Wednesday, September 30, 2015

CFATS PSP – A Month Later

It has been a month now since the OMB’s Office of Information and Regulatory Affairs (OIRA) approved the DHS information collection request (ICR) for the Chemical Facility Anti-Terrorism Standards (CFATS) program’s personnel surety program (PSP). Since then there does not seem to be much movement on implementing the program; but appearances can be deceptive.

It looks like we are waiting on the publication of two documents. First is a fact paper providing an overview of the newly approved ICR and how the folks at the Infrastructure Security Compliance Division (ISCD) plan to implement the DHS portion of the PSP. I understand that we might see that published on the CFATS Knowledge Center sometime this week. As usual, I will report on that as soon as I see it.

The next document will be a more formal implementation procedure published in the Federal Register. This will outline the changes that facilities will need to make to their existing site security plans to accommodate the implementation of PSP checks against the Terrorist Screening Database (TSDB). It will also provide more information about data submission for those facilities opting to use that PSP vetting technique.

A quick reminder, until further notice (a new ICR request) this portion of the PSP will only apply to Tier 1 and Tier 2 facilities under the CFATS program. Tier 3 and Tier 4 facilities will have the benefit of working under a somewhat revised program as the bugs are worked out before being applied to the much larger number of facilities.

The way that I understand it is that facilities will be individually notified when they are going to be required to implement this last portion of the PSP. This will allow the Chemical Security Inspectors (CSI; have I said recently how much I hate that acronym? I hear Pink Floyd every time I say or hear it) to work closely with facility management to implement the new requirements. I am hearing rumors that this will take place during facility compliance inspections.

I have not yet heard anything about new versions of the Registration Manual for the Chemical Security Assessment Tool (CSAT) that would have to be revised to reflect the use of 3rd party personnel organizations to submit PSP data to ISCD. Nor have I heard anything about a manual for a new PSP tool in CSAT.

I am beginning to suspect that ISCD is going to short-circuit the classic manual development process by this use of CSI so that a more responsive first pass of the manual is developed after the bugs are worked out. As much as I would personally wait to see the manual come out, a more effective version 1.0 would probably be a good thing.

Tuesday, September 29, 2015

ICS-CERT Publishes Siemens Update and Three New Advisories

Today the DHS ICS-CERT published a fifth update to a Siemens advisory originally published in April and most recently updated earlier in September. New advisories were also printed for control system products from Baxter, Mitsubishi and Honeywell.

Siemens Update

This update reports that Siemens has produced a new version of SIMATIC S7 V8.0 SP2 that mitigates the vulnerability. The updated Siemens security advisory explains that user will actually be using the update for SIMATIC WinCC V7.2 Upd11 to update the SIMATIC S7 V8.0 SP2.

Note: There is a minor typo on the ICS-CERT updated advisory. Before the red marked update there is an ‘extra’ listing for SIMATIC S7 V8.0 SP2 with an incorrect link.

Baxter Advisory

This advisory describes four vulnerabilities in the Baxter SIGMA Spectrum Infusion System. The vulnerabilities were reported by Jared Bird with Allina IS Security. Baxter has produced a new hardware and software versions which remove three of the four vulnerabilities. There is no indication that Bird has been provided the opportunity to verify the efficacy of the fix. This advisory was originally released to the US-CERT Secure Portal on June 30th, 2015.

The four identified vulnerabilities are:

• Use of hardcoded password, CVE-2014-5431 and CVE-2014-5434;
• Authentication bypass issues, CVE-2014-5432; and
• Cleartext storage of sensitive information, CVE-2014-543;

The uncorrected vulnerability is the hardcoded password that can only be accessed manually. The three other vulnerabilities are remotely exploitable by a relatively unskilled attacker.

There is no indication in this advisory that the FDA has been contacted, or if it has been contacted that it has issued an advisory on this device.

Mitsubishi Advisory

This advisory describes a denial-of-service vulnerability in the Mitsubishi MELSEC FX-series PLCs. The vulnerability was reported by Ralf Spenneberg of OpenSource Security. A new version of the PLC’s has been developed that does not have this vulnerability. There is no indication that Spennenberg has been provided an opportunity to verify the efficacy of the fix. This vulnerability was released on the US-CERT Secure Portal on May 26th, 2015.

ICS-CERT reports that moderately skilled attacker could remotely exploit this vulnerability to execute a DOS attack that would require re-booting of the PLC to recover.

ICS-CERT reports that older versions of the PLC (produced before April 2015) have not been fixed because Mitsubishi “cannot guarantee the quality of new firmware in old hardware”.

Honeywell Advisory

This advisory describes a directory traversal vulnerability in the Honeywell Experion PKS application. The vulnerability was reported by Joel Langill. Honeywell has patches for newer versions of Experion PKS that apparently (poor wording in the advisory) mitigate the vulnerability. There is no indication that Joel has been provided the opportunity to verify the efficacy of the patches.

ICS-CERT reports that a relatively low skilled could use publicly available exploits to remotely exploit this vulnerability to gain access to the host’s root directory.

ICS-CERT has assigned a 2007 CVE # to this vulnerability (CVE-2007-6483) that links to a similar directory traversal vulnerability in the Sentinel Protection Server. The BUGTRAQ report on that earlier vulnerability may be the source of the ‘publicly available exploit’.

NOTE: There is a typo in the Vulnerability Details portion of the advisory. Under ‘Existence of Exploit’ is lists: “An attacker with a low skill would be able to exploit this vulnerability.” The availability of a public exploit was reported earlier in the advisory.

HR 3583 Introduced – PREPARE Act

Last week Rep. McSally (R,AZ) introduced HR 3583, the Promoting Resilience and Efficiency in Preparing for Attacks and Responding to Emergencies (PREPARE) Act. The bill reauthorizes and makes minor modifications to a number of emergency response and planning grant programs. Program changes of specific interest to readers of this blog include

• Cybersecurity protections for Public Safety Broadband Network;
• DHS use of social networking; and
• The medical countermeasures program

FirstNet Cybersecurity

Section 206 of the bill requires the DHS National Protection and Programs Directorate Under Secretary to provide Congress with a report on the cybersecurity support that DHS is providing to the Department of Commerce FirstNet program. Specifically the Under Secretary is tasked with the requirement “to identify and address cyber risks that could impact the near term or long term availability and operations of such [public safety broadband] network and recommendations to mitigate such risks”.

