Saturday, February 28, 2015

Congressional Hearings – Week of 3-1-15

Both the House and Senate will be in session this week. There are lots of budget hearings scheduled, but nothing of specific interest to readers of this blog. There will be four cybersecurity hearings; the most I’ve seen in a single week. There will also be a hearing on the Chemical Safety Board and a markup of the RESPONSE Act.


The following cybersecurity related hearings will be held in the House this week:

● Subcommittee on Oversight and Investigations (Committee on Energy and Commerce, Tuesday, “Understanding the Cyber Threat and Implications for the 21st Century Economy
● Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies (Committee on Homeland Security), Wednesday, “Industry Perspectives on the President’s Cybersecurity Information Sharing Proposal.”
● Subcommittee on Emerging Threats and Capabilities (Committee on Armed Services, Wednesday, “Cyber Operations: Improving the Military Cyber Security Posture in an Uncertain Threat Environment
● Subcommitte on Information Technology (Committee on Oversight and Government Reform), Thursday, “Cybersecurity: The Evolving Nature of Cyber Threats Facing the Private Sector

I don’t expect that there will be any real discussion of control system security at any of these hearings.

Chemical Safety Board

The House Committee on Oversight and Government Reform will be holding a hearing on Wednesday looking at “Rebuilding the Chemical Safety Board: Finding a Solution to the CSB's Governance and Management Challenges”.

There have been a number of complaints in the federal government and industry about the increasing political focus of the CSB’s accident investigation results in recent years. A number of people at OSHA and the EPA have complained about what some call the strident calls for legislative and regulatory action from the CSB. I expect that we will hear the same thing in this hearing.


The Senate Homeland Security and Governmental Affairs committee will be holding a business meeting on Wednesday. One of the items on the agenda is a markup of S 546, a bill that would establish the Railroad Emergency Services Preparedness, Operational Needs, and Safety Evaluation (RESPONSE) Subcommittee under the Federal Emergency Management Agency's National Advisory Council to provide recommendations on emergency responder training and resources relating to hazardous materials incidents involving railroads. The bill was just introduced this week, so the speed of this hearing is an indicator of how much interest there is in the bill.

On the Floor

There is nothing planned for this week in either house that will be of specific interest to readers of this blog. Of course the 500 lb gorilla that hangs over this week in Congress is the FY 2015 spending for DHS. It will be interesting to see if and how the various parties decide to try to work out their differences. What we have seen so far does not bode well for the future of the FY 2016 spending bills that have not yet even started to wend their way through Congress.

Friday, February 27, 2015

Bills Introduced – 02-26-15

For some reason the web site had problems today making yesterday’s legislation available for viewing. It just finally became available. There were 96 bills introduced in the House and Senate on Thursday. Only one appears to be of potential interest to readers of this blog:

HJ Res 37 Transportation Security Administration Continuing Appropriations Resolution, 2015 Rep. Ribble, Reid J. [R-WI-8]

The spending bill situation is getting entirely out of control when an odd congressman (meaning not a member of the appropriations committee) feels it is necessary to introduce a continuing resolution to fund just one component agency of DHS. I think we can safely assume that this bill will get no traction to go anywhere.

Senate Passes Amended HR 240 – House Disagrees

Earlier today the Senate adopted a clean version of HR 240 by a vote of 68 to 31; all 31 nay votes were from conservative Republicans. Just now the House voted (228 to 191) to disagree with the Senate amendment to HR 240 and to request a conference. It is unlikely that there will be a resolution to the disagreement on HR 240 today.

Meanwhile, the House debated HJ Res 35 and is now waiting for the leadership to call for a vote on that measure that would extend the current DHS funding until March 19th. The Senate is currently in recess subject to the call of the Chair waiting to take up either HR 240 or HJ Res 35.

APHIS Adds New Methyl Bromide Treatment Schedule

Today the Animal and Plant Health and Inspection Service (APHIS) published a notice of availability in today’s Federal Register (80 FR 10661-10662) concerning a new treatment schedule for the use of methyl bromide as a fumigant on imported figs for external pests.

This new treatment regime adds another to the critical uses of methyl bromide that will be another block to its elimination from use under the Montreal Protocol on Substances that Deplete the Ozone Layer (Protocol) and the Clean Air Act (CAA). It was the promise by the EPA of the elimination of the use of this toxic inhalation hazard chemical that lead the Department of Homeland Security to remove methyl bromide from their draft list of DHS chemicals of interest (COI) under the CFATS program.

While the use of methyl bromide has certainly diminished greatly since the 2007 COI draft it has not been eliminated. It is still manufactured, transported and used in the United States. And, as this notice indicates, its efficacy as a fumigant almost certainly insures that it will not be eliminated from commerce in the foreseeable future.

DHS needs to reconsider its delisting of methyl bromide as a release toxic chemical on its CFATS COI list.

Select Agents and Toxins Update ANPRMs

In separate rulemaking activities today the Centers for Disease Control (CDC) and the Animal and Plant Health Inspection Service (APHIS) both published advance notices of rulemaking (ANPRMs) in today’s Federal Register concerning the updating of the Select Agent and Toxins list. The CDC action (80 FR 10556-10558) and the APHIS action (80 FR 10527) are both routine biennial reviews mandated by Congress.

There are two separate lists maintained by these agencies based on separate congressional mandates. The CDC list is specifically targeting agents and toxins that affect humans while the APHIS list is for those targeting plants and animals. There is some overlap of the two lists.

The CDC is considering removing six agents from the HHS List of Select Agents and Toxins:

APHIS is not currently considering the addition or deletion of any specific agent or toxin from their List of Select Agents or toxins.

Both agencies are soliciting public comments. Comments may be submitted via the Federal eRulemaking Portal (; CDC comments would be filed under docket CDC-2015-0006 and APHIS comments under docket APHIS-2014-0095. Comments for both ANPRMs should be filed by April 28th, 2015.

