Saturday, October 31, 2015

NRC Publishes Cybersecurity Event Reporting Final Rule

The Nuclear Regulatory Commission published in Final Rule in Monday’s Federal Register (80 FR 67264-67277; available on-line today) concerning Cyber Security Event Notifications. The rule codifies certain reporting activities associated with cybersecurity events contained in security advisories issued by the NRC.

The rule makes modifications to three sections of 10 USC Part 73 (§73.8, §73.22, and §73.54) and adds a new section (§73.77; Cyber Security Event Notifications). For readers of this blog, the items of specific interest will be found in the changes to §73.54 (Protection of digital computer and communication systems and networks) and the new §73.77.

Protecting Cyber Assets

Section 73.54 provides a great deal of detail about the requirements that a regulated facility needs to undertake to protect cyber systems associated with {§73.54(a)(1)}:

• Safety-related and important-to safety functions;
• Security functions;
• Emergency preparedness functions, including offsite communications; and
• Support systems and equipment which, if compromised, would adversely impact safety, security, or emergency preparedness functions

Paragraph (d) of the current §73.54 outlines the licensee actions that are required for the security program set forth in the section. They include:

• Ensure that appropriate facility personnel, including contractors, are aware of cyber security requirements and receive the training necessary to perform their assigned duties and responsibilities.
• Evaluate and manage cyber risks.
• Ensure that modifications to assets, identified by paragraph (b)(1) of this section, are evaluated before implementation to ensure that the cyber security performance objectives identified in paragraph (a)(1) of this section are maintained.

The new final rule adds a fourth required action: “Conduct cyber security event notifications in accordance with the provisions of §73.77.”

Event Notification

The NRC safety regulations contain a whole host of requirements for notification activities that must be under taken by licensees (see §73.71 for example). The new §73.77 adds a new set of notification requirements and classifies them generally by how soon notification is required after the event is detected. There are four operational time limit are:

• One hour;
• Four hour;
• Eight hour; and
• 24 hour

The one hour time limit is reserved for cyber attacks that: “that adversely impacted safety-related or important-to-safety functions, security functions, or emergency preparedness functions (including offsite communications); or that compromised support systems and equipment resulting in adverse impacts to safety, security, or emergency preparedness functions within the scope of § 73.54” {new §73.77(a)(1)}. In other words there was an actual impact on safety, security or emergency preparedness.

There are three categories of events under the four hour reporting standard. First is an attack that could have resulted in a situation that would have required a one-hour report if it had been successful. The second is the discovery of a “suspected or actual cyber attack initiated by personnel with physical or electronic access to digital computer and communication systems and networks within the scope of §73.54” {§73.77(a)(2)(ii)}; essentially a breach of the cyber perimeter. The third is a generic catch all that requires a report of any cyber related situation that resulted in a notification of law enforcement.

The eight hour category is the last one that requires actual telephonic communications with the NRC. It is reserved for information “regarding observed behavior, activities, or statements that may indicate intelligence gathering or pre-operational planning related to a cyber attack against digital computer and communication systems and networks within the scope of §73.54” {§73.77(a)(3)}.

The ’24 hour’ category that I’ve listed here is not actually a requirement to ‘communicate’ with the NRC in any direct way. It is a requirement to record the event in the “corrective action program (CAP)”. This is an NRC inspect able document maintained under §73.55(b)(10) that the facility uses to “track, trend, correct and prevent recurrence of failures and deficiencies in the physical protection program”. Under the new §73.77(b) the facility will now also record “vulnerabilities, weaknesses, failures, and deficiencies in their § 73.54 cyber security program” as well as documenting any of the notifications made under the provisions outlined above.

The remainder of the new §73.77 outlines how the facility is to report the incidents described above to the NRC and how a follow-up written report will be prepared and submitted.

Effective Date

This rule becomes effective on December 2nd, 2015. The NRC will begin enforcement of the rule on May 2nd, 2016.


Few readers (I know there are some, bear with me) of this blog are intimately involved in the operation of nuclear power plants or maintenance of the security apparat that protects them. I am certainly not planning on becoming a subject matter expert on the topic. This rulemaking is important, however, because it outlines a cybersecurity event notification process that can serve as a model in developing a regulatory scheme for control systems in other critical infrastructure sectors.

Before we go any further, let me remind folks that the NRC already has a regulatory process that is set up to take security reports from the regulated community, digest those reports and communicate the essential information to other facilities in that regulated community so that they can modify their on-going processes at a higher level of safety and security. Lacking that sort of information digestion and communication, there is absolutely no reason to require timely reporting of cybersecurity incidents, or any sort of security incidents for that matter.

The important thing for other regulators to take from this rulemaking is the way that the NRC prioritized reporting requirements; events that had cyber physical impacts, events that could have had cyber physical impacts, and events that demonstrate penetration of the cyber perimeter. This categorization should be able to withstand numerous changes in technology and be adaptable to any industry that has the potential for cyber physical impacts outside of the facility boundary.

The other important take away from this rulemaking is that the NRC had already established a workable definition of the critical control systems at their regulated facilities; safety functions, security functions, emergency response functions and systems that directly support those functions. Again, those functions could be easily translated into any regulated industry that has the potential for cyber physical impacts outside of the company fence line. With minor adaptations they could even be modified to apply to mobile control systems (auto, planes and ships) and even medical devices.

There is much that is still missing from this rulemaking, which is arguably part of the most proactive security program functioning in this country outside of the military. The NRC rules are still missing a cyber forensics component, for example. But the NRC is actually trying to codify a proactive cyber incident reporting program and that is a very important part of any cybersecurity program, a part that should be looked at very carefully by other critical infrastructure regulatory agencies.