Social Networking

Section 207 of the bill would add §318 to the Homeland Security Act of 2002. It provides for the establishment of a DHS Social Media Working Group. Alert readers of this blog will realize that I recently reported that the HR 623, with nearly identical language, has been reported in the Senate.

Medical Countermeasures Program

Section 303 of the bill would add §527 to the Homeland Security Act of 2002. It establishes a medical countermeasures program under the DHS Chief Medical Officer. The program is to be designed to “facilitate personnel readiness, and protection for working animals, employees, and individuals in the Department’s care and custody, in the event of a chemical, biological, radiological, nuclear, or explosives attack, naturally occurring disease outbreak, or pandemic” {new §527(a)}.

Moving Forward

McSally is the Chair of the Emergency Preparedness, Response, and Communications Subcommittee of the House Homeland Security Committee. The Committee Chair, Rep. McCaul, is cosponsor of this bill. So there is certainly the political will and power to move this bill forward.

The Subcommittee marked-up this bill before it was introduced. The full Committee markup is scheduled for Wednesday. I suspect that the bill will be approved by a voice vote without further amendment. If so it will move to the floor of the House before the end of the year; probably to be considered under suspension of the rules with little debate and no floor amendments.


The Congress is taking more and more actions like that seen here in specifying that DHS will report on the cybersecurity of FirstNet. These little one section toss offs in a wide variety of legislation are doing more to further the centralization of cybersecurity responsibility in DHS than any single piece of legislation could. I expect that this means that I am going to have to be watching a wider variety of bills to find those mentions that might be of specific interest to the control system security community.

I am not sure why the Social Media Working Group language is once again in legislation that is obviously heading to the floor. It was already passed in the House as a standalone bill. The only thing that makes a modicum of sense is that McSally and McCaul do not expect the Senate to actually take up HR 623 and they really want this group to be formed.

Of concern to me is that this version of the §318 language is also missing any mention of monitoring social media to provide situational awareness to the Department. While the intel folks are trying desperately to monitor the social network communications of IS and AQ supporters, the emergency response folks are, due to excessive concern with avoiding the appearance of spying on the public, being forced to ignore the vital information that could be available in natural disasters and after attacks or manmade disasters. A vitally important requirement for this SMWG should be the development of tools to abstract information from publicly available social networks to support emergency response.

The medical countermeasures program also seems to be an overly limited, if certainly legitimate DHS program. DHS certainly has a responsibility to ensure that medically foreseeable countermeasures to CBRNE attacks are available to keep their troops in the field fully functioning in their emergency response and criminal investigation capacities in the event of such attacks.

With minimal expansion of responsibility, however, the DHS Office of Health Affairs could be developing plans and standards for the deployment of medical countermeasures to the general public. In particular, incidents like the acrylonitrile train wreck this summer point to the need for the centralized stockpiling and subsequent distribution of medical countermeasures for industrial chemical accidents. OHA could have been tasked in this bill with the requirement to identify those industrial chemicals requiring specific medical countermeasures that would not routinely be available to local emergency rooms. In conjunction with such a list they could have been required to submit a plan to Congress on how a regional stockpiling and distribution plan could be put together for such countermeasures.

HR 3586 Introduced – Maritime Security

Last week Rep. Miller (R,MI) introduced HR 3568 the Border and Maritime Coordination Improvement Act. The bill would add a number of new sections to the Homeland Security Act of 2002 dealing with maritime security issues. Only a few of those provisions will be of specific interest to readers of this blog.

Joint Task Forces

The bill adds a new §420A to the Homeland Security Act that establishes a number of new border security joint task forces to “conduct joint operations using Department component and office personnel and capabilities to secure the international borders of the United States” {new §420A(a)}.

It provides for three specific task forces (East, West, and Investigation). The bill also provides authority for the Secretary to establish a number of other task forces, including one specifically to deal with cybersecurity {new §420A(i)(4)}. There are no details provided on what the purpose of a cybersecurity joint task force or how it might be constituted.

New TWIC Requirements

A new §420D is added to address concerns about Transportation Workers Identification Credentials (TWIC) being issued to non-US citizen applicants. The purpose of the new procedures outlined in this section are to ensure that “an individual who is not lawfully present in the United States cannot obtain or continue to use a Transportation Worker Identification Credential” {new §420D(a)}.

The language would require the Secretary to publish a list of documents that would provide acceptable proof that an applicant’s identity and legal presence in the United States. Additionally, a training program would have to be established to ensure that personnel processing TWIC applications from non-US citizens could detect fraudulent documents.

Finally the expiration of TWICs issued to non-US citizens would be changed so that they would expire on “the date of its expiration, or on the date on which the individual to whom such a TWIC is issued is no longer lawfully present in the United States, whichever is earlier” {new §420D(c)}.

Moving Forward

Miller is the Chair of the Border and Maritime Security Subcommittee of the House Homeland Security Committee and the Committee Chair, Rep. McCaul (R,TX) is a co-sponsor of this bill. This bill will certainly move through the committee process. In fact, it is one of the bills scheduled to be marked up by the full Committee on Wednesday.

There is supposed to be substitute language for this bill offered by Miller, but that language has not yet been published. I suspect that this will be the only amendment offered to this bill and it will almost certainly be approved by a voice vote. If that is the case this bill will most likely move to the floor of the House by the end of the year under suspension of the rules.


The adding of cybersecurity to the list of task forces that could be formed by the Secretary is kind of odd. The only other proposed or suggested task force that is not specifically designed to look at border control issues is suggested to be established in response to a major terrorist incident.

I suppose that since this bill established the bureaucratic guidelines for the establishment of joint agency task forces within the Department, it does make a certain amount of sense, but burying the provision in the US Customs Services portion of the statute still raises more questions then it answers. It will be interesting to see how/if this is specifically addressed in the Committee Report on this bill.

The TWIC provisions in this bill fall under the heading of ‘what has taken so long?’ I can see this providing some problems for people who are working here under renewable immigration documents. It is going to be costly for them to renew their TWIC more frequently than US citizens, but I don’t suspect that that was really part of the consideration for this measure.

I was kind of disappointed that this opportunity wasn’t taken to specifically include authorization for TWICs to be issued to employees of CFATS covered facilities. That would be a significant expansion in the number of TWICs to be issued, but I suspect that we are going to be seeing this happen in any course as the CFATS personnel surety program starts to ramp up. Specifically authorizing this would allow for a coordinated expansion of the program rather than a reactive expansion of capability in response to an ‘unexpected’ increase in the number of applications.

