Monday, March 31, 2014

Homeland Security Committee Announces HR 4007 Markup Hearing

The House Homeland Security Committee announced this morning that their Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee will be holding a markup hearing Thursday for HR 4007, the Chemical Facility Anti-Terrorism Standards Program Authorization and Accountability Act of 2014.

No details are available yet, but Rep. Meehan (R,PA) will be offering an amendment in the form of a substitute. Any additional amendments will be made to that language.

It will be interesting to see if the staff has worked out a compromise on the two issues that have kept the Republicans and Democrats on the opposite sides of the fence on the CFATS issue. I expect that we will see some sort of IST amendment and a worker participation amendment offered by Rep. Clarke (D,NY). If either of those amendments gets Republican support then there is a chance that this bill could actually get considered in the Senate. Passage in the House is not a big issue.

I refer readers back to my proposed IST compromise language.

OSHA PSM and Emergency Response Planning

This is part of a continuing look at the public comments that have been posted to the docket for the OSHA Process Safety Management program advance notice of proposed rulemaking. Earlier posts in the series include:

In Saturday’s post I mentioned that a “commenter noted that natural gas transmission and distribution facilities are already required to maintain close coordination with local emergency response authorities under 49 CFR 192.615”. That comment by the American Gas Association (AGA) points to one of the few places in Federal Regulations that provides specific requirements for the type and scope of emergency planning that must be undertaken by a chemical facility. As such, I thought that it would be a good idea to look at those requirements in some detail.

Emergency Planning

Section 192.615 outlines the requirements that every gas pipeline operator must adhere to for the establishment of emergency plans. Subparagraph (a) outlines the requirements for establishing a written plan for responding to gas pipeline emergencies. Subparagraph (b) establishes the requirements for communicating that plan to the employees of the gas pipeline operator. And subparagraph (c) addresses the requirements for coordinating with police, fire and other public officials.

Written Plan

Subparagraph (a) requires each operator to “establish written procedures to minimize the hazard resulting from a gas pipeline emergency”. The plan must address:

• Receiving, identifying, and classifying notices of events which require immediate response by the operator;
• Establishing and maintaining adequate means of communication with appropriate fire, police, and other public officials;
• Prompt and effective response to a notice of each type of emergency;
• The availability of personnel, equipment, tools, and materials, as needed at the scene of an emergency;
• Actions directed toward protecting people first and then property;
• Emergency shutdown and pressure reduction in any section of the operator’s pipeline system necessary to minimize hazards to life or property;
• Making safe any actual or potential hazard to life or property;
• Notifying appropriate fire, police, and other public officials of gas pipeline emergencies and coordinating with them both planned responses and actual responses during an emergency;
• Safely restoring any service outage;
• Beginning incident investigations under §192.617, if applicable, as soon after the end of the emergency as possible; and
• Actions required to be taken by a controller during an emergency in accordance with control room management regulations under §192.631.

Now the scope of the pipeline emergency plan may be a bit more expansive than one would expect to see at more typical chemical facilities. This is inherent in the fact that by their very nature, gas pipelines are mainly off-site facilities. Many of them run through or near inhabited areas which may significantly expand the scope of a gas pipeline incident.

This is further reflected in 192.615(a)(3) which defines the types of emergencies for which the pipeline written plan must provide a ‘prompt and effective response’. The four specific emergencies specified are:

• Gas detected inside or near a building;
• Fire located near or directly involving a pipeline facility;
• Explosion occurring near or directly involving a pipeline facility; and
• Natural disaster.

Employee Communications

Just having a written plan is not sufficient. This section of the pipeline safety regulations maintains that pipeline operators must share the written plan with their employees in a fairly specific manner. Section 192.615(b) requires operators to:

• Furnish its supervisors who are responsible for emergency action a copy of that portion of the latest edition of the emergency procedures;
• Train the appropriate operating personnel to assure that they are knowledgeable of the emergency procedures and verify that the training is effective; and
• Review employee activities to determine whether the procedures were effectively followed in each emergency.

While it is not specifically mentioned in the subparagraph (b) requirements, the training must not only address what actions must be taken; it also needs to ensure that each of the personnel can identify emergencies at the earliest opportunity and can discriminate between the different types of emergencies to determine which action in the emergency plan should be taken.

The last requirement is often overlooked in emergency planning. After each incident where any portion of the emergency plan is put into operation, an after-action review (AAR) needs to be undertaken to ensure that not only were the employees’ actions correct with respect to the plan requirements, but also that the plan requirements were appropriate to the incident in question.

A natural extension of the AAR {again not specifically mentioned in §192.615(b)} is the need to revise the emergency plan based upon the lessons learned in the AAR.