NARA Sends CUI Final Rule to OMB

Earlier this week (but available on-line for the first time today) the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that that the National Archives and Records Administration (NARA) had submitted their final rule on Controlled Unclassified Information for review. The notice of proposed rulemaking on this rule was published last May.

NARA has moved pretty quickly on this final rule with the comment period on the NPRM having closed in July. They were assisted on this by the relatively low number of comments (13) received on the NPRM.

It will be interesting to see how long it takes OIRA to approve the final rule. The NPRM took alomost a year to approve (May 20, 2014 to May 5, 2015). I’m sure that a bunch of the delay was working out agreements with the various affected Federal agencies. That may mean that this is a done deal within the government, but you never can tell.

Thursday, October 29, 2015

Bills Introduced – 20-28-15

Yesterday, with both the House and Senate in regular session, there were 26 bills introduced. Only one of those may be of specific interest to readers of this blog:

HR 3842 To improve homeland security, including domestic preparedness and response to terrorism, by reforming Federal Law Enforcement Training Centers to provide training to first responders, and for other purposes. Rep. Carter, Earl L. "Buddy" [R-GA-1]

This one is pretty much a reach, but I get interested when the title includes the phrase “and for other purposes”. Don’t expect that this will have a high chance of making it back into the blog postings.

HR 3819 Passes in Senate – STA Extension

Yesterday the Senate passed HR 3819, Surface Transportation Extension Act of 2015, on a voice vote. The bill passed the day before in the House, also by a voice vote. The bill extends the authorization for various surface transportation programs from tonight until November 13th. This was done to provide additional time for Congress to pass a longer term authorization bill.

There was minimal debate in the House (20 minutes) and no debate in the Senate. Just what you would expect with a short term extension for a fast expiring program that seems to finally be moving forward to resolution. One odd thing in the Senate. This was passed at the close of the session when we normally see non-controversial bills pass ‘without objection’. In that process the voice of a single Senator can derail passage. In this case a voice vote was used instead allowing the President Pro Tempore to decide if there were more voices in the almost empty chamber for or against. I’m not saying that there was anything underhanded in the passage of this bill, but this is how you would slip one by if you were so inclined (and willing to take the heat from the opposition the next day).

OOOPS. I never did take a close look at this bill. These short term extensions are typically pretty vanilla so as not to attract any undue objections to their passage. Now I wish I had. Someone mentioned last night that the Senate had passed an extension of the PTC deadline; oh yes it was a tweet from @SOCMA. It didn’t make sense when I saw it late last night, but I checked this morning, and sure enough, §1302 of HR 3819 is the “Positive Train Control Enforcement and Implementation Act of 2015”. This is virtually identical to §7014 of the most recent House STA bill, HR 3763.

The bill is on its way to the President for signature. There has been no specific word on whether or not he will sign it. There had been suggestions during the summer after the previous STA extension had been signed, that the President did not want to sign another short term extension, but I suspect that this will be quietly signed as it looks like there is some movement to consider HR 22 in the House.

Wednesday, October 28, 2015

DMCA Exemption Final Rule Published

Today the Library of Congress published a final rule in the Federal Register (80 FR 65944-65964) listing the latest exemptions to the provision of the Digital Millennium Copyright Act (DMCA) that prohibits circumvention of technological measures that control access to copyrighted works. The rule amends 37 CFR 201.40 which prescribes the classes of copyrighted works for which the Librarian of Congress has determined that shall for a three-year period be subject to the exemption provided in 17 USC. 1201(a)(1)(B) from the prohibition against circumvention of technological measures that effectively control access to copyrighted works set forth in §1201(a)(1)(A).

The Proposed Classes

The Librarian considered 24 classes of works that would be included in the revised §201.40(b). These included the following classes under the security and safety research provisions of §1201(j):

Class 22: Vehicle Software;
Class 25: Software;
Class 27A: Medical Device Software

As should be expected, there were significant industry objections to the approvals of these classes. Additionally, objections were raised by DOT about the vehicle software class and by FDA about the medical device software class. Comments supporting the three classes specifically and a broad exemption for all computer programs were received from the National Telecommunications and Information Administration (NTIA).

Based upon the comments received during both the public and government comment portions of the rulemaking, the Register recommended that:

• The good-faith security research exemption should be limited to “research on computer programs within devices or machines primarily designed for use by individual consumers (including voting machines), motorized land vehicles, and implanted medical devices and their corresponding monitoring systems”;

• As a general matter, the exemption should not go into effect until twelve months after the effective date of the new regulation with an exemption for voting machines, on the ground that there was no public safety issue;

• Security research must be conducted in a controlled setting designed to avoid harm to individuals or the public;

• The information derived from the research activity be used primarily to promote the security or safety of the devices containing the computer programs on which the research is conducted, or of those who use those devices

The Approved Exemption

The exact language of the approved exemption for security research on computer software can be found at §201.40(b)(7). It provides that good-faith security research on computer programs that does not otherwise violate federal law (specifically 18 USC 1030) may circumvent technological protection measures (TPMs) without violating copyright law as long as that research is conducted on:

• A device or machine primarily designed for use by individual consumers (including voting machines);
• A motorized land vehicle; or
• A medical device designed for whole or partial implantation in patients or a corresponding personal monitoring system, which is not and will not be used by patients or for patient care.

The exemption goes on to limit that research to accessing the software for the purposes of “testing, investigation and/or correction of a security flaw or vulnerability” and doing so in “a controlled environment designed to avoid any harm to individuals or the public”. Information from the research must be used “promote the security or safety of the class of devices or machines on which the computer program operates”.

Finally it must be noted that the exempted security research cannot start until October 28th, 2016 except for research on voting machines which can start today. This was done to provide affected government agencies a chance to limit potential harm from such research by additional regulation where necessary.


