attack based upon the initial information provided in the Top Screen, a data submission tool that provides DHS information about the types and quantities of DHS chemicals of interest (COI) stored, used or produced on site and general geophysical information about the facility. Once that preliminary determination is made, ISCD directs the facility to complete a security vulnerability assessment (SVA).

The first portion of the CSFT would become a portion of that SVA. The facility would provide a brief description of the major components of its chemical and security related cyber systems. The tool would be constructed in a similar manner to the way the current SVA tool is designed with a series of questions with multiple choice types of answers and a limited number of fill in the blank responses.

Facilities that had release hazard COI (chemicals that, if released on site in a terrorist attack, could be expected to have serious off-site consequences) would be required to list the types of computer or electronic systems used to monitor or control the movement or physical status of those release COI on site. These would be primarily industrial control systems, but could also include automated safety systems and release detection systems.

Facilities that had theft/diversion hazard COI (chemicals that could be used to make improvised explosive devices (IED) or chemical weapons (CW)) would be required to list the types of computer or electronic systems used to control the inventory and shipping of those chemicals. This would include any security systems used to control access to those chemicals.

All facilities would also be required to provide information about the electronic security systems that were used to monitor the facility or key area perimeters or control facility or key area access.

Once the major cyber components were identified there would be a series of questions about each of those components. Those questions would be designed to solicit the information necessary to determine the Use Cases, similar to those shown in Table 3-1 of the AWWA Process Control System Security Guidance for the Water Sector. Those use cases would be used to determine the level of cybersecurity risk at the facility related to the electronic systems used to control or protect the COI at the facility.

More to Come

This post has gotten a little bit longer than I like, so this seems to be a reasonable stopping point. In future posts in this series I’ll look at how the CSFT can be used as part of the site security plan development, authorization and approval processes for CFATS facilities. I’ll also discuss how DHS can use the provided information to provide specific cybersecurity support to the facility.

ISCD Late Again with CFATS Update

Here we are three-quarters of the way through the month of February and there has still not been a CFATS Fact Sheet update for the site security plan implementation numbers for the month of January (the January CFATS Fact Sheet covers, of course, December). I understand that DHS is in no way obligated to keep the public up-to-date on how well they are overcoming the problems that previously plagued ISCD (just a little touch of sarcasm there, I apologize), but when they started publishing these monthly updates back in April of last year they established an expectation that they would be published in a timely manner.

It will be interesting this week because I expect that we could see two updates published, one for the January data and the other for some portion of February. Or, ISCD could just wait until Wednesday to publish the combined data for the two months.

The reason for an early publishing of the February data? I expect that Director Wulf will probably be making a trip to Capitol Hill for a hearing on HR 4007 on Thursday. I’ll have more information on that hearing in my weekly congressional hearing blog post.

FRA Sends PTC Rule to OMB

On Friday OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a draft of a final rule from the DOT’s Federal Railroad Administration for the modification of the current regulations on the use of Positive Train Control.

According to the Unified Agenda information on this rulemaking this proposed regulation “would revise Positive Train Control regulations by defining the de minimis exception and en route failures, proposing exceptions relating to yard movements that may not be considered on the main line system, and amending regulations governing grade crossing and signal and train control systems”. This rulemaking was initiated based upon a petition submitted by the Association of American Railroads.

The notice of proposed rulemaking (NPRM) on this proposal was published in December of 2012 and only received eleven comments. The most serious objections came from:


It will probably be months before OIRA approves the draft for publication in the Federal Register.

Friday, February 21, 2014

30 Day CFATS PSP ICR – Background Check Agency

This is part of an ongoing series of blog posts about the recently published 30-day information collection request (ICR) published in the Federal Register by DHS. This ICR would support the long overdue personnel surety program requirements for the Chemical Facility Anti-Terrorism Standards (CFATS) program. Earlier posts in the series include:

In the previous post in the series I briefly discussed the role of background check agencies in the PSP process as described (in passing) in the ICR. A reader asked me to expand on the idea, so in this post I’ll take a more detailed look at how BGCAs will fit into the PSP processes.


One of the major problems that many commenters have had with the PSP process outlined in the ICR is the issue of visitors being vetted 48 hours before they are given unescorted access to the facility. There are a large number of folks that periodically visit chemical facilities to provide a wide variety of services. Some of these personnel are asked in on extremely short notice to provide high value services.

While the facility could get around the PSP vetting rules by providing vetted escorts for these visitors, this is frequently not a realistic option given the limited number of personnel working at many of these facilities. Relying on the escort provisions of the vetting rules would, in many cases, result in an escort in name only, and facility managers are smart enough to realize this before the situation arises.

Organizations that routinely provide these types of services could register with the folks at DHS as a sort of BGCA. The PII for their field support personnel would be entered into the PSP tool and would be linked with all of the covered chemical facilities that they had support contracts with. When the vendor linked an employee’s information to a covered facility, that facility would be notified by ISCD that the vetting information had been provided to DHS.

In the event that one of the employees at one of these vendors had to be assigned to a new facility on short notice, it would not be a problem as long as their PII had already been submitted to ISCD. As long as there was enough time for ISCD to notify the facility that the person’s information had been submitted, the visitor would be properly vetted.

Facilities would have to have some way to identify these individuals when they arrived at the facility gate. This process could easily be established by the vendor emailing a copy of their employee’s corporate ID to the facility security manager in advance of the visitor’s arrival. This information could be provided to the gate personnel as part of a daily expected visitors list. Checking the identification against that list would provide the means for closing the loop on the vetting process.

Truck Drivers

Most chemical facilities see a daily parade of local and long haul truck drivers picking up and delivering materials at the facility. In many cases it is not possible to keep those trucks away from critical areas of the facility and it is typically going to be difficult to provide an escort for a truck moving through the facility.

A large number of truck drivers have already been vetted for their Hazardous Materials Endorsement (HME) or a Transportation Workers Identification Credential (TWIC). For reasons that I discussed in the ‘Three Options’ blog in this series, ISCD is still requiring a PII submission on these folks to ensure that credential vetting is up-to-date. An alternative method is provided for the TWIC folks; no data submission is required if their TWIC is periodically validated by a TWIC Reader or checked against the Canceled Card List (CCL) and the Certificate Revocation List (CRL).

Plants fully realize that they will not be able to do the required PII submissions when a truck driver shows up at their gate. The facilities will get around this by requiring all delivery companies to ensure that their drivers have been vetted against the CFATS PSP before they will be allowed to deliver or pick up loads at the facility. Maritime Transportation Security Act (MTSA) covered facilities are already using that tactic by requiring drivers to have TWICs for similar reasons.

Trucking companies that routinely service MTSA covered facilities are going to have little problem certifying that their drivers’ TWICs are periodically validated by TWIC Readers. For companies located further from port facilities that certification will be harder to do.

Again, the trucking company could set itself up in the CFATS PSP tool as a BGCA and register their drivers. HME and TWIC holders would be entered in one portion of the tool and the remainder of the drivers in the other portion. Those registered drivers would be linked to the facilities to which they would be expected to deliver. For driver changes, all that would be necessary would be for there to be enough time for ISCD to notify the facility that the driver’s PII had been submitted.

And again, there would have to be some way to close the loop by adequately identifying the driver to the facility. This would be accomplished in the same way that I described in the Visitors section above.


Contractor is kind of an undefined term used in the ICR and the CFATS regulations. Generally speaking there are two groups of people that fit into this category. One is a large company that provides a variety of direct services to the facility under a blanket contract. These folks will almost certainly want to avail themselves of the BGCA provisions to get their people vetted. Many of these people will be moved from facility to facility as needs change so it would provide a lot more versatility to the organization if they would not have to go through a new vetting process every time they were moved.

The second kind of contractor is usually a professional that is hired individually on a contract basis for providing a specific service for a specific amount of time. The longer the expected period of the service, the more likely it will be that the individual facility will handle the vetting process. For those individuals that move between facilities more frequently, it may be worthwhile to find a BGCA that provides CFATS PSP vetting services and pay them to submit their PII. In other cases it may be more appropriate for the individual contractor to handle those BGCA activities on their own.

Site Security Plan

ISCD has made clear in the ICR discussions that they intend to provide a certain amount of creative leeway for facilities to tailor the PSP program to their situation. This means that if a facility intends to allow the use of a BGCA to vet the various non-employees that periodically show up at the facility gates to work then there will have to be a decent description of how that second-party vetting process would be conducted.

ISCD also reminds folks fairly frequently in the ICR discussion that the DHS vetting against the TSDB is only one portion of the background check requirements outlined in the personnel surety Risk-Based Performance Standard. The CFATS regulations (6 CFR §27.230(12)) outline three additional types of background checks that need to be done as part of the facility PSP. Those are:

• Measures designed to verify and validate identity;
• Measures designed to check criminal history; and
• Measures designed to verify and validate legal authorization to work.

The first and last of those requirements are fairly straightforward and are outlined in more general labor regulations. The second provides the facility management with a lot more leeway in what is determined to be acceptable findings in the individual’s criminal history. Which criminal offenses, and how much time since completion of any jail time for those offenses, are deemed to be disqualifying is up to the facility management.

When a facility uses a BGCA to vet some or all of their employees, there need to be clear rules spelled out for that BGCA to make those criminal history assessments. This is particularly true when non-employee vetting is being done by someone different than whoever does the employee vetting. It would seem to be prudent to have a standard Memorandum of Understanding with each vendor, contractor or trucking company that will be serving as its own BGCA that outlines the acceptable criminal background that the facility will allow as part of its Site Security Plan.

Control System Security Guide

There is an interesting blog post by Bridget O'Grady over at about a new control system security program being introduced by the American Water Works Association (AWWA). Based at least in part on the recently published Cybersecurity Framework (CSF), this voluntary program for water treatment facilities looks like an interesting attempt at making the CSF usable.

There are two main components of this program, a Cybersecurity Guide and an on-line Cybersecurity Guidance Tool. Unfortunately for most readers of this blog, the tool is only accessible to members of the AWWA.

Cybersecurity Guide

There are three main parts to the publicly available guide:

• Recommended Cybersecurity Practices;
• Cybersecurity Guidance Tool; and
• Cross Reference to NIST Cybersecurity Framework

The recommended practices section gives an overview of the broad sweep of cybersecurity practices, including definitions of some key terms. It addresses twelve important areas of cybersecurity:

• Governance and risk management;
• Business continuity and disaster recovery;
• Server and workstation hardening;
• Access control;
• Application security;
• Encryption;
• Telecommunications, network security and architecture;
• Physical security of PCS equipment;
• Service level agreements;
• Operations security;
• Education; and
• Personnel Security

Table 2-1 in the Guide provides a slightly more detailed listing of the various components of the above listed categories. All of this is written in the broadest language and is hardware and software non-specific. While some of the wording used applies specifically to water treatment systems, there is nothing here that could not generally be applied to any industrial control system.

Cybersecurity Guidance Tool

While the tool itself is not available to the public, there is a good description of how the tool works and how to use it in the Guide. It employs a check-list type approach to allow a facility to describe its control system. For example, under system architecture there are three check boxes (and more than one box can be checked):

AR1: Dedicated network: All network and communications infrastructure is dedicated exclusively to SCADA. No connections to enterprise networks.

AR2: Shared WAN: Wide-area network communications infrastructure is shared (controls: physical (media) separation, VPN, VLAN, firewall).

AR3: Shared LAN: Local-area network communications (within facility) is shared (controls: VLAN, firewall).

Each of these selected boxes is described as a Use Case. Once the system architecture is described, the tool provides a list of Recommended Controls for each of the selected Use Cases. Readers who are familiar with the CSF will recognize the general format of these Recommended Controls as it references back to various established standards using both the standards listed in the CSF and some additional standards more directly applicable to control systems (DHS DID: DHS Recommended Practice: Improving Industrial Control Systems Cyber Security with Defense-In-Depth Strategies) or water treatment facilities (ANSI/AWWA G430-09: Security Practices for Operations and Management).

The Recommended Controls are provided in four different priority levels, starting with the minimum accepted levels of security for SCADA/PCS (Priority 1 Controls) and ramping up to the most complex controls that are targeted at preventing the most sophisticated attacks (Priority 4 Controls). The description of the use of these various priority levels seems to be aimed more at implementation.

Cross Reference to CSF

Appendix A provides a tabular cross reference of these suggested security controls back to the Appendix A table in the CSF. Unfortunately they used the August 28th, 2013 draft version of the CSF for their table so it does not exactly match up with the table in the final version of the CSF. Given that this was published within a week of the final version of the CSF I can understand why this choice was made. It would have been nice, however, if the authors had been able to access a more up-to-date version of this table, but such is life.


This actually looks like a very useable process and the AWWA is to be commended, not only on the thoroughness of the effort, but on the speed with which it was done. They obviously relied on a lot of the public work that was done by NIST during the development of the CSF.

There is one slightly negative thing that I do have to say about this effort. This program is a management program not a technical program. It is a valuable tool to provide management with a set of techniques to oversee the establishment and maintenance of a control system cybersecurity program. It is not, however, an actual guide on how to secure a specific control system.

Granted, it would not be possible to write a single usable document covering the security of the wide variety of control systems in use, even in the relatively limited area of water treatment. But management must realize that they are still going to have to rely on the judgment and skills of their control system staffs and contractors to actually put the controls into place and make them work on a day-to-day basis. And if management is not willing to ensure that those employees and contractors have the necessary skills and tools to accomplish those tasks, no level of ‘compliance’ with a tool such as this will provide any kind of cybersecurity for their organization.

Thursday, February 20, 2014

ICS-CERT Publishes 4 Advisories

Today the DHS ICS-CERT published four advisories for vulnerabilities in control systems. Three were product specific for systems from Siemens, Mitsubishi and Iconics. One was for an open source protocol used by multiple vendors. Two of the advisories were initiated by ICS-CERT, one by a team of Malaysian researchers in a coordinated disclosure, and one by an anonymous researcher in an uncoordinated disclosure.

Iconics Advisory

This advisory was initiated by ICS-CERT (needless to say in a coordinated disclosure) after discovering the vulnerability during an investigation concerning an unrelated product. This is an insecure ActiveX vulnerability in the GENESIS32 system. Interestingly the advisory never states that Iconics has produced a patch or upgrade for this vulnerability.

ICS-CERT reports that a moderately skilled attacker could exploit this vulnerability remotely, but the nature of the vulnerability would require an authorized user to visit a specially crafted web site first. A successful exploitation could lead to the execution of arbitrary code.

An Iconics security document (that lists all 8 ICS-CERT Iconics’ advisories) reports that a patch has been developed and ICS-CERT is in the process of validating its efficacy. It also notes that the IcoLaunch.dll can be accessed via command line.

Mitsubishi Advisory

This advisory is also about an ActiveX vulnerability, this time in the McWorX application. The uncoordinated disclosure by Blake, which included proof-of-concept code, was reported in an earlier ICS-CERT Alert. A patch is available for the affected version and newer versions do not include this vulnerability.

ICS-CERT reports that a moderately skilled attacker could use the publicly available exploit code to remotely exploit this vulnerability to execute arbitrary code.

The Mitsubishi patch download page explains that the patch loads a new version of IcoLaunch.dll, the same file that was a problem in the Iconics vulnerability. It would seem that ICS-CERT discovered the Iconics vulnerability while investigating the Mitsubishi vulnerability. It makes me wonder what other vendor has used the same vulnerable version of IcoLaunch.dll in their product.

Mitsubishi also notes that the patch removes some functionality from the McWorX application. They report that they will work with individual customers to restore that functionality if necessary.

Siemens Advisory

Those of you who follow @SCADAHacker, @DigitalBond, or me on Twitter® will already have heard a discussion about this vulnerability, as the Siemens ProductCERT published their alert early Tuesday morning (US time). This advisory reports an uncontrolled resource consumption vulnerability in RuggedCom ROS devices. The vulnerability was discovered by Ling Toh Koh, Ng Yi Teng, Seyed Dawood Sajjadi Torshizi, Ryan Lee, and Ho Ping Hou of EV-Dynamic, Malaysia.

ICS-CERT reports that a skilled attacker could remotely exploit this vulnerability to execute a DoS attack that would disable switching functionality until a cold reboot was executed. Siemens has developed a patch for one of the affected versions and continues to work on the others. ICS-CERT will update this advisory as Siemens produces the other patches.

Siemens is to be congratulated on their early public disclosure of this vulnerability even as much as ICS-CERT is to be castigated for their delay in their conveying this advisory to the US public.

NTP Reflection Advisory

This advisory is more than a little unusual. The vulnerability, susceptibility to DoS attacks staged using Network Time Protocol (NTP) Reflection, has apparently been exploited for some period of time. And the vulnerability is not found in a single device or application, but rather in any number of products using the NTP service.

ICS-CERT reports that a low skilled attacker ‘would be able’ to remotely exploit this vulnerability using publicly available ‘exploits’ to execute DoS attacks on various control systems. They go on to report that an upgrade that mitigates this vulnerability has been available since 2010.

I don’t know which is scarier: the fact that this vulnerability remains uncorrected in so many systems that ICS-CERT was finally forced to report it, or the fact that it has taken almost four years for ICS-CERT to finally report it.
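NTP reflection is easiest to spot at the reflector itself, because a legitimate NTP exchange is byte-symmetric (a 48-byte client request answered by a 48-byte server reply), while an abused server sends far more UDP/123 data to the spoofed victim address than it receives from it. The following added example (my own code, not anything from the advisory or a vendor) runs that check over constructed, simplified netflow-style records; the documentation addresses, record format and thresholds are assumptions.

```python
"""
Added example: flag local NTP servers that are acting as reflectors.

A server being abused for NTP reflection shows small inbound UDP/123
packets (source spoofed to the victim) answered by a much larger volume
of outbound data to that same address.  The flow format below is a
constructed, simplified netflow-style export, not any product's format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

NTP_PORT = 123
RATIO_THRESHOLD = 10.0   # outbound/inbound byte ratio considered suspicious (assumed)
MIN_OUT_BYTES = 10_000   # ignore tiny conversations (assumed)


@dataclass
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    pkts: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: ts src sport dst dport proto bytes packets."""
    ts, src, sport, dst, dport, proto, nbytes, pkts = line.split()
    return Flow(ts, src, int(sport), dst, int(dport), proto, int(nbytes), int(pkts))


def _is_local(ip: str, local_nets: Tuple[str, ...]) -> bool:
    """True when the address starts with one of our own network prefixes."""
    return ip.startswith(local_nets)


def find_reflectors(lines: Iterable[str],
                    local_nets: Tuple[str, ...] = ("192.0.2.",)
                    ) -> Dict[Tuple[str, str], Tuple[int, int, float]]:
    """Return {(local_ntp_server, remote_host): (in_bytes, out_bytes, ratio)}
    for every pair where our server sent far more UDP/123 data than it received.

    local_nets holds prefixes of the networks we operate (a documentation
    range here); only flows where the local side uses port 123 are counted.
    """
    inbound: Dict[Tuple[str, str], int] = defaultdict(int)
    outbound: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f.proto != "UDP":
            continue
        if _is_local(f.src, local_nets) and f.sport == NTP_PORT \
                and not _is_local(f.dst, local_nets):
            outbound[(f.src, f.dst)] += f.nbytes          # server -> remote
        elif _is_local(f.dst, local_nets) and f.dport == NTP_PORT \
                and not _is_local(f.src, local_nets):
            inbound[(f.dst, f.src)] += f.nbytes           # remote -> server
    suspicious: Dict[Tuple[str, str], Tuple[int, int, float]] = {}
    for key, out_b in outbound.items():
        in_b = inbound.get(key, 0)
        # Replies with no matching requests at all are the worst case.
        ratio = out_b / in_b if in_b else float("inf")
        if out_b >= MIN_OUT_BYTES and ratio >= RATIO_THRESHOLD:
            suspicious[key] = (in_b, out_b, ratio)
    return suspicious


# Constructed sample: one legitimate client (symmetric 76-byte packets,
# 48-byte NTP payload plus headers) and one reflection victim.
SAMPLE_FLOWS = """\
# ts                  src           sport dst           dport proto bytes   pkts
2014-02-20T10:00:00 198.51.100.7  40000 192.0.2.10    123   UDP   76      1
2014-02-20T10:00:00 192.0.2.10    123   198.51.100.7  40000 UDP   76      1
2014-02-20T10:01:00 203.0.113.5   123   192.0.2.10    123   UDP   7200    200
2014-02-20T10:01:00 192.0.2.10    123   203.0.113.5   123   UDP   9600000 20000
"""

if __name__ == "__main__":
    hits = find_reflectors(SAMPLE_FLOWS.splitlines())
    for (server, victim), (in_b, out_b, ratio) in hits.items():
        print(f"{server} -> {victim}: in={in_b}B out={out_b}B ratio={ratio:.0f}x")
```

A hit means the local server is answering queries it should not be answering; the fix is the vendor upgrade the advisory points to, or restricting the service so it only answers time requests.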