Monday, September 28, 2015

House Passes HR 2786 – Cross-Border Rail Security

This evening the House passed HR 2786, the Cross-Border Rail Security Act of 2015, under suspension of the rules. With limited debate (just six minutes) and no floor amendments, the bill was passed by a vote of 412 to 0.

As I mentioned in an earlier post, this bill continues the Congressional obsession with the possible smuggling of nuclear or radiological devices into the United States while ignoring the much more common threat of large shipments of toxic inhalation hazard chemicals that frequently enter the country by rail without being checked for potential improvised explosive devices.

Congressional Hearings – Week of 09-27-15

Both the House and Senate will be in session this week. It looks like the short term funding fight was resolved on Friday so the Congress turns to other items. Hearings this week will include three markup hearings in the House, a number of military related cyber hearings on both sides of the Capitol, as well as a pipeline safety and TSA management hearing.

Markup Hearings

The House Energy and Commerce Committee will hold a markup hearing on Tuesday that will look at HR 8, the North American Energy Security and Infrastructure Act of 2015. It will be interesting to see if any changes will be made to the Cyber Sense program to deal with the problems that I identified earlier.

The House Judiciary Committee will hold a markup hearing on Wednesday that will look at HR 3490, the Strengthening State and Local Cyber Crime Fighting Act. It is unlikely that this Committee will address the control system forensics concerns that I mentioned earlier. If that is to be addressed it will have to be in the Homeland Security Committee hearing described below. Both Committees will consider the same substitute language on the bill that is the result of the earlier subcommittee markup.

The House Homeland Security Committee will also hold a markup hearing on Wednesday with a large number of bills being considered. The bills of specific interest to readers of this blog include:

HR 3350, the Know the CBRN Terrorism Threats to Transportation Act;
HR 3490, the Strengthening State and Local Cyber Crime Fighting Act;
HR 3503, the Department of Homeland Security Support to Fusion Centers Act of 2015;
HR 3510, the Department of Homeland Security Cybersecurity Strategy Act of 2015;
HR 3578, the DHS Science and Technology Reform and Improvement Act of 2015;
HR 3583, the Promoting Resilience and Efficiency in Preparing for Attacks and Responding to Emergencies Act*;
HR 3584, the Transportation Security Administration Reform and Improvement Act of 2015;
HR 3586, the Border and Maritime Coordination Improvement Act*; and
HR 3598, the Fusion Center Enhancement Act of 2015*

Note: I have not had a chance to review the bills marked with an ‘*’ yet. I should publish reviews on them by Wednesday.

Military Cyber Issues

Military cyber issues are certainly going to touch on some IT and ICS security issues, but that will not be their primary focus. I am just going to list the hearings here without discussion.

Senate Armed Services - Cybersecurity policy and threats


The Homeland Security Subcommittee of the Senate Appropriations Committee will be holding a hearing on Tuesday to examine the Transportation Security Administration's efforts to address inspector general findings. There will only be two witnesses:

• Peter V. Neffenger, TSA Administrator; and
• John Roth, DHS Inspector General

Pipeline Safety

The Surface Transportation and Merchant Marine Infrastructure, Safety and Security Subcommittee of the Senate Commerce Science and Transportation Committee will hold a hearing on Tuesday to examine pipeline safety, focusing on oversight of our nation's pipeline network. Witnesses will include:

• Susan Fleming, US GAO;
• Christopher Hart, NTSB;
• Michael Bellamy, PII Pipeline Solutions;
• Donald Santa, Interstate Natural Gas Association of America; and
• Terry McCallister, American Gas Association

On the Floor

In addition to the clean version of HR 719 [Bill # corrected 17:00, 9-28-15] (the Continuing Resolution that will continue funding through December 13th) that the Senate will consider tonight and the House will consider on Wednesday, there are a couple of bills of specific interest that are scheduled to make it to the floor of the House this week. They are:

HR 2786, Cross-Border Rail Security Act of 2015, under suspension of the rules; and
HR 1735, 2016 NDA conference version, under a rule.

HR 3584 Introduced – TSA Reform

Last week Rep. Katko (R,NY) introduced HR 3584, the Transportation Security Administration Reform and Improvement Act of 2015. Most of this bill deals with passenger air transportation security issues, but Title II of the bill does address some surface security issues. Those security issues include:

• Surface transportation security inspectors; and
• Security training for transportation personnel


Section 201 of the bill deals with surface transportation security inspectors. The bill would amend 6 USC 1113(d) to ensure that these inspectors have surface transportation experience when appointed to the position {§201(a)}. The changed paragraph would read:

The Secretary shall require that surface transportation security inspectors have relevant surface [added] transportation experience and other security and inspection qualifications, as determined appropriate [deleted].

Paragraph (b) would require TSA to report to Congress on the efficacy of their surface transportation inspection program. The reporst would address:

• The roles and responsibilities of surface transportation security inspectors.
• The extent to which the TSA has used a risk-based, strategic approach to determine the appropriate number of surface transportation security inspectors and resource allocation across field offices.
• Whether TSA’s surface transportation regulations are risk-based and whether surface transportation security inspectors have adequate experience and training to perform their day-to-day responsibilities.
• Feedback from regulated surface transportation industry stakeholders on the benefit of surface transportation security inspectors to the overall security of the surface transportation systems of such stakeholders and the consistency of regulatory enforcement.
• Whether surface transportation security inspectors have appropriate qualifications to help secure and inspect surface transportation systems.
• Whether TSA measures the effectiveness of surface transportation security inspectors.
• Any overlap between the TSA and the Department of Transportation as such relates to surface transportation security inspectors in accordance with 6 USC 1117.

Section 202 of the bill addresses the controversy surrounding the law enforcement status of investigators in the TSA Office of Inspection. The DHS IG is required to report to Congress on the methods used by TSA to certify inspectors as criminal investigators.


Section 204 of the bill attempts to address the failure of TSA to provide regulatory guidance for transportation security training under 6 USC 1137 and §1184 for workers in the public transportation industry. Both training programs were required by Congress to be established in 2008. The bill requires TSA to report to Congress why it has not initiated the required rulemaking for these security training programs.  A similar training requirement under §1167 was not listed.

Moving Forward

Katko is the Chair of the Transportation Security Subcommittee of the House Homeland Security Committee and is thus responsible for the oversight of TSA. This is reflected in the fact that many of these provisions can be found in other bills that have been introduced in this Congress. The bill reflects the priority that Katko and presumably the Republican leadership on updating and reforming TSA operations.