The fact that this exemption was limited to the three specific classes of devices was based in large part because those were the devices for which an exemption had been requested by researchers. Those petitions documented the fact that researchers in these areas had had actions taken against them by copyright holders due to the security research that they had conducted on these types of devices. Thus they demonstrated that the generic security research protections provided by §1201(j) were inadequate and required specific exemption under regulation.

In three years, these exemptions will not be automatically renewed when the 7th Triennial Process is completed. The petitions will again have to be submitted demonstrating that the conditions that led to the adoption of today’s exemptions still occur. Researcher need to insure that they start the documentation process all over again. Researchers seeking to expand the security research exemption to other types of devices will be able to build upon this approval, but they will still need adequate documentation.

Senate Passes S 754 – CISA

As everyone is probably already aware the Senate yesterday passed an amended S 754 by a substantially bipartisan vote of 74 to 21. The bill will now go to a conference committee where the differences between this bill and HR 1560 that was passed in the House in April.

Control System Security Issues

The revised bill does contain two provisions that have specific implications for control system security. First the information sharing provisions of the bill do apply to control systems as the definition of ‘information system’ in §102(10) specifically “includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers”.

Second, as I reported earlier, §407 of the bill would require DHS to report to Congress on the extent that critical infrastructure is currently required to report cyber intrusions or incidents involving cybersecurity incidents that “could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security”. DHS would also be required to suggest to Congress additional statutory authority that would be required to allow the department to put into effect “a strategy that addresses each of the covered [critical infrastructure] entities, to ensure that, to the greatest extent feasible, a cyber security incident affecting such entity would no longer reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security” {§407(c)(1)}.

The Whitehouse amendment (revised amendment #2626) that I described in my earlier post was not considered by the Senate. This amendment and Mikulski #257 were objected to by Sen. Burr (R,NC; Chair of the Senate Intelligence Committee and co-author of S 754) as not being “germane to amendment No. 2716.” { CREC-2015-10-27-pt1-PgS7503). Readers might remember that the Whitehouse amendment would have made it a federal criminal offense to damage to a critical infrastructure computer during the commission of computer fraud.

Moving Forward

With the House and Senate bills headed to conference in the coming weeks, there is no telling exactly when the resulting bill will come back for votes in the House and Senate. It is also not yet clear which bill number will be the vessel for that vote. It is apparent, however, that we will have an information sharing bill sent to the President in the not too distant future (probably before the end of the year).


I think that I have to agree with Jack Whitsitt’s view of the effectiveness of the information sharing provisions of this bill; it is not going to be a game changer by any stretch of the imagination. Nor do I subscribe to the dystopian view that this bill specifically furthers the government invasion of privacy evidenced in the NSA revelations of the last couple of years. It will, however, relieve Congress from any further requirement in the near term to craft ‘comprehensive cybersecurity legislation’.

I think what we will see from Congress is a continuation of the trend that I have mentioned here a couple of times of including relatively minor cybersecurity language in bills dealing with technology issues or general security issues. This will, in my opinion, be a much more effective (if piecemeal) way of dealing with cybersecurity issues in general and control system security issues specifically.

As Congress routinely addresses technical issues in automotive safety, intelligent transportation systems, medical devices, the smart grid and aircraft safety (to name a few specific areas) legitimate attention will also have to be directed at the security of the electronic systems that form the control basis for those systems. Integrating control system security into those larger issues is where important legislative work needs to be done.

The one area, however, that still needs major legislative attention is the protection of control systems where failure or an attack could have significant impact on a large segment of society. Section 407 of the bill that was passed yesterday was an important step in identifying those control systems that need to be protected.

I think that the time frame requirements in that section are way too short for effective analysis. This means that some truly critical systems are sure to be missed and some not so critical systems will be included. But, it is an important first step.

The control system security community, meanwhile, needs to start thinking seriously about how we want to see meaningful legislation crafted to deal with the control system vulnerabilities in these critical facilities. We need to figure out how to craft rules that won’t be technically obsolete by the time that they are published. We need to figure out how regulate control system security without stifling the creative expansion of control system capabilities.

We need to do it because Congress does not (and never will have) the technological skills and comprehension to do it on their own. If we leave this to them we will either have systems so complicated that future changes in automation technology will be fatally handicapped; or so weak that there will be no protection of critical infrastructure control systems at all. Congress is not equipped to find the technological middle ground; we are.

OMB Approves DHS Drone Privacy Rule Notice

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the DHS rulemaking notice on “Protecting Privacy, Civil Rights & Civil Liberties: Best Practices for Unmanned Aircraft Systems”. This rulemaking was not listed in the latest Unified Agenda so there are no details publicly available on the contents of this notice.

I expect that this is probably an advance notice of proposed rulemaking or a request for information as the DHS Privacy Office starts to tackle the issue of establishing privacy guidelines for the Department’s use of unmanned aerial vehicles.

I expect that we will probably see publication of this notice next week.

Tuesday, October 27, 2015

ICS-CERT Publishes Three Advisories

This afternoon the DHS ICS-CERT published three new control system security advisories for systems from Rockwell, Infinite, and Siemens.

Rockwell Advisory

This advisory describes multiple vulnerabilities in the Rockwell Allen-Bradley MicroLogix 1100 and 1400 programmable logic controller (PLC) systems. The vulnerabilities were reported by Ilya Karpov of Positive Technologies, Nir Giller of CyberX, and independent researcher Aditya Sood. Rockwell has produced firmware updates for most of the vulnerabilities with one fix still in the works. There is no indication that any of the researchers were provided the opportunity to verify any of the fixes.