Community Coordination

Since many gas pipeline incidents or accidents can have an immediate and devastating impact on the local community, close coordination between the gas pipeline operator and the local emergency response community is very important. This is reflected in the actions specified in §192.615(c). This subparagraph establishes the requirement for a pipeline operator to “establish and maintain liaison with appropriate fire, police, and other public officials”. This liaison is required in order to:

• Learn the responsibility and resources of each government organization that may respond to a gas pipeline emergency;
• Acquaint the officials with the operator’s ability in responding to a gas pipeline emergency;
• Identify the types of gas pipeline emergencies of which the operator notifies the officials; and
• Plan how the operator and officials can engage in mutual assistance to minimize hazards to life or property.

While the area over which the operator is responsible for coordinating emergency response actions with local officials is much larger than for most chemical facilities because of the length of most gas pipelines, the same reasons for such coordination exist for any facility that houses or produces hazardous chemicals.

OSHA PSM Implications

In considering the current OSHA PSM standard and evaluating how well that standard addresses the requirement for emergency planning and community coordination, OSHA would do well to take a good hard look at §192.615. With very little modification to the wording in this portion of the Pipeline Safety Regulations, OSHA would have a fairly comprehensive set of requirements for PSM covered facilities upon which to base their emergency planning operations.

Sunday, March 30, 2014

HR 4293 and S 2112 Introduced – Pipeline Approval

As I noted earlier Rep Cramer (R,ND) introduced HR 4293, the Natural Gas Gathering Enhancement Act. The bill would amend various Federal laws to make it easier to get timely approvals to run natural gas gathering lines on federal lands. This is a companion bill to S 2112 that was introduced earlier this month by Sen. Barrasso (R,WY).

Congressional Findings

Section 2 of the bill sets out the ‘facts’ that make the passage of this bill necessary. The two key findings are:

• Large quantities of natural gas are lost due to venting and flaring, primarily in areas where natural gas infrastructure has not been developed quickly enough, such as States with large quantities of Federal land and Indian land {§2(2)}; and
• Permitting processes can hinder the development of natural gas infrastructure, such as pipeline lines and gathering lines on Federal land and Indian land {§2(3)}.

General ‘Right-of-way’ Authority

Section 3 of the bill amends 16 USC 79 adding natural gas pipelines as one of the ‘public utilities’ for which the Secretary of the Interior has the authority to permit rights of way through the public lands, forest and other reservations of the United States. Interestingly, while this is a general authority, it also quite specifically applies to “the Yosemite, Sequoia, and General Grant national parks, California”.

NOTE: Someone really needs to re-write this entire section to make it grammatically correct, easier to read and less confusing. For example the way this amendment was crafted would make the section read “…for electrical plants, poles, and lines for the generation and distribution of electrical power for natural gas pipelines [emphasis added],”. This would technically limit the authority for establishing rights-of-way for ‘electrical plants, poles and lines’ to those supporting natural gas pipelines; certainly not the intention of the crafters of the bill.  

Energy Policy Act of 2005

Section 4 of the bill would add two sections to the Energy Policy Act of 2005 (PL 109-58):

§319 Certain natural gas gathering lines located on Federal land and Indian land; and
§1841 Natural gas gathering system assessments.

Section 319 adds the definition of ‘Federal land’ which specifically excludes {§319(a)(2)(B)}:

• Units of the National Park System;
• Units of the National Wildlife Refuge System; or
• Components of the National Wilderness Preservation System.

It also excludes gathering lines from requirements of the National Environmental Policy Act of 1969 if they will be within a field or unit already covered under “an approved land use plan or an environmental document prepared pursuant to the National Environmental Policy Act of 1969 (42 U.S.C. 432 et seq.)” {§319(b)(1)(A)} and will be located “adjacent to an existing disturbed area for the construction of a road or pad” {§319(b)(1)(B)}.

Finally, this new section provides a veto authority to Governors {§319(b)(2)(A)} and Indian Tribes {§319(b)(2)(B)} to prevent the Secretary from establishing rights-of-way on specific lands under their jurisdictions.

Section 1841 would require the Secretary of the Interior to undertake a study on any further actions that can be taken under current Federal laws and regulations to expedite the permitting process for gas gathering lines and associated field compression units. The study would also be required to determine what changes could be made to make the permitting process more expeditious.

Following the completion of the study the Secretary would be required to report to Congress on the findings. The report would also include progress made on expediting the permitting process as required by this proposed legislation.