It will be interesting to see how many amendments are made to this bill during the markup process, both in the Subcommittee and before the full Committee. I suspect that there will be a number of attempts to add improvements to the bill by members who would otherwise see their proposed TSA related legislation languish in Committee. TSA is a favorite target by folks on both sides of the aisle.

If the amendment process gets contentious, I would expect to see this bill move to the floor under a rule. If there are minimal amendments and they are handled by voice votes then the bill will probably be considered on the floor under suspension of the rules with limited debate and no floor amendments. In either case, the bill will almost certainly pass with bipartisan support.


Congress mandated that TSA develop security training program requirements in the Implementing Recommendations of the 9/11 Commission Act of 2007 (Public Law 110–53). Separate sections of that law required training programs for public transportation, railroads and over-the-road busses. All three programs were directed to have the following provisions:

• Determination of the seriousness of any occurrence or threat;
• Crew and passenger communication and coordination;
• Appropriate responses to defend oneself, including using nonlethal defense devices;
• Use of personal protective devices and other protective equipment;
• Evacuation procedures for passengers and employees, including individuals with disabilities and the elderly;
• Training related to behavioral and psychological understanding of, and responses to, terrorist incidents, including the ability to cope with hijacker behavior, and passenger responses;
• Live situational training exercises regarding various threat conditions, including tunnel evacuation procedures;
• Recognition and reporting of dangerous substances and suspicious packages, persons, and situations;
• Understanding security incident procedures, including procedures for communicating with governmental and nongovernmental emergency response providers and for on scene interaction with such emergency response providers; and
• Operation and maintenance of security equipment and systems.

It boggles the mind that there has not even been an advance notice of proposed rulemaking on any of these three training programs. I understand that the transportation industry has been opposed to the establishment of these programs for a number of reasons including the very real concern about how they would conduct such training with a very dispersed employee population.

TSA is sure to respond in their report to Congress that they are having a hard time coming up with cost effective training requirements. Since there have been no surface transportation terrorist attacks in the United States it will be hard for TSA to come up with a realistic cost of such an attack that could be avoided by the training. And some of the training requirements set out by law will be quite expensive.

TSA’s job would be made much easier if Congress were to re-look at some of the more esoteric requirements and determine which ones were appropriate for front line employees and which were more important for management. Training exercises and emergency response exercises for a physically dispersed workforce, for example, are probably going to be more cost effective if they were conducted as table top exercises for managers and planners.

Saturday, September 26, 2015

HR 3578 Introduced – DHS S&T

Two weeks ago Rep Ratcliffe (R,TX) introduced HR 3578, the DHS Science and Technology Reform and Improvement Act of 2015. The bill amends the authorizing language of the Homeland Security Act of 2002 as it pertains to the operations of the DHS Science and Technology (S&T) Directorate. One of the new sections being added to the 2002 Act deals specifically with the cybersecurity responsibilities of S&T.

Cybersecurity Provisions

The new §322 directs the Department to “support research, development, testing, evaluation, and transition of cybersecurity technology, including fundamental, long-term research to improve the sharing of information related to cybersecurity risks and incidents” {new §322(a)}. The expected R&D activities would include new {new §322(b)}:

• Advance the development and accelerate the deployment of more secure information systems;
• Improve and create technologies for detecting attacks or intrusions, including real-time continuous diagnostics and real-time analytic technologies;
• Improve and create mitigation and recovery methodologies, including techniques and policies for real-time containment of attacks, and development of resilient networks and information systems;
• Develop and support infrastructure and tools to support cybersecurity research and development efforts, including modeling, testbeds, and data sets for assessment of new cybersecurity technologies;
• Assist the development and support of technologies to reduce vulnerabilities in industrial control systems; and
• Develop and support cyber forensics and attack attribution.

Paragraph (d) provides a series of definitions used in this new section. The defined terms include:

• Cybersecurity risk;
• Homeland security enterprise;
• Incident; and
• Information system.

The only definition of consequence to readers of this blog is the last one. The bill uses the restrictive definition from 44 USC 3502 that specifically limit it to “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information” {§3502(8)}. Interestingly the term is never actually used in the new section.

Moving Forward

Ratcliffe is the Chair of the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee of the House Homeland Security Committee. As such he has oversight responsibility for S&T and certainly has the political pull to move this bill forward. I expect that we will see a markup hearing before his Subcommittee in the coming weeks and there is a good possibility that this bill will move forward to the full House before the end of the year.

It is strongly possible that this bill will be considered under suspension of the rules with minimal debate and no amendments. We will know better when we see how the Committee votes when this bill is marked up.


I am glad to see that industrial control systems are finally getting the Congressional recognition they deserve separate from the larger information systems that they have been lumped in with in the last couple of years.

One problem, however, with this belated recognition of the control system security issue, is that Congress still does not understand the real scope of the problem. For example §322(c) provides a list of agencies with whom S&T should coordinate their cybersecurity research program. Unfortunately, it fails to list a number of Federal agencies that have some oversight responsibility for control systems issues, including:

• Department of Transportation (automobiles, PTC, aircraft, etc);
• Food and Drug Administration (medical devices); and
• Department of Energy (energy production and transmission)

Coordinating and sharing control system security research with these other agencies would certainly help make the Federal research dollar go much further. This is particularly important since this bill does not provide any additional funding to S&T.

BTW: Have I mentioned how much I detest the new House Homeland Security Committee website? It is set up on the infographic model instead of the ‘old fashioned’ web site model with easy to find links to specific information on the site. Whoever designed this site needs to be banished from government service until they learn how to provide information rather than making something that looks pretty.

PCII and CVI Information

Earlier this week DHS did a complete update of their web site that deals with the Protected Critical Infrastructure Information (PCII) program. This controlled but unclassified information protection program was established in 2002 as Subtitle B of Title II of the Homeland Security Act of 2002 (PL 107-296). One of the new pages included in this re-worked site addresses information that is protected both by the PCII program and the Chemical Vulnerability Information (CVI) program under CFATS.

Differences Between PCII and CVI

Both programs provide similar degrees of protection against public disclosure of information submitted to the Federal government. There is a significant difference, however. Information submitted via the PCII program may not be used for regulatory purposes and the CFATS program is definitely a regulatory program.

This means, essentially, that the folks that work at the Infrastructure Security Compliance Division (ISCD) of NPPD do not have access to PCII. Facilities that submit documents to ISCD that have also been provided to DHS under the PCII program must ensure that there are no PCII markings on copies sent to ISCD.