The vulnerabilities include:

• Stack based buffer overflow - CVE-2015-6490 (remains to be fixed in 1400);
• Improper restriction of operations within the bounds of a memory buffer - CVE-2015-6492;
• Unrestricted upload of a file with dangerous type - CVE-2015-6491;
• Cross-site scripting - CVE-2015-6488; and
• SQL injection - CVE-2015-6486.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities.

Slightly interesting that three separate researchers independently identified these vulnerabilities. Some element of chance involved, but I bet lots of people look at Rockwell PLCs.

Infinite Advisory  

This advisory describes multiple vulnerabilities in the Infinite Automation Systems Mango Automation application. The vulnerabilities were reported by Steven Seeley of Source Incite and Gjoko Krstic of Zero Science Lab. Infinite Automation Systems has produced a new version to mitigate vulnerabilities and researchers have validated the efficacy of the fix.

The vulnerabilities include:

• Unrestricted upload of file with dangerous type - CVE-2015-7904;
• OS command injection - CVE-2015-7901;
• Information exposure through debug information - CVE-2015-7900;
• SQL injection - CVE-2015-7903;
• Cross-site request forgery - CVE-2015-6493;
• Cross-site scripting - CVE-2015-6494; and
• Response discrepancy information exposure - CVE-2015-7902.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities.

Another large multiple vulnerability disclosure with multiple independent discoveries. This is getting to be a trend.

Siemens Advisory

This advisory describes a single vulnerability caused by an IEEE conformance issue involving improper frame padding in Siemens RuggedCom. The vulnerability was initially reported by David Formby and Raheem Beyah of Georgia Tech. Siemens has developed a new software version that mitigates the vulnerability and the researchers have validated the fix.

ICS-CERT reports that a relatively unskilled attacker on the network might be able to read a limited amount of unintended data within the packet. The Siemens notice explains that that data could come from previous network traffic of other VLANs.

NOTE: This vulnerability was reported by Siemens last week.

Appendix A Revision – TIH Chemicals

As I have mentioned in a couple of different blog posts lately (here and here), the folks at DHS Infrastructure Security Compliance Division (ISCD, the CFATS people) have asked for comments about potential revisions to Appendix A, 6 CFR Part 27, the DHS list of chemicals of interest (COI). I’m going to start my look at Appendix A by looking at the Release-Toxic COI on the list  and what chemicals might be added to the list.


The preamble to the Appendix A final rule defines the term ‘release-toxic’ as chemicals “with the potential to create a toxic cloud that would affect populations within and beyond the facility, if intentionally released”. Later DHS noted that it used the same EPA “listing criteria, including the EPA acute toxicity criteria and vapor pressure cut-off [10-mm Hg or greater]” used to establish the RMP list of toxic substances. DHS did remove three RMP toxic substances from the release-toxic list (the three toluene isocyanate isomer listings) because they did not meet the vapor pressure standards (EPA included them because of Congressional direction).

Interestingly (for reasons that will soon be obvious) the crafters of Appendix A turned to another regulatory agency for their definition of Theft/WME (weapons of mass effect), the another sort of toxic chemical covered by the CFATS regulations. Here they turned to DOT’s ‘gas poisonous by inhalation’ or Division 2.3. For Theft/WME DHS “listed all DOT Division 2.3 PIH gases including those in Hazard Zones A through D”.

Those Hazard Zones are a relative measure of the toxicity of the chemical based upon the LC50 for the chemical. The LC50 is the “concentration of vapor, mist, or dust which, administered by continuous inhalation for one hour to both male and female young adult albino rats, causes death within 14 days in half of the animals tested”. The hazard zones for Division 2.3 gasses are the same as those for Division 6.1 poisonous liquids.

Toxic Inhalation Hazard Chemicals

Of the 52 Release-toxic chemicals currently listed on the DHS COI list, seventeen are listed by DOT as Division 6.1 (poisonous material) chemicals {15 Division 2.3, 12 Class 8 (corrosive liquids), and 5 Class 3 (flammable liquids)}. Of those 17 listed in Division 6.1 twelve were listed in the two most deadly Hazard Zones (5 in Zone A; 7 in Zone B).

There are a total of 39 additional Division 6.1 chemicals listed in DOT’s 49 CFR 172.101 that also fall into Hazard Zones A and B. The reason that these chemicals do not fall under the RMP toxic definition is generally that these chemicals do not meet the ≥10mmHg vapor pressure standard used by EPA. In many cases this is because the vapor pressure is not publicly available (and as a production chemical veteran I assume that this is because no one has measured the vapor pressure, not a conspiracy to withhold information).

Now of the 17 chemicals on the EMP’s toxic list that are also included in DOT’s Division 6.1  five are found in Hazard Zone A and seven are in Hazard Zone B. The other five are of lower toxicity.


I would like to propose that in the revised Appendix A that DHS list all 32 Division 6.1, Hazard Zones A and B chemicals not currently listed in Appendix A. The seven in Zone A (listed below) should be listed without condition due to their extreme toxicity (LC50 < 200 ppm). Note: four of these chemicals (+) were not listed as Division 6.1 chemicals in 2007; additional testing by the Europeans revealed the extent of their toxicity since then and §172.101 has since been revised.

• tert-Butly isocyanate;
• Ethyl isocyanate+;
• Isobutyl isocyanate+;
• Isopropyl isocyanate+;
• Methoxymethyl isocyanate+;
• Methyl vinyl ketone; and
• n-Propyl isocyanate;

The remaining 25 in Hazard Zone B (listed below) should be listed unless their vapor pressure is < 10mmHg. Chemicals without readily available vapor pressure information would be provisionally listed in Appendix A until such time as an EPA accredited lab provided test data to show that their vapor pressure < 10mmHg. This provisional listing would provide manufacturers with a specific incentive to have the vapor pressure testing done. Currently the lack of RMP listing because of the lack of vapor pressure data acts as a disincentive to have the testing done.