Thursday, February 26, 2015

House Rules Committee Meeting on DHS CR

This evening the House Rules Committee is meeting to formulate the rule for the consideration of HJ Res 35, a short term continuing resolution for the FY 2015 spending for the Department of Homeland Security. This CR will extend the current DHS funding deadline until March 19th.

The Senate is scheduled to have a series of votes on HR 240, the FY 2015 DHS spending bill. The final vote will be on an amended version of the bill that does not have the immigration provisions repealing some of the actions that the President has recently taken under administrative orders. Once that version passes in the Senate the House will either have to acquiesce to those changes or request a conference committee to resolve the differences.

The House Republican leadership is currently unwilling to agree to the changes in HR 240 and the Senate Democrats have announced that they would object to a conference, so it is unlikely that a final vote on HR 240 would be able to be completed before midnight tomorrow night when the current CR deadline runs out.

The two and a half week extension would likely allow the Senate to finish work on a bill that addresses the immigration issues covered in the House version of HR 240. Sen. McConnell (R,TN) got Democrats to agree to allow such a bill to come to the floor in exchange for his bringing a clean version of HR 240 to the floor. The House Republicans could then pass that bill to get the immigration issue ‘dealt with’. The pressure would then be off the Republicans to demand such action in the appropriations bill.

The Committee will almost certainly call for a closed rule with limited debate to allow the bill to come to a vote tomorrow morning. This would allow the Senate to take up the bill in the afternoon, effectively stopping a DHS shutdown.

ICS-CERT Publishes IntraVue Advisory

This afternoon the DHS ICS-CERT published an advisory for a code injection vulnerability in Network Vision’s IntraVue software. The vulnerability was reported by J├╝rgen Bilberger from Daimler TSS Gmbh.. Network Vision has developed a new version which mitigates the vulnerability, though there is no indication that Bilberger has had a chance to validate the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to execute arbitrary code on the IntraVue system. Since this is an industrial Ethernet visualization and control development tool this vulnerability could conceivably give an attacker virtual network control.

Bills Introduced – 02-25-15

There were 66 bills introduced yesterday in the House and Senate. Only one of those bills might be of specific interest to readers of this blog:

HR 1073 To amend the Homeland Security Act of 2002 to secure critical infrastructure against electromagnetic threats, and for other purposes. Rep. Franks, Trent [R-AZ-8]

I suspect that this will be very similar to HR 3410 introduced last session by Rep. Franks. That bill passed in the House on a voice vote, but was never acted upon in the Senate.

Wednesday, February 25, 2015

DHS Updates CFATS Website

Today the folks at DHS ISCD updated some of the web sites associated with the Chemical Facility Anti-Terrorism Standards (CFATS) program. The updated pages include:

The changes were made to reflect the passage of HR 4007 during the last session. The only substantive change to date (beyond the mention of the new CFATS authorization language) is a link to a copy of 6 USC §621 et seq. This is where the new CFATS authorization language is found. Interestingly the Department had to use a congressional web site for this link since the GPO web site for the US Code is not due for the 2014 update for a couple of months yet.

There is a brief mention of the new expedited approval process for Tier 3 and Tier 4 facilities that I have previously described in some detail. No details are provided beyond mentioning that DHS “expects the guidance to be issued in the summer of 2015”. As I mentioned in an earlier post, Congress set the deadline for publishing that guidance at 180 days after passage of HR 4007 which would be July 16th.

I am surprised that DHS does not mention the grandfathering of existing site security plans (SSPs) in these updated web pages. There has still not been any official pronouncement about the status of SSPs approved after December 18th. Those approved before that date will not have to be renewed for the new CFATS authorization language by congressional mandate. Plans approved after that date do not have that official protection.

Job Search – February 25, 2015

Those of you who follow me on TWITTER or LinkedIn will probably remember my mentioning a couple of weeks ago that I had been laid-off from my full-time job. The sharp drop in crude oil pricing has left lots of good people in and around the oil patch out of work. Now I don’t cover a lot of personal stuff in this blog, but I am mentioning this because my current job search may have an effect on the continuation of this blog.

The Blog and Employers

My last two employers both knew about the existence of this blog and my sometimes adversarial relationship with a couple of government agencies. I knew that a number of employers would object to having one of their employees publicly criticizing agencies that the company would have to deal with so I was very upfront with both employers about the blog. Neither objected to me continuing the blog as long as my association with them was not connected with the blog in any way. That was the reason for my employer being listed as “Unnamed Chemical Company” on my LinkedIn profile for the last two years.

I realized that if they had objected to my continuing the blog that I would have had to decide between paying the bills and continuing to write about chemical safety and security issues. Needless to say keeping a roof over the wife’s head would take precedence.

As I start the job search process again, I know that this issue will have to be discussed with any potential employer. Again, if forced to choose, I know which way that I would have to jump.

Making the Blog Pay

Now I certainly think that I have been providing a valuable service to both the government and industry (and yes even some advocacy groups) over the years with this blog. This isn’t just my ego talking (though it does come into play) as I have been told this by a number of readers from a wide variety of backgrounds over the last seven plus years of writing this blog.

As I have mentioned on a number of occasions I am a bit of a chemical safety and security preacher. I enjoy what I am doing and I really want to continue being a voice of reason and concern in this field. As such I would like to take this opportunity to officially expand my job search to include looking for someway to make the Chemical Facility Security News my official ‘keeping a roof overhead’ job.

Now, I don’t think that there is enough readership associated with this blog to make attempting to make it a subscription service workable. I don’t know exactly how many readers I have, but it certainly isn’t large enough (even if they were all willing to pay for the service) to pay a salary and the associated overhead of running a subscription web site.

There have been a number of organizations over the last seven years that have tried to make a go of maintaining a chemical security/safety web site blog. The only ones that are still around are blogs run by commercial organizations with the blog and associated web sites supporting that organization’s operations.

 One of the things that has made my blog popular is the fact that I am not shilling for anyone; my views are my opinions, not fettered by any commercial agenda. I would like to maintain that editorial independence if I can. So essentially selling this blog to some commercial enterprise is probably something that I would only consider as a last resort.