There is an interesting difference between document protection requirements in these two programs. While the CVI program sets rules for document protection at the facility that submits the documents, there are no such requirements included in the PCII program. The PCII program only sets the document protection requirements for government entities and contractors working for those entities.

If facilities are submitting the same documents under both programs it is important that the PCII marked documents are kept separate from the CVI marked documents. This is going to make keeping the documents up to date a tad bit more difficult as they will have to be maintained in separate computer files as well since electronic CVI documents are required to be saved with program markings.

Friday, September 25, 2015

Bills Introduced – 09-24-15

Yesterday, with both the House and Senate in session for the first time this week, there were 37 bills introduced. Of those three were of potential interest to readers of this blog:

HR 3598 To amend the Homeland Security Act of 2002 to enhance the partnership between the Department of Homeland Security and the National Network of Fusion Centers, and for other purposes. Rep. Barletta, Lou [R-PA-11]

S 2080 A bill to amend title 49, United States Code, to enhance pipeline safety, to provide communities with access to improved information concerning the equipment and operations of pipeline facilities, and for other purposes. Sen. Peters, Gary C. [D-MI]

S Amdt 2680 to HJ Res 61 Making continuing appropriations for the fiscal year ending September 30, 2016, and for other purposes. Sen. Cochran, Thad [R-MS]

It will be interesting to see the differences between HR 3598 and HR 3503 that I reported on earlier this week.

It is interesting that the junior Democrat on the Senate Commerce, Science and Transportation Committee is the author of this pipeline safety bill.

As expected the first continuing resolution amendment to HJ Res 61 failed its cloture vote yesterday. This new version does not contain the Planned Parenthood defunding provisions. A cloture vote is scheduled for Monday evening. This will then go to the House for a vote on Tuesday or Wednesday.

NOTE: Because of DC travel restrictions yesterday for the Pope’s visit the GPO has not yet made the Congressional Record available for Wednesday’s Senate Session. There may be a bills introduced blog post later today for any bills of interest that may have been introduced on Wednesday.

Thursday, September 24, 2015

ICS-CERT Publishes Update and 2 New Advisories

ICS-CERT Publishes an update to an N-Tron advisory published earlier this year and two new advisories for products from EasyIO and Endress+Hauser.

N-Tron Update

This update reports that Red Lion has produced a firmware update that mitigates the vulnerability and that the researcher who initially reported the vulnerability, Neil Smith, has verified the efficacy of the fix. The update reports that the update allows the end user to upload unique keys/certificates to the unit and this required a re-write of the user manual. The new manual is available here.

NOTE: This update is not on the main ICS-CERT web page so, unless you follow @ICSCERT on Twitter (or of course read this blog) you would not know about this update.

EasyIO Advisory

This advisory describes a hard-coded credential vulnerability in the EasyIO-30P-SF controller. The vulnerability was reported by Maxim Rupp. EasyIO has produced a patch that mitigates the vulnerability and Rupp has verified the efficacy of the fix. This advisory was originally released on the US-CERT Secure Portal on August 25th and is probably one of the advisories on that Portal that I reported on earlier this month.

ICS-CERT notes that this controller is “used in a number of DDC systems worldwide”. With this in mind a supplement has been issued to this advisory that lists a number of the OEM partners (and their devices) that are affected by this vulnerability. It also lists separate actions taken by those partners to mitigate this vulnerability.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to gain complete access to the controller.

Endress+Hauser Advisory

This advisory describes an XML code injection vulnerability in Endress+Hauser Fieldcare used in conjunction with CodeWright HART Comm DTM. The vulnerability was reported by Alexander Bolshev of Digital Security. Endress+Hauser and CodeWright have each produced updates that work together to mitigate this vulnerability. Bolshev has verified the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker on an adjacent network that receives HART DTM packets could exploit this vulnerability.

Question: How many other device manufacturers have a similar problem that would interact with the CodeWright HART Comm DTM to produce the same vulnerability? I am afraid that there is nothing in this advisory that would allow anyone to answer that question with any accuracy.

DHS Updates CFATS Knowledge Center – Four New FAQs

This afternoon the folks at DHS Infrastructure Security Compliance Division (ISCD) published a notice on the CFATS Knowledge Center announcing that they had added four new frequently asked questions (FAQs) dealing with the temporary Top Screen extension (still in effect) that was announced for agricultural production facilities on December 21st, 2007 and formally published in the Federal Register on January 9th, 2008.

The four new questions are:


On December 21st, 2007, during the middle of the initial Top Screen submission period, ISCD published a letter that many felt was a substantial concession to the agriculture lobby that provided essentially an open-ended extension of the requirement to file a Top Screen for any agricultural production facility that had sufficient quantities of DHS chemicals of interest (COI) on hand that would require them to submit a Top Screen under 6 CFR 27.200(b)(2).

An ‘agricultural production facility’ was defined in the letter as “facilities such as farms (e.g., crop, fruit, nut, and vegetable); ranches and rangeland; poultry, dairy, and equine facilities; turfgrass growers; golf courses; nurseries; floricultural operations; and public and private parks”. Additionally, the letter made clear that the term did not apply to “chemical distribution facilities, or commercial chemical application services”.

The letter also explained that the ‘temporary’ exemption only applied to two types of COI; those used:

“(I)n preparation for the treatment of crops, feed, land, livestock (including poultry) or other areas of an agricultural production facility; or
“(D)uring application to or treatment of crops, feed, land, livestock (including poultry) or other areas of an agricultural production facility.”
The Federal Register notice two weeks later further clarified that the exemption did not apply to fuels stored on those agricultural production facilities.

The letter tried to make it clear that DHS felt that it did not have enough information about operations at agricultural production facilities to make an informed risk assessment on these facilities based solely on the information contained in the Top Screen. In attempt to collect additional information about these types of operations in July 2010 DHS requested 1274 CFATS high-risk covered facilities that may sell, transfer or commercially apply COI-containing products (e.g., pesticides, fertilizers) used in agricultural activities by agricultural production facilities complete an Agriculture Survey about those COI.

FAQ Responses

The responses to all four questions posted today make it clear that the Top Screen exemption only applies to agricultural production facilities. Even for those facilities it only applies to COI and amounts of COI that are actually applied to the defined agricultural fields. COI used in other operations on those facilities would still be required to be reported on a Top Screen to ISCD if they exceeded the screening threshold quantity (STQ) set forth in Appendix A to 6 CFR 27.