• Allyl chloroformate;
• Bromoacetone;
• n-Butyl chloroformate;
• Chloroacetone;
• Chloroacetonitrile;
• 2-Chloroethanol;
• Chloropicrin;
• Cyclohexyl iscocyanate;
• 3,5-Dichloro-2,4,6-trifluoropyridine;
• Dikete;
• Dimethyl sulfate;
• Ethyl chloroformate;
• Ethyl phosphonothioic dichloride, anhydrous;
• Ethyl phosporodichloridate;
• Ethyldichloroarsine;
• Ethylene chlorohydrin;
• Ethylene dibromide;
• Hexachlorocyclopentadiene;
• Methanesulfonyl chloride;
• 2-Methyl-2-heptanethiol;
• Methyl iodide;
• Methyl isothiocyanate;
• Methyl orthosilicate;
• Methyl phospoonous dichloride;
• Methyldichloroarsine;
• Phenyl isocyanate;
• Phenyl mercaptan;
• Phenylcarbylamine chloride;
• Thiophosgene;
• Trimethoxysilane;
• Trimethylacetyl chloride;

NOTE: A copy of this blog was submitted to the Docket on 10-29-15 at 2:20 pm CDT

Appendix A Roundtable Discussion

I just finished listening to the roundtable discussion about possible changes to Appendix A to 6 CFR Part 27, the CFATS regulations. I talked about this roundtable in an earlier post.

The roundtable format allowed for the private sector participants (and apparently a couple of people from some public sector agencies as well) that were able to attend the event in Washington, to provide some comments and exchange some ideas on the parts of Appendix A that might need changing. As I mentioned earlier the topics that were covered were:

• The possible addition of chemicals to, and/or the deletion or modification of COI currently listed in Appendix A;
• The applicability and/or modification of any Screening Threshold Quantities (STQ) or minimum concentrations;
• Concentration and mixtures rules associated with Appendix A, which are described in 6 CFR 27.204;
• Isotopic variants to include comments on Chemical Abstract Service (CAS) Registry Numbers and nomenclature;
• The classification of COI within different security issues, to include the potential for re-designating certain chemicals now listed solely as release flammable so they are listed solely as toxic or as toxic and flammable; and
• Criteria for “counting rules” for screening threshold quantities to include clarification on how to determine if a COI is in transportation.

DHS provided a slide for each of the topics listed above (slides will be available at some point on; Docket # DHS-2014-0016-0071). Those slides included a couple of specific discussion points that came from the earlier public comments about Appendix A for the Advance Notice of Proposed Rulemaking (ANPRM) on the CFATS program.

The audio was poor (a problem with HSIN not ISCD) on the phone in link, but the comments that I could understand were many of the same  things that we saw eight years ago when the CFATS NPRM was published.

There will be a public comment period this afternoon for the event in Washington, but I don’t think that I will spend any time listening to that. Instead I am going to get back to work on my submission for this on the topic of toxic inhalation hazard chemicals listed in Appendix A. Needless to say readers will see it first here.

Monday, October 26, 2015

S 754 Amendments to Date - CISA -

Okay, I couldn’t help myself. I have gone back and looked at the amendments to S 754 to date and I have pieced together the following analysis.

Boxer Amendment

The Senate is currently dealing with what many are referring to as the ‘Boxer Amendment’. This is actually Senate Amendment # 2716 submitted by Sen. Burr (R.NC) and Sen. Boxer (D,CA) (Chair and Ranking Member of the Senate Intelligence Committee). It is substitute language for S 754 that takes the least controversial of the 21 amendments that the Senate agreed to consider last July and rolls them into S 754, along with some other changes that have bipartisan support in Committee.

There is only one section of this substitute language that specifically applies to control system security issues (kind of); §407. Strategy to protect critical infrastructure at greatest risk. This section requires the DHS Secretary to “identify critical infrastructure entities where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security” {§407(b)}. It would then require a report to Congress “describing the extent to which each covered entity reports significant intrusions of information systems essential to the operation of critical infrastructure” {§407(c)} to either DHS or a regulating agency.

Additionally, DHS would be required to “conduct an assessment and develop a strategy that addresses each of the covered entities, to ensure that, to the greatest extent feasible, a cyber security incident affecting such entity would no longer reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security” {§407(d)(1)}.

Unreasonably short timelines are required for all of the required reports to Congress.

Other Control System Security Amendments

In my July blog post I mentioned that the only one of the 21 amendments agreed to be considered specifically (okay almost specifically) addressed control system security issues was Whitehouse 2626. Since the Senate has taken up consideration of the bill this week only one more amendment has been proposed that address (again, almost specifically) control system security issues and that is Whitehouse 2713.

It would add a new section to 18 USC, the US criminal statutes (§1030A. Aggravated damage to a critical infrastructure computer). This is virtually the same section that was proposed in # 2713 and my comments in the earlier blog post certainly apply here. The implementation of its intent seems to me (again I am not a lawyer) to be fatally flawed by its reliance on the definition of ‘protected computer’ in the existing §1030(e)(2).

Interestingly, the Friday Daily Digest of the Congressional record lists a ‘Modified Amendment No. 2626’as one of the pending amendments being considered by the Senate. I suspect that the modification is making it amendment to Amendment 2716 instead of S 754. Unfortunately, neither amendment was included in the unanimous consent agreement list of those that will be considered today before a vote on S 2716.