Permitting Deadlines

Section 5 of this bill would amend 30 USC 185 Rights-of-way for pipelines through Federal lands by adding paragraph (z), Natural gas gathering lines. This would establish the following deadlines for the Secretary to issue “a sundry notice or right-of-way”:

• 30-days for a gas gathering line and field compression unit described in §319(b) of this bill {§185(z)(1)}; and
• 60-days for all other gas gathering lines and associated field compression units {§185(z)(2)}.

Section 6 of this bill would add similar requirements to 43 USC 1764 General requirements (Rights of Way).

Moving Forward

There is nothing in either HR 4293 or S 2112 that would be a significant impediment to their passage. Unfortunately, there is also nothing to commend either bill to expedited handling as they would have little positive effect on most congressional districts. This late in the election cycle there is little chance for either bill to advance unless Cramer and/or Barrasso can attract the favorable attention of the leadership of the Committees given jurisdiction (The Natural Resources and the Agriculture Committees in the House and The Energy and Natural Resources Committee in the Senate). The two-committee assignment in the House makes moving the bill forward even more difficult.

If either (or both) bill makes it out of Committee, the bills would almost certainly be considered on the floor under the abbreviated procedures available for non-controversial bills (Unanimous Consent in the Senate, Under Suspension of the Rules in the House) if the respective leadership could be convinced to bring the bill to the floor.

In a perfect world, I would like to think that environmental groups would get behind these bills since the vented or flared natural gas is a contributor to global warming, but these groups are not going to support anything that makes hydrocarbon drilling more effective.

Congressional Hearings – Week of 3-30-13

Both the House and Senate will be in session this week. Budget and spending matters continue to dominate the hearing schedule, but only one of those will be of specific interest to readers of this blog. There is also a hearing this week on the reauthorization of the Hazardous Materials Regulations.

The table below shows the hearing status of the various agencies of specific interest to readers of this blog and when the hearings on the President’s budget request for them have been or will be held.

The hearing I mentioned above does not fit on this table because it isn’t specifically about the President’s budget. It is related to transportation safety so I’ll discuss it below. Please note that I’ve added ‘NA’ to the Senate side of the hearing table for ‘Defense’; they break out the hearings for defense spending into much smaller pieces so there is no single date that would fit into this block. In the unlikely event that they do a specific cybersecurity defense hearing I’ll replace the NA with that date.

Transportation Safety

The Railroads, Pipelines, and Hazardous Materials Subcommittee of the Senate Transportation and Infrastructure Committee will be holding a hearing looking at “Examining Issues for Hazardous Materials Reauthorization” on Wednesday. By definition chemical transportation safety will be the topic for this hearing.

The witness list includes:

• Cynthia Quarterman, PHMSA;
• William F. Downey, American Trucking Association;
• Thomas E. Schick, American Chemistry Council;
• Stephen Pelkey, American Pyrotechnics Association; and
• Kevin O'Connor, International Association of Fire Fighters.

With the absence of any railroad or petroleum industry witnesses I don’t suspect that the crude oil classification issue will get much discussion, though it will probably be mentioned.

The Transportation, Housing and Urban Development, and Related Agencies Subcommittee of the House Appropriations Committee will be holding an oversight hearing looking at the DOT Modes (FAA, FHA, FRA, FTA, PHMSA, FMCSA and MA). Witnesses will include representatives from each of these agencies.

Chemical Transportation Safety will be one of the topics that will come up with a possible mention of the crude oil train safety issue.

House Floor

The Majority Leader’s web site shows mainly political posturing bills being considered by the House this week, as I would expect to see through the first Tuesday in November. Tuesday will be the day of bipartisanship this week with a number of bills being considered under suspension of the rules. The only bill of specific interest here will be HR 4005, the Coast Guard Authorization bill that I discussed in an earlier post.

Saturday, March 29, 2014

HR 4005 Reported in House – CG Authorization

Earlier this week the House Transportation and Infrastructure Committee published their report on HR 4005, Coast Guard and Maritime Transportation Act of 2014.

Chemical Safety and Security

The Committee did not make any changes to the bill during its markup last month that had anything to do with chemical safety or the Coast Guard’s Maritime Transportation Safety Act (MTSA) responsibilities.

The only provision in the bill dealing, even tangentially, with chemical safety and security is §202. This section deals with the Prevention and Response Workforce, the Coast Guard’s safety and security specialists, both enlisted and officer. The Committee Report describes this section this way:

“This section ensures servicemembers assigned to certain prevention and response jobs have opportunity for career advancement.”

Moving Forward

According to the Majority Leader’s web site HR 4005 will come to the House floor on Tuesday, April 1st. It will be considered under suspension of the rules, so no amendments will be considered. The House leadership certainly expects this bill to pass with wide bipartisan support.

Since there is no Senate version of this bill, it will likely be considered in the Senate before the summer recess. It is remotely possible that there will be no Senate amendments.