It is more than a little disturbing to me that almost eight years after this ‘temporary exemption’ was published that ISCD is now publishing these FAQ. FAQ’s are supposed to represent actual questions that have been asked by people in the private sector either via the CFATS Knowledge Center or directly to the CFATS Help Desk ((866) 323-2957 or via this web form). From the way the questions are presented it would seem that there are some number of facilities to which the Top Screen extension does not apply that have not yet submitted Top Screens because of the presence of the exemption.

We have no way of knowing if these are new facilities that are trying to determine if they fall under the exemption or if they were asked by facilities that should have submitted a Top Screen years ago but are just now being identified through the ISCD’s various outreach programs. I would like to think that it is the former, but I more than suspect that it is more of the latter.

The real question that these four new FAQs pose is why does this ‘temporary’ exemption still exist? The completion of the Top Screen is a relatively simple on-line exercise. For most agricultural production facilities it will take less than an hour; probably 10 or 15 minutes. Furthermore, is extremely unlikely given the physical isolation of most of these facilities that ISCD’s threat assessment process would find that these are high-risk chemical facilities that would then be required to complete a security vulnerability assessment and ultimately develop and implement a site security plan.

Of course, if that is not true; and a significant number of these facilities really are at high-risk of terrorist attack due to the presence of these COI then ISCD has been criminally negligent in allowing this ‘temporary’ exemption to continue for so long. The exemption ought to be closed, post haste, and all of these facilities should be given a reasonable time (90 days?) to complete and submit their Top Screen. Only then will we really know if this exemption provided almost eight years ago really was a reasonable exercise of regulatory discretion.

HR 623 Reported in Senate – Social Media Working Group

Earlier this week the Senate Homeland Security and Governmental Affairs Committee published their report on HR 623, Social Media Working Group Act of 2015. The Committee amended and adopted the bill during a hearing on May 6th. A copy of the revised language for the bill has also been published.


Most of the changes to the bill were minor, mostly increasing the emphasis in the language for the use of social media during natural disasters where the emphasis in the previous versions had been on that use during the response to terrorist attacks.

There is another minor, yet interesting wording change in the new version. In describing the purpose of the bill {new §318(b)}, the original language started with the following premise: “In order to enhance information sharing  [emphasis added] between the Department and appropriate stakeholders….” The new version reads: “In order to enhance the dissemination of information [emphasis added] through social media technologies between the Department and appropriate stakeholders….”

The one significant change was a provision that calls for the termination of the Social Media Working Group after 5 years unless the Chairman certifies that “that the continued existence of the Group is necessary to fulfill the purpose” {new §318(g)(1)} outlined in the bill.

Moving Forward

The bill has been placed on the Senate calendar, but that is no guarantee that it will be considered. The bill was adopted in Committee by a voice vote indicating substantial bipartisan support for the bill. This would mean that it would probably be considered under the unanimous consent process in the Senate at a time decided by the Majority Leader.


I am still more than a little puzzled by the lack of information about how Congress would intend for the processes and techniques developed by this Working Group would be disseminated to the agencies in the field. I would have expected to see a requirement to publish a public report on suggested best practices. I’m fairly sure that DHS will be able to figure out how to get the word out, but this is still a fairly odd oversight.

The change in wording of the purpose of the working group, may actually be the most significant change in the document. Where the original wording used information sharing that would seem to indicate a two way flow of information between the government and the public. The new use of ‘dissemination’ indicates a one way data flow.

I suspect that this was done to ease privacy concerns about the government monitoring of social networks. This would seem to me to be a knee jerk reaction that could actually limit the ability of the government to acquire timely information that might aid emergency response. I am certainly not advocating that the government be allowed to monitor emails, telephone calls or even texts, but the use of social media is by definition public and poses no presumption of privacy.

In a wide scale emergency live information about what is actually happening can provide valuable intelligence that could guide the deployment of fire, rescue and medical response assets. Ignoring that information because of an overblown fear of the appearance of violating privacy is a sure way of ensuring that innocent people are denied necessary life-saving emergency services.

In my opinion one of the most valuable things that this Working Group should be doing is developing the technology to capture and display timely information from social networking sources about an incident that will allow incident commanders to provide effective deployment of emergency response capability to protect the public.

Well, it is too late now for this bill. If, as I suspect it will, the bill is considered under the unanimous consent provisions there will not be another chance to change the language. Even when it goes to Conference there will only be a selection of one version of the language or the other, not a chance to actually add new or additional requirements. At best we can hope for a reversion to the House language for the purpose of the bill.

Wednesday, September 23, 2015

Bills Introduced – 09-22-15

There were 27 bills introduced in the House and Senate yesterday even though the House was only minimally present in a pro forma session. Three of those bills and a Senate Amendment may be of specific interest to readers of this blog:

HR 3583 To reform and improve the Federal Emergency Management Agency, the Office of Emergency Communications, and the Office of Health Affairs of the Department of Homeland Security, and for other purposes. Rep. McSally, Martha [R-AZ-2] 

HR 3584 To authorize, streamline, and identify efficiencies within the Transportation Security Administration, and for other purposes. Rep. Katko, John [R-NY-24]

HR 3586 To amend the Homeland Security Act of 2002 to improve border and maritime security coordination in the Department of Homeland Security, and for other purposes. Rep. Miller, Candice S. [R-MI-10]

S Amdt 2669 Making continuing appropriations for the fiscal year ending September 30, 2016, and for other purposes. Sen. Cochran, Thad [R-MS] To H J Res 61, Hire More Heroes Act of 2015

Very Brief Summaries

I’ll be watching HR 3583 for possible effects on the chemical safety programs under OHA.

HR 3584 will be of potential interest for changes to surface transportation security programs.

HR 3586 will watched for changes to the MTSA program.

This amendment to HJ Res 61 will be the first pass at a continuing resolution to fund the government through December 11th. This will almost certainly be stalled by the Democrats because this version includes defunding of Planned Parenthood programs. The Republicans did try to defuse that issue by making those funds available to other women’s health programs, but the name ‘Planned Parenthood’ is as much a positive keystone for the Democrats as it is a negative keystone for the Republicans. There will be a cloture vote today on this amendment.

Side Note

Pro forma sessions of the House are typically attended by just three members; the acting speaker and a floor representative from each party and only involve administrative matters like receiving messages and introducing bills and resolutions. Every once in a while, however, there are actual legislative activities that take place and the results are the same as if the whole House was in attendance.

Yesterday was one of these occasions. During the six  minute long session the Foreign Affairs Committee was discharged from responsibility for H Res 50 that was introduced yesterday. The resolution was then brought to the floor for consideration, amended twice, and adopted by unanimous consent.