Moving Forward

There is one more cloture vote possible today on the full bill. If that passes (and all cloture votes to date have) then there will be a final vote on the bill today.

The question then arises if the Senate will just send S 754 to the House or if it will substitute the language from S 754 for HR 1560, the House passed information sharing bill. The later would then almost certainly see a Conference Committee ironing out the differences between the two bills. Just sending S 754 to the House would probably result in the House amending that bill and prolonging the ultimate passage. Either way it is beginning to look like we are going to see an information sharing bill on the President’s desk during this session of Congress (which remember does not end until December of next year.

Committee Hearings – Week of 10-25-15

Both the House and Senate will be in Washington this week. There is only one hearing currently scheduled this week that may be (okay a little bit of a stretch) of interest to readers of this blog; an oversight hearing of DHS S&T.

S&T Oversight

The House Science, Space and Technology Committee will be holding a hearing on Tuesday on a “A Review of Progress by the Department of Homeland Security (DHS), Science and Technology Directorate”. The sole witness will be Under Secretary Brothers.

On the Floor

There will be two bills of potential interest this week that will be considered under suspension of the rules (limited debate, no amendments and 3/5th majority):

• Concur in the Senate Amendment to HR 623 – DHS Social Media Improvement Act of 2015; and
HR 3819 – Surface Transportation Extension Act of 2015

The Senate will continue working on S 754 the CISA. I am not going to try to keep up on the details of the amendment process in the Senate with its amendments to amendments processes. I’ll report on the final wording of the bill when it is passed (probably) on Tuesday.

Saturday, October 24, 2015

Bills Introduced – 10-23-15

With just the House in session on Friday there were 15 bills introduced. Of those four may be of specific interest to readers of this blog:

HR 3815 To deter terrorism, provide justice for victims, and for other purposes. Rep. King, Peter T. [R-NY-2]

HR 3819 To provide an extension of Federal-aid highway, highway safety, motor carrier safety, transit, and other programs funded out of the Highway Trust Fund, and for other purposes. Rep. Shuster, Bill [R-PA-9]

HR 3823 To provide for direct hire authority for positions in the Pipeline and Hazardous Materials Safety Administration, and for other purposes. Rep. Green, Gene [D-TX-29]

HR 3825 To improve transportation safety, efficiency, and system performance through innovative technology deployment and operations. Rep. Takano, Mark [D-CA-41]

HR 3815 was added to the list just because I wanted to see what new and innovative counter-terrorism ideas that Rep. King (R,NY) has come up with since he left chairmanship of the Homeland Security Committee.

HR 3819 is a bill to extend the current surface transportation authorization until November 15th. It is being introduced as a budget reconciliation bill so that it cannot held up in the Senate by cloture. It is currently scheduled to be considered in the House under suspension of the rules onTuesday. This is being done to give Congress a chance to act on HR 3673 which indicates that action on that bill will not be as clean as I originally predicted.

HR 3823 may be of interest depending on what employee slots this will effect and the reason given. The federal hiring process is a mess and we will be seeing more of these types of bills as the Feds try to fill existing critical slots in their agencies.

HR 3825 will only be of interest here if it addresses cybersecurity issues related to intelligent transportation systems.

Friday, October 23, 2015

Committee Passes HR 3763 – 2016 STA

Yesterday the House Transportation and Infrastructure Committee held a markup hearing for HR 3763, the Surface Transportation Reauthorization and Reform Act of 2015. [NOTE: Bill number corrected on 10-25-15 at 12:00 pm CDT] Ten amendments were considered and eight were adopted, apparently by voice votes, before the Committee unanimously approved the revised bill for consideration by the full House.

The Committee did not publish the language of the two bills that were defeated in bipartisan roll call votes, so we do not know what provisions they included. Of the other eight amendment, only one contained measures that would be of specific interest to readers of this blog. Chairman Shuster’s (R,PA) Managers Amendment included two provisions of interest; a cybersecurity addendum to the existing Intelligent Transportation Systems requirements in 23 USC 514, and a new section of the bill addressing the phase out of the current fleet of railcars for transporting flammable liquids.


Shuster’s amendment would modify §514(b) by adding a new subparagraph to the list of activities that the Secretary is required to “implement activities under the intelligent transportation system program”. That new subparagraph {§514(b)(10)} reads:
“(T)o assist in the development of cybersecurity standards in cooperation with relevant modal administrations of the Department of Transportation and other Federal agencies to help prevent hacking, spoofing, and disruption of connected and automated transportation vehicles.”

On a purely grammatical note it probably should have read “or disruption”.

Railcar Phase Out

The Shuster amendment added a new section dealing with the phase out of DOT-111 and CPC-1234 railcars in flammable liquid service. The new section would change the phase out of these railcars in favor of the DOT-117R and DOT-117 railcars. The amendment does not specifically mention the DOT-117P standard that was set in the recent HHFT final rule.

The HHFT final rule only prohibited the use of DOT 111 and CPC-1234 railcars in flammable liquid service in Highly-Hazardous Flammable Trains. The new section added in the Shuster amendment would remove that qualification by adding “regardless of train composition” {new Section (b)}. The HHFT also set different phase out dates based upon the packing group rating for the flammable liquid. The Shuster amendment does away with that distinction for “unrefined petroleum products in Class 3 flammable service, including crude oil” {new Section (b)(1)} and ethanol.

The table below shows a comparison of the phase out schedules for the Shuster amendment (Proposed) and the HHFT mandate. Note that the HHFT gave the Secretary the authority to slip the 1-1-2017 date to 1-1-2018 if there were not going to be enough DOT-117 and DOT-117R cars available due to lack of retrofit or manufacturing capacity.