Another possible option is to obtain some sort of grant (federal or corporate) money for continuing the blog. I’m not sure how to find such stuff, but I’ll start looking through the internet. If anyone is aware of such grant type funding, please let me know.

Separate Freelance Operation

Another option (and probably the most likely) is to hire my pen out to others. I have done this for a couple of different sites over the years; sometimes for pay, sometimes just for exposure. At this point, however, I think that I need to do it for pay. If anyone knows of a website or periodical that needs chemical security or safety content please put them in contact with me.

I have tried this in the past, but most freelance writers starve. I am in a bit better position as I attempt this now since I have an already (narrowly) established reputation. I’ll be contacting various editors that I have come in contact with in the last couple of years, letting them know that my services are generally available. If anyone is aware of any corporate interests in need of writing services in this field, please let me know or provide them with my contact information.

Still Looking for Process Chemist Job

While writing this blog full time is what I really like to do, I am not going to stop looking for a process chemist position. I really do enjoy that work as well and would be a valuable asset to any chemical manufacturing facility that would employ me. If anyone knows of any such opportunities please let me know.

Bills Introduced – 02-24-15

With both the House and Senate in session yesterday there were 61 bills introduced. Seven of those bills may be of specific interest to readers of this blog:

HR 1022 To amend the Homeland Security Act of 2002 to authorize the use of Urban Area Security Initiative and State Homeland Security Grant Program funding to counter violent extremism. Rep. Walker, Mark [R-NC-6]

HR 1024 To provide for the compensation of furloughed Department of Homeland Security employees in the event of a lapse in Department of Homeland Security appropriations, and for other purposes. Rep. Beyer, Donald S., Jr. [D-VA-8]

HR 1043 To establish the Railroad Emergency Services Preparedness, Operational Needs, and Safety Evaluation (RESPONSE) Subcommittee under the Federal Emergency Management Agency's National Advisory Council... Rep. Kind, Ron [D-WI-3] 

S 542 A bill to enhance the homeland security of the United States, and for other purposes. Sen. Coats, Daniel [R-IN]

S 545 A bill making continuing appropriations for Coast Guard pay in the event the Consolidated and Further Continuing Appropriations Act of 2015 expires and the Department of Homeland Security... Sen. Thune, John [R-SD]

S 546 A bill to establish the Railroad Emergency Services Preparedness, Operational Needs, and Safety Evaluation (RESPONSE) Subcommittee under the Federal Emergency Management Agency's National Advisory... Sen. Heitkamp, Heidi [D-ND] 

S 554 A bill to provide for the compensation of Federal employees affected by a lapse in appropriations. Sen. Cardin, Benjamin L. [D-MD]

Three of the bills (HR 1024, S 545, S 554) would ensure that all or some of the employees affected by a temporary shutdown of the Department of Homeland Security because of the current spending-immigration squabble would be paid for their required performance of their duties during the shutdown. If there is no shutdown of DHS these bills will not go any further than their introduction. In any case I probably won’t mention these bills again unless there is something particularly unusual in their wording.

Two bills (HR 1043 and S 546) would set up an advisory committee (okay subcommittee, but that is probably nothing more than a technicality) to deal with railroad emergency response matters. This almost certainly is being considered due to the crude oil train derailments over the last year or so.

HR 1022 will almost certainly help spread around the Urban Area Security Initiative and State Homeland Security Grant Program monies, but probably won’t increase the amount of money available. The new players will appreciate the move, everyone else will get their funding cut.

Finally, Sen Coats gets the day’s award for the most meaningless bill title for S 542. We will have to wait and see if it really means anything.

Tuesday, February 24, 2015

ICS-CERT Publishes Three Advisories

This afternoon the DHS ICS-CERT published three advisories in control systems from Schneider, Kepware and Software Toolbox.

Schneider Advisory

This advisory describes a buffer overflow vulnerability in the Schneider Invensys SRD Control Valve Positioner. The vulnerability was reported by Ivan Sanchez from Nullcode Team. Schneider has produced a new version of the software that mitigates the vulnerability, but there is no indication that Sanchez has verified the efficacy of the fix.

ICS-CERT reports that a local user is required to load a malformed DLL file before the vulnerability is exploitable. A successful exploit could result in arbitrary code execution. Schneider reports that once the DLL file is loaded the vulnerability is remotely exploitable. They don’t mention anything about loading a ‘malformed DLL file’; it is apparently a DLL file that is part of the software package.

Kepware Advisory

This advisory describes a resource exhaustion vulnerability reported by Crain and Sistrunk (back in December 2013 according to Adam Crain) in the Kepware DNP Master Driver. Kepware has produced a new version that mitigates the vulnerability, though there is no indication that Crain or Sistrunk have verified the efficacy of the fix.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to crash the OPC Server.

The ICS-CERT discussion of the vulnerability appears to imply that a similar vulnerability might be found in other implementations of the DNP3 protocol. It notes that there is a DNP3 Application Note addressing the situation.

This looks like it was one of two remaining unresolved DNP3 vulnerabilities listed on the Project Robus website.

Software Toolbox Advisory

This advisory is a near duplicate of the Kepware advisory discussed above except that it involves the Software Toolbox Top Server. If this is, in fact, the second unresolved DNP3 vulnerability listed on the Project Robus site, I kind of suspect that these two vendors may be the only two with this specific implementation issue. Crain-Sistrunk would have looked for this in other implementations; they are kind of thorough that way.

Bills Introduced – 2-23-15

Just the Senate was in session yesterday and only 8 bills were introduced. Only one of those may be of specific interest to readers of this blog:

S 532 A bill to improve highway-rail grade crossing safety, and for other purposes. Sen. Blumenthal, Richard [D-CT]

My attention was caught by the “and for other purposes” portion of this title. We will have to wait and see if that includes any restrictions on the movement of hazardous materials; probably not.