The resolution was introduced by Rep. Levin (D,MI) in response to concerns of the Ukrainian  community in Michigan about the Russian treatment of Nadiya Savchenko, a Ukranian military pilot, that was captured by pro-Russian forces in eastern Ukraine.

This is not an earth shattering bill and its passage obviously had the support of the leadership of both sides of the aisle in the House. It does show, however, that pro forma sessions in the House do need to be watched as legislative matters can be dealt with under unanimous consent rules without a quorum being present.

DHS Publishes Chemical Security Awareness Training ICR

Today the DHS National Protection and Programs Directorate (NPPD) published a 60-day information collection request (ICR) renewal notice in the Federal Register (80 FR 57200-57201) for their Infrastructure Assessment and Training Program. This ICR used to be for the Chemical Security Awareness Training Program that I first wrote about in 2008, but was apparently canceled earlier this year.

The notice now describes the ICR as supporting the IP Gateway that consists of three separate collection activities:

• General User Registration;
• Chemical Security Awareness Training Registration, and
• User Satisfaction Survey

The last time that this ICR was approved (2011) DHS expected [.DOC download] 400,000 responses/participants per year at one hour per response (the total for registration, training and post training survey). That number was an estimate based upon the number of workers in the chemical industry not actual participation in the program that had been running for about three years at that point.

The current ICR notice expects just 9,000 participants in the program but they expect 5 hours of response burden for each participant. This would mean that the training portion of the program would be significantly longer than the earlier CSATP.

NPPD is soliciting comments on this ICR. Comments may be submitted via the Federal eRulemaking Portal (; Docket # DHS-2014-0010). Comments should be submitted by November 23, 2015.


Readers will recall that last week I complained that there was no chemical sector specific training available from DHS. I hope that this ICR submission indicates that that is only a temporary condition. I look for to seeing this new 5 hour long chemical security awareness training program.

Tuesday, September 22, 2015

ICS-CERT Publishes Three Advisories

This morning the DHS ICS-CERT published three advisories for control system vulnerabilities in systems from Everest Software, IBC Solar and Resource Data Management.

Everest Advisory

This advisory describes two pointer dereference vulnerabilities in the Everest Software LLC PeakHMI application. The vulnerabilities were reported by Josep Pi Rodriguez. Everest has produced a new version that mitigates the vulnerabilities, but there is no indication that Rodrigues has verified the efficacy of the fix. This advisory was released to the US CERT Secure portal on August 20th, 2015 and is probably one of the ones that I mentioned last week.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability.

ICS-CERT has two additional mitigation activities to recommend in addition to their standard recommendations for HMI systems. They are:

• Carefully monitor or block traffic to Port 49454.
• Disable the video server if it is not being used. This video server is only for remote HMI video support. (It is disabled by default on installation)

IBC Solar Advisory

This advisory describes three vulnerabilities in two different IBC Solar products. The vulnerabilities were reported by Maxim Rupp. ICS-CERT reports that IBC Solar has not mitigated these vulnerabilities

The three vulnerabilities are:

• Disclosure of source code, CVE-2015-6469;
• Plain text passwords, CVE-2015-6474; and
• Cross-site scripting, CVE-2015-6475

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities.

For the first two vulnerabilities ICS-CERT suggests upgrading to a source that does not have these vulnerabilities. It sounds to me like they are recommending a new vendor, but they don’t come right out and say that (DHS lawyers will be happy). For the cross-site scripting vulnerability they recommend data validation and they also provide a link to an NSA fact sheet on XSS.

Resource Data Management Advisory

This advisory describes two vulnerabilities in the Resource Data Management Data Manager application. The vulnerabilities were reported by Maxim Rupp. Resource Data Management has produced a new version that mitigates the vulnerability, but there is no indication that Rupp has been given the opportunity to verify the efficacy of the fix.

The two vulnerabilities are:

• Privilege escalation, CVE-2015-6470; and
• Cross-site request forgery, CVE-2015-6468

 ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities.

ICS-CERT Vulnerability Reporting

There was an interesting Twitversation this morning about how ICS-CERT deals with the publication of zero day (0day) vulnerabilities (a vulnerability that is released to the public without prior coordination or notification to the vendor) that have been released as parts of exploit packages. The conversation was started by Joel Langill’s (@SCADAhacker) announcement that Gleg had released their latest version of SCADA+® and that it contained 3 0day control system vulnerabilities. I replied with a somewhat sarcastic comment about how I did not expect ICS-CERT to publish an alert for those three 0days. The conversation expanded from there.

Gleg Background

GLEG Ltd. is a Moscow based small security firm. They produce (among other things) a product called SCADA+. It is a penetration testing tool (similar to Metasploit®). It is supposed to contain a comprehensive selection of exploits for industrial control systems. Those include publicly available exploits as well as exploits developed in-house by Gleg, including those for Gleg discovered 0day vulnerabilities.

Gleg sells this tool to companies and researchers and they periodically update the tool. Joel is apparently a customer of Gleg because he routinely reports when a new version of SCADA+ is released and the SCADA+ web site is at least 3 releases behind what Joel is reporting. This is logical because Gleg would want to provide its paying customers with notice about 0day vulnerabilities before they are publicly announced.

NOTE: Gleg has a relatively new product out; MedPack. It apparently does for medical software (device and IT) what SCADA+ does for control systems.

Early ICS-Reporting on Gleg

When the SCADA+ Pack was first released as an add-on to the Gleg Agora product in 2011, ICS-CERT issued an advisory about the product. It also produced alerts (here and here) for two early updates that contained reported 0day exploits. Since then there have been no further alerts or advisories from ICS-CERT on SCADA+.

ICS-Reporting Products

ICS-CERT provides two types of notifications about control system vulnerabilities; alerts and advisories. They describe them this way:

• An ICS-CERT Alert is intended to provide timely notification to critical infrastructure owners and operators concerning threats or activity with the potential to impact critical infrastructure computing networks.
• Advisories provide timely information about current security issues, vulnerabilities, and exploits.

Generally it would seem that alerts are issued when there has been an exploit published for a 0day vulnerability. An advisory is issued when there has been at least some level of notification to the vendor either directly or through a coordinating agency like ICS-CERT.

Why Stop Gleg Reporting

The question that came up in the Twitversation that I describe earlier is why ICS-CERT had stopped producing alerts or advisories for SCADA+ updates since they frequently reportedly contain 0day vulnerabilities. Joel questioned if ICS-CERT had a mandate to report vulnerabilities that were not coordinated through them and that is certainly a legitimate question.