Public Comments on OSHA PSM ANPRM – 03-29-14

This is part of a continuing look at the public comments that have been posted to the docket for the OSHA Process Safety Management program advance notice of proposed rulemaking. Earlier posts in the series include:

There is only one day left in the comment period (Monday) and there were only eleven comments posted to the docket in the last week, including another one from yours truly (from last week’s blog) and one from a private citizen. The comments were submitted by:

Many of the same comments seen in earlier comments have been repeated here. I will just address the new information or new points of views detailed in the current set of responses.

Need for New OSHA PSM Regulations

A comment was made that the problems used in the RFI to justify a possible expansion of the OSHA PSM coverage were a better justification for better enforcement of the current PSM requirements.

Oil and Gas Drilling Exemption

One commenter noted that removing the current oil and gas drilling rig exemption would add an additional 4,000 work sites to the list of facilities that an already overburdened inspection force would not be able to get around to. Another commenter noted that there is no clear definition of what might be included; they suggest that production facilities as defined in API Recommended Practice 80 might form a workable definition. A comment was made that the original exemption was put into place with the understanding that a separate OSHA standard would be developed for these activities; that has not occurred. Another commenter noted that natural gas facilities are regulated under PHMSA pipeline regulations.

LEPC Coordination

A suggestion was made that in addition to LEPC coordination, facilities storing large quantities of hazardous materials be required to submit a Hazardous Materials Management Plan as outlined in NFPA 400. Another suggestion was made that large chemical facilities be required to provide financial support to the local LEPC. A commenter noted that natural gas transmission and distribution facilities are already required to maintain close coordination with local emergency response authorities under 49 CFR 192.615.

Atmospheric Storage Tank Exemption

The use of the NFPA 30 definition of atmospheric storage tanks has been suggested as a way of removing the current confusion related to the OSHA definition. An update of §1910.106, the flammable liquids standard, has been suggested. A suggestion was made that there should be a distinction between raw material tanks that feed a process and finished goods tanks that are filled from the process.

Highly Hazardous Chemicals

Expanding the list of Highly Hazardous Chemicals by adding specific chemicals would be a reactive exercise. The suggestion was made to use generic descriptions based upon amount and hazard category in place of trying to list all new HHC.

Certification of Auditors

A commenter noted that lead auditors, whether in-house or third party, should be Certified Process Safety Auditors. Other members of the team that are subject matter experts would not need to be certified.

Management Systems

The suggestion was made that portions of the new ANSI/AIHA Z10 consensus standard on industrial hygiene be included in the management systems language of the PSM standard.

Temporary Workers

While this was not specifically addressed in the RFI, one commenter submitted a lengthy paper about the perceived hazards of allowing temporary workers to work in PSM covered areas. This included a suggestion that the PSM standard specifically address increased training requirements for temporary workers.

PHMSA Publishes 60-Day ICR for OPID and Operator Registry Forms

The DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a 60-day ICR revision notice in Monday’s Federal Register (79 FR 18118-18119, available on-line today) concerning proposals to revise two forms used by gas transmission and gas distribution pipeline operators to provide information to the National Registry of Pipeline and LNG Operators under authority of 49 CFR §191.22 and §195.64.

Those two forms are:

• PHMSA F 1000.1, OPID Assignment Request; and
• PHMSA F 1000.2, Operator Registry Notification.

OPID Assignment Request Changes

PHMSA is proposing to make the following changes to the OPID Assignment Request form:

• Align the gas distribution and gas transmission commodity choices with those found on the annual and incident reports;
• Modify the list for types of gas distribution operators to reflect the ownership structure of the operator;
• Collect the miles of pipe and facility descriptions for each state;
• Eliminate liquefied natural gas (LNG) plans and procedures as a separate safety program type; and
• Collect business cell phone numbers for contacts in addition to office phone numbers.

Operator Registry Notification Changes

PHMSA is proposing to make the following changes to the Operator Registry Notification form:

• Remove and revise instructions regarding pipeline safety program information submissions at several locations in the form and instructions;
• Reduce the number of notification types and the text describing each type to enhance clarity;
• Require Type B notifications to indicate whether the operator is assuming or ceasing operatorship of pipeline facilities;
• Require separate notifications for an acquisition and a divestiture;
• Allow an operator submitting a divestiture to request the deactivation of their OPID;
• Align the gas distribution and gas transmission commodity choices with those found on the annual and incident reports;
• Collect data about miles of pipeline separate from facilities, such as breakout tanks, storage fields, and compressor stations, in Step 3;
• Require operators to provide data about pipeline facilities (Step 3) when they submit a change in entity operating (Type B) notification;
• Collect the miles of pipe and facility descriptions for each state; and
• Add a “Guidance for Selecting the Appropriate Notification Type” section to the instructions.