Sunday, February 22, 2015

Committee Hearings – Week of 2-22-15

The House and Senate will both be back in town this week after spending some time in their districts. There will be a number of budget hearings, but only one of specific interest to readers of this blog; the Coast Guard budget. Cybersecurity will be an additional topic this week as will DHS performance and domestic terrorism.

Coast Guard Budget

The House Transportation Committee’s Subcommittee on Coast Guard and Maritime Transportation will be holding a hearing on Wednesday to look at the President’s budget proposal for Coast Guard spending in FY 2016. This will almost certainly be a ‘high-level’ review with little probability of chemical safety or security being mentioned, much less discussed in any detail.

Cybersecurity Information Sharing

On Wednesday the House Homeland Security Committee will be holding a hearing on “Examining the President’s Cybersecurity Information Sharing Proposal." Administration witness from DHS will be heard and there will be a report from the Congressional Research Service (CRS).

Watch the questioning at this hearing to see how close the two sides are achieving a consensus on the information sharing issue. Pay careful attention to see if Congress may take a wait and see response to the President’s actions as a way to avoid action on legislation this year.

DHS Oversight

The House Homeland Security Committee’s Subcommittee on Oversight and Management Efficiency will be holding a hearing on Thursday looking at “Assessing DHS’s Performance: Watchdog Recommendations to Improve Homeland Security.” No witness list has been published, but I suspect that it will be academics and think tanks.

There is a slight chance that the pending changes to the CFATS program will be mentioned, but, if it is, there won’t be many details discussed.

Domestic Terror Threat

Subcommittee on Crime, Terrorism, Homeland Security, and Investigations of the House Judiciary Committee will be holding a hearing on Thursday looking at “ISIL in America: Domestic Terror and Radicalization.” There is no witness list currently available.

There might be a passing mention of cybersecurity, but almost certainly nothing about chemical security.

On The Floor

The 800 lb gorilla this week is the Friday deadline to pass the FY 2015 spending bill for the Department of Homeland Security. The House passed HR 240 last month, but the Senate has not been able to overcome Democratic opposition to the immigration riders to actually be able to start debate on the measure. At least one more attempt will be made to get cloture on this bill this week.

There is an interesting indication that the House expects to see a revised version of HR 240 come back to the House for a vote this week. The Majority Leader’s web page mentions ‘possible consideration of HR 240’ later in the week. If the Senate can’t bring the bill to the floor in that body this week, there may be a short term continuing resolution coming out of the House.

There is always the possibility, however, that both sides will expect the other side to get the blame for a shutdown and thus let the whole matter slide past Friday. Most of DHS will continue working for ‘national security’ reasons, though it will be ‘without pay’ (back-pay for those that had to work would probably be included in the final bill that does eventually get worked out). The CFATS program would not, however, be covered under that provision.  Chemical security inspectors would not get paid, but they could spend the time with their families.

Thursday, February 19, 2015

ICS-CERT Publishes Another Siemens Advisory

This morning the DHS ICS-CERT published another advisory for twin vulnerabilities in the Siemens SIMATIC STEP 7 TIA Portal. Each advisory was separately discovered by Quarkslab team and Dmitry Sklyarov with PT-Security. Siemens has produced a patch to mitigate the vulnerabilities, but there is no indication that either research team has been given the opportunity to verify the efficacy of the patch.

The two vulnerabilities are:

● Man-in-the Middle vulnerability - CVE-2015-1601; and
● Use of password with insufficient computational effort - CVE-2015-1602

ICS-CERT reports that it would be moderately difficult to construct a workable exploit for these two vulnerabilities. Siemens reports that access to the network path between client and server would be required for the first vulnerability and access to TIA project files would be required for the second.

Why Siemens

At some point we have to wonder why we are seeing so many Siemens advisories. In many cases (but certainly not even most) the answer is self-reporting and that is a mark of a current commitment to security. But sooooo many vulnerabilities, surely that is the sign of a basic problem?

Yes, there were certainly problems with the way that most of these programs were originally written. The mistakes we are seeing seem so basic now, but that is because we have been seeing them throughout the industry for the last few years. Siemens is not paying for the mistakes that they and most of the rest of the industry made back when security was a ‘non-issue’ because control systems were air gapped and so hard to understand.

Siemens is now facing much the same problem that Micrsoft faced twenty years ago. Because of their size, familiarity and availability, researchers around the world are taking a hard look at Siemens products, knowing that they are going to find vulnerabilities. It many not be quite shooting fish in a barrel, but it is certainly fishing in a freshly stocked pond.

Many of these researchers are going to start to move on to the other suppliers in the field using the skills they honed on working on Siemens gear. There will be more advisories for other vendors and people will laugh at how easy they were to find; unless the other vendors internalize the searches and fix them before the researchers find them.

And the Siemens advisories will continue. Siemens makes ever more complex products; with more and more capabilities. Mistakes will be made. More importantly researchers (of whatever hat color) are also getting more and more sophisticated. They will find new types of vulnerabilities that we have not even thought about yet. Security designers and researchers will continue to be locked in a war of improving capabilities. And we users; we will be better for it.

Wednesday, February 18, 2015

More Information on WV Derailment

As clean up after Monday’s crude oil train derailment in West Virginia begins new information is starting to become available; some of it contradicts initial reports. As is typical for chemical related accidents in West Virginia a good source of information continues to be the Charleston Gazette.

No Water Contamination

One of the major concerns on Monday was the possible contamination of drinking water supplies by crude oil spilled into the Kanawha River. Early reports indicated that at least one crude oil tanker was in the river and there were even reports of oil burning on the river. It turns out that no tankers ended up in the water or were really even close to the river.

Given last year’s Freedom Industry spill it is understandable that local residents were concerned about drinking water contamination. Fortunately, safety procedures put into place after that spill were immediately implemented. This included shutting off water intakes on the river down stream of the accident and water testing by the West Virginia National Guard.