The ICS-CERT web site contains an explanation of the mission of ICS-CERT. In the last two of six bullet points it includes:

• Coordinating the responsible disclosure of vulnerabilities and associated mitigations; and
• Sharing and coordinating vulnerability information and threat analysis through information products and alerts.

Given those broadly painted guidelines it would seem that reporting SCADA+ updates that included 0-day vulnerabilities should definitely a responsibility of ICS-CERT. In fact, I could make the case that for previously reported vulnerabilities for which there had been no publicly reported exploits that the inclusion of the vulnerability in SCADA+ (or other penetration testing products like Metasploit) represents an escalation in the severity of the vulnerability that should be reported by ICS-CERT.


I am going to preface this next portion of the discussion by saying this is made up from whole cloth in my head and may bear no resemblance to actual fact. It is being presented for discussion purposes only.

I can think of at least one possible reason to explain why ICS-CERT stopped reporting on the Gleg Scada+, and it is a potential legal issue. The public documentation for the updates provides almost no information on the character of the 0day vulnerabilities. I haven’t seen the customer documentation, but based upon the three ICS-CERT documents that have been published it would seem that there is little detailed information provided to customers. To dig out the 0day exploit details that ICS-CERT would be able to use would require reverse engineering the software.

I fully expect that ICS-CERT has the talent, skill and inclination to do such reverse engineering (and it would presumably get simpler with each new release).  While reverse engineering software falls within grey areas of the law, the public sharing of information from that process would certainly violate a couple of US laws dealing with intellectual property.

I would like to think that ICS-CERT if they discovered actionable details about a 0day vulnerability that they would notify the vendor of the vulnerability so that they could fix the problem. Then in the normal course of events they would publish an advisory for the vulnerability without listing a researcher.

If ICS-CERT acknowledged the Gleg release for a 0day vulnerability and then subsequently reported an advisory for mitigating that vulnerability I can imagine DHS lawyers getting concerned that Gleg might complain (ie: take DHS to court) about ICS-CERT effectively stealing the intellectual property from Gleg. That would be much harder to sustain if DHS publicly ignored the Gleg update.

Policy Question

As it is becoming more and more obvious that control systems in many critical application are vulnerable to cyber attacks the role of ICS-CERT in being an information development and sharing organization becomes ever more important. Congress needs to start considering what type of role ICS-CERT should perform by-law. In my opinion one of the most important tasks that ICS-CERT should have is the information sharing role concerning vulnerabilities in industrial control systems.

That information sharing takes a couple of different directions. They include sharing vulnerability information with:

• Vendors concerning vulnerabilities that have been identified by independent researchers, outside research groups, ICS-CERT and intelligence agencies;
• Researchers concerning actions being taken by vendors to mitigate vulnerabilities;
• Critical infrastructure owners concerning vulnerabilities identified and mitigation measures developed; and
• The ICS community in general about trends in vulnerability detection and mitigation.

There are, of course, other areas of information sharing that would be important for ICS-CERT to be involved in, but those will have to be discussed on another day. This post has gotten a tad too long already.

HR 3503 Introduced – DHS Fusion Center Support

Two weeks ago Rep. McSally (R,AZ) introduced HR 3503, the Department of Homeland Security Support to Fusion Centers Act of 2015. It would require DHS to examine the level of support that it was providing to fusion centers around the country and address security clearance issues for fusion center analysts.

Support Requirements

Section 2 of the bill would require the DHS Secretary to “conduct a needs assessment of Department personnel assigned to fusion centers” {§2(a)} in accordance with the requirements of 6 USC 124h(c). The bill requires specific attention be given to the need for additional personnel from:

• US Customs and Border Protection, US Immigration and Customs Enforcement, and the Coast Guard for fusion centers located near border and coastal areas; and
• Transportation Security Administration for fusion centers located in jurisdictions with large and medium hub airports.

The Secretary is given 120 to complete the needs assessment and 60 days thereafter to provide a report to Congress on the plan for fulfilling the needs identified.

Section 3 of the bill would require the Under Secretary for Intelligence to “shall establish a program to provide eligibility for access to information classified as Top Secret” for State and local analysts located in fusion centers. A report to Congress on the progress of implementation of this would be required in two years.

Moving Forward

McSally is a junior (but very influential; she is Chair of the Emergency Preparedness, Response, and Communications Subcommittee) member of the House Homeland Security Committee so she does have political pull to move this bill along through Committee. Add to that the fact that Committee Chair and the Counterterrorism and Intelligence Subcommittee Chair are cosponsors and we can see why this bill was considered in a subcommittee markup last week; less than a week after it was introduced. The bill was recommended to the full Committee without amendments on a voice vote.

This bill will almost certainly come to the full Committee next month where it will pass with a substantial bipartisan vote. Whether and when it comes to the House floor will depend on how the bill is prioritized by Chairman McCaul (R,TX). Due to its non-controversial nature and bipartisan support it would be considered under suspension of the rules without further amendments. If considered by the House it would pass with substantial bipartisan support.


While there is nothing in the bill that is the least bit controversial there are some things that are clearly missing. There is nothing in this bill (or the underlying statute) that would provide additional intelligence capabilities for other specialized potential threats.  For example there is no mention of major ground transportation hubs or areas with large chemical manufacturing concentrations. Both of these areas would be high-threat areas with specific intelligence analysis requirements.

I suspect that a large part of reason for the mention of these areas is that there are no large organizations that would have the people necessary to spare to man such posts. The TSA ground folks and the CFATS folks are woefully undermanned and underfunded and have not been provided with a real intelligence analysis component in any case.

It would be helpful if this bill were to include a needs analysis requirement to examine the potential need for specialized intelligence analysis capability in these two areas to support fusion centers as well as a requirement to identify other specialized intelligence categories that might be needed by fusion centers.

The need for access to Top Secret intelligence information at the fusion center level is probably justified. I don’t think that there would be a high volume of such information, but the TS clearance process is so involved that there is no quick way to approve such clearances if a real specific need does arrive.

The problem the Congress continues to ignore, however, when directing DHS and other agencies to share classified intelligence with non-Federal agencies and organizations is that there is a steep cost associated with the communications facilities and storage requirements for classified information.  I think that it would be appropriate in this legislation for DHS to report on the specific costs to fusion centers for adding the capability to transmit, receive and store Top Secret materials.
/* Use this with templates/template-twocol.html */