Burden Estimate

This ICR Notice provides a revised estimate of the burden that these collections will impose on the 2,328 natural gas, 82 LNG facility and 335 hazardous liquid operators on an annual basis. Table 1 below shows a comparison of the proposed revised ICR with the currently approved ICR for these forms. The current data comes from information submitted to the OMB’s Office of Information and Regulatory Affairs (OIRA).

Table 1: Burden Estimates (time burden and cost burden)

The currently approved OPID numbers are high because this was for the initial implementation of the program and all 2753 operators had to register. Only new operators and certain changes would be reported with this form now so the current annual collection requirement would be much less than 2753 submissions. PHMSA estimated that it would take one hour to complete the OPID Assignment Request form.

PHMSA originally estimated that there would be four notifications per year from each operator using the Operator Registry Notification form. They estimated that it would take 15 minutes for each of those notifications.

PHMSA does not routinely report the cost burden in its ICRs. They do, however, provide a cost estimate to OIRA. They most recently estimated that hourly cost for this ICR was $64.75 providing a total annual burden cost for both forms at $356,513.50.

The ICR notice does not make it clear which form the 630 responses would involve. It would seem that the one hour per submission would mean that it was the OPID Assignment Request. Either that or the proposed changes to the Operator Registry Notification form would take four times as long to complete. In either case, PHMSA should explain the basis for the change in the burden estimate.

Public Comments

PHMSA is soliciting public comments on these proposed form changes and the associated change in the ICR burden. Comments may be submitted via the Federal eRulemaking Portal (Docket # PHMSA-2014-0018). Comments need to be submitted by May 30th, 2014.

Friday, March 28, 2014

ICS-CERT Publishes Siemens Advisory for ROS

Today the DHS ICS-CERT published an advisory for the Siemens RuggedCom operating system (ROS). The improper input validation vulnerability upon which this advisory is based was reported to Siemens by Aivar Liimets from Martem Telecontrol Systems. Siemens has produced a product upgrade that mitigates this vulnerability in most affected systems, but there is no indication in this Advisory or the one from the Siemens ProductCert that Liimets has verified the efficacy of the update.

The Vulnerability

ICS-CERT reports that a relatively unskilled attacker could exploit this vulnerability to conduct a denial of service attack on the device. Such a DoS attack would not affect the switching functions of the device according to both advisories. The attacker would need to have network access to the device.

Siemens is still in the process of developing an upgrade for v4.0 of the ROS, but upgrading most earlier versions to v3.11.5 will mitigate the vulnerability according to Siemens. When the v4.0 upgrade is available, Siemens will update their internal advisory and presumably ICS-CERT will update the one issued today.

Another Advisory Update from Siemens

I said ‘presumably’ for the ICS-CERT update in the last paragraph because they have not provided an update to their previous Siemens ROS advisory that Siemens updated today. The Siemens update added a new mitigation for the v3.11 devices (the same upgrade discussed above) and updated the support contact information.

Follow-up on Schneider Advisory

There has been an interesting Twittversation about these vulnerabilities since I did my earlier post.
Carsten Eiram (@carsteneiram) provided a link to the original vulnerability report that Risk Based Security published after Schneider apparently published their original (though no longer available) advisory back in March of last year. While that report is not exactly ‘exploit code’ it certainly contains enough information that a reasonably competent hacker should be able to write their own.

Adam Crain (@jadamcrain; of DNP3 Fuzzing Fame) asked: “Any idea what took @ICS-CERT so long on this one?” This is certainly a good question since it has now been over a year since Schneider first publicly reported the vulnerability.

The delay is almost certainly related to the fact that Schneider is fixing the problem system by system. While the problem is reportedly in the common ModbusDriverSuite, the implementation of that suite in each of the eleven products is likely slightly different. According to the most recent Schneider advisory (dated September 13th, 2013) they don’t intend to issue product updates just for this vulnerability; the fix will be included in the next product update.

I suspect that either ICS-CERT finally got fed up with the slow pace of updates or they received some recent communication from Schneider that indicated that Schneider had effectively decided not to fix the other eight products. Either would certainly explain the following comment in yesterday’s ICS-CERT Advisory:

“Schneider Electric has no immediate plan [emphasis added] for updating the other identified software products.”

In any case, Schneider has left customers owning the software listed below in an unenviable position. Their control system has a publicly identified security vulnerability for which only a network-limitation mitigation is available; a mitigation that individual customers may or may not be in a position to put into place.