Flammable Material
PG-1 in HHFT
PG-2 in HHFT
PG-3 in HHFT
Crude Oil

  Non-Jacketed DOT-111
  Jacketed DOT-111
  Non-Jacketed CPC-1232
  Jacketed CPC-1232



Other PG-1 Flammable Liquids

PG-2 and -3 Flammable Liquids

Paragraph (d) of the new section states that: “Nothing in this section shall be construed to require the Secretary to issue regulations to implement this section” and then paragraph (e) allows the implementation of the HHFT final rule “other than the provisions of the final rule that are inconsistent with this section”; which would be the phase out standards described above.

Moving Forward

This bill is a high priority for Chairman Shuster. The current surface transportation authorization runs out at midnight next Thursday and there is a major push to get this bill to the President by that time. I expect that we will see a Rules Committee hearing on this bill Monday evening with a House vote under a modified rule (limited debate and pre-approved amendments) on Tuesday with the Senate voting on Thursday. Because of the negotiations between the House and Senate Transportation Committees, there might not be any amendments allowed to be offered on the floor in the House or Senate.


The minor cybersecurity change added to this bill is just another instance of the change in the way that Congress is beginning to approach cybersecurity issues. As I have pointed out a couple of times in this blog, they are starting to move away from relying on large cybersecurity bills and starting to add small bits of cybersecurity language in other bills where appropriate.

This will have the effect of pushing more of the responsibility for cybersecurity out to the regulatory agencies. The argument could certainly be made that those agencies have more expertise to set cybersecurity standards than does Congress. In most cases I’m not sure that they have enough expertise, but that is going to be a perennial problem for any technical issue in government. I expect, however, that this will allow quicker movement to consideration of cybersecurity issues in these regulatory agencies than would waiting for comprehensive legislation.

I can understand why the Shuster amendment made changes to the railcar phase out standards set in the HHFT. There is a lot of political push to get the older cars off the tracks. Unfortunately this was a political risk management decision rather than a transportation risk management decision. There is no risk basis for having a 2029 phase out date for ‘other’ PG II chemicals and a 2018 phase out date for PG II crude oil. If the HHFT element had been left in the calculation you could make the argument that the higher number of cars in the train would increase the chance that a flammable liquid railcar would be involved in the derailment (which is why DOT only made the phase out required in HHFT situations), but without that distinction the risk of a PG II fire should be the same regardless of what the chemical is.

The concern about the higher flammability of Bakken Crude has only ever been claimed (but not substantiated) for PG I material. There has not been a claim that I know of that PG II and PG III Bakken Crude has a higher tendency to ignite.

If this change stands (and I see no political will to change it) then we are going to run into a situation on January 2nd, 2018 when there are not going to be enough railcars to transport crude oil from the Bakken basin. There were concerns enough that the DOT’s phase out program was too aggressive to provide enough railcars. Even with the decline in the crude oil production due to the lower crude prices there will be no way that there are going to be enough DOT-117 and DOT-117R (or DOT-117P) railcars available to move all of the Bakken Crude to refineries.

The resulting rise in crude oil prices and resulting rise in gasoline prices is going to create its own political backlash. But that will be two election cycles away so not a worry of the current Congress.

Thursday, October 22, 2015

ICS-CERT Publishes Advisory for Janitza Products

This afternoon the DHS ICS-CERT published an advisory for multiple vulnerabilities in the Janitza UMG power quality measuring products. The vulnerabilities were reported by Mattijs van Ommeren of Applied Risk. Janitza has produced new firmware and documentation to mitigate these vulnerabilities, but there is no indication that van Ommeren has been provided an opportunity to verify the efficacy of the fixes.

The vulnerabilities include:

• Weak password protection, CVE-2015-3972;
• Weak session token generation, CVE-2015-3973;
• Hard coded password, CVE-2015-3968;
• Privilege escalation, CVE-2015-3971;
• Persistent cross site scripting, CVE-2015-3970;
• Cross site forgery, CVE-2015-3967; and
• Information disclosure, CVE-2015-3960.

ICS-CERT reports that a moderately skilled attacker could remotely use a publicly available exploit of these vulnerabilities to adjust system parameters; manipulate measurement values and change the function of the device; and compromise availability, integrity, and confidentiality of the device and dependent systems.

In addition to new firmware, ICS-CERT reports that Janitza has produced a new manual [.PDF download] on how to set up a secure TCP/IP connection on most of the affected devices. In addition to setting up that secure connection the manual also addresses:

• Changing passwords for FTP, homepage and display; and
• Setting internal firewall settings.

This advisory was originally released to the US-CERT Secure Portal on September 22nd. This is apparently the vulnerability that I reported being on the Secure Portal back on October 5th.

FAA to Require Registration of UAS

Today the DOT’s Federal Aviation Administration published a notice of clarification in the Federal Register (80 FR 63912-63914) concerning aircraft registration requirements for Unmanned Aircraft Systems. The notice also requests information from the public necessary for establishing an electronic system for UAS registration and for determining risk-based criteria for continuing the discretionary exemption for some UAS.

All Unmanned Aircraft Systems Must be Registered

The FAA explains in the notice that:

“To maintain safety in the NAS [national air space], the Department has reconsidered its past practice of exercising discretion with respect to requiring UAS to be registered, consistent with statutory requirements of 49 U.S.C. 44101-44103, and has determined that registration of all UAS is necessary to enforce personal accountability while operating an aircraft in our skies.”

The effective date of this change in regulatory enforcement is today, October 22nd, 2015. To register a small UAS (hobby type flying device sold at toy stores, malls and hobby shops) you need to go to the FAA’s Aircraft Registration: Unmanned Aircraft (UA) web page and scroll down to the instructions for “To Register a New - Small Unmanned Aircraft (sUA)”. Ignore the statement at the top of the page that “Registration is not required for model aircraft”; that was changed by today’s notice and has not made it to the web site yet.