Newer Tank Cars

As with all of these crude oil train accidents initial concerns were focused on the relatively fragile DOT 111 railcars that make up a large portion of the crude oil transport fleet. It turns out that the cars involved in this shipment were the slightly newer CPC 1232 railcars that are supposed to hold up to derailments better than the older DOT 111 cars.

While we are still waiting on OMB to approve the PHMSA High-Hazard Flammable Trains final rule, it is interesting to note that last fall’s NPRM included upgrades to the CPC 1232 railcar design that would lessen the chance of crude oil discharges in accidents like this. We will have to wait and see if those changes made it into the final rule (I expect that they did) and what the timetable will be for their implementation.

Looking at photos of the derailment it certainly looks like the results of the accident could have been much worse if these had been DOT 111 cars; particularly if they had been the older models. One good side of the current cutback in crude oil production, many of those DOT 111 cars will be among the first idled.

Cause of Accident

We are still way early in the accident investigation process so it is premature to call out any possible cause of the derailment. I do find it interesting to look at a close up picture of a portion of the track where the accident occurred. The track is severely damaged. What is not clear is if this damage was caused by the accident or if it was the cause of the derailment. CSX is reporting that the track had been inspected just last week.

Political Fallout

As with each of these crude oil train derailments there have been numerous calls for federal action to prevent the derailments and reduce the possibility of the related spills, fires and explosions. I expect that there will be added pressure on OMB to quickly approve the PHMSA rule now under consideration.

HR 726 Introduced – NSA Backdoors

As I mentioned earlier Rep. Lofgren (D,CA) introduced HR 726, the Secure Data Act of 2015. While the bill does not specifically mention the National Security Agency (NSA) it was obviously written in response to revelations that the NSA obtained backdoor access to various computer systems and software. Similar bills (HR 5800 and S 2981) were introduced last year during the close of the 113th Congress without any subsequent action.

The bill’s requirements are fairly straightforward. It states that no government agency “may mandate or request that a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency” {§2(a)}.

The one loop hole in this bill that I identified in my discussion of the bills introduced last year remains in the definition of ‘covered products’. That term is defined as “any computer hardware, computer software, or electronic device that is made available to the general public[emphasis added]”  {§2(c)(2)}. It could certainly be argued that servers and the software for many internet based services are not ‘available to the general public’.

The bill is careful to ensure that the language does not interfere with court ordered access to digital communications as authorized under 47 USC 1001 et seq. Even those provisions prohibit law enforcement agencies from requiring “any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services” {47 USC 1002(b)(1)(A)}.

I suspect that if this bill were to make it to the floor of the House that it would pass with substantial bipartisan support. The question is if Lofgren has the political connections to get this bill considered in either of the two committees to which it has been referred. She is a member of the Judiciary Committee so I would expect that this would be the first committee to see any action on this bill.

Tuesday, February 17, 2015

ICS-CERT Publishes 3 Advisories and an Update

Today the DHS ICS-CERT published an update of a Siemens advisory from last year, two new Siemens advisories and an advisory for Yokogawa. Siemens also updated their GNU Bash advisory but that did not necessitate an update of the ICS-CERT supplement for that vulnerability.

Siemens Update

As I predicted ICS-CERT had to issue update ‘G’ to their Siemens OpenSSL Advisory. They did me one better though. They waited until Siemens published the notice of the availability of the update for APE V2.0.2 and ROX V2.6.0 with ELAN before they updated the advisory. This should effectively close out this set of vulnerabilities.

Yokogawa Advisory

This advisory concerns the HART DTM vulnerability for Yokogawa devices that use the CodeWrights  DTM library. The language in this advisory is the same as that found in the latest CodeWrights advisory. The only odd thing about this advisory is that Yokogawa was not listed as a CodeWrights customer on that earlier advisory. I wonder how many other vendors will also turn out to be affected.

Note: Both the Yokogawa advisory and the JP CERT advisory referenced in the ICS-CERT document are in Japanese. I would have thought that Yokogawa would have produced an English language version for the US market.

Siemens WinCC TIA Portal Advisory

This advisory describes twin authentication vulnerabilities in the Siemens WinCC TIA Portal. The vulnerabilities were originally reported by Gleb Gritsai, Roman Ilin, Aleksandr Tlyapov, and Sergey Gordeychik from Positive Technologies. Siemens has produced a new service pack that mitigates these vulnerabilities, but there is no indication that the researchers were given the opportunity to verify the efficacy of the fix.

The two vulnerabilities are:

● Insufficiently protected credentials - CVE-2015-1358; and
● Hard coded cryptographic key - CVE-2014-4686 (NOTE: This same vulnerability was reported by the same researchers in Siemens WinCC last July)

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to reconstruct passwords or escalate privileges on the network. Siemens notes that an exploit of the first vulnerability requires capturing network traffic of the remote management module.

Siemens WinCC Step 7 TIA Portal Advisory

This advisory describes twin authentication vulnerabilities in the WinCC Step 7 TIA Portal. The vulnerabilities were reported by Aleksandr Timorin from Positive Technologies. Siemens has produced a service pack that mitigates the vulnerabilities but there is no indication that Timorin has been given the opportunity to verify the efficacy of the fix.

The vulnerabilities are:

● Weak password hashing - CVE-2015-1355; and
● Permissions, privileges and access control - CVE-2015-1356

ICS-CERT reports that an exploit would require a social engineering attack that could result in remote exploitation of this vulnerability to reconstruct passwords or gain permission to access the system.  Siemens notes that the second vulnerability requires local access to the TIA project file.

HR 702 Introduced – Export of Crude Oil

As I noted earlier, Rep. Barton (R,TX) introduced HR 702, a bill to adapt to changing crude oil market conditions (for some reason no fancy name was included in the language of this bill). The bill would remove restrictions on the export of coal, petroleum products, natural gas, or petrochemical feedstocks.

Removing Export Restrictions

The bill is very short with just four sections. The first section outlines the ‘congressional findings’ that provide the reasons for the actions outlined in the bill. Those findings relate to the changing international oil market and the fact that the United States has drastically increased its domestic production of crude oil.