• TwidoSuite Versions 2.31.04 and earlier (available next month?);
• PowerSuite Versions 2.6 and earlier;
• SoMove Versions 1.7 and earlier;
• SoMachine Versions 2.0, 3.0, 3.1, and 3.0 XS;
• UnityLoader Versions 2.3 and earlier;
• Concept Versions 2.6 SR7 and earlier;
• ModbusCommDTM sl Versions 2.1.2 and earlier;
• PL7 Versions 4.5 SP5 and earlier; and
• SFT2841 Versions 14, 13.1 and earlier.

Maybe this push by ICS-CERT will speed up the process. Or maybe enough complaints from customers will provide the necessary impetus. Finally regulators that have cyber security controls available may want to ensure that folks with these systems are taking special precautions.

Bills Introduced – 03-27-14

Yesterday 63 bills were introduced in the House and Senate. Three of those bills may be of specific interest to readers of this blog:

HR 4338 Latest Title: To amend title 49, United States Code, to require gas pipeline facilities to accelerate the repair, rehabilitation, and replacement of high-risk pipelines used in commerce, and for other purposes. Sponsor: Rep Rangel, Charles B. (D,NY)

HR 4339 Latest Title: To establish State revolving loan funds to repair or replace natural gas distribution pipelines. Sponsor: Rep Rangel, Charles B. (D,NY)

S 2167 Latest Title: A bill to establish a grant program for career education in computer science. Sponsor: Sen Gillibrand, Kirsten E. [NY]

I suspect that the two pipeline bills are related to the recent gas pipeline explosion in New York City. That explosion highlighted the dangers associated with this specific portion of our aging infrastructure problem.

The last bill will only receive coverage here if it has specific coverage of cybersecurity education support.

Thursday, March 27, 2014

Markup Results on DHS Communications Bills

This morning the Emergency Preparedness, Response, and Communications Subcommittee of the House Homeland Security Committee met to conduct a markup hearing on three communications related bills. Those bills were:

HR 3283, the Integrated Public Alert and Warning System Modernization Act of 2013;
HR 4263, the Social Media Working Group Act of 2014; and
HR 4289, the DHS Interoperable Communications Act.

The Subcommittee agreed to all three bills by voice vote. The first two were amended before being agreed to, but the last was agreed to without change.

HR 3283 Changes

As I noted earlier, Rep Brooks (R,IN) offered an amendment in the form of a substitute. This revised language was further amended by four amendments from Rep. Payne (D,NJ) that were considered en bloc; four amendments from Rep. Clarke (D,NY) that were considered en bloc; and a single amendment from Rep. Higgins (D,NY). All amendments were agreed to by voice vote.

Most of the Payne amendments were minor word changes, but the last one would require DHS to determine which commercial wireless devices were capable of receiving the warnings broadcast under the Integrated Public Alert and Warning System and to annually publish a list of those devices.

All four of the Clarke amendments were related to cybersecurity concerns. They included:

• A requirement to ensure that the Integrated Public Alert and Warning System is hardened ‘to the greatest extent practicable’ against cyber-attack (listed in two separate places);
• A requirement to add the Under Secretary for Cybersecurity and Communications of the Department of Homeland Security to the members of the Advisory Committee; and
• A requirement for the Advisory Committee to conduct an assessment of the cybersecurity of the Integrated Public Alert and Warning System.

The Higgins amendment would require the Advisory Committee to consider lessons learned each time the Integrated Public Alert and Warning System is used.

HR 4263 Changes

Again, I reported earlier that Ranking Member Payne had offered an amendment in the form of a substitute for this markup. That language was further amended by a separate amendment from Mr. Payne that added the Office of Disability Integration and Coordination of FEMA to the Working Group.

An amendment from Higgins would add a requirement that the Working Group’s report to Congress include recommendations on how public awareness of the Department’s social media communications could be increased.

Moving Forward

The next step in the legislative process will be the full committee markup hearing, and I expect that all three bills will again be marked up in a single hearing. How soon that hearing takes place will be a rough measure of the likelihood that these bills will make it to the floor of the House. If these bills don’t get to the floor before the summer recess, the only way they will likely make it to the President’s desk will be by being included in the DHS spending bill.

ICS-CERT Publishes New Schneider Advisory

Today the DHS ICS-CERT published a new advisory affecting 11 separate Schneider Electric products that use the serial MODBUS driver. This advisory is based upon a stack-based buffer overflow vulnerability reported by Carsten Eiram of Risk-Based Security in a coordinated disclosure. An updated ModbusDriverSuite has been produced, but there is no indication whether or not Carsten has had a chance to verify the efficacy of that mitigation.

ICS-CERT reports that a highly skilled attacker could remotely exploit this vulnerability to execute arbitrary code.