The FAA notes in today’s notice that “it is apparent that the current paper-based system for aircraft registration is too burdensome for small UAS, to include model aircraft”. It is planning to move to an electronic registration system for small UAS. The FAA announced Monday that it would be convening a special task force to develop recommendations for a registration process for Unmanned Aircraft Systems (UAS)”. To assist that task force the included in today’s notice a number of questions about which it was requesting public feedback. Those questions include:

1. What methods are available for identifying individual products? Does every UAS sold have an individual serial number? Is there another method for identifying individual products sold without serial numbers or those built from kits?
2. At what point should registration occur (e.g. point-of-sale or prior-to-operation)? How should transfers of ownership be addressed in registration?
3. If registration occurs at point-of-sale, who should be responsible for submission of the data? What burdens would be placed on vendors of UAS if DOT required registration to occur at point-of-sale? What are the advantages of a point-of-sale approach relative to a prior-to-operation approach?
4. Consistent with past practice of discretion, should certain UAS be excluded from registration based on performance capabilities or other characteristics that could be associated with safety risk, such as weight, speed, altitude operating limitations, duration of flight? If so, please submit information or data to help support the suggestions, and whether any other criteria should be considered.
5. How should a registration process be designed to minimize burdens and best protect innovation and encourage growth in the UAS industry?
6. Should the registration be electronic or web-based? Are there existing tools that could support an electronic registration process?
7. What type of information should be collected during the registration process to positively identify the aircraft owner and aircraft?
8. How should the registration data be stored? Who should have access to the registration data? How should the data be used?
9. Should a registration fee be collected and if so, how will the registration fee be collected if registration occurs at point-of-sale? Are there payment services that can be leveraged to assist (e.g. PayPal)?
10. Are there additional means beyond aircraft registration to encourage accountability and responsible use of UAS?

Public comments may be submitted via the Federal eRulemaking Portal (; Docket # FAA-2015-4378). Since the Task Force is to complete their report by November 20th, the FAA is requesting that comments be submitted by November 6th, 2015.


The FAA clearly jumped the gun on this process in an attempt to get a registration process in place before the expected jump in small UAS sales for Christmas. Unfortunately, they quietly and blatantly ignored a number of regulatory requirements in their making the effective date of this change in enforcement effective today.

The first of course deals the fact that they have now made obsolete the information collection request for Aircraft Registration (2120-0042); an update of which was just approved on September 30th. The supporting document submitted to OMB by the FAA projected 206,570 responses per year for a time burden of 111,154 hours. Those burden estimates were based upon an extrapolation of documents submitted during the first 10 months of FY 2015.

That means that those burden estimates do not include the huge number of first time registrations for small UAS. I have no idea how many of those things are currently in service, but if you include even the smallest remotely controlled toy helicopters there are probably at least a hundred thousand UAS (admittedly a number picked out of mid-air, so to speak) currently in use that have not been registered with the FAA. The FAA clearly needs to launch a new ICR revision to take these numbers into account before it can legally require the information to be submitted.

As the FAA explained in their notice using the current paper based registration process for this huge influx of registration requests is not an option, but it is the only option currently available. And a truly antiquated process it is. According to the FAA’s registration web site:

“You must use an original Aircraft Registration Application, AC Form 8050-1. We don't accept photocopies or computer-generated copies of this form. Aircraft Registration Applications may be obtained from the Aircraft Registration Branch or your local FAA Flight Standards District Office (FSDO).”

NOTE: The OMB’s Office of Information and Regulatory Affairs (OIRA) only approved the most recent ICR for Aircraft Registration for 18 months because of the antiquated manual form filling process. OIRA stated “This collection has been approved for a period of 18 months. Before resubmission, the agency shall create PDF-Fillable versions of all the forms in this collection. Further, in conjunction with OMB 2120-0729, the agency shall evaluate allowing the use of e-signatures in accordance with GPEA. The agency shall provide a detailed report to OMB with the results of their evaluation and specific next steps for compliance.”

Fortunately, the other forms that are required in the registration process are available for download. But all of the completed documentation needs to be snail mailed to the Aircraft Registration Branch in Oklahoma City, OK. According to their Aircraft Registry web site they currently have about a 22 day backlog on registration processing. How much longer will that backlog be when they start receiving thousands of UAS application in addition to their standard workload?

The other side of this is that this is going to be a huge influx of money into the FAA (okay I’m pretty sure that this goes back into the general Treasury account, but still). There is a $10 fee for obtaining an N-number (aircraft registration number; starts with the letter ‘N’ hence the name); which is required before you submit your registration paperwork. And then there is the $5 registration fee. And the same fees must be paid every time the UAS is sold or the registration is renewed (every three years). Some of the newer and smaller versions of the quadcopters do not cost much more than the price of registration.

The FAA was way too premature in setting an October 22nd, 2015 effective date for the change in their aircraft registration policy. There is a lot more effort that needs to go into requiring the registration of small UAS. This had to be clearly understood when they added the 10 questions about UAS registration to this notice. The FAA clearly has no interest in registering 26mm quad copters, while it may find it necessary to register some pushing the 50-lb small UAS limit. The FAA needs to re-do this notice as a straight request for information and leave the change in enforcement until they decide which UAS they really need to register.

Oh, yes, that Task Force? Is there anyone in their right mind that thinks that a workable document can be crafted by that many people in that short of time? Really? One that will stand up to implementation in the real world? By an agency with the technological incompetence of the FAA? I have some land that I want to sell you about 50 miles south of Key West….
/* Use this with templates/template-twocol.html */