Monday, June 30, 2014

ICS-CERT Publishes Havex Advisory

Earlier today the DHS ICS-CERT upgraded their Havex alert updated last Friday to an advisory today and included new information in the released document. They also explain some of the additional data that is available on the US-CERT secure portal.

The new information includes references to a Symantec blog post about the Dragonfly Group. Their information is very similar to the report I mentioned yesterday from CrowdStrike. The fact that the two reports agree on so many areas is a good indication that the base intellignece may be being properly interpreted.

The advisory also expands on some of the information that Havex has been searching for. ICS-CERT provides some examples of the search results found by the Trojan as it searched for OPC linkages.

The advisory also provides the following list of information that is available on the US-CERT secure portal:

• Three C2 IP addresses and 105 C2 Domains
• Eighty-seven SHA1 hashes of unique Havex Variants
• Sixteen Havex payload SHA1 and four Havex Installer SHA1 signatures and filenames
• Six Karagany filenames/MD5 hashes, 4 Karagany filenames, 2 Karagany C2 Domain IPs, and seven misc directory paths, agent strings, outbound traffic, and directories to watch.
• A STIX /TAXI file (IB-14-20124.stix.xml) containing details on the Trojan.Karagany.

It is kind of odd (from a counter-intelligence perspective) that ICS-CERT would publish this descriptive list of sensitive files that are being held on a secure server. Typically information security folks would tell ICS-CERT that the simple list above would allow the perpetrators to successfully determine how well the investigation against them is proceeding. It also explains to the Havex creators what areas of their tool suite will be less effective in the Wild.

US-CERT Secure Portal Update

I got an interesting email today from Monica Maher, the Chief of Operations at ICS-CERT about access to the control system security area within the US-CERT secure portal. She wrote:

“I wanted to let you know that about a year or so ago, we updated our policies and procedures to allow a variety of ICS stakeholders to obtain membership.  Previously, we vetted asset owners and operators as well as ICS vendors into our portal.  Due to feedback, we created a process to also allow ICS consultants and systems integrators into the portal.”

With this information I would like to expand my suggestion that system owners should sign-up for access to the US-CERT secure portal to include control system vendors, integrators and ICS security consultants. The more ICS security people that are involved in this information sharing, the better off the community will be.

FRA 60-day ICR Notice for Oil Train Reporting Order

Today the DOT’s Federal Railroad Administration (FRA) published a 60-day information collection request (ICR) renewal notice in the Federal Register (79 FR 36860-36861) to cover the reporting of crude oil unit train routing information under DOT Secretary’s emergency order published May 7th, 2014. The OMB’s Office of Information and Regulatory Affairs (OIRA) provided a 180-day emergency ICR to cover that order. This renewal would provide for the public comment period not afforded under the emergency ICR process.

Today’s notice provides the same regulatory burden data [Word® download link] submitted to OIRA in the original request for the emergency ICR. That annual data is summarized in the table below.

Initial notification to SERCs
Updated notifications
Notifications to FRA
Requests by SERCs

The number of initial notifications seems to be low to me. The only way that the number makes any sense is if there are only 120 possible routes that these crude oil unit trains could possibly take out of the Bakken oil loading region. That would mean that each of the listed responses would be addressed to multiple states along that route. That may be a reasonable way of accounting for the burden, but I doubt that that would be the method by which the notification would be compiled and delivered.

The FRA is soliciting public comments on this ICR. Comments may be submitted to Mr. Brogan at Public comments should be submitted by August 29th, 2014.

BTW: There is a major error in OIRA’s listing of the current emergency ICR. It shows two Federal Register citations for the submission of the original request. The first citation is for a totally unrelated ICR and the second citation is for an issue of the FR that has yet to be published. The only FR notice that mentions this oil route reporting requirement was the one published on May 13th, 2014 (79 FR 27363) and it contains no mention of an ICR.

Sunday, June 29, 2014

HR 4871 Introduced – TRIA Reauthorization

As I reported earlier Rep. Neugebauer (R,TX) introduced HR 4871, the TRIA Reform Act of 2014. This is one of five (HR 508, HR 1945, HR 2146, and S 2244) bills under consideration that would extend the Terrorism Risk Insurance Act that is due to expire this year. This bill would extend the operation of that Act through 2019 while making a number of changes to the program.

One major change would be to annually increase the trigger amount that would cause the US Treasury to pay a portion of the claims for a designated terrorist attack, from the current $100 million to $500 million in 2019.

The bill would also establish a new category of terrorist attacks. Section 102 of the TRIA authorizing language (15 USC 6701 Note) would be amended to require the Secretary of the Treasury to determine whether or not a designated terrorist attack would be an ‘act of NBCR [Nuclear, Biological, Chemical or Radiological] terrorism’ {§102(1)(D)}.

The term ‘NBCR terrorism’ is explained in the added §102(9) as any covered act of terrorism covered under the TRIA that “to the extent that the insured losses involve, regardless of any other cause or event that contributes concurrently or in any sequence to such insurance loss” due to:

• The dispersal or application of radioactive material, pathogenic or poisonous biological or chemical material;
• The use of a nuclear weapon or device that involves or produces a nuclear reaction, nuclear radiation, or radioactive contamination” or
• The release of radioactive material, pathogenic or poisonous biological or chemical material where “it appears that one purpose of the act of terrorism was to release such material”.

The only consequence of the declaration of an act of NBCR terrorism would be to lower the amount that triggers US participation in the payment of claims to $100 million.

As I noted in the earlier blog I think that this bill has the best chances of moving forward in the House since Neugebauer is the Chair of the Housing and Insurance Subcommittee of the House Financial Services Committee.

The Senate bill may be considered first and then the House leadership would have to decide whether or not they would consider their own bill or tack one of the House bills (presumably this one) onto the Senate bill as substitute language. In either case I would not be surprised to see the NBCR terrorism portion of this bill in any bill that goes to the President.

ICS-CERT and Information Sharing

An interesting series of twitversations were started yesterday about a single sentence in my post about the latest ICS-CERT update on the Havex Trojan. That dialog is important but a little more complicated than can be easily captured in 140 characters. I will try to address my outlook on the question here and welcome comments and opposing points of view to chime in on this discussion.

The Twitversation

What started this was the blog comment about mitigation measures:

“Presumably more up-to-date indicators are available through the US-CERT secure portal. This is another reason for potential targets to request access to the US Cert Secure Portal.”

Dale Peterson from DigitalBond started the twitversation from there noting that “we were told portal access is limited to asset owners”. I don’t know who the US-CERT allows to have access to their secure portal (I have not applied as I would almost certainly be turned down not being an owner or security professional, just a gadfly), but I replied “DHS ought to be fairly broadly defining 'asset owners'”.

I then made the more than a little sarcastic comment that folks in the ICS security business probably would not be included because “Ya'll are competitors after all (SAD)”. This touched a perennial sore spot with Dale who does not think that ICS-CERT/INL should be one of his business competitors (I agree).

Dale also asked: “what about integrators, resellers, vendors, industry groups ...”. To which Andy Robinson chimed in: “we are the ones who usually id and fix”. Again these are both important points.

US-CERT Portal

According to the US-CERT web site describes the US-CERT Portal this way:

“The US-CERT Portal provides a secure, web-based, collaborative system to share sensitive, cyber-related information and news with participants in the public and private sector, including GFIRST, the CISO Forum, NCRCG, ISAC members, and various other working groups. Authorized users can visit the US-CERT Portal.”

Access to the secure portal is provided to individuals or organizations that have been approved by various agencies of DHS. The ICS-CERT is apparently an approving agency for the ‘control systems compartment’ of the portal. Send requests for access to:

I do not personally know what criteria DHS uses to allow access to this portal. I would assume that representatives from critical infrastructure with cybersecurity exposure would be given access. I would hope that ICS-CERT would provide the widest possible access to control system owner.

I am extremely disappointed to hear that organizations like DigitalBond, an internationally recognized control system security company would have been denied access. I would think that it would be in the best interest of industry if security service providers, integrators and vendors were made an integral part of the information sharing community in the US-CERT secure portal. For a very large portion of the industrial control system owner community, these people are the ones that install, maintain and secure industrial control systems.

Why Restrict Access to Information

There are a number of legitimate reasons that the security and intelligence communities need to restrict access to information about control system vulnerabilities and threat information. For many control system applications, for example, there is no easy way for vendors of an application to reach out to the ultimate owners and users of those applications to ensure that they are informed of mitigation measures before a public release of vulnerability information. The ICS-CERT use of the secure portal to make such information available to the affected community before publicly announcing the vulnerability makes good sense.

When a cyber attack is first identified in the wild the cyber intelligence community needs to be able to share information with other potential targets to be able to identify and limit the effects of the attack. Conducting that outreach in a public forum would just ensure that the adversary make changes to their methodology to avoid further detection.

When cyber attack information is developed by private entities (such as F-Secure, Symantec, or CrowdStrike) using proprietary technology or techniques the sharing of that proprietary information would damage the business of those researchers and limit their ability to continue to develop threat information. Protecting information about those techniques and technology is a legitimate way to encourage those companies to continue to share their intelligence information with the government.

Questions about Status of Specific Information

It is easy for someone on the outside (like myself) to criticize government agencies for what information they share or fail to share. By definition we don’t have all of the information about a particular data release (or non-release) to be completely aware of what actually went into the release decision. Still we have a moral obligation to try to hold the officials involved accountable for their actions.

In a perfect world these decisions are made by professionals who have the best access to the information involved and complete understanding of the consequences of the release or restriction of that information. In the real world professionals are called upon to make these decisions on the fly with incomplete information about sources and consequences. And too frequently these decisions are made by professional politicians not security professionals.

From the outside, a good example of questionable information restrictions is the data about the three compromised web sites in the F-Secure report. I understand why a commercial organization like F-Secure would not publish that information; they are protecting themselves against potential libel and slander charges from the owners of the affected sites.

A government agency might take the same action based upon those concerns, but they are much better isolated from such liability claims than would be an organization like F-Secure. However, when ICS-CERT publicly announces that the identity of these sites is available on the US-CERT secure portal it is obvious that they are not trying to avoid litigation from the sites involved. Even the claim that they are protecting F-Secure from such litigation would be hard to accept in light of the public announcement of the information being available.

This is one of those times that it appears that the politicians have made a decision to protect information for a non-security related reason. And as is usual when security decisions are made for political reasons, this decision has put people (control system owners) at risk unnecessarily. This information should be given the widest possible dissemination to allow potentially affected system owners to evaluate their particular risk.

Lack of Cybersecurity Information Sharing Rules

It is situations like this one that illustrate the problem with the lack of information sharing rules for cybersecurity issues. Without a full and complete political discussion about what information should be shared by whom, with whom and under what conditions, the politicians within the executive branch are making these decisions on an ad hoc basis behind closed doors.

Now I understand and agree that the sharing of personally identifiable information is an important concern within the personal liberties community (and that community should be very large and important). How to protect individual information from abuse by large corporations and the government is a very complex and politically sensitive issue.

Fortunately, that portion of the cybersecurity problem is not very prevalent in industrial control system security issues. Perhaps Congress ought to take a first pass at cybersecurity sharing legislation that focuses on the narrow issue of information sharing about industrial control system security issues. This would allow that very important part of the security problem to be addressed and would allow the government to work out information sharing protocols that could be adopted to the broader cybersecurity problems without putting personal information at risk during the development process.

More Information on Havex

In a LinkedIn® discussion about yesterday’s post on the latest Havex ICS-CERT update, Kandy Zabka pointed me at an interesting discussion about the Havex RAT in a report from There is no date on this document but it is a ‘year in review’ type report for 2013, so I would suspect that it was probably posted in January or February.

The discussion is found on pages 16 thru 18 in their report about activities by the group ‘Energetic Bear’. It notes that the Havex RAT and the closely related SysMain Rat have been in operation since 2011.

There is no specific mention of the OPC related interest reported by F-Secure, but it does list the energy sector as a primary target with secondary targets including US healthcare providers and European precision machine tool manufacturers.

The most interesting part of the discussion is their assessment that the group responsible has Russian connections. The evidence presented in the report is weak on detail, but that is not unexpected in a year-end-summary type report. ICS-CERT would not be expected to address this issue publicly or even on the US-CERT secure portal, but it is something worthy of investigation by NSA (this is the type thing that they should be working on).

As with the Stuxnet discovery, this continues to get more and more interesting as we proceed to find out more about Havex. I have a feeling that this discussion is going to continue for a while.

Saturday, June 28, 2014

ICS-CERT Updates Havex Alert

Last night the DHS ICS-CERT published an updated version of their alert for the Havex Trojan. The update provides a more complete description of the actions of the Havex Remote Access Trojan (RAT), though still not as detailed as the original F-Secure blog post. It does, however, report for the first time a separate operational issue with the Havex RAT:

“It is important to note that ICS-CERT testing has determined that the Havex payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications.”

This would not be expected to be a deliberate design element of the Trojan, but it could serve as an indicator of a potential Havex attack for organizations that do not have operational system logging capabilities.

ICS-CERT Still Restricting Information

ICS-CERT is still restricting information about the known ‘watering hole’ sites to the US-CERT secure portal. I agree with Dale Peterson’s Tweet that this probably slows the community response to this threat vector as only a very limited number of control systems organizations currently have access to this information source. ICS-CERT continues to provide information on how to request access the US-CERT secure portal:

“ICS-CERT encourages US asset owners and operators to join the control systems compartment of the US-CERT secure portal. To request access to the secure portal send your name, email address, and company affiliation to”

This is a very low threshold to pass to gain access to this information. While we can (and should) debate whether or not ICS-CERT should be restricting access to information that the source of the Havex attack already knows (and the F-Secure blog post identifies clearly enough for the attacker to know which compromised sites have been identified), any organization that uses an OPC server in their control system architecture should apply for access to this information.

Mitigation Measures

The update also significantly expands the mitigation measures that organizations can use to limit the activity of the Havex Trojan. There is not anything new here, but this appears to be a pretty good list of actions to take to secure control systems in general. ICS-CERT does not provide any specific indicators of compromise in this alert, but they do provide a link to the F-Secure blog post on this RAT from Monday that does contain some of those indicators.

Presumably more up-to-date indicators are available through the US-CERT secure portal. This is another reason for potential targets to request access to the US Cert Secure Portal.

Information Sharing

ICS-CERT continues to request that organizations that know or suspect that they have been compromised by Havex contact ICS-CERT. Any new information that may be provided by users will make the ICS-CERT investigation of this malware more complete.

This would be a very good point in time to have federal legislation in place that would provide safeguards for organizations that wish to share this type of information with ICS-CERT. At a minimum such information sharing activities should be protected to limit liability concerns and restrict what detailed data the government can share with other organizations, both governmental and private sector.

Lacking such specific cybersecurity information sharing protections, anyone submitting detailed information to ICS-CERT should attempt to avail themselves of the protections provided by Protected Critical Infrastructure Information (PCII) program. At an absolute minimum any information submitted to ICS-CERT should specifically include the following PCII Express Statement:

“This information is voluntarily submitted to the Federal Government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002.”

A better method would be to include the ‘Express and Certification Template’ found in Appendix 5 of the PCII Procedures Manual.

Friday, June 27, 2014

HR 4007 – CFATS Reauthorization – Reported in House

Earlier this week the House Homeland Security Committee filed their report on HR 4007, the Chemical Facility Anti-Terrorism Standards Program Authorization and Accountability Act of 2014. This bill is now cleared for consideration on the floor of the House. I expect that it will be considered under a rule that limits the amendments that will be considered on the floor.

CFATS Facilities

It is always interesting to go back and read the language of the bill that is included in the report. Readers may remember that I reported that the exempted facility list had been removed from the substitute language that would be offered in the Full Committee markup of this bill. That language exempting MTSA, water, DOD and NRC facilities from coverage has found its way back into §2101(f)(1).

I went back and confirmed that the substitute language that had been on the Committee web site prior to the hearing did not, in fact, include that language. The version of that markup language that is currently on the web site (posted the day after the hearing) does have the language. I would assume that the language had been changed between the time I wrote my post and the time that Committee met.

PSP Redress

In that earlier post I identified the new requirement for a redress procedure for the CFATS personnel surety program. I noted that:

“The new language requires the Secretary to establish a personnel surety program that provides redress to an individual “who believes that the personally identifiable information submitted to the Department for such vetting by a covered chemical facility, or its designated representative, was inaccurate” §2101(d)(3)(A)(iii). This completely ignores that possibility of being incorrectly identified as having terrorist ties due to an error on the part of the Government.”

The language still reads that way but there is an interesting discussion in the report about this section of the bill. It reads:

“Finally, this subsection requires any such program to make available redress to an individual who wishes to challenge a determination based on DHS vetting.”

Lawyers love to argue the ‘intent of Congress’ based upon this type of language in Committee Reports. Whether or not judges accept that ‘intent’ is another story. This is this is the basis for a lot of lawyer fees. But, in my (non-lawyerly) opinion the language of §2101(d)(3)(A)(iii) still clearly applies only to case where “the personally identifiable information submitted to the Department for such vetting by a covered chemical facility, or its designated representative, was inaccurate”. There is still no relief for an error on the government’s part, the report commentary notwithstanding.

Moving Forward

I fully expect that this bill will be considered by the Full House in early July. It will pass with significant bipartisan support. There will probably be unsuccessful attempts at adding language for some sort of limited IST provision and worker participation.

Since the Senate Homeland Security and Governmental Affairs Committee did not take up a CFATS bill this week I think that there is a good chance that they will take up the bill before the summer recess. If the bill makes it through that Committee without major changes, I think that there will be a good chance of the bill coming to the floor of the Senate before the election as that will be a signal that they bipartisan support for the language in the House Committee has carried over to the Senate. If major IST changes, worker participation changes or civilian law suit enforcement procedures are added, the bill will certainly face Republican filibuster and it will die the same death that we have seen too many times before.

Bills Introduced – 6-26-14

In their last day before taking a week off for the 4th of July the House and Senate introduced 81 bills. Two of those bills may be of specific interest to readers of this blog:

S 2534 Latest Title: An original bill making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2015, and for other purposes. Sponsor: Sen Landrieu, Mary L. (D,LA)

S 2547 Latest Title: A bill to establish the Railroad Emergency Services Preparedness, Operational Needs, and Safety Evaluation (RESPONSE) Subcommittee under the Federal Emergency Management Agency's National Advisory Council to provide recommendations on emergency responder training and resources relating to hazardous materials incidents involving railroads, and for other purposes. Sponsor: Sen Heitkamp, Heidi (D,ND)

As is usual I will expect that the report accompanying the DHS spending bill to be more interesting than the bill itself. The Senate will pass it’s bill and the House theirs and then the Conference Committee will work out the differences. Most of the ‘requirements’ in the report however will stand.

It is interesting that Heitkamp’s advisory committee will actually only be a subcommittee of an already existing AC. I’m looking forward to seeing what requirements are laid upon that subcommittee.

Wednesday, June 25, 2014

ICS-CERT Publishes Havex Alert

This evening the DHS ICS-CERT published an alert concerning the Havex RAT publicly reported by the folks at F-Secure with a follow-up article at Both sources provide more information than does ICS-CERT.

The Havex Remote Access Trojan (RAT) has reportedly been used to gather information about industrial control systems. What makes this particular RAT of specific concern is that at least some of the infections detected by F-Secure were pickup up from compromised web sites of control system vendors. F-Secure has not publicly identified the three specific web sites that were compromised.

The interesting comment in the ICS-CERT advisory (beyond the most basic reporting about the RAT) is the notice that they have released a third-party report on the US-CERT secure portal. Hopefully, some of the as of yet ‘unverified’ information in that report is the list of affected web sites.

This is obviously a preliminary effort by ICS-CERT. They report that they are working to:

• Evaluate the install/deployment base of the reported affected vendors
• Provide additional indicators of compromise
• Identify any affected entities in the US
• Reach out to the ICS vendors that were compromised and offer assistance in identifying those customers that may have visited the web site and downloaded the Trojan.

They are also requesting that any organization that feels that they may have been affected by the Havex malware contact ICS-CERT. This will help them identify more details about the problem.

Bills Introduced – 06-24-14

Mid-way through the legislative week and 27 bills were introduced yesterday. Two of those may be of specific interest to readers of this blog:

S 2519 Latest Title: A bill to codify an existing operations center for cybersecurity. Sponsor: Sen Carper, Thomas R. (D,DE)

S 2521 Latest Title: A bill to amend chapter 35 of title 44, United States Code, to provide for reform to Federal information security. Sponsor: Sen Carper, Thomas R. (D,DE)

It is very likely that there will be no control system security language in either of these bills, but they are being marked-up [.PDF download link] this afternoon in a hearing before the Senate Homeland Security and Governmental Affairs Committee, so I thought they should be mentioned; at least in passing.

Tuesday, June 24, 2014

Update on 2014 CSSS Agenda Changes

After posting my brief discussion about the disappearing 2014 Chemical Sector Security Summit (CSSS) agenda this morning, I fired off an email to my PR contact at DHS NPPD asking about what was going on. This afternoon I got an email reply stating essentially that the site is now fixed and that it was just a technical glitch. Stuff Happens.

Except… there are now two different versions of the 2014 CSSS Agenda on the DHS web site; the one I wrote about last Friday and the one linked to by the updated web site. There are some minor formatting differences between the two version, but most of the information is word-for-word the same.

Except… the first two pages on the original agenda are missing from the current version. Those two pages were for the ‘Pre Summit’ on July 22nd. Most of this is just early registration type stuff, but there were three concurrent workshops listed for the pre-summit:

• Supply Chain Workshop
• How to Develop and Deliver an Effective Active Shooter Preparedness Program
• Chemical Facility Anti-Terrorism Standards (CFATS) Advanced Notice of Proposed Rulemaking (ANPRM) Listening Session

The actual link on the 2014 CSSS web site take one to an intermediate link web page that claims that the linked document was last updated on “Tue, 06/17/2014”. That would make it pre-date my Friday blog post which should mean that the agenda should be the one I described Monday rather than the one that is there now.

Don’t worry about it. With just under a month left to the 2014 CSSS, there will be plenty of time to take care of these glitches.

S 2244 – TRIA Reauthorization – Reported in Senate

According to yesterday’s Daily Digest the Senate Banking, Housing and Urban Affairs Committee favorably reported S 2244, the Terrorism Risk Insurance Program Reauthorization Act of 2014, with an amendment. This is the first of the five current bills intending to reauthorize the TRIA to be reported by Committee.

Unfortunately, the bill was reported without a written report, so it is not clear exactly what the amendment does to the bill.

This now clears this bill to be taken up any time that Sen Reid (D,NV) decides that it is appropriate to do so.

I mentioned earlier that I thought that the bill recently introduced by Rep. Neugebauer (R,TX), HR 4871, would have the best chance to move forward in the House. It now seems that Sen. Schumer’s bill has a slight edge just because it may come to the floor for a vote first.

CG Considers LHG Terminal in Vidor, TX

Today the Coast Guard published a notice in the Federal Register (79 FR 35766-35767) serving public notice that it had received a letter of intent for the establishment of a waterfront facility handling Liquefied Hazardous Gas (LHG) from Enterprise Terminalling LLC.

In accordance with 33 CFR Part 127, the Captain of the Port will review the letter of intent and the waterway suitability assessment provided by the company as well as any public comments received in response to this notice before a letter of recommendation is provided for this facility.

The Coast Guard is soliciting comments on this proposed facility’s effect on the waterways leading to the facility. Personnel wishing to submit such comments may do so using the Federal eRulemaking Portal (; Docket #  USCG-2014-0406). Such comments need to be submitted by July 24th, 2014.

Agenda Being Changed for 2014 CSSS?

With just about a month left until the 2014 Chemical Sector Security Summit, it looks like maybe changes are afoot. Last week I reported that the agenda was available for the 2014 CSSS. This morning the web site for that meeting is now missing the link to that agenda. The link is still functional but NPPD is apparently no longer providing it to the public.

This could, of course, just be a web site programing glitch, but it could also mean that some sort of change was being made to the agenda. I’ll try to see what DHS has to say about this.

Monday, June 23, 2014

Senate CFATS Bill No Longer on Agenda

Yesterday I reported that the Senate Homeland Security and Governmental Affairs Committee would consider a CFATS related bill during their business meeting on Wednesday. A revised agenda for that meeting [PDF download link] was posted on their web site today and the unintroduced CFATS bill is no longer listed. No explanation was given, but I suspect that there was some dissention within the Committee about parts of the proposed bill. I don’t know what those parts would be, but the standard areas for disagreement over the last 11 years have been IST provisions, worker participation requirements, and civil suit provisions.

OMB Approves First Responder Communities of Practice ICR

Friday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had given a short term approval (1 year) to the DSH S&T’s information collection request renewal for their First Responder Communities of Practice (FRCoP) program. This covers the registration information collected by S&T for that program.

This is not in response to the 60-day ICR notice that I wrote about last week. Apparently S&T knew about the short term renewal that was going to be published and was trying to get an early start on that renewal.

This renewal contains the same ‘Terms of Clearance’ notice as did the previous approval from March of last year:

“If DHS submits a renewal of this collection, it should include a report with the following information: • How the First Responders Community of Practice is being used. Has the intended audience been reached? • An analysis by DHS of the practical utility of the collection. • An analysis by DHS of other similar platforms currently in use by first responders.”

So apparently S&T is being given a second chance to get this information right.

Sunday, June 22, 2014

S 2444 – Introduced – FY 2015 CG Authorization

As I noted earlier this month, Sen. Begich (D,AK) introduced S 2444, the Coast Guard Authorization Act for Fiscal Years 2015 and 2016. As has been common for a number of years now, there is no mention of chemical security issues or operations under the Maritime Transportation Security Act (MTSA).

The only mention of chemical transportation safety issues is a revision for vessel oil spill response plans that provides for worst case scenario planning oil drilling rigs {§508}.

As I mentioned earlier today, there will be a markup of this bill this week. I doubt that we will see any language on chemical security issues.

Congressional Hearings – Week of 6-22-14

Both the Senate and House will be in town this week. The House has a fair number of hearings scheduled, but none of specific interest to readers of this blog. The Senate, however will be having three separate mark-up hearings that will be of interest; one spending bill, one authorization bill, and a trio of bills that have not yet been introduced.

DHS Spending

The Homeland Security Subcommittee of the Senate Appropriations Committee will be meeting on Tuesday to mark up the FY 2015 DHS spending bill. A draft copy of that bill is not yet available.

Coast Guard Authorization

The Senate Commerce, Science and Transportation Committee will meet on Tuesday to mark-up 8 bills including S 2444, the Coast Guard Authorization Act for Fiscal Years 2015 and 2016.

Three Homeland Security Bills

The Senate Homeland Security and Governmental Affairs Committee will meet on Wednesday to address one nomination and mark-up 11 bills. Three of those bills have yet to be introduced and those are the ones of specific interest here. They are:

• The Federal Information Security Modernization Act of 2014;
• The National Cybersecurity and Communications Integration Center Act of 2014; and
• The Protecting American Chemical Facilities From Attack Act of 2014.

The first may possibly contain language that affects control system security (not too likely) but the second has a better chance.

The third bill will be the long awaited Senate plan for the longer term reauthorization of the CFATS program. This will certainly contain provisions not seen in HR 4007 that has not yet made it to the floor of the House. I would not be surprised to see IST or worker participation language in this bill, both of significantly absent from the House bill. If they do show up here in strongly worded language, then that might signal that the House bill would not be considered in the Senate; that would be the death of comprehensive chemical security legislation for another session of Congress.

Saturday, June 21, 2014

OMB Approves FAA Notice on Model Airplanes

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the Federal Aviation Administration’s ‘Interpretation of the Special Rule for Model Aircraft’. As I mentioned when I reported the submission of this notice to OIRA there is nothing in the Unified Agenda on this topic so we have no official way of knowing what this notice contains until it is published in the Federal Register.

The current FAA ‘standard’ on model airplanes is explained in Advisory Circular 91-57 published on June 9th, 1981 and pertains mainly to hobbyist built radio controlled (RC) aircraft. This certainly pre-dates the widespread availability of small commercial RC aircraft and small unmanned aerial vehicles (UAVs).

The AC 91-57 guidance addresses safety of flight concerns and ignores critical infrastructure safety and security issues, not unexpected given the date of publication. I suspect that the notice approved yesterday will expand SOF concerns and address the critical infrastructure issue. This notice should be published in the coming week.

Friday, June 20, 2014

CG Announces CTAC Meeting – 8-19-14

Today the Coast Guard published a meeting notice in the Federal Register (79 FR 35369-35370) for a three day meeting of their Chemical Transportation Advisory Committee (CTAC) starting August 19th, 2014 in Arlington, VA. The meeting is open to the public.

There will be sub-committee meetings on the 19th and 20th. Each of the sub-committees has different task statements outlined for their meetings. Details can be found via the Homeport web site (sorry no direct links are available through Homeport).

The full committee will meet on the 21st. Their agenda includes:

• Harmonization of Response and Carriage Requirements for Biofuels and Biofuel Blends.
• Recommendations on Safety Standards for the Design of Vessels Carrying Natural Gas or Using Natural Gas as Fuel.
• Recommendations for Safety Standards for Ship to Ship Transfer of Hazardous Material Outside of the Baseline.
• Recommendations for Guidance on the Implementation of Revisions to MARPOL Annex II and the International Code for the Construction and Equipment of Ships Carrying Dangerous
• Chemicals in Bulk (commonly known as the IBC Code).
• Requirements for Third-Party Surveyors of MARPOL Annex II Prewash Operations.
• Improving Implementation of and Education about MARPOL Discharge Requirements Under MARPOL Annex II and V.

There will also be Coast Guard presentations on:

• Update on International Maritime Organization activities as they relate to the marine transportation of hazardous materials.
• Update on U.S. regulations as they relate to the marine transportation of hazardous materials.
• Update on Bulk Chemical Data Guide (Blue Book).
• Update on vessel to vessel transfer of hazardous materials in bulk.

Time has been set aside during sub-committee meetings and the full committee meeting for public comments. Registration is required to present oral statements; contact Patrick Keffler, 202-372-1424, fax 202-372-8380.

2014 CSSS Agenda Now Publicly Available

The public access to the 2014 Chemical Sector Security Summit agenda was made available sometime yesterday afternoon. This does not look like a ‘draft’ agenda; it is cleaned up pretty good (other than the nearly blank page 2 that makes it look like a short document).  This agenda makes this version of the CSSS appear to be much more of a government show with fewer industry presentations than has been common.

Some of the interesting topics include:

• Chemical Facility Anti-Terrorism Standards (CFATS) Advanced Notice of Proposed • Rulemaking (ANPRM) Listening Session
• Executive Order 13650 – Improving Chemical Facility Safety and Security – Interagency Panel
• United States Coast Guard– Updates
• Chemical Facility Anti-Terrorism Standards (CFATS) Overview
• What to Expect during a CFATS Inspection
• Transportation: Trucking/Rail/Pipelines
• International Trends in Chemical Security
• Theft and Diversion
• Alternative Security Programs under CFATS
• Outcomes and perspectives of Executive Order 13636 Improving Critical Infrastructure
• Cybersecurity
• Research and Development: Jack Rabbit II
• Incident Information Sharing Tabletop Exercise – Playbook Chemical SCC SOP [closed press]
• Ammonium Nitrate
• CSAT Improvements Demo:
• Congressional Perspectives
• Local Resources and Emergency Response

The Jack Rabbit II presentation will be of particular interest to emergency response personnel and personnel dealing with chlorine gas issues. This reports on a TSA project looking at a series of deliberate ‘catastrophic’ releases of chlorine gas done at Dugway Proving Grounds, UT to allow first responders to better understand the behavior of chlorine gas in this type of situation. I wrote about plans for this study back in 2010 (here and here), but little has been released to date.

Bills Introduced – 6-19-14

The House and Senate both continued to work in Washington yesterday and 44 bills were introduced. Two of those bills may be of specific interest to readers of this blog:

HR 4903 Latest Title: Making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2015, and for other purposes. Sponsor: Rep Carter, John R. [TX-31]

S 2500 Latest Title: A bill to restrict the ability of the Federal Government to undermine privacy and encryption technology in commercial products and in NIST computer security and encryption standards. Sponsor: Sen Walsh, John E. (D,MT)

I have already discussed the probable provisions of HR 4903 as it proceeded through markup in the House Appropriations Committee.

The Senate bill may or may not contain provisions that specifically apply to control system security. If it does there will be continued coverage of the bill in this blog.

Thursday, June 19, 2014

Critical Energy Infrastructure Information Release ICR Approved

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the renewal of the Federal Energy Regulatory Commission’s (FERC) information collection request (ICR) for their Critical Energy Infrastructure Information (CEII) Release program. The approval was conditional upon FERC’s continued review of internal procedures of how to best protect CEII while allowing the widest possible dissemination.

The actual condition language reads:

“The Commission will incorporate any changes, upon the resubmission of this information collection request, in response to FERC's ongoing assessment of how best to keep Critical Energy Infrastructure Information secure while allowing those in the industry who need the information to access it.”

CEII is defined at 18 CFR 388.113(c)(1) and the procedures for requesting access are outlined in the same section. There is an interesting review of the changes in the FERC handling of CEII access process on the FERC web site.

Restricted Update on 2014 CSSS

Yesterday there was a change made to the DHS web site for the 2014 Chemical Sector Security Summit (2014 CSSS). They added a line and a link referring to the agenda for the July meeting. Unfortunately, the link is worthless, returning an “Access Denied” error code. This is becoming an increasingly common problem on NPPD related web sites.

BTW: What ever happened to the practice of adding a “Last Updated on:” line at the bottom of chemical security web sites. This used to be one of the better distinguishing characteristics of NPPD web pages.

Bills Introduced – 06-18-14

Both Houses talking on the Hill and there were 26 bills introduced. Today I am reaching when I say that there is one that may be of specific interest to readers of this blog, but the catchy title of this bill just means that I have to go look at it:

HR 4894 Latest Title: To establish the United States Commission on an Open Society with Security. Sponsor: Rep Norton, Eleanor Holmes (D,DC)

There is a very good chance that this is the last you’ll hear of this bill from a non-voting member of Congress.

Wednesday, June 18, 2014

Bills Introduced – 06-17-14

Both the Senate and House are in Washington this week and 27 bills were introduced yesterday. Two of those bills may be of specific interest to readers of this blog:

HR 4871 Latest Title: To reauthorize the Terrorism Risk Insurance Act of 2002, and for other purposes. Sponsor: Rep Neugebauer, Randy (R,TX)

S 2478 Latest Title: A bill to authorize the Secretary of Transportation to partner with industry to strengthen the safety culture and safety practices of short line and regional freight railroads. Sponsor: Sen Collins, Susan M. (R,ME)

This now makes 5 bills in the current session that address the reauthorization of the TRIA. I haven’t seen this bill yet, but I suspect that this is the one that will get play in the House since Neugebauer is the Chair of the Housing and Insurance Subcommittee of the House Financial Services Committee.

The Collins bill may be of interest if it contains provisions specific to chemical transportation safety.

CSB Whistleblower Hearing Update – 6-17-14

Today the House Oversight and Government Reform website published a list of speakers that will testify on Thursday about whistleblower retaliation at the US Chemical Safety and Hazard Investigation Board (CSB). The witness list includes:

• Rafael Moure-Eraso, Chairman, CSB;
• Beth Rosenberg, Former Member, CSB Board;
• Carolyn N. Lerner, Special Counsel;
• Arthur A. Elkins, US EPA IG
• Patrick Sullivan, US EPA AIG

I did finally find a news story from last October about a whistleblower complaint related to the CSB, but it is not clear if that story is related to this hearing. I am hearing rumors that an on-going US EPA IG investigation is turning up all sorts of interesting allegations (no details that I’ve seen). Apparently there have also been allegations of reprisals against CSB employ’s that have cooperated with EPA IG investigators.

More to come, I’m sure.

Tuesday, June 17, 2014

CFATS Knowledge Center Update – 06-17-14

Today the folks at ISCD published two new outreach documents on the CFATS Knowledge Center web site. Both are documents that deal with Authorization Inspections; unfortunately they both have the same title – “What to Expect from a CFATS Authorization Inspection”. The CFATS Knowledge Center calls the second document: “Prepare for a CFATS Authorization Inspection Fact Sheet”.

The Fact Sheet

This is a short, two page document, which briefly outlines what the CFATS authorization inspection covers. While it is written mostly in generalities, it does provide a good overview. No one is going to ‘pass’ an authorization inspection solely based on information found in this document, but facilities would be foolish to ignore it.

What to Expect

This document is a set of presentation slides on the topic of Site Security Plan (SSP) authorization inspections. It provides more detail about how the inspection will be conducted, what information to have available, and a very short list of specific things that inspectors will be looking for.

Helpful, but…

I’m glad to see that ISCD is reaching out to help facilities through this critical portion of the SSP approval process. I don’t think, however, that either of these documents is going to provide significant assistance to the facility security team.

I’m disappointed, because I have had some interesting conversations with a number of Chemical Security Inspectors over the last couple of years and they have almost universally indicated that they have documents that they share with facilities that have been prepared by other facilities (with permission of the authors I have been vigorously assured) that provide much more detailed information about the inspection process and outline security procedures that have already been approved by DHS at other facilities.

Now I understand that ISCD has been forbidden by Congress from providing that kind of detailed guidance as to what constitutes an ‘approved practice’, but surely there is some level of detail greater than that provided in these documents that would provide actionable information without transgressing the mandate boundary.

BTW: I am sure that I have seen earlier versions of these documents before, but I can’t find them in my files. Today’s publication is not the first time that ISCD has attempted to reach out to covered facilities to try to make the authorization process easier.

NOTE to Webmaster: If you are not going to provide back copies of all of the CFATS Update fact sheets in the document center of the CFATS Knowledge Center, you might as well not list any of them. It would make the list shorter and easier to manage.

Whistleblower Problems at CSB?

Yesterday the House Committee on Oversight and Government Reform published a notice that they would be holding a hearing on Thursday concerning “Whistleblower Reprisal and Management Failures at the U.S. Chemical Safety Board”. No other information is available on the Committee web site at this time.

I cannot find any news mentions of a whistleblower case involving the CSB. The CSB has attracted the ire of many within both the Executive Branch and the Congress for their apparent concentration on the lack of action the two branches have taken on recommended chemical safety issues rather than solely concentrating on determining the physical root cause of major chemical accidents. I hope that this hearing is not a response to that anger.

First Responders Community of Practice ICR Notice – Again

Today the DHS Science and Technology Directorate (S&T) published a 60-day ICR renewal notice in the Federal Register (79 FR 34545) for their First Responders Community of Practice Program (FRCoP). I wrote about the previous submission of this ICR to OMB last year; that submission has not yet been acted upon by OMB. This ICR notice completely ignores that previous submission.

I noted in my earlier blog that the previous approval of this ICR (which expired last October) was a short term approval because OMB wanted additional information about the program and its efficacy. I noted that S&T had not included that information in its published ICR notices. Looking back now at the actual ICR submission supporting documents there is an attempt [Word® download link] by S&T to fulfill that requirement. There is no indication on the OMB site if that was considered to be an adequate response.

One interesting item of information from that S&T document is the report that there are 5,000 active members of the FRCoP. Since this ICR only covers the submission of registration information that is supplied on a one time basis, it would seem that there is a pretty good retention of site members. The site has been active since somewhere in 2010 and S&T indicates that there have been an average of 2000 registrations per year. That means that between 6,000 and 8,000 registrations have taken place. Retaining 5,000 members from that number would seem to be a pretty high success rate.

One other interesting administrative note; this ICR notice uses the same docket number as the ICR submission that was withdrawn last year. It seems that everyone, both at DHS and OMB, is ignoring the ICR that was submitted last year. That seems to be more than a little strange.

Anyway, S&T is soliciting public comments on this ICR submission. Public comments may be made via the Federal eRulemaking Portal (; Docket # DHS-2012-0013). Comments need to be submitted by August 18th, 2014.

Monday, June 16, 2014

ISCD Publishes June 2014 CFATS Update

Today the good folks at DHS Infrastructure Security Compliance Division got around to publishing their June update for the CFATS program. The new data covers the month of May so my charts will call the latest data points ‘May 2014’ instead of ‘June 2014’. Generally speaking the number of both authorized site security plans and approved site security plans continues to rise while the total number of covered facilities continues to fall.

Diagram 1 shows the last 12 months’ worth of data for the program. We continue to see an increasing number of authorized and approved site security plans.

 Diagram 1: Total Authorized and Approved SSPs
Diagram 2 shows the rate of authorizations and approvals; only two months have seen a higher rate of site security plan approvals.

 Diagram 2: Rate of SSP Authorizations and Approvals

Diagram 3 shows the number of facilities covered by the CFATS program. The total number of covered facilities continues to decline. ISCD still does not provide an explanation of how much this decline is related to decreased risk or poor economic activity.

Diagram 3: Number of Covered Facilities

HR 4687 Introduced – Pipeline Inspections

As I noted last month Rep. Hahn (D,CA) introduced HR 4687, the Pipeline Inspection Enforcement Act of 2014. This bill is intended to close a gap in the pipeline inspection process during the transfer of pipelines from one company to another. It was inspired by the recent March 17th crude oil spill in Wilmington, CA. It would amend 49 USC 60108.

Section 2 of the bill would add new paragraphs (e) and (f) to §60108. Paragraph (e) would require the Secretary of Transportation to establish regulations governing the inspection of pipelines that are purchased by a new owner. The regulations would require an inspection within 180 days of the date of sale. The inspections would be conducted both by the person purchasing the pipeline and the regulatory agency responsible for inspecting pipelines in that State.

Paragraph (f) would address the issue of ‘abandoned’ pipelines. It would require a similar set of inspections for any pipeline that is newly listed as ‘abandoned’. The inspections would be done by “the regulatory authority responsible for inspections of the facility, together with the person owning or operating the facility” {§60108(f)}.

The term ‘abandoned’ is defined in the current USC as “permanently removed from service” {§60108(c)(1)(A)}, but that definition only applies to underwater pipelines. This bill probably should have been included a definition that would have included language that that ‘abandoned’ also requires the pipeline to be empty of hazardous materials. Simply inspecting the ‘abandoned’ pipeline in Wilmington may not have ended up with it being emptied (though I would certainly like to think that it would have been done if that had been discovered before the spill).

If this bill can get a hearing it would almost certainly pass in Committee and on the Floor of the House or Senate. This is a very good candidate for being added to PHMSA authorizing legislation.
/* Use this with templates/template-twocol.html */