The ICS-CERT advisory gives conflicting information about the mitigation efforts undertaken by Schneider. In one paragraph it states that the latest versions of OFS and UnityPro have been released with an updated ModbusDriverSuite and other affected systems will have that suite in their next update. The next paragraph then states that: “Schneider Electric has no immediate plan for updating the other identified software products.”

The advisory from Schneider (originally released September 13th, 2013) states:

“The ModbusDriverSuite for TwidoSuite will be available in April of 2014. Until the ModbusDriverSuite becomes available for TwidoSuite, Schneider Electric recommends using a firewall to allow only authorized systems to access TwidoSuite. OFS V3.5 and Unity Pro V8 have been released including the updated ModbusDriverSuite. For other products listed, the updated ModbusDriverSuite will be implemented with each new version of those Software Products.”

The Schneider-produced advisory has some changes recorded in it. It appears that, initially at least, they believed that the vulnerability could only be exploited via local access. They also apparently initially underestimated the degree of risk associated with this vulnerability; they updated the CVSS Base Score from 6.9 to 9.3 (the same value that ICS-CERT is reporting). There is no indication when these two visible changes were made to their advisory.

Bills Introduced – 03-26-14

There were 25 bills introduced in Congress yesterday and two of them may be of specific interest to readers of this blog:

HR 4298 Latest Title: To amend the Federal Power Act to protect the bulk-power system and electric infrastructure critical to the defense of the United States against cybersecurity, physical, and other threats and vulnerabilities. Sponsor: Rep Waxman, Henry A. (D,CA)

S 2158 Latest Title: A bill to amend the Federal Power Act to protect the bulk-power system and electric infrastructure critical to the defense of the United States against cybersecurity and physical and other threats and vulnerabilities. Sponsor: Sen Markey, Edward J. (D,MA)

I suspect that these twin bills (known in Washington as ‘companion bills’) are a considered response to a report authored last year by Rep. Waxman and then-Rep. Markey on the security of the electric power grid.

Wednesday, March 26, 2014

HR 4289 Introduced – DHS Interoperable Communications

As I noted earlier this week Rep. Payne (D,NJ) introduced HR 4289, the DHS Interoperable Communications Act. The bill would require DHS to develop a strategy to implement changes in the department’s operations and equipment that would allow the various DHS components to communicate with each other during operations.

Interoperable Communications

The bill starts off with amending 6 USC 341 by adding a definition of ‘interoperable communications’ as paragraph (d). That definition describes the term as: “the ability of components of the Department to communicate with each other as necessary, utilizing information technology systems and radio communications systems to exchange voice, data, and video in real time, as necessary, for acts of terrorism, daily operations, planned events, and emergencies”.

Develop a Strategy

Section 3 of the legislation gives the Under Secretary for Management 120 days to present to Congress a copy of a strategy to achieve interoperable communications within the Department. That strategy should provide:

• An assessment of interoperability gaps in radio communications among the components of the Department {§3(a)(1)};
• Information on efforts and activities, including current and planned policies, directives, and training, of the Department since November 1, 2012, to achieve and maintain interoperable communications {§3(a)(2)};
• Planned efforts and activities of the Department to achieve and maintain such interoperable communications {§3(a)(2)};
• An assessment of obstacles and challenges to achieving and maintaining interoperable communications {§3(a)(3)};
• Information on, and an assessment of, the adequacy of mechanisms available to the Under Secretary for Management to enforce and compel compliance with interoperable communications policies and directives {§3(a)(4)};
• Guidance provided to the components of the Department to implement interoperable communications policies and directives {§3(a)(5)};
• The total amount of funds expended by the Department since November 1, 2012, and projected future expenditures, to achieve interoperable communications, including on equipment, infrastructure, and maintenance {§3(a)(6)}; and
• Dates upon which Department-wide interoperability is projected to be achieved for voice, data, and video communications, respectively, and interim milestones that correspond to the achievement of each such mode of communication {§3(a)(7)}.

As expected, there are also provisions for various reports to Congress about the implementation of this strategy.

Moving Forward

As I noted in Monday’s blog about its introduction, this bill has bipartisan support, as it was introduced by the Ranking Member of the House Homeland Security Committee’s Emergency Preparedness, Response and Communications Subcommittee and cosponsored by the chair of that Subcommittee, Rep Brooks (R,IN). The first markup hearing will be tomorrow, so we can see that this is being pushed along quickly.

I expect that this bill will be adopted easily tomorrow and by the full Committee when that markup is scheduled. The only question past that will be if the bill actually makes it to the floor in either House. This is an election year and this doesn’t look like a high priority in anyone’s re-election campaign. So unless this gets the attention of the Republican leadership in the House and then Sen. Reid’s (D,NV) eye, this bill will probably remain on the desk when this Congress adjourns the final time in December.