The second section of the bill repeals 42 USC 6212. This was passed by Congress in 1979 during the ‘second oil crisis’ and authorized the President to draft regulations to control the exports of “coal, petroleum products, natural gas, or petrochemical feedstocks” {42 USC 6212(a)(1)} as well as the supplies, equipment and technology used to “maintain or further exploration, production, refining, or transportation of energy supplies” {42 USC 6212(a)(2)}. Thus this bill would remove the authorization for any such regulations. This repeal would potentially affect much more than the export of just the crude oil mentioned in the congressional findings.

The third section of the bill would reinforce the repeal of §6212 by specifically prohibiting the action of any federal agency to “impose or enforce any restriction [emphasis added] on the export of crude oil”. This was done to insure that any export controls not based upon §6212 could not be used to control the export of crude oil.

Unintended Consequences

This §3 language reflects a general mistrust for the current administration (and perhaps government in general). Unfortunately the broad language of this section (starting with the ‘Notwithstanding any other provision of law’) could potentially be used to justify the avoidance of hazmat shipping restrictions of crude oil at various stages of the crude oil export supply chain. Given the problems seen with some of the rail the shipments of Bakken crude oil, this was probably not the intent of Rep. Barton. But, wide sweeping language frequently carries unintended consequences.

The Inevitable Study

Section four of this bill would require the Secretary of Energy to conduct a study and report to Congress on “on the appropriate size, composition, and purpose of the Strategic Petroleum Reserve”. The report would be due to Congress within 120 days of passage of the bill.

Moving Forward

Given the current world price for oil it is unlikely that there will be any urgent push for passing this bill. This bill would almost certainly be able to pass in the House given the Republican majority. Whether this bill could garner enough Democratic support to overcome a liberal filibuster in the Senate is another question entirely. Modification of the language in Section 3 might increase those chances.

NOTE: HR 666, the earlier version of this bill that was essentially ignored by its author due to the assigned bill number, has identical language. No one will touch that bill.

Monday, February 16, 2015

Crude Oil Train Derailment in WV

The latest crude oil train derailment just occurred this afternoon in West Virginia in Kanawha County. As is fairly typical in WV the railroad track parallels the Kanawha River and a number of the rail cars have apparently ended up in the river. Fires and explosions have been reported in association with this accident.

The derailment took place upstream of Charleston, WV which had problems last year with the Freedom Industries spill. Local news reports have been very careful to announce that water intakes downstream of the spill have been closed to avoid contamination of the drinking water systems with the spilled crude oil.

More information will certainly be available in coming days.

OMB Approves FAA Drone Rule

On Friday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the FAA’s notice of proposed rulemaking (NPMR) on the Operation and Certification of Small Unmanned Aircraft Systems (sUAS). This is the same ruling that the FAA and the TSA held a joint media call about yesterday. A draft of the NPRM is available and will probably be published in the Federal Register this week.

The sUAS rules would apply to unmanned aircraft that weigh under 55 lbs. The NPRM would contain a proposal to set a subcategory of micro UAS category for UAS that weigh under 4.4 lbs. A number of additional restrictions would apply to both categories of UAS.

An operator of either type UAS would be required to have a ‘unmanned aircraft airman certificate” which would include a requirement for vetting by the DHS Transportation Security Administration (TSA).

I don’t see anything that would specifically prohibit flying micro UAS or sUAS over critical infrastructure facilities unless they were already covered under existing FAA restrictions. I’ll be going into more detail on this when it is published in the Federal Register.

Friday, February 13, 2015

Bills Introduced – 02-12-15

There were 129 bills introduced in the House and Senate yesterday. Only one of those may be of specific interest to readers of this blog:

HR 910 To amend title 23, United States Code, to provide eligibility under certain highway programs for projects for the installation of vehicle-to-infrastructure communication equipment, and for other... Rep. Miller, Candice S. [R-MI-10]

My main interest in following this bill is to see what sort of cybersecurity provisions are included.

Thursday, February 12, 2015

Bills Introduced – 2-11-15

Yesterday there were 76 bills introduced in the House and Senate. Three of those may be of specific interest to readers of this blog:

HR 861 - Making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2015, and for other purposes. Rep. Cummings, Elijah E. [D-MD-7]

HR 878 - To provide for the authorization of border, maritime, and transportation security responsibilities and functions in the Department of Homeland Security and the establishment of United States Customs...Rep. Miller, Candice S. [R-MI-10]

S 456 - A bill to codify mechanisms for enabling cybersecurity threat indicator sharing between private and government entities, as well as among private entities, to better protect information systems. Sen. Carper, Thomas R. [D-DE]

HR 861 is almost certainly a ‘clean’ FY 2015 appropriations bill for DHS. Since Rep. Cummings is a Democrat and not on either the Appropriations Committee nor the Homeland Security Committee this bill has almost no chance of being considered.

I think that recent press reports about the President’s cybersecurity bill being introduced in the Senate refer to this bill (almost no one else reports bill numbers), but according to Sen. Carper’s press release this bill is a blend of the Administration’s bill and “insights and advice from our Committee’s hearing on the topic earlier this month”. According to the release the bill will:

● Authorizes sharing and provides liability protections;
● Sharing within the government and protection of information;
● Government to industry sharing and improved coordination; and
● Builds in strong privacy protections.

The same could be said for a number of information sharing bills, but the devil is in the details. We’ll have to see what the bill actually says.

Wednesday, February 11, 2015

Bills Introduced – 2-10-11

Yesterday there were 75 bills introduced in the House and Senate. Just three of those bills may be of specific interest to readers of this blog:
HR 830 To amend the Robert T. Stafford Disaster Relief and Emergency Assistance Act to reauthorize the predisaster hazard mitigation program. Rep. Carson, Andre [D-IN-7]
HR 844 To require a plan approved by the Surface Transportation Board for the long-term storage of rail cars on certain railroad tracks. Rep. Kline, John [R-MN-2]
S 443 A bill to prohibit the long-term storage of rail cars on certain railroad tracks unless the Surface Transportation Board has approved the rail carrier's rail car storage plan. Sen. Klobuchar, Amy [D-MN]
HR 844 and S443 probably have to deal with the storage of unused crude oil tank cars. With the decreasing price of crude oil due to the current world oversupply a number of these cars have been temporarily taken out of service. They have to be put somewhere and a common place has been unused rail lines in rural areas. There have been concerns expressed about the safety and security of such rail cars and I expect that these bills will attempt to deal with the issue.

ICS-CERT Publishes an Update, an Advisory and an Alert

Yesterday the DHS ICS-CERT published an update for a Siemens advisory, a new advisory for an Advantech product line, and an alert for a Microsoft vulnerability.
Siemens Update
This update is for an WinCC advisory that was originally published last November. This update provides notification that the last affected system (WinCC 7.0 SP 3) now has an update available to mitigate the vulnerability. Siemens published their update last week.
Advantech Advisory
This advisory describes a buffer overflow vulnerability in the Advantech EKI-1200 MODBUS Gateway product line. The vulnerability was originally reported by Enrique Nissim and Pablo Lorenzzato of the Core Security Engineering Team in a coordinated disclosure. ICS-CERT reports that Advantech has a patch that mitigates the vulnerability but there is no indication that the researchers have validated that fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to execute arbitrary code.
Microsoft Alert
This alert describes a critical security update for the Microsoft Windows operating systems. The JASBUG vulnerability was first reported by four different researchers, including Jeff Schmidt at Global Advisors. Microsoft has produced an update that mitigates the vulnerability, but there is no indication that the researchers have been given the opportunity to verify the efficacy of the update.
ICS-CERT reports that an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

ICS-CERT notes that just processing the update does not fix the vulnerability. Additional actions need to be taken by the system administrator before the fix actually mitigates the vulnerability.

DHS Updates CFATS Knowledge Center

Yesterday the folks at DHS Infrastructure Security Compliance Division (ISCD) updated the CFATS Knowledge Center. They added a link in the Documentation section of the page for the February 2012 CFATS Update and removed older copies of the Update.

Interestingly there is still no mention of the passage of HR 4007 and its potential impact on the CFATS program.

Tuesday, February 10, 2015

EPA Sends 2016 Methyl Bromide CUE to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) reported that it had received the 2016 Critical Use Exemption from the Phaseout of Methyl Bromide notice of proposed rulemaking from the EPA. This is almost a full month earlier than last year’s rulemaking on this topic.

NOTE 1: For some reason this annual rulemaking did not make it into the Fall 2014 Unified Agenda.

NOTE 2: I’ll same my standard methyl bromide COI rant until the NPRM is actually published.

Sunday, February 8, 2015

Committee Hearings – Week of 2-8-15

Both the House and Senate will be in Washington this week. There are a number of threat/intel type hearings on the House side of the Capital and one internet of things (IOT) hearing in the Senate. Other than that, nothing of potential specific interest to readers of this blog.


None of the currently scheduled threat/intelligence hearings are specifically looking at chemical security. Cybersecurity will be specifically addressed in one hearing, but there will probably not be any significant discussion of control system security issues. And, of course, there will be no actionable threat information discussed; these are all open hearings. But you never can tell what interesting tidbits might be dropped. The three hearings are:

Countering Violent Islamist Extremism: The Urgent Threat of Foreign Fighters and Homegrown Terror." Committee on Homeland Security Wednesday
State Sponsor of Terror: The Global Threat of Iran Subcommittee on Terrorism, Nonproliferation, and Trade (Committee on Foreign Affairs) Wednesday
Emerging Threats and Technologies to Protect the Homeland Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies (Committee on Homeland Security) Thursday

Internet of Things

On Wednesday the Senate Commerce, Science and Transportation Committee will be holding a hearing on The Connected World: Examining the Internet of Things. This is going to be an anti-regulation hearing as can be seen by the following statement from Chairman Thune:

By engaging early in this debate, Congress can ensure that any government efforts to protect consumers are tailored for actual problems and avoid regulatory overreach.”

Since Thune will be one of the controllers of what cybersecurity legislation will pass in the 114th Congress, the tenor of his questions during this hearing will provide some valuable insight into what kind of legislation on cybersecurity issues we might see coming out of his Committee.

On the Floor

The Senate will continue to play chicken with HR 240, the FY 2015 DHS spending bill. The Republicans obviously don’t have the vote to bring the bill to the floor for a vote and the Democrats don’t have the votes to remove the restrictions on the President’s immigration executive actions. At some point before the February 27th deadline I expect Majority Leader McConnell bring a clean bill to the floor which will pass with a close bipartisan vote.

The House will bring a trio of homeland security related bills to the floor under suspension of rule. Of specific interest to readers of this blog will be HR 710. Rep Jackson-Lee’s (D,TX) bill was introduced last Wednesday and still hasn’t been published by the Government Printing Office. I suspect that it is a repeat of last session’s HR 3202 which passed easily in the House but was not taken up by the Senate. It will pass again this week with large bipartisan support.

Friday, February 6, 2015

DOT Tank Car Final Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a copy of DOT’s final rule on Enhanced Tank Car Standards and Operational Controls for High-Hazard Flammable Trains from the Pipeline and Hazardous Material Safety Administration (PHMSA).

The notice of proposed rulemaking (NPRM) for this rule was published just a little over six months ago. With the large number of comments (over 3,000) received on that NPRM it is remarkable that PHMSA was able to get a final rule to OMB in just over six months. It is, frankly, a measure of the political pressure the Administration is under to ‘get something done’ on this issue.

Because of the complexity of the issues involved and the amount of political pressure on both sides of the issue, there is no telling how long it will take OMB to clear this final rule for publication. In the little over two months that OIRA considered the NPRM it held 19 reported meetings with interested parties. I expect that a similar number will be held during the consideration of this final rule.

Thursday, February 5, 2015

ISC-CERT Updates DTP and HART-DTM Information

Today the DHS ICS-CERT published two new HART-DTM related advisories, updated the CodeWrights HART-DTM advisory, updated the NTP Advisory and published their promised NTP supplement. It was a busy information afternoon for ICS-CERT.

NTP Information

The third update to the ICS-CERT advisory on the NTP vulnerabilities was simply a change to add a link to the promised supplement addressing vendor specific information about how those vulnerabilities are implemented in specific products. That Supplement currently lists affected products (and mitigation measures) from/for the following vendors:

Arbiter Systems;
● Innomoninate;
● Meinberg;
● Siemens; and
● Wind River System;

The Supplement does not currently list reportedly unaffected products. Updates to this Supplement are expected.

HART-DTM Information

The third update to the CodeWrights HART-DTM advisory provides some new information about affected systems, including adding Honeywell to the list of potentially affected vendors. Interestingly GE-MAKTec was not included on the list even though ICS-CERT published an advisory about their HART-DTM vulnerabilities today. The Update has also provided links to ICS-CERT advisories for Emerson, Honeywell, Magnetrol, and Pepperl+Fuchs.

There is some additional clarification about the potential impact of successful exploits of this vulnerability. ICS-CERT notes that it only affects the Field Device Tool (FDT) Frame Application. Since that application is only used for configuration changes, ICS-CERT reports that a successful exploit “does not result in loss of information, control, or view by the control system of the HART devices on the 4-20 mA HART Loop”.

ICS-CERT continues to emphasize how difficult it would be to craft an exploit for this vulnerability. Interestingly, they have removed the comments about compromised physical access to the 4 mA to 20 mA current loop. They emphasize that an exploit is possible from “any adjacent network that receives or passes packets from the HART Device DTM”.

The new advisories for Pepperel+Fuchs products and products from GE and MAKTec (GE provides the DTM software for the MAKTec Bullet Adapter DTM according to a GE Advisory) provide basically the same information as the current CodeWrights advisory.

Consistency of Information Sharing

It seems odd that ICS-CERT is issuing individual advisories for vendors affected by the HART-DTM vulnerability but issues a supplement for the advisory that lists those affected by the DTP vulnerability. In most ways it really does not make a difference which process ICS-CERT uses and they are under no mandate or obligation to maintain any sort of consistency in their methodology.

Having said that the multiple advisory process being used with the HART-DTM vulnerability does present a problem. The two advisories issued today share the same language as that found in the current version of the CodeWrights advisory. The Emerson and Magnetrol advisories share the language with the previous version of the CodeWrights advisory. This means that ICS-CERT really should have offered updates of those two advisories today as well. And when the next change takes place, they will have to update all five advisories (plus any others issued in the interim). Using the DTP advisory/supplement model, only one advisory needs to be updated when information on the base vulnerability changes.

Bills Introduced – 2-4-15

There were 82 bills introduced in the House and Senate yesterday. Five of the bills may be of specific interest to readers of this blog:

HR 702 To adapt to changing crude oil market conditions. Rep. Barton, Joe [R-TX-6]

HR 705 To amend the authorization in title 49, United States Code, for capital grants for rail line relocation projects. Rep. Maloney, Sean Patrick [D-NY-18]

HR 710 To require the Secretary of Homeland Security to prepare a comprehensive security assessment of the transportation security card program, and for other purposes. Rep. Jackson Lee, Sheila [D-TX-18]

HR 726 To prohibit Federal agencies from mandating the deployment of vulnerabilities in data security technologies. Rep. Lofgren, Zoe [D-CA-19]

S 356 A bill to improve the provisions relating to the privacy of electronic communications. Sen. Lee, Mike [R-UT]

HR 702 was actually introduced the day before, but it was assigned the number ‘HR 666’. Apparently this was considered a bad sign by Congressman Barton so the bill was re-introduced today. To be fair, anything that makes it hard for any member to vote for a bill is probably something to be avoided.

The two cybersecurity bills will probably not receive future mention here as I suspect that they are principally IT related bills. Control system language could creep in though.

Wednesday, February 4, 2015

ICS-CERT Updates NTP Advisory

Today the DHS ICS-CERT published an updated version of their advisory on the Network Time Protocol vulnerabilities. This is a fairly extensive update with five separate areas of the advisory being revised. The revisions deal with:

● The scope of the covered systems;
● The scope of the vulnerabilities;
● Additional background information;
● Additional mitigation information; and
● A link to a new document on best practices for using time reference services.

Scope Changes

ICS-CERT acknowledges in this new version that a number of vendor systems will be affected by this open source vulnerability. They note that they are working with vendors to determine which systems are specifically vulnerable. They will be publishing a supplement to this advisory that provides additional information on affected systems and unique mitigation measures.

In a rather unusual move ICS-CERT has added two new vulnerabilities to this advisory. They are:

● Authentication bypass by spoofing - CVE-2014-9297; and
● Improper check for unusual or exceptional conditions - CVE-2014-9298

Best Practices

This best practices document is interesting in a lot of ways. First off it has no organizational markings on it and it is prominently labeled “Unclassified”. This kind of leads me to believe that it may be a military document. There is a reference on page one to notifying the Coast Guard in case of a problem with a GPS signal.

About half of the document deals with GPS issues, about 1/3 deals with NPT issues and the remaining space is taken up with a discussion of Cessium clock issues and Time and Frequency Distribution System considerations.

Systemic Issues

We are seeing an increasing number of systemic vulnerabilities in industrial control systems that affect products from a number of vendors. These type issues make it easier for a serious attacker to develop tools that would be effective across a wide range of control system platforms. This would make things easier for people developing cyber-warfare weapons. A pretty sound argument could be made that a large portion of the ICS-CERT assets should be focused on these types of issues. Advisories of this sort (and the promised future updates and supplements) show that ICS-CERT is taking this type of issue seriously. Whether it is seriously enough, only time will tell.
/* Use this with templates/template-twocol.html */