Australia Group CWC Final Rule Published

Today the DOC’s Bureau of Industry and Security (BIS) published a direct final rule in the Federal Register (79 FR 16664-16668) updating various portions of the Export Administration Regulations (EAR) to implement the understandings reached at the Australia Group (AG) plenary meeting held in Paris, France, on June 3-7, 2013 and the recommendations presented at the AG intersessional implementation meeting held in Bonn, Germany, on December 6-7, 2012.

Changes Made

The following changes were made:

15 CFR 710 – Added 7 countries as signatories to CWC including Somalia and Syria.

15 CFR 738 Country Chart – Removed CB2 listing for Mexico

15 CFR 740 Country Chart – Added Mexico as a member of the Australia Group

15 CFR 745 States Party to CWC – Added Somalia and Syria as signatories to CWC

15 CFR 772.1 – Added definition of ‘Australia Group’: “The countries participating in the Australia Group have agreed to adopt harmonized controls on certain dual-use chemicals (i.e., precursor chemicals), biological agents, related manufacturing facilities and equipment, and related technology in order to ensure that exports of these items do not contribute to the proliferation of chemical or biological weapons.”

15 CFR 774 Supplement 1 (the Commerce Control List)

1C350 Chemicals that may be used as precursors for toxic chemical agents – Changed quarterly reporting of samples shipped to annual reporting.

1C351 Human and zoonotic pathogens and “toxins” –

Added provision allowing Strategic Trade Authorization license exemption; and
Added “alpha, beta 1, beta 2, epsilon and iota toxins” to d.5 Clostridium perfringens listing

1C352 Animal Pathogens – Changed a.8. listing to “Rabies virus and all other members of the Lyssavirus genus;”

1C353 Genetic elements and genetically modified organisms – Changed Technical Note 1 to read “’Genetic elements’ include, inter alia, chromosomes, genomes, plasmids, transposons, and vectors, whether genetically modified or unmodified, or chemically synthesized in whole or in part.”

2B350 Chemical manufacturing facilities and equipment – Changed para b to read:
Agitators designed [added] for use in reaction vessels or reactors described in 2B350.a…

2B352 Equipment capable of use in handling biological materials – Revised para b to read:

b. Fermenters and components as follows:

b.1. Fermenters capable of cultivation of pathogenic micro-organisms or of live cells for the production of pathogenic viruses or toxins, without the propagation of aerosols, having a capacity of 20 liters or greater.
b.2. Components designed for such fermenters, as follows:
b.2.a. Cultivation chambers designed to be sterilized or disinfected in situ;
b.2.b. Cultivation chamber holding devices; or
b.2.c. Process control units capable of simultaneously monitoring and controlling two or more fermentation system parameters (e.g., temperature, pH, nutrients, agitation, dissolved oxygen, air flow, foam control).
Technical Note: Fermenters include bioreactors (including single-use (disposable) bioreactors), chemostats and continuous-flow systems.

Direct Final Rule

The BIS published this as a final rule without going through any of the intermediate rulemaking processes. BIS maintains that:

“The provisions of the Administrative Procedure Act (5 U.S.C. 553) requiring notice of proposed rulemaking, the opportunity for public participation, and a delay in effective date, are inapplicable because this regulation involves a military and foreign affairs function of the United States (See 5 U.S.C. 553(a)(1)). Immediate implementation of these amendments is non-discretionary and fulfills the United States' international obligation to the Australia Group (AG).”

The effective date of this final rule is today, March 26th, 2014.

Most of the changes made by this direct final rule seem to be rather standard fine-tuning of regulations, until you get down to the changes made to “2B352 Equipment capable of use in handling biological materials”.

The previous language for paragraph b is now b.1. The remaining language in this paragraph specifically adds the separate components that could be assembled into the described fermenter. This now places these classes of equipment on the Commerce Control List, which complicates the export of this equipment.

One part of this list may be of special concern to members of the chemical manufacturing community: the equipment listed in paragraph b.2.c:

Process control units capable of simultaneously monitoring and controlling two or more fermentation system parameters (e.g., temperature, pH, nutrients, agitation, dissolved oxygen, air flow, foam control).

The ‘process control units’ very generically described here are not unique to the manufacture of biological materials. Generally speaking, these industrial control systems are also used by chemical manufacturers and food manufacturers and just about any other industry that includes the automated process control of liquids.

It is interesting to note that there is no such mention of ‘process control units’ in the very lengthy description of equipment for Chemical manufacturing facilities and equipment (